Just ordered an N100 machine with 16GB RAM from Carousell and a 118GB Intel Optane. Also have a spare 860 EVO SSD lying around.
Disk Configuration
- 860 EVO SSD for the Proxmox OS on ZFS (heard that it helps with data protection even if it is just one disk)
- Optane for my VMs and other LXCs (e.g. moving my primary PiHole instance here, as well as some other logging stuff like Influx, Elastic)
Plan is to install Proxmox on it and then install OPNsense or pfSense (read a lot on Reddit that most switched to OPNsense; however, it also seems pfSense is more talked about on HWZ. Anyone able to share their thoughts between these two?)
For NIC Configuration
- Do IOMMU/SR-IOV passthrough of 2 ports for WAN (1 x for the current WAN, 1 x for a future WAN).
- The problem I have wrapping my mind around is the LAN port. What is the best approach?
- Pass through 1 more port for LAN and then connect it to the switch? But this way I will lose access to my Proxmox GUI, correct? So I will need 1 more port just to access the Proxmox LAN for its GUI.
- Or alternatively, should I just create a bridge in Proxmox and then pass through a virtual NIC?
Logging
To be honest I know nothing about security... and this setup is more for educational purposes. I mean it will be a plus point if it is beneficial. Wanting to do a little bit of logging as well.
What logging tools (for lack of a better term), like Grafana, are you using? E.g. with a graph/diagram/map showing the inbound/outbound IPs. This portion I feel might be overkill or too much for the N100. Keen to explore and turn it off/on if needed, or I can move it to the 3 Proxmox hosts.
VPN - WireGuard
Currently I have 2 x WireGuard LXCs running on two different hosts. In case I need to remotely restart my host, I will still have 1 more WireGuard up. Thus also looking to shift one of the WireGuard instances directly onto the firewall.
Have just tried installing OPNsense on my Proxmox and toyed around with it:
- 4 cores [host], 8GB RAM, 2 x virtual NIC for WAN and LAN (WAN is double NAT-ed in my current network)
- Another VM with 1 x virtual NIC is created and placed on the same LAN as the firewall LAN for the iPerf3 server/client test
I have installed os-wireguard (meaning it is kernel based, I believe). When I do a local WireGuard iPerf, I am only able to get 650 to 700 Mbits/sec, and I gave it 4 cores; I realised the CPU hit 80%+ when I run iPerf. Nothing else is installed. Just purely wanted to see the VPN performance.
Whereas WireGuard (PiVPN) running on the LXC can easily hit 2.5Gbps without seeing the CPU spikes.
Any idea what could have gone wrong here?
Security/Plugins
Plugin-wise, do you think CrowdSec is enough or do I still need IDS/IPS Suricata/Snort as well? The only ports I am exposing are my VPN ports and Jellyfin ports, since I can't really do it via Cloudflare Tunnel due to the ToS.
Also, what are you guys generally using?
Suricata on the WAN? Zenarmor on the LAN side?
Or is CrowdSec enough on the WAN portion already?
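One concrete way to lay out the Proxmox side of the LAN question (a single bridge shared by the host's management address and the firewall VM's LAN virtio NIC, with the WAN ports left unconfigured on the host so they can be passed through), as an added example that is not from the original post. The interface names enp1s0/enp2s0/enp3s0 and the 192.0.2.0/24 addresses are constructed placeholders; the two sanity checks flag the usual mistakes (a port listed under two bridges, or a passthrough port that the host still configures).

```shell
#!/bin/sh
# Added example (not from the post): a Proxmox /etc/network/interfaces
# layout where ONE physical port carries both the Proxmox management
# address and the firewall VM's LAN, so the GUI stays reachable without
# spending a second port on it. Interface names and the 192.0.2.0/24
# addresses are constructed placeholders; check `ip link` on the real box.
#
#  enp1s0          -> vmbr0 (host management IP + firewall VM LAN virtio NIC) -> switch
#  enp2s0, enp3s0  -> no host config; attached to the firewall VM through
#                     Proxmox's PCI passthrough (hostpci) settings as the
#                     current / future WAN ports

interfaces_config() {
cat <<'EOF'
auto lo
iface lo inet loopback

iface enp1s0 inet manual

# Shared LAN bridge. The host's own address lives here; the firewall VM
# gets a virtio NIC on this bridge and its LAN address is the gateway.
auto vmbr0
iface vmbr0 inet static
    address 192.0.2.10/24
    gateway 192.0.2.1
    bridge-ports enp1s0
    bridge-stp off
    bridge-fd 0
EOF
}

# Sanity check 1: no physical port is listed under two bridges. A port can
# be a member of only one bridge; the second bridge silently comes up empty.
no_duplicate_bridge_ports() {
  dups=$(printf '%s\n' "$1" \
         | awk '$1=="bridge-ports"{for(i=2;i<=NF;i++) if ($i!="none") print $i}' \
         | sort | uniq -d)
  [ -z "$dups" ]
}

# Sanity check 2: a port reserved for PCI passthrough must not appear in
# the host config at all; otherwise the host and the VM both try to own it.
port_left_for_passthrough() {
  ! printf '%s\n' "$1" | grep -q -- "$2"
}

# Stand-alone run: print the config and the verdict of each check.
main() {
  cfg=$(interfaces_config)
  printf '%s\n' "$cfg"
  no_duplicate_bridge_ports "$cfg" && echo "OK: no port is on two bridges"
  for wan in enp2s0 enp3s0; do
    port_left_for_passthrough "$cfg" "$wan" && echo "OK: $wan left free for passthrough"
  done
}

main "$@"
```

With this layout the Proxmox GUI is reached through vmbr0 at the host's address, the firewall VM's LAN side sits on the same bridge, and only the WAN ports are handed to the VM as PCI devices.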