I’m a pretty novice person considering installing opnsense for my personal home use.
Their documentation has what would seem to be incomplete hardware requirements.
For example it does not list any network hardware. I assume you need at least 1 Ethernet connection. I recall reading somewhere that you might need 2 network cards? One for in and one for out?
What about network card specs? I have old computers lying around that exceed the CPU/RAM/SSD requirements but cards are practically antiques. Should I upgrade? If so, to what?
ETA: The best internet I could subscribe to where I’m at is 1024 Mbps down, 50 Mbps up. So don’t worry about wasting fibre speeds. :(
Does anyone know about a more thorough description of requirements?
Not much. You can run it with one network card, but you’ll have to run it in trunk mode. That will also limit you to 500 Mbps on a gigabit network.
I’ve run it on an old dual-core CPU with 4GB of memory, and it was still able to pump out gigabit speeds.
The best internet I could subscribe to where I’m at is 1024 Mbps down, 50 Mbps up. I’ll add that to the post I guess it is relevant since so many people have fibre. (sigh)
That is actually dependent on what you are doing. With gigabit ethernet being full duplex, you can transfer 1Gb/s both up and down at the same time.
This would mean that if he has a single port, if he was downloading a file from the internet, he could still reach 1Gb/s. If he, however, had 1Gb up and down, he could only download at 500Mb/s and upload at 500Mb/s simultaneously.
His upload being so much lower than his download would lead to him not likely noticing any difference.
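The full-duplex argument above is easier to follow with numbers. This is an added example, not code from anyone in the thread: it models an idealised gigabit port with an independent receive and transmit budget (no VLAN-tag or framing overhead, no CPU limits) and compares a single trunked port, where every packet crosses the same port twice, against dedicated WAN and LAN ports. The link rate, the proportional back-off when a port is oversubscribed, and the 1024/50 Mbps figures are assumptions taken from the thread, not measurements.

```python
"""Throughput model: one trunked port versus dedicated WAN/LAN ports.

Added example, not from the original thread. Assumes an ideal full-duplex
link: each physical port can receive LINK_MBPS and transmit LINK_MBPS at
the same time, and an oversubscribed port slows every flow proportionally.
"""

LINK_MBPS = 1000.0  # gigabit Ethernet, per direction (assumption: no overhead)


def single_port_throughput(down_mbps, up_mbps, link=LINK_MBPS):
    """Router-on-a-stick: WAN and LAN are VLANs on one physical port.

    A downloaded packet enters the port from the WAN VLAN and leaves it again
    towards the LAN VLAN; an uploaded packet does the reverse. Both the
    receive side and the transmit side therefore carry down + up, so the
    combined demand is what the link rate caps.
    """
    demand = down_mbps + up_mbps
    if demand <= link:
        return down_mbps, up_mbps
    factor = link / demand  # share the port proportionally between the flows
    return down_mbps * factor, up_mbps * factor


def dual_port_throughput(down_mbps, up_mbps, link=LINK_MBPS):
    """Dedicated WAN and LAN ports.

    Downloads use WAN-receive and LAN-transmit, uploads use LAN-receive and
    WAN-transmit, so each direction only competes with itself.
    """
    return min(down_mbps, link), min(up_mbps, link)


def compare(down_mbps, up_mbps, link=LINK_MBPS):
    """Return achieved (down, up) for both layouts, rounded to 1 Mbps."""
    single = single_port_throughput(down_mbps, up_mbps, link)
    dual = dual_port_throughput(down_mbps, up_mbps, link)
    return {
        "single_port": tuple(round(x) for x in single),
        "dual_port": tuple(round(x) for x in dual),
    }


if __name__ == "__main__":
    # Symmetric gigabit: the trunked port halves both flows.
    print("1000/1000:", compare(1000, 1000))
    # The thread's 1024 down / 50 up plan: the trunk costs only a few percent.
    print("1024/50:  ", compare(1024, 50))
```

With a symmetric 1 Gbps connection the single port lands at 500/500 Mbps, matching the earlier reply, but with 1024 down and 50 up it still delivers roughly 953 Mbps down, which is why the asymmetric link hides the difference.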
deleted by creator
Does “interface” mean you need separate cards? Or you have a single card with multiple interfaces?
Is DMZ like a guest network?
I looked up “IDS/IPS” and it sounds like something I would prefer to avoid doing if I can.
deleted by creator
I was hoping to make use of one of the various computers I have cluttering this place up so I could justify continuing the collection. ;)
Do you know how to determine suitability of an existing card, or how to correctly purchase a replacement?
deleted by creator
What’s a server card?
I’d prefer to avoid VMs if possible I never had much luck with them.
You can buy multi-port Intel ethernet cards cheap on eBay. Buy a used one and drop it into your computer. If you stick to Intel you should have a better time with driver support under OPNsense, and it would enable you to have separate ports for VLANs if you wanted to get fancy.
Thanks! So for example: Intel Gigabit Dual PORT GIGABIT ETHERNET PCIe NIC Card EXPI9402PT NC360T which is CA$30. Does that sound right?
Yes, that kind of thing. I can’t guarantee it will work but I’ve had good luck with Intel cards in the past. You can get 4-port ones too.
Just to check my understanding: a 4-port card provides different capability than a 1- or 2-port card with a switch attached, yes?
DMZ is usually where you put servers that should be externally accessible.
It’s like a guest network in that it is a separate network segment with different filtering/forwarding rules than the main local network.
That sounds useful.
I like to keep things separate when plausible.
I would try and set something up on your old hardware, and try it out.
Use it as a learning experience. Gigabit packet forwarding (even basic NAT) isn’t super heavy.
When I was trying it out, I used some old $50 refurbished thing from eBay with like 2 cores and 4GB of RAM.
Only upgrade I made was to install an Intel 4-port ethernet card, mostly because it was a widely recommended one, and I could pick one up for like $20. I only ever used 2 ports on it - WAN and LAN.
When I first started playing, I used my ISP router as a modem/router, and DMZ’d opnsense. Opnsense was the only thing connected to the ISP router’s LAN.
This meant that my opnsense had a private IP (i.e. RFC 1918) for its WAN port, and I would have a double NAT (outbound packets from my actual LAN would get NAT’d from opnsense’s WAN IP (which was inside the ISP router’s LAN), then the ISP router would NAT that onto its public IP).
I never had any issues with double nat, but I only had a small network.
As the opnsense box was the DMZ for the ISP router, all incoming traffic was forwarded to opnsense, which could then control port forwarding to wherever. So I didn’t have any complications with port forwarding.
My next upgrade was a more dedicated opnsense box (one of those 4-port fanless nameless NUCs for ~$300).
I also bought a bridge modem, so that opnsense could do the PPPoE (or whatever it was) connection and take the public IP directly.
After that, I bought a managed switch with VLANs.
However, I still only use 2 physical ports on my opnsense box (which was a mistake). 1 for WAN, and 1 for trunk. I then have virtual interfaces for each VLAN configured within opnsense.
I think the important minimum requirements are “decent network card”. Which, for the most part, is the recommended 4-port Intel card. I can’t remember the part number, but quick Googles will probably find it.
Then, install opnsense, make sure it works, figure out how to replace your ISP router (or DMZ/double NAT).
If you ever plan on doing more complex things, my biggest recommendation is to essentially keep the default assignments, then build off of them.
So opnsense will default assign a wan port and a lan port.
Use the wan port as wan, and use the LAN port as “admin access” and nothing else (ie don’t actually connect it to a network).
Then, add an additional physical interface for your actual lan (which in my case now carries the trunk for various vlans).
This makes it SUPER easy to wipe the config, reinstall or whatever using the “admin” network, then import a backup.
I made this mistake, and would often have to do “vlan shenanigans”, annoying patching, etc to get me out of trouble.
Whereas grabbing a laptop, plugging directly into the “admin” (i.e. default LAN) port, and fixing stuff is easy as hell. Doesn’t matter if it’s a fresh wipe install, a defaulted config, or active installation. I always have easy physical access (which is guaranteed by opnsense’s anti-lockout rules - which don’t seem to apply to anything you create).
Thanks for all the info!
I am definitely a person who will always change the defaults for no particular reason, so I appreciate the warning. Except I don’t quite know what you mean by “assignments”. Do you mean like the names (“eth0”)? Or their functions? I do like the idea of having a physical jack that’s always guaranteed to allow access no matter what I foul up otherwise.
All these years I have been running my home network with a collection of routers just kind of attached together in a way that shouldn’t work due to “double NAT” according to everything I ever read, but it is pretty much functional if not at all optimized. Maybe if you don’t believe in double NAT it won’t happen to you.
I’ve done crazy things and never had an issue with double nat. But that’s all on small networks.
Assignment as in what opnsense is aware of.
Whether that is a physical NIC (NICs aren’t assigned by default), virtual NICs (i.e. multiple VLANs on a physical NIC), or PPPoE/PPPoA/whatever.
Watch a video of the install process, then watch a video of assigning additional interfaces.
They will be able to explain and show it to you better than I can type!
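The double-NAT layout described earlier in this thread (ISP router doing NAT onto its public IP, OPNsense behind it with an RFC 1918 WAN address and doing a second NAT, and the ISP router’s DMZ pointing at OPNsense) is worth seeing as a sequence of address rewrites. The following is an added example, not the poster’s configuration or any OPNsense code: it is a toy model of two stateful NAT hops, using constructed addresses from the documentation ranges (198.51.100.7 as the ISP router’s public IP, 203.0.113.5 as a remote server) and private ones for the two LANs. Only source/destination rewriting, a per-hop session table, a port forward and a DMZ host are modelled; the `Nat`, `Packet` and scenario names are mine, and nothing about rule syntax, timeouts or protocols is represented.

```python
"""Toy model of a double-NAT chain with a DMZ at the outer hop.

Added example, not from the original thread. Constructed addresses:
  192.168.1.10   LAN host behind opnsense
  192.168.1.20   LAN web server (opnsense port-forwards 443 to it)
  192.168.0.2    opnsense WAN side, an RFC 1918 address inside the ISP LAN
  198.51.100.7   ISP router public IP (documentation range)
  203.0.113.5    remote host on the internet (documentation range)
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    """One stateful NAT hop: source NAT outbound, reverse lookup inbound."""

    def __init__(self, name, outside_ip, dmz_host=None, port_forwards=None):
        self.name = name
        self.outside_ip = outside_ip
        self.dmz_host = dmz_host                    # gets unmatched inbound traffic
        self.port_forwards = dict(port_forwards or {})  # dport -> (inside_ip, port)
        # (remote_ip, remote_port, outside_port) -> (inside_ip, inside_port)
        self.sessions = {}
        self.next_port = 40000

    def outbound(self, pkt):
        """Rewrite the source to our outside address and remember the flow."""
        port = self.next_port
        self.next_port += 1
        self.sessions[(pkt.dst, pkt.dport, port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.outside_ip, sport=port)

    def inbound(self, pkt):
        """Undo the rewrite for a known flow, else apply forward/DMZ, else drop."""
        if pkt.dst != self.outside_ip:
            return None
        key = (pkt.src, pkt.sport, pkt.dport)
        if key in self.sessions:                     # reply to something we sent
            inside_ip, inside_port = self.sessions[key]
            return replace(pkt, dst=inside_ip, dport=inside_port)
        if pkt.dport in self.port_forwards:          # explicit port forward
            inside_ip, inside_port = self.port_forwards[pkt.dport]
            return replace(pkt, dst=inside_ip, dport=inside_port)
        if self.dmz_host is not None:                # everything else to the DMZ host
            return replace(pkt, dst=self.dmz_host)
        return None                                  # unsolicited and unmatched: dropped


def send_outbound(pkt, hops):
    """Apply each NAT hop from the inside outwards."""
    for nat in hops:
        pkt = nat.outbound(pkt)
    return pkt


def send_inbound(pkt, hops):
    """Apply each NAT hop from the outside inwards; None means dropped."""
    for nat in reversed(hops):
        pkt = nat.inbound(pkt)
        if pkt is None:
            return None
    return pkt


def build_chain(isp_dmz_enabled):
    """[inner hop, outer hop]: opnsense, then the ISP router."""
    opnsense = Nat("opnsense", "192.168.0.2",
                   port_forwards={443: ("192.168.1.20", 443)})
    isp = Nat("isp-router", "198.51.100.7",
              dmz_host="192.168.0.2" if isp_dmz_enabled else None)
    return [opnsense, isp]


def run_scenarios(isp_dmz_enabled=True):
    """Outbound flow, its reply, and an unsolicited inbound connection."""
    hops = build_chain(isp_dmz_enabled)
    out = send_outbound(Packet("192.168.1.10", 51000, "203.0.113.5", 443), hops)
    reply = send_inbound(Packet("203.0.113.5", 443, out.src, out.sport), hops)
    new_conn = send_inbound(Packet("203.0.113.5", 52222, "198.51.100.7", 443), hops)
    return {
        "outbound_src": out.src,                          # what the internet sees
        "reply_dst": reply.dst if reply else None,        # where the reply ends up
        "inbound_dst": new_conn.dst if new_conn else None,  # where a new connection lands
    }


if __name__ == "__main__":
    print("with ISP DMZ:   ", run_scenarios(True))
    print("without ISP DMZ:", run_scenarios(False))
```

Outbound traffic and its replies work either way, which is why the posters above never noticed double NAT on small networks: each hop keeps its own session entry and unwinds it on the way back. A new inbound connection is the case that differs: with the ISP router’s DMZ pointing at the OPNsense WAN address it reaches the port forward on OPNsense, and without it the outer router drops it before OPNsense ever sees it.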
I just upgraded my home server and now have a spare Odroid H2 that features 2 ethernet ports.
Would that be a good option for opnsense? My current Fritzbox is connected through a single cable with my 24p NETGEAR switch which collects the cables from my home network and my server.
I have mine setup on a Supermicro itx-based machine with an Intel n3710 and 8G of RAM. It has four Intel-based ports but you can easily get away with two.
I used to run a Zotac ci323 with dual Realtek NICs. Works fine for 300M up/down.
You’ll want two ports, one for WAN and one for LAN, and most NICs will support VLANs if you need more than that. Any VPN or encryption will increase your CPU requirements. If your needs are low, a cheap dual-NIC NUC-like device works great.