19
submitted 1 year ago* (last edited 1 year ago) by imaradio@lemmy.ca to c/selfhosted@lemmy.world

I'm a pretty novice person considering installing opnsense for my personal home use.

Their documentation has what would seem to be incomplete hardware requirements.

For example it does not list any network hardware. I assume you need at least 1 Ethernet connection. I recall reading somewhere that you might need 2 network cards? One for in and one for out?

What about network card specs? I have old computers lying around that exceed the CPU/RAM/SSD requirements but cards are practically antiques. Should I upgrade? If so, to what?

ETA: The best internet I could subscribe to where I'm at is 1024 Mbps down, 50 Mbps up. So don't worry about wasting fibre speeds. :(

Does anyone know about a more thorough description of requirements?

[-] towerful@programming.dev 3 points 1 year ago

I would try and set something up on your old hardware, and try it out.
Use it as a learning experience.

Gigabit packet forwarding (even basic NAT) isn't super heavy.

When I was trying it out, I used some old $50 refurbished thing from eBay with like 2 cores and 4 GB of RAM.
Only upgrade I made was to install an Intel 4-port Ethernet card, mostly because it was a widely recommended one, and I could pick one up for like $20. I only ever used 2 ports on it - WAN and LAN.

When I first started playing, I used my ISP router as a modem/router, and DMZ'd opnsense. Opnsense was the only thing connected to the ISP router's LAN.
This meant that my opnsense had a private IP (ie RFC 1918) for its WAN port, and I would have a double NAT (outbound packets from my actual LAN would get NAT'd from opnsense's WAN IP (which was inside the ISP router's LAN), then the ISP router would NAT that onto its public IP).
I never had any issues with double nat, but I only had a small network.
As the opnsense box was the DMZ for the ISP router, all incoming traffic was forwarded to opnsense, which could then control port forwarding to wherever. So I didn't have any complications with port forwarding.

My next upgrade was a more dedicated opnsense box (one of those 4-port fanless nameless nucs for ~$300).
I also bought a bridge modem, so that opnsense could do the PPPoE (or whatever it was) connection and take the public IP directly.

After that, I bought a managed switch with VLANs.
However, I still only use 2 physical ports on my opnsense box (which was a mistake). 1 for WAN, and 1 for Trunk. I then have virtual interfaces for each VLAN configured within opnsense.

I think the important minimum requirements are "decent network card". Which, for the most part, is the recommended 4 port intel card. I can't remember the part number, but quick Googles will probably find it.
Then, install opnsense, make sure it works, figure out how to replace your ISP router (or DMZ/double-nat).

If you ever plan on doing more complex things, my biggest recommendation is to essentially keep the default assignments, then build off of them.
So opnsense will default assign a wan port and a lan port.
Use the wan port as wan, and use the LAN port as "admin access" and nothing else (ie don't actually connect it to a network).
Then, add an additional physical interface for your actual lan (which in my case now carries the trunk for various vlans).
This makes it SUPER easy to wipe the config, reinstall or whatever using the "admin" network, then import a backup.
I made this mistake, and would often have to do "vlan shenanigans", annoying patching, etc to get me out of trouble.
Whereas grabbing a laptop, plugging directly into the "admin" (ie default lan) port, and fixing stuff is easy as hell. Doesn't matter if it's a fresh wipe install, a default'd config, or active installation. I always have easy physical access (which is guaranteed by opnsense's antilockout rules - which don't seem to apply to anything you create)
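The two checks this comment boils down to can be written down as a small script: a WAN address in RFC 1918 space tells you the box is sitting behind another NAT layer (the ISP-router DMZ setup described above), and the default LAN should stay a bare "admin" port with no VLANs and no production services while the real LAN/trunk lives on a separate physical NIC. This is an added example, not OPNsense code or anything from the commenter; the interface names (igb0, igb1, igb2), VLAN IDs and addresses are constructed sample data.

```python
"""Sanity-check an OPNsense-style interface plan (added example, not OPNsense code).

Encodes two points from the comment above:
  * a WAN address in RFC 1918 space means the firewall sits behind another
    NAT layer (double NAT), as in the ISP-router DMZ setup described;
  * the default LAN should stay a bare "admin" port with no VLANs and no
    production use, and the real LAN/trunk goes on a separate physical NIC.
Interface names, VLAN IDs and addresses below are constructed sample data.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# RFC 1918 private ranges plus RFC 6598 shared (carrier-grade NAT) space.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ip_network("100.64.0.0/10")


def wan_nat_layer(wan_ip: str) -> str:
    """Classify what the WAN address says about the upstream NAT situation."""
    addr = ip_address(wan_ip)
    if any(addr in net for net in RFC1918):
        return "double-nat"   # an upstream device (e.g. the ISP router) is NATing us
    if addr in CGNAT:
        return "cgnat"        # ISP-side shared address space, also not reachable from outside
    if addr.is_global:
        return "public"       # bridge-modem style: the firewall holds the public IP itself
    return "unknown"


@dataclass
class Iface:
    name: str                  # physical NIC (constructed example names)
    role: str                  # "wan", "admin-lan" or "trunk"
    vlans: list[int] = field(default_factory=list)
    services: list[str] = field(default_factory=list)


def check_plan(ifaces: list[Iface]) -> list[str]:
    """Return the problems found; an empty list means the plan follows the advice."""
    problems = []
    roles = {i.role for i in ifaces}
    for needed in ("wan", "admin-lan", "trunk"):
        if needed not in roles:
            problems.append(f"missing interface with role {needed!r}")
    names = [i.name for i in ifaces]
    if len(names) != len(set(names)):
        problems.append("same physical NIC assigned to more than one role")
    for i in ifaces:
        if i.role == "admin-lan":
            if i.vlans:
                problems.append(f"{i.name}: admin LAN must not carry VLANs")
            extra = [s for s in i.services if s != "admin"]
            if extra:
                problems.append(f"{i.name}: admin LAN carries non-admin services {extra}")
        if i.role == "trunk" and not i.vlans:
            problems.append(f"{i.name}: trunk has no VLANs assigned")
        if i.role == "wan" and i.vlans:
            problems.append(f"{i.name}: WAN is expected to be a plain interface here")
    return problems


# Constructed sample plan following the layout recommended in the comment.
GOOD_PLAN = [
    Iface("igb0", "wan"),
    Iface("igb1", "admin-lan", services=["admin"]),
    Iface("igb2", "trunk", vlans=[10, 20, 30]),
]

# The "mistake" layout: VLANs and the real LAN stacked onto the default LAN port.
BAD_PLAN = [
    Iface("igb0", "wan"),
    Iface("igb1", "admin-lan", vlans=[10, 20], services=["admin", "dhcp", "dns"]),
]

if __name__ == "__main__":
    print(wan_nat_layer("192.168.1.2"))   # WAN sits inside the ISP router's LAN
    print(wan_nat_layer("100.64.5.5"))    # carrier-grade NAT range
    for problem in check_plan(BAD_PLAN):
        print("BAD_PLAN:", problem)
    print("GOOD_PLAN problems:", check_plan(GOOD_PLAN))
```

The NAT classification is deliberately split into RFC 1918 and CG-NAT cases: both mean you cannot simply port-forward on the firewall and expect it to be reachable, but only the first one is fixable by putting the firewall in the upstream router's DMZ as the comment describes.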

[-] imaradio@lemmy.ca 1 points 1 year ago

thanks for all the info!

I am definitely a person who will always change the defaults for no particular reason, so I appreciate the warning. Except I don't quite know what you mean by "assignments". Do you mean like the names? eth0? Or their functions? I do like the idea of having a physical jack that's always guaranteed to allow access no matter what I foul up otherwise.

All these years I have been running my home network with a collection of routers just kind of attached together in a way that shouldn't work due to "double NAT" according to everything I ever read, but it is pretty much functional if not at all optimized. Maybe if you don't believe in double NAT it won't happen to you.

[-] towerful@programming.dev 2 points 1 year ago

I've done crazy things and never had an issue with double NAT. But that's all on small networks.

Assignment as in what opnsense is aware of.
Whether that is a physical NIC (NICs aren't assigned by default), virtual NICs (i.e. multiple VLANs on a physical NIC), or PPPoE/PPPoA/whatever.

Watch a video of the install process, then watch a video of assigning additional interfaces.
They will be able to explain and show it to you better than I can type!

this post was submitted on 11 Aug 2023