Home setup - Looking to optimize, willing to pay for solid guidance

[Floppy Donkey]

Hello,

I am looking for a lot of guidance on a home setup. I don't come with much networking background, so please bear with me.

Recently setup an Intel NUC NUC9VXQNX key features that I liked beside being a Xeon with ECC RAM, built-in Wi-Fi 6 (not using currently), dual onboard Intel 1Gb NICs and 2 x PCIe expandable slots, one expandable slot is being used with a 4-Port 2.5 Gigabit Ethernet Card using an Intel I225 Chipset. For a total of 6 network ports.

Networked devices:

• Port 1: 1 Gigabit - Cable modem provided from ISP, not in bridged mode
• Port 2: 1 Gigabit - Microsoft Surface dock
• Port 3: 2.5 Gigabit - Asus GT-AX11000 running in AP mode
• Port 4: 2.5 Gigabit - Gaming desktop
• Port 5: 2.5 Gigabit - QNAP NIC 1
• Port 6: 2.5 Gigabit - QNAP NIC 2

Really looking for some insight on how to configure OPNSense properly as a router, understand some port forwarding rules. I've figured out so far, how to allow Plex running on the QNAP to be locally as well as externally accessible. I believe IPv6 is working on the internal network properly.

If possible I'd like to use the Intel NUC to host an AdGuard Home DNS system. Prior to this setup when using the Asus GT-AX11000 as my router, I hosted a PiHole, then moved to AdGuard Home on the QNAP device as a container. Currently not sure how to adjust DNS settings, I believe its using public AdGuard DNS IP.

Looking for and willing to pay for professional guidance to optimize the configuration.

[bimbar]

You should use a separate switch.

[cookiemonster]

I agree with bimbar. Floppy, the way you have it right now will work fine, albeit traffic between them is going through the router ie. routing traffic being "routed" when each interface is a separate network, or if you follow the docs and "bridge" them -doesn't have to be all of them- , then OPN acts as a swtich and is suboptimal for performance.
If you can based on wiring and location of the involved elements to be networked, a switch will do good.

[Floppy Donkey]

Appreciate the replies, correct I'm currently running all the local ports in a bridge.

I'm having a lot of difficulty understanding why a switch would be required to achieve an optimal configuration, is this due to some limitation of OPNSense?

Are there other opensource alternatives that would work better with my current hardware/layout without the need for a switch?

[cookiemonster]

It doesn't have to be a managed or expensive switch. Say an 8 port one is £22 delivered https://www.amazon.co.uk/NETGEAR-Ethernet-Unmanaged-Internet-Splitter/dp/B07PWHGQSS/ref=sr_1_5?crid=36253SBA7YBYX&keywords=network+switch&qid=1700258372&sprefix=network+%2Caps%2C87&sr=8-5 a 5 port is £13 https://www.amazon.co.uk/TP-Link-TL-SG105S-Ethernet-Lifetime-Warranty/dp/B07HP5TN4S/ref=sr_1_3?crid=36253SBA7YBYX&keywords=network+switch&qid=1700258372&sprefix=network+%2Caps%2C87&sr=8-3
The limitation is not OPN but the OS it is built upon freebsd. It is not as performant for switching. The switches use dedicated switch chips that are far more efficient.
If you want to use only your router you can still do it, it is just could be more complicated.
If you have bridged the ports then you are already set OPN up as router. It is routing WAN to LAN, where LAN is made of all bridged ports. That's it.
You'll need to setup Adguard only once and I suggest to run it directly on OPN via the plugin. And needs only one firewall rule to get all the devices protected by it.
Sorry no IPv6 knowledge from my part. I don't use it.

[Floppy Donkey]

Interesting to learn that freebsd is part of the issue.

If someone wanted to run it differently, using Promox with OPNSense running and another VM that handles switching?

[bimbar]

You would be switching in software either way.

[cookiemonster]

Sure you can run OPN as a VM. I do that on proxmox too, on a far less capable physical host to yours.
If new to virtualisation and networking, this might not be the most straight forward method to use. You'll need to understand how and which physical and virtual interfaces to bridge and how to access them.
That out of the way, there are other OSes tha are better at switching ie linux. If you can budget for a cheap switch, it is still preferable from a cost to effort ratio. Unless you are determined to go without and learn, which is fair enough. Some other forum might be better placed to advice on that setup.

[Patrick M. Hausen]

The bridging code in FreeBSD has been completely rewritten and is entirely comparable to the one in Linux, performance-wise. Only advantage Linux still has is support for some SoC embedded switch hardware like in Edgerouters, e.g. when you put OpenWRT on them.

But as soon as switching is done in software, both OSes are comparable. And you can easily switch at gigabit speeds with the FreeBSD bridge.

BTW all of this was implemented back in 2019 and 2020.

[cookiemonster]

thanks for expanding on that Patrick.

[Patrick M. Hausen]

Yo're welcome. I meant to link the FreeBSD Foundation's announcement, but forgot So here it is:

https://freebsdfoundation.org/blog/500-if_bridge-performance-improvement/

[Floppy Donkey]

Fine Sir, with your FreeBSD knowledge and the use of bridging, could you share if it is wise to enable Hyperthreading on an Intel processor or would it be best to leave it disabled?

[Patrick M. Hausen]

Hyperthreading - I tend to leave it enabled. I also disable all Meltdown etc. mitigations. A firewall does not have multiple tenants so VM isolation is irrelevant. If there is a zero-day RCE, you are screwed, anyway.