Home Network – Router

My home network is one that I have set up to provide as much security as possible for the least amount of money. My home internet connection is a 500/200Mbps FTTP NBN connection with Aussie Broadband. To meet both goals, least cost and as secure as possible, I needed to look at one of the open-source router software packages with security features such as an Intrusion Prevention System, a stateful firewall, advanced DNS filtering, and a solid track record of updates.

The two options I explored in depth were pfSense and OPNsense; ultimately I chose OPNsense. Before using these types of routers at home, I had used basic systems from my telco, Ubiquiti EdgeRouters, and low-end TP-Link routers. This was a step up in that I needed to find a suitable compute device to run the router OS. My requirements were simple: a dual-NIC device in a small package, to allow a direct replacement of the existing router.

I had a Zimaboard on hand that fit the requirements well (at the time, I had a 100/40 FTTC connection). Setup of the OS was straightforward, and the initial configuration was easy with the built-in wizard.

Zimaboard 432 with dual Realtek 8111H NICs

The internet was flowing, and I was getting the speeds the ISP provided. Now it was time to start layering in the security-specific functions. The first was to open a few ports pointed at a proxy service in my network to facilitate Home Assistant, Emoncms, and other services (and not installing the Universal Plug and Play extension). The second was my first deployment of the Intrusion Detection package, and activating the various rule sets.

As this was primarily a home network, there were services and devices on my network that I was certain the Intrusion Prevention System (IPS) would block. So instead of enabling all rules at once, I enabled a set of 5 at a time, and every day I reviewed what was blocked, what was allowed, and what in the network broke. Over the course of 2 weeks, I had enabled the entire rule set and tweaked some specific rules to allow some websites to operate (false positives).
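The daily "what was blocked, what was allowed, what broke" review described above can be scripted. The following is an added example, not code from this post or from OPNsense: it assumes OPNsense's IPS is Suricata-based and that alerts are read from Suricata's eve.json log (the log path is assumed; the sample records, sids and signature names below are constructed), then groups alerts by rule, separates blocked from allowed, and highlights rules that blocked traffic originating from a LAN host, since those are the likely false positives.

```python
import json
from collections import defaultdict

# Constructed sample eve.json lines (not from the post). Field names follow
# Suricata's alert event format; the sids and signature names are placeholders.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2024-05-01T08:00:01+1000","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.168.1.10","alert":{"action":"blocked","signature_id":1000001,"signature":"EXAMPLE inbound scan","category":"Scan"}}',
    '{"timestamp":"2024-05-01T09:12:44+1000","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"198.51.100.7","alert":{"action":"blocked","signature_id":1000002,"signature":"EXAMPLE outbound policy","category":"Policy"}}',
    '{"timestamp":"2024-05-01T09:13:02+1000","event_type":"alert","src_ip":"192.168.1.21","dest_ip":"198.51.100.7","alert":{"action":"blocked","signature_id":1000002,"signature":"EXAMPLE outbound policy","category":"Policy"}}',
    '{"timestamp":"2024-05-01T10:30:00+1000","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"198.51.100.9","alert":{"action":"allowed","signature_id":1000003,"signature":"EXAMPLE informational","category":"Info"}}',
    '{"timestamp":"2024-05-01T10:31:00+1000","event_type":"flow","src_ip":"192.168.1.20","dest_ip":"198.51.100.9"}',
    '{"timestamp":"2024-05-01T12:00',  # truncated line, as seen when tailing a live log
])


def summarise_alerts(lines, lan_prefix="192.168.1."):
    """Group alert events by rule, count blocked vs allowed, and record which
    LAN hosts were the source of a blocked flow (the 'what broke' candidates)."""
    stats = defaultdict(lambda: {"blocked": 0, "allowed": 0, "lan_sources": set()})
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip a partial line rather than abort the whole review
        if ev.get("event_type") != "alert":
            continue  # flow/dns/http events are not part of this review
        a = ev["alert"]
        key = (a["signature_id"], a["signature"])
        action = "blocked" if a.get("action") == "blocked" else "allowed"
        stats[key][action] += 1
        if action == "blocked" and ev.get("src_ip", "").startswith(lan_prefix):
            stats[key]["lan_sources"].add(ev["src_ip"])
    rows = [{"sid": sid, "signature": sig, "blocked": s["blocked"],
             "allowed": s["allowed"], "lan_sources": sorted(s["lan_sources"])}
            for (sid, sig), s in stats.items()]
    # Most-blocking rules first so the noisiest candidates are reviewed first.
    return sorted(rows, key=lambda r: (-r["blocked"], r["sid"]))


if __name__ == "__main__":
    for r in summarise_alerts(SAMPLE_EVE.splitlines()):
        flag = "  <- LAN host affected, check for false positive" if r["lan_sources"] else ""
        print(f'{r["sid"]:>8} blocked={r["blocked"]:<3} allowed={r["allowed"]:<3} {r["signature"]}{flag}')
```

On a live router, replace SAMPLE_EVE.splitlines() with the lines of the eve.json file for the day being reviewed, and adjust lan_prefix to the LAN subnet.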

Once the entire rule set was enabled, my throughput plummeted. I now needed to figure out whether there were dials, switches, or options to give me some performance back. Briefly, the tweaks I made were:

  • Install the NIC drivers.
  • Change the IPS pattern matcher to Hyperscan.
  • Set up firewall shaper rules.

With these tweaks, I was back to my 100/40 speeds, and could see that both RAM usage and CPU usage were down.

A few weeks later, I got an upgrade to FTTP, and I bumped my plan up to 250/100. At these speeds, I was still getting full throughput, but the CPU was noticeably hitting 100% utilisation more regularly. About a year and a bit later, my ISP dropped the price of the 500/200 plan, which I jumped onto. Now the Zimaboard could no longer give me the full throughput with the IPS enabled. My speeds through the router did increase, to 325/185, but this was shy of the capacity the ISP could give me. I researched and did not find any additional dials, switches, or options that I could tweak to give me more performance.

I decided that if I was going to upgrade, I needed to upgrade to something that would give me the full throughput, with overhead for additional capacity in the future. I decided to purchase a Minisforum device: an i7-13620H, with 32GB RAM and dual Intel 2.5Gbps NICs.

One of the most incredible parts was how easy it was to transfer from the Zimaboard to the Minisforum device: I simply took a backup and restored it to the Minisforum device. There was a small task in setting the interfaces correctly and downloading the various plugins, but it all worked!

Traffic graph from the OPNsense dashboard showing the transfer during a speed test: LAN outbound (download) at 555.20Mbps and WAN outbound (upload) at 210.68Mbps, achieving the speeds of the 500/200 ISP plan.

With little else, I now had my new router giving me the full speeds that my ISP offered.