10G OPNsense Hardware

[OhioYJ]

So I've been looking at moving everything in my rack to 10G, and the last piece of the puzzle is my router / firewall (for OPNsense). Currently using a NUC BOX-155H (2.5G). Generally I've always gone with the NUC route over cheap Chinese boxes, as they get BIOS updates among other other reasons. However for 10G choices I haven't found any clear "winner"? I could really use some help / suggestions. I would like to keep it to a 2U of space, and pretty quiet though.

 

Here is what I've looked at so far, and my thoughts / concerns:

 

• Minisforum MS-01 - Price is great on this one. However I see lots of complaints across the board about reliability on all Minisforum's machines. This does sort of concern me.
• Protectli VP6670 - Available with open source BIOS, supposed to be quiet. A bit pricey, however not horrible.
• Supermicro SYS-111AD-HN2 - This I think might be more reliable, as it should be "server grade"? However it's by far the most expensive option. I think it would be my clear winner though if it weren't for the loud server fans. I don't think this would be tolerable noise-wise where my network rack is currently located.

Yes I briefly looked at say something like the DEC2752 from OPNsense directly. However I like the freedom to just repair something easily, and do whatever I want with a device. I kind of assume pfsense and OPNsense hardware are essentially branded PCs, but as soon as I assume...

 

 

 

[AbydosOne]

Just a quick sanity check: do you have 10G internet service? If not, you can use a sub-10G router to do the DHCP, DNS, etc., and connect it downstream (LAN side) to a 10G+ switch for actual communication between 10G devices (that's what I do).

[OhioYJ]

25 minutes ago, AbydosOne said:

Just a quick sanity check: do you have 10G internet service?

 

Not currently. I am currently 1G symmetrical, and have a locked in price for a while yet. Once that deal is up, the plan is to move to a higher speed (Hopefully lock myself into another 3 year deal).

 

Right now I have:

 

ONT (1G) --> Firewall (2.5) --> Switch (10G)

 

You're saying just swap that around:

 

ONT --> Switch --> Firewall.

 

That's a little less fun than new hardware though.

[AbydosOne]

1 minute ago, OhioYJ said:

Right now I have:

 

ONT (1G) --> Firewall (2.5) --> Switch (10G)

 

You're saying just swap that around:

 

ONT --> Switch --> Firewall.

No, what you have now is pretty much the optimal, unless you're routing 10G traffic between subnets (and assuming your firewall is also doing your routing).

[OhioYJ]

4 minutes ago, AbydosOne said:

unless you're routing 10G traffic between subnets (and assuming your firewall is also doing your routing).

I have just enough knowledge here to be dangerous. There is traffic crossing VLANs, as my NAS for example is in it's own VLAN. VLANs and subnets are similar in this regard correct? However the switches are aware of the VLAN, so is the switch routing the traffic directly between those devices, or does the router still need to be involved?

[AbydosOne]

1 minute ago, OhioYJ said:

VLANs and subnets are similar in this regard correct?

Technically different, usually made synonymous in practice.

 

2 minutes ago, OhioYJ said:

However the switches are aware of the VLAN

Layer 2 switches? Then you're set.

 

2 minutes ago, OhioYJ said:

so is the switch routing the traffic directly between those devices, or does the router still need to be involved?

If the switch is VLAN aware, then the router is primarily just for DHCP, DNS, and handling routing to addresses the switches don't know (either internal or external).

[Lurick]

15 hours ago, AbydosOne said:

Technically different, usually made synonymous in practice.

 

Layer 2 switches? Then you're set.

 

If the switch is VLAN aware, then the router is primarily just for DHCP, DNS, and handling routing to addresses the switches don't know (either internal or external).

A L2 switch is VLAN aware but does NOT do routing. You need a router or L3 capable switch to route between VLANs

[OhioYJ]

So the more I thought about this, it was something I just wanted to do. None of the options above were a clear cut winner, so I decided to just build a mini-itx machine that would do the job. My only complaint was the only motherboard I could find that did have Intel Networking onboard was an Asus board, but oh well. (I wanted the onboard to work just in case I needed it)

 

(10G Intel card is in the brown box under the ram and SSD)

 

 

The case should be arriving tomorrow, Silverstone ML09.

 

I've never built a mini-itx machine, or seen SFX PSU. It's pretty surprising how small this stuff is.

[OhioYJ]

Ok everything is done. I'm kind of wondering why I didn't go this route originally. So I just went stupid spec wise:

 

- Intel 265K

- Asus B860-I Gaming Wifi (Only Mini-ITX I found with Intel LAN)

- 32 GB DDR5 6000

- 1 TB MP600

- SF850 PSU

- Intel X550-T2 (Actual Intel Card)

 

I still ended up roughly the same price as a MS-01, but for a much more powerful machine. Though, admittedly, not as small. However it still fits on my rack fine.  The network card has two 80mm intake fans pointed at, so it should have plenty of cooling.

 

 

Found out my ONT actually is 10G capable. So perhaps faster speeds than 2G is on my fiber providers radar? Either way I also noticed I no longer have any issues with my upload speeds. Not that they were necessarily slow before, but it wouldn't keep the full speed, for extended uploads before. Never dug too deeply into that one though, as I don't do a ton of uploading.

 

[LIGISTX]

I know I’m to late… but Lenovo m720q is the play. I just picked one up for 150 bucks off eBay; i5 8500t, 16GB RAM, and a 256 nvme drive. And the m720q specifically has PCIe slot (you just need a little expanded board). Pretty power efficient, small, quiet, awesome little router or HA node for Proxmox. 
 

Also, if TrueNAS is on its own subnet, you should create NIC’s on the subnet you actually pass traffic over. That way you’re not hitting the firewall for a subnet hop and the traffic can be routed entirely by your switches (unless as stated above, you have layer 3 switches which you said you don’t have). Then on that subnet, disallow the WebUI, SSH, etc.

 

This is how you create security in the form of limiting what subnets can even talk to Truenas’s controls like ssh and webUI, but allow SMB or NFS shares to go directly through switches and not having to hit the firewall for a routing decision.