Home OPNSense setup: reliable, budget-friendly fanless Mini PC suggestions?

[qarkhs]

@Greg_E You might find something on https://mitxpc.com/

[aleco]

I'd go with the 8GB of RAM model. Default install now uses ZFS and it will use the extra memory if it is available. My system is currently using about 6GB. And you want to use ZFS so you can use bectl.

Indeed, having a snapshot I can roll back to might come in very handy if I encounter issues.

Is the on-board 32GB eMMC sufficient for installing OPNsense with plugins/services like OpenVPN/WireGuard, AdGuardHome/Zenarmor, CrowdSec, or will I need an NVMe drive? I don't plan to log any traffic. Thanks!

[Patrick M. Hausen]

ZFS puts a comparably high write load on the device, which if I am not mistaken eMMC is not really designed for. I'd use a 250 G NVMe SSD with a high TBW value like the old but reliable Samsung 970 EVO Plus. Or one from Transcend - make sure to check the TBW (Terabytes Written) numbers when shopping.

[Greg_E]

If you have enough RAM, can't you use a ramdisk to cut down on the number of writes?

[Patrick M. Hausen]

But why care if you can get a device with 150 TBW at less than 60€?

[Greg_E]

True enough, besides if you get a high write drive, then the logs don't evaporate when the system reboots.

[aleco]

Thanks, everyone! I just ordered a Protectli V1410 (4 x Intel 226 NICs, 8GB) with a 250GB NVMe for 375 EUR. I’m hoping this will be solid firewall hardware for the next few years.

Honestly, I’m a bit nervous about setting up OPNsense since it’s my first time and I’m not sure what issues I might run into. I’ll need to start with the basics, like how to access a COM port from macOS, how to use dd to create a bootable USB installer, and even which CAT cables I should buy. But I really appreciate this community and trust that I’ll find the help I need if I get stuck.

[Greg_E]

There are many GUI methods to making the bootable drive, pretty sure they are listed in the getting started document.

Connect a monitor and keyboard (VGA image) to that device when you are working on it, there's your console. If not then the serial image might have SSH running and you could SSH into the device, I'd need to check the documents to be more confident on this option.


And play with it, the more you work on it, the more confidence you'll get. Don't be afraid of breaking it, the hardware will survive and the worst you'll need to do is load the OS again. There should be no circumstance where any living creatures will get harmed during your setup or configuration. If you run into a problem, connect your old system, jump online, and come ask a question.

[aleco]

Connect a monitor and keyboard (VGA image) to that device when you are working on it, there's your console. If not then the serial image might have SSH running and you could SSH into the device, I'd need to check the documents to be more confident on this option.

All I have is a MacBook Air, no external keyboard or screen. The Protectli comes with a USB-C console cable, so I’m hoping iTerm, Warp, or Terminal on my Mac will let me do everything I need, like pressing F-keys to get into the BIOS and choose the boot disk. It’s probably straightforward, but it’s all new to me.

And play with it, the more you work on it, the more confidence you'll get. Don't be afraid of breaking it, the hardware will survive and the worst you'll need to do is load the OS again. There should be no circumstance where any living creatures will get harmed during your setup or configuration. If you run into a problem, connect your old system, jump online, and come ask a question.

Once I set up the firewall, I’ll need to switch my Linksys Velop Mesh from router mode to bridge mode. The tricky part is, I can’t test if the firewall is properly configured until I make that switch. Only then can I connect my MacBook Air or iPhone to check if I can access the internet. If I mess up the OPNSense setup, I’ll have to use my iPhone as a hotspot to troubleshoot. Since the Velop doesn’t save settings when switching modes, there’s no easy way to revert to router mode and bypass the new OPNSense firewall.

With two people in my household relying on the internet for their home office work, any downtime would be a problem. I’m really hoping to have everything up and running in one (long) evening.

[Greg_E]

The port on the protectli might do what you need, I've never used that device. But if it is like the network switches, you should be fine.

[qarkhs]

@aleco

Home Network Guy has a lot of useful guides. Maybe start here: https://homenetworkguy.com/how-to/install-and-configure-opnsense/

This was from 2 years ago so some parts may be a little dated (e.g. ZFS is now the default install).

[cookiemonster]

All I have is a MacBook Air, no external keyboard or screen. The Protectli comes with a USB-C console cable, so I’m hoping iTerm, Warp, or Terminal on my Mac will let me do everything I need, like pressing F-keys to get into the BIOS and choose the boot disk. It’s probably straightforward, but it’s all new to me.

yes, that is how it works. not sure if iTerm can do it bu cu will. I'm almost sure.
The key for the preparation is to map your equipment with a diagram. Pen and paper. You also need to know how your ISP requires you to dial and authenticate. PPoE creds, VLAN on WAN, that sort of thing.

[Greg_E]

What about running PuTTY? While this link assumes SSH, you should be able to use a serial connection with PuTTY as well https://www.ssh.com/academy/ssh/putty/mac

Can you install Minicom (apparently yes with homebrew https://www.ssh.com/academy/ssh/putty/mac ), I like this for serial port work on a linux device, but PuTTY also works on Linux.

On Windows I like Teraterm for serial and SSH, just something I used when XP or 95 shut down the built in serial terminal and I had to make a change. So yes a long time ago. But I can navigate PuTTY on Windows as well. And the Windows 11 Terminal application works for a lot of things and I'm becoming happy with it (you can add bash to it if you want).

[lp24db]

My actual OPNSense is a Fujitsu Futro S920 Thin Client with 8G Ram and upgraded with a quad GiG Intel PCIeX4 low profile card. (you may only use a dual card or single) All you need extra is a PCIe 90° PCI Riser or cable. Get rid of the internal speaker and the quad card fits perfect.

The AMD GX-415GA 4c does well. Only the onboard disk-on-module is a bit slow, but its on of the cheapest fanless gear you can get.

In use here with that unifi wifi stuff and a 400/200MBit ftth connection

Works great imo.

[Greg_E]

A step up from that Fuji would be an HP T620 which has the 420 processor in it and room for a quad port card without removing anything. That said, these T620 seem to still fetch a pretty good price, good enough that if you wait you can grab an HP T740 for the same price and have newer, faster, and probably less power draw. I don't have a power meter to measure the difference in power.

Anyone reading this and buying a T740 should search the forums for an error you will get while installing. This is a BSD error, not an OPNsense error. There is a post detailing what you need to do to work around this problem.