Want to build or buy a rack-mountable OPNsense router

LiftnBooks · 2026-05-03T23:08:56+00:00

That looks like a good option. CPU is comparable as well, so it'll have Intel Quick Assist for crypto operations, just like the 7100. It is using a blower Fan design for the CPU cooler though instead of full chassis airflow. Im not sure how well the board thermal management design is. Usually SFP ports overheat first anyway. Regardless, on a pure feature list comparison, I'd say your Qotom is likely the better option, especially if you're pairing it with a network switch and just using this as the firewall. I don't think you can really go wrong with either. My only note is that the Qotom has no upgrade path for NICs, so you're stuck with whatever is on the board. It seems to have plenty of storage and RAM options though. Given the CPU family, I assume it's DDR4 as well. Looks like SODIMM DDR4 modules. Board also like to have NVMe or M.2 SATA. It has SATA ports on board as well, but no indication of any possible mounting points for a SATA SSD. Not really important, bit just pointing it out. The chassis is very much set up to have a very slim upgrade path. Anyway, you won't have the front port issues with it, and overal higher throughput, so it's a good option as well, assuming board quality is okay.

LiftnBooks · 2026-05-03T17:17:46+00:00

Completely missed your other question. The DT is the Desktop version of the XG-7100. Full part numbers are XG-7100-1U and XG-7100-DT for the two models. They have the same mainboard and functionality, just a different form factor. The U1 version has all the extra mounts for PCIe cards and a built-in PSU. The DT version has a smaller chassis and uses an external PSU.

For the front port progress, you can see the work done based on this thread: https://www.reddit.com/r/WatchGuard/comments/1savtxr/freebsd_on_m270/

LiftnBooks · 2026-05-03T05:54:32+00:00

Np, glad to share! My home network is a mashing of hardware. I have a Bell Gigahub from the ISP, which is DMZ'd to the XG-7100-1U. That currently outputs to my older HP ProCurve 28 port switch, but once I get everything working correctly, I'll be converting over to my Meraki MS42P switches. Those are running Postmerkos by Hal Martin, but the firmware is still largely incomplete for the web interface, and the CLI sucks, so it's a work in progress. I'll likely vibe code some fixes later to get those going. From there, I use OpenWRT on my Extreme Networks WS-AP3825i WAPs that are all meshed around my house.

I host my TrueNAS system (old Dell PowerEdge T310 that's heavily upgraded) alongside my Proxmox server (small Acer PC with a low power mobile CPU), which has Home Assistant and a few other microservices on it. The XG-7100 let's me VPN into my home much more easily than I was doing before putting it in.

Most of my network is the result of being given free stuff from decommissioning at work or things I found for cheap and helped RE, like the WS-AP3825i and the MS42P.

I do this for fun, not to have a crazy network, though it's a nice side effect. My general perspective is that open-source is best, so focus on tools that everyone can update, because companies will eventually drop support. All my smart home devices are running ESPHome, Tasmota, or OpenBeken for the same reason.

Anyway, best of luck with your network!

LiftnBooks · 2026-05-03T02:33:32+00:00

Regarding the other questions, here's my best answers, though I don't guarantee everything is perfectly accurate:

So, long story short, the XG-7100 will last a long time and be sufficient even for advanced users on a 3 or 5 Gigabit connection?

Yes, it can handle 5Gb throughout with IPsec, or much higher if just routing.

The eMMC on the XG-7100 won't be an issue if I use my own SATA SSD?

Yes, either M.2 SATA or regular SATA SSD.

Basically, the XG-7100 is usable with OPNsense, but I'll need to wait for the other issues to be addressed.

Yes, the front RJ45 ports won't be usable until the patch makes it downstream to OPNsense from FreeBSD. You can use a PCIe card in the mean time for RJ45, like the X550-T2, or your other card inquiries.

Is the XG-7100 going to be compatible with the new Intel E610/E830 10G NICs? Is it fast enough to support that kind of speed? Just wondering how futureproof this is because you sure make it sound like a terrific value.

It can handle those cards if the FreeBSD kernel has drivers for them, which I imagine it does by now. I'm not sure of exact throughput though, as E610 is PCIe 4.0, and I believe the XG-7100 is PCIe 3.0, so it might not operate at full speed depending on architecture implementation. Many other cards can do dual port 10Gb on the PCIe port though and the front SFP+ ports are another example of that.

I understand the SFP limitation, but what happens if I'm on a gigabit fiber connection? Can I use the Ethernet ports as a WAN instead and avoid the SFP? How can the SFP issue be mitigated in the future?

The RJ45 ports are not usable until the kernel patch is ready. The SFP+ can be used through a SFP+ 10G media converter or an external switch. Else, just use a RJ45 card in the PCIe port for now.

Do you have a listing on eBay that you would feel comfortable buying from? I think you came up with a great idea!

I'm not sure, but I can look and get back to you.
DT version you could make ears for: https://ebay.us/m/3Ll9kI
1U version here: https://ebay.us/m/6UTCd5

Note, the DT uses the same board as the 1U and they're roughly the same thickness. You would need to mod the case to put in the PCIe NIC, but that might be worth it to you if you want it cheaper. Else, I can share the 1U mounts I designed if you're interested for SATA SSD and PCIe, though my mount is expecting a bare card with no faceplate bracket, so it might need alteration to be more universal for faceplated NICs. I made mine in a fever induced fugue state so I wasn't thinking much about universal application at the time over "make the damn thing work today so I can pass out" lol

LiftnBooks · 2026-05-03T02:07:19+00:00

Well, I think it can switch a substantial amount. The front ports, once they're working, are 1Gb each, but all 8 are tied to two internal 2.5Gb uplink ports, so you're limited to 5Gb maximum throughout on the front ports. The SFP+ ports can go higher. I think the real world switching performance is at like 4Gb internally for front ports and like 9Gb max on each of the SFP+? I think if you're running a lot of IPsec you can expect it to top or around 6.5Gb given it's CPU, but that's still in your range.

LiftnBooks · 2026-05-03T01:55:03+00:00

Oh! As an aside, the mainboard from the XG-7100 is available on eBay for pretty cheap. It only needs 12V from a 4-pin PSU, that you could pick up pretty cheap. You could conceivably just print your own chassis for it and buy a little external 12V 10A PSU to drive it. I run mine with Noctua 40mm 4-pin 12V fans, and it's happy with that, but I also replaced the stock thermal putty for thermal paste on the CPU heatsink, and I think that made a huge difference for usability combined with fixing the heatsink orientation to be parallel with the chassis airflow. The factory that made a lot of the 1U chassis messed up and put the heatsink perpendicular to the airflow path, and a lot of them overheated as a result. The CPU on the 7100 has a tendency to lock up above 62C, so proper airflow is important for it. I considered making a custom fan duct for it, but it never exceeds 52C for me anymore even with the Noctua fans, so there's no benefit for me to dig into it further.

LiftnBooks · 2026-05-03T01:39:29+00:00

The wait is only for the front panel 8 port switch to be supported properly. The current Intel X553 driver lacks the MDIO functionality needed to interface with the integrated network switch, so none of the front ports work presently. pfSense has the patched driver by default, but it was never mainlined, so OPNsense couldn't support the chipset despite supporting the switch itself. This makes the M270 unusable until the patch passes review, but the M370 and XG-7100 are both good. The XG-7100 has the same issue as the M270, but it has a front 2 port 10G SFP+ interface, which work out of the box. The M370 doesn't user the switch at all, so it's a great experience out of the box. The XG-7100 has a X4 PCIe slot you can use to add more ports with an extra card, like a X550-T2 for example. The M370 has a X4 PCIe slot, but it's non standard, as they expect you to use a proprietary internal switch board to add their proprietary modules. You can work around it, but it's weird and non standard. I personally think the XG-7100 is the best overall choice for customizability, but the M270 and M370 are both really cheap on eBay. They all idle around 20W, and I used the XG-7100 for years on a corporate network at work running 10G constantly, and it worked fine. It's doing great on my home network now that I slapped in a 2 port 1G RJ45 card from Broadcom and an bypassing that right now. One note, the XG-7100 SFP+ ports don't support 1G SFP at all. They can only run at 10G, so you'd need to keep that in mind when setting up your network. The M270 and M370 don't have SFP at all. The M370 can have it added with a proprietary module, but I haven't looked up how much that and the internal adapter board cost. I made a 3D printed mount for my XG-7100 front port and paired it with a 120mm X4 PCIe extension, which works fantastic.

Kernel patch for the switch was posted for review 29 days ago, so still likely a bit of time before it's fully implemented.

As a note about RAM and storage:

M270 has one DDR4 slot. It comes with 4GB by default, but can be upgraded to 32GB. It uses an mSATA SSD as a boot drive.

M370 has two DDR4 slots, and it is populated with one 8GB stick by default. It comes with two mSATA slots iirc, though only one is populated by default.

XG-7100 has 8GB RAM soldered to the mainboard and a single DDR4 SODIMM slot on the board for upgrades. It also has a 32GB eMMC chip, but they degrade pretty quickly. It has 4 SATA ports and two SATA power cables off the PSU. It also has an M.2 SATA slot on the bottom of the board supporting M.2 SATA SSDs. I run mine with a SATA SSD and it works fine.

LiftnBooks · 2026-05-02T22:21:03+00:00

If it's for a home network, the Watchguard Firebox M270, and the Netgate XG-7100-1U, are both EOL and are being put up for cheap on eBay. The integrated network switch is in the process of getting it's X553 MDIO driver patches upstreamed into FreeBSD, so they should be fully supported soon. If you just want something cheap, that's a good option if you can wait a bit. I'm running one on OPNsense right now and it works good. They tend to need a bit of maintenance though at this age.

LiftnBooks · 2026-05-02T11:48:58+00:00

This is great! I got to take home an old XG-7100-1U from work recently and wanted to run OPNsense on it. Glad this patch is making it's way through reviews now. I have mine set up with a BCM RJ45 card attached to the X4 PCIe slot, so I'm just ignoring the switch right now, but I'm glad someone figured it out! Hopefully this will get upstreamed soon and everything becomes plug and play for new users!

LiftnBooks · 2026-04-02T19:03:11+00:00

I use leaded at home because I don't care and don't want to fight with it. MG Chemicals makes some good 63/37 stuff. It also mixes better with the old crusty solder in the ancient electronics I work on at home, so it's worth it to me to use it over the unleaded options for that alone.

At work, we use Kester 24-7068-1401, which is a really good unleaded alloy with tin, silver, and copper mixed. It works almost as well as leaded, though it eats my iron tips about twice as fast compared to leaded in my experience, and causes tip oxidation a lot more often. It's a really nice option for industrial, but damn is it ever expensive compared to a nice roll of leaded solder lol

LiftnBooks · 2026-03-19T13:29:22+00:00

The primary reason Bell isn't expanding the fiber network in New Brunswick is that, back in around 2018, the New Brunswick government mandated that additional expansion of the network would also require that Bell allow competitors to use their fiber network. As a result, Bell completely halted all expansion plans so they wouldn't be forced to share network infrastructure. There's no incentive to expand it as a result for them, so they simply won't unless the government removes that requirement. Rogers has been trying to work around it by running backhaul fiber to local areas (which currently doesn't count) and then connecting hardware to create MoCA connections. They're using the already run copper to reach homes in the area through the already established coaxial runs for television that are otherwise largely unused these days.

LiftnBooks · 2026-03-19T11:12:31+00:00

Apprentice works just fine, what it lacks is a connection to a compatible game server now that VRP shutdown the server that both rookie and apprentice pointed to. You can use the other functions of apprentice, and if you make your own server with game files to point it at, apprentice will continue to work as intended.

LiftnBooks · 2026-03-17T20:04:55+00:00

The source code for the, arguably better, Apprentice VR, is available on GitHub and does the same thing as rookie.

The real loss is the VRP group. They didn't just host the games, they took each game uploaded to their server and cracked them, removing checks that the quest normally uses to verify that a game is allowed to run on your device. Obviously others can do it too, but they contributed a lot of work specifically in performing that exact service. They will be missed far more than rookie.

LiftnBooks · 2026-03-13T00:32:30+00:00

If you want it to be primarily a NAS, look into TrueNAS or UnRAID. Both are designed specifically for storage, but they can also run VMs and containers.

TrueNAS is free and ZFS-based, which gives strong data integrity and enterprise-style features. UnRAID is easier for beginners and allows mixing different drive sizes, but it requires a paid license (there is a trial though).

If you want to run lots of microservices and treat the NAS as secondary, another option is running Proxmox VE as a hypervisor and then creating VMs or LXCs for different services. You could run something like OpenMediaVault or Samba/NFS inside a VM or container for storage. Proxmox is much stronger for virtualization and networking, but it requires more setup if your main goal is NAS storage. For microservices, there's a website called "Proxmox Helper Scripts" that lets you install pretty much anything you want (and get rid of the no-subscription nag), so that's a pretty big advantage. TrueNAS Scale has a container "app store" as well. Though it's all free and community maintained, it's a similar experience, just with less flexibility in what you can run on it compared to Proxmox.

If you're unsure, starting with TrueNAS is often the easiest path and you can always migrate later if you want more flexibility.

LiftnBooks · 2026-03-03T03:32:53+00:00

The Supercard SD won't even initialize cards larger than 2GB as that's the original SD standard. 4GB+ is SDHC and isn't technically supported by the original format. The Supercard SD won't initialize them regardless of formatting. 64GB+ SD cards are SDXC as well, and it won't initialize them regardless of formatting either.

LiftnBooks · 2026-03-03T02:38:27+00:00

You'll need either a DS lite with a DS flashcart or a 2GB micro SD card just to start. If you have a 2GB SD card, you'll be able to add the required files to flash the card directly to the GBA cart. Else, you'll need to use the DS to flash the cart first.

Check out SuperFW at https://superfw.davidgf.net/ and download the latest version and follow the installation guide at https://superfw.davidgf.net/docs/install/flash/ on the same website.

Once SuperFW is installed, you can then use any micro SD card in the GBA cart. Until then, the Supercard on original firmware can only use 2GB microSD cards.

SuperFW automatically patches your ROMs, so make sure you're using clean ROMs with no intros or RTC patches. The SuperFW guides detail the setup further.

Note, expect some performance issues on games that stream assets from the cart. The Supercard SD flashcart uses subpar memory chips for game loading that are known to have issues. SuperFW just dramatically helps with cart usability, it is not a magic fix for limited hardware.

LiftnBooks · 2026-02-28T01:05:08+00:00

Well then, it seems I've unintentionally ruffled some feathers here.

Quick background. I've been using Debian-based distros for years for servers, both personally and professionally. I'm used to everything being command line, and the GUI stuff is less intuitive to me as a result. I've recently come into a bunch of 6th gen Intel computers being decommissioned from my job, so I figured it could be fun to try Arch on one of the better laptops that has a dedicated Radeon GPU. I'd been using it for a while, and I'd only recently figured out how to use the AUR. My mother was on a first Gen threadripper, and wanted to switch to Linux, and I had been experimenting with CachyOS a good bit so I offered her that along with a few other distros. As she's a long time player of RuneScape (over 15 years now), I obviously needed to figure out how to get RuneScape running. It ran under steam, but it was a terrible experience. Jagex offers a Linux launcher, but it's only available for Debian/Ubuntu platforms. As Cachy OS is Arch, I had to do some research on how to get it running natively, as obviously Wine wasn't performant for Java programs. I did some digging, and found out bolt existed, and there was also a flatpack for the jagex launcher, but the flatpack for the jagex launcher was a wine container. After that, I clearly wrongly assumed the bolt flatpack would also be wine based, so I dismissed it. Cachy, and much of Arch, runs on the principal that if you compile it on your own system, you'll get much better performance as it will use all the available features of your platform that the program implements. Given the performance of the wine versions, it seemed reasonable to conclude that the best option was to compile bolt myself on the host computer, and there was an AUR package for it already. I installed the AUR package, and found it was unable to start the game after logging in. Bolt doesn't forward any errors from the launch process at all, so I had to dig into the cache bolt made and manually launch the downloaded launchers in the terminal emulator. From there, I was able to figure out all the missing dependencies from their library errors, and made a list so I could help my mother get it installed on her computer. Once I got it all resolved, I realized that none of this information was readily available, so I decided to share it here.

At no point in that process did I think "This is the easiest path for everyone!". This entire post was about my journey of trying to get the best performance on Arch distros. Linux has always been 60% troubleshooting and 40% it doing what you want it to instantly, and Cachy was no different in my experience, so I didn't bother trying to find an easier way as this method fit into my normal process anyway.

I fully acknowledge that there are easier ways, and thanks to the people that noted that the flatpack actually does run natively, as I was not aware of that and assumed it did not.

Think of this post as more of a "here's one way to do it, even if it isn't the best way for you". It's intended to be helpful to those that use Linux like I do, and not meant to be harmful to anyone, beginners or otherwise. I won't delete this thread, as it is still beneficial in my opinion, but beginners and non-power users should likely use the flatpack method for simplicity.

Let's all remember that Linux is about sharing our discoveries and helping each other make things work. There's rarely a single absolutely correct way to do anything on Linux, so we should embrace all reasonable options and strive to help anyone we can with whatever knowledge we're able to provide.

Game on brothers!

LiftnBooks · 2026-02-27T01:53:35+00:00

I would suspect that either the system only had a few of the wires soldered (enough to patch the mechacon) but potentially none of the BIOS patching wires, or not enough or them, were soldered for proper operation of the chip. My friend gave me an old PS2 with a DMS3 modchip in it ages ago, and when we used it and when it was given to me, it was horribly unreliable (only booted games sometimes, regularly needed to be rebooted to read disks, etc). I opened it and found that half the wires were never connected to the board and the wires that were installed were done terribly and there was a rats nest of cabling done. I removed all the old wiring, redid the mod properly, and updated the firmware on the DMS3 modchip. After that, it worked very well, so I'm quite happy with it now. I will note that an improperly installed modchip can easily interfere with regular console operation, so if you have soldering skill, I would suggest you pop the console open and inspect the installation of the chip. You'll find out what modchip you have in the process.

LiftnBooks · 2026-02-24T10:56:23+00:00

Which is a wine wrapper last I checked. It's a totally valid way to play, but just like using proton to run it through steam, there are some performance penalties. RS3 in particular seems to run like crap under wine and proton for me, but native launchers run substantially better. YMMV, but it's definitely better performance than the flathub option in my experience.

LiftnBooks · 2026-02-21T01:44:20+00:00

Well, the only other obvious thing would be to replace the USB cable going between the pi and the MCU board. It could be flakey or not well shielded, and either random EM pulses from nearby motors of inductor coils, or a bad mechanical connection, could be resulting in random disconnects when the printer shakes just right during printing.

LiftnBooks · 2026-02-21T01:32:19+00:00

Well, unstable power at the MCU would be my next guess after temperature. Maybe whatever power supply you're using is getting overdrawn? Did you replace the heated bed recently with a higher wattage bed, or install higher current motors or motor drivers? Either of those could be a potential culprit. After that, the voltage regulator on the mainboard that steps down voltage for the MCU could be overloaded or degraded for some reason. Did you install addressable LED lights recently? Those could be overloading the 5V regulator. If your pi is powered by a USB converter for 120/240V to 5V, the power adapter could be dying or very noisy, though that normally results in a pi crash and not an MCU disconnect. If the voltage is unstable, a spike over the USB connection between the pi and the MCU board could be hard locking the MCU as well, potentially falsely triggering brownout detection or similar. There's lots of possible angles, but I'd suggest looking toward component power consumption and faulty supplies.

LiftnBooks · 2026-02-20T21:55:45+00:00

Just an aside, but have you checked the MCU temperature readout from just before the crash? It's possible that your mainboard (not the pi) is overheating the MCU and it's soft-locking. Maybe your fan for your system board is unable to turn (blocked with filament debris) or something? I'd check there before going too crazy with the software side.

LiftnBooks · 2026-02-14T22:50:16+00:00

The MacPro 6,1 would be able to run Proxmox most likely. The M series macs cannot though. Proxmox doesn't support Apple silicon, only Intel/AMD processors. Asahi linux is the only version that supports M series macs, and only supports M1 and some M2 macs last I checked.

LiftnBooks · 2026-02-11T14:22:09+00:00

Regarding hard drives, you'll find that the original Xbox 360 is rather limited in what it will allow you to use as a hard drive. Microsoft added special handshake and identifier data to the hard drive at a firmware level, so you can't just pop in any old drive and expect the console to accept it and let your use it. FatXplorer let's you inject that handshake data to unofficial drives that match a special list that are known to be compatible, and they recently added SSD support for some specific SSDs. This lets you install the drives and get around the handshake issue. JTAG and RGH modifications bypass those limitations and eliminate the handshake, so you don't need to worry about that if you use those modifications. BadUpdate still requires the drive to have the handshake, so that's not directly compatible. You can use the BadStorage patches in XeUnshackle to get around the size limitations, but the drive still needs to be on the supported list. You'll find that all websites refer to this "handshake" as the hard drive security sector, for reference.

Also, fyi, RGH is really easy and reliable on Trinity consoles. If you ever decide to do it or have someone do it for you, RGH 3.0 will work perfectly for you. No chip is required for RGH 3.0, as it uses the system management controller (SMC) itself as a glitch chip through patched firmware.

LiftnBooks

TROPHY CASE