Mini pc for firewall - opnsense

Looking into a mini/micro PC for running OPNsense.

I would normally build something (and I have several machines laying around) BUT, it has to fit into a structured media panel, in a wall. So I need something small.

I’ve also never actually specc’d something out for this, as I’ve always had something dedicated, and way overkill (VM on my old R710, HP ML310e w/ 16GB RAM, and so on.)

There’s enough mini PCs out there to make my head spin, so I want to know what everyone thinks.

Use:
-Gigabit Internet (Fios)
-VLAN termination and routing
-IPS
-VPN (client-server, possible site-to-site in the future)
-QoS
-Will be dual-stacking IPv4 and v6, though I doubt that will affect performance at all at the hardware level. Worth mentioning.

I’d really prefer intel networking if we can, and I only need two ports.

I’m based in the US, and would prefer to purchase new and close to current gen hardware.
Any suggestions?

NUC11TNHi30L or
NUC11TNHI50L00
Done?


Have a look at Minisforum GK41 or GK50

I didn’t realize those had come down so much in price, I’ll take another look at them.

Also, I’m sure an i5 wouldn’t struggle with IPS, would an i3? That’s really where I’m a little lost here. I’ve always had really overspec’d hardware for my firewalls, and now I’m trying to be as energy sipping as possible, without sacrificing throughput @ 1Gig with a few features enabled.

I’ve seen almost all of these, I was looking for user experiences and want to make sure I don’t underspec my hardware for my usecase.

I was looking at… I believe the GK41 before I posted, that’s what spurred me to join and make sure I’m not underspeccing myself.

Any idea on throughput with IPS and VPN enabled on those chips? I’m going to make the move to WireGuard slowly, I’m pretty familiar with OpenVPN (as well as its downsides, and heaviness…), so I’m making that move slowly.

For celerons/pentiums/atoms in that class, regular firewalling (connection tracking and nat) at gigabit is great.

You won’t be able to go gigabit over OpenVPN without bonding multiple links - wireguard is ok at gigabit.

IPS is mostly a no go - why would you need an IPS at home, especially if you can tunnel in, or if you can run an https frontend?

Given that pricing is pretty close I guess going for i5 makes sense in that regard. I would also be a bit concerned about aftermarket support regarding BIOS updates etc. for the Chinese ones.

I agree on aftermarket support on the Chinese ones, and honestly tinfoil hat on overall security, lol

I’m also looking at protectli, with coreboot.
The i5 pricing there is… more expensive, but maybe it’s a thing.

Yeah not concerned about gig over openvpn, I rate limit that anyhow, no need. I host some game servers so that’s really all that’s used for at the moment. Wireguard will be implemented soon, and that will have road-warrior style setup for my phones and such. Yay pihole in all the places!

IPS? Honestly because I feel like it. I know it’s a pain to manage but, I know it’s overkill, but yeah.

Lenovo M720Q w/ either a PCIe Riser to a low profile network card, or M.2 A+E to gb network card.

generally about $150 and very low power at around 35w peak, 5-10w idle.

Also lots of 3d printable wall/rack mounts.

I’ll keep that in mind if I end up going used. The potential of vPRO would also be nice, if I get the right model.
That would also totally fit in the space this is going in.

I’d also like a few of those or similar to mess with kubernetes soooo

yeah that is the one downside of the two I have is no vpro :frowning:

I’m hoping to find one with vpro, but that seems unlikely. I’m also not really seeing any stock, how hard is it generally to find a NUC?

Some variants of NUC11TN-series have vPro

if vPro so you can have IPMI? you could also look into PiKVM etc

yeah, that’s what I mean though, I’m having trouble finding the sku

That’s an added cost on top of this though lol, I’d rather it be native to the device.

Also, can anyone tell me how the heck we multi-quote on this forum? I can’t seem to figure that out