this post was submitted on 04 Dec 2023

Homelab

After having issues with my Netgate 4100 (see this post) and knowing all the crap Netgate has pulled the last few years, I decided to build a new firewall capable of 10 gig routing. Hopefully this fixes my issues. If not, at least I no longer have to support pfSense.

Pictures:

https://imgur.com/lTmvj4K

https://imgur.com/iVdBMnu

Hardware:

X11SSH-F Motherboard

Xeon E3-1240 v5 CPU

32GB 2400 MHz RAM

ZFS mirrored 128 GB SSDs

350W Gold-rated PSU

ConnectX-3 dual SFP+ NIC

Should have it production ready by next week. Really not looking forward to reconfiguring all the HAProxy/VPN stuff, but so far I've already found quite a few aliases/rules I can clean up.

Thanks for stopping by!

top 17 comments
[–] UnicornFireHole@alien.top 2 points 11 months ago (2 children)

Once you start, you'll find the conversion and re-setup go by quickly. I migrated to a dedicated Supermicro box as well, in hopes that pfSense could do 10 gig without issues. I eventually moved my 6+ year old pfSense build from a VM over to the dedicated box... and was disappointed. Then pfSense pulled their stunt and I finally just said F-this and rebuilt it.

1 hour - it took me 1 hour to wipe pfSense, figure out the new menus of OPNsense and get everything back online. What I had dragged my feet on for so long turned out to be a big nothingburger. Zero issues, 10 gig speed tests just fine, zero trouble with the NIC and great performance overall.

I'll leave with this - fuck pfSense, what they pulled was ridiculous and an insult to homelabs and folks who like to bring production tech into their homes. They turned a great product, one I've implemented in many commercial setups, into a joke - who could ever trust them again?! I'll never recommend them and I won't be looking back.

[–] speaksoftly_bigstick@alien.top 1 points 11 months ago

I used to sport pfSense decals on my truck's back window for years. Like you, I had deployed them commercially for years before that, and proudly.

After all the BS, I'd look at those stickers with a combo of nostalgia and remorse.

Had a local lawn company out to do our yard last summer and they managed to wing something into that back window and shatter it, requiring me to replace it. (Lawn company paid).

Realized I was really happy with the new window cause the stickers were gone.

Fuck pfSense.

[–] dn512215@alien.top 1 points 11 months ago

What Supermicro box did you go with?

I recently acquired a SYS-5019A-FTN4 for pretty cheap as a primary network box, running things such as NUT, DNS, WireGuard, Tailscale, Zabbix, WoL, etc., and it's done great, but for some reason it has an issue with the 6.2+ kernels. So I'm thinking of replacing it before I run into maintenance issues over time, and maybe using it as a new OPNsense server.

Would this be able to handle 10G+, or would something else be better?

Specs:

https://www.supermicro.com/products/system/1U/5019/SYS-5019A-FTN4.cfm

Motherboard: https://www.supermicro.com/en/products/motherboard/A2SDi-8C-HLN4F

Cpu (embedded):

https://ark.intel.com/content/www/us/en/ark/products/97926/intel-atom-processor-c3758-16m-cache-up-to-2-20-ghz.html

Added:

128 GB RAM - SK Hynix 64GB 4DRx4 PC4-2400T DDR4 HMAA8GL7AMR4N-UH Server RAM

2x 10GbE SFP+: Mellanox ConnectX-3 Pro MCX312B-XCCT CX312B 2-port 10GbE SFP+ Ethernet adapter

128 GB SK Hynix SSD (from factory) - boot, OS

4x 1 TB Samsung 980 SSD (storage, etc.)

[–] Doowle@alien.top 2 points 11 months ago

I've done the same as well; can't say it's been any issue and I'm just as happy with OPNsense as I was with pfSense.

pfSense's recent behaviour made me decide to look elsewhere.

[–] KellyKlarkson@alien.top 2 points 11 months ago

I've made a tool that can convert your pfSense configuration to an OPNsense configuration. It's not perfect, but it can do the majority of the legwork for you.

You can pull the site via docker:

  • docker run --name pf2opn -p 4200:80 -d mwood77/pf2opn

Or use it on the web here:

  • https://www.pf2opn.com/
  • The conversion happens 100% on your machine; there are no network requests / cookies / or any kind of tracking on the site.

As always, please try the converted configuration in a test image before you apply it to a production environment. If you find any bugs, please reach out.
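
The comment above describes a config.xml converter without showing what the translation involves. The script below is an added example written for this page, not code from pf2opn or from either project: it rewrites pfSense `<aliases>` entries into the `<OPNsense><Firewall><Alias>` layout and, before you feed a config.xml to any converter, lists the elements in it that carry credentials or keys. The element names and the OPNsense alias layout are written from memory of both products' config.xml files and are assumptions; the sample pfSense config is constructed for the example. Types that have no one-to-one counterpart are reported as skipped rather than guessed, which is the "not perfect, test it first" caveat made concrete.

```python
"""Convert pfSense aliases to OPNsense form and flag secret-bearing elements.

Added example; schema details are assumptions from memory, not pf2opn's code.
"""
import uuid
import xml.etree.ElementTree as ET

# pfSense alias types assumed to map one-to-one onto an OPNsense alias type.
# Anything else (urltable_ports, url_ports, ...) is reported, not converted.
ALIAS_TYPE_MAP = {"host": "host", "network": "network", "port": "port",
                  "url": "url", "urltable": "urltable"}

# Element names (assumed) whose text in a pfSense config.xml is a secret:
# user password hashes, IPsec PSKs, PEM private keys, OpenVPN/WireGuard keys.
SECRET_TAGS = {"bcrypt-hash", "sha512-hash", "md5-hash", "pre-shared-key",
               "prv", "shared_key", "tls", "privatekey", "password", "secret"}


def convert_aliases(pf_root):
    """Build an OPNsense <Alias> element from a parsed pfSense <pfsense> root.

    Returns (alias_element, skipped) where skipped is [(name, pf_type), ...].
    """
    alias_root = ET.Element("Alias", version="1.0.0")
    aliases = ET.SubElement(alias_root, "aliases")
    skipped = []
    for pf in pf_root.iterfind("./aliases/alias"):
        name, ptype = pf.findtext("name", ""), pf.findtext("type", "")
        if ptype not in ALIAS_TYPE_MAP:
            skipped.append((name, ptype))
            continue
        a = ET.SubElement(aliases, "alias", uuid=str(uuid.uuid4()))
        ET.SubElement(a, "enabled").text = "1"
        ET.SubElement(a, "name").text = name
        ET.SubElement(a, "type").text = ALIAS_TYPE_MAP[ptype]
        ET.SubElement(a, "proto")
        ET.SubElement(a, "interface")
        ET.SubElement(a, "counters").text = "0"
        ET.SubElement(a, "updatefreq").text = pf.findtext("updatefreq", "")
        # pfSense separates entries with spaces, OPNsense with newlines.
        ET.SubElement(a, "content").text = "\n".join(pf.findtext("address", "").split())
        ET.SubElement(a, "categories")
        ET.SubElement(a, "description").text = pf.findtext("descr", "")
    return alias_root, skipped


def find_secrets(pf_root):
    """Return slash-joined paths of non-empty secret-bearing elements."""
    found = []

    def walk(el, path):
        for child in el:
            p = f"{path}/{child.tag}"
            if child.tag in SECRET_TAGS and (child.text or "").strip():
                found.append(p)
            walk(child, p)

    walk(pf_root, pf_root.tag)
    return found


def alias_summary(alias_root):
    """[(name, type, content), ...] for diffing against the OPNsense GUI."""
    return [(a.findtext("name"), a.findtext("type"), a.findtext("content"))
            for a in alias_root.iterfind("./aliases/alias")]


def convert(pf_xml):
    """Parse a pfSense config.xml string; return (alias_root, skipped, secrets)."""
    root = ET.fromstring(pf_xml)
    alias_root, skipped = convert_aliases(root)
    return alias_root, skipped, find_secrets(root)


# Constructed sample pfSense config (placeholder hash and PSK, not real ones).
SAMPLE_PFSENSE = """<?xml version="1.0"?>
<pfsense>
  <system><user><name>admin</name>
    <bcrypt-hash>$2y$10$placeholderplaceholderplaceholder</bcrypt-hash></user></system>
  <aliases>
    <alias><name>webservers</name><type>host</type>
      <address>10.0.10.5 10.0.10.6</address>
      <descr><![CDATA[reverse proxy backends]]></descr><detail><![CDATA[web1||web2]]></detail></alias>
    <alias><name>mgmt_ports</name><type>port</type>
      <address>22 443 8443</address><descr></descr><detail>||||</detail></alias>
    <alias><name>feed_ports</name><type>urltable_ports</type>
      <address>https://example.invalid/ports.txt</address><descr></descr></alias>
  </aliases>
  <ipsec><phase1><pre-shared-key>correct horse battery staple</pre-shared-key></phase1></ipsec>
</pfsense>
"""

if __name__ == "__main__":
    alias_root, skipped, secrets = convert(SAMPLE_PFSENSE)
    print(ET.tostring(alias_root, encoding="unicode"))
    print("skipped (convert by hand):", skipped)
    print("secrets present in config.xml:", secrets)
```

The `find_secrets` output is the part to look at before uploading a config.xml to a hosted converter: a pfSense backup carries password hashes, IPsec PSKs and CA/cert private keys in plain base64, so a converter that runs in the browser with no network requests, as the one above claims, is the right property to want, and the list tells you exactly what you would be exposing if it did not.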

[–] UntouchedWagons@alien.top 1 points 11 months ago

Yeah, I swapped pfSense for OPNsense last Saturday because local DNS was shitting the bed. I'm not completely satisfied with OPNsense, but whatever.

[–] audioeptesicus@alien.top 1 points 11 months ago

Nice, OP. My pfSense config is large and complex, but I'm currently working on migrating it to OPNsense this week too. I'm glad to not be putting up with Netgate's crap for much longer. Since I have a few Dell R240s, I've even been thinking of doing HA.

[–] DismalAssistance1736@alien.top 1 points 11 months ago (1 children)

I'm in a similar boat. Have a Netgate 7100 and it's garbage. My network is mostly 10Gb with a few 25Gb devices. The 25Gb is on the same VLAN so the router doesn't come into play there, but it does a bunch across the 10Gb devices. The Netgate can't handle it. Just bought an R230 and started setting up VyOS. If OPNsense can handle the traffic I might just go with that. Having a GUI is nice and I'm already familiar with pfSense.

[–] MachDiamonds@alien.top 1 points 11 months ago

If pfSense can't do it I doubt OPNsense can on the same hardware.

You can get pretty close if you throw more powerful hardware at it. I managed to route at least 1.4 million packets per second (~16.8Gb/s, 1500 MTU, concurrent upload and download summed together) using 4 Alder Lake P-cores on pfSense+ 22.05.

[–] TheButtholeSurferz@alien.top 1 points 11 months ago (1 children)

Complete overkill in my opinion, but I like spending money, so I'll allow it.

Mine runs on an i3 and generally gets around 10-30% CPU usage, never anything even close to taxing.

[–] geek_at@alien.top 1 points 11 months ago

Agreed. OP should install pfSense on that thing and run OPNsense virtually on this. I do this on a Lenovo Tiny with a 10G NIC and it works perfectly.

[–] Top_Willow8360@alien.top 1 points 11 months ago

What Supermicro case is that, if I may ask? I'm also going to set up and build a dedicated firewall, with specs similar to yours.

[–] MustangDreams2015@alien.top 1 points 11 months ago

I wonder how long pfSense will be able to stay in business; everyone in my little circle dumped them a while ago and I see constant posts on here of people switching.

[–] GrotesqueHumanity@alien.top 1 points 11 months ago (1 children)

Anyone know if the PPPoE speed limits of pfSense are also present in OPNsense?

Can't get more than 700Mb/s from my 1Gb/s service on my Netgate box.

[–] pissy_corn_flakes@alien.top 1 points 11 months ago

I max out my PPPoE FTTH install on pfSense with no issues.

[–] Saint-Lunatic@alien.top 1 points 11 months ago

I made the switch from pfSense to OPNsense but I was having insane ping issues, so I switched back to pfSense and poof, all better... No idea why.