More and more internet providers offer speeds of 10 gigabits or even higher, and mainboard manufacturers have also reached the point where they are installing 10-gigabit network connections. If you are thinking of upgrading your home network to 10 gigabits, including a firewall, but don’t want to spend much money, this article is just right for you.
I explain which components I have used for my self-built firewall, which points to consider when selecting network cables, and which switches are reasonably priced for 10-gigabit cabling.
Disclaimer: This article is not sponsored by any manufacturer or online store mentioned. It is intended as a guide, with specific products mentioned to help you easily purchase them on your own.
Hardware
Firewall Components
While firewalls from major manufacturers such as Check Point or Fortinet with one-gigabit connections can now be purchased at a good price, models with 10-gigabit or higher speeds are still quite expensive if you are looking to buy them for a home lab rather than a business environment. I had the same experience and therefore decided to build my own firewall and install a good but inexpensive 10-gigabit network card.
My self-built 10-gigabit firewall has now been running for over 1.5 years without any problems, and I spent around 250 to 350 Swiss francs on its components. It consists of the following components:
Network Card – The Heart of the Firewall
The Mellanox ConnectX network interface cards, now distributed by NVIDIA, are high-performance network interface cards designed for data center and cloud environments. They support both Ethernet and InfiniBand protocols and offer data transfer rates of up to 56 Gbps (FDR for InfiniBand and 40 GbE for Ethernet). These cards are known for their low latency, high bandwidth and high efficiency, making them ideal for demanding applications such as high-performance computing, storage solutions, and virtualization. They support features such as RDMA (Remote Direct Memory Access) and enhanced virtualization capabilities (SR-IOV) for optimized network and storage performance.
These network cards are now 5 years old or older and are already being phased out by large data centers. For private users, this means that data center hardware can be purchased for a reasonable price. The Mellanox ConnectX-3 network card offers two 10 Gbit SFP+ connections, which is perfect for our firewall.
The best part is that OPNsense provides compatible drivers for this card, making it easy to integrate.
These second-hand cards can be found in online stores for between 30 and 100 Swiss francs as you can see below.
Mainboard, CPU, RAM, SSD
For the remaining components, high-end consumer hardware that is two, three, or four years old is suitable. An AMD Ryzen 7 3700X or 2700X, or even an Intel Core i7 from the tenth or eleventh generation, will work well. A Ryzen 5 or an Intel Core i5 from the same release year also offers sufficient performance. Often, CPU, mainboard, and RAM bundles that are three or four years old are sold together on online platforms. I was able to purchase my AMD Ryzen 5 3600X, along with 16 GB of DDR4 RAM and a matching Asus mainboard, for 220 francs.
Here is an example:
If you don’t find a bundle that includes an SSD, like in the example above, you will need a small SSD with around 120GB of storage, which is sufficient.
Case and Power Supply
All the components need to be housed in a suitable case. A large computer case, like those typically used at home, might be too big for most people. Cube cases are ideal enclosures. They’re relatively small but offer enough space for all components. I was able to purchase a Fractal Node 804 at a reasonable price, which I can highly recommend as the housing of the firewall.
The power supply unit doesn’t play a major role either. Since we don’t have a graphics card that requires a lot of power, you might already have an older power supply lying around, or you can buy a suitable one cheaply on the second-hand market. However, it makes sense to use a power supply unit that has good energy efficiency, as the firewall is to be used in 24/7 operation.
SFP+ Module to RJ45
The Mellanox ConnectX-3 network card has two 10 Gbit SFP+ connections. SFP+ is still not a common connection type used in home networks, as the RJ45 connector remains the most widely used. However, there are corresponding SFP+ modules that enable an RJ45 output. I have had good experiences with the modules from the manufacturer Ubiquiti. These work wonderfully with the Mellanox network cards. The manufacturer’s exact model designation is UACC-CM-RJ45-10G.
10Gb Switch with RJ45 Ports
To connect multiple devices to the new 10-gigabit network in your home, a suitable network switch is required. Since I already have Ubiquiti devices in my home network, I chose the Ubiquiti UniFi Flex XG, a 5-port switch from Ubiquiti. This model features 5 RJ45 ports, all of which support 10-gigabit speeds.
Cables
The last hardware point, which most people forget or neglect, is the importance of the cables that connect the computer to the switch or the switch to the firewall. I had many Cat 5e cables in my household, but Cat 5e only supports speeds up to 1 gigabit. For 10-gigabit speeds, you need at least Cat 6 cables. However, I decided to go with Cat 7 cables, as they support longer distances of over 100 meters. Inexpensive network cables are available in Switzerland at https://kabelschweiz.ch/. They make a good impression in terms of quality and have been performing flawlessly in my home lab to this day.
Software
As an operating system, we use OPNsense. OPNsense is an open-source firewall and routing platform based on FreeBSD, designed to provide enterprise-level security and performance features. It is a fork of the popular pfSense project but with additional features, a more modern user interface, and an active development community. OPNsense is widely used for network security, monitoring, and management in both small and large-scale environments, including home networks, businesses, and data centers.
OPNsense can be downloaded and installed from https://opnsense.org/download/
I won’t be explaining how to install and set up OPNsense in this article, as there are already plenty of videos and tutorials available online.
Enable Driver for the Network Card
To ensure that the Mellanox ConnectX-3 is recognized and its driver is loaded by OPNsense, a new entry must be added under System -> Settings -> Tunables.
Here is an example for the ConnectX-3 card:
If you want to use other ConnectX cards, here are the corresponding values for the entries:
Network Card | Tunable entry |
---|---|
Chelsio | cxgbe_load |
Mellanox ConnectX-2, ConnectX-3 | mlx4en_load |
Mellanox ConnectX-4, ConnectX-5, ConnectX-6 | mlx5en_load |
Broadcom NetXtreme-C/NetXtreme-E | if_bnxt_load |
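After adding the tunable and rebooting, it is worth confirming that the module really loaded and that no network card was left without a driver. The following check is an added example, not part of the original article or of OPNsense: it assumes the tunable was set to the value YES (the FreeBSD loader convention), the function names are hypothetical, and the kldstat and pciconf captures embedded in it are constructed and abridged.

```shell
#!/bin/sh
# Added example: post-reboot check that a *_load tunable took effect.
# Works on text captured from `kldstat` and `pciconf -lv`; the samples
# below are constructed so the script also runs off the firewall.

# Succeeds if <module>.ko is listed in the given kldstat output.
module_loaded() {
    printf '%s\n' "$2" | awk -v m="$1.ko" '$NF == m { f = 1 } END { exit !f }'
}

# Prints the pciconf name of every network-class device that no driver
# has claimed (pciconf names such devices noneN@pci...).
unclaimed_nics() {
    printf '%s\n' "$1" | awk '
        /^[^ \t]/ { split($1, a, "@"); dev = a[1] }
        /class[ \t]*=[ \t]*network/ && dev ~ /^none[0-9]+$/ { print dev }'
}

# Combines both checks into one verdict for the given module name.
driver_status() {
    if ! module_loaded "$1" "$2"; then
        echo "FAIL: $1.ko not loaded, check the ${1}_load tunable"
    elif [ -n "$(unclaimed_nics "$3")" ]; then
        echo "WARN: $1.ko loaded but a NIC is still unclaimed"
    else
        echo "OK: $1.ko loaded and every NIC has a driver"
    fi
}

# Constructed sample captures (not taken from a real system).
KLDSTAT_OK='Id Refs Address                Size Name
 1   12 0xffffffff80200000  2d0f0e8 kernel
 2    1 0xffffffff82f10000    1c0a8 mlx4en.ko
 3    2 0xffffffff82f2d000    5e2b0 mlx4.ko'
KLDSTAT_MISSING='Id Refs Address                Size Name
 1   10 0xffffffff80200000  2d0f0e8 kernel'
PCICONF_OK='mlx4_core0@pci0:1:0:0: class=0x020000 vendor=0x15b3
    vendor     = Mellanox Technologies
    class      = network'
PCICONF_UNCLAIMED='none0@pci0:1:0:0: class=0x020000 vendor=0x15b3
    vendor     = Mellanox Technologies
    class      = network'

# On the firewall itself: driver_status mlx4en "$(kldstat)" "$(pciconf -lv)"
driver_status mlx4en "$KLDSTAT_OK" "$PCICONF_OK"
```

A FAIL verdict on the firewall points back at the tunable name from the table above; a WARN means the module is present but the card in the slot is not one it supports.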
Comparison
If you want to make a comparison in terms of prices, you can take a look at the FortiGate 100F, for example. This is the latest and smallest FortiGate firewall from Fortinet that offers 10-gigabit connections. However, it is priced at over 3000 Swiss francs. In contrast, our self-built OPNsense solution costs only around 600 Swiss francs, which is just a fifth of the price of the FortiGate.
Conclusion
If you want to tinker a bit in your home network from time to time, I highly recommend the self-built OPNsense. Of course, you have to think a bit yourself and figure things out or assemble the firewall yourself, but that’s what makes it fun at the end of the day. While you won’t have manufacturer support, you can save a significant amount of money, and in a non-professional environment, that’s certainly a reasonable trade-off.
The Giant
The Giant is a Security Engineer at AVANTEC AG. He is mainly interested in PAM solutions and secure authentication, but also in network security. In his free time he likes to tinker with his home network, and he enjoys video games as well as sports.