More Than Just Hardware, It’s a Work of OPNsense Art!
In the search for hardware to install OPNsense, just after ditching the Ubiquiti garbage that was not capable of handling 1 Gbps on PPPoE with Suricata IPS/IDS turned on, I stumbled upon the dedicated devices provided by Deciso - OPNsense®. When I saw the DEC 850 V2, it was instant love. Despite the fact that the price was a bit over my budget, and honestly, the hardware is a bit overkill for a home environment, I finally committed and bought one. I have no regrets.
The device is an engineering marvel, and I say this from the perspective of someone who has worked for more than 12 years with enterprise hardware equipment. Having such a powerful device also gave me the opportunity to test add-on solutions like CrowdSec and Zenarmor, both of which have remained installed alongside Suricata. I would also like to extend my thanks to the friendly and helpful team in the Netherlands for their assistance with the technical questions I had before ordering the device.
I won’t bother listing all the technical details, but you can find them here: https://bit.ly/dec850v2
The mini USB console port is convenient, requiring no RS232 adapter or drivers. From a Linux or macOS terminal, use the command “screen /dev/ttyXXX 115200” to connect to the console for debugging purposes or in case something goes wrong with an update. The BIOS is also accessible from the console for boot options and other settings.
The temperature shown below is under normal operation at a room temperature of 26°C. The highest temperature I have seen was 55°C under load. I have the device mounted on a wall in an upright position using the provided wall accessories.
And YES, it handles 1 Gbps PPPoE without any problem. I’m anxiously waiting for Digi (RCS & RDS) to finalize its 10 Gbps infrastructure. Not that I would ever need such speed in a home environment, but it’s always nice to have, especially since internet prices in Romania are dirt cheap.
For those wanting to use 1GB SFP modules, I have seen an issue where, after a reboot, SFP modules that actively auto-negotiate on axgbe are slow to come up in link state, which can cause a race condition.
However, one would expect that after booting, removing and reinserting the SFP would eventually cause dhclient to recover and obtain an IP address for the interface once the link is up. Instead, the driver remains in an “off” state, where only outgoing traffic is visible in tcpdump, and the device does not receive any incoming traffic.
A workaround for the issue is to create a script named “90-axgbe” in the “/usr/local/etc/rc.syshook.d/start” directory with the contents below. Set the script's permissions with the “chmod 755 90-axgbe” command so that it is executable.
#!/bin/sh
# Bounce both axgbe ports once at startup so the SFP link is brought up again
ifconfig ax0 down && ifconfig ax0 up
ifconfig ax1 down && ifconfig ax1 up
More info on this topic can be found here: https://bit.ly/1G-SFP
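The workaround above bounces the ports but never confirms that the link actually came back. The following variant is an added example, not the author's or Deciso's script: it bounces ax0 and ax1 the same way, then polls the "status:" line of ifconfig and logs the outcome. The IFCONFIG and WAIT_SECS variables, the "axgbe-hook" log tag and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the author's or Deciso's script. IFCONFIG, WAIT_SECS and
# the function names are assumptions; ax0/ax1 are the ports named above.
IFCONFIG="${IFCONFIG:-ifconfig}"
WAIT_SECS="${WAIT_SECS:-15}"

# Log to syslog, falling back to stdout when logger is unavailable.
log() { logger -t axgbe-hook "$1" 2>/dev/null || echo "axgbe-hook: $1"; }

# Print the value of the "status:" line, e.g. "active" or "no carrier".
link_status() {
    $IFCONFIG "$1" 2>/dev/null | sed -n 's/^[[:space:]]*status:[[:space:]]*//p'
}

# Bounce one port, then poll until it reports "active" or WAIT_SECS elapse.
# Returns 0 = link active, 1 = still no link, 2 = interface not present.
bounce_and_wait() {
    ifn="$1"
    $IFCONFIG "$ifn" >/dev/null 2>&1 || return 2
    $IFCONFIG "$ifn" down && $IFCONFIG "$ifn" up || return 1
    waited=0
    while [ "$waited" -lt "$WAIT_SECS" ]; do
        [ "$(link_status "$ifn")" = "active" ] && return 0
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

main() {
    rc=0
    for port in ax0 ax1; do
        bounce_and_wait "$port" && st=0 || st=$?
        case "$st" in
            0) log "$port link active after bounce" ;;
            2) log "$port not present, skipped" ;;
            *) log "$port has no link after ${WAIT_SECS}s"; rc=1 ;;
        esac
    done
    return "$rc"
}

main
```

A port with no module inserted delays startup by up to WAIT_SECS seconds, so lower the value or remove unused ports from the loop.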