Recently, I decided that I needed to upgrade my home network from an old Sophos UTM 110/120 that I converted a few years ago to pfSense. First, I’ve decided to move on from pfSense. I have many reasons, but the first is that if enshittification was a company, Netgate would be the perfect definition. I’ve shared my thoughts in previous blog posts. Second, while the Sophos UTM 110/120 was probably good in 2012, it’s been holding my network back. It’s powered by an Intel Atom N450 and this CPU is the largest bottleneck. When I would stream something from YouTube, I’d see the CPU spike up to 60%. I never watched it during the normal work day, but I have had my fair share of issues with it.
Going Small
When I initially started looking at what to replace this old firewall hardware with, I eventually settled on a Lenovo ThinkCentre M920q mini PC with an Intel Core i5-8500T 2.1 GHz CPU, 8 GB of DDR4 RAM, and a 256 GB SSD. As-is, this PC also sports a single gigabit NIC, and the eBay seller I purchased it from pre-installed Windows 11.
Thinking I wanted to replicate my current setup, I ordered a Lenovo proprietary riser card to take advantage of the PCIe expansion slot. And this is one of the reasons why this mini PC is popular, even for using as a low-power virtualization host.
Now, I did decide at the last minute to change the setup. The original 4-port NIC I ordered was “too big” to fit in the proprietary Lenovo bracket, so I decided why not just do router on a stick and just use the single NIC?
Router on a Stick
If you’re reading this blog post, maybe you are in a similar position. Perhaps you have one of these mini PCs or one from another vendor such as HP or Dell. HP and Dell, to my knowledge, may have two-NIC options, but they’re generally single NIC. So how do you get around this limitation? Router on a Stick! If it has been a hot minute, let me introduce you to my favorite lollipop.
That’s it. I’m sorry to disappoint you if you were expecting more. But what really gets interesting is the configuration. To follow along and do this, you’re going to need a managed switch, that is, a switch that can do VLANs. You’re also going to need two free ports on that switch.
Pick an available switch port and configure it as an access port in a VLAN that is not otherwise in use. For example, my “WAN” VLAN is 20, so I have put this switch port on VLAN 20. The reason we need to do this is that traffic coming in from the modem is untagged; the access port is what tags it as VLAN 20, so the switch keeps it separate from your LAN.
Next, pick another port on your switch and configure it as a trunk. Allow all VLANs, since this single port carries everything to the firewall, including your LAN.
Now when you configure OPNsense, things will get a little weird. First, you only have a single physical interface. Go into option 1 from the console, which is Assign Interfaces. From here, you’re going to be asked if you want to create LAGGs. Type N and press Enter. The next question will be if you want to create VLANs. This is where you type Y and press Enter. Enter the physical interface name (it should be em0, but double check on your setup), then enter the VLAN number. In this case, enter 20. Then you’ll be prompted for the physical interface again. Repeat until you’ve set up all the VLANs you need.
Once everything is configured, go back into Assign Interfaces. Assign WAN to the interface em0_vlan20 (or whatever VLAN you used). Assign LAN to the actual physical interface (em0), which receives the frames that arrive untagged on the trunk.
And that’s pretty much it!
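To make the tagging concrete, here is an added example (my own, not from the original post or from OPNsense): a small Python model of the switch forwarding described above. The port names gi1/gi2 and the choice of the trunk's native VLAN as the LAN are assumptions; it traces a frame from the modem port to the OPNsense interface that receives it, and flags designs where WAN traffic would land untagged on em0 and be treated as LAN.

```python
from __future__ import annotations
from dataclasses import dataclass

WAN_VLAN = 20    # the "WAN" VLAN used above
PHYS_IF = "em0"  # the single physical NIC as OPNsense names it

@dataclass(frozen=True)
class Port:
    name: str
    mode: str                               # "access" or "trunk"
    access_vlan: int = 0                    # access ports: the one VLAN they belong to
    native_vlan: int = 0                    # trunk ports: VLAN carried untagged (assumed: the LAN)
    allowed: frozenset[int] = frozenset()   # trunk ports: VLANs carried tagged

def ingress(port: Port, wire_tag: int | None) -> int | None:
    """VLAN a frame is placed in on arrival, or None if the switch drops it."""
    if port.mode == "access":
        # an access port accepts only untagged frames: a tagged frame from the
        # modem side is dropped rather than switched into another VLAN
        return port.access_vlan if wire_tag is None else None
    if wire_tag is None:
        return port.native_vlan
    return wire_tag if wire_tag in port.allowed else None

def egress(port: Port, vlan: int) -> tuple[bool, int | None]:
    """(forwarded?, tag on the wire); a None tag means the frame leaves untagged."""
    if port.mode == "access":
        return vlan == port.access_vlan, None
    if vlan == port.native_vlan:
        return True, None
    return vlan in port.allowed, vlan

def deliver(in_port: Port, wire_tag: int | None, out_port: Port) -> str | None:
    """Trace one frame through the switch to the OPNsense interface that receives it."""
    vlan = ingress(in_port, wire_tag)
    if vlan is None:
        return None
    ok, tag = egress(out_port, vlan)
    iface = PHYS_IF if tag is None else f"{PHYS_IF}_vlan{tag}"  # em0 or em0_vlan20
    return iface if ok else None

def check_design(modem_port: Port, trunk_port: Port) -> list[str]:
    """Checks worth running before the modem is plugged in."""
    problems = []
    if modem_port.mode != "access" or modem_port.access_vlan != WAN_VLAN:
        problems.append(f"modem port must be an access port in VLAN {WAN_VLAN}")
    if trunk_port.native_vlan == WAN_VLAN:
        problems.append("WAN VLAN is the trunk's native VLAN: modem traffic would reach em0 untagged as LAN")
    if WAN_VLAN not in trunk_port.allowed:
        problems.append(f"trunk does not carry VLAN {WAN_VLAN}, so {PHYS_IF}_vlan{WAN_VLAN} never sees the modem")
    return problems
```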
Firewall Setup and Tweaks
At this point you should have enough of a working configuration to log in and make your adjustments. Set your firewall policies (remember: only your LAN gets default rules – your other VLAN interfaces start with no rules and so block everything until you add them!). You’ll be good to go!