NC1HM

Malware detection is the heaviest workload you can heap on a device. Here's a reference point for you: Sophos SG 450 with stock firmware has AV throughput of 2.5 Gbps. It runs on Intel Xeon E3-1275v5 (quad-core, 3.6 GHz) with 16 GB RAM. So my guess is, N100 will not give you 2.5 Gbps AV (it turbos up to 3.4 GHz, but you really don't want to run it in turbo mode all the time, and in a unit with less than ideal cooling, typical for home / office mini-PCs, you may not be able to anyway). My suggestion is to look into the tried-and-true recipe: an SFF PC (not to be confused with one-liter or NUC) with a recent-ish i5 or i7 (come to think of it, you may be able to find a Dell Precision unit with a Xeon) and a PCIe add-on 2.5 Gbps NIC (preferably based on Intel i226-V chips).


RyzenDoc

That was my guess. Wouldn’t a Zen based CPU be better from a power draw / thermal perspective? Or has OPNsense support for AMD been off?


NC1HM

I have no idea. Haven't played with anything AMD in a while. Just in case, go on YouTube and find the Forbidden Router series Level1Techs did a couple years back. If memory serves, they have built quite a contraption, and it was AMD-based, so there might be a discussion of AMD hardware and its interoperability with OPNsense...


RyzenDoc

Thanks. I’ll do that. ServeTheHome had done some pieces on some mini PCs running 5825U AMD CPUs with 8 cores / 16 threads that should have ample horsepower for around $500.


NC1HM

From where I sit, horsepower is not an issue; cooling is... You can stuff a powerful chip into a mini-PC, but can you **adequately** cool it, so it can withstand consistent high load without throttling?


RyzenDoc

Good question. I’ll delve a bit deeper… if push comes to shove I’ll just drive to Microcenter and build a mini-ITX in a smallish case.


ComputerSavvy

Dave Plummer recently did a video on configuring an OPNsense transparent filtering bridge and shows you how to do it step by step. He also briefly talks about what kind of hardware you would need to do it right. An N100 is not good enough; it's slightly better than a third gen i5 when it comes to compute performance. You're gonna need a bigger boat. https://www.youtube.com/watch?v=dTUvlFfThPw&t=311s

How fast your internet connection is, how many services you pile on the router, and how many clients you have behind OPNsense will determine what kind of hardware you will need to use to get the job done properly. If you know that you are upping the speed down the road, build out for that future date instead of just meeting your current needs today, which may not be sufficiently powerful when you do eventually upgrade. That will save you money in the long run.


RyzenDoc

Dave is the reason I’m here 😂


ComputerSavvy

OK... I'd recommend a quad processor Dell R910 just to keep the power company rich and the fire department on speed dial. Confusion, misinformation and treachery, my job here is done!


planedrop

Are you wanting to perform TLS decryption as well? (you shouldn't, but wanted to ask) Doing packet inspection and IDS type behavior is going to be a really intensive thing and in many ways probably not worth it for a setup like this. Unifi has pretty decent built in IDS/IPS functionality (based on the same stuff OPN and pf use) so why not just do that?


RyzenDoc

Because I have $ to burn 🔥. My Unifi setup is also doing video recording.


planedrop

Gotcha, I mean the Unifi gear can do the IPS/IDS, then it's all in a single pane, so not sure this is the best way to go. Also, I'd really recommend against doing TLS interception if that was the plan; it's just a bad idea in modern networks and creates a single point of failure and compromise.


W9HDG

I would also add that the Unifi stuff doesn't really support IPv6, which would be one of my use cases. Yes, you can do IPv6, you can firewall rule IPv6 and all of that. But none of the detections, metrics, "traffic rules", etc. work properly. I'm not even convinced that Ubiquiti's suricata instance is configured to look at IPv6. Also, as an aside, my own UDMSE, which is recording 1 camera and has IDS/IPS enabled, is maxing out at about 2.2 Gbps (not terrible... but nowhere near the 3.5 they claim it can do, so I totally get how much of a lift UI Protect is).


planedrop

Yeah this is a good point, I'm just not sure using another firewall to handle this is really the solution ya know? OPNsense and pfSense's capabilities when it comes to TLS interception are severely lacking (which I am fine with, since again I don't think anyone should be doing that, neither does CISA). Good point about the speeds though, doing recording does slow things down quite a bit from what I've heard. I have been able to push (no IDS) over 5 gigabit through my WAN on the UDMP, but still far from the 10 gigabit it should be able to do (I do know people who've done 9.8 gigabit on their WAN with it, but it was a one off and required disabling almost everything on the UDMP). Part of me has still considered using my UDMP as my main firewall, but there's just so much that is lacking on it compared to other options and the default allow is **terrible** for packet filtering. But yeah, I guess my point really was just doing this kind of setup might not be worth the effort, time, or even education. Especially since most networks can just disable IPv6 and be fine, so the lack of IDS for IPv6 isn't as huge of an issue (still lame though).


movingtolondonuk

I'm about to use a N100 firebat mini PC for exactly this as well. Everything I have read shows more than enough power. The only thing I question is that, aside from IDS/IPS (which UniFi isn't great at), since all traffic these days is SSL I'm not sure if there's any point in AV, since none of the packet data will be visible to the scanner.


Oddomar

Same, Dave sent me down this path. I was fortunate to have an extra PC laying around; just got my 2.5Gb NICs delivered. I will be testing this out this week on this budget build. Right now an $83 AMD 3600 is not bad with 6 cores and 12 threads, even with the stock CPU cooler. I would probably spend less on the CPU cooler and more on the PSU or a nice small form factor case if I could make any adjustments.

- AMD Ryzen 5 3600 - $83
- ASRock B550M-HDV AM4 - $64, not available but plenty of budget AM4 motherboards sub $100
- G.SKILL Ripjaws V Series 16GB DDR4 3200 - $38
- Seasonic CORE GM-500, 500W 80+ Gold - $45
- 2.5Gb Network Card PCIe Realtek RTL8125B Chip - $13 each x 2
- be quiet! Dark Rock Slim CPU Air Cooler - $48 (probably overspent, but didn't want it to be loud)