
4 hardware requirements I would never skimp on when building my own OPNsense or pfSense router



Home networking can be an incredibly rewarding hobby, especially when you start building and configuring your own OPNsense or pfSense router and firewall. Recently, I transformed a Ugreen DXP4800 Plus NAS into a dedicated OPNsense box, and the results surprised me, largely due to the quality of the Ugreen NAS hardware. During this process, I did a lot of research on the essential components and quickly learned there are certain hardware requirements you simply shouldn’t skimp on.

While everyone’s network setup will vary, there are some universally important considerations when assembling your own OPNsense or pfSense firewall. Here are the hardware components that are absolute non-negotiables, why they matter so much, and how choosing the right parts will significantly enhance your networking experience.

4. High-quality Network Interface Cards (NICs)

Also known as Network Interface Controllers


Making sure you have high-quality NICs is arguably the most important thing to pay attention to when it comes to building your own router. Not only will all of your connections ultimately flow through these, but you need to be aware of the actual drivers that are used for them as well. Not all NICs will have FreeBSD drivers available, which is why my OPNsense deployment is virtualized in Proxmox so that I can benefit from Linux drivers. That’s the other side of it, too: sometimes, the drivers on Linux will have better performance depending on your NIC, meaning that even if they’re supported on FreeBSD, you might still get better performance overall by virtualizing your OPNsense or pfSense instance.

The most important piece of advice here is to simply avoid Realtek NICs. Intel NICs are the gold standard, but you’ll still need to do research to find which ones are right for you. The Ugreen NAS has two separate NICs, with one being the Intel I226-V 2.5GbE and the other being the Aquantia AQC113 10GbE. The latter does not have any native FreeBSD drivers, whereas the former, despite being Intel, has had issues in the past. I haven’t experienced those issues, but your mileage may vary. Still, make sure you go for the right NICs for the job, especially if you want to have multi-gigabit connections between your devices, or you have a multi-gigabit internet connection.
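To see which driver, if any, FreeBSD has attached to each NIC, you can read the output of pciconf -lv on the OPNsense or pfSense shell. The script below is an added example, not part of the original article: it flags Ethernet controllers with no driver attached (FreeBSD lists them as "none") and Realtek parts (PCI vendor ID 0x10ec). The function names, the verdict labels and the sample output are constructed for illustration, and the parser assumes the vendor=/device= header format of recent FreeBSD releases.

```shell
#!/bin/sh
# Classify Ethernet controllers from `pciconf -lv` text read on stdin.
# Prints one line per NIC: "<device> <pci-vendor-id> <verdict>".
# On a live FreeBSD/OPNsense/pfSense box:  pciconf -lv | audit_nics
audit_nics() {
    awk '
    # Header lines start in column 0; the detail lines below them are indented.
    # PCI class 0x0200xx is "network controller, Ethernet".
    /^[^ \t]/ && /class=0x0200/ {
        name = $1
        sub(/@.*/, "", name)                 # "igc0@pci0:1:0:0:" -> "igc0"
        vendor = "unknown"
        for (i = 2; i <= NF; i++)
            if ($i ~ /^vendor=0x/) vendor = substr($i, 8)
        if (name ~ /^none[0-9]+$/)   verdict = "NO_DRIVER"  # no driver attached
        else if (vendor == "0x10ec") verdict = "REALTEK"    # advice above: avoid
        else                         verdict = "OK"
        print name, vendor, verdict
    }'
}

# Constructed sample (not captured from real hardware): an Intel NIC with a
# driver, an Aquantia NIC without one, a Realtek NIC, and a non-network device.
sample_pciconf() {
    cat <<'EOF'
igc0@pci0:1:0:0: class=0x020000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x125c subvendor=0x8086 subdevice=0x0000
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Controller I226-V'
    class      = network
    subclass   = ethernet
none0@pci0:2:0:0: class=0x020000 rev=0x03 hdr=0x00 vendor=0x1d6a device=0x04c0 subvendor=0x1d6a subdevice=0x0001
    vendor     = 'Aquantia Corp.'
    class      = network
    subclass   = ethernet
re0@pci0:3:0:0: class=0x020000 rev=0x15 hdr=0x00 vendor=0x10ec device=0x8168 subvendor=0x10ec subdevice=0x0123
    vendor     = 'Realtek Semiconductor Co., Ltd.'
    class      = network
    subclass   = ethernet
ahci0@pci0:0:23:0: class=0x010601 rev=0x00 hdr=0x00 vendor=0x8086 device=0x0000 subvendor=0x8086 subdevice=0x0000
    class      = mass storage
    subclass   = SATA
EOF
}

sample_pciconf | audit_nics
```

A NO_DRIVER line means the running kernel has no driver bound to that port, so it cannot be assigned as a WAN or LAN interface until a driver is installed or the firewall is virtualized on a host that supports the card.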

3. More RAM, not faster RAM

You don’t need blazing-fast DDR5 speeds here

When it comes to building your router and firewall, more RAM should be a priority rather than faster RAM. At least in the case of OPNsense, caching is used extensively, which means data is stored in RAM for future reference. When your RAM fills up, the system falls back to swap, which is a lot slower, and that performance hit is far larger than the difference between slower and faster RAM.

For an example of this, we can take a look at the type of memory used in enterprise devices built for deploying systems such as OPNsense. The OPNsense company sells official hardware for deploying your own instance, and RAM options start at DDR3, which is incredibly outdated these days. However, when deploying inspection services like Suricata and Zenarmor, you’ll likely see your system using a lot of the RAM you give it. Even in my case, with only 4GB of RAM allocated to my OPNsense instance, I’m using 3.3GB of it with just a few additional services deployed.

2. Single-threaded CPU performance is important

Especially for VPNs, IDS/IPS, and PPPoE

If you have a PPPoE connection, or you plan on using VPNs or intrusion detection/prevention, single-threaded CPU performance will be important. When it comes to PPPoE, you can improve performance by virtualizing OPNsense or pfSense, as the Linux-based host will then forward those packets through the virtual bridge, and the VM can process those incoming packets across all cores. For other uses, single-threaded performance is important because a consistent data stream is kept on one core at a time, which ensures strict packet ordering for protocols that require it.

To be clear, you don’t need to go all out, and what CPU you require will depend on your internet’s capabilities. I have a gigabit FTTH connection, and with my Pentium Gold 8505, I can saturate that entire connection without any problem. It’s not that you need to spend hundreds on a great CPU with excellent single-threaded performance, but you do need to make sure you get the right CPU. Clock speed and IPC will matter a lot more than individual CPU core count in most personal use cases.

1. Enough ports to make it useful

So you can connect from other devices


While your typical ISP router will lack in many key areas, there’s usually one place it won’t lack, and that’s in ports. The downside of using the Ugreen NAS in my case is that it only has two Ethernet ports, with one connecting to my Optical Network Terminal (for connecting to my ISP) and the other connecting to a network switch. This network switch gives me ports for distributing the connection to other devices, but it would be nice to have more ports available to me directly from the device running OPNsense itself.

To be clear, this isn’t a big deal in the grand scheme of things. The minimum number of ports required is two, and so long as your LAN interface can connect to a switch to distribute that connection to other devices, it’s fine. You’ll just need to keep in mind that you’ll need a way to connect to more than just one device, so either ensure that you have more ports or pick up a managed or unmanaged network switch. Mine is a simple, unmanaged TP-Link SG108.

You don’t need to go all out

For most consumer-level internet connections, you don’t need fantastic hardware to manage a few devices. Even in my case, I have 8GB of DDR5 RAM, and I would sooner care about how much RAM I have than the speed of it. As for the actual processing speed, the Pentium Gold 8505 works perfectly on my gigabit connection. You don’t need to worry about much, just make sure you get the right hardware.


