Our BIG network upgrade! - OPNsense DEC4280
Вставка
- Опубліковано 15 тра 2024
- Monitor your systems from anywhere using Pulseway at: lmg.gg/LTT23
We've got to support and secure a LOT of devices on our office network which can be a challenge for even the beefiest routers and firewalls. Today Jake is showing off one of the TWO new OPNsense DEC4280s we got to show off why this expensive piece of open-source equipment is worth it for us.
OPNsense overview videos to check out:
• Beginner's Guide to Se...
• Ultimate Beginner's Gu...
• OPNSense - a powerful,...
Check out the OPNsense DEC4280 Rack Security Appliance: lmg.gg/gXMxD
Purchases made through some store links may provide some compensation to Linus Media Group.
Want us to unbox something? Make a suggestion at lmg.gg/7s34e
► GET MERCH: lttstore.com
► GET EXCLUSIVE CONTENT ON FLOATPLANE: lmg.gg/lttfloatplane
► SPONSORS, AFFILIATES, AND PARTNERS: lmg.gg/partners
► PRODUCTS WE USE ON THE SHORTCIRCUIT SET: lmg.gg/scset
FOLLOW US ELSEWHERE
---------------------------------------------------
Twitter: / shrtcrctyt
Instagram: / shortcircuityt
TikTok: / linustech
Facebook: / shortcircuityt
CHAPTERS
---------------------------------------------------
0:00 A very special brown box
0:37 Unboxing and port walkthrough
2:07 Taking a look at the insides
8:35 Sponsor - Pulseway
8:56 Finishing reassembly
9:44 Setting everything up and dashboard walkthrough
14:10 Programming cables and running tests
17:10 Overall thoughts and pricing
17:58 Outro - Наука та технологія
"I can spend 3 hours talking about all the OPNSense features" - yes please
Going into a 3 hour deep dive would definetly be nice!
That would probably end up a floatplane exclusive
LMAO this dude don't know first thing about networking.
Do won't alone time for the bone you from opnsenes
And that would be brief I want a 6 hours video explaining everything
Jake either brings shockingly cheap server hardware or gut punching expensive. There is no in between.
And it's poorly spent every time. He could spend literally a bit more for a real firewall.
@@gamebrigada2wdym it is a real firewall, it's literally a security appliance
@@spicybaguette7706 he's just a hater.
@@spicybaguette7706 it shows clearly how many people in the comments do not understand what the hardware is. This shouldn't be on ShortCircuit to be honest. They need a dedicated enterprise hardware channel. It's just a bunch of consumers here bocking at the prices. This device is for an enterprise/business, it's not really for home use. There's other solutions for this on aliexpress with 10g and 25g sfp+ ports for a fraction of the cost.
Ubiquiti is perfectly in-between which is why they are so popular among IT professionals.
You guys change backend equipment as much as I change underwear for my backend
Every few years?
@@SuperNGLPwhat, you change yours more often?
@@SuperNGLP every time they catch fire due to lack of monitoring, cooling, care and they keep upgrading their internet line to unnecessarily fast connections.
@YKSGuy it's a tax write off.
Yeah, it's a bit silly, but, they also get tax benefits, as well as videos out of it.
i work as an it professional and installed similar deciso hardware in different customer scenarios. every unit works like a charm to this day. i really like opnsense, so simple to setup everything and rock solid. cheers
Wonder if it's relabeled stuff or proprietary...
@@mrmotofy for the pcb itself i dont know. but they put a lot of efford into custom cooling like 3d printed stuff
As someone who works with rack mount HW all day every day, redundant PSU's are not helpful if they are not hot swappable. If one fails the unit has to be taken out of service for an extended period in order to replace the bad one. That isn't something you're going to do on the floor, too loud etc., so all a redundant PSU does is delay when the outage occurs.
It does give you the option of putting the outage into a designated maintenance time frame.
For example, I would assume LMG doesn't really need their firewall Saturday 3am.
non-hotswap PSU devices should then be deployed in pairs, or in a HA situation - this allows the devices to keep running - even tho with 1 failed PSU. Once the fault it identified, you should either fail over to redundant device, or schedule a downtime window to replace faulty component.
@@netrixtardis Which is exactly what Jake said they are doing.
for what it's worth, for the small business sort of customer a device like this is aimed at, it doesn't seem like a big deal to schedule 15 minutes of down time, after the 2 or 3 days it will take to have a new PSU shipped out to you. No one is keeping spares on the shelf for this.
Technically, they are hot swappable. If you leave all cables long enough to take the unit out of the rack and risk electrocuting yourself, you can pull it off.
Having two PSU lets you connect it to two different power sources. Which you don't get to do with just one.
But you are right, it's wayyy more convenient to just pull the defective PSU and load a new one.
A dead PSU is not that kind of problem. OPNsense is build with HA in its base.
If one unit fails, the second will take over all services, until the problems with the first unit is solved. This goes back to the roots, inside PFSense.
I thought it took me the whole video to realize Jake was wearing an M539 Restorations shirt but he switched right at the end 😂 If anyone reading this is into BMW's or just cars in general it is one of the best automotive youtube channels by far!
Streten just started a new series about some solid maserati quadroporte GTS he bought for 18k€ it is sooo awesome to watch him work on that stuff. That is some nice support from Jake here!
@@dermozart80 Agreed the Maserati content is a nice change from the normal BMW wrenching he does but honestly I could watch Sreten restore a bicycle and be just as equally entertained 🤣
Seeing Jake with a M539Restauration shirt is just awsome
LMAOOOOO i just saw that and i was, is that m539Resto? its literally my next recommended video lol
Carbon fiber
Came here to say the same thing.
Ya!!!
Jake is just THE networking guy now
He got bit by UbiquitI and was never the same again.
Funded by his bosses tax write offs - he is very powerful.
He knows his stuff, but please dont cable racks like LTT does :)
@@TheAlaskaAdamno he doesn't. Who the hell buys a router/firewall that has 150gbps in connectivity and 20gbps in capacity
@@gamebrigada2 DEC4280 is 60Gbps total firewall throughput with 21Gbps port-to-port at a time, where the fastest port is 25Gbps at the physical level. Even said that in the video. Idk where you got the 20Gbps number...
@@gamebrigada2 If you're going to be a hater, at least get the facts right. I mean at least watch the video and actually listen
Thanks for the mention guys, keep up the great work!
Great video!!! Love that HW seems very well designed, i had OPNsense running on my Sophos box for years now, love it.
Could you do a video when integrating these into your network? Like going through everything from connecting everything and setting up afterwards
Really any OpnSense vid will show that
Nice T-Shirt !! We love M539 too !
it's not just m539, it's @M539Restorations t-shirt. Very special to everyone that follows Sreten.
It's merch from UA-camr M539 Restaurations
You guys should do a video sometime on exactly why OPNSense is better than PFSense. Or why you "prefer" it over PFSense, if you don't want to get into which one is "definitively better"...
Indeed. I've seen some people say they prefer pfSense because OPNSense updates TOO often and runs into upgrade issues due to that, whereas pfSense wait until there is a good reason to update and run into less issues due to a longer testing period.
A big reason I'm still on pfSense though is having to port over my configuration would be a pain. Plus once you've learnt how the UI works it seems more of a chore to learn the difference than just stick with what you already know. I've not seen a compelling argument for why I should switch, more that OPNSense is easier if you don't already know how the pfSense UI works.
OPNsense is not better than pfSense. Having a nicer UI doesn't make it better or faster. It is much the reverse in reality.
@@alexatkin Those reasons are pretty much the reason I will not use OPNSense. I want a *very* stable network appliance, not the latest and greatest updates. I find pfSense to be extremely intuitive as well and have yet to have any issues with it *knock on wood*.
Best practice in the network world is to generally update only about once or twice a year anyway unless there's a serious vulnerability discovered in the OS running on the appliance. Other than that, you don't want to be disrupting your customers all the time just to upgrade for no really good reason.
@@AC-cg4be Updates once or twice a year? Please tell Fortinet to do that with their firewalls. Seems I have to update it almost every other week now. It's ridiculous. It's so bad now that the latest version can now update itself which I do for branches. I set it to update itself after 7 days of it's release to make sure it's stable.
Side note I've stopped buying Fortigates and started buying Netgate appliances instead. Fewer headaches.
PFSense treats their paying customers and community like garbage.
Decent product but trash company run by trash people.
Fantastic t-shirt of one of the greatest car youtube channels
I have little to no idea what's Heidi in this or any other video LMG but I love watching them. That's a testament to the entertainment value.
I am not a network guy. i only have basic knowledge of networking for the home. But i always get excited when jake and linus talks about this stuff.
I used to OPNSense on a Core2Duo laptop, was great to have the built in battery (was new). Using a ProtectLi now, highly recommended. Last router you'll need for 20+ years.
love OPNsense. I switched from pfSense VMs to a pfSense dedicated old desktop and finally to an open-source-BIOS / OPNSense based miniPC. It's the best of both worlds, small power usage like a traditional router, but completely configurable (and I got 2.5G ports for future upgrading my 1G setup)
EPYC Embedded 3451 uses the same dies (essentially 2x Ryzen 7 1700) as Zen 1 Ryzen and Zen 1 standard EPYC's. All of them have 10Gbit on die but it's rarely exposed (this being an obvious exception).
UA-cam.com/@Level1Techs or UA-cam.com/@ShortCircuit can you dive into this more?
Looks well designed and pretty good looking (for a router!)
Hi Jake, I like your T-thirt. Very happy to see cross-referencing going on like this... Also wanted to note that you got me into networking and servers, many thanks for that!
3:30 It's one of those cases where someone opens up the unknown and the insides look beautiful.
Can't wait to see more Jake and networking stuff
I always enjoy these more technical deep dives!
"Route" for pronunciation refer to Bobby Troup "Route 66" and all subsequent covers of that song.
Love the infrastructure content. I know its a little more niche but I always love this type of content.
I would 100% subscribe to a enterprise or infrastructure centric channel.
Big fan of the customization devices like these offer as routers. I've been using pfSense on a mini PC for a few years now and it's been wonderful. It's quite refreshing to finally experience something so reliable that it has multiple years on the uptime counter.
In business IT: Uptime counter === unsecure/obsolete software running for YEARS... good luck with that if you have an audit :)
@@EFazy It’s not at a business so I don’t have to worry about any dumb policies. I’ve never heard about anything that would impact pfSense’s efficacy as a firewall on a secure network, so what do I care?
These are some of my favorite videos
Absolutely love opnsense, running an arris sb8200 with tplink ax1800, started getting slower and slower speeds to the point my gb was now 400mb, had an old xeon thinkserver laying around, popped a usb with opnsense on it and I'm now getting my full speed plus able to have internet even if my access point dies, also have stable 32ms or less on every ping test where as before I'd have random 200+ms pings on ethernet and 400ms pings on wifi. Was even able to snag a 2.5gb switch with 10gb sfp+ for $60 so now i have Gb internet and 2.5gb local network
Jake repping Sreten and M539 Restorations feels wholesome for some reason!
You won't find a better BMW-restoration channel anywhere!
I'd love to work with you Jake, the stuff you work with is exactly what I love!
Really nice hardware layout. Rare you see something well-done as that.
Brooo I needed this video!
Appreciate the M539 merch!
I have something similar at home. Embedded Epyc 3451 on a Supermicro board. Noise level is about the same, but no 25Gb ports.. also running OPNsense.
So glad yall corrected the included mini usb cable in the beginning. That could have been a disaster 😅
friction vibing is something different, Jake
Jake has grown up, really good vid! I like him much better showing his skills, instead of being a chill! 😉
the VHS sound was noticed. well done.
Ive been using OPNsense for a couple years. Its great. Stability at levels consumer units dream of.
This video must be a could months old. I didn't see the updated kea DHCP options.
I love the M539 shirt!
This should have been on the main channel. I almost missed it
I love opnsense, a 2012 Macbook makes a great free router, berter than most consumer grade stuff, rock solid reliable and battery backed.
The thing that i like the most about these are their 60gb throughput and SFP28 ports. I like that much more than just the SFP+ ports.
I switched to OPNSense on a Qotom Q750G5 and love it.
Nice.
The one question that came up was about not installing a 2nd SSD. Network appliances almost always come in pairs, so in the event one fails, another is there to pick up the slack automatically. Instead of adding redundancy inside the device, you make the entire device redundant (Save for power, because power failures are some of the most common issues with data centers). Logs should be streamed to a local logging server, and configs need to be shipped off whenever a change occurs, so the data on the device is not an issue. This means, that if you ever need to service it, you can just power it down, let your network failover to another router, and then swap with one that has already been imaged, restore your configs, and it's back in service. If the drive fails, the entire device fails and the 2nd router will automatically pick up the traffic. Will a 2nd drive allow that failure to be delayed? Yes, but now you are running a router that is not at full capacity and on a degraded drive, not an ideal situation, but still, that would allow you to manage when to bring that device down instead of dealing with it right away. So there is value, but it adds complexity.
Maybe they will add one in the production build, but that also adds cost, so there are always trade-offs that you need to consider. At least there is a 2nd nvme slot to let the customer make the choice.
Jake looks fresh, good presentation!
4:10 the bottle neck shape on the fans in a venturi tunnel which results in increased wind speed (venturi effect)
Those little flares on the inner edge of the fan ducts kinda look like a laminar flow nozzle, they must be doing something funky there to try and straighten out the airflow.
I just built myself a Sophos firewall, I used an old dell optiplex with a dual intel gigabit NIC. Got the hardware all for about $120. For home use, its overkill. Sophos offers a free home version of their OS. It can do packet decryption and re-encryption (which breaks stuff but its fun to play with).
The home based version does limit to you a 4 core CPU and 6GB of RAM. Which is fine for home use. Probably fine for a small business but the EULA likely states not to use it for a business environment.
I had been using the setup for a PfSense deployment, but I wanted something that did deep packet inspection. Mostly just to play with.
I use the SFOS XG line in a corporate environment, absolutely rock solid stable with all the tooling we need. Great kit.
"its a router, it rips"
I see what you did there!
For your use case its a great machine. For home use i would suggest the dec695. Still expensive but also has the same feature set as this one in the video, sure not as fast but its still there.
For home use an N100 off Aliexpress is more than enough.
@@alexatkin also true, but i like supporting FOSS when i am able. In my case i would but the dec695 behind a router since PPPoE isnt multithread process.
"less advanced shape than I was thinking" - simplicity often wins. Get deciso to send you (us) some sweet animations or extra screens of the computational fluid dynamics (CFD)
Jake and networking gear, name a more iconic duo 🥰
Love LTT folks touching data center stuff. But this thing is missing a few things.
1. Hot swap psu is a must.
2. Hot swap raid1 hw/sw storage is a must
3. Ports designed / additional ports for LAG or H/A - failover. So when running active/active or active/passive has that communication. Yea you could always trunk and use others for similar features but better to have dedicated ports
I thought this too. At the very least, 2x 256gb SSD/NVME would of been more cost effective unless you would need 512? I personally don't see the need.
The Dual PSU but not hot swappable makes the dual PSU pointless almost? As you would likely need to shut down to replace it.
6K for something really only worth 1.2k feels a little 👀👀👀👀👀
Been running opnsense for a few months and it's a network engineers wet dream. From PPPoE to LTE to OVPN layer 2 bridges to physical ports you can do a bunch of complicated stuff. But by far the best feature is the ipv6 subnet support. Been missing that on every other router... You can even delegate a subnet as a prefix to a down the line router. Amazing IPv6 experience! IPv4 works aswell of course, you can even give v4 lower gateway priority so you get the ipv6 speed boost...
Speed boost because of ipv6 😂😂😂😂
@@Frugaltail more efficient Routing, faster dns lookup etc. Its just better
love the OPNsense, very easy and comfortable.
I believe the 3D printed section near the exhaust port are venturies to help with cooling.
I thought that too
Currently building a Micro N100 Firewall with OPNsense for IRL livestreaming. Great timing. i could really use this 😅
I don't see how a brief review of a $6000 device is relevant to you building a $300 router.
Been running opensense on a 1u dq77kb for years now, threw on a x550t2 for 10gbe
im a hardware guy too so Jake's networking reviews are great for me.
Ayyy, my new home server is also rocking a 7402P
The closing of the throat at the end there may increase the velocity of the air, alowing for a lower fan speed.
I'm really impressed by the power of this device and the neatness of its hardware. Agreed, adding dual SSDs would make it more versatile. The price is a bit high, but for specialized use and considering the performance, it could be worth the investment for some businesses.
I am generally surprised of that The power supplies are not hot swappable and there is no raid with 2 drives for device that is acting as both a firewall and main router. However, the expected redundancy seems to be that you have two of these devices or more connected. That will not be my preferred option for pricing but it's Enterprise and I normally do SOHO. I do wish the test have been done with the full set of firewall rules but there are channels dedicated to firewalls.
Pinching the airflow, then widening it and then pinching it again basically "combines" the pulses of airflow, as it is put comes in pulses from the fanblades. This makes the airflow much smoother after that smart inlet.
And I thought my OPNsense box was overkill with a Ryzen 2200g and a couple of 2.5 NICs! It's fun to see the professional level version
I hate that I'm becoming a hybrid of Alex and Jake in terms of goofy ass electronics and networking projects. Thank you for the inspiration, I think?
I'm surprised you guys don't have some exfo test equipment, portable and lets you test all these networking equipment at a desk on video. Used them for years of testing, when i was a lab tech, was juat uodated to 400g testing by the time i left ages ago.
Networking stuff and a car shirt means I'm sold
@15:27 “caaahhhmming up! An expensive German engineered router”
infront the fan maybe de Laval nozzle ? make the airflow speed faster
Oh neat, they're actually using the 10G Ethernet MACs built into the EPYC SoC. Those have been in EPYCs for a long time but I never saw anyone actually use them. Couldn't be sure if there was some problem with the hardware or if vendors just chose to use stuff from Intel et. al. because they knew it would work.
I haven't looked in to the datasheets for it, but I would assume that the dedicated intel NiCs have more fixed function hardware onboard and can do a great deal of offloading tasks, freeing up CPU ressources.
@@RobinCernyMitSuffix yeah, I assume if someone uses the ports are a switch, they can just do that without going through the CPU. It's how a simple DSL-router does it too when they have multiple ports.
I would love to hear more about the FLEXBOX!
seems like a good use sheet of graphene TIM.
I really wanted to like OPNSense but after a couple months I switched back to PfSense since opn is considerably lagging behind in features. I really hope they catch up in the future since both the UI and business practices are much preferable.
Warranty void stickers are actually illegal in the US. Magnuson-Moss Warranty Act 1975.
they aren't illegal, just unenforceable. they still put them on since there are no repercussions and they are counting on scaring people who don't know any better.
Considering they are in Canada
@@gaffcain doesnt really matter when the company is american
+1 for anything OPNSense
The PSUs inside are actually somewhat normal Lighting power supplies. They are INSANELY cheap and actually quite good
More up to date, except for the EOL libSSL in OPNsense, hope they fix that soon
De Cisco 😅
Pretty solid throughput. However the cost for what appears to be off the shelf components is pretty crazy. (Yes in a custom board)
extra points for the M539 tee shirt
The price for this hardware is insane. Those CPUs are Zen 1 from 2018. I can build a faster 3rd gen Epyc firewall for a quarter of the price...
It's all about silence system. The engineering behind that has a price.
I run OPNsense on a chinese N100 system for 150 bucks. Partly cheating because I had spare parts laying around but hey.
Even with IPS/IDS I get the full gigabit on a home network. You really don't need a lot. But as an organization it's better to go all the way for decent support especially if your entire business is reliant on your infra.
Exactly The support is really important when things go down in a bussinuss.@@The_Cinder
In reference to the cooling, turbulence is actually beneficial for transferring heat away from a surface.
Cool, maybe you could do a review for a home solution like the Firewalla
this little form factor packing this much power ? daaayum
I actually have a minisform ms-01 and tried doing opnsense on that but the problem is they do not support wake on lan or power on after power loss so if you lose power it's dead till you turn it back on manually. Really saddened me and I had to swap off it even though it worked well
It's interesting. Although I prefer netgates approach to their hardware, as it's more modular. Definetely want to add a OPNsense instance on my test lab at work though heard is that bit better than pfsense.
The only benefits I'm aware of is the UI is easier and updates are more frequent. If you already know the pfSense UI the first is irrelevant, and the second can be a negative too as more updates means more chances of problems. Seen a few people say they prefer pfSense as its less prone to glitches from updates due to the longer period between releases.
Could you do comparisons to other Firewall manufacturers, like the SonicWall NSa 6700?
"This is my test bench!" Has an Epyc in it... Wow!
I'm honestly surprised this was put on short circuit, won't get the reach or love it would do as an expanded ltt video. Maybe ltt could do with a network specific channel but would like to see this when deployed (if it is due to be deployed at lmg)
always buy hot swap power supplies. It is one of the only computer parts that still breaks on occasion. I take care of a few racks, and in 10 years we have replaced 3 PSU's. and one server.
How is the support for at product like this? with 25 gigabit it looked like it might be able to handle east west traffic and I really want that.
This is so weird, I've just been setting up an OPNsense firewall today. Granted mine is a hacked together miniPC, but still :D
For cooling don't you want turbulent flow rather then smooth?
You got me really excited with that programmable flexoptix DAC cable, unfortunately the box to program the cable is like 1,5 grand.
Meh... :/
Around 500€ before taxes here for the newest version, 300€ (before tax) for the older one if don't need qsfp-dd
You should do a video on luminex networking kit, you wont ever see it in IT but its massively popular in concert production.
Was hoping for a Fortigate
Fortigates are expensive but damn are they hard to beat
i'm starting to really want to make my own server rack, since i just finished my education i really have got the love for networking, but at my school we only used Cisco gear but they were old gen so i mainly have experience with cisco but id really like to just try other companies so i can about them and how they work :)
Switching:
Brocade, Junpier: Cisco clones.. almost identical configuration system, only small changes, just to cannot copy-paste
HP: They reinvented the wheel in this regard :/