Should I use Opnsense?

Started by Herdie27, July 28, 2025, 07:52:56 AM

First off, this isn't a question of choosing Opnsense over something else.

This is a question of, should I take on another thing that I have to manage? When it doesn't work for a technical problem I'll be the only one who can fix it. When it needs updating I'll be the only one doing that.

Here's my position, I really like this stuff but I can't necessarily always dedicate as much time as I would like. I'm a photography/ videography professional and I already run my own Unraid server to store my footage, stream media, and that can take up time and expertise I may not have and when something goes wrong I end up dedicating days so I know what I'm doing. I like doing it, on my own time, but when things go wrong, I have no choice, things need to get fixed now.

So when it comes to Opnsense I'm hoping I can get some insight from you folks on the forum.
Firstly, I've been doing a lot of research on components and that's already taken a lot of time. So I'll ask about that now.
1. I have an Intel 4770k, an atx motherboard, with 4 sticks of 4GB ddr3 1600mhz ram, a tower cooler measuring 150mm tall and all I need is a NIC with dual 2.5GB. However, I have a few questions.
1a) Does my RAM speed matter?
1b) Any suggestions for a case? The case I have for this possible Opnsense system is huge. Getting a smaller cooler is fine as well and isn't expensive.
1c) If I want to make this router nice and small I'm spending a decent amount of money. New itx case, itx motherboard, wireless access point, new ram since I'm limited to 2 sticks in a itx case (please advise on 8GB vs 16GB), and powersupply since I don't need the old 850W and it starts to add up fast, so...is it worth it? Time and money? I'm not sure and want to get the perspective of

2. I can do a fair bit of reading and do the tutorials, etc, etc.
2a) But at the end of the day is having an Opnsense router a lot of work? Is most of the work upfront?
2b) Can I set it and forget it?
2c) Will it just be periodic updates by just doing a few clicks?
2d) Will I even notice the difference with my internet? And what about added security?...worth it?

One of my goals is to simply not throw away an old Intel chip that can be used for something genuinely useful. Added security would be nice.
3. So in short, any suggestions on hardware?
4. Is Opnsense a hobby you put time into? Or a means to an end? (Plus being a very part-time network technician)

Sorry for the extended post but after doing some research I feel like this might be more time and money than it's worth. Would like some advice on things.

July 28, 2025, 09:02:05 AM #1 Last Edit: July 28, 2025, 10:49:15 AM by meyergru
Finally one that has the correct approach, asking questions before thinking: "Everyone is doing it, why can't I?"

To answer your questions:

Quote from: Herdie27 on July 28, 2025, 07:52:56 AM
1a) Does my RAM speed matter?

Not really, unless you have more than 1 Gbit/s speed.

Quote from: Herdie27 on July 28, 2025, 07:52:56 AM
1b) Any suggestions for a case? The case I have for this possible Opnsense system is huge. Getting a smaller cooler is fine as well and isn't expensive.

No, this only depends on the space you can put it in.

Quote from: Herdie27 on July 28, 2025, 07:52:56 AM
1c) If I want to make this router nice and small I'm spending a decent amount of money. New itx case, itx motherboard, wireless access point, new ram since I'm limited to 2 sticks in a itx case (please advise on 8GB vs 16GB), and powersupply since I don't need the old 850W and it starts to add up fast, so...is it worth it? Time and money? I'm not sure and want to get the perspective of

This is clearly a tradeoff. However, you should consider that using modern hardware will save you money with a device that is running 24/7. Depending on your local energy cost, buying a new china box with a N100 or N150 will amortize its costs over three years of operation, so I see no good reason to reuse old hardware that usually uses more power.

Quote from: Herdie27 on July 28, 2025, 07:52:56 AM
2. I can do a fair bit of reading and do the tutorials, etc, etc.
2a) But at the end of the day is having an Opnsense router a lot of work? Is most of the work upfront?

Yes. Depending on your networking knowledge, you should plan at least a week for first setup. Also, this is not just "following tutorials", as experience has shown. Many of the tutorials out on YouTube and the wider internet are of questionable quality and do not fit all needs.

I would strongly suggest to read this now and then look at the first two pages of the tutorial section to get a first impression of what lies ahead of you.

Quote from: Herdie27 on July 28, 2025, 07:52:56 AM
2b) Can I set it and forget it?

No. OpnSense being a security appliance, it has to be kept updated. Frankly speaking, if you do not buy the business licence, you will be the guinea pig for the community version - sometimes, upgrades will break things.

Quote from: Herdie27 on July 28, 2025, 07:52:56 AM
2c) Will it just be periodic updates by just doing a few clicks?

Not realistically, see above.

Quote from: Herdie27 on July 28, 2025, 07:52:56 AM
2d) Will I even notice the difference with my internet? And what about added security?...worth it?

That is two questions:

1. Is OpnSense an add-on to security?

Probably, if you need the features. Otherwise, any hardware store variety of router can do NAT and shield your network from outside access.

2. Do you need to keep OpnSense current?

That is a philosophic question. Do you update your current router? There have been many examples of security leaks caused by routers and firewalls in the past. Because OpnSense is a complex product, there are a lot of chances something goes wrong; this applies both to the features you use and to the components OpnSense is made of.

Quote from: Herdie27 on July 28, 2025, 07:52:56 AM
One of my goals is to simply not throw away an old Intel chip that can be used for something genuinely useful. Added security would be nice.
3. So in short, any suggestions on hardware?

See above. I think you would have to invest anyway to make your old system less power-hungry, probably more than just to buy a dedicated appliance.

An old desktop can be put to better use as a Proxmox server with internal storage, IMHO. You can then build a homelab (which is another time-consuming hobby in itself), even letting you operate OpnSense as a VM on top of that. Energy and cost-wise, that would be a much better way of repurposing your old PC. However, this is even more complex to set up than a bare-metal installation.

Quote from: Herdie27 on July 28, 2025, 07:52:56 AM
4. Is Opnsense a hobby you put time into? Or a means to an end? (Plus being a very part-time network technician)

I think it is a hobby. For me, it is.

Quote from: Herdie27 on July 28, 2025, 07:52:56 AM
Sorry for the extended post but after doing some research I feel like this might be more time and money than it's worth. Would like some advice on things.

If you want a new hobby or have specific security needs, go for it, there is nothing much better.

In fact, there are a lot of features that many other routers do not offer, like:

a. different VPNs (OpenVPN, IPsec, WireGuard)
b. reverse proxies (Caddy, Nginx, HAproxy, Apache) including ACME certificates
c. proper DNS (Unbound, DNSmasq, others)
d. separation of security zones via VLANs (if your switches and APs allow it)

Remember that for each nice feature, you have to set it up (securely), so what sounds flashy first, may turn into a multi-day journey to set up and keeping it up-to-date later on.

If you are just a home user, you will be better off buying a dedicated, yet more limited product like a Fritzbox, that is updated when there is need and uses much less power. Plus, you can install and forget it.

Repurposing an old PC or "going with the flow" is not a good sole reason to use OpnSense, IMHO. Sure thing is that you will find yourself either:

1. having found a new hobby inadvertently, with steep learning curves about networking
2. giving up frustrated
3. ignoring all advice and installing the device in a suboptimal manner, causing security risks, probably leaving your installation untouched for years after installation.

I have seen all. Choose your poison.

P.S.: I know that there were no hardware recommendations in here besides buying a china box. If you still want to repurpose your old PC, avoid using Realtek adapters at all cost, and consider a smaller, modern power supply like a picoPSU.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

For me things always go along the line: Problem -> Solution.

If *sense is not the solution to any of your problems, don't do it.

Or start thinking new, if you don't see the problem with Fritz*-things or alike plastic routers (sometimes pawned by your ISP) ;-)

Then *sense is a very, very versatile tool with a steep learning curve, which can solve many problems. At the same time it needs some time and intellectual effort to get it started and maintained over the years.
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

You do not describe any special requirements so the Fritzbox or equivalent option could be good.

It seems to me that wanting to build your own machine while not distracting from your real work is inconsistent with not wanting to invest too much effort in Opnsense software.

If you think there is any chance you might want to exploit some aspect of Opnsense in the future, you could buy a Deciso box with business licence for something closer to an OOB solution with reliable and suitable hardware, lower maintenance effort, updates for security rather than for the leading edge.

My situation is somewhere in the substantial space between yourself and meyergru. I like playing and learning with routers yet I want something I can afford to ignore for a while, so I run the CE edition on Deciso hardware despite holding a current business licence.
Deciso DEC697

Most of the questions were very nicely explained and expanded by @meyergru

Quote from: Herdie27 on July 28, 2025, 07:52:56 AM
4. Is Opnsense a hobby you put time into? Or a means to an end? (Plus being a very part-time network technician)

Well this is an interesting one. I would say it's both, but mostly hobby. Running anything extra at a homelab other than an off-the-shelf router can be considered a hobby. We are doing it not because we can but because we want to, want to learn, want to have control and want to participate.

In theory you can just set it up and forget about it. But what's the point then? Just use an off-the-shelf router...

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

July 28, 2025, 04:29:00 PM #5 Last Edit: July 28, 2025, 04:33:43 PM by OPNenthu
Quote from: Seimus on July 28, 2025, 10:32:20 AM
In theory you can just set it up and forget about it. But what's the point then? Just use an off-the-shelf router...
The problem with these is arbitrarily short supported lifetimes before they go EOL and become susceptible to this kind of crap:

https://www.securityweek.com/us-gov-disrupts-soho-router-botnet-used-by-chinese-apt-volt-typhoon/
https://www.pcmag.com/news/us-disinfects-routers-that-china-allegedly-used-for-hacking
https://www.justice.gov/archives/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical

(In this instance, the US govt. demonstrated its ability to infiltrate consumer devices on court order.)

Vendors haven't given us a great reason to trust that they can make secure products:

https://www.reddit.com/r/HomeNetworking/comments/kdf3wv/the_superuser_password_for_the_tplink_archer/
https://nvd.nist.gov/vuln/detail/CVE-2024-57040

There are many more examples.

At least with OPNsense you control the root account!  I also have (at least more) confidence that none of the base system components contain hard-coded credentials.
"The power of the People is greater than the people in power." - Wael Ghonim

Site 1 | N5105 | 8GB | 256GB | 4x 2.5GbE (I226-V)
Site 2 |  J4125 | 8GB | 256GB | 4x 1GbE (I210)

July 28, 2025, 04:45:40 PM #6 Last Edit: July 28, 2025, 04:50:03 PM by meyergru
Read again what I wrote: OpnSense is just as insecure as an off-the-shelf (i.e. unsupported) router if you do not update regularly.

That is mostly because you trade in security-by-obscurity in commercial products for an open source based product like OpnSense, which in turn can be easily analyzed for weaknesses. These exploits can and will be found after some time has passed, which makes it all the more essential to update.

That holds true for the whole stack of software that is underneath OpnSense.

You gain the certainty that there is no built-in backdoor, true. But official actors have the means to employ 0day exploits as well, so they are not reliant on backdoors.

And lastly, products such as Fritzboxen are usually well supported.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

@meyergru but also if you just run the default setup - allow and NAT anything out, block anything in on WAN, I do not see much risk with just hitting "update" for every new release. Like you would with a Fritzbox, too.

In my experience problems after upgrades almost always concerned more special use cases.

Use ZFS and snapshots and you should be fine.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

The only maintenance that an OPNsense instance needs is the regular banning of IPs/subnets if you are so inclined. You do not have to do it if you do not want to spend time or do not have a policy. I am under a policy, so I have to block some types of access, and this is why I mention this task.

As to hardware, FreeBSD-based routers are very forgiving to it. Your config will be redundant as long as you use a high-quality Intel or other enterprise-class NIC. If you face SSL high-traffic, an instruction set that supports HW acceleration is beneficial but not really necessary. Your use case unlikely fits this description, so 4770 will certainly suffice. My router never uses more than 2GB of RAM, but I also do not run intrusion detection or other bells and whistles - just a plain router-firewall.

Maintenance-wise, an OPNsense instance is not too different from any Cisco, MikroTik, or Juniper. If you want flexibility and the best user-friendliness of the admin UI, OPNsense has no equals.

Then again a default setup does not warrant the use of OpnSense, anyway... ;-)
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

True, but again only if you believe that off-the-shelf products have at least comparable competence and execution in secure design.  It's not just about having a "default deny" policy on a firewall.  It's also about not actively helping bad actors to have a constant supply of back doors.

I'm not suggesting that FreeBSD or OPNsense are immune to exploit (to say nothing of firmware).  It's just my impression that they don't go out of their way to do obviously stupid things in the name of plug-and-play convenience.  They also don't create e-waste or leave you hanging by choosing to deny you updates after 2-3 years.

Of course Deciso could go out of business and stop developing OPNsense, but I'll hope not. :)
"The power of the People is greater than the people in power." - Wael Ghonim

Site 1 | N5105 | 8GB | 256GB | 4x 2.5GbE (I226-V)
Site 2 |  J4125 | 8GB | 256GB | 4x 1GbE (I210)

July 28, 2025, 07:56:38 PM #11 Last Edit: July 28, 2025, 08:55:38 PM by BrandyWine
There's a small matrix for OPNsense.

Buy OPNsense device + biz lic
Buy OPNsense device + free community lic
Buy xyz + biz lic
Buy xyz + free community lic

Nobody escapes 100% from any vulns/problems/0day from any option, and it's no different than buying other makes/models/names, etc.
To what level of risk you are willing to take is up to you. Least risk is probably OPNsense device + biz lic, but costs more. Lowering risk usually costs more.

I run OPNsense on xyz + community (see https://forum.opnsense.org/index.php?topic=48166.0). 2.5Gb copper, 10Gb sfp. Seems to work ok. I now need to keep an eye out for OPNsense vulns by monitoring MITRE CVE and NIST NVD (e.g. https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:a:opnsense:opnsense:25.7:*:*:*:*:*:*:*). You can use the BSD part of the OPNsense install to create a script that uses the API to comb various databases for related OPNsense issues, and then that script can email you a notice, or even throw you a popup message when you login to the web gui. See, right there you have flexibility over other router items.

The argument "should I take on a new thing to manage" is a bit of nuance in logic, because that statement applies to anything being "new". A simple upgrade of anything means you are taking on something new. 

Should you use OPNsense? Who knows, what are your choices, pros & cons to everything. I bought a N150 mini pc, china made item, I have no clue as to the quality, I'm not relying on the few Amazon reviews, it may burn up on me in 30d, maybe 6mo, or maybe never. But I know enough that keeping it as cool as I can means it should last longer, but how much longer I have no idea. I went in under the cover to take a look at the PCB, it looked fairly decent, it was not hand soldered, etc. Obviously my choice means it's a device that is not servicing high value stuff, if it dies I just buy something else and rebuild.
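The monitoring script BrandyWine describes above, as an added example that is not BrandyWine's own code or anything shipped by OPNsense: it builds the NVD CVE API 2.0 query for the CPE name quoted in the post, flattens one page of results into a list, keeps only entries not reported before (so a cron job mails each CVE once), and renders a plain-text notice. The network call is isolated in `fetch_cves()` and is not invoked when the file runs stand-alone; instead a constructed `SAMPLE_RESPONSE` in the NVD 2.0 shape with placeholder CVE ids drives the demo. The `min_score` threshold and the `seen_ids` bookkeeping are my assumptions about how one would use it, not anything the thread specifies.

```python
"""Parse an NVD CVE API 2.0 response for the OPNsense CPE into a notice.

Added example, not BrandyWine's script. Only SAMPLE_RESPONSE (constructed)
is used when run directly; fetch_cves() is the sole network call.
"""
import json
import urllib.parse
import urllib.request

NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"
# CPE name as quoted in the thread; the version segment is what you would bump.
OPNSENSE_CPE = "cpe:2.3:a:opnsense:opnsense:25.7:*:*:*:*:*:*:*"


def build_query_url(cpe_name: str) -> str:
    """Return the NVD 2.0 query URL for one CPE name, URL-encoded."""
    return NVD_API + "?" + urllib.parse.urlencode({"cpeName": cpe_name})


def fetch_cves(url: str, timeout: int = 30) -> dict:
    """Fetch and decode one page of results (network; unused in the demo)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def cvss_score(cve: dict):
    """Pick the newest CVSS metric present: v3.1, then v3.0, then v2."""
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        for m in metrics.get(key, []):
            data = m.get("cvssData", {})
            if "baseScore" in data:
                # v3 carries baseSeverity inside cvssData, v2 one level up
                sev = data.get("baseSeverity") or m.get("baseSeverity") or "UNKNOWN"
                return float(data["baseScore"]), sev
    return None, "UNKNOWN"


def parse_report(payload: dict, min_score: float = 0.0) -> list:
    """Flatten the response, drop scores below min_score, newest change first."""
    entries = []
    for item in payload.get("vulnerabilities", []):
        cve = item["cve"]
        score, severity = cvss_score(cve)
        if score is not None and score < min_score:
            continue
        desc = next((d["value"] for d in cve.get("descriptions", [])
                     if d.get("lang") == "en"), "")
        entries.append({"id": cve["id"],
                        "published": cve.get("published", ""),
                        "lastModified": cve.get("lastModified", ""),
                        "score": score, "severity": severity,
                        "description": desc})
    entries.sort(key=lambda e: e["lastModified"], reverse=True)
    return entries


def unseen(entries: list, seen_ids) -> list:
    """Keep only CVEs not already reported (assumed state file of ids)."""
    seen = set(seen_ids)
    return [e for e in entries if e["id"] not in seen]


def format_notice(entries: list) -> str:
    """Plain-text body for an e-mail or a login banner."""
    if not entries:
        return "No new OPNsense CVEs."
    lines = [f"{len(entries)} new OPNsense CVE(s):"]
    for e in entries:
        score = "n/a" if e["score"] is None else f"{e['score']:.1f}"
        lines.append(f"- {e['id']} [{e['severity']} {score}] modified {e['lastModified']}")
        lines.append(f"  {e['description']}")
    return "\n".join(lines)


# Constructed sample in the NVD 2.0 shape; the CVE ids are placeholders, not real.
SAMPLE_RESPONSE = {
    "resultsPerPage": 2, "startIndex": 0, "totalResults": 2,
    "format": "NVD_CVE", "version": "2.0",
    "vulnerabilities": [
        {"cve": {"id": "CVE-2099-00001",
                 "published": "2099-01-05T10:00:00.000",
                 "lastModified": "2099-01-06T08:00:00.000",
                 "descriptions": [{"lang": "en", "value": "Constructed: low-impact issue in the web GUI."}],
                 "metrics": {"cvssMetricV2": [{"cvssData": {"baseScore": 4.3}, "baseSeverity": "MEDIUM"}]}}},
        {"cve": {"id": "CVE-2099-00002",
                 "published": "2099-02-01T09:30:00.000",
                 "lastModified": "2099-02-03T12:00:00.000",
                 "descriptions": [{"lang": "en", "value": "Constructed: critical issue in a base component."}],
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
    ],
}


if __name__ == "__main__":
    print(build_query_url(OPNSENSE_CPE))
    report = unseen(parse_report(SAMPLE_RESPONSE), seen_ids={"CVE-2099-00001"})
    print(format_notice(report))
```

To go live, replace `SAMPLE_RESPONSE` with `fetch_cves(build_query_url(OPNSENSE_CPE))`, persist the ids you have already mailed, and hand `format_notice()`'s output to whatever mailer the box has; NVD also rate-limits unauthenticated clients, so a daily cron run is plenty.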

For the OP a question begs,

What are your future lookups with a FW/GW?

OPNsense has a ton of features (VLANs, VPNs, RProxy, Captive portal, DHCP/NTP servers, etc.); if you can imagine that you would in time need one of these features, then you should go with OPNsense.

I have friends who have been looking to replace their off-the-shelf and most of them ended on OPNsense instead due to a few reasons:
1. Money/performance ratio
2. Longevity
3. Features

Usually most of the people are interested in 1. and 2., because they want the most for their buck. Point 3. they started to explore as they explored OPNsense, realizing they need VLANs, VPNs etc.; the fact they had a system capable of this made it easy for them and made them learn.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD


Hey all, I really appreciate all the responses they're very helpful! There's a few things that are going through my mind.

1. I can take things one at a time and simply start with a good, fast router, adding on additional features later for simplicity's sake.
This will still take some time since I'll do a ton of reading and listening in order to understand what settings control what and getting to know how things work.

2. There were a few comments on a regular desktop chip consuming a lot of power compared to prebuilt options. I'm sure this is possible, but has anyone ever tried tuning a desktop chip to be as efficient as possible in order to sip power? Ultimately saving a buck.

3. What about solutions to get notifications of opnsense updates? Whether through email, rss feed, etc? If I can get a notification on my phone to update opnsense and jot it down in my notes app or something that would be of great help! I'm sure there's many ways to do something like that.

Again, thank you all for being gracious about your time, especially meyergru. I always hate to bother a forum with a long question/s with no solid answer. As much as I'm into this stuff and other things like it, it can get to be a lot if you're not experienced enough yet.