Replacement or relocation of the firewall

This article is about moving or replacing the firewall, because even though the mini PCs are available in a variety of configurations, they all have one thing in common: delivery times are on average 2-3 weeks.

Introduction

A long time ago I reported in several parts about how I upgraded my network, so to speak, or rather separated it into different areas. The starting point was the KingNovy PC, which is equipped with the Intel N5105 CPU and a total of six 2.5 GBit network ports.

This mini PC has enough power to run an OPNSense firewall even in a Proxmox environment. And after a few attempts I separated my network into LAN, WLAN and DMZ and only operate the FritzBox 7590 as a WLAN point and as a client in the network.

It’s all running smoothly now, but when I imagine that this mini PC might give up and I would then have to go without internet and other things for 14 days to 3 weeks, that’s not a nice thought.

Replacing the firewall

I had already tried to build a replacement with the Glovary PC, but unfortunately this device was defective. But this attempt showed me how important a replacement is here, because these devices are available in every variation (CPU, number of ports, number of SSD and/or NVMe drives), but hardly any of these devices are in stock here in Europe (if you leave out the rather expensive Protectli).

To avoid this, I wanted to keep a second mini PC in reserve, so to speak, just in case the other PC fails. The idea behind it is to simply swap the SSD and it should work again. That would work, because these mini PCs hardly differ from each other. The differences are very minimal and sometimes you can also replace parts, such as SATA cables or the base plate.

The small differences

There are tons of firewall appliances with 5-6 Ethernet ports. I had already mentioned with the Glovary Firewall that I wanted a more powerful firewall but not one with an i3-N305. So I chose a HUNSN with an N100 CPU. Here too, the structure is practically the same:

Space for 1 SO-DIMM module DDR5 and for 2 NVMe and a SATA SSD. And when idle with 5 network ports occupied, I saw 12 W as the lowest value, which is very good when you consider that the performance is more than 30% higher than the N5105 CPU.

The small difference, however, comes from the PCI devices when you display them with lspci.

With the KingNovy firewall, the NVMe SSD is device 1 and then the 6 Ethernet ports are numbers 2-7. The new HUNSN firewall looks a little different:

Here, the Ethernet ports come first with numbers 1-5, then the NVMe SSD with number 6 and then another Ethernet port. Of course, I had to take that into account, especially since the first Ethernet port is passed directly to the OPNSense firewall as a PCI device. This can be done by making the appropriate adjustment in /etc/pve/qemu-server/100.conf. The different order of the Ethernet ports can be mapped in /etc/network/interfaces.

This also enabled the new firewall to boot up properly and I even wrote a small script that exchanges the two files.
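
A swap of this kind could look like the following sketch. It is an added example, not the author's script: the profile directory `/root/fw-profiles`, the profile names and the reading of "device 1" and "number 6" as PCI bus numbers 01 and 06 are assumptions.

```shell
#!/bin/sh
# Added example, not the author's script. PROFILE_DIR and its layout are hypothetical:
#   $PROFILE_DIR/<profile>/100.conf and $PROFILE_DIR/<profile>/interfaces
PROFILE_DIR="${PROFILE_DIR:-/root/fw-profiles}"
ROOT="${ROOT:-}"                 # empty on the real host, a scratch directory for a dry run
VM_CONF="etc/pve/qemu-server/100.conf"
NET_CONF="etc/network/interfaces"

# Read `lspci` output on stdin and print the bus number of the NVMe controller.
# Assumes the default lspci format without a PCI domain prefix.
nvme_bus() {
    awk '/Non-Volatile memory controller/ { split($1, a, ":"); print a[1]; exit }'
}

# Map the NVMe bus number to a profile (assumption: 01 = KingNovy, 06 = HUNSN).
profile_for_bus() {
    case "$1" in
        01) echo kingnovy ;;
        06) echo hunsn ;;
        *)  return 1 ;;
    esac
}

# Install both files of a profile; the files they replace go to $PROFILE_DIR/previous.
apply_profile() {
    src="$PROFILE_DIR/$1"
    # Touch nothing unless the profile is complete, so the host never gets a mixed pair.
    [ -n "$1" ] && [ -s "$src/100.conf" ] && [ -s "$src/interfaces" ] || {
        echo "profile '$1' is incomplete in $PROFILE_DIR" >&2; return 1; }
    for pair in "100.conf:$VM_CONF" "interfaces:$NET_CONF"; do
        name="${pair%%:*}"; to="$ROOT/${pair#*:}"
        if [ -e "$to" ]; then
            cmp -s "$src/$name" "$to" && continue      # already in place
            mkdir -p "$PROFILE_DIR/previous" || return 1
            cp "$to" "$PROFILE_DIR/previous/$name" || return 1
        fi
        cp "$src/$name" "$to" || return 1
    done
    return 0
}

# Pick the profile that matches the hardware this disk is currently booted on.
swap_for_this_host() {
    apply_profile "$(profile_for_bus "$(lspci | nvme_bus)")"
}
```

Setting `ROOT` to a scratch directory lets the swap be rehearsed without touching the live `/etc/pve` and `/etc/network` files.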

The small problem

I thought at first that I had found a very good replacement for the KingNovy, but unfortunately a problem arose here:

I partially monitored the functions of the firewall (good thing there is the small Azorpa monitor) and reproducibly after each backup to the Proxmox backup server, the ETH1 connection, which is connected to my LAN, was no longer available. The rest still worked, both the Internet and WiFi were available.

Since I didn’t feel like getting to the bottom of it (among other things because the return period at Amazon is now only 14 days), I decided to return it.

Conclusion

The HUNSN firewall is well equipped and also a power-saving device and at a price of €200 as a barebone it is quite cheap. In terms of performance, the small mini PC was also more than sufficient to run other LXC containers and VMs in addition to Proxmox and OPNSense.

ciao tuxoche
