In many use cases it is sufficient to operate an OPNsense firewall on a smaller server configuration. The OPNsense creators give some recommendations for sizing the firewall server hardware.[1] We have summarised these for you here.
Suitable hardware for your application
The following overview shows the recommendations issued by the OPNsense makers.
Important hint: For exact sizing of your hardware, please contact our sales department; we will find the right hardware for you.
Component selection
The following table shows the minimum configurations recommended by OPNsense:
Scope of application | Network throughput (Mbps) | Number of users/networks | Equipment: CPU | Equipment: RAM | Equipment: disc capacity | Sample system
---|---|---|---|---|---|---
Minimum (OPNsense standard features, | 11 - 150 | 10 - 30 | 1 GHz Dual-Core | 2 GB | 4 GB SD or CF card |
Reasonable (OPNsense standard features, | 151 - 350 | 30 - 50 | 1 GHz Dual-Core | 4 GB | 40 GB SSD |
Recommended (OPNsense standard functions, | 350 - 750+ | 50 - 150+ | 1.5 GHz Multi-Core | 8 GB | 120 GB SSD |
Impact of special functions
Although most functions have no particular influence on the hardware selection, the following functions can have a considerable impact:
- Squid Proxy cache for controlling Web content: high influence on CPU (higher loads) and disk writes (cache).
- Captive portal:[2] several hundred users require more CPU performance than listed in the table above.
- State transition tables: As a firewall with Stateful Packet Inspection,[3] OPNsense records the state of all active network connections (connections/sessions) passing through the firewall. This information is stored in a state table. Two entries are stored for each individual connection (one for the outgoing connection and one for the incoming connection). Each entry in this table occupies approximately 1 KB of RAM.
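
The following script is an added example, not code from OPNsense or from this wiki. It turns the state-table figures above into a headroom check: it reads the current entry count and the configured state limit from `pfctl` output and estimates how much RAM a completely full table would take. The function names and the sample output are constructed for illustration, and the 1 KB per entry and two entries per connection are the approximations given in the text.

```sh
#!/bin/sh
# Added example: estimate pf state-table RAM from `pfctl -si` / `pfctl -sm`.
# Assumptions (from the text): ~1 KB of RAM per state entry, two entries
# per connection. Function names are hypothetical.
KB_PER_STATE=1

# Print the "current entries" count from `pfctl -si` output on stdin.
state_entries() {
    awk '/current entries/ { print $3; exit }'
}

# Print the "states hard limit" value from `pfctl -sm` output on stdin.
state_limit() {
    awk '$1 == "states" && $2 == "hard" { print $4; exit }'
}

# Convert a number of state entries to whole megabytes, rounded up.
states_to_mb() {
    echo $(( ($1 * $KB_PER_STATE + 1023) / 1024 ))
}

# Args: current entries, state limit, installed RAM in MB.
# Prints connections now, RAM used now, RAM if the table fills up,
# and that worst case as a percentage of installed RAM.
report() {
    entries=$1; limit=$2; ram_mb=$3
    full_mb=$(states_to_mb "$limit")
    echo "connections=$((entries / 2)) used_mb=$(states_to_mb "$entries")" \
         "full_mb=$full_mb ram_pct_if_full=$((full_mb * 100 / ram_mb))"
}

# Constructed sample output (not captured from a real firewall).
SAMPLE_INFO='State Table                          Total             Rate
  current entries                    48210
  searches                        91234567         1520.3/s'
SAMPLE_LIMITS='states        hard limit   400000
src-nodes     hard limit   400000'

# On a live system, pipe `pfctl -si` and `pfctl -sm` (as root) instead.
e=$(printf '%s\n' "$SAMPLE_INFO" | state_entries)
l=$(printf '%s\n' "$SAMPLE_LIMITS" | state_limit)
report "$e" "$l" 4096
```

A worst-case share that is large relative to installed RAM means a flood of connections can push the firewall into memory pressure before the state limit is reached, which is the case to size for.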
Firewall Performance Tests
We perform our own in-house performance tests with various OPNsense-compatible servers. The test scope includes, among others, a firewall throughput test, an IDS/IPS test, and OpenVPN, IPsec and WireGuard VPN tests.
Hardware compatibility list
Because OPNsense is based on FreeBSD, it supports at least the same hardware as the respective FreeBSD version:
- OPNsense 24.7 (FreeBSD 14.1): FreeBSD 14.1 Hardware Notes (www.freebsd.org)
- OPNsense 23.7/24.1 (FreeBSD 13.2): FreeBSD 13.2-RELEASE Hardware Notes (www.freebsd.org)
- OPNsense 22.7/23.1 (FreeBSD 13.1): FreeBSD 13.1-RELEASE Hardware Notes (www.freebsd.org)
- OPNsense 22.1 (FreeBSD 13.0): FreeBSD 13.0-RELEASE Hardware Notes (www.freebsd.org)
- OPNsense 20.7/21.1/21.7 (FreeBSD 12.1 / HardenedBSD): FreeBSD 12.1-RELEASE Hardware Notes (www.freebsd.org)
- OPNsense 20.1 (FreeBSD 11.2 / HardenedBSD): FreeBSD 11.2-RELEASE Hardware Notes (www.freebsd.org)
- OPNsense 19.1/19.7 (FreeBSD 11.2 / HardenedBSD): FreeBSD 11.2-RELEASE Hardware Notes (www.freebsd.org)
- OPNsense 18.1/18.7 (FreeBSD 11.1): FreeBSD 11.1-RELEASE Hardware Notes (www.freebsd.org)
- OPNsense 17.1/17.7 (FreeBSD 11.0): FreeBSD 11.0-RELEASE Hardware Notes (www.freebsd.org)
- OPNsense 16.7 (FreeBSD 10.3): FreeBSD 10.3-RELEASE Hardware Notes (www.freebsd.org)
References
- [1] Hardware sizing & setup (docs.opnsense.org)
- [2] Captive portal (en.wikipedia.org)
- [3] Stateful firewall (en.wikipedia.org)
Author: Werner Fischer. Werner Fischer, working in the Knowledge Transfer team at Thomas-Krenn, completed his studies of Computer and Media Security at FH Hagenberg in Austria. He is a regular speaker at many conferences like LinuxTag, OSMC, OSDC, LinuxCon, and author for various IT magazines. In his spare time he enjoys playing the piano and training for a good result at the annual Linz marathon relay.
Author: Thomas Niedermeier. Thomas Niedermeier, working in the product management team at Thomas-Krenn, completed his bachelor's degree in business informatics at the Deggendorf University of Applied Sciences. Thomas has been employed at Thomas-Krenn since 2013 and takes care of OPNsense firewalls, the Thomas-Krenn-Wiki and firmware security updates.