Old PC Server Build for OPNsense Firewall, Pi-hole, and Web Server, VMs & More


SomePoster

New Member
Sep 4, 2024
Build’s Name: SuperFunTime

Operating System / Storage Platform:

  • Primary OS: Ubuntu Server 24.04 LTS / Linux Mint / Windows 11 (depending on final testing)
  • Storage Platform: Mushkin Tempest 256GB PCIe 3.0 x4 NVMe M.2 SSD for OS and VMs, 2x 1TB Western Digital Blue HDDs for personal data and backups
CPU:
  • Intel Core i7-6700K @ 4.5GHz
Motherboard:
  • ASUS Maximus VIII Hero
Chassis:
  • Antec AX20 Fixed-Mode Rainbow RGB Windowed Tempered Glass Black ATX Mid-Tower Desktop Chassis
Drives:
  • 1x Mushkin Tempest 256GB PCIe 3.0 x4 NVMe M.2 SSD (OS and VMs)
  • 2x 1TB Western Digital Blue HDDs (personal data, backups)
RAM:
  • 16GB DDR4 2666MHz
Add-in Cards:
  • 3x TP-LINK TG-3468 10/100/1000Mbps Gigabit PCI Express Network Adapters
Power Supply:
  • Antec VP450P Value Power Plus 450W 80 Plus 230V EU Non-Modular Black ATX Desktop Power Supply
Other Bits:
  • Standard cooling and fans as included with chassis
  • Will be used as a headless server
  • Old Galax GTX 970 4GB GPU to use if needed
Usage Profile:
  • Primarily for running OPNsense as a firewall in a VM (configured in transparent bridge mode) to manage my home network securely.
  • Additionally, it will host VMs for Pi-hole (ad-blocking DNS server), back-ups, remote storage & file access, and a web server for personal projects. The setup aims to create a secure, manageable home network environment without the need for additional dedicated hardware for each service.

Other Information:

I’m based in South Africa, so parts availability and pricing were key factors in the build. I recently upgraded my PC, so this build is made of the old hardware and new.

I have no formal skills, everything I have learnt is self-taught – to give you insight on my position.

I’ve chosen to stick with my existing 6700K and ASUS Maximus VIII combo, which still performs well and offers enough horsepower for running multiple VMs without any noticeable slowdowns.

I found good deals locally on the Antec Power Supply and Chassis, Mushkin SSD and the TP-LINK NICs, which fit the budget-friendly approach I’m aiming for.

The goal is to keep everything running smoothly on a single server to save on power and space while maintaining a high level of security and control over my network.

I’m open to any feedback or suggestions, particularly on whether the setup will work, whether it is secure, and on setting up and optimizing the NICs & VM setup or enhancing network performance with the hardware listed.

I really appreciate input from the community on the above. If there is further information needed, just let me know.

Thank you for your time!
 

Tech Junky

Active Member
Oct 26, 2023
Ubuntu / Mint are fairly interchangeable when it comes down to it. W11 won't install on a 6th gen and frankly it's not positioned for what you want to do anyway.

You could slim down the NIC w/ an Intel I-350 quad port on a single card for under $50.

The GPU might be useful for things like Plex / video playback depending on if you're into that. However, I use an A380 because I'm running AMD and it flies through video conversions.

The only other concern would be the # of cores / RAM when it comes to VM use. As long as you're not running more than one at a time it shouldn't be an issue.

For the FW I just run IPTables as it's really only ~10 lines of rules to secure things. It also can hit line speed beyond 1gig.
 

BoredSysadmin

Not affiliated with Maxell
Mar 2, 2019
A few comments: 16 GB memory could be tight, depending on what other VMs/Containers you'd need to run. For an all-in-one box 32 GB would be my starting point.
I would not run any VMs from HDs, so storage-wise your 265 GB SSD could also be tight.
These TP-Link NICs are OK since they are essentially built on Intel chips, but rather than 3 individual ones, I'd recommend getting a single PCIe NIC with 4 ports.
As for OS - You could do it all on Ubuntu/KVM (ideally server edition to save resources), but your best bet is to start with ProxMox VE and build VMs on top of it. Much easier to manage.
 

SomePoster

New Member
Sep 4, 2024
@ Tech Junky

Thanks for your feedback, much appreciated!

OS Choice:
Silly me, slip of the mind, for Windows 11, you’re right!

NIC Suggestion:
The Intel I-350 quad port NIC sounds like a great idea, I am guessing it is easier to configure on one card? As well as freeing up PCIe slots. I’ll definitely look into that option. Are there any specific models you recommend?

GPU:
Exactly my aim, it should be more than enough for my use case.

Cores and RAM for VMs:
I have worried about running out of resources with more than one VM. I hope to get away with it, though, if I follow something like what BoredSysadmin said, using Ubuntu/KVM or ProxMox VE.

Firewall Configuration:
Interesting to hear you use IPTables with such a minimal setup—sounds efficient! I’m going with OPNsense for the additional features (like intrusion detection), but I’ll keep IPTables in mind if I decide to simplify things down the road.

Thanks again for the insights - this really helps refine the build and keep it practical!



@ BoredSysadmin

Thanks for your feedback and suggestions, really helpful insights!

Memory Considerations:
I appreciate the heads-up on the RAM. I was hoping 16GB would suffice, but I understand it might get tight, especially with multiple VMs. If I fall short, I’ll look into upgrading to 32GB to give me some breathing room for future expansions.

Storage Setup:
Good point on the SSD space—I plan to keep the most critical VMs on the NVMe SSD for speed and performance. The HDDs were meant more for personal data and backups, but I’ll definitely be mindful of VM storage demands. If space becomes an issue, I might have to go with a 512GB NVMe then or add another SSD dedicated to VMs.

NIC Configuration:
I’m hearing a lot of support for switching to a single quad-port NIC instead of using multiple cards, so I’ll definitely explore that option. Thanks for the confirmation on the TP-Links; it’s good to know they’re Intel-based and solid performers. I heard that Intel chips are what I need.

Operating System and Virtualization Platform:
I’ve considered Ubuntu Server for its lightweight nature, but I see your point about Proxmox VE—it seems like a great fit for managing VMs more efficiently. I’ve read that Proxmox also handles networking setups quite well, which would be a plus with OPNsense. Do I understand correctly that if I wanted to run OPNsense, Pi-hole and a web server separately, I would spin them up in their own VMs, each with an OS? Any specific tips on getting started with Proxmox, or things to watch out for when setting up the VMs?

Thanks again for all the advice; it’s great to get perspectives from those who’ve been there. I’m looking forward to refining this build even more!
 

Tech Junky

Active Member
Oct 26, 2023
SomePoster said: "easier to configure on one card"
The point of the quad port is to simply not use more than one slot. The ports appear as separate ports like separate NICs would.

Also, you can get 2.5/5GE cards as well with quad ports. 2.5 cards go for about $100 and 5ge for about $200. These higher speed options are good for hanging an AP off the box for WIFI. Also, using an AP vs traditional off the shelf routers is cheaper when it comes to upgrading to the next standard. You can even get entry level WIFI 7 APs right now for under $200. If you want the full speed options though you'll want one with a 10ge port that can do at least 4x4 on each band. Kind of depends on how many devices you'll be running concurrently.

SomePoster said: "intrusion detection"
IDS needs IPS to be of any value. Once you start doing packet inspections though it slows the speed down. If you block everything coming in except for any sessions you start it negates the need for either.


Code:
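# Default policy is DROP on every built-in chain; each chain hands off to its PERMIT-* chain.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:PERMIT-FWD - [0:0]
:PERMIT-IN - [0:0]
:PERMIT-OUT - [0:0]
-A INPUT -j PERMIT-IN
-A FORWARD -j PERMIT-FWD
-A OUTPUT -j PERMIT-OUT
# Forwarded traffic: new connections may start on any interface except wwan0; replies are allowed back.
-A PERMIT-FWD ! -i wwan0 -m conntrack --ctstate NEW -j ACCEPT
-A PERMIT-FWD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Traffic to the box itself: loopback, the br0 bridge, and replies to its own connections.
-A PERMIT-IN -i lo -j ACCEPT
-A PERMIT-IN -i br0 -j ACCEPT
-A PERMIT-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Traffic from the box: loopback, br0, replies, and any new outbound connection.
-A PERMIT-OUT -o lo -j ACCEPT
-A PERMIT-OUT -o br0 -j ACCEPT
-A PERMIT-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-OUT -m conntrack --ctstate NEW -j ACCEPT
COMMIT

# NAT: masquerade everything leaving via wwan0.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wwan0 -j MASQUERADE
COMMIT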
 
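An added example, not part of the original posts: a small Python check of the claim in the last post that the ruleset only lets in sessions started from the inside. It parses iptables-save text and lists every rule reachable from INPUT or FORWARD that would accept a NEW connection arriving on a given interface. The function names, the WEAK variant and the choice of wwan0 as the upstream interface are assumptions; interface wildcards and earlier DROP rules are ignored, so it can over-report but not under-report for rulesets of this shape.

```python
# POSTED: INPUT/FORWARD part of the filter table from the post; WEAK: constructed variant.
POSTED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:PERMIT-FWD - [0:0]
:PERMIT-IN - [0:0]
-A INPUT -j PERMIT-IN
-A FORWARD -j PERMIT-FWD
-A PERMIT-FWD ! -i wwan0 -m conntrack --ctstate NEW -j ACCEPT
-A PERMIT-FWD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-IN -i lo -j ACCEPT
-A PERMIT-IN -i br0 -j ACCEPT
-A PERMIT-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
WEAK = POSTED.replace("COMMIT", "-A PERMIT-IN -p tcp --dport 22 -j ACCEPT\nCOMMIT")

def parse(text):
    policies, rules = {}, {}
    for tok in map(str.split, text.splitlines()):
        if tok and tok[0].startswith(":"):
            policies[tok[0][1:]] = tok[1]          # ":INPUT DROP [0:0]"
        elif tok and tok[0] == "-A":
            rules.setdefault(tok[1], []).append(tok[2:])
    return policies, rules

def admits_new_from(tok, wan):
    # True if the rule can match a NEW packet that arrived on interface `wan`.
    if "-i" in tok:
        i = tok.index("-i")
        if (tok[i + 1] == wan) == (tok[i - 1] == "!"):
            return False                           # "-i other" or "! -i wan"
    if "--ctstate" in tok:
        return "NEW" in tok[tok.index("--ctstate") + 1].split(",")
    return True

def wan_exposure(text, wan, chains=("INPUT", "FORWARD")):
    policies, rules = parse(text)
    found = [(c, "policy ACCEPT") for c in chains if policies.get(c) == "ACCEPT"]
    def walk(chain, top):
        for tok in rules.get(chain, []):
            target = tok[tok.index("-j") + 1] if "-j" in tok else None
            if target == "ACCEPT" and admits_new_from(tok, wan):
                found.append((top, " ".join(tok)))
            elif target in rules and admits_new_from(tok, wan):
                walk(target, top)                  # follow jump into a user chain
    for c in chains:
        walk(c, c)
    return found
```

`wan_exposure(POSTED, "wwan0")` returns an empty list, while `wan_exposure(WEAK, "wwan0")` reports the added port rule because it carries neither an interface nor a state restriction.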