Single home... device?

Started by kosta, November 11, 2025, 05:26:59 PM

November 11, 2025, 05:26:59 PM Last Edit: November 11, 2025, 05:29:07 PM by kosta
Hello,
I am looking to buy some official OPNsense hardware. I am looking at either Protectli or Deciso. However, I do have one requirement, which is: 2x SFP+ for 2x 10G. I want to connect my core equipment by 2x 10G, which is both future proofing and performance. It won't be long until internet crosses the 1G boundary for homes, right now 1G is the max in my area, but I am sure it is going to go up in the next years.
Currently the firewall is connected only with a 1G link, and that is often saturated.
Usage is 4 person home, I am an IT guy however, have my own homelab and stuff, shuffling data around, so often good to have the bandwidth.
Only VPN is WG one, private devices.
I have basically narrowed it down to either:
Protectli VP2440 with N150 and 8G RAM, for €534
or
Deciso DEC750 for €799.
Besides the fact that I am getting 1 year business edition for free...
Is there some other really hard reason to get the DEC750? Not so much an issue with +€160, but I have to see the reason, honestly.

If you need (paid) support at some point because you have weird issues, having official (Deciso) branded hardware helps.

Also it's 100% made in the EU and designed and assembled by Deciso themselves. That means software and hardware are tested for each other.

I would choose Deciso hardware. I use it myself.

(Disclaimer: I work for Deciso)
Hardware:
DEC740

Quote from: kosta on November 11, 2025, 05:26:59 PM
2x SFP+ for 2x 10G. I want to connect my core equipment by 2x 10G, which is both future proofing and performance.

20Gb connected how, .1q in trunk?
Even so, that's for your internal stuff, or will all fw ifaces run over this lagg?
Just be sure you get the correct SFP modules.
Mini-pc N150 i226v x520, FREEDOM

Thank you both. Exactly why I said Protectli and Deciso, I don't want some China-ware, both these devices are made in EU and have support, firmware etc.

Aggregated/trunked VLANs, yes. 3 links, one for WAN, and two trunked to the switch, which also has 4 SFP+ (Aruba Instant On 1930). And I would also like to connect the server with twin 10G. In that case, all internal interfaces go over a single trunk/lagg. And then two 10G links that go to my main server with Proxmox.

I have a DEC750 and I absolutely love it. Core connection is 2x 10G with DAC in an LACP bundle to my Mikrotik switch. All internal networks are VLANs on top of that. WAN is one of the 3 1G interfaces to my DSL modem.

Necessary? No. Nice to have? Absolutely!

Creating YAV (yet another VLAN) is a matter of less than 5 minutes. I just love the flexibility. All "servers" are connected with 2x 1G LACP and also VLANs on top of that (jails, VMs, Docker, ...) and the regular systems with a single 1G port.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Regarding the brand choice alone, a year ago I switched from Hunsn to a Deciso box, the 697 with 4 x 2.5Gb suiting my needs. In addition to your caution about where it was made, my two principal reasons were firstly the best assurance I could get that new versions of OPNsense would run without having to worry about device compatibility, and secondly it was a handy way to support Deciso/OPNsense beyond donations. Having used it a year, I will stick with Deciso gear when I need to change.

Not as prior distinctions but from experience, I have found its thermal performance to be excellent and as a strawberry on the cake they are also aesthetically quite neat.
Deciso DEC697

Four 2.5Gb ports where three are in lagg (that's 7.5Gb worth) for internal vlans, and then one 2.5Gb to the wan device, seems like plenty-proof.

4x2.5 is 10Gb, and that's a half duplex spec, can an OPNsense router handle 20Gb of throughput with 15Gb of that in a lagg? I doubt it.
The 2x10Gb is 40Gb of throughput, that's a lot of room, but not likely to get there on an OPNsense fw-router. The DEC2687 is only rated 5Gb, 3852/62 17.4Gb.

Also to note, if everything rides lagg (lan wan, etc), then your lan-wan wan-lan is a 2x hit on the lagg as lan-to-wan wan-to-lan has to go down lagg to fw, cross fw, then back up lagg to switch to reach the wan dfg, and vice-versa. A 1Gb stream from internet is 2Gb on the lagg.

I would probably choose a 4x2.5 over using 2x10Gsfp. Why? Less headache, less parts, less costly, less power, all copper.

Duly noted, published NIC speeds are deceiving these days. The spec should indicate the half-duplex speed, so full-duplex is 2x that, however, many NICs cannot achieve 2x half-duplex max speed, and often attaining that rated speed does not happen when full duplexing traffic. As an example, the i226V likely cannot do symmetric 1.25Gb, but it probably can get close to 2.5Gb half-duplex. Welcome to the world of NIC vendor BS and hype. ;)
Mini-pc N150 i226v x520, FREEDOM

Quote from: BrandyWine on November 12, 2025, 05:09:26 AM
Four 2.5Gb ports where three are in lagg (that's 7.5Gb worth) for internal vlans, and then one 2.5Gb to the wan device, seems like plenty-proof.

It has always been recommended for the number of links in a lagg/port-channel to be a power of two. It will work with odd numbers but you won't get even distribution across all links.

See for example this part of the Catalyst 6500 documentation.
Deciso DEC750

Well, while 3x2,5 would maybe be enough performance-wise it would be less than what I have now (10G single) when it comes to server. And moreover, I have no 2,5G ports on my switch, and my SFP+ don't support 2,5G I think, so all would be a kind of patch-job. So, let's keep it simple :)

Thanks for the recommendations towards Deciso hardware.

Will chime in for a bit,

I use Chinese knockoffs mostly, but I like to punish myself. As well, the DIY aspect, it's kinda a learning curve. Anyway I would choose the official DEC, if I would not feel confident that I can make the knockoff box run.

My advice is as well, go for the DECs. They have trustworthy rated parameters from the vendor and look sexy.

Quote from: Patrick M. Hausen on November 11, 2025, 09:29:32 PM
to my Mikrotik switch

Can you tell me which one you have? I am thinking about upgrading my old Zyxel.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

November 12, 2025, 09:45:45 AM #10 Last Edit: November 12, 2025, 10:09:00 AM by Patrick M. Hausen
The CRS326-24G-2S+IN. Also available as a rack mount model.

2x SFP+, 24x 1G copper, fanless (although I put a quiet USB powered fan next to it), 200 €/$ - great bang for the buck.

I picked the desktop model because I do not have a rack. It's all on two shelf boards in the cabinet behind me in my study. That's why I also added some active airflow. If you decide to buy Mikrotik, IMHO you want RouterOS, even if you use it for layer 2 only. SwitchOS is so limited in features ... well it does switching, granted. But as you might have noticed I am an SNMP nut among other things. Observium and Rancid work great with RouterOS.
Deciso DEC750

Quote from: Seimus on November 12, 2025, 09:38:52 AM
Can you tell me which one you have? I am thinking about upgrading my old Zyxel.

How many ports? SFP or copper?

I am another one who uses Mikrotiks behind OPNsense. My switches comprise two CRS304 4 x 10Gb (+ 1Gb management port) in different places as the principal backbone and a CRS310 with 8 x 2.5Gb + 2 x SFP+ in the "server room" aka workshop. They are excellent switches, all running ROS, though I took advice and replaced the factory fan in the CRS310 with a Noctua for a quieter life.
Deciso DEC697

November 12, 2025, 10:29:22 AM #12 Last Edit: November 12, 2025, 10:34:16 AM by Seimus
Patrick & passeri many thanks for the tips. I will look them up.

Currently I run the GS1900-24E, so 24 ports copper based. I could do as well with 16P or 8P on new switch with keeping the old one, but 24P is more suitable in case I would do a drop in replacement for the old switch. This is still something I am considering (oh and I have a small rack ;))

Regards,
S.

November 12, 2025, 10:30:32 AM #13 Last Edit: November 12, 2025, 11:09:59 AM by kosta
Quote from: Seimus on November 12, 2025, 09:38:52 AM
Will chime in for a bit,

I use Chinese knockoffs mostly, but I like to punish myself. As well, the DIY aspect, it's kinda a learning curve. Anyway I would choose the official DEC, if I would not feel confident that I can make the knockoff box run.

Yeah, I punished myself enough for years now with my self-built box - which is working alright - but God forbid it's not. I really want to go as far as possible away from boxes that break when power runs out. I do have a UPS, but that also doesn't hold forever. Had two corruptions in the last two years, it's just a pain to fix. I would hope some dedicated HW box can do that better. Does it maybe come with PLP? Thought of making a self-built one with PLP alright, but simply thinking whether getting a pre-built box might be a better idea. The cost of self-built with PLP would be lower also. But it surely consumes more power, on the other side.

Can you tell me what is the typical procedure if something happens to the OS? Like say you can't access it any more... reset? I see console per USB... how does that work?

Quote from: kosta on November 12, 2025, 10:30:32 AM
Yeah, I punished myself enough for years now with my self built box[...]

I'm doing that now, but it's a hobby. If you don't get your jollies from that punishment, the official appliance is the way to go. You can always change your mind later, and you still have a usable device - the Deciso box doesn't transform into a brick if you let support lapse, unlike most appliances. I replaced a Fortigate 61E, and I can't give the thing away - proprietary hardware, and Fortinet would want the last 2+ years of support paid for before they'd reactivate the device.

Quote
[...]Had two corruptions in last two years[...]

Ouch. Were those with OPNsense? OPNsense doesn't do much with the file system - normally I'd expect some corrupted logs at most. As far as PLP, I generally use SSDs with big caps, but of course all they'll do is write the buffer on the SSD, not the system ARC. I've had some poorly-behaved UPSs, that say "batteries are great" even after they die during a self test, and never had a file system go bad on me. Not even an NTFS machine with three levels of cache (system, controller, and SSD) and no PLP (consumer SSDs). Just luck?