OPNsense Hardware Recommendations (2023)

Occasionally I have been asked for hardware recommendations for OPNsense, and the question appears on Reddit frequently. So I thought it may be helpful to categorize OPNsense features based on hardware utilization along with a list of products in various price ranges that should perform well for many home users. There are a number of devices that will run OPNsense, which is great because you have many choices available to you. Depending on your needs and your budget, you should be able to narrow down your selection to a few good choices.

I do not have the means to test every item in my recommendation list, since that would require purchasing all of the hardware or getting review units from companies, so I cannot fully endorse all of the options below. However, I hope it will illustrate the many hardware options you have for OPNsense and provide you with a good starting point in your research. I suggest you further research the products below or others not listed before making your final selection to ensure it meets your needs.

How to Choose the Appropriate Firewall Hardware?

If you are new to running a more advanced router/firewall such as OPNsense, you may not know which is the best device to purchase for your home network. There are a number of considerations you must take into account in order to be satisfied with your hardware selection. To help guide your decision, keep the following points in mind when determining your hardware requirements.

Services which Require Minimal Hardware Resources:

  • Routing (inter-VLAN 1 Gbps)
  • Firewall
  • Basic network services (DHCP, DNS, Dynamic DNS, mDNS Repeater, NTP)
  • Monit
  • SSH
  • CrowdSec

Services which Require a Significant Amount of Memory:

  • Zenarmor (if running Elasticsearch on the OPNsense box)
  • Intrusion Detection (Suricata)

Services which Require a Significant Amount of CPU:

  • Routing (inter-VLAN for multiple Gbps)
  • Intrusion Detection (Suricata)
  • VPN services (especially if hardware does not support AES-NI)

General Recommendations

  • If you only want to run the basic router/firewall services, nearly all lower end hardware will be sufficient especially if you only plan to have a 1 Gbps network. You can use a basic dual/quad core system with a low amount of RAM (1-4 GB).

  • However, if you plan to run more resource intensive services, you will need a faster CPU and likely a minimum of 8 GB of RAM (you can run both Zenarmor with Elasticsearch and Suricata with 8 GB of RAM). If you like to tinker, you may want to purchase hardware which has more resources than you currently need so you can have it available later when you are ready for it.

  • If you plan to have a 10 Gbps internal network, you may need a faster CPU if you are doing inter-VLAN routing. OPNsense performs Layer 3 routing in software rather than in hardware as Layer 3 network switches do, so it is not as efficient at routing packets.

  • If you plan to set up a VPN server to access your home network or use OPNsense as a client to an external VPN provider and you have a large amount of bandwidth, you will want a CPU which supports AES-NI encryption to reduce the load on the CPU. Otherwise, the CPU bottleneck will slow down your network throughput.
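
One way to check whether existing or candidate hardware advertises AES-NI before relying on it for VPN throughput (an added example, not from the original post): the script parses the CPU feature text that FreeBSD/OPNsense writes to its boot log and that Linux exposes in /proc/cpuinfo. The sample lines are constructed, and the two file paths are the usual defaults, assumed here.

```shell
#!/bin/sh
# Added example (not from the original post): report whether a CPU advertises AES-NI.
# FreeBSD/OPNsense: feature names appear inside <...> on "Features2=0x..." lines
# of the boot log, and the flag is AESNI.
# Linux (for example a live USB used to vet a box): the "flags" line of
# /proc/cpuinfo, where the flag is aes.

# has_aesni: reads feature text on stdin; exit 0 if AES-NI is advertised, else 1.
# Tokens are compared exactly, so a longer name that merely contains "aes"
# does not count as a match.
has_aesni() {
    awk '
        # FreeBSD style: comma-separated names between < and >
        /Features[0-9]*=0x[0-9a-fA-F]+</ {
            s = $0
            sub(/^[^<]*</, "", s)
            sub(/>.*$/, "", s)
            n = split(s, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "AESNI") found = 1
        }
        # Linux style: space-separated names after "flags :"
        /^flags[ \t]*:/ {
            s = $0
            sub(/^flags[ \t]*:[ \t]*/, "", s)
            n = split(s, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "aes") found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample lines (not captured from real hardware).
SAMPLE_FREEBSD_AESNI='  Features2=0x43d8e3bf<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AESNI,RDRAND>'
SAMPLE_FREEBSD_NOAES='  Features2=0x40e31d<SSE3,DTES64,MON,DS_CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE>'
SAMPLE_LINUX_AES='flags : fpu vme de pse tsc msr sse sse2 ssse3 sse4_1 sse4_2 popcnt aes rdrand'
# "notaes" is a made-up flag, used to show that substring matches are rejected.
SAMPLE_LINUX_NOAES='flags : fpu vme de pse tsc msr sse sse2 ssse3 notaes'

# check_host: inspect this machine. Paths are the usual defaults (assumed).
check_host() {
    for src in /var/run/dmesg.boot /proc/cpuinfo; do
        [ -r "$src" ] || continue
        if has_aesni < "$src"; then
            echo "AES-NI advertised ($src)"
        else
            echo "AES-NI not advertised ($src): expect VPN crypto to run in software"
        fi
        return 0
    done
    echo "no CPU feature source found"
    return 0
}

check_host
```

When OPNsense runs as a virtual machine, run the check inside the guest, since the guest only sees the CPU features the hypervisor passes through.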

You will need to decide if you wish to purchase new hardware, purchase used hardware, or repurpose existing hardware you already own. You will also need to decide if you wish to virtualize OPNsense or run it on bare metal.

In an effort to minimize updates to this page, I am going to generalize the prices by grouping products by approximate cost ranges. Some products may increase or decrease in price over time. The price ranges should help you understand the gain in performance and features as the price range increases. I will focus primarily on new products, but I will discuss some used hardware options as well. Since the availability of used products varies greatly depending on what sellers currently have available, it would be more difficult to keep such a list up to date. Prices may fluctuate greatly in a used market as well. You may be able to find a rare deal if you are willing to actively search and wait for it.

New Hardware Options

There are many types of new hardware options available. New hardware is not always the most affordable solution, but purchasing new hardware is both convenient (especially if the system is prebuilt) and may have a longer shelf life than older hardware.

Firewall Appliance Hardware

Desktop Hardware

Firewall appliance hardware is a good choice for new users to OPNsense since it offers an affordable, quiet, and energy efficient solution in a small form factor (similar to consumer grade routers). Firewall appliance hardware includes multiple Ethernet ports (typically 2, 4, or 6 ports). The size and types of desktop hardware you wish to use may vary greatly depending on your needs, preferences, and budget.

< $200 USD

  • ZimaBoard 832 (8 GB) (affiliate link) : When I first wrote this guide, I did not have anything under the $200 USD price range that would support OPNsense very well. Now that the ZimaBoard has been released, this may be one of the few low budget options (besides perhaps older used hardware) where the system would offer satisfactory performance for OPNsense. The Intel CPU is a bit older and less performant than some of the newer generation CPUs used in firewall appliances, but it should be up to the task because it has about the same CPU score as my old Qotom box. This model has 2 Ethernet interfaces so if you want the bare minimum router on a stick network, this may be sufficient. I recommend the 8 GB version if you wish to use IDS/IPS but if you do not plan to run those things, you could purchase the cheaper 4 GB model.

$200-$300 USD

  • PCEngines apu4d4 (4 GB): Some users like to use PCEngines hardware for their router/firewall. Some of the components are under $200 USD, but by the time you purchase a case and other parts, you will likely spend over $200 USD. This option is a little more of a DIY system, but the necessary parts to put the system together into an enclosure can be purchased at the same time. The performance of the PCEngines hardware may be fine for most basic routing/firewall purposes for home usage, but if you plan to run other services in OPNsense such as intrusion detection with Suricata, Zenarmor, or a VPN, you will be more satisfied purchasing a mini-PC such as the Qotom box listed below. You will have much more performance and will be able to support 8-16 GB of RAM depending on the system you purchase. I would recommend a minimum of 8 GB of RAM if you are running those heavier weight services. I really like the idea of PCEngines to build my own router/firewall at an affordable price in a nice energy efficient package, but the hardware is not quite capable enough to run the heavy weight services.

  • VNOPN Micro Firewall Appliance 2.5 GbE (8 GB) (affiliate link) : The VNOPN brand has some cheaper models which have 2.5 GbE interfaces which may be worth looking into if you are looking for entry level performance with 2.5 GbE networking. The CPU is an older generation Intel N3700, but performance should be decent especially if not using any IDS/IPS. Routing data does not require as large of an amount of processing when IDS/IPS is not used. I have not personally tested the performance with IDS/IPS enabled on the N3700 as I have with the N5100/N5105 CPUs. Worst case scenario is that you see some Internet bandwidth being reduced when using IDS/IPS if you are trying to utilize most of the 2.5 GbE bandwidth. If I have the opportunity to test more hardware appliances, I will update this page with my findings.

$300-400 USD

  • Protectli Vault FW2B (affiliate link) : If you are interested in getting a Protectli, the Vault FW2B is one of the lowest priced boxes that is not a barebone system. You could save some money if you happen to have some extra RAM and disks lying around. However, these firewall appliances often use laptop SO-DIMM memory so you may not have any lying around unless you scavenge it from an unused laptop. When you can get a good deal on the RAM and have an extra SSD lying around, getting the barebones system could save a little bit of money.

  • Qotom Intel i5-5200U (8 GB) (affiliate link) : For about the same price as the Protectli Vault FW2B, you can have two extra interfaces which is definitely nice to have if you wish to create several internal networks and/or VLANs and you want to reduce bottlenecks in bandwidth. You can spread the bandwidth across the ports using link aggregation or by using different interfaces for separate networks/devices. The Qotom does have some WiFi options but I do not recommend getting a model with WiFi to use as a WiFi hotspot for your entire network. You will likely have much better WiFi performance and range by purchasing separate wireless access points such as ones from Ubiquiti (affiliate link) .

  • Qotom Intel i3-10110U 2.5 GbE (8 GB) (affiliate link) : Qotom has recently joined other manufacturers with producing 2.5 GbE options for those who wish to go beyond 1 GbE on their home networks. This appliance has 8 interfaces that are 2.5 GbE! That is quite a few interfaces in a small package. I am a bit surprised that this device is priced in the same range as other 1 GbE devices with fewer interfaces and lower performance. Generally speaking 2.5 GbE network cards and switches are cheaper than 10 GbE options (unless you can find a deal on used hardware) so it is becoming more affordable to jump into 2.5 GbE networking. The advantage for many users is being able to use lower bandwidth Ethernet cables (Cat 5e) without needing to purchase or run new cables through walls, etc. Of course, your mileage may vary if you have poor quality Cat 5e cables.

  • MOGINSOK 2.5 GbE Firewall Appliance (8 GB) (affiliate link) : There are some 2.5 Gigabit Ethernet options emerging for the mini-PC firewall appliances at a budget friendly price (comparable to some of the 1 Gigabit options). If you are looking for increased bandwidth between some of your devices on your network, this may be an option. Keep in mind that you will need to pair this firewall with a network switch capable of 2.5 GbE and devices which have a 2.5 GbE interface to take full advantage of the increased speeds. Other considerations such as needing to use SSD/NVMe drives or traditional HDDs that use mirroring/RAID/ZFS, etc. are also important for maximizing bandwidth for large data transfers. The great thing about the 2.5 GbE and 5 GbE standards is that you should be able to use existing Cat 5e cabling so you do not need to replace your Ethernet cables with higher quality cables (unless of course you are encountering issues).

  • HUNSN RS34g 2.5 GbE (8 GB) (affiliate link) : Another 2.5 GbE option that you may want to consider. This box actually has Amazon reviews which is helpful because there are users who stated the box works for pfSense and OPNsense. The reason that is important is that 2.5 GbE is a relatively new addition to FreeBSD support so the latest versions of OPNsense should work (I have not personally verified that to be true). The $300-400 USD range is pretty reasonable because I paid around $350 USD for my mini-PC firewall appliance which only supports 1 GbE in 2017 before there were electronics shortages and inflated prices. If I were to buy a mini-PC firewall appliance today, I would certainly consider getting a box like this to take full advantage of greater than 1 Gigabit download speeds provided by my ISP.

  • Fitlet3: The Fitlet is a build to order device where you can customize the components that meet your needs. This may be a good option for you if you want a feature that may not be standard with other mini-PC/firewall appliances such as a fiber SFP+ port (although it only supports 1 GbE but that may be fine for many home users who do not need/want 10 Gbps interfaces). You can also get WiFi/cellular modules installed as well. If you start adding those sorts of modules, the price will be outside the $300-$400 price bracket. Note: I received feedback that due to supply shortages (at the time of this update), it is possible you would receive a unit which uses a Marvell chipset instead of Intel which may cause driver compatibility issues when using OPNsense. Please keep that in mind when purchasing the Fitlet3.

$400-500 USD

  • Protectli Vault FW4B (8 GB) (affiliate link) : When you bump up to 8 GB of RAM and a 120 GB SSD, it will push the price beyond $400 USD. However, you will be able to enjoy it for many years assuming you do not have other needs for your home network in the future such as adding 10 Gbps connections for your internal networks.

  • Protectli Vault FW4C 2.5 GbE (8 GB) (affiliate link) : The Protectli Vault FW4C is Protectli’s update to their 4 port models to offer 2.5 GbE interfaces as well as a faster CPU. The price of this model is actually not much higher than the FW4B (at the time of this writing) so it would make sense to purchase the FW4C instead of the FW4B if you were already considering purchasing the 1 GbE model. Even if you do not currently have 2.5 GbE devices, you would be adding some future proofing to your network. 2.5 GbE network cards are a pretty cheap upgrade to your existing PC so it would be an easy way to more than double your bandwidth when transferring data between 2 systems on your network which have 2.5 GbE interfaces.

  • Protectli VP2410 (8 GB) (affiliate link) (or Protectli’s website): The Protectli VP-series models are the Vault Pro models which offer more performance as well as additional coreboot features. If you are seeking a device which has the security and other benefits of coreboot, you may want to consider this model even though it is pricier than some of the other 1 GbE models. You could even use this box for non-router/firewall purposes since you can buy them with a TPM and there is an option for secondary storage, etc. This model is the first firewall that I have been able to do a comprehensive hands on review so be sure to check it out if you would like more information. I used this system as my personal OPNsense router/firewall for several months, and it worked great! I even based a full network build guide around the VP2410 if you are interested in learning more about how to create a network using a box such as the VP2410.

  • Protectli VP2420 2.5 GbE (8 GB) (affiliate link) : The VP2420 is the successor to the VP2410. It has upgraded network interfaces (2.5 GbE instead of 1 GbE), faster CPU (J6412 instead of J4125), and up to 32 GB of RAM (instead of 16 GB). If you are interested in a higher performing box with 2.5 GbE from Protectli, the VP2420 will serve you better than the Protectli FW4C due to superior hardware in the VP2420. This is especially true if you wish to run IDS/IPS. In my review of the VP2420, I found that Zenarmor would run at full 2.5 Gbps (after 30 seconds when speeds ramped up). One user mentioned purchasing the VP2420 even for a 1 GbE network instead of the VP2410 in order to have the extra performance. If you are looking for a lightweight, energy efficient mini-PC to use as a server, the fact that the VP2420 allows for up to 32 GB of RAM instead of 16 GB may be very helpful. 32 GB is often seen as the bare minimum recommended to run a virtualization server such as Proxmox. Of course, if you are not running VMs or containers that consume a lot of RAM, you could still do a lot with less than 32 GB. I plan to use the VP2420 to power my own network for the foreseeable future – even if I introduce higher speed interfaces to my network (I would dedicate those interfaces to its own storage/server network so I do not need routing beyond 2.5G).

$500+ USD

  • Protectli Vault 6 (affiliate link) : This Protectli with 6 interfaces is significantly more expensive than the Qotom with 6 interfaces. I am not sure why the price gap is larger between the two brands when bumping up to 6 interfaces. If you are willing to pay the price for this Protectli, you are in the price range of the most affordable, official OPNsense security appliance. The OPNsense DEC690 is actually a little cheaper than this Protectli box and you would be supporting OPNsense. However, it only has 4 network interfaces rather than 6.

  • OPNsense Desktop Security Appliance DEC695 (8 GB): This box is one of the most affordable firewall boxes OPNsense produces except for the 4 GB version, but as I have mentioned before, you will not be able to run as many heavy weight services in OPNsense. With that said, their hardware looks very nice and is built with quality in mind. I love the dark gray and orange color scheme and the design of the chassis. I have seen some users choose to spend extra in order to support OPNsense to show appreciation for the free firewall software.

  • Protectli VP4630 (8 GB) (affiliate link) : This Protectli model has six 2.5 GbE interfaces and a faster Intel CPU than the other Protectli boxes. You have the option of upgrading RAM up to 64 GB so this system would be great if you wish to run a hypervisor to virtualize OPNsense and other apps/services on your network. I personally like having a dedicated router/firewall box, but for those who are into virtualization and wish to have a compact, power efficient option, you may wish to invest in Protectli’s top tier boxes. They offer higher specifications on their store than what is offered on Amazon if you are interested in greater performance.

  • OPNsense Desktop Security Appliance DEC750 (8 GB): If you wish to have 10 Gbps interfaces, this model from OPNsense is the cheapest model which supports 10 Gbps. The price approaches $900 USD for the 8 GB model. When approaching this price range, you may be able to purchase used rackmount servers or possibly build your own server to use for OPNsense.

Rackmount Hardware

If you have a rack, you may want rack mounted hardware so there are fewer devices sitting on a shelf on your rack. I know I personally would love to rack “all the things”. I have a shelf in the middle of my rack for all my random boxes that are not rackmount. Rackmount hardware starts at a higher cost than the desktop hardware since the hardware (especially as price increases) offers greater performance and is considered more enterprise level (at least for a smaller-sized business). Medium to large businesses would likely want better, more specialized equipment than anything on this list. For home networks, small to medium business grade equipment is more than enough for most users (unless you are wanting to learn how to use the more expensive enterprise gear at home).

$300-400 USD

  • Qotom Q530G6 1U Router (8 GB) (affiliate link) : Qotom offers 1U rackmount versions of their firewall appliances, which is very nice for those who want everything rack mounted. This model has 6 interfaces that are 1 Gbps. There are other options to include more or less RAM, SSD, and WiFi depending on your needs. It appears that these rackmount models use similar hardware to the smaller non-rackmount appliances so you should expect similar performance at a reasonably low cost. The shipping cost for Qotom devices is generally high, but the overall cost is often less than alternatives.

$400-600 USD

  • HUNSN 1U Firewall Appliance (8 GB) (affiliate link) : This style of rackmount is likely one of the cheapest you will find new on Amazon. They look cheap, but the specs are good enough to run OPNsense just fine for a home network. The Intel J4125 is similar to the Protectli VP2410 so I have personally verified it runs IDS/IPS well enough for 1 Gbps interfaces. You may want to research others’ experiences with these boxes before purchasing, but I wanted to include it to show what is available at the lower end of the rackmount hardware.

$600-800 USD

  • HUNSN 1U Firewall Appliance (8 GB) (affiliate link) : This is yet another cheap 1U server but this one has 8 LAN interfaces. If you need a lot of interfaces and you are on a budget, you may want a device such as this. It is possible that this device will last many users in a home environment even though it is cheap. I used my Qotom box, for example, for 5 years with no issues.

  • Supermicro A1SRi-2558F Intel Atom C2558 (8 GB, No HDD) (affiliate link) : This Supermicro only has 4 interfaces that are 1 Gbps and the processor may be a bit weak for any CPU intensive tasks. A storage device needs to be added to this 1U server for it to be complete.

$800-1,000 USD

  • OPNsense Desktop Security Appliance DEC2685: The DEC2685 is the most affordable rackmount server that is produced by OPNsense. It should offer plenty of performance for home usage but there are no 10 Gbps interfaces at this price point. As with the desktop version, the aesthetics are quite nice. I would love to have an OPNsense branded rackmount device, but the 10 Gbps rackmount is beyond the price I would like to pay to get 10 Gbps for home usage.

$1,000+ USD

On the high end of $1,000+ USD, you will find more 10 Gbps options as it is almost standard to have at least 1-2 10 Gbps interfaces. If you wish to have 10 Gbps, purchasing new is likely the most expensive option. You could probably build or buy a used system which has 10 Gbps for much cheaper than new hardware. I have included these higher end options for those who want to purchase new hardware and have larger budgets.

  • OPNsense Desktop Security Appliance DEC2750: The most affordable 10 Gbps rackmount option from OPNsense is the DEC2750. If you want 10 Gbps and want to support OPNsense, this is the option for you unless you have a “money is no object” type of budget.

  • Supermicro SuperServer 5018D-FN8T Xeon D (affiliate link) : This is another 10 Gbps option from Supermicro. At this price point, it is more expensive than the OPNsense appliance, but it does have a lot more RAM and double the disk storage. There are also more network interfaces available. You could also possibly repurpose this server as a small application server if you decide to retire it from router/firewall usage.

Build Your Own Router/Firewall

In addition to all of the prebuilt systems mentioned above, you also have the option to build your own router with new hardware. You can build either a desktop or rackmount system depending on the chassis and parts you buy. One nice thing about this option is that you can customize the hardware to your needs. You could install a 2.5 Gbps card (affiliate link) if you have faster than 1 Gbps Internet and a 10 Gbps or higher card for your internal networks (although 2.5 Gbps NIC support may be limited in FreeBSD/OPNsense at this time). You may be able to build a system in this manner for cheaper than some of the prebuilt systems. Even if this option may be more expensive than some prebuilt solutions or used solutions, the extra cost could be justified. The nice thing is that you can always repurpose your custom built system for other needs as well.

Depending on the parts selected, this option may not be very energy efficient especially if you are using desktop/server hardware. There is some lower cost, energy efficient hardware you could purchase. Often times that hardware is not as performant, but for a router/firewall, it often provides enough power especially for home usage. Energy use is important to consider for a device such as a router which runs 24/7 unless money is no object when it comes to your power bill.

Used Hardware Options

When on a budget, purchasing used and/or reusing existing hardware may be the best option. Depending on the hardware, it may not be the most power efficient or the quietest option, but it will certainly get the job done. One risk with used hardware is longevity. Enterprise-grade hardware may last longer than consumer-grade hardware but there are pros and cons to using either type of hardware especially when it is used. However, you may be able to save enough money that it is worth the investment even if you have to buy replacement parts later.

Repurpose Existing Hardware

Repurposing existing hardware such as an old PC or laptop is likely the most affordable of all the options since you already have all or most of the hardware in hand.

  • The main thing you will likely need to purchase is an additional network card or adapter such as an Intel 4 port Gigabit Ethernet card (affiliate link) since you will want more than one Ethernet interface on your system.

  • For additional bandwidth if you plan to utilize 10 Gbps or higher, you can purchase various network cards (affiliate link) . Many of them may be pulled from used servers which makes them more affordable than purchasing the hardware new. I have noticed that SFP+ network cards can often be cheaper than 10 Gbps Ethernet cards so if you have all your equipment near each other especially in the same rack, you could purchase SFP+ cards to connect to your servers and switches. You can either purchase short fiber optic cables (affiliate link) or direct attached copper cables (affiliate link) . For longer runs in your house when you do not have fiber optic cable installed, you can use 10 Gbps Ethernet cards for those devices.

  • The advantages of using an old laptop are that it is quiet, power efficient, and has a built-in backup battery. The disadvantage is that options are more limited for adding additional network interfaces. You will need to purchase a USB Ethernet adapter (affiliate link) . Performance may be lacking especially if using slower USB ports, but in theory, a USB 3.0 port should be sufficient for 1 Gbps Ethernet. Using a laptop may or may not be more unsightly than a small mini-PC network appliance especially if you have USB adapter(s) hanging off the side of the laptop. A laptop can work in a pinch or if you like the novelty of using an old laptop, but it is likely not a good solution for many users.

Old Enterprise Hardware

Many homelabbers love to get used enterprise gear because you can get an older generation server that is still pretty fast for a fraction of the original price.

  • Most standard 1U servers can be used as firewall appliances if they have multiple network interfaces. However, they may have a deeper footprint in your rack, be more power hungry, and can be much noisier than alternatives. A general purpose 1U server could possibly provide much greater performance than a lower power alternative, but at the expense of the cost of electricity, noise, etc. There is some more power efficient and quieter enterprise hardware available as described next.

  • The 1U servers which work best as a firewall appliance are typically half depth, lower power, and lower noise servers, which is perfect for most home lab usage. If you have a sealed off room or power and noise levels do not bother you, a standard 1U rackmount server may be a fine option since they are more powerful and possibly cheaper than the smaller 1U servers that are more tailored to function as network/firewall appliances. Supermicro has a few options in this category.

  • There are many websites which sell used enterprise hardware such as eBay and Server Monkey.

Virtualizing OPNsense

Some users choose to run OPNsense on a virtualization server such as ESXi, Proxmox, or other servers. Virtualization makes it convenient to run new services and apps on your network. Backups and restores of OPNsense are simple if something goes wrong. However, virtualization can add an extra layer of complexity and may require additional troubleshooting. If you have experience with hypervisors, you will likely be able to run OPNsense without issue.

The hardware requirements for virtualization will be about the same as running on bare metal unless you are planning to run other apps/services on your hypervisor. In that case, you need to have enough hardware resources available for everything you are running on your server.

Conclusion

I hope this information provides you with a good starting point of hardware that is available for purchase at various price ranges based on the types of services you plan to run on your OPNsense installation. Since it is impossible to create a list containing all possible hardware options for OPNsense, I tried to provide a few from each price range and category. I am certain there are other good options that I have not covered. If you have some interesting options that I have not covered, please list them in the comments below, and I may add them to the list above since it may help others find hardware that meets their home networking needs.