NUC Firewall configuration for OPNsense

Hello all! I am in the process of planning my future install of a transparent bridge firewall and I think I want to go with a 2.5Gb x 4 port device (not negotiable). I’m still shopping for a NUC manufacturer/model but I’m also thinking about how to set it up. I know that I want to install OPNsense (not pfSense, not negotiable) but I’m unsure if it makes more sense to install it directly onto the NUC or to first install something like Ubuntu Server and then install OPNsense on top. I like the idea of having a separate management port from the bridge as opposed to integrating the two and going with a smaller, cheaper, 2.5Gb x 2 port device. I’d appreciate any advice on a NUC and on the pros and cons of the two install approaches. Thanks.

My approach with routers is to go bare metal in order to reduce attack surface on the device that’s exposed to the wild. Running OPNsense in a VM or container just adds more little nooks and crannies that may be exploited.

Thanks for the reply. That could be a downside, but the attack would have to be very sophisticated. On the upside, I would be able to create backups of the install. This would make it more robust in case of corruption, and reinstallation / reconfiguration would be very fast. I would need to install Proxmox on the appliance and then OPNsense as a VM in Proxmox.

UPDATE: I thought it might be possible to install Proxmox on Ubuntu Server, but it seems it can only be installed on Debian. A bare metal install is looking like the better option.

Yeah, true, I keep forgetting that our home labs are not a commercial/gov target with lots of exposed ports and APIs and all that. Likely 99.99% of those who are attacking CPE are going for the lowest-hanging fruit, looking for TP-Link junk to add to their botnet, so an x86 running BSD or Linux isn’t on their radar: ping it and move on…