Hiya, looking for a firewall for my homelab, mostly to experiment but also for an added layer of security. There are just two of us in this household with a few laptops, phones and my servers, so nothing much. Therefore looking for something affordable and not “overkill”.

Anyone got any recommendations for this? Also how do you run your OPNsense/pfSense instance?

Appreciate any tips!

  • MuttMutt@lemmy.world (10 upvotes) · 14 hours ago

    Both OPNsense and pfSense have FreeBSD as a base. That means you really want to avoid Realtek NICs.

    I’m running OPNsense on a Supermicro X10SLL-F, with a Xeon E3-1226 v3, 16GB of RAM, and an Intel X520 10G NIC with the OS installed on a mirrored pair of 240GB Intel D3-S4510s. I underprovisioned the drives by about 50GB to lower write amplification and allow the drive controller scratch-pad space for garbage collection even if the drive fills up with logs and snapshots. This is simply done with:

    zfs set quota=190G zroot

    I have the following services (beyond the routing and firewall) running:

    ACME Client - let’s encrypt certificates

    Caddy - to expose my home services for access via reverse proxy

    Chrony - network time server

    CrowdSec - running all free rules

    Intrusion Detection (also known as Suricata) - just under 193K rules

    Kea DHCP for IPv4 providing IP addresses for 5 VLANs

    Monit

    Ntopng with Redis as the database

    NUT

    Router Advertisements for IPv6 for 3 VLANs

    SMART - for drive testing, but it basically consumes no resources

    Unbound DNS with abuse.ch, Steven Black, and Hagezi Multi Pro++ blocklists.

    Firewall has 79 rules, NAT has 8 destination entries, IPv6 is provided by Route64 over WireGuard, and remote management access is done via a WireGuard tunnel. VLANs are Management, Trusted, Smarthome, Cameras, and a Guest network which is WiFi only. The Smarthome and Cameras VLANs do not have internet access except for my Home Assistant server.

    I’m using a Quanta LB6M for my fiber backbone which is 10G with a LAG connection to a Dell PowerConnect 5548 and 5548P gigabit network stack.

    I’m utilizing approximately 62% of RAM (which begins to have issues once you get over 80% used) and a load average that generally sits at 0.30 unless the GUI is open. Swap is 0.

    I have a 1Gbps fiber internet connection through a Calix 803G and a cellular backup via a Netgear LM1200 that is controlled by OPNsense when 20% or greater packet loss is detected.

    If you have a fiber connection or notice packet loss/slowdowns after 9 minutes you may need to set:

    net.link.ether.inet.max_age = 540

    This is because by default FreeBSD sets a 20 minute ARP maximum age while many ONTs set a 9 minute maximum age.

    If you plan to use Intrusion Detection the required RAM will balloon quickly, and the Unbound DNS blocklists live in RAM as well. You can easily get a similar setup to mine on eBay for 200 or less; old server boards or workstation boards with IPMI are great to have if something acts up and the router is living in a closet without a monitor. The old server boards IMHO are also super stable, and they are designed to run for years without being shut down.
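    The cellular failover described above triggers at 20% packet loss. As an added example (not the poster's code and not OPNsense's own gateway monitor), this POSIX shell snippet parses the summary line that FreeBSD's ping prints and applies that threshold; the summary lines and the threshold value are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether a WAN link has crossed a packet-loss
# threshold by parsing a ping summary line such as
# "10 packets transmitted, 7 packets received, 30.0% packet loss".
# Sample lines below are constructed, not captured from a live link.

# Print the integer part of the loss percentage from a ping summary line.
# Prints nothing when the line carries no "<n>%" field.
packet_loss_pct() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /%$/) { sub(/%.*/, "", $i); sub(/\..*/, "", $i); print $i; exit }
    }'
}

# Return 0 when loss is at or above the threshold (time to fail over),
# 1 when the link is healthy, 2 when the line could not be parsed so a
# garbled probe never triggers a failover by accident.
loss_exceeds() {
    pct=$(packet_loss_pct "$1")
    [ -n "$pct" ] || return 2
    [ "$pct" -ge "$2" ]
}

# Live probe of a gateway (hypothetical helper; 10 quiet probes).
wan_loss_pct() {
    packet_loss_pct "$(ping -c 10 -q "$1" 2>/dev/null | grep 'packet loss')"
}

# Constructed sample summaries and the poster's 20% threshold.
FAILOVER_THRESHOLD=20
GOOD_SUMMARY="10 packets transmitted, 10 packets received, 0.0% packet loss"
DEGRADED_SUMMARY="10 packets transmitted, 7 packets received, 30.0% packet loss"

if loss_exceeds "$DEGRADED_SUMMARY" "$FAILOVER_THRESHOLD"; then
    echo "degraded link: would switch to cellular backup"
fi
```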

    • Monument@piefed.world (2 upvotes) · 10 hours ago

      If you have a fiber connection or notice packet loss/slowdowns after 9 minutes you may need to set:

      net.link.ether.inet.max_age = 540

      Oooooh.