Cake day: October 29th, 2023

  • Having L3 at the access switch layer has other benefits.

    Thanks for the response. I bit the bullet and bought a second identical machine (Lenovo Tiny M720q) to what I’m running now with pfsense. When it gets here and I get it together I’ll run the second machine with opnsense, in parallel to the current pfsense setup. I’ll probably do something like a double NAT and use opnsense for my ESXi and homelab stuff so I can keep pfsense running the rest of the house.

    What do you mean, other benefits? ACLs? I have pfsense (2x SFP+ LAN LACP, 1x mobo gigabit WAN), then a Cisco SG500X-24 in L2 mode, then from there I’ve got the MikroTik CRS317 and a bunch of Cisco SG300 switches. If I make a change I’d probably offload the DHCP server too. What else am I missing?

    Should I try to replace pfsense 1:1 with opnsense for now, and then make changes later (or don’t change anything once I’m comfortable)? I’ve been using essentially the same setup for so long I don’t really know much else.


  • Why are you considering that?

    Because the Netgate appliances I’d need to replace my whitebox appliance are either the 6100 or the 8200. So if I offload most of the routing into an L3 switch, and I can put DHCP somewhere else too, then all I need is a little 1100 or 2100 appliance to just do firewall.

    My current setup has all my switches in L2 mode and all firewall/routing is done in pfsense. If I break out the routing portion (and DHCP) then I don’t need nearly as much hardware for pfsense.


  • Why not just move to OPNsense?

    I’m buying some hardware that I can run in parallel. I don’t want to just switch to OPNsense; I’d like to know and understand the differences in the software before I just deploy OPNsense.

    Moving to a level 3 switch.

    Moving to a layer 3 switch: Right now I am doing firewall+router on the same appliance. A layer 3 switch will let me break out the firewall/router so that the L3 switch does routing (most of it) and the netgate appliance would do the firewall work.

    Since ~2008 all I’ve used is pfsense so moving to opnsense is a little unknown. I’m buying a second piece of hardware so I can try a few different setups and run something in parallel for a few months so I can make an educated decision. I don’t know much about OPN so I don’t want to comment until it’s up and running.



  • I think that’s a really solid setup, you should be happy.

    Mine isn’t Dell but pretty similar to yours. Mine is a Fractal 804 with a SuperMicro X11SSL-F mobo. I started with an E3-1220v5 CPU and eventually swapped that out for an E3-1268Lv5 CPU (just a low power/low TDP CPU). My mobo only has gigabit NICs so I used an AOC-STGN-i2S (dual SFP+). I have 2x 10GbE uplinks in LACP and even that E3-1220v5 was able to saturate a 10Gb link, so as long as you aren’t running a ton of VMs and stuff it should be plenty fast.

    I’m TN-Core only. Nothing else, and my drives are all in mirrored pairs because that’s where my VMs live. I’ve got the same Dell H310, 64GB ECC UDIMM DDR4, 8x 4TB drives (mirrored pairs), 4x 2TB SSDs (also mirrored) and 2x SSDs for boot (mirrored). I think the boot drives are 256GB? I forget.

    My second NAS is also TN-Core but a VM with PCIe device passthrough. That machine has 8x 12TB in rz2. I’m not sure that I’d want to risk a rz1 pool with drives up over 6TB, but maybe I’m being too conservative. Inside the case of each of the servers I have a “cold spare” drive (an extra 4TB and one extra 12TB).

    Of all things: I actually lost a boot drive. The only way I’d run a NAS without mirrored boot drives is probably if I did PXE (network boot).

    Maybe pick up another 8TB drive so you have an even number, 8x drives? (That’s just my OCD not wanting 7x drives.)