Hi all. I want to know what hardware requirements I would need to run the 2 following scenarios:
Scenario A:
1Gbps symmetric fiber (this should not be hard)
DNS, NTP and DHCP (this should run in a potato)
Wireguard server for incoming backup server requests (1Gbps desirable, 500Mbps would be OK)
Wireguard client to route some outgoing traffic (the same speed requirements as above)
The Wireguard client and server will NOT have traffic at the same time
GeoIP block for incoming traffic to my home server
Scenario B:
All of the above
Suricata
Zenarmor
I was looking at a Dell Wyse 5070 with a J4125 or J5005 adding a second NIC in the M.2 port, a 2.5G one with a Realtek RTL8125 as they are cheap. Will it be enough? I guess the scenario A would be OK but the B would be a no-go?
Your overhead is the Zenarmor and Wireguard instances. I built my OPNsense router on Zen 3 architecture (a Ryzen 5600G specifically) because, like you, I needed to be able to accommodate the overhead of Zenarmor and Wireguard. Going beyond that it really is a question of NICs, and Mellanox stuff is very affordable these days. So if you want a complete set of specs for how I did this:
Encryption algorithms vary, as does the overhead they require. Regardless, they are still overhead that one has to take into account; when you combine that with IPS/IDS and Zenarmor, the overhead is multiplied.
Then I would look at onboard chip situations. 10GbE is fun, but it costs more power. But I do have an internet connection of more than one gigabit, so I need it.
The N100 class of CPUs does have AES encryption on chip, but no QAT or network on the chip.
But they would be a decent router; a lot of people have done it. But the N100 is 20 watts less than the Atom processor. And the ASRock N100 board is 300 euro cheaper than that AliExpress offering.
I don’t have experience with their products but I am planning to get one at some point. I just currently don’t want to commit to reconfiguring my network. Hardware-wise they’re very similar to the Chinese AliExpress-type boxes but personally I have more trust in them from a security and support point of view.
For power use a box designed for routing might be more efficient than a repurposed office box IMO. Fewer surprises.
Make sure these work on FreeBSD (which OPNsense is based on). Realtek drivers can be hit-and-miss on those, I heard. Intel is generally recommended.
Also remember: a pfSense / OPNsense box thingy isn’t a switch. The networks are separated. You can send traffic between ports, but this will come with a performance hit if you compare it with a switch.
If you’ve already decided why ask? Realtek is a poor choice and I’m not even sure why you’d bother with a CPU that’s EOL out of the box but I guess security isn’t a priority? Keep in mind that J4*** and J5*** are really slow, N97 is roughly twice as fast.
I don’t, but I want to know if I can get away with the cheaper option. That’s the point, know if something of 50€ is enough or if I have to shell out more to get an N100 or equivalent.
Of course I would prefer a Beelink or Odroid with an N100 and dual i226V, but that would cost me 200€, either of them.
Thanks! The VP2410 seems to be roughly equivalent with the J4125. It seems that can do 733Mbps as a wireguard server/client.
From what I see, it heavily favors single-core performance as a Celeron J6412 and an i3 10110U have about the same multithread score but the 10110U has much better speed. Also, the i5 12210U has the same single core and much better multi core, but it seems that the speeds are the same. For a single connection, single core seems king.
For a 1Gbps wireguard server, N5105 seems to be the minimum to not have any problems. A J5005 should be about 700Mbps. So between OK and desirable of scenario A.
I’ve been experimenting with an ITX build with a 5600G.
I tried the Realtek NICs and they would work until Zenarmor was installed, at which point the system would just reboot when traffic started getting heavy.
The ASRock mobo I’m using has an Intel NIC so I swapped out the Realtek for an IO CREST SY-PEX24086 that uses Intel i225 chips and it seems to be stable so far.
One anomaly I did notice with OPNsense is when I brought down an interface, made changes, then brought the interface back up the install was borked and I had to start from scratch.