I decided to build my own router using a Dell Wyse 5070 Extended with a Pentium Silver J5005, 8 GB RAM, a 512 GB SSD and an Intel X710-DA2 SFP+.
The goal is to use this as a router, caching proxy and VPN.
I am having trouble deciding which software to choose for the box; I am thinking OPNsense or OpenWrt. Any recommendations with pros and cons?
I’ve been pretty happy with OpenWRT, but I did the ‘standard’ thing of flashing a regular Belkin router. It’s super simple to set up, works great with lots of options, but my general understanding is that if you’re using an actual machine the *Senses give you more.
You’re going to need to add some cooling to the X710, but otherwise it works great. I picked up a few of the Wyse 5070s when Dell had them on that crazy deal a while back, and am using one of them in exactly this way.
I would recommend OPNsense. It has a ton of options and settings that can make it a bit overwhelming, but it’s rock solid and has lots of documentation and support from the community.
You might check the forums over at OPNsense to make sure your NIC is supported first.
While OPNsense is a very capable homelab firewall, I wouldn’t call it “rock solid”.
The Community edition has biweekly updates, with additional hotfixes being pushed in between those updates. They also make some substantial changes which require updates to your config (like the dynamic DNS plugin, OpenVPN server instances, and now Kea DHCP). Major version updates also require planning and may not always be smooth sailing.
That’s the opposite of “rock solid”, and I think it’s good to be aware that it’s not “set it and forget it” software, even in a not-that-complex setup.
I think that’s the biggest con of OPNsense. I enjoyed it for many years, learned a lot with it, but when I stopped being the only one that relied on it for Internet access it ultimately pushed me away.
I switched from OpenWrt to OPNsense; here are my thoughts:
OPNsense uses way more resources; in your case that will only matter CPU-wise. My build was based on an APU2: OpenWrt runs fine with 256 MB RAM, while OPNsense will need 2 GB to run without complaints.
OpenWrt can be configured in text mode; you don’t need the GUI. You can just SSH into your router and set whatever you want. On OPNsense everything has to be set in the GUI, unless you want to mess around inside the XML config.
OPNsense is way more powerful in terms of routing / network rules; this is the main reason I switched. I was so done trying to get policy-based routing working for IPv6, and in OPNsense that stuff just works.
In OPNsense upgrades are less “risky”. If you have modded your OpenWrt instance a bit, e.g. LAGG, you can’t just upgrade. You must be sure that all your custom scripts persist through the upgrade and that you have the packages needed by the scripts after the upgrade.
For me both have their up and down sides: if you have weaker hardware and want to tinker, use OpenWrt. If you want something that is “more” of a set-up-once solution, go with OPNsense. If you run it bare metal on your HW it should run OK, but don’t expect 10 Gig routing capability.
I opted for OPNsense for my home router build. A lot of the pfSense guides work for OPNsense too.
I used these two guides to get OPNsense set up. I haven’t gotten too far into VPNs and proxies just yet.
In these threads OpenWrt was suggested to me for a wireless access point. It might not be as relevant for your use case, but the documentation can point you in the right direction.
If I had to build my own router, which I wouldn’t do anymore, I’d go pfSense CE. A lot of people recommend OPNsense because it receives more updates, but this is exactly why I’d choose pfSense CE. It’s still receiving security fixes and can do pretty much everything OPNsense or pfSense+ would do. Other than that, it’s boring and not changing a lot. I like my main network device to be boring.
If the choice is between OPNsense or OpenWrt, I’d go OPNsense.
I lost a lot of trust in Netgate as a company with the way they’ve handled things with the pfSense+ home user edition, so I’ve been playing with an OPNsense VM instance to try it. The one thing that’s keeping me from jumping to it now is the fire-hose update cadence, like you say.
It’s the exact opposite of what pfSense Community Edition is getting right now. It tends to lag too far behind, with a backlog of thousands of issues piling up for the next 2.8.0 release. I poked around on their public Redmine server today and it does look like all the fixes on the Plus branches are getting merged to the 2.8.0 CE target, which is about 90% complete, but who knows when that will be released. It’s been over a year since 2.7.2.
I too like my FW SW boring, but my fear is that some day a remote zero-day exploit will be out there and the CE edition won’t get a quick fix, because they are just not set up with the development processes, resources, and testing to get a quick fix turned out for the base CE targets. Given the past behavior of Netgate, I have serious doubts that they would be inclined to go above and beyond to help the CE users anyway.
So the reality is that if you don’t pay for either OPNsense or pfSense, then you are going to get too frequent or too seldom fixes, respectively. At least with OPNsense I can mitigate the rapid releases by using the excellent built-in ZFS snapshot feature for quick rollback. I can also choose not to accept an update for a while, and update when I want to. I could, for example, wait until the next 6-month major is released and then update to the last minor on the previous major branch.
I think I’ve talked myself into switching to OPNsense rather than pfSense CE or OpenWrt.