Pfsense/opnsense box with AX88U Merlin firmware

[DJones]

Thanks all.

I tried proxmox with opnsense on my minipc and had a couple of issues with the pc freezing up. Switched to bare metal opnsense and no issue since.

No worries, that’s why you test before deploying if it doesn’t work well with your system and baremetal opnsense works then keep it simple.

@Tech9 It might be an unnecessary complication sure. I don’t disagree, but if willing it’s still informative as an alternative configuration. That’s all. Not trying to force his hand.

 

[RMerlin]

I wouldn’t recommend running virtualized firewall in first place. Dedicated hardware is better.

Depends. If you need high performance PPPoE, the only way to make PPPoE become multithreaded with pfsense is actually to virtualize it, so NIC interrupts can be irq-balanced then.

Want multi-threaded PPPoE in OPNsense/pfSense: Virtualize it with bridges

I am currently a CenturyLink Fiber customer in Seattle, WA and its well known that CenturyLink uses PPPoE. Yes, I’m aware of the migration to “Quantum Fiber” which uses DHCP, but I’ll probably move to NYC before I get shifted to Quantum and subsequently have Verizon FiOS (again), also with DHCP...

www.neelc.org

 

[coxhaus]

As a “free” user, I’d personally prefer OPNsense 24.1.9 released yesterday versus pfSense CE 2.7.2 released in December 2023. Paying users might make different choices.

So, has OPNsense moved to FreeBSD version 15? Last I looked is they were still on an older FreeBSD like 13. Way behind on security updates not using FreeBSD 15.

I am still on 24.03. My problem right now is I can't change my NIC. I have time to play with 10gig. I don't think the drivers exist in FreeBSD 13.

 

[dave14305]

So, has OPNsense moved to FreeBSD version 15? Last I looked is they were still on an older FreeBSD like 13. Way behind on security updates not using FreeBSD 15.

FreeBSD 15 isn’t even close to being stable for release. I find that baffling that Netgate uses a development snapshot OS release for their final releases.

OPNsense 24.1.x is still on 13.2, which is older but still being patched, moving to latest stable release 14.1 in July.

I’m no schill for OPNsense, but I prefer stability over the bleeding edge. I also like Debian over Ubuntu or Arch.

 

[DJones]

FreeBSD 15 isn’t even close to being stable for release. I find that baffling that Netgate uses a development snapshot OS release for their final releases.

OPNsense 24.1.x is still on 13.2, which is older but still being patched, moving to latest stable release 14.1 in July.

I’m no schill for OPNsense, but I prefer stability over the bleeding edge. I also like Debian over Ubuntu or Arch.

Not trying to push proxmox, as he said it’s not stable for his machine. But Linux has strong kernel compatibility for drivers it might be included. The reason I say this is Debian based proxmox would handle the nic then virtually pass on the nic to pfsense with the desired 10G compatibility on any pfsense FreeBSD version.

But anyways, I agree stability is important it’s disappointing pfsense ce takes such a backseat to pfsense plus 24x.

Personally I would like to see pfsense or opnsense on a Linux kernel as I’m not a big fan of freebsd, but supposedly freebsd has a lower latency network stack. Both perform better or worse in different ways. Both the *sense’s have found a good home in freebsd otherwise I wouldn’t touch them without the necessity. But that’s just me.

 

[coxhaus]

But I would assume FreeBSD 15 gets the latest patches as that is where development is

I guess I am more cutting edge. I don't want to wait for patches to be back ported.

I prefer bare metal for firewalls. I don't want another layer of software which can have its own software issues on top of it.

 

[DJones]

But I would assume FreeBSD 15 gets the latest patches as that is where development is

The problem with bleeding edge and snapshots of nightly or developing versions is stability. It’s also where untriaged vulnerabilities exist. If you look at the XZ Utils vulnerability, the git was exploited by social engineering to implant obfuscated code in the build process. Those that were affected were those that were running bleeding edge from the git or from select OS distro that used the newer versions. It’s a double edged sword, yes you can fix problems sooner, but you also introduce new problems.

 

[coxhaus]

It is why I am choosy about my firewalls and who stands behind them. They need to be the expert.

It is one of the reasons I run Cisco networking equipment.

 

[dave14305]

Personally I would like to see pfsense or opnsense on a Linux kernel as I’m not a big fan of freebsd, but supposedly freebsd as a lower latency network stack.

I’m cycling my N100 through pfSense and OPNsense right now, but my goal is to build a vanilla FreeBSD 14.1 router/firewall from scratch. No more *sense wars. If that fails, I’ll go with my previous Debian 12 router setup.

BTW, no one complains much about the ancient Linux kernels (4.1.x, 4.19.x) used in ASUS routers, thanks to Broadcom lock-in.

 

[coxhaus]

I’m cycling my N100 through pfSense and OPNsense right now, but my goal is to build a vanilla FreeBSD 14.1 router/firewall from scratch. No more *sense wars. If that fails, I’ll go with my previous Debian 12 router setup.

BTW, no one complains much about the ancient Linux kernels (4.1.x, 4.19.x) used in ASUS routers, thanks to Broadcom lock-in.

That is not my skills so you have fun.

I believe the lastest NIC drivers are in FreeBSD 15.

 

[Tech9]

If you need high performance PPPoE

I would use faster per core performance hardware instead.

Whatever can't process Gigabit PPPoE WAN won't be able to process Gigabit IPS/IDS as well, no?

 

[coxhaus]

I shoot for 3GHz CPU base system for my router. They are getting harder to find. Most of the high clock CPUs have fewer cores and Intel is going away from that style of CPU. I am also looking for around 35-watt CPUs.

 

[DJones]

I shoot for 3GHz CPU base system for my router. They are getting harder to find. Most of the high clock CPUs have fewer cores and Intel is going away from that style of CPU. I am also looking for around 35-watt CPUs.

What kind of core count do you need? And is smt a factor in your builds?

 

[coxhaus]

What kind of core count do you need? And is smt a factor in your builds?

For home not many cores. For a business more cores.

 

[DJones]

For home not many cores. For a business more cores.

Ah okay. Was just curious what kind of cpu specs you were looking for around 35 watts.

 

[jata]

I bought a very cheap minipc based on a J4125 quad core intel processor, 16G ram, 128gb ssd and 4x2.5g network for $200 aussie. It's fanless so I think its running on around 15-20w (CPU is 10w). It's low end hardware i know but for home use compared to a cheap router, I think that's a bargain.

 

[DJones]

I bought a very cheap minipc based on a J4125 quad core intel processor, 16G ram, 128gb ssd and 4x2.5g network for $200 aussie. It's fanless so I think its running on around 15-20w (CPU is 10w). It's low end hardware i know but for home use compared to a cheap router, I think that's a bargain.

That's okay I bought a Asustor 5202T with a J4025 16gb of ram, didn't like the asustor os so it now it now sits as another node in my proxmox cluster running pve on baremetal and ubuntu server for smb.

 

[Quoc Huynh]

I would suggest using Pfsense over OPNsense because Pfsense is more security hardened.

Also I would recommend you run Proxmox on baremetal which runs virtual machines this will save you a lot of headaches down the line as it’s very easy to backup or clone your virtual machine should you push a bad update.

It also allows you the flexibility to run LXE or docker containers, and additionally more than one operating system. Proxmox also comes with its own SDN if you want to use it or you can pass the traffic directly to PFsense.

Additionally if you have more than one machine you can run High Availability with at least 3 machines or cluster 2 or more machines for easy management or migration.

The proxmox community is very active, and I’ve pretty much solved any issues I’ve encountered which is rare aside from me being initially dumb and formatting the boot drive as btrfs, and later realizing you can’t install swap on the same drive unless it’s ext4 as CoW doesn’t like swap.

Thank you so much for your advice! I am running OPNSense on my old computer with Asus router as an AP. The reason why I selected OPNsense because its WebUI is more straightforward to me. As @Tech9 said, there would be a learning curve for me, and it actually is. However, I am happy with that because not only my knowledge of networking but also my control over home firewall have increased over time.

Regarding running on a virtual machine, I'll try them later when being more confident because I am still learning how to manage OPNsense on bare metal

By the way, does anyone know how to access the Asus router using either web browser or SSH? Because after putting it in AP mode, and let it sit behind the OPNsense box, I cannot access it even with the old or new router IP address

Edited to add that even after factory reset, setting up wireless functions and putting the router in AP mode, I still cannot access it via SSH or web browser, except for a factory reset again.

 

[dave14305]

Because after putting it in AP mode, and let it sit behind the OPNsense box, I cannot access it even with the old or new router IP address

Did you set a static IP, or use DHCP? If DHCP, you should find the lease IP under Services / ISC DHCPv4 / Leases.

 

[coxhaus]

I bought a very cheap minipc based on a J4125 quad core intel processor, 16G ram, 128gb ssd and 4x2.5g network for $200 aussie. It's fanless so I think its running on around 15-20w (CPU is 10w). It's low end hardware i know but for home use compared to a cheap router, I think that's a bargain.

The problem with miniPCs is if you try to push them at 3GHz base frequency they over heat and they throttle back. They don't have a big enough air space to breathe. If you have to add a fan then you are adding more watts.

The difference between 20 watts and 35 watts is nothing to me cost-wise nor heat-wise.

I use a refurbished Dell with a low watt CPU. They are very low cost. Most people have one laying around. If it is not low wattage, you can change the CPU to low watt.