Looking for a secure router/firewall, 'OPNsense A10 Quad Core SSD desktop'?

Jefferson343

Hello everyone

I'm looking for a good router/firewall for my home. I think that security is extremely important, you could say it's my top priority, and therefore I'm looking to get a really secure router.

I don't know much about networking. Another thing is that I don't really know how I should estimate what kind of performance I need on my router; I'd be grateful if you could help me with some advice. At home I'll have:
  • An "average home setup" - a bunch of stationary PCs, one or two servers, maybe some NAS or other storage, one or two HTPCs, a network printer... plus about half a dozen mobile devices (smartphones etc.) or so maybe.
  • Internal Gigabit network, i.e. the best possible, which should be Gbit Ethernet as of today.
  • Internet/WAN connection up to 1 Gbit
Are there any other requirements or aspects I should consider when looking for a router?

...
I've searched a bit and found the OPNsense Project.
https://opnsense.org/

The main backing company, Deciso, sells some ready-made products that seem really neat and I'm considering buying this device:
OPNsense A10 Quad Core SSD desktop

Does it seem like a good product? Do you think it will live up to the general requirements I drew up earlier?
Any other alternatives you would suggest?
 
I have high hopes for the OPNsense project but they are new. Too new for me...


If security is important, go with tried and true, OpenBSD, FreeBSD, or maybe pfSense. BSD tends to evolve slower, but the environments are more integrated.


Linux evolves faster, which brings along the occasional undocumented feature. IPFire is my choice if choosing Linux, but be smart and try not to run too many extra services on your perimeter firewall. Complexity and security flaws are common bedfellows.


I use pfSense mostly because of available documentation but my recently purchased Cisco 877 literally has thousands upon thousands of pages of documentation available, which is great/torturous. Almost any established router distro is capable of being secure, with proper administration. ;)


I would focus on choosing software since that will affect security the most, then pick whatever hardware you want to run it, maybe looking for something with hardware/enhanced crypto if VPNs are your thing.
 
Thanks for the reply Nullity

I guess it should be possible to install pfSense onto that device if I so wanted to, I can hardly think that there can be any major difference in hardware support between the two distributions.

Do you think the hardware specs on the product I linked to are all right?
I think it would work fine for my intended usage... but would it be possible to hit the limit with it in any scenario? Can you think of any use-case this router/firewall won't cope with?
 
Go shop for those little mini-PCs yourself and avoid the rebranding. Things like the Intel NUC or micro-ITX stuff are awesome. Many of them are legit desktop-class devices, so they can run any OS. There are many versions on Amazon if you look.

Make sure to get Intel branded NICs.

There are some great mini-itx (or some other designation I am forgetting) motherboard review sites detailing the differences between the $70 versions up to the $300 versions. You can find the board that meets all your needs rather than get some unknown generic.
 
I would add that if the rebranded "turnkey" options do come truly ready-to-go, burned-in and optionally supported by competent staff (i.e. actual domestic help with articulate communication skills and more than just level-1 skills/access) then they can be a compelling choice. Otherwise, yes, black-box would be my recommendation as well.

As Nullity listed, there seems to be a decent amount of choice in the lower wattage, fanless mini-ITX space. Amazon, eBay, AliExpress all have prime examples in the $300-$600 range, some even coming in industrial-class enclosures and/or with flash and RAM included and ready to be loaded with your OS of choice.
 
About specs... really, everyone just seems to buy 100x more than they need, lol. Even if you do somehow overload the system you can always optimize your configuration. If you do a little forum searching I bet you will find that $500+ will more than meet your minimums.

Estimating is nearly impossible unless you know precisely what services you plan on running. Things like OpenVPN, snort, or suricata have different requirements. VLANs, QoS complexity, authoritative DNS or caching, blah blah etc. The design of your network is another area where you may require some drastically different processing power because you use LAN topography more efficiently.
 
One thing about your hardware choices. SSDs are only important for boot times and cache (such as web proxy cache). DNS cache is done in RAM.

Using an AMD CPU isn't a bad thing but their controllers and motherboards tend to come with Realtek Ethernet NICs even for dual NICs. Realtek NICs use a lot more CPU either because of their drivers or their lack of hardware that relies on CPU to perform tasks such as checksum for instance. This doesn't matter if you plan to use Intel server NICs on PCIe instead of onboard.

I would not say that so much hardware is overkill. More CPU means more firewall configs, more features you can use on it, more VPN speeds for encrypted tunnels and such. More RAM means more connections, more routes, more features, more cache.
 
The simplest software firewall I have used is Untangle. They have a free version and paid version. I run the free version. Once you have set up Untangle it just hums in the background, not requiring any support or fixes. All upgrades are handled at night by Untangle. You never have to patch the firewall by hand.
I have never tried OPNsense so I cannot help with it.
 
I'm a pfSense user and am happy. The cost of the box you selected is high. I built one with a Supermicro motherboard with a J1900 processor, an M350 case with suitable power supply, 8 GB RAM and a 120 GB SSD for less than $400, and it is extremely over-provisioned. A less powerful box would have only cost a little less, so what the heck. Toss in free pfBlockerNG and a $30/year sub to SNORT and you're ready to go. 4 GB RAM and 64 GB SSD would work well and save $50. Some other J1900 motherboards are less reliable, even though they cost less.

Their OpenVPN implementation is excellent.
 
Go shop for those little mini-PCs yourself and avoid the rebranding. Things like the Intel NUC or micro-ITX stuff are awesome. Many of them are legit desktop-class devices, so they can run any OS. There are many versions on Amazon if you look.

Make sure to get Intel branded NICs.

There are some great mini-itx (or some other designation I am forgetting) motherboard review sites detailing the differences between the $70 versions up to the $300 versions. You can find the board that meets all your needs rather than get some unknown generic.
Agree +100. Been there. Done that.
 
