Advice for networking newbie - setup & hardware choice

Started by jhob101, January 08, 2025, 12:21:21 PM

Hi all,  I've been thinking more that I need to secure my home family network and my research has led me to opnsense (mainly thanks to Dave Plummer).

I'd appreciate a little advice about if needs can be met by opnsense and would perform well on the hardware I'm intending to purchase.

I'm a techie (self employed web dev) but have never enjoyed networking and found getting it configured right to be a struggle, and debugging issues hit & miss.  Although I am slowly picking up knowledge and more confident than I was. 

Last time I tried something similar, setting up DD-WRT on a TP-Link Archer C7 I had to factory reset the ISP router/modem as I ended up with no working DHCP server on the network!  I gave up at that point.

Anyway I would like to get a mini pc to put behind the ISP modem and put opnsense on it to act as:

  • an IDS/IPS
  • firewall
  • switch (raspberry pi on one port and tenda mesh WiFi network is all that would be connected)
  • DHCP server inc port forwarding
  • vlan config to separate IOT (security cameras, TV etc), guest, adult & child networks
  • Content filtering/monitoring to keep some of the darker corners of the net away from my kids
  • Useful metrics so I can analyse any bottlenecks & see where bandwidth is being consumed
  • Optimise network conditions for gaming rigs (mainly Xbox) for low latency/jitter

I'm in the UK and we're on a 300MB FTTP connection. Behind the OPNSense box would be a Tenda MW12 mesh wi-fi network.

I'm intending to put it on a 4 port N100 8gb ram, 128GB NVMe, this one: I just found this on AliExpress: https://a.aliexpress.com/_EItqu6s

The questions I have are:
  • Can Opnsense do all that I've outlined?
    My research tells me it can, but I'm aware that what's possible in practice is often different to what's possible in theory.  Coupled with my limited networking experience too, I'd need it to be relatively straight forward to set up, although I wouldn't do everything all at once, just get the basics right and build from there as my knowledge grows.
  • Is that hardware I'm proposing to buy suitable for the workload? Are there alternatives I should consider?
  • Can anyone point me in the direction of beginners/idiots guides to getting the sort of thing I'm after set up?
  • Could I do anything useful with the TP-Link DD-WRT router in the network in tandem with the OPNSense box?
  • Anything else I need to consider but haven't mentioned?

I also see this as a fun project to learn more and gain a deeper understanding about networking concepts.

TIA for any replies!

For a 300 MB FTTP connection, pretty much any hardware will be sufficient. You'll get more advice on the merits of N100 versus other choices relating to efficiency and power use.
For your requirements, some remarks:
  • an IDS/IPS
No problem.
  • firewall
No problem.
  • switch (raspberry pi on one port and tenda mesh WiFi network is all that would be connected)
Can be done but ideally get yourself a cheap switch from Amazon. It'll be more efficient at the expense of another power socket used.
  • DHCP server inc port forwarding
No problem.
  • vlan config to separate IOT (security cameras, TV etc), guest, adult & child networks
No problem. VLANs require a managed switch.
  • Content filtering/monitoring to keep some of the darker corners of the net away from my kids
No problem. Zenarmor, AdGuard Home are options. All free and integrated.
  • Useful metrics so I can analyse any bottlenecks & see where bandwidth is being consumed
Limited metrics built in and only/mainly point in time. For better, you need something external, but OPN can send metrics out to those systems, i.e. a monitoring stack.
  • Optimise network conditions for gaming rigs (mainly Xbox) for low latency/jitter
Limited. OPN is not domestic but commercial grade, so no built-in optimisations for gaming. Those require manual tuning and looking around for tutorials, forum posts, etc. This is on the user.

    Quote from: cookiemonster on January 08, 2025, 12:40:15 PM
    For a 300 MB FTTP connection, pretty much any hardware will be sufficient. You'll get more advice on the merits of N100 versus other choices relating to efficiency and power use.
    For your requirements, some remarks:
    • an IDS/IPS
    No problem.
    • firewall
    No problem.
    • switch (raspberry pi on one port and tenda mesh WiFi network is all that would be connected)
    Can be done but ideally get yourself a cheap switch from Amazon. It'll be more efficient at the expense of another power socket used.
    • DHCP server inc port forwarding
    No problem.
    • vlan config to separate IOT (security cameras, TV etc), guest, adult & child networks
    No problem. VLANs require a managed switch.
    • Content filtering/monitoring to keep some of the darker corners of the net away from my kids
    No problem. Zenarmor, AdGuard Home are options. All free and integrated.
    • Useful metrics so I can analyse any bottlenecks & see where bandwidth is being consumed
    Limited metrics built in and only/mainly point in time. For better, you need something external, but OPN can send metrics out to those systems, i.e. a monitoring stack.
    • Optimise network conditions for gaming rigs (mainly Xbox) for low latency/jitter
    Limited. OPN is not domestic but commercial grade, so no built-in optimisations for gaming. Those require manual tuning and looking around for tutorials, forum posts, etc. This is on the user.

    Brilliant, thanks so much for that - exactly the sort of info I was after.

    For the managed switch, I think the TP-link dd-wrt router could be configured as a switch, which would solve that one I guess?  Could all of the vlan config still be done from OPNSense in that scenario?

    The gaming thing is mainly my son complaining about lag when playing EA FC25.  I'm also considering putting a wired ethernet connection into his bedroom for the xbox.  His room is conveniently located right above the router so shouldn't be too hard to route.

    Part of my problem is just not knowing enough about networking, or having metrics to analyse, to know what's causing the lag.


    > For the managed switch, I think the TP-link dd-wrt router could be configured as a switch, which would solve that one I guess?  Could all of the vlan config still be done from OPNSense in that scenario?

    If DD-WRT can be used as a non-managed switch then yes, you just use it to expand to its ports. So if it has 4 ports, you use one to connect to OPN and you gain 3 ports on it, using one power point.
    If DD-WRT can be used as a managed switch, then you can use VLANs.
    No managed switch, no VLANs. Simple.

    January 08, 2025, 02:31:37 PM #4 Last Edit: January 08, 2025, 02:33:31 PM by jhob101
    Quote from: cookiemonster on January 08, 2025, 02:14:00 PM
    > For the managed switch, I think the TP-link dd-wrt router could be configured as a switch, which would solve that one I guess?  Could all of the vlan config still be done from OPNSense in that scenario?

    If DD-WRT can be used as a non-managed switch then yes, you just use it to expand to its ports. So if it has 4 ports, you use one to connect to OPN and you gain 3 ports on it, using one power point.
    If DD-WRT can be used as a managed switch, then you can use VLANs.
    No managed switch, no VLANs. Simple.

    Great, thanks for that.  I did look into it earlier to see if DD-WRT can do a managed switch, and it can, but it seems a bit complex to set up, so for the price of a managed switch I think it would be easier to just get a cheap one off Amazon, like this TP-Link one as you suggest.

    Presumably I would assign a port on the switch to a VLAN, not necessarily have anything connected to it, but be able to assign a virtual WiFi network to the VLAN and for them to have an IP allocated in that VLAN's range by OPNSense.  Have I understood that correctly?

    For that switch, you might need to disable Energy saving on ports (it puts them in some sleep mode and leads to disconnections). One to think about if it causes problems.

    > Presumably I would assign a port on the switch to a VLAN, not necessarily have anything connected to it, but be able to assign a virtual WiFi network to the VLAN and for them to have an IP allocated in that VLAN's range by OPNSense.  Have I understood that correctly?
    There are two things to unwrap.
    First one is VLAN setup. You need to set one port on the switch as trunk, that means ALL traffic on it is tagged. That is what you connect to OPN. Then the rest of the ports are set in access mode untagged. That means the client, say a PC on that port, will send the traffic in untagged and the switch will add the appropriate tag that you decide to give it.

    Now the second point. The next port (from the paragraph above) might have a different tag. So if you plug a "normal" WiFi access point into the port, then ALL the wifi clients will have that traffic tagged.
    There are APs (Access Points) that support a better setup with multiple SSIDs that can be assigned to separate VLANs but you need to search for those.

    So, long way to say, yes you got it correct. WiFi clients on the port of the switch with tag XX will be on a different network to clients on the next port of your OPNsense (unbridged) and on the same network as the other port(s) of the managed switch if on the same VLAN.
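The trunk/access behaviour described above, as an added example that is not from this thread: a small Python model of an 802.1Q switch with one trunk port (every frame tagged, the port facing the OPNsense box) and access ports where the switch itself applies the port's tag. Port names, VIDs and MAC addresses below are constructed for illustration.

```python
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800

def build_frame(dst, src, payload, vid=None, ethertype=ETHERTYPE_IPV4):
    """Ethernet II frame; an 802.1Q tag (PCP 0, given VID) is inserted when vid is set."""
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (vid_or_None, frame_without_tag) so the bridge can reason about VLAN membership."""
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != ETHERTYPE_VLAN:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]          # strip the 4-byte tag

class Switch:
    """Minimal 802.1Q bridge: trunk ports carry tagged frames only, access ports
    carry untagged frames and are tagged internally with the port's VID."""
    def __init__(self, ports):
        self.ports = ports   # name -> {"mode": "trunk"} or {"mode": "access", "vid": N}

    def ingress(self, port, frame):
        vid, bare = parse_frame(frame)
        cfg = self.ports[port]
        if cfg["mode"] == "trunk":
            return (vid, bare) if vid is not None else None   # untagged on trunk: drop
        if vid is not None:
            return None                                       # tagged on access port: drop
        return cfg["vid"], bare                               # switch applies the port's tag

    def egress(self, port, vid, bare):
        cfg = self.ports[port]
        if cfg["mode"] == "trunk":                            # re-tag for the OPNsense side
            return bare[:12] + struct.pack("!HH", ETHERTYPE_VLAN, vid) + bare[12:]
        return bare if cfg["vid"] == vid else None            # untagged, own VLAN only

    def forward(self, in_port, frame):
        """Flood within the VLAN (no MAC learning); returns {out_port: frame_on_wire}."""
        result = self.ingress(in_port, frame)
        if result is None:
            return {}
        vid, bare = result
        out = {}
        for p in self.ports:
            if p != in_port and self.egress(p, vid, bare) is not None:
                out[p] = self.egress(p, vid, bare)
        return out

# Constructed layout: OPNsense on the trunk, two IoT ports on VID 10, one guest port on VID 20.
SWITCH = Switch({"opn": {"mode": "trunk"}, "p2": {"mode": "access", "vid": 10},
                 "p3": {"mode": "access", "vid": 10}, "p4": {"mode": "access", "vid": 20}})
```

A plain access point plugged into p2 puts all of its clients into VID 10, exactly the single-tag-per-port case described above; only a VLAN-aware AP on a trunk port could map separate SSIDs to separate VIDs.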

    Thanks for that, you've been a great help.  Really appreciate it.

    Quote from: cookiemonster on January 08, 2025, 12:40:15 PM
    For a 300 MB FTTP connection, pretty much any hardware will be sufficient. You'll get more advice on the merits of N100 versus other choices relating to efficiency and power use.
    [...]

    I always recommend going for the most computing power that fits within your money, space, power, noise, and thermal budgets. It's hard to go too wrong with something like the N100, as it should meet your compute needs, and should be (relatively) inexpensive, small, efficient, quiet, and won't cook you.

    My old set of equipment (two servers, a firewall, and a switch on a single UPS) consume about 90W average - no problem in the summer. My new equipment (two servers and one or two firewalls on two UPSs) will consume more like 200W, and come summer I'll probably have to take steps to prevent... well, the fanless machine(s) and UPSs from cooking themselves. (The fan-cooled machines will just make more noise.) But it'll all be real fast!

    It seems the Archer C7 is VLAN capable using OpenWRT: https://openwrt.org/toh/tp-link/archer_c7
    It might work with dd-wrt too.

    Quote from: EricPerl on January 09, 2025, 02:35:44 AM
    It seems the Archer C7 is VLAN capable using OpenWRT: https://openwrt.org/toh/tp-link/archer_c7
    It might work with dd-wrt too.


    I just checked the Archer C7 and turns out that it was OpenWRT that I'd installed previously and not dd-wrt.  So I've just flashed it with the latest firmware.

    I've got another Archer C7 I could use in the network too.  Starting to think about how I could use them in the network.

    Also ordered a TP-Link TL-SG605E managed switch too in case the Archers didn't work out.  So I've got plenty of hardware to play around with now!

    Quote from: pfry on January 09, 2025, 12:27:27 AM
    Quote from: cookiemonster on January 08, 2025, 12:40:15 PM
    For a 300 MB FTTP connection, pretty much any hardware will be sufficient. You'll get more advice on the merits of N100 versus other choices relating to efficiency and power use.
    [...]

    I always recommend going for the most computing power that fits within your money, space, power, noise, and thermal budgets. It's hard to go too wrong with something like the N100, as it should meet your compute needs, and should be (relatively) inexpensive, small, efficient, quiet, and won't cook you.

    That's always been my philosophy when choosing laptops.  Pressed the button on the N100 8GB/128GB last night.  N100 seems to really sip power compared to the other processor options.

    I'm in the UK, never gets too toasty in the hallway where the server will live so should be ok.  I might avoid stacking anything on top of it though to improve airflow.

    I'm also in the UK (North West - plenty of snow right now) and the only personal preference is I go AMD every time I can. Especially with current and recent Intel missteps, but don't let my preferences sway you. You could have used a spare small pc if you had one lying around, all you want is two or more well supported NICs (not Realtek). You'll be good.
    p.s. you can almost always use the replaced routers as APs if they can go in bridge mode.

    Quote from: cookiemonster on January 09, 2025, 10:29:03 AM
    I'm also in the UK (North West - plenty of snow right now) and the only personal preference is I go AMD every time I can. Especially with current and recent Intel missteps, but don't let my preferences sway you. You could have used a spare small pc if you had one lying around, all you want is two or more well supported NICs (not Realtek). You'll be good.
    p.s. you can almost always use the replaced routers as APs if they can go in bridge mode.

    Derbyshire Dales here, and similar weather, baltic -7 last night!

    Yeah, Intel haven't covered themselves in glory of late.  Back in the 486/Pentium days all my PCs were AMD as you got so much more for your money.  Although my last 3 laptops have been Intel i7 of various generations.  I'm on desktop Linux now so checking support of chipsets is important, nice when stuff just works and you don't need to faff with compiling drivers etc.  Had those sort of issues with a Realtek wifi dongle I was trying to get to work, I did succeed but have since replaced it with a plug & play alternative, which I'm only using because of the awful Intel Killer wifi (soldered to the MB).

    I'll have a look and see if I can configure the openwrt routers as bridges.  Thinking I could put one in son's bedroom for his xbox, which can connect with ethernet.  Not sure about enabling the wifi though as I don't think that would work with the Tenda mesh network unless I used a separate SSID.

    I don't know about Tenda but I use eeros for mesh. All their smarts are disabled, all done by OPN. Work wonderfully BUT they are not VLAN aware, so I can't put different SSIDs on different VLANs. That's the big but only drawback.

    Quote from: cookiemonster on January 09, 2025, 03:30:37 PM
    I don't know about Tenda but I use eeros for mesh. All their smarts are disabled, all done by OPN. Work wonderfully BUT they are not VLAN aware, so I can't put different SSIDs on different VLANs. That's the big but only drawback.

    My Tendas are running in bridge mode so similar.  Couldn't see anything suggesting vlan awareness in the app. Will have to do some more research...

    I'm starting to think that my vlan plans in their current form might not be possible.