this post was submitted on 11 Aug 2023
19 points (95.2% liked)

Selfhosted

40183 readers
500 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I'm a pretty novice person considering installing opnsense for my personal home use.

Their documentation has what would seem to be incomplete hardware requirements.

For example, it does not list any network hardware. I assume you need at least 1 Ethernet connection. I recall reading somewhere that you might need 2 network cards? One for in and one for out?

What about network card specs? I have old computers lying around that exceed the CPU/RAM/SSD requirements, but the cards are practically antiques. Should I upgrade? If so, to what?

ETA: The best internet I could subscribe to where I'm at is 1024 Mbps down, 50 Mbps up. So don't worry about wasting fibre speeds. :(

Does anyone know about a more thorough description of requirements?

all 22 comments
[–] AreaKode@lemmy.thesharpcheddar.net 6 points 1 year ago* (last edited 1 year ago) (2 children)

Not much. You can run it with one network card, but you'll have to run it in trunk mode. That will also limit you to 500 Mbps on a gigabit network.

I've run it on an old dual-core CPU with 4GB of memory, and it was still able to pump out gigabit speeds.

[–] imaradio@lemmy.ca 3 points 1 year ago

The best internet I could subscribe to where I'm at is 1024 Mbps down, 50 Mbps up. I'll add that to the post I guess it is relevant since so many people have fibre. (sigh)

[–] Zeoic@lemmy.world 1 points 1 year ago* (last edited 1 year ago)

That is actually dependent on what you are doing. With gigabit Ethernet being full duplex, you can transfer 1Gb/s both up and down at the same time.

This would mean that if he has a single port and is downloading a file from the internet, he could still reach 1Gb/s. If, however, he had 1Gb up and down, he could only download at 500Mb/s and upload at 500Mb/s simultaneously.

His upload being so much lower than his download would lead to him not likely noticing any difference.

[–] Decronym@lemmy.decronym.xyz 5 points 1 year ago* (last edited 1 year ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters   More Letters
IP              Internet Protocol
NAT             Network Address Translation
PCIe            Peripheral Component Interconnect Express

3 acronyms in this thread; the most compressed thread commented on today has 14 acronyms.

[Thread #27 for this sub, first seen 11th Aug 2023, 18:05]

[–] towerful@programming.dev 3 points 1 year ago (1 children)

I would try and set something up on your old hardware, and try it out.
Use it as a learning experience.

Gigabit packet forwarding (even basic NAT) isn't super heavy.

When I was trying it out, I used some old $50 refurbished thing from eBay with like 2 cores and 4GB of RAM.
Only upgrade I made was to install an Intel 4-port Ethernet card, mostly because it was a widely recommended one, and I could pick one up for like $20. I only ever used 2 ports on it - WAN and LAN.

When I first started playing, I used my ISP router as a modem/router, and DMZ'd opnsense. Opnsense was the only thing connected to the ISP router's LAN.
This meant that my opnsense had a private IP (i.e. RFC 1918) for its WAN port, and I would have a double NAT (outbound packets from my actual LAN would get NAT'd from opnsense's WAN IP (which was inside the ISP router's LAN), then the ISP router would NAT that onto its public IP).
I never had any issues with double NAT, but I only had a small network.
As the opnsense box was the DMZ for the ISP router, all incoming traffic was forwarded to opnsense, which could then control port forwarding to wherever. So I didn't have any complications with port forwarding.

My next upgrade was a more dedicated opnsense box (one of those 4-port fanless nameless nucs for ~$300).
I also bought a bridge modem, so that opnsense could do the PPPoE (or whatever it was) connection and take the public IP directly.

After that, I bought a managed switch with VLANs.
However, I still only use 2 physical ports on my opnsense box (which was a mistake). 1 for WAN, and 1 for Trunk. I then have virtual interfaces for each VLAN configured within opnsense.

I think the important minimum requirements are "decent network card". Which, for the most part, is the recommended 4 port intel card. I can't remember the part number, but quick Googles will probably find it.
Then, install opnsense, make sure it works, figure out how to replace your ISP router (or DMZ/double-nat).

If you ever plan on doing more complex things, my biggest recommendation is to essentially keep the default assignments, then build off of them.
So opnsense will by default assign a WAN port and a LAN port.
Use the WAN port as WAN, and use the LAN port as "admin access" and nothing else (i.e. don't actually connect it to a network).
Then, add an additional physical interface for your actual LAN (which in my case now carries the trunk for various VLANs).
This makes it SUPER easy to wipe the config, reinstall or whatever using the "admin" network, then import a backup.
I made this mistake, and would often have to do "VLAN shenanigans", annoying patching, etc. to get me out of trouble.
Whereas grabbing a laptop, plugging directly into the "admin" (i.e. default LAN) port, and fixing stuff is easy as hell. Doesn't matter if it's a fresh wipe install, a defaulted config, or an active installation. I always have easy physical access (which is guaranteed by opnsense's anti-lockout rules - which don't seem to apply to anything you create).
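The DMZ / double-NAT layout described in the comment above (LAN host behind opnsense, opnsense's WAN sitting inside the ISP router's private LAN, ISP router forwarding all unsolicited traffic to opnsense as its DMZ host) is easier to reason about when you trace one packet through both translations. The following is an added example written for this page, not code from the thread or from OPNsense; the addresses (192.168.1.0/24 behind opnsense, 192.168.0.0/24 on the ISP router's LAN, 203.0.113.7 as the public IP, 198.51.100.10 as a remote host) and the port-forward of 22 to a LAN host are assumptions chosen for illustration.

```python
"""Trace packets through two chained NAT routers: ISP router (with DMZ host) -> opnsense -> LAN.

Added example; addresses and port numbers are assumptions, not from the thread.
"""
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Minimal stateful source NAT with optional static port forwards and a DMZ host."""

    def __init__(self, name, outside_ip, dmz_host=None, port_forwards=None, first_port=40000):
        self.name = name
        self.outside_ip = outside_ip            # address the next hop sees as source
        self.dmz_host = dmz_host                # unsolicited inbound goes here if nothing else matches
        self.port_forwards = dict(port_forwards or {})   # dst_port -> (inside_ip, inside_port)
        self._next_port = itertools.count(first_port)
        self._out = {}   # (src_ip, src_port, dst_ip, dst_port) -> translated source port
        self._in = {}    # (translated port, remote_ip, remote_port) -> (src_ip, src_port)

    def outbound(self, pkt):
        """Rewrite the source of an inside->outside packet and record the state entry."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self._out:
            port = next(self._next_port)
            self._out[key] = port
            # State is keyed on the remote endpoint too, so a reply is only accepted
            # from the host the inside client actually talked to.
            self._in[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.outside_ip, self._out[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate an outside->inside packet; None means the router drops it."""
        if pkt.dst_ip != self.outside_ip:
            return None
        hit = self._in.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if hit:                                  # reply to an existing session
            return Packet(pkt.src_ip, pkt.src_port, *hit)
        fwd = self.port_forwards.get(pkt.dst_port)
        if fwd:                                  # explicit port forward
            return Packet(pkt.src_ip, pkt.src_port, *fwd)
        if self.dmz_host:                        # everything else unsolicited -> DMZ host
            return Packet(pkt.src_ip, pkt.src_port, self.dmz_host, pkt.dst_port)
        return None


def build_chain():
    """ISP router owns the public IP and DMZs opnsense; opnsense NATs the real LAN behind it."""
    isp = NatRouter("isp-router", outside_ip="203.0.113.7",
                    dmz_host="192.168.0.2", first_port=50000)
    opn = NatRouter("opnsense", outside_ip="192.168.0.2",
                    port_forwards={22: ("192.168.1.20", 22)}, first_port=40000)
    return isp, opn


def trace_session():
    """Return the packet as seen at each hop for an outbound session, its reply,
    an unsolicited SSH connection (forwarded) and an unsolicited HTTP connection (dropped)."""
    isp, opn = build_chain()

    # LAN client 192.168.1.50 opens an HTTPS connection to 198.51.100.10.
    out = Packet("192.168.1.50", 51000, "198.51.100.10", 443)
    on_isp_lan = opn.outbound(out)           # first NAT: source becomes opnsense's WAN address
    on_internet = isp.outbound(on_isp_lan)   # second NAT: source becomes the public IP

    # The server replies to whatever it saw; both NATs must undo their translation.
    reply = Packet("198.51.100.10", 443, on_internet.src_ip, on_internet.src_port)
    back_on_isp_lan = isp.inbound(reply)
    back_on_lan = opn.inbound(back_on_isp_lan) if back_on_isp_lan else None

    # Unsolicited SSH: ISP router has no state and no forward, so DMZ hands it to opnsense,
    # whose port forward delivers it to the LAN host.
    ssh = Packet("198.51.100.10", 12345, "203.0.113.7", 22)
    ssh_at_opn = isp.inbound(ssh)
    ssh_on_lan = opn.inbound(ssh_at_opn) if ssh_at_opn else None

    # Unsolicited HTTP: the ISP router still forwards it (DMZ), but opnsense has no
    # matching state or forward, so opnsense is the hop that drops it.
    http = Packet("198.51.100.10", 12346, "203.0.113.7", 80)
    http_at_opn = isp.inbound(http)
    http_on_lan = opn.inbound(http_at_opn) if http_at_opn else None

    return {
        "on_isp_lan": on_isp_lan, "on_internet": on_internet,
        "back_on_isp_lan": back_on_isp_lan, "back_on_lan": back_on_lan,
        "ssh_at_opn": ssh_at_opn, "ssh_on_lan": ssh_on_lan,
        "http_at_opn": http_at_opn, "http_on_lan": http_on_lan,
    }


if __name__ == "__main__":
    for hop, pkt in trace_session().items():
        print(f"{hop:16} {pkt}")
```

The point worth noticing in the trace is the last case: once the ISP router's DMZ is pointed at opnsense, the ISP router forwards every unsolicited packet it receives, so opnsense's WAN ruleset is the only real perimeter filter. Double NAT itself does no harm to the outbound flow; it just means two state tables have to agree, which is why things like inbound port forwards have to be configured on opnsense (the ISP router's DMZ setting handles the outer hop).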

[–] imaradio@lemmy.ca 1 points 1 year ago (1 children)

thanks for all the info!

I am definitely a person who will always change the defaults for no particular reason, so I appreciate the warning. Except I don't quite know what you mean by "assignments". Do you mean like the names? eth0? Or their functions? I do like the idea of having a physical jack that's always guaranteed to allow access no matter what I foul up otherwise.

All these years I have been running my home network with a collection of routers just kind of attached together in a way that shouldn't work due to "double NAT" according to everything I ever read, but it is pretty much functional if not at all optimized. Maybe if you don't believe in double NAT it won't happen to you.

[–] towerful@programming.dev 2 points 1 year ago

I've done crazy things and never had an issue with double NAT. But that's all on small networks.

Assignment as in what opnsense is aware of.
Whether that is a physical NIC (NICs aren't assigned by default), virtual NICs (i.e. multiple VLANs on a physical NIC), or PPPoE/PPPoA/whatever.

Watch a video of the install process, then watch a video of assigning additional interfaces.
They will be able to explain and show it to you better than I can type!

[–] ag10n@lemmy.world 2 points 1 year ago

I have mine set up on a Supermicro ITX-based machine with an Intel N3710 and 8 GB of RAM. It has four Intel-based ports but you can easily get away with two.

I used to run a Zotac CI323 with dual Realtek NICs. Works fine for 300 Mbps up/down.

You'll want two ports, one for WAN, one for LAN, and most NICs will support VLANs if you need more than that. Any VPN or encryption will increase your CPU requirements. If your needs are low, a cheap dual-NIC NUC-like device works great.
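Several comments above (towerful's "1 for WAN, and 1 for Trunk" with a virtual interface per VLAN, and the remark just above that most NICs support VLANs) rely on the same mechanism: one physical port carries frames for several networks, and the 802.1Q tag on each frame decides which logical interface it belongs to. The following is an added example, not code from the thread or from OPNsense, showing how that classification works on raw frames: it builds a few constructed frames, parses the tag, and maps each frame to a logical interface. The VLAN IDs, interface names and MAC addresses are made up for the example.

```python
"""Classify Ethernet frames arriving on a VLAN trunk by their 802.1Q tag.

Added example; VLAN numbers, interface names and MACs are assumptions, not from the thread.
"""
import struct

TPID_8021Q = 0x8100        # EtherType that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_mac, src_mac, payload, vlan_id=None, ethertype=ETHERTYPE_IPV4, pcp=0):
    """Construct an Ethernet II frame, optionally with one 802.1Q tag (test input only)."""
    hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan_id is None:
        return hdr + struct.pack("!H", ethertype) + payload
    if not 0 <= vlan_id <= 4095:
        raise ValueError("VLAN ID is a 12-bit field")
    tci = (pcp << 13) | vlan_id            # 3-bit priority, 1-bit DEI (0 here), 12-bit VID
    return hdr + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Parse the Ethernet header and, if present, one 802.1Q tag.

    Returns a dict with dst, src, vlan (None when untagged), ethertype, payload and
    double_tagged (True when another 802.1Q tag follows the first one).
    """
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset, double_tagged = None, 14, False
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
        double_tagged = ethertype == TPID_8021Q
    return {"dst": dst, "src": src, "vlan": vlan, "ethertype": ethertype,
            "payload": frame[offset:], "double_tagged": double_tagged}


def classify(frame, vlan_map, native_iface=None):
    """Return the logical interface a trunk frame belongs to, or None to drop it.

    vlan_map: VLAN ID -> interface name. native_iface is where untagged frames land
    (the parent interface); leave it None to drop untagged frames on a trunk that is
    not supposed to carry any.
    """
    info = parse_frame(frame)
    if info["double_tagged"]:
        # Example policy: a second 802.1Q tag is not expected from the switch on a
        # router trunk, so drop rather than let the inner tag be interpreted later.
        return None
    if info["vlan"] is None or info["vlan"] == 0:
        return native_iface                # untagged, or priority-tagged (VID 0)
    if info["vlan"] == 4095:
        return None                        # reserved VID
    return vlan_map.get(info["vlan"])      # unknown VLAN -> None -> dropped


# Constructed sample trunk layout; names mimic "virtual interface per VLAN on one port".
TRUNK = {10: "igb1_vlan10 (WAN)", 20: "igb1_vlan20 (LAN)", 30: "igb1_vlan30 (IOT)"}
IP_STUB = bytes([0x45]) + bytes(19)        # minimal IPv4-looking payload, content unused


def demo():
    """Run a few constructed frames through the classifier and return the decisions."""
    tagged_lan = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", IP_STUB, vlan_id=20)
    untagged = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", IP_STUB)
    unknown = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", IP_STUB, vlan_id=99)
    # Outer tag 20, inner tag 30: inner tag sits where the EtherType would normally be.
    inner = struct.pack("!HH", 30, ETHERTYPE_IPV4) + IP_STUB
    double = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", inner,
                         vlan_id=20, ethertype=TPID_8021Q)
    return {
        "tagged_lan": classify(tagged_lan, TRUNK, native_iface="igb1"),
        "untagged": classify(untagged, TRUNK, native_iface="igb1"),
        "untagged_no_native": classify(untagged, TRUNK),
        "unknown_vlan": classify(unknown, TRUNK, native_iface="igb1"),
        "double_tagged": classify(double, TRUNK, native_iface="igb1"),
    }


if __name__ == "__main__":
    for case, iface in demo().items():
        print(f"{case:20} -> {iface}")
```

Two details in this example matter when you set up a single-port trunk for real: untagged frames land on the parent interface, so if the parent is also assigned (as the default LAN, say) then the switch's native VLAN quietly becomes part of that network, and a frame whose VLAN has no interface is simply dropped, which is what a misnumbered VLAN on the switch side looks like from the router.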

[–] MaggiWuerze@feddit.de 2 points 1 year ago

I just upgraded my home server and now have a spare Odroid H2 that features 2 Ethernet ports.

Would that be a good option for opnsense? My current Fritzbox is connected through a single cable to my 24-port NETGEAR switch, which collects the cables from my home network and my server.

[–] dartanjinn@lemm.ee 1 points 1 year ago

I currently have it running on a Zimaboard 216, which has a Celeron N3450 processor. Runs perfectly fine. Also have an instance running in Proxmox with 2 cores and 1GB. Runs perfectly fine. I don't know what the documented requirements are, but I can say from experience, it doesn't need much.