Hiya, looking for a firewall for my homelab, mostly to experiment but also for an added layer of security. There are just two of us in this household with a few laptops, phones and my servers, so nothing much. Therefore I'm looking for something affordable and not “overkill”.

Anyone got any recommendations for this? Also, how do you run your OPNsense/pfSense instance?

Appreciate any tips!

  • libretech@reddthat.com · 3 upvotes · 8 hours ago

    I was going through this process about a year ago. I ended up settling on the Protectli V1410 (Intel N5105 and 4 Intel I226-V 2.5Gbps ports) because: a) I wanted coreboot, b) I was a little wary of lesser-known AliExpress sellers, c) Protectli seemed like a decent company and I felt good about supporting people investing in an open source firmware (minus proprietary blobs which you can’t do much about). None of that was strictly necessary, and you probably would be fine just going with a cheaper NUC or mini PC. I would definitely second some of the other comments on avoiding Realtek NICs though.

  • MuttMutt@lemmy.world · 8 upvotes · 11 hours ago

    Both OPNsense and pfSense have FreeBSD as a base. That means you really want to avoid Realtek NICs.

    I’m running OPNsense on a Supermicro X10SLL-F, with a Xeon E3-1226 v3, 16GB of RAM, and an Intel X520 10G NIC, with the OS installed on a mirrored pair of 240GB Intel D3-S4510s. I underprovisioned the drives by about 50GB to lower write amplification and allow the drive controller scratch pad space for garbage collection even if the drive fills up with logs and snapshots. This is simply done with:

    zfs set quota=190G zroot

    I have the following services (beyond the routing and firewall) running:

    ACME Client - Let’s Encrypt certificates

    Caddy - to expose my home services for access via reverse proxy

    Chrony - network time server

    CrowdSec - running all free rules

    Intrusion Detection (also known as Suricata) - just under 193K rules

    Kea DHCP for IPv4 providing IP addresses for 5 VLANs

    Monit

    Ntopng with Redis as the database

    NUT

    Router Advertisements for IPv6 for 3 VLANs

    SMART - for drive testing, but it basically consumes no resources

    Unbound DNS with abuse.ch, Steven Black, and Hagezi Multi Pro++ blocklists.

    Firewall has 79 rules, NAT has 8 Destination entries, IPv6 is provided by Route64 over WireGuard, remote management access is done via WireGuard tunnel. VLANs are Management, Trusted, Smarthome, Cameras, and a Guest network which is WiFi only. Smarthome and Cameras VLANs do not have internet access except for my HomeAssistant server.

    I’m using a Quanta LB6M for my fiber backbone which is 10G with a LAG connection to a Dell PowerConnect 5548 and 5548P gigabit network stack.

    I’m utilizing approximately 62% of RAM (which begins to have issues once you get over 80% used) and a load average that generally sits at 0.30 unless the GUI is open. Swap is 0.

    I have a 1Gbps fiber internet connection through a Calix 803G and a cellular backup via a Netgear LM1200 that is controlled by OPNsense when 20% or greater packet loss is detected.

    If you have a fiber connection or notice packet loss/slowdowns after 9 minutes you may need to set:

    net.link.ether.inet.max_age = 540

    This is because by default FreeBSD sets a 20 minute ARP maximum age while many ONTs set a 9 minute maximum age.

    If you plan to use Intrusion Detection the required RAM will balloon quickly, and the Unbound DNS blocklists live in RAM as well. You can easily get a similar setup to mine on eBay for 200 or less; old server boards or workstation boards with IPMI are great to have if something acts up and the router is living in a closet without a monitor. The old server boards IMHO are also super stable and they are designed to run for years without being shut down.
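
    As an added example (not the poster's configuration), here is a hand-written pf.conf that expresses the VLAN policy described in this comment: default deny, Guest to the Internet only, Smarthome and Cameras with no Internet except HomeAssistant, and administration only over the WireGuard tunnel. OPNsense generates its pf rules from the GUI, so this is only the equivalent raw ruleset; interface names, VLAN numbers and addresses are assumed placeholders.

```pf
# Added example, not the poster's config. Interface names, VLAN IDs and
# addresses are assumed placeholders; adjust to the real topology.
wan       = "igb0"
mgmt      = "igb1.10"   # Management VLAN (firewall GUI/SSH live here)
trusted   = "igb1.20"   # Trusted VLAN
smarthome = "igb1.30"   # Smarthome VLAN, no Internet
cameras   = "igb1.40"   # Cameras VLAN, no Internet
guest     = "igb1.50"   # WiFi-only guest VLAN
wg        = "wg0"       # WireGuard tunnel used for remote management
homeassistant = "10.0.20.10"   # assumed HomeAssistant host on Trusted

table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
scrub in all

# Outbound NAT only for the VLANs that are allowed to reach the Internet.
nat on $wan from { $trusted:network, $guest:network } to any -> ($wan)

# Default deny, logged: every pass rule below is an explicit exception.
block log all

# Traffic the firewall originates itself (Unbound, Chrony, WireGuard peer).
pass out all keep state

# Trusted VLAN: Internet plus the internal VLANs (HomeAssistant polling
# cameras and smart devices; return packets ride the state entry).
pass in on $trusted from $trusted:network to any keep state

# Guest VLAN: Internet only, never any private range.
pass in on $guest from $guest:network to ! <rfc1918> keep state

# Smarthome and Cameras: no Internet. Only HomeAssistant, plus DNS/NTP
# served by the firewall on each VLAN's own gateway address, are reachable.
pass in on { $smarthome, $cameras } proto { tcp, udp } \
    from any to $homeassistant keep state
pass in on $smarthome proto { tcp, udp } \
    from $smarthome:network to ($smarthome) port { 53, 123 } keep state
pass in on $cameras proto { tcp, udp } \
    from $cameras:network to ($cameras) port { 53, 123 } keep state

# Remote administration only over WireGuard; GUI/SSH are never exposed
# on the WAN address itself.
pass in on $wan proto udp from any to ($wan) port 51820 keep state
pass in on $wg proto tcp \
    from $wg:network to $mgmt:network port { 22, 443 } keep state
```

    Because pf states are floating by default, the forwarded leg of each allowed connection is matched by the state created on the inbound interface, so no per-VLAN `pass out` rules are needed.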

    • Monument@piefed.world · 1 upvote · 7 hours ago

      If you have a fiber connection or notice packet loss/slowdowns after 9 minutes you may need to set:

      net.link.ether.inet.max_age = 540

      Oooooh.

  • Morgikan@fedia.io · 6 upvotes · 13 hours ago

    I had pfSense running on an old Core 2 Duo machine from around 2010 when I worked at an MSP. You can run it on just about anything.

    The only trouble I had was when I switched to gigabit+ service and had snort running. Snort is single-threaded and that CPU just could not keep up. Suricata would be a better choice given it’s natively multi-threaded, but the real limitation there was my setup and not pfSense.

    • irmadlad@lemmy.world · 1 upvote · 12 hours ago

      Suricata would be a better choice given it’s natively multi-threaded

      +1 for Suricata/inline

  • monkeyman512@lemmy.world · 4 upvotes · 12 hours ago

    If your Internet connection is 1G or slower, just about any desktop built in the last 10 years should be fast enough. The critical thing is having a good network card. Intel is generally very reliable for network cards and you can get used ones on eBay for not too much.

  • poVoq@slrpnk.net · 2 upvotes · 13 hours ago

    OPNsense is based on BSD, which has a single-threaded network stack. This means that low-end CPUs can struggle to do >1 Gbit throughputs. Depending on your WAN this could be an issue.

  • bytepursuits@programming.dev · 2 upvotes, 1 downvote · edited · 12 hours ago

    Nowadays I think most homelabbers are buying those N150 mini PCs from AliExpress, specifically for OPNsense.

    • Elena Brescacin@poliversity.it · 2 upvotes · 11 hours ago

      @bytepursuits @selfhosted I tried one mini PC about 10 years ago; what a disappointment! It was a small jewel, touching it. It ran Win10 with a 64GB hard disk. For a couple of years it was my emergency portable aid - I installed the NVDA (NonVisual Desktop Access) screen reader on it, as JAWS for Windows, the commercial one, is very heavy. So, after a few updates to Win10, this poor machine literally became so, so slow. And hot. It seemed to have a little oven in my hands.
      Now, I don’t find anything interesting; those machines, low-priced, sold on non-EU e-commerce sites, don’t seem trustworthy. The second one I bought was bigger, about the size of an iPad mini. But it arrived with a broken LCD screen. As a blind user, I was relying just on audio. But in the end, Gearbest said “you have broken it” - money thrown in the toilet.

  • neonmagician@lemmy.dbzer0.com · 1 upvote · 13 hours ago

    Any dual-NIC SBC should be fine. My roommate & I run it on an i3 dual-NIC small machine, but that’s almost overpowered. Prior to that I ran it on a VM on Proxmox; it worked fine mostly, just a bit of a headache setting up the networking initially.

    • cmnybo@discuss.tchncs.de · 7 upvotes · 13 hours ago

      If you’re buying a PC for OPNsense or pfSense, look for one with Intel NICs. Realtek NICs tend to be unreliable.

  • irmadlad@lemmy.world · 1 upvote · 13 hours ago

    It wouldn’t take much really. I run a little fanless standalone pfSense box:

    • Intel® Celeron® CPU J3160 @ 1.60GHz
    • Current: 1600 MHz, Max: 1601 MHz
    • 4 CPUs: 1 package(s) x 4 core(s)
    • 8 GB RAM
    • 1 TB SSD

    Last time someone asked this question, I believe the going eBay price was in the $175 to $275 USD range. Mine sits between my modem and everything else, servers, cams, PCs, laptops, et al. I haven’t experienced any bottlenecks or sluggishness.

  • drkt@scribe.disroot.org · 2 upvotes, 2 downvotes · 12 hours ago

    My Pentium G3220 box running OPNsense has never bottlenecked me, so I imagine you can run it on basically anything you can find in a dumpster.