Home OPNSense setup: reliable, budget-friendly fanless Mini PC suggestions?

Started by aleco, August 26, 2024, 01:27:13 PM

Hi everyone,

I'm new to OPNSense and currently using a Linksys mesh router/AP system for my home network. I'd like to change my setup so that the routing and firewall tasks are handled by OPNSense on a dedicated Mini PC, instead of relying on my Wi-Fi hardware for these functions. My plan is to switch the Linksys system into bridge mode and later replace it with UniFi access points.

I'm looking for a budget-friendly Mini PC with passive cooling, low TDP (6-15W), and preferably 2x Intel NICs (as I've read Realtek can cause issues, is that true?). While the official OPNsense hardware is great, it's unfortunately too expensive and bulky for my needs. I need something very compact, as I plan to hide it somewhere in my living room.

Regarding the CPU, I assume the Intel N100 is a good choice, but I've also heard that Ryzen 3 U-series chips might be suitable. However, I'm a bit overwhelmed by all the CPU options and naming conventions, so any guidance here would be helpful.

I don't need Wi-Fi or many ports since I'll be running this Mini PC headless as a firewall. My main concern is being able to consistently connect to it from my MacBook. If that becomes an issue, I might need to buy a small display and keyboard as well.

The device should handle OPNSense, including VPN and ad-blocking, for up to 3 people. Additionally, I have various IoT devices that may generate some internet traffic, and I might want to set up a second VLAN for these devices and guest access.

I've been reading about various brands, such as Acemagician, ASUS, Fitlet, Glovary, Mele, Minisforum, Minix, Neosmay, Odroid, Protectli, Qotom, Topton, XCY, and Zotac. However, I have no experience with these brands and am unsure which ones offer reliable, fanless Mini PCs with 2.5Gbps Intel NICs and modern CPUs. I'd greatly appreciate any insights on which brands are trustworthy and which models you would recommend.

Any recommendations or experiences would be greatly appreciated. Thanks in advance!

–––
UPDATE: Here's what I purchased: https://forum.opnsense.org/index.php?topic=42462.msg213758#msg213758


Quote from: bimbar on August 26, 2024, 01:34:59 PM
Beelink and GMKtec are fairly reputable brands.

Thanks for the info. I couldn't find any Beelink devices that are fanless. Regarding GMKtec, they don't specify the NIC manufacturer, so I assume it's not Intel. How critical is this? Are Realtek NICs problematic for a firewall/router setup?

I'd avoid the Fitlet3. The Fitlet2 was a nice machine but the built-in LAN ports on the Fitlet3 appear not to play well with BSD. See https://fit-pc.com/wiki/index.php?title=Fitlet3_Errata_Notes#FITLET3ERR005:_fitlet3_default_LAN_interfaces_are_not_recognized_by_some_-nix_based_OS

Other options that might be worth a look are AAEON and Jetway (these are both Asus companies) and GigaIPC (Gigabyte). These companies all make industrial minipcs for various purposes. They will generally be more expensive than the boxes made in the PRC but manufacturing standards are likely to be higher and you'll get better support. I'm currently using a GigaIPC with J6412 and dual Intel 1G LAN ports to run Opnsense. Barebones cost me $169 last year but cheapest I can find it for now is $240. I have no experience with Jetway boxes but you can find their J6412 barebones online with 2 to 4 i225v for under $300. They also sell a couple of Alder Lake N systems with dual i225v.

I had a Protectli device for many years and recently bought a 2nd one for OPNsense, a VP2420. Some of their devices have soldered RAM (so no upgrade), which I made sure to avoid. So far everything works fine.

Quote from: aleco on August 26, 2024, 02:10:27 PM
Quote from: bimbar on August 26, 2024, 01:34:59 PM
Beelink and GMKtec are fairly reputable brands.

Thanks for the info. I couldn't find any Beelink devices that are fanless. Regarding GMKtec, they don't specify the NIC manufacturer, so I assume it's not Intel. How critical is this? Are Realtek NICs problematic for a firewall/router setup?

Fanless might be difficult, since the N100 turbos up to 55W.

EDIT: Confused that with the Core i3 1215u. It seems that the N100 is up to about 15W.

Not really. The default PL2 usually is ~20-25 Watts. Many Aliexpress boxes have that and it can even be reduced in the BIOS.

I would really look for devices with Intel I226 NICs (I225 use more power), as Realtek drivers for FreeBSD are notoriously bad. Some manufacturers do not tell which NIC chips are built in.

Also, the Beelink S12 is not passively cooled.

Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

Quote from: qarkhs on August 26, 2024, 03:04:16 PM
Other options that might be worth a look are AAEON and Jetway (these are both Asus companies) and GigaIPC (Gigabyte).

Thanks for the recommendations. I couldn't find a Mini PC from these manufacturers with an N100 chip, and fanless models seem to be scarce. Fanless is a strict requirement for me since the device will be placed in my living room, right next to my couch. I've also learned to avoid Realtek NICs due to potential issues with FreeBSD drivers.

I didn't look into devices with other CPUs, as I'm not familiar with older options that might be suitable. Being an Apple user for the past 20 years, I remember names like "Celeron," "Atom," and "Pentium," which don't feel like modern choices to me. At least the "N100" sounds more current. I also assume the improved performance-to-TDP ratio is something we see mainly in newer chip generations.

Quote from: bimbar on August 26, 2024, 06:59:33 PM
Fanless might be difficult, since the N100 turbos up to 55W.

I've seen quite a few N100 devices recently, usually powered by 12V 3A DC, so 36W max. The TDP for the N100 is 6W. But I'm not an expert on how these power levels translate to real-world performance. I had assumed that a modern CPU like the N100 would easily be sufficient for managing the internet connectivity for a few people, including VPN and ad-blocking, and run at <10% load most of the time, with brief spikes.

Quote from: meyergru on August 26, 2024, 07:09:12 PM
I would really look for devices with Intel I226 NICs (I225 use more power), as Realtek drivers for FreeBSD are notoriously bad. Some manufacturers do not tell which NIC chips are built in.

Thanks for the tip. Now I know what to search for. My issue is that I can't easily tell which brands are trustworthy. Having used Apple computers for the past two decades, I've been out of the x86 space and am wary of accidentally buying a Shenzhen knockoff with fake labels that could be a security hazard. I recognize brands like ASUS, but beyond that, most of the others are unfamiliar to me. Any advice on which brands are reliable would be greatly appreciated.

I just found the CWWK X86 P5 and the iKoolCore R2 POE, both are N100, fanless, with Intel I226 NICs. Does anyone have insights on these brands? Or should I look into dedicated devices like the Netgate 1100 and skip the N100 altogether?


Quote from: qarkhs on August 26, 2024, 09:14:08 PM
These are all fanless with N97. N97 is closely related to N100. See comparison here:

Thanks for the info! I wasn't aware that the N95, N97, and N100 CPUs have nearly identical power usage, despite the different TDP ratings, likely for marketing. I also found that the N50 is a binned N100 with only 2 active cores, used in devices like the Asus NUC 143, but I haven't found any speed comparisons with the Celeron N5095 or N5105.

I've read some forum posts about the N100's performance on FreeBSD, mentioning higher-than-expected idle clocks, possibly due to incomplete p-state support. This has raised concerns for me about its efficiency, especially since I want a fanless device in my living room with limited ventilation. I'm worried about managing the heat from both the device and its power supply. I need to hide my firewall, modem, switch, WiFi access point, and two Raspberry Pi 4s (which probably will be replaced by two additional Mini-PCs soon) together with their power supplies in a living room shelf or TV stand, maybe behind a woven cane door—so cooling and space management are crucial.

Based on your replies and my research, I'm currently considering three options:

Firewall-specific devices: I've looked at examples like the Netgate 2100 or Protectli Vault FW4B, which feature 4x Intel NICs and are specifically designed for firewall use. But these come with quite old CPUs, and their price seems relatively high compared to other options.

Celeron-based Mini PC (N5095/N5105): These seem to have a mature platform, and after multiple iterations, most issues should have been resolved, making them potentially more reliable for 24/7 firewall use. However, these are older CPUs and might not be sufficient for also running ad-blocking and VPN?

N50/N95/N97/N100 devices: These promise better efficiency and performance. However, I'm concerned about potential issues as mentioned above. Since these devices are newer, they might be less tested compared to the older Celeron models.

Any advice or corrections to my assumptions would be greatly appreciated!

buy an appliance from Deciso

support the project, buy a certified to work device

I think Netgate 2100 uses an ARM CPU. Not sure Opnsense runs on that, at least official builds.

Why not include the Elkhart Lake CPUs as well (e.g. J6412)? The performance is similar to N5105, N5095 (Jasper Lake). Take with a pinch of salt but:
https://www.cpubenchmark.net/compare/5157vs5337vs4474vs4472vs4412/Intel-N100-vs-Intel-N97-vs-Intel-Celeron-J6412-vs-Intel-Celeron-N5095-vs-Intel-Celeron-N5105

Other thoughts. There appear to be lots of people running OpnSense on Alder Lake CPUs (e.g. N100) bought from PRC companies. You may need to do a microcode update. See:
https://forum.opnsense.org/index.php?topic=36139.0

I believe Protectli machines are made in PRC as well but you get better warranty, support and product is more consistent but you pay quite a bit more for similar features. There are lots of posts here that give you some idea of the manufacturing quality control of PRC companies selling on Ali Express e.g.: https://forum.opnsense.org/index.php?topic=41232.msg203797. Some people appear to buy these units and have great success and others have problems. You roll the dice...

The Taiwanese companies mentioned previously (GigaIPC, Jetway, AAEON) may also manufacture in PRC but to ISO manufacturing standards. They appear to be mostly making industrial PCs to sell to businesses rather than consumers and people who are happy to tinker. But again, you are likely to pay more. And they are slower to bring latest and greatest low-power CPUs to market compared to PRC companies selling on Ali Express and elsewhere.

You have to decide what trade-off is right for you in terms of CPU performance/features -- manufacturing quality/reliability/support -- cost. 

A thought on the heat issue: I installed an NVMe drive on my last machine. Faster but I think the extra speed is unnecessary for this application and likely generates more heat than other storage options.

You're right—once I started considering older CPUs beyond the N95/97/100/200, a lot more devices became available. Given the downclocking issues with the N100 on BSD, those older models might actually be more power-efficient and generate less heat, even if they have a higher TDP (10W vs. 6W for the N100).

Regarding brands: I want a device that's stable and reliable for years, so I'm avoiding no-name brands. It's also important to me that others have already installed OPNSense on the device and documented their experiences. This rules out many industrial PC brands, as they don't have a large home user base or community support. As an Apple user, I'm also not familiar with BIOS configurations, so I prefer something that doesn't require too much tweaking.

I also noticed that some Mini PCs have COM ports that aren't compatible with macOS, and this isn't always clearly mentioned. To avoid running into this problem, I prefer to choose a product that explicitly states compatibility with macOS.

When it comes to brands, Deciso might be great, but their devices are too expensive for me (>500 EUR). So, I'm leaning towards Protectli, specifically the V1210 (2 ports, 4GB RAM) or V1410 (4 ports, 8GB RAM). These seem to be the successors to the FW2B/FW4B/FW4C models.

I'm still undecided on whether 4GB or 8GB RAM is necessary and if 2 or 4 ports will be sufficient. And if I need a storage NVMe or if the on-board 32GB eMMC is enough for OPNSense with ad-blocking and VPN. I don't plan to log anything.

I don't have a backup internet connection, so I'm thinking 2 ports might be enough (WAN + LAN, with a switch connected to the LAN port), but I want to make sure I'm not overlooking anything critical.

One challenge I've faced is finding specific hardware requirements for OPNSense in a home setup. There's limited information available for this kind of environment, which makes the decision-making process a bit tricky.

This will be my first time setting up a dedicated firewall, as I've been relying on my Linksys Velop for routing. The main reasons I'm making the switch are to run an adblocker and to set up a VPN that allows me to securely route my internet traffic through this device when I'm using a public Wi-Fi hotspot.

Overall, I'm hoping for a setup that will just work without issues. It's bad enough when my internet provider is down; I don't want to add more downtime due to problems with the firewall or router. Especially as other family members cannot fix these issues at all.

Again, thanks to everyone for the valuable insights shared in this thread. I really appreciate it!

I'd go with the 8GB of RAM model. Default install now uses ZFS and it will use the extra memory if it is available. My system is currently using about 6GB. And you want to use ZFS so you can use bectl.

I would suggest also looking at some of the AMD powered systems, they do seem to work fine. OPNsense hardware is AMD x86_64 based. When you can get them cheap, the HP t740 with a network card works pretty well, I ran my system at work on one of these for several months until I could free up a rack mount Xeon E3-1230v5 system for the permanent firewall. Both the T740 and the rack mount are 4c/8t and seem to always have processor available, which is just where I want it. Suricata, Crowdsec, Zenarmor free version all running through an Intel i350 made by 10GTek (some different components). So far, so good.

I will go against recommendations and say that you should have 16 GB of RAM, yes you might have a bunch "wasting" away unused, but when you get into these soldered-down RAM mini computers, there is no upgrade.

If you find a nice 6c/12t or 8c/16t fanless system that doesn't cost much, let me know because I think I may need to sell my XCP-NG lab (4 HP DL360 gen8 servers) and build something more compact, less power/heat/noise. Because I need 3 and a NAS, I need to keep the cost down as far as possible. XCP-NG prefers 4 threads for system work, which doesn't leave a lot of threads for the VMs. Yes off topic, but help would be appreciated.