Hello everyone, I recently got 940 Mbps asynchronous CenturyLink fiber installed at my house, and the garbage C4000XG CenturyLink gave me is holding back the fiber speed, as you could imagine. I was looking at this mini PC to be the edge router/firewall with OPNsense: Topton dual NIC 12th gen N100 with 8 GB of DDR5 memory, but I don’t enjoy shopping at AliExpress because of the long wait on shipping and the difficulty of returns. I will also need a 12-port layer 3 switch, as I would like to set up VLANs, and then probably just one wireless AX AP. I am totally open to other mini PCs but definitely would like barebones, as I am trying to do this all on somewhat of a budget. I would like to run deep packet inspection and VPN as well, so I’m not sure if that PC I listed above would even be able to handle that. Any recommendations will be greatly appreciated.
Most Wi-Fi “routers” have, at most, dual-core 1.5 GHz ARM processors, with most being single-core and well under 900 MHz.
Whatever the processor is, it will probably be faster than that.
Project ideas
Pi-hole
Local NTP server including full firewall redirection to force all LAN devices to sync time locally via one source. I fully believe this can save electricity, especially combined with Pi-hole to prevent data upload electricity and the server-side power involved in then processing that data, then causing further back-and-forth data transmissions thereafter, and that cycle repeating.
I’d maybe lean towards the more expensive N305 because the marginal cost (of about 3x takeaway dinners(?)) gives you a slight immediate advantage with OpenVPN, but also opens the opportunity to use the hardware for other things down the line (Proxmox … Containers … that kind of thing).
Those are 12th gen E cores, in both, and OpenVPN is notorious due to its single-threadedness causing jitter and high latency on small/cheap multi-core systems. 8 cores instead of 4 (N305/N100) will provide more opportunity for non-OpenVPN stuff to get cycles without getting in the way, and slightly higher clock speed won’t hurt.
L2TP/IPsec, WireGuard - generally don’t suffer as much from serialization.
There’s a bunch of people out there on the internet running Suricata at 40G or more per machine on Xeons. These would sit at various “great firewall” setups in various ISP network and server rooms. They use fancy NICs to split flows by hash … and usually they run Linux.
Long story short, I’m not sure OPNsense will be good enough on those cheap boxes for 1gig + 1gig squid splicing AND Suricata AND OpenVPN at the same time.
It would make an awesome basic firewall router with VPN + might as well make it a backup/media server on the side.
Re other hardware - switch and Wi-Fi, popular around these forums are Ubiquiti/TP-Link Omada/EnGenius/MikroTik … roughly in that order. If I were you, I’d just check out their offerings and ask here again.
Pretty much anything that’s not a potato will do Gbit line speed just fine, an RK3399-based solution or whatever. As always, going bleeding edge on anything other than Windows is usually not a smooth ride, and you probably want to check if your hardware uses Realtek (Crab) NICs if you want to run *sense, because that will most likely be a slightly bumpy ride any at all. If you want to do DPI at Gbit speeds you likely need to look at i3 (or better) CPUs from 10th-11th or newer. There are also a bunch of threads tackling your issue. I’d also like to add that if you can’t bridge your connection/modem you’ll get very limited functionality of adding another firewall (and possibly Double NAT).
Thank you very much for this detailed posting, you have given me a lot to think about. I do have a 10th gen i5 OptiPlex that was set up for TrueNAS but I don’t really use it; maybe I could add a NIC to the Wi-Fi card slot and just use that as a basic firewall/media server.
I believe I can bridge my connection modem. I’ll start tinkering with that and see if I can get faster Wi-Fi speeds using the Nighthawk I have instead of the modem’s built-in Wi-Fi. Thank you very much for all the insight I hadn’t considered.
After further thought I am probably going to just buy a Belkin RT 3200 and put OpenWrt on it after I verify that I can bridge my modem. Thanks everyone for the advice that was given!