I’m a pretty novice person considering installing opnsense for my personal home use.

Their documentation has what would seem to be incomplete hardware requirements.

For example it does not list any network hardware. I assume you need at least 1 Ethernet connection. I recall reading somewhere that you might need 2 network cards? One for in and one for out?

What about network card specs? I have old computers lying around that exceed the CPU/RAM/SSD requirements but cards are practically antiques. Should I upgrade? If so, to what?

ETA: The best internet I could subscribe to where I’m at is 1024 Mbps down, 50 Mbps up. So don’t worry about wasting fibre speeds. :(

Does anyone know about a more thorough description of requirements?

  • Decronym@lemmy.decronym.xyz (bot) · 4 points · edited · 1 year ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer letters   More letters
    IP              Internet Protocol
    NAT             Network Address Translation
    PCIe            Peripheral Component Interconnect Express

    3 acronyms in this thread; the most compressed thread commented on today has 14 acronyms.

    [Thread #27 for this sub, first seen 11th Aug 2023, 18:05]

  • towerful@programming.dev · 1 point · 1 year ago

    I would try and set something up on your old hardware, and try it out.
    Use it as a learning experience.

    Gigabit packet forwarding (even basic NAT) isn’t super heavy.

    When I was trying it out, I used some old $50 refurbished thing from eBay with like 2 cores and 4 GB of RAM.
    The only upgrade I made was to install an Intel 4-port Ethernet card, mostly because it was a widely recommended one, and I could pick one up for like $20. I only ever used 2 ports on it - WAN and LAN.

    When I first started playing, I used my ISP router as a modem/router, and DMZ’d opnsense. Opnsense was the only thing connected to the ISP routers lan.
    This meant that my opnsense had a private IP (i.e. RFC 1918) for its WAN port, and I would have a double NAT (outbound packets from my actual LAN would get NAT'd from opnsense's WAN IP (which was inside the ISP router's LAN), then the ISP router would NAT that onto its public IP).
    I never had any issues with double nat, but I only had a small network.
    As the opnsense box was the DMZ for the ISP router, all incoming traffic was forwarded to opnsense, which could then control port forwarding to wherever. So I didn’t have any complications with port forwarding.

    My next upgrade was a more dedicated opnsense box (one of those 4-port fanless nameless nucs for ~$300).
    I also bought a bridge modem, so that opnsense could do the PPPoE (or whatever it was) connection and take the public IP directly.

    After that, I bought a managed switch with VLANs.
    However, I still only use 2 physical ports on my opnsense box (which was a mistake). 1 for WAN, and 1 for Trunk. I then have virtual interfaces for each VLAN configured within opnsense.

    I think the important minimum requirements are “decent network card”. Which, for the most part, is the recommended 4 port intel card. I can’t remember the part number, but quick Googles will probably find it.
    Then, install opnsense, make sure it works, figure out how to replace your ISP router (or DMZ/double-nat).

    If you ever plan on doing more complex things, my biggest recommendation is to essentially keep the default assignments, then build off of them.
    So opnsense will default assign a wan port and a lan port.
    Use the wan port as wan, and use the LAN port as “admin access” and nothing else (ie don’t actually connect it to a network).
    Then, add an additional physical interface for your actual lan (which in my case now carries the trunk for various vlans).
    This makes it SUPER easy to wipe the config, reinstall or whatever using the “admin” network, then import a backup.
    I made this mistake, and would often have to do “vlan shenanigans”, annoying patching, etc to get me out of trouble.
    Whereas grabbing a laptop, plugging directly into the "admin" (i.e. default LAN) port, and fixing stuff is easy as hell. Doesn't matter if it's a fresh wipe install, a defaulted config, or an active installation. I always have easy physical access (which is guaranteed by opnsense's anti-lockout rules - which don't seem to apply to anything you create).
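Added example, not part of any post in this thread: a constructed model of the double-NAT path the comment above describes (LAN host behind OPNsense, OPNsense's WAN on the ISP router's private LAN, ISP router NATing again to the public IP, with OPNsense set as the ISP router's DMZ host). All addresses, ports and the port-forward rule are made up for illustration.

```python
# Constructed model of the double-NAT setup described in the post above:
# a LAN host behind OPNsense, whose WAN port has a private (RFC 1918) address
# on the ISP router's LAN, which NATs a second time onto the public IP.
class Nat:
    """One NAT hop: dynamic outbound mappings, static port forwards, and an
    optional DMZ host that receives any unsolicited inbound traffic."""
    def __init__(self, name, outside_ip, forwards=None, dmz_host=None):
        self.name, self.outside_ip, self.dmz_host = name, outside_ip, dmz_host
        self.forwards = dict(forwards or {})  # outside port -> (inside ip, port)
        self.dynamic = {}                     # outside port -> (inside ip, port)
        self.next_port = 40000                # first ephemeral port to hand out

    def outbound(self, src_ip, src_port):
        """Translate an inside source address to this hop's outside address."""
        for oport, inner in self.dynamic.items():
            if inner == (src_ip, src_port):   # reuse an existing mapping
                return self.outside_ip, oport
        oport, self.next_port = self.next_port, self.next_port + 1
        self.dynamic[oport] = (src_ip, src_port)
        return self.outside_ip, oport

    def inbound(self, dst_port):
        """Where a packet to outside_ip:dst_port goes, or None (dropped)."""
        if dst_port in self.dynamic:          # reply to an outbound flow
            return self.dynamic[dst_port]
        if dst_port in self.forwards:         # explicit port forward
            return self.forwards[dst_port]
        if self.dmz_host:                     # everything else to the DMZ host
            return self.dmz_host, dst_port
        return None

def outbound_path(src_ip, src_port, hops):
    """Apply each NAT hop innermost-first; return the address seen at every hop."""
    path = [(src_ip, src_port)]
    for nat in hops:
        src_ip, src_port = nat.outbound(src_ip, src_port)
        path.append((src_ip, src_port))
    return path

def inbound_path(dst_port, hops):
    """Walk inbound traffic from the public side inward; None means dropped."""
    target = None
    for nat in reversed(hops):
        target = nat.inbound(dst_port)
        if target is None:
            return None
        dst_port = target[1]
    return target

# Constructed topology: OPNsense forwards public 443 to an internal web server,
# and the ISP router has OPNsense's WAN address as its DMZ host (as in the post).
OPNSENSE = Nat("opnsense", "192.168.0.2", forwards={443: ("192.168.1.10", 443)})
ISP_ROUTER = Nat("isp-router", "203.0.113.7", dmz_host="192.168.0.2")
HOPS = [OPNSENSE, ISP_ROUTER]
```

Without the DMZ setting on the ISP router the same inbound 443 is dropped at the first hop, which is the port-forwarding complication the comment says the DMZ avoids.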

    • imaradio@lemmy.ca (OP) · 1 point · 1 year ago

      thanks for all the info!

      I am definitely a person who will always change the defaults for no particular reason, so I appreciate the warning. Except I don't quite know what you mean by "assignments". Do you mean like the names? eth0? Or their functions? I do like the idea of having a physical jack that's always guaranteed to allow access no matter what I foul up otherwise.

      all these years I have been running my home network with a collection of routers just kind of attached together in a way that shouldn’t work due to “double nat” according to everything I ever read, but it is pretty much functional if not at all optimized. maybe if you don’t believe in double nat it won’t happen to you.

      • towerful@programming.dev · 1 point · 1 year ago

        I’ve done crazy things and never had an issue with double nat. But that’s all on small networks.

        Assignment as in what opnsense is aware of.
        Whether that is a physical NIC (NICs aren't assigned by default), virtual NICs (i.e. multiple VLANs on a physical NIC), or PPPoE/PPPoA/whatever.

        Watch a video of the install process, then watch a video of assigning additional interfaces.
        They will be able to explain and show it to you better than I can type!

    • imaradio@lemmy.ca (OP) · 1 point · 1 year ago

      Does “interface” mean you need separate cards? Or you have a single card with multiple interfaces?

      Is DMZ like a guest network?

      I looked up "IDS/IPS" and it sounds like something I would prefer to avoid doing if I can.

      • MilderRichter@feddit.de · 3 points · 1 year ago

        DMZ is usually where you put servers that should be externally accessible

        it’s like a guest network in that it is a separate network segment with different filtering/forwarding rules than the main local network

        • imaradio@lemmy.ca (OP) · 1 point · 1 year ago

          I was hoping to make use of one of the various computers I have cluttering this place up so I could justify continuing the collection. ;)

          Do you know how to determine suitability of an existing card, or how to correctly purchase a replacement?

  • AreaKode@lemmy.thesharpcheddar.net · 6 points · edited · 1 year ago

    Not much. You can run it with one network card, but you'll have to run it in trunk mode. That will also limit you to 500 Mbps on a gigabit network.

    I've run it on an old dual-core CPU with 4 GB of memory, and it was still able to pump out gigabit speeds.

    • Zeoic@lemmy.world · 1 point · edited · 1 year ago

      That is actually dependent on what you are doing. With gigabit ethernet being full duplex, you can transfer 1Gb/s both up and down at the same time.

      This would mean that if he has a single port, if he was downloading a file from the internet, he could still reach 1Gb/s. If he, however, had 1Gb up and down, he could only download at 500Mb/s and upload at 500Mb/s simultaneously.

      His upload being so much lower than his download would lead to him not likely noticing any difference.
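Added example, not from any post in this thread: a small constructed model of the single-port ("router on a stick") case argued over in the two comments above, showing why a symmetric 1 Gb/s load halves to 500/500 on one trunk port while the OP's 1024/50 connection loses only a few percent. Rates are in Mb/s; the 1000 Mb/s link and proportional sharing of an overloaded port are assumptions.

```python
# Constructed model of the single-port ("router on a stick") case discussed
# above. With one trunk port every forwarded packet both enters and leaves
# the same port, so download and upload share that port's receive budget
# and its transmit budget. Rates in Mb/s; link and ISP figures are assumed.

def port_load(down, up, ports):
    """(rx, tx) load on the busiest port direction for a given traffic mix.

    Two ports: WAN carries rx=down/tx=up, LAN carries rx=up/tx=down.
    One port: both directions of every flow cross it, so rx = tx = down + up.
    """
    if ports == 1:
        return down + up, down + up
    return max(down, up), max(down, up)

def achievable(down, up, link, ports):
    """Scale the demanded (down, up) back proportionally until no port direction
    exceeds the full-duplex link rate. Proportional sharing is a simplifying
    assumption; real TCP fairness differs, but the ceiling is the same."""
    worst = max(port_load(down, up, ports))
    if worst <= link:
        return down, up
    scale = link / worst
    return down * scale, up * scale

def single_port_penalty(down, up, link=1000):
    """Fraction of download lost by moving from two ports to one trunk port."""
    two = achievable(down, up, link, 2)[0]
    one = achievable(down, up, link, 1)[0]
    return 0.0 if two == 0 else 1 - one / two
```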

    • imaradio@lemmy.ca (OP) · 3 points · 1 year ago

      The best internet I could subscribe to where I’m at is 1024 Mbps down, 50 Mbps up. I’ll add that to the post I guess it is relevant since so many people have fibre. (sigh)

  • ag10n@lemmy.world · 2 points · 1 year ago

    I have mine set up on a Supermicro ITX-based machine with an Intel N3710 and 8 GB of RAM. It has four Intel-based ports but you can easily get away with two.

    I used to run a Zotac CI323 with dual Realtek NICs. Works fine for 300M up/down.

    You'll want two ports, one for WAN and one for LAN, and most NICs will support VLANs if you need more than that. Any VPN or encryption will increase your CPU requirements. If your needs are low, a cheap dual-NIC NUC-like device works great.