@@spicybaguette7706 it shows clearly how many people in the comments do not understand what the hardware is. This shouldn't be on ShortCircuit to be honest. They need a dedicated enterprise hardware channel. It's just a bunch of consumers here balking at the prices. This device is for an enterprise/business, it's not really for home use. There are other solutions for this on AliExpress with 10G and 25G SFP+ ports for a fraction of the cost.
I work as an IT professional and installed similar Deciso hardware in different customer scenarios. Every unit works like a charm to this day. I really like OPNsense, so simple to set up everything and rock solid. Cheers
As someone who works with rack mount HW all day every day, redundant PSUs are not helpful if they are not hot swappable. If one fails the unit has to be taken out of service for an extended period in order to replace the bad one. That isn't something you're going to do on the floor, too loud etc., so all a redundant PSU does is delay when the outage occurs.
It does give you the option of putting the outage into a designated maintenance time frame. For example, I would assume LMG doesn't really need their firewall Saturday 3am.
Non-hot-swap PSU devices should then be deployed in pairs, or in an HA situation; this allows the devices to keep running, even with 1 failed PSU. Once the fault is identified, you should either fail over to the redundant device, or schedule a downtime window to replace the faulty component.
@@netrixtardis Which is exactly what Jake said they are doing. For what it's worth, for the small business sort of customer a device like this is aimed at, it doesn't seem like a big deal to schedule 15 minutes of down time, after the 2 or 3 days it will take to have a new PSU shipped out to you. No one is keeping spares on the shelf for this.
Technically, they are hot swappable. If you leave all cables long enough to take the unit out of the rack and risk electrocuting yourself, you can pull it off. Having two PSUs lets you connect it to two different power sources. Which you don't get to do with just one. But you are right, it's wayyy more convenient to just pull the defective PSU and load a new one.
A dead PSU is not that kind of problem. OPNsense is built with HA in its base. If one unit fails, the second will take over all services, until the problems with the first unit are solved. This goes back to the roots, inside pfSense.
@@SuperNGLP every time they catch fire due to lack of monitoring, cooling, care and they keep upgrading their internet line to unnecessarily fast connections.
I thought it took me the whole video to realize Jake was wearing an M539 Restorations shirt but he switched right at the end 😂 If anyone reading this is into BMWs or just cars in general it is one of the best automotive YouTube channels by far!
Sreten just started a new series about some solid Maserati Quattroporte GTS he bought for 18k€, it is sooo awesome to watch him work on that stuff. That is some nice support from Jake here!
@@dermozart80 Agreed the Maserati content is a nice change from the normal BMW wrenching he does but honestly I could watch Sreten restore a bicycle and be just as equally entertained 🤣
@@gamebrigada2 DEC4280 is 60Gbps total firewall throughput with 21Gbps port-to-port at a time, where the fastest port is 25Gbps at the physical level. Even said that in the video. Idk where you got the 20Gbps number...
love OPNsense. I switched from pfSense VMs to a pfSense dedicated old desktop and finally to an open-source-BIOS / OPNSense based miniPC. It's the best of both worlds, small power usage like a traditional router, but completely configurable (and I got 2.5G ports for future upgrading my 1G setup)
Love LTT folks touching data center stuff. But this thing is missing a few things.
1. Hot swap PSU is a must.
2. Hot swap RAID1 hw/sw storage is a must.
3. Ports designed / additional ports for LAG or H/A failover. So when running active/active or active/passive it has that communication. Yea you could always trunk and use others for similar features but better to have dedicated ports.
I thought this too. At the very least, 2x 256GB SSD/NVMe would have been more cost effective unless you would need 512? I personally don't see the need. The dual PSU but not hot swappable makes the dual PSU pointless almost? As you would likely need to shut down to replace it. 6K for something really only worth 1.2k feels a little 👀👀👀👀👀
Am I the only one that finds it infuriating that an open source router has a "warranty void if removed" sticker on it and has 0 hot-swap parts while also using annoying Torx bits?
I agree about the open source and warranty void sticker, the no hot-swap and Torx I don't 100% agree with. They have redundancy at least, so you can schedule your maintenance outage at a time convenient to you. I don't see a device like this being used in many large enterprises, no hot-swap, no global distribution chain for support and parts. More likely SMB or prosumer customers like LTT. Can't stand Phillips screws, always rounding over or stripping. I found Torx so annoying, until I actually owned a good set of Torx bits and Torx drivers. They are the superior screw.
Big fan of the customization devices like these offer as routers. I've been using pfSense on a mini PC for a few years now and it's been wonderful. It's quite refreshing to finally experience something so reliable that it has multiple years on the uptime counter.
@@EFazy It’s not at a business so I don’t have to worry about any dumb policies. I’ve never heard about anything that would impact pfSense’s efficacy as a firewall on a secure network, so what do I care?
Agreed. I got tired of perfectly functional home routers losing software support so soon, so I bought a mini PC with 2.5GbE ports and installed OPNsense, and hopefully I can run that for a long long time and just upgrade my WAP as WiFi standards improve. And I always buy the last version of WiFi WAPs that flood eBay barely used as businesses migrate to new hardware. So much more cost efficient than new.
EPYC Embedded 3451 uses the same dies (essentially 2x Ryzen 7 1700) as Zen 1 Ryzen and Zen 1 standard EPYCs. All of them have 10Gbit on die but it's rarely exposed (this being an obvious exception).
You guys should do a video sometime on exactly why OPNSense is better than PFSense. Or why you "prefer" it over PFSense, if you don't want to get into which one is "definitively better"...
Indeed. I've seen some people say they prefer pfSense because OPNsense updates TOO often and runs into upgrade issues due to that, whereas pfSense waits until there is a good reason to update and runs into fewer issues due to a longer testing period. A big reason I'm still on pfSense though is that having to port over my configuration would be a pain. Plus once you've learnt how the UI works it seems more of a chore to learn the difference than just stick with what you already know. I've not seen a compelling argument for why I should switch, more that OPNsense is easier if you don't already know how the pfSense UI works.
@@alexatkin Those reasons are pretty much the reason I will not use OPNSense. I want a *very* stable network appliance, not the latest and greatest updates. I find pfSense to be extremely intuitive as well and have yet to have any issues with it *knock on wood*. Best practice in the network world is to generally update only about once or twice a year anyway unless there's a serious vulnerability discovered in the OS running on the appliance. Other than that, you don't want to be disrupting your customers all the time just to upgrade for no really good reason.
@@AC-cg4be Updates once or twice a year? Please tell Fortinet to do that with their firewalls. Seems I have to update it almost every other week now. It's ridiculous. It's so bad now that the latest version can update itself, which I do for branches. I set it to update itself 7 days after its release to make sure it's stable. Side note: I've stopped buying FortiGates and started buying Netgate appliances instead. Fewer headaches.
I used to run OPNsense on a Core2Duo laptop, was great to have the built in battery (was new). Using a Protectli now, highly recommended. Last router you'll need for 20+ years.
@@dro3m You need to change hardware if you want 10GbE. I have this case now. My OPNsense can do 2.5 Gbit but my line could do 10 Gbit. If I want to use it, I need to change hardware, and this after two years of use.
Love the infrastructure content. I know it's a little more niche but I always love this type of content. I would 100% subscribe to an enterprise or infrastructure centric channel.
Been running OPNsense for a few months and it's a network engineer's wet dream. From PPPoE to LTE to OVPN layer 2 bridges to physical ports you can do a bunch of complicated stuff. But by far the best feature is the IPv6 subnet support. Been missing that on every other router... You can even delegate a subnet as a prefix to a downstream router. Amazing IPv6 experience! IPv4 works as well of course, you can even give v4 lower gateway priority so you get the IPv6 speed boost...
60 Gbps is a nonsense number that's derived from using a 1500 byte packet size for all packets at 5 million packets per second (which is the real number to be focusing on). At a more realistic 578 byte (IMIX average) packet size that's 23 Gbps. At line rate (64 byte packet size)? That's only 2.5 Gbps. And that's not even going into the absolutely abysmal threat prevention rate which takes packets per second down to 625 thousand. For something that costs $6,000+ one would expect better.
Hi Jake, I like your T-shirt. Very happy to see cross-referencing going on like this... Also wanted to note that you got me into networking and servers, many thanks for that!
I just built myself a Sophos firewall, I used an old Dell OptiPlex with a dual Intel gigabit NIC. Got the hardware all for about $120. For home use, it's overkill. Sophos offers a free home version of their OS. It can do packet decryption and re-encryption (which breaks stuff but it's fun to play with). The home version does limit you to a 4-core CPU and 6GB of RAM. Which is fine for home use. Probably fine for a small business but the EULA likely states not to use it for a business environment. I had been using the setup for a pfSense deployment, but I wanted something that did deep packet inspection. Mostly just to play with.
I'm really impressed by the power of this device and the neatness of its hardware. Agreed, adding dual SSDs would make it more versatile. The price is a bit high, but for specialized use and considering the performance, it could be worth the investment for some businesses.
The one question that came up was about not installing a 2nd SSD. Network appliances almost always come in pairs, so in the event one fails, another is there to pick up the slack automatically. Instead of adding redundancy inside the device, you make the entire device redundant (save for power, because power failures are some of the most common issues with data centers). Logs should be streamed to a local logging server, and configs need to be shipped off whenever a change occurs, so the data on the device is not an issue. This means that if you ever need to service it, you can just power it down, let your network fail over to another router, and then swap with one that has already been imaged, restore your configs, and it's back in service. If the drive fails, the entire device fails and the 2nd router will automatically pick up the traffic. Will a 2nd drive allow that failure to be delayed? Yes, but now you are running a router that is not at full capacity and on a degraded drive, not an ideal situation, but still, that would allow you to manage when to bring that device down instead of dealing with it right away. So there is value, but it adds complexity. Maybe they will add one in the production build, but that also adds cost, so there are always trade-offs that you need to consider. At least there is a 2nd NVMe slot to let the customer make the choice.
"less advanced shape than I was thinking" - simplicity often wins. Get deciso to send you (us) some sweet animations or extra screens of the computational fluid dynamics (CFD)
Oh neat, they're actually using the 10G Ethernet MACs built into the EPYC SoC. Those have been in EPYCs for a long time but I never saw anyone actually use them. Couldn't be sure if there was some problem with the hardware or if vendors just chose to use stuff from Intel et al. because they knew it would work.
I haven't looked into the datasheets for it, but I would assume that the dedicated Intel NICs have more fixed function hardware onboard and can do a great deal of offloading tasks, freeing up CPU resources.
@@RobinCernyMitSuffix Yeah, I assume if someone uses the ports as a switch, they can just do that without going through the CPU. It's how a simple DSL router does it too when they have multiple ports.
For 6000€, you can get much better 1U rack servers... maybe they need a bit more power, but you can expand later with NICs (or other stuff), and you get proper long term vendor support, and a proper iRMC/iLO/iDRAC/whatever BMC, to manage the server independently of the main OS.
Seems like a bad idea to reuse that thermal compound on an exposed die CPU where adequate coverage is so important. Hope he at least spread it out. I don't see any obvious springs on those heatsink screws either, so that seems like an accident waiting to happen.
Pinching the airflow, then widening it and then pinching it again basically "combines" the pulses of airflow, as the air comes in pulses from the fan blades. This makes the airflow much smoother after that smart inlet.
Absolutely love OPNsense. Running an Arris SB8200 with a TP-Link AX1800, started getting slower and slower speeds to the point my Gb was now 400Mb. Had an old Xeon ThinkServer laying around, popped a USB with OPNsense on it and I'm now getting my full speed plus able to have internet even if my access point dies. Also have stable 32ms or less on every ping test whereas before I'd have random 200+ms pings on Ethernet and 400ms pings on WiFi. Was even able to snag a 2.5Gb switch with 10Gb SFP+ for $60 so now I have Gb internet and a 2.5Gb local network.
Bit of a stretch in other dialects, though! Route and rout are different words with different meanings, spellings, and (outside of NA) pronunciations. "A thing which routes" and "a thing which routs" both being spelled "router" is an awkward quirk of English.
Netgate 8300 is a better choice IMO. Actual hot swappable power supplies, true IPMI, higher throughput for firewall and VPN. Oh... and it's less expensive.
I run OPNsense on a Chinese N100 system for 150 bucks. Partly cheating because I had spare parts laying around but hey. Even with IPS/IDS I get the full gigabit on a home network. You really don't need a lot. But as an organization it's better to go all the way for decent support, especially if your entire business is reliant on your infra.
Americans pronounce route and rout the same, for some reason. The fact that "a thing which routes" and "a thing which routs" are both spelled "router" further confuses things.
For your use case it's a great machine. For home use I would suggest the DEC695. Still expensive but it also has the same feature set as this one in the video, sure not as fast but it's still there.
@@alexatkin Also true, but I like supporting FOSS when I am able. In my case I would put the DEC695 behind a router since PPPoE isn't a multithreaded process.
You know what though, for the price if it's WORTH it for YOUR business network, it's a tax write-off here in the US so whatever. The cost of doing business and doing it securely and safely and knowing it's top quality open hardware. I love it.
I really wanted to like OPNsense but after a couple months I switched back to pfSense since opn is considerably lagging behind in features. I really hope they catch up in the future since both the UI and business practices are much preferable.
I am running a FortiGate at my house myself, a 60F. When you throw in the additional licenses and the fact that it is a true zone based firewall, it's hard to justify the OPNsense hardware in my opinion.
Plus OPNsense is quite inferior to pfSense in both speed and quality - I would never recommend that firewall to protect any business. Fortinet is really good, but their price hike since Covid-19 is getting out of hand now + their few recent major CVEs are making me and clients reconsider if I will remain with them or not.
@@Traumatree Fortinet shop here. Yep, their prices are insane now and I've been buying Netgate appliances the past three years. Eventually we may phase out Fortinet stuff in favor of pfSense.
@@Traumatree I went through CDW for mine, was expensive but seemed reasonable for full UTM for 3 years. As for their CVEs, they are all for SSLVPN, which is a feature I will never use through this firewall; I instead use a WireGuard VPN.
I'm sure Deciso is happy they sold at least two DEC4280s. I don't know what market this is for. If you want to run OPNsense you can buy some used enterprise hardware that will offer more benefits (like hot swappable PSUs, more RAM, more storage) and spend ~$1000 to match the feature set. They made it quiet but 99.99% of rackmount products are going into a datacenter where noise doesn't matter. Too expensive for a homelab but not built for the enterprise.
@@DarkAbyss9 To my knowledge, he never claimed to be a networking engineer, and LTT is catering to an audience who are not familiar with enterprise networking.
Those little flares on the inner edge of the fan ducts kinda look like a laminar flow nozzle, they must be doing something funky there to try and straighten out the airflow.
Always buy hot swap power supplies. It is one of the only computer parts that still breaks on occasion. I take care of a few racks, and in 10 years we have replaced 3 PSUs, and one server.
It seems quiet enough for a small business that just has something like 12U rack under a desk, or a smaller one wall mounted... but it would be a bit overkill for those places.
I am generally surprised that the power supplies are not hot swappable and there is no RAID with 2 drives for a device that is acting as both a firewall and main router. However, the expected redundancy seems to be that you have two of these devices or more connected. That will not be my preferred option for pricing but it's enterprise and I normally do SOHO. I do wish the test had been done with the full set of firewall rules, but there are channels dedicated to firewalls.
I'm surprised you guys don't have some EXFO test equipment, portable and lets you test all this networking equipment at a desk on video. Used them for years of testing when I was a lab tech, was just updated to 400G testing by the time I left ages ago.
Really nice firewall hardware. Looks really cool. That said, Jake continues to keep saying that OPNSense is "more up-to-date" than pfSense. pfSense is on a newer FreeBSD release (14) and OPNSense is on an older one (13.2). Not sure why he keeps saying this every video they make about OPNSense, because it's not true. I spend a fair bit of time supporting pfSense firewalls and I just don't understand why they keep repeating this over and over.
When he says "more up-to-date" he's talking about the speed of patches and updates made by OPNsense when compared to pfSense. From what I can tell, OPNsense patches are also backported from newer FreeBSD releases anyway. Bigger number doesn't automatically mean it's better in all ways. Not to say anything about the shadiness of Netgate and their business practices.
@@jakedhale pfSense is more cut down and has fewer things to patch. They also have patch manager to distribute patches without a new release. Having less frequent necessary updates on my router is a plus in my book.
@@jakedhale That isn't what Jake said. He said "I just like the fact that it's more up-to-date", directly comparing it to pfSense. He said nothing about update frequency. Nobody in the networking world wants to be installing patch releases 50-70 times a year. Unless there is a security vulnerability or serious bug, there shouldn't be that many patches. People who manage fleets with hundreds of devices are not going to want to be rebooting so often. By contrast, Netgate looks to release 2-3 major releases a year of pfSense Plus, which is pretty predictable, and a couple of point releases once in a while for bugs or vulnerabilities.
You seemed to have strong opinions regarding your choice of OPNsense over pfSense... Why? I have to make some purchase decisions at my small/medium sized business, and I had been thinking of using pfsense (possibly on my own hardware though). You should do a video (soon!) that covers the topic of those two versus each other...
FortiGates rip on throughput as long as it's something the ASICs support, but as soon as it gets punted to software it drops a fair bit, PPPoE is a really great example of this. What's the cost of updates like? Fortinet charge a chonk for the annual FortiCare/FortiGuard licence; depending on licence/bundle you get all the AV/IDS etc. updates but it builds up for the overall cost (got about 1600 of them in production and use a 40F on FTTP at home on my lab).
Stop using 30/40/60/80-F models to do SSL/TLS decryption and PPPoE and buy a real business oriented one. And at least FortiGate has ASICs to do some heavy lifting, while with OPNsense, everything needs to go through that general purpose CPU that will choke like the rest of them when it needs to decrypt packets.
OPNsense supports QAT for cryptographic acceleration, and the various NIC offloads. Business support is around 400-500 euro a year depending on what package you want.
What's the downside of 3D printed parts? All of the individual parts are not cheap + personal, etc. Everything they use is for non-structural reasons so I see no downside.
@@burnstick1380 They are substandard to injection molded parts and far more prone to breakage in high heat or high airflow environments. They are not substantially more cost effective at a large manufacturing scale to justify their use over injection molding or other methods of making plastics, are often more expensive to manufacture, and they often take longer to make and result in more waste than traditional methods of making plastic parts. Basically, it's a company trying to be hip and cool and they are wasting money and driving up their overhead and passing the cost along to you while giving you an inferior product.
At least with 3D printed parts, if the part breaks you don't have to rely on the company to have spares in a warehouse. Usually for custom parts like that you can pay an exorbitant amount because of the low demand.
Jake either brings shockingly cheap server hardware or gut-punchingly expensive. There is no in between.
And it's poorly spent every time. He could spend literally a bit more for a real firewall.
@@gamebrigada2 wdym it is a real firewall, it's literally a security appliance
@@spicybaguette7706 he's just a hater.
Ubiquiti is perfectly in-between which is why they are so popular among IT professionals.
"I can spend 3 hours talking about all the OPNSense features" - yes please
Going into a 3 hour deep dive would definitely be nice!
That would probably end up a Floatplane exclusive
LMAO this dude doesn't know the first thing about networking.
Do won't alone time for the bone you from opnsenes
And that would be brief I want a 6 hours video explaining everything
Wonder if it's relabeled stuff or proprietary...
@@mrmotofy For the PCB itself I don't know, but they put a lot of effort into custom cooling like 3D printed stuff.
You guys change backend equipment as much as I change underwear for my backend
Every few years?
@@SuperNGLP What, you change yours more often?
@YKSGuy it's a tax write off.
Yeah, it's a bit silly, but, they also get tax benefits, as well as videos out of it.
Seeing Jake with an M539 Restorations shirt is just awesome
LMAOOOOO I just saw that and I was, is that M539Resto? It's literally my next recommended video lol
Carbon fiber
Ya!!!
Jake is just THE networking guy now
He got bit by Ubiquiti and was never the same again.
Funded by his boss's tax write-offs - he is very powerful.
He knows his stuff, but please don't cable racks like LTT does :)
@@TheAlaskaAdam No he doesn't. Who the hell buys a router/firewall that has 150Gbps in connectivity and 20Gbps in capacity
@@gamebrigada2 If you're going to be a hater, at least get the facts right. I mean at least watch the video and actually listen
Could you do a video when integrating these into your network? Like going through everything from connecting everything and setting up afterwards
Really any OpnSense vid will show that
I am not a network guy. I only have basic knowledge of networking for the home. But I always get excited when Jake and Linus talk about this stuff.
Thanks for the mention guys, keep up the great work!
Fantastic t-shirt of one of the greatest car youtube channels
It is annoying when something *doesn't* use the superior torx bits.
Nice T-Shirt !! We love M539 too !
it's not just m539, it's @M539Restorations t-shirt. Very special to everyone that follows Sreten.
It's merch from YouTuber M539 Restorations
In business IT: Uptime counter === unsecure/obsolete software running for YEARS... good luck with that if you have an audit :)
UA-cam.com/@Level1Techs or UA-cam.com/@ShortCircuit can you dive into this more?
You guys should do a video sometime on exactly why OPNSense is better than PFSense. Or why you "prefer" it over PFSense, if you don't want to get into which one is "definitively better"...
Indeed. I've seen some people say they prefer pfSense because OPNSense updates TOO often and runs into upgrade issues due to that, whereas pfSense waits until there is a good reason to update and runs into fewer issues due to a longer testing period.
A big reason I'm still on pfSense though is having to port over my configuration would be a pain. Plus once you've learnt how the UI works it seems more of a chore to learn the difference than just stick with what you already know. I've not seen a compelling argument for why I should switch, more that OPNSense is easier if you don't already know how the pfSense UI works.
OPNsense is not better than pfSense. Having a nicer UI doesn't make it better or faster. It is much the reverse in reality.
@@alexatkin Those reasons are pretty much the reason I will not use OPNSense. I want a *very* stable network appliance, not the latest and greatest updates. I find pfSense to be extremely intuitive as well and have yet to have any issues with it *knock on wood*.
Best practice in the network world is to generally update only about once or twice a year anyway unless there's a serious vulnerability discovered in the OS running on the appliance. Other than that, you don't want to be disrupting your customers all the time just to upgrade for no really good reason.
@@AC-cg4be Updates once or twice a year? Please tell Fortinet to do that with their firewalls. Seems I have to update it almost every other week now. It's ridiculous. It's so bad now that the latest version can now update itself, which I do for branches. I set it to update itself after 7 days of its release to make sure it's stable.
Side note I've stopped buying Fortigates and started buying Netgate appliances instead. Fewer headaches.
PFSense treats their paying customers and community like garbage.
Decent product but trash company run by trash people.
I used to run OPNSense on a Core2Duo laptop; it was great to have the built-in battery (it was new). Using a Protectli now, highly recommended. Last router you'll need for 20+ years.
Yeah, until your ISP gives you fibre and 10 Gbit for the same price.
@@thescandalchannel They'll still give you a shitty modem and sometimes a router. Not sure how that's relevant anyways.
@@dro3m You need to change hardware if you want 10GbE. I have this case now. My OPNsense can do 2.5 Gbit but my line could do 10 Gbit. If I want to use it, I need to change hardware, and this after two years of use.
Great video!!! Love that the HW seems very well designed. I've had OPNsense running on my Sophos box for years now, love it.
Love the infrastructure content. I know it's a little more niche but I always love this type of content.
I would 100% subscribe to an enterprise or infrastructure centric channel.
I love opnsense, a 2012 MacBook makes a great free router, better than most consumer grade stuff, rock solid reliable and battery backed.
Been running opnsense for a few months and it's a network engineer's wet dream. From PPPoE to LTE to OVPN layer 2 bridges to physical ports, you can do a bunch of complicated stuff. But by far the best feature is the IPv6 subnet support. Been missing that on every other router... You can even delegate a subnet as a prefix to a down-the-line router. Amazing IPv6 experience! IPv4 works as well of course, you can even give v4 lower gateway priority so you get the IPv6 speed boost...
Speed boost because of ipv6 😂😂😂😂
@@Frugaltail More efficient routing, faster DNS lookup etc. It's just better
3:30 It's one of those cases where someone opens up the unknown and the insides look beautiful.
60 Gbps is a nonsense number that's derived from using a 1500 byte packet size for all packets at 5 million packets per second (which is the real number to be focusing on). At a more realistic 578 byte (IMIX average) packet size that's 23 Gbps. At line rate (64 byte packet size)? That's only 2.5 Gbps. And that's not even going into the absolutely abysmal threat prevention rate which takes packets per second down to 625 thousand. For something that costs $6,000+ one would expect better.
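As an added example (not part of the video or this comment), a small Python check of the arithmetic above: it converts a packets-per-second rate into Gbit/s for the frame sizes the comment uses, and goes one step further by computing line-rate frame counts that include Ethernet's fixed per-frame wire overhead (preamble, SFD and inter-frame gap), which is what "line rate" for 64-byte frames actually depends on.

```python
# Added example: packets-per-second to throughput, and line-rate frame counts.
# Not code from the video, Deciso or any commenter.

# Ethernet per-frame overhead that occupies link time but is not part of the
# frame: 7-byte preamble + 1-byte start-of-frame delimiter + 12-byte inter-frame gap.
ETHERNET_WIRE_OVERHEAD_BYTES = 20


def gbps_from_pps(pps: float, frame_bytes: int, on_wire: bool = False) -> float:
    """Throughput in Gbit/s for a fixed packet rate and frame size.

    With on_wire=True the 20 bytes of preamble/SFD/IFG are counted as well,
    giving the share of link capacity the traffic really consumes.
    """
    size = frame_bytes + (ETHERNET_WIRE_OVERHEAD_BYTES if on_wire else 0)
    return pps * size * 8 / 1e9


def line_rate_pps(link_gbps: float, frame_bytes: int) -> float:
    """Maximum frames per second a link of link_gbps can carry at frame_bytes."""
    bits_per_frame_on_wire = (frame_bytes + ETHERNET_WIRE_OVERHEAD_BYTES) * 8
    return link_gbps * 1e9 / bits_per_frame_on_wire


def throughput_table(pps: float, sizes=(1500, 578, 64)) -> dict:
    """Gbit/s (frame bytes only, as vendors usually quote) for each frame size."""
    return {size: round(gbps_from_pps(pps, size), 2) for size in sizes}


def link_utilisation(pps: float, link_gbps: float, frame_bytes: int) -> float:
    """Fraction of one link's line rate that pps represents at frame_bytes."""
    return pps / line_rate_pps(link_gbps, frame_bytes)


if __name__ == "__main__":
    # The comment's figures: 5 Mpps forwarding, 625 kpps with threat prevention.
    print(throughput_table(5e6))            # {1500: 60.0, 578: 23.12, 64: 2.56}
    print(throughput_table(625e3))          # {1500: 7.5, 578: 2.89, 64: 0.32}
    # How many 64-byte frames a single 25GbE port can actually deliver.
    print(round(line_rate_pps(25, 64)))     # 37202381
    # 5 Mpps of 64-byte frames keeps one 25GbE port only ~13% busy.
    print(round(link_utilisation(5e6, 25, 64), 3))  # 0.134
```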
Hi Jake, I like your T-shirt. Very happy to see cross-referencing going on like this... Also wanted to note that you got me into networking and servers, many thanks for that!
friction vibing is something different, Jake
Jake repping Sreten and M539 Restorations feels wholesome for some reason!
You won't find a better BMW-restoration channel anywhere!
Appreciate the M539 merch!
I just built myself a Sophos firewall. I used an old Dell OptiPlex with a dual Intel gigabit NIC. Got the hardware all for about $120. For home use, it's overkill. Sophos offers a free home version of their OS. It can do packet decryption and re-encryption (which breaks stuff but it's fun to play with).
The home-based version does limit you to a 4-core CPU and 6GB of RAM. Which is fine for home use. Probably fine for a small business, but the EULA likely states not to use it for a business environment.
I had been using the setup for a pfSense deployment, but I wanted something that did deep packet inspection. Mostly just to play with.
I use the SFOS XG line in a corporate environment, absolutely rock solid stable with all the tooling we need. Great kit.
I have little to no idea what's Heidi in this or any other video LMG but I love watching them. That's a testament to the entertainment value.
I love the M539 shirt!
I'm really impressed by the power of this device and the neatness of its hardware. Agreed, adding dual SSDs would make it more versatile. The price is a bit high, but for specialized use and considering the performance, it could be worth the investment for some businesses.
The one question that came up was about not installing a 2nd SSD. Network appliances almost always come in pairs, so in the event one fails, another is there to pick up the slack automatically. Instead of adding redundancy inside the device, you make the entire device redundant (Save for power, because power failures are some of the most common issues with data centers). Logs should be streamed to a local logging server, and configs need to be shipped off whenever a change occurs, so the data on the device is not an issue. This means, that if you ever need to service it, you can just power it down, let your network failover to another router, and then swap with one that has already been imaged, restore your configs, and it's back in service. If the drive fails, the entire device fails and the 2nd router will automatically pick up the traffic. Will a 2nd drive allow that failure to be delayed? Yes, but now you are running a router that is not at full capacity and on a degraded drive, not an ideal situation, but still, that would allow you to manage when to bring that device down instead of dealing with it right away. So there is value, but it adds complexity.
Maybe they will add one in the production build, but that also adds cost, so there are always trade-offs that you need to consider. At least there is a 2nd nvme slot to let the customer make the choice.
"less advanced shape than I was thinking" - simplicity often wins. Get deciso to send you (us) some sweet animations or extra screens of the computational fluid dynamics (CFD)
Oh neat, they're actually using the 10G Ethernet MACs built into the EPYC SoC. Those have been in EPYCs for a long time but I never saw anyone actually use them. Couldn't be sure if there was some problem with the hardware or if vendors just chose to use stuff from Intel et al. because they knew it would work.
I haven't looked into the datasheets for it, but I would assume that the dedicated Intel NICs have more fixed-function hardware onboard and can do a great deal of offloading tasks, freeing up CPU resources.
@@RobinCernyMitSuffix Yeah, I assume if someone uses the ports as a switch, they can just do that without going through the CPU. It's how a simple DSL router does it too when they have multiple ports.
For 6000€, you can get much better 1U rack servers... maybe they need a bit more power, but you can expand later with NICs (or other stuff), and you get proper long-term vendor support, and a proper iRMC/iLO/iDRAC/whatever BMC, to manage the server independently of the main OS.
I believe the 3D printed sections near the exhaust port are venturis to help with cooling.
I thought that too
Jake has grown up, really good vid! I like him much better showing his skills, instead of being a chill! 😉
Seems like a bad idea to reuse that thermal compound on an exposed-die CPU where adequate coverage is so important. Hope he at least spread it out. I don't see any obvious springs on those heatsink screws either, so that seems like an accident waiting to happen.
Yeah, uneven distribution on a bare die with no springs is asking for a cracked die.
This should have been on the main channel. I almost missed it
Pinching the airflow, then widening it and then pinching it again basically "combines" the pulses of airflow, as it comes in pulses from the fan blades. This makes the airflow much smoother after that smart inlet.
Really nice hardware layout. Rare to see something as well done as that.
Absolutely love opnsense. I was running an Arris SB8200 with a TP-Link AX1800 and started getting slower and slower speeds, to the point my Gb was now 400Mb. Had an old Xeon ThinkServer laying around, popped in a USB with opnsense on it, and I'm now getting my full speed, plus I'm able to have internet even if my access point dies. I also have a stable 32ms or less on every ping test, whereas before I'd have random 200+ms pings on ethernet and 400ms pings on WiFi. Was even able to snag a 2.5Gb switch with 10Gb SFP+ for $60, so now I have Gb internet and a 2.5Gb local network.
I switched to OPNSense on a Qotom Q750G5 and love it.
Nice.
Currently building a Micro N100 firewall with OPNsense for IRL livestreaming. Great timing. I could really use this 😅
I don't see how a brief review of a $6000 device is relevant to you building a $300 router.
4:10 The bottleneck shape on the fans is a venturi tunnel, which results in increased wind speed (venturi effect).
Looks well designed and pretty good looking (for a router!)
"its a router, it rips"
I see what you did there!
Bit of a stretch in other dialects, though!
Route and rout are different words with different meanings, spellings, and (outside of NA) pronunciations.
"A thing which routes" and "a thing which routs" both being spelled "router" is an awkward quirk of English.
Netgate 8300 is a better choice IMO. Actual hot swappable power supplies, true IPMI, higher throughput for firewall and VPN. Oh... and it's less expensive.
The price for this hardware is insane. Those CPUs are Zen 1 from 2018. I can build a faster 3rd gen Epyc firewall for a quarter of the price...
It's all about a silent system. The engineering behind that has a price.
I run OPNsense on a Chinese N100 system for 150 bucks. Partly cheating because I had spare parts laying around, but hey.
Even with IPS/IDS I get the full gigabit on a home network. You really don't need a lot. But as an organization it's better to go all the way for decent support especially if your entire business is reliant on your infra.
@@The_Cinder Exactly. The support is really important when things go down in a business.
"Route" for pronunciation refer to Bobby Troup "Route 66" and all subsequent covers of that song.
Americans pronounce route and rout the same, for some reason.
The fact that "a thing which routes" and "a thing which routs" are both spelled "router" further confuses things.
For your use case it's a great machine. For home use I would suggest the DEC695. Still expensive, but it also has the same feature set as this one in the video; sure, not as fast, but it's still there.
For home use an N100 off Aliexpress is more than enough.
@@alexatkin Also true, but I like supporting FOSS when I am able. In my case I would put the DEC695 behind a router since PPPoE isn't a multithreaded process.
So glad y'all corrected the included mini USB cable in the beginning. That could have been a disaster 😅
The thing that I like the most about these is their 60Gb throughput and SFP28 ports. I like that much more than just the SFP+ ports.
Pretty solid throughput. However the cost for what appears to be off the shelf components is pretty crazy. (Yes in a custom board)
You know what though, for the price if it's WORTH it for YOUR business network, it's a tax write-off here in the US so whatever. The cost of doing business and doing it securely and safely and knowing it's top quality open hardware. I love it.
the VHS sound was noticed. well done.
I really wanted to like OPNSense but after a couple months I switched back to PfSense since opn is considerably lagging behind in features. I really hope they catch up in the future since both the UI and business practices are much preferable.
I am running a FortiGate at my house myself, a 60F. When you throw in the additional licenses and the fact that it is a true zone-based firewall, it's hard to justify the opnsense hardware in my opinion.
Plus OPNsense is quite inferior to pfSense in both speed and quality - I would never recommend that firewall to protect any business. Fortinet is really good, but their price hike since Covid-19 is getting out of hand now + their few recent major CVEs are making me and clients reconsider if I will remain with them or not.
@@Traumatree Fortinet shop here. Yep, their prices are insane now and I've been buying Netgate appliances the past three years. Eventually we may phase out Fortinet stuff in favor of pfsense.
@@Traumatree I went through CDW for mine; it was expensive but seemed reasonable for full UTM for 3 years. As for their CVEs, they are all for SSLVPN, which is a feature I will never use through this firewall, and I instead use a WireGuard VPN.
The PSUs inside are actually somewhat normal lighting power supplies. They are INSANELY cheap and actually quite good
I'd love to see a video of why you prefer OPNsense to PFsense!
Seems like a good use of a sheet of graphene TIM.
I'm sure Deciso is happy they sold at least two DEC4280s. I don't know what market this is for. If you want to run OPNsense you can buy some used enterprise hardware that will offer more benefits (like hot swappable PSUs, more RAM, more storage) and spend ~$1000 to match the feature set.
They made it quiet but 99.99% of rackmount products are going into a datacenter where noise doesn't matter.
Too expensive for a homelab but not built for the enterprise.
And I thought my OPNsense box was overkill with a Ryzen 2200g and a couple of 2.5 NICs! It's fun to see the professional level version
How long until Jake has two DEC4280s in each rack?
With a cold spare just in case :)
5 weeks
I have something similar at home. Embedded Epyc 3451 on a Supermicro board. Noise level is about the same, but no 25Gb ports.. also running OPNsense.
I always enjoy these more technical deep dives!
I'm a hardware guy too, so Jake's networking reviews are great for me.
I am stunned how fast Jake is able to change his shirts...
Non-hotswap PSU is a deal breaker on a router for commercial use IMO...especially when they are $6k. Can buy a really nice SMB Palo for that.
16:24 I think the word you're looking for is what we old timers simply used to call "routing"
+1 for anything OPNSense
Do I understand anything Jake is saying in this video? No.
Do I still watch it coz for some reason it's interesting to me? Yes.
Jake and networking gear, name a more iconic duo 🥰
More up to date, except for the EOL libSSL in OPNsense, hope they fix that soon
In reference to the cooling, turbulence is actually beneficial for transferring heat away from a surface.
Every time Jake opens his mouth about networking, it makes me want to drive to Canada and give him a proper network education.
Underrated comment. To anybody who doesn't know networking he sounds like a genius.
Meanwhile real network engineers are cringing
@@DarkAbyss9 To my knowledge, he never claimed to be a networking engineer, and LTT is catering to an audience who are not familiar with enterprise networking.
@vFoxArts no but it certainly seems like he is doing just that at LTT.
This isn't enterprise networking, that's the point.
@@DarkAbyss9 Their network isn't overly complex to justify a real network engineer
@@vFoxArts Amateur night in networking?
You got me really excited with that programmable FlexOptix DAC cable, unfortunately the box to program the cable is like 1.5 grand.
Meh... :/
Around 500€ before taxes here for the newest version, 300€ (before tax) for the older one if you don't need QSFP-DD
Can't wait to see more Jake and networking stuff
I'd love to work with you Jake, the stuff you work with is exactly what I love!
I hate that I'm becoming a hybrid of Alex and Jake in terms of goofy ass electronics and networking projects. Thank you for the inspiration, I think?
Those little flares on the inner edge of the fan ducts kinda look like a laminar flow nozzle, they must be doing something funky there to try and straighten out the airflow.
Always buy hot swap power supplies. It is one of the only computer parts that still breaks on occasion. I take care of a few racks, and in 10 years we have replaced 3 PSUs and one server.
This would most likely be put in a data center or server room, where sound level is less of an issue. Looks like a good design!
It seems quiet enough for a small business that just has something like 12U rack under a desk, or a smaller one wall mounted... but it would be a bit overkill for those places.
I could watch a turbonerd edition of how to network
The closing of the throat at the end there may increase the velocity of the air, allowing for a lower fan speed.
I am generally surprised that the power supplies are not hot swappable and there is no RAID with 2 drives for a device that is acting as both a firewall and main router. However, the expected redundancy seems to be that you have two or more of these devices connected. That will not be my preferred option for pricing, but it's enterprise and I normally do SOHO. I do wish the tests had been done with the full set of firewall rules, but there are channels dedicated to firewalls.
bailiff, put this video in the networking playlist 👨⚖️
IDK if when Jake said "It RIPs" he meant that as a routing joke or just that it's fast. Maybe both. Either way, I dig it.
These are some of my favorite videos
I've seen worse ducts, e.g. in Supermicro. Back in the day it was horrible. These are actually good.
I'm surprised you guys don't have some EXFO test equipment, portable and lets you test all this networking equipment at a desk on video. Used them for years of testing when I was a lab tech; was just updated to 400G testing by the time I left ages ago.
6:27 I thought Jake missed out a good opportunity to plug the Honeywell PTM7950 on the store, but thankfully he did at 7:38
that was only on the NIC. He reused the crap that was already applied to the CPU. Why? I have no clue. He had the PTM right there the whole time
Really nice firewall hardware. Looks really cool.
That said, Jake continues to keep saying that OPNSense is "more up-to-date" than pfSense. pfSense is on a newer FreeBSD release (14) and OPNSense is on an older one (13.2). Not sure why he keeps saying this every video they make about OPNSense, because it's not true. I spend a fair bit of time supporting pfSense firewalls and I just don't understand why they keep repeating this over and over.
He means more regularly updated
He is not referring to the BSD version
When he says "more up-to-date" he's talking about the speed of patches and updates made by OPNsense when compared to pfSense. From what I can tell, OPNsense patches are also backported from newer FreeBSD releases anyway. Bigger Number doesn't automatically mean it's better in all ways.
Not to say anything about the shadiness of Netgate and their business practices.
@@jakedhale pfSense is more cut down and has fewer things to patch. They also have patch manager to distribute patches without a new release.
Having less frequent necessary updates on my router is a plus in my book.
@@jakedhale That isn't what Jake said. He said "I just like the fact that it's more up-to-date", directly comparing it to pfSense. He said nothing about update frequency.
Nobody in the networking world wants to be installing patch releases 50-70 times a year. Unless there is a security vulnerability or serious bug, there shouldn't be that many patches. People who manage fleets with hundreds of devices are not going to want to be rebooting so often.
By contrast, Netgate looks to release 2-3 major releases a year of pfSense Plus, which is pretty predictable, and a couple of point releases once in a while for bugs or vulnerabilities.
You seemed to have strong opinions regarding your choice of OPNsense over pfSense... Why? I have to make some purchase decisions at my small/medium sized business, and I had been thinking of using pfsense (possibly on my own hardware though). You should do a video (soon!) that covers the topic of those two versus each other...
FortiGates rip on throughput as long as it's something the ASICs support, but as soon as it gets punted to software it drops a fair bit; PPPoE is a really great example of this. What's the cost of updates like? Fortinet charge a chonk for the annual FortiCare/FortiGuard licence; depending on licence/bundle you get all the AV/IDS etc. updates, but it builds up for the overall cost (got about 1600 of them in production and use a 40F on FTTP at home on my lab)
Stop using 30/40/60/80-F models to do SSL/TLS decryption and PPPoE and buy a real business oriented one. And at least, Fortigate has ASICs to do some heavy lifting, while with OPNsense, everything needs to go through that general purpose CPU that will choke like the rest of them when it needs to decrypt packets.
OPNsense supports QAT for cryptographic acceleration, and the various NIC offloads. Business support is around 4-500 euro a year depending on what package you want.
love the OPNsense, very easy and comfortable.
At over $6,000 USD I don't want a single 3D printed part on it. Additive machining is for cheap stuff, not something that cost this much.
What's the downside of 3D printed parts? All of the individual parts are not cheap + personal, etc. Everything they use is for non-structural reasons so I see no downside.
@@burnstick1380 They are substandard to injection molded parts and far more prone to breakage in high heat or high airflow environments. They are not substantially more cost effective at a large manufacturing scale to justify their use over injection molding or other methods of making plastics, are often more expensive to manufacture, and they often take longer to make and result in more waste than traditional methods of making plastic parts.
Basically, it's a company trying to be hip and cool and they are wasting money and driving up their overhead and passing the cost along to you while giving you an inferior product.
Yeah, that is too bad.
At least with 3D printed parts, if the part breaks you don't have to rely on the company to have spares in a warehouse. Usually for custom parts like that you can pay an exorbitant amount because of the low demand.