Drowning in (old) hardware trying to solidify the move to 2Gb ISP connection

Started by PlzKeepMeSafeOPN, February 04, 2026, 03:57:04 AM

Hello,
Apologies if this has been answered, I couldn't find it anywhere.

I have an odd setup I could use some help with.

Currently, I have a UDM Pro with two 10GB SFP+ ports serving as WAN. No modem, this is straight from the ISP fiber ONT. I'll be shortly moving to 2GB ISP speed.
That is connected to an unmanaged TP-LINK switch, with basic port filtering.

I had set up OPNsense on a Dell Optiplex 7070 Micro a while ago, but when I was given the UDM Pro I swapped it for the UDM Pro.
I noticed that I had, what seemed like, speed issues with the Optiplex running 1GB with any additional security tools configured, and it has NO ability to add additional NICs as there is no PCIe slot. Or rather the PCIe slot is dedicated to the NVMe slot. The max number of Ethernet ports then is 2: 1 at 1GB and 1 at 2.5GB with an NVMe WLAN adapter.

I'd like to go back to OPNsense since it would allow me to continue learning and exploring more options such as Zenarmor, IDS/IPS, DoH and other tools + customizations. I work in security, so although these tools aren't needed for home use I want to get better at utilizing and understanding them for my career.

I have a Dell R260 server with multiple 4-port 1GB cards and no SFP+ ports. It has dual 750 watt PSUs but they aren't really tapped that hard.
I was thinking of installing Proxmox and virtualizing OPNsense on this server + using it as a replacement for my current Plex server. I'd need to purchase likely 1-2 10GB SFP+ cards and/or 1-2 2.5GB Ethernet adapters in order to replace the UDM Pro with the virtualized OPNsense firewall. Power isn't crazy expensive, but coming from the UDM Pro power draw to approx 150 watt minimum for the R260 would be a significant increase. Currently paying around 11 kWh. Storage might also be an issue for this route, but I need to see if my existing drives will play nice with 1 RAID SAS array and 1 14TB SATA drive.
The R260 has 128GB of RAM and the stock dual Xeon CPUs.

The other option would be to just purchase a different firewall such as the DEC697, but I don't want to spend $800 USD.

I could also repurpose my current Plex server, an old gaming PC with an i9-9900K and a single 2.5GB NIC. I'd of course need to purchase additional NICs, but it would be possible. I could virtualize this machine as well or run bare metal. Power consumption is not likely to be an issue as it seems it shouldn't pull much more than 80 watts.

Lastly, I have a very old HP thin client with a PCIe expansion slot and 16GB of RAM, but its CPU is a quad-core GX-420CA, which I suspect will not have enough throughput to use a 2GB ISP connection and run Zenarmor etc.

I'm struggling to find what specs I'd need for a 10+ device network with IDS/IPS on, for a 2GB internet speed.

I have approx $500 USD to spend on this project, but would like to spend less if possible.

I feel like purchasing several SFP+ and 2.5GB NICs for the R260 is probably the cheapest route, but I'm concerned about power draw and fan noise.

Thoughts?


Speaking only of dedicated desktop appliances, not server platforms or VMs...

Quote from: PlzKeepMeSafeOPN on February 04, 2026, 03:57:04 AM
I'm struggling to find what specs I'd need for a 10+ device network with IDS/IPS on, for a 2GB internet speed.

If you're expecting IDS/IDP at close to the 2Gbps rate, you're looking at a DEC850 from Deciso (as per the published specs).

DEC750 gets you ~1Gbps.

DEC697 drops to ~540Mbps.

If those are out of budget, you can use them as baselines to figure what comparable CPU/memory you need and add a little bit for overhead.  The DEC appliances are efficient for networking tasks and you know what to expect, whereas general purpose mini-PCs might vary in this department.  Make sure the one you get has dedicated PCIe lanes for the NICs.

I don't use threat protection but I can tell you that for basic home networking my N5105 box is more than adequate for a 1-1.5Gbps ISP plan and idles most of the time, though I wouldn't dream to run Suricata on it.  It can saturate the 2.5Gbps links, however, it requires at least two streams (iperf3 -P 2) in order to realize that because of CPU frequency limitations on a single core.  A single stream tops out at ~1.7Gbps or less, IIRC.  That's something to consider if you use older SMB protocols for NAS shares, for example, then you might be better served with an N100/N150.

Take a look at the VP66xx series of Protectli for a more capable Suricata/ZA platform.  You're talking higher power draw and the need for active cooling, as the tradeoff with the DEC850.

February 04, 2026, 05:31:00 PM #2 (Last Edit: February 04, 2026, 05:33:51 PM by PlzKeepMeSafeOPN, Reason: clarifying information)
Thank you for your response this is very helpful.

I should add I'm not using PPPoE for the ISP connection but IPoE. That seems to be less demanding overall.

I will examine the VP66xx.

The specs to run approx 2GB with IDS/IPS (as of 2026):
Internal Storage: 256GB M.2 Solid State Flash
Memory: 8GB to 16GB DDR4
CPU Cores: 4 (max frequency 2.9GHz) to 8 (max frequency 3.1GHz)

Since these are optimized cores as you stated, how much more over-provisioning on typical general purpose CPU performance would you provide?

And if I wanted to ensure that I was able to inspect the entire amount of traffic with a 2GB ISP, should I be more closely looking to mirror the specs on the devices that can run 3.5Gbps? Just to properly estimate the headroom. Specs pulled from the DEC4240:
Internal Storage: 1TB M.2 Solid State Flash
Memory: 64GB DDR4
CPU Cores: 8 (max frequency 3.1GHz)

At this point it looks like, at the very least, a home setup will pretty much exclude any mini PC from being able to fully inspect 2Gbps of traffic.


More storage doesn't help with IDP throughput, so I wouldn't waste money there unless you have a specific need (are you virtualizing?).

RAM helps with performance up to a point, but those larger systems are designed for capacity: very large number of users, policies/tables, VPNs, etc.  Doesn't sound like that's your use case.  I think 8-16 GB of DDR4 or better is good, dual-channel if you can.  IIRC, both the DEC850 and the VP66xx are dual channel.

The CPU is the limiting factor.  IDS/IDP is CPU bound and in many cases they are single-threaded applications.  You need a CPU with high frequency in order to get the kind of throughput you are asking for, but as I'm not a user of those I would refer you to the respective forum sections for ZA and Intrusion Prevention.

I would drop an email to the vendor you are looking into and get their opinion of what kind of throughput you might expect for your use case.

Quote from: OPNenthu on February 04, 2026, 06:33:03 PM
IDS/IDP is CPU bound and in many cases they are single-threaded applications.
I am 100% sure Suricata has a config option where you assign the amount of cores/CPUs it is allowed to use: Ubiquiti made a mess with that one on their UniFi UDM models :P

Also please understand the difference between:
- Multi CPU a.k.a. multi-core support.
- Single-threaded vs. multi-threaded support.

And the fact that there are always multiple threads within any application that is just one big single thread, because otherwise a lot of applications would perform and work very poorly!! :)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)
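As an added illustration of the option nero355 is referring to (this is an example written for this page, not code from the thread or from the OPNsense project), here is the threading section of suricata.yaml that pins Suricata's management, receive and worker threads to CPU sets. The core numbers are assumptions for a hypothetical 4-core box; adjust them to the CPU you actually have. Note that OPNsense generates suricata.yaml from its own templates, so on OPNsense these keys belong in a template override rather than a hand edit of the generated file.

```yaml
# Added example (not from the thread or the OPNsense project): Suricata
# threading section for a hypothetical 4-core firewall. Core numbers are
# assumptions; map them to your own CPU before using this.
threading:
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0 ]            # housekeeping, stats and log flushing
    - receive-cpu-set:
        cpu: [ 0 ]            # packet acquisition threads
    - worker-cpu-set:
        cpu: [ "1-3" ]        # flow/detect workers: one per remaining core
        mode: "exclusive"     # each worker thread owns its core
        prio:
          default: "high"
  # Suricata creates one detect/worker thread per available core by default;
  # 2.0 would create two per core, 0.5 one per two cores.
  detect-thread-ratio: 1.0
```

Where this matters for the sizing question in the thread: with workers spread over cores 1-3, a multi-stream test (the `iperf3 -P 2` style OPNenthu mentions) can load several cores, while a single flow is always handled by a single worker and is therefore bounded by one core's clock speed. Watching per-core load on the firewall during such a test (for example with `top -P` on FreeBSD) shows whether the worker set is actually being used or one core is saturated while the rest idle.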

I am referring to this: https://forum.opnsense.org/index.php?topic=41295.0

Quote from: nero355 on February 04, 2026, 06:57:01 PM
- Multi CPU a.k.a. multi-core support.
- Single-threaded vs. multi-threaded support.

My latest programming work was in Python and in that environment I would refer to these as multiprocessing and threading, respectively (though earlier Pythons used a GIL so there could be no true concurrency in threading, but still parallelism is achieved).

I don't know what you mean by this:

Quote: there are always multiple threads within any application that is just one big single thread,

If I wrote a simple C program with just an infinite control loop, it would peg a single hardware thread if I'm not mistaken?

Quote from: OPNenthu on February 04, 2026, 07:48:20 PM
I am referring to this: https://forum.opnsense.org/index.php?topic=41295.0
Ahh, OK :)

Quote: I don't know what you mean by this:

Quote: there are always multiple threads within any application that is just one big single thread,

If I wrote a simple C program with just an infinite control loop, it would peg a single hardware thread if I'm not mistaken?
I am not a programmer/developer but let me put it this way =>

A simple browser comparison:
- Mozilla Firefox
- Pale Moon

Pale Moon is a piece of software that will never use more than 1 CPU/core to render a website.
However, it is multi-threaded, because otherwise it would be extremely slow/unusable as a browser.
It also runs as one thread that is spread amongst the cores of your CPU, but it will in total never use more than 1 core.

Mozilla Firefox is a piece of software that can use as many CPUs or cores as you allow it to, basically.
It is extremely multi-threaded and a lot faster on older multi-core CPUs than Pale Moon.
It starts multiple threads spread over all the cores of your CPU and does a lot of things at the same time when rendering a website.

The same comparison can be made, for example, for PPPoE connections handled by FreeBSD vs. Linux, which is one of the drawbacks of using OPNsense/pfSense for such a connection instead of, let's say, OpenWRT or so...

In that case Linux is Mozilla Firefox and FreeBSD is Pale Moon when it comes to their PPPoE modules/libraries :)

I hope you see now what I was trying to say in my previous reply?

Quote from: nero355 on Today at 01:59:22 AM
I hope you see now what I was trying to say in my previous reply?
Got it... thanks for the examples.

Also, my earlier point about CPU frequency being the limiting factor is based on the idea that when limited to a single core, performance only scales with clock speed (assuming all other optimizations have been exhausted). This seems to be the limiting factor for the home license version of ZA.

For Suricata (and here I think you're correct: it has a setting for "Listeners," but I don't know much about it), I think we can use the Deciso specs for "Threat Protection Throughput" as a guide. This is cut and dry because the footnote of the spec sheet says:

Quote: IPS performance is measured using ET Open and standard 1500 byte packet size.