Advice on device for OPNSense Edge Router/Firewall, Small switch and Wireless AP

Hello everyone, I recently got 940 Mbps asynchronous CenturyLink fiber installed at my house, and the garbage C4000XG CenturyLink gave me is holding back the fiber speed, as you could imagine. I was looking at this mini PC to be the edge router/firewall with OPNsense: a Topton dual-NIC 12th gen N100 with 8 GB of DDR5 memory. But I don’t enjoy shopping at AliExpress because of the long wait on shipping and the difficulty of returns. I will also need a 12-port layer 3 switch, as I would like to set up VLANs, and then probably just one wireless AX AP. I am totally open to other mini PCs but would definitely like barebones, as I am trying to do this all on somewhat of a budget. I would also like to run deep packet inspection and VPN, so I’m not sure if the PC I listed above would even be able to handle that. Any recommendations will be greatly appreciated.

Edit: I do already have a Netgear GS305E 8-port managed switch and a Netgear Nighthawk AC1750. I just came across this [Minisforum Intel Celeron J4125](Amazon.com). The networking card on this will only run OpenWrt, which I would be fine with. I think I may have just answered my own question.

You don’t need a layer 3 switch to set up VLANs …

Most Wi-Fi “routers” have, at most, dual-core 1.5 GHz ARM processors, with most being single core and well under 900 MHz.

Whatever the processor is, it will probably be faster than that.

Project ideas

Pi-hole

Local NTP server, including full firewall redirection to force all LAN devices to sync time locally via one source. I fully believe this can save electricity, especially combined with Pi-hole, to prevent the electricity spent on data upload and the server-side power involved in then processing that data, which then causes further back-and-forth data transmissions thereafter, with that cycle repeating.

Just my grain of sand for thought.

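The “full firewall redirection” idea above, spelled out as an added pf.conf fragment for an OPNsense/FreeBSD edge router. This is example configuration written for this thread, not the poster’s own setup; the interface names, the LAN subnet and the router’s address are assumptions and need to be adjusted. In OPNsense the same rule is normally built from the GUI under Firewall > NAT > Port Forward, with the destination inverted so that everything except the router itself is matched; the fragment shows what that rule comes down to underneath.

```pf
# Added example, not from the thread: redirect every LAN NTP query to the
# router's own NTP server, so devices with hard-coded time servers
# (time.google.com, pool.ntp.org, vendor clouds) still get an answer, but
# only from the local source. Names and addresses below are assumptions.
lan_if    = "igb1"             # assumed LAN interface
wan_if    = "igb0"             # assumed WAN interface
lan_net   = "192.168.10.0/24"  # assumed LAN subnet
local_ntp = "192.168.10.1"     # assumed: the router runs ntpd/chrony itself

# Any udp/123 packet from the LAN whose destination is NOT the local NTP
# server is rewritten to the local server. "pass" lets the rewritten packet
# through without a separate filter rule; "log" writes each match to pflog,
# which is how you find the devices that ignore the DHCP-offered NTP server.
rdr pass log on $lan_if inet proto udp from $lan_net to ! $local_ntp port 123 -> $local_ntp port 123

# Only the router itself may talk to upstream NTP servers on the WAN.
# With the rdr above in place, no LAN client ever reaches the WAN on udp/123.
pass out quick on $wan_if inet proto udp from ($wan_if) to any port 123 keep state
```

Watching the pflog output for a day after enabling this is worth doing: every logged match is a device that bypassed your DHCP NTP option, which is exactly the kind of chatty, hard-coded behaviour the post is trying to stop. Clients that use NTS or authenticated NTP will fail against a plain local server, so those need an explicit exception rather than the blanket redirect.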

Assuming the N100 can do it: https://store.minisforum.com/collections/all-product/products/minisforum-un100-un305?variant=43831900569845

BTW, what kind of VPN?

Probably just OpenVPN

Looking at those Minisforum offers…

  • N100 / 8 GB / 256 GB, about 200-ish
  • N305 / 16 GB / 512 GB, about 300-ish

I’d maybe lean towards the more expensive N305, because the marginal cost (about 3x takeaway dinners?) gives you a slight immediate advantage with OpenVPN and also opens the opportunity to use the hardware for other things down the line (Proxmox … containers … that kind of thing).

Those are 12th gen E-cores in both, and OpenVPN is notorious for its single-threadedness causing jitter and high latency on small/cheap multi-core systems. 8 cores instead of 4 (N305 vs. N100) will give non-OpenVPN stuff more opportunity to get cycles without getting in the way, and the slightly higher clock speed won’t hurt.

L2TP/IPsec and WireGuard generally don’t suffer as much from serialization.

There’s a bunch of people out there on the internet running Suricata at 40G or more per machine on Xeons. These would sit at various “great firewall” setups in various ISP network and server rooms. They use fancy NICs to split flows by hash… and usually they run Linux.

Long story short, I’m not sure OPNsense will be good enough on those cheap boxes for 1 gig + 1 gig Squid splicing AND Suricata AND OpenVPN at the same time.

It would make an awesome basic firewall router with VPN + might as well make it a backup/media server on the side.


Re other hardware (switch and Wi-Fi): popular around these forums are Ubiquiti / TP-Link Omada / EnGenius / MikroTik … roughly in that order. If I were you, I’d just check out their offerings and ask here again.


Pretty much anything that’s not a potato will do Gbit line speed just fine, an RK3399-based solution or whatever. As always, going bleeding edge on anything other than Windows is usually not a smooth ride, and you probably want to check whether your hardware uses Realtek (Crab) NICs if you want to run *sense, because that will most likely be a slightly bumpy ride, if it works at all. If you want to do DPI at Gbit speeds you likely need to look at i3 (or better) CPUs from 10th/11th gen or newer. There are also a bunch of threads tackling your issue. I’d also like to add that if you can’t bridge your connection/modem you’ll get very limited functionality from adding another firewall (and possibly double NAT).


Thank you very much for this detailed posting, you have given me a lot to think about. I do have a 10th gen i5 OptiPlex that was set up for TrueNAS but I don’t really use it; maybe I could add a NIC to the Wi-Fi card slot and just use that as a basic firewall/media server. :thinking:


I believe I can bridge my connection/modem. I’ll start tinkering with that and see if I can get faster Wi-Fi speeds using the Nighthawk I have instead of the modem’s built-in Wi-Fi. Thank you very much for all the insight I hadn’t considered.

After further thought I am probably going to just buy a Belkin RT3200 and put OpenWrt on it after I verify that I can bridge my modem. Thanks everyone for the advice that was given!


Not OPNsense, but I am using the Netgate 1100 and have been pretty happy with it on 300 Mbps Fios.

For Wi-Fi, I am just using a spare Wi-Fi 6E router in access point mode attached to a network switch.
