[talk] opnsense box for home: APU2 or something else?

Isaac (.ike) Levy ike at blackskyresearch.net
Wed Dec 20 09:21:32 EST 2017

Hey There Thomas,

On Tue, Dec 19, 2017, at 5:07 PM, N.J. Thomas wrote:
> Looking to pull the trigger on an OPNSense box for home. Cheap and low
> power are probably my two main requirements.

> Currently eyeing the APU2, which looks to be about $190. If anyone's got
> any other suggestions, I would love to hear it.

Disclaimer for my ramble: I'm not a vendor, and don't work for PCEngines- but I am pretty biased.  After all of Pascal's donations to the *BSD universe over the years, I really love those folks and their gear- and I certainly do love my OPNSense systems.
Apologies in advance for not quite answering your question about alt hw:

OPNSense (and any FreeBSD) will run on nearly anything with >1 network interface, and there's certainly lots of small gear out there.  Yet, for a solid small GigE router, I highly recommend the APU2 boards from PCEngines, for a couple reasons:

- They are perhaps the smallest low-power box which allows all the big features of OPNSense.  Depending on your application, you may not want/need these features, and *way* smaller hardware is totally acceptable!

- mSATA slot, and cheap SSDs....  If you wish to use the OPNSense onboard Netflow traffic analysis tools <https://wiki.opnsense.org/manual/netflow.html>, or any of the anti-malware IDS/IPS rulesets, <https://wiki.opnsense.org/manual/ips.html>: you simply need some fast onboard disk to store netflows.  For this case, the APU2 boards come at an excellent price point, (their 20Gb SSD is quite reasonably priced, and way more than enough space).  These are *absolutely* features which are a no-go for systems using flash-based media, not only because of speed, but burning them out with writes capturing all that network i/o.

- Plenty of CPU/Mem for other fun, and the GigE NICs are well supported by FreeBSD.

- The boards are really flexible- little things like slightly variable power requirements make it so that many wall-warts in a drawer will happily power the board, (within bounds).  This has saved my tail after power surges and the like.

- The boards are super solid.  I've been through nearly 100 APU series boards, and never have I received a dead one- (ALIX either), and knock on wood, none I own or manage have died.  I'm having a better run than I did with Soekris back in the day, but I remember only 1 board which came DOA, (and Soekris gear was high quality as well- I loved that gear too).

- Open Hardware, which I care a *lot* about.  The full hardware design spec is online, and PCEngines has been very nice answering specific details about chips on the board, etc...  In a world of hardware-compromised blackbox machines, this model is terribly important to me- how can one build securable networks with mystery stuff in the hardware?

Those are the things that matter to me, at home, and in applied use professionally.

As an aside, (not quite what you want), I've also built out slightly larger systems using Lanner hardware, http://www.lannerinc.com/ - basically just larger boxes than PCEngines, (more GigE NICs, for my applied use).  More expensive than PCEngines, but comparing per-port pricing in a build it's on par with PCEngines.  Hard part, their raw gear is hard to get- they sell mostly to VARs and don't do retail.
But, as an alternative, I've had similarly rock-solid experiences with this gear and OPNSense, (sized just below getting into big stuff with commodity server hardware).


