OPNSense with SNORT / Suricata hardware search

sparkplug

My current router/firewall threw a bit of a tantrum over the last few days and I've managed to bring it back to life, but it reminded me that the hardware is now nearly 8 years old and I should be looking into replacing it.

I do quite like the sound of OPNSense but definitely want IPS/IDS which is going to increase the required spec of the hardware to run it on.

Looking at Protectli - they recommend their FW6 series for that - but I don't really want or need 6 ports. I currently only use two.

Just wondering if anyone else has a similar setup and what hardware you used or would recommend?
 
What is your current bandwidth?

I have used Untangle NGFW for a number of years now, it's now known as Arista Edge Threat Management NGFW.

I have this running on a 4 port mini PC with an Intel Celeron J1900 & 8GB RAM sitting at the edge of a 330 / 50 FTTP connection. There's around 25 devices active at any one time, including various servers (web, mail, Plex etc.).

I don't have IPS / IDS running on the router, but I do have Web Filter, Virus Blocker, Spam Blocker, Phish Blocker, Web Cache, Application Control, Firewall, Ad Blocker & OpenVPN Server running on it.

The hardware handles this all without any trouble, but I do know that adding IPS / IDS in to the mix would cause a significant load increase.
 
200/20 Mbps - although it's far in excess of what I need on the dl (but it's nice to have the extra ul when submitting artwork which I still do for a handful of old clients)

Funnily enough I know quite a lot of the guys at Untangle as some moved from my old company when it was acquired (in a disastrous way. All 200 of the developers walked out on the same day with no jobs to go to rather than work for newco :D)

It's good kit by all accounts but I like the idea of going open source to avoid falling into the subscription trap.

Control freak? Yeah, maybe a little...

I've also got a mail server sitting behind it but not really anything more (Synology doing remote off site backups)

Because of its placement in the house I'm really looking for something fanless.

I asked over on the OPNSense forums and have had silence from them on the HW question :D

Currently looking at the Protectli FW6D which has an i5 8250U and you can spec the RAM/SSD. I reckon 8GB RAM should be plenty and a 120GB SSD is overkill, but it's only a couple of € more.

All comes in at €571 delivered which probably isn't too bad considering. They'll even pre-install OPNSense free!

Mulling it over for a few days to see if I can find a better alternative before pulling the trigger.
 
The mini PC I use is fanless

It originally came with a SATA to SD Card adapter with something like an 8GB SD Card (urgh, gross)
Pretty quickly swapped that out to something more reliable, a 120GB m2 SATA from what I can remember.
It’s been ages since I have had to worry about it.
It’s been up for just over 5 months currently, although I am planning a rebuild of it soon. It was running on 4GB of RAM when I first built it; since then I have upped that to 8GB, & even though it recognises the 8GB the installation is optimised to run on 4. The advice is to just reinstall with the 8 from scratch, so I really should get round to doing that.

I currently pay $50 a year for the Home License from Untangle.
I very recently nearly switched over to OPNSense, as I liked the idea of going open source & not having to pay for an annual license.
That was until I discovered that in order to continue blocking specific devices' access to specific web sites during specific time frames, I would need to pay for a licensed add on (Zenarmor) at $100 a year :blast

I’m so glad I had the sense to have a play in a VM set up before rebuilding my router proper & then discovering this.
 
The devil is always in the detail :D

I had a quick skim over Zenarmor but to be honest my brain was Firewalled out at that point... will have a proper look again another time.

I was also looking at putting Zabbix on a Pi (inexpensive experiment) but not sure that I 'need' it really. Might be fun.

I also just thought that it would be nice to have some form of AV on OPNSense (if it isn't built in already - I haven't looked yet) so that's yet another detail to go shopping for...

I really should bite the bullet and do something like a CCNA or CompTIA A+ because there are some massive holes in my self-taught knowledge.

It just comes down to time though.
 
I had a quick skim over Zenarmor but to be honest my brain was Firewalled out at that point... will have a proper look again another time
From what I could tell, Zenarmor is free as a blanket coverage for all devices on your network, but if you want different rules for different devices and / or at different times etc. then you need to pay for additional licensing.
I was also looking at putting Zabbix on a Pi (inexpensive experiment) but not sure that I 'need' it really. Might be fun.
I’ve seen bits about Zabbix but quickly decided that it wasn’t something that I really need, as you say.
I also just thought that it would be nice to have some form of AV on OPNSense (if it isn't built in already - I haven't looked yet) so that's yet another detail to go shopping for...
You can configure ClamAV to work with OPNSense as an add on / plugin.
I really should bite the bullet and do something like a CCNA or CompTIA A+ because there are some massive holes in my self-taught knowledge
All of my knowledge has been self-taught over the years. I have found this to be the best way for me as I can focus on learning exactly what I need to & skip anything that isn’t relevant.
I have an old HP Z800 workstation running ESXi handling ~10 VMs. If I want to mess around with something new I spin up a new VM & play around. If I mess things up there’s no drama as I can just scrap the VM & start again :thumb2
 
You can configure ClamAV to work with OPNSense as an add on / plugin
sweet!

I like ClamAV - thank you!

I know sig-based scanning is 'old hat' these days but until there's a 'home' version of stuff like CrowdStrike then it's just another bit of filtering which isn't going to hurt.

We used to sell our firewall with dual AV (McAfee & Sophos initially, then we binned the hateful McAfee and brought in BitDefender) because even when sig-based stuff wasn't old hat, it wasn't always reliable.
 