OPNsense A10 Quad Core Rack Series DEC2640

(c) 2019 Deciso B.V., All Rights Reserved. [rev.140319]

The OPNsense A10 Quad Core Rack secures your network with high-end features such as inline intrusion prevention, virtual private networking, two factor authentication, captive portal and filtering web proxy. The optional high availability setup ensures stable network performance with automatic failover and synchronised states, minimising disruption. Keep your network secure and the good packets flowing.

Guard Web Access
Filtering (SSL) Proxy
Captive Portal with Voucher support

3.800Mbps Throughput
550.000 Packets per Second

128GB SSD
Offering Sufficient Space for Logging & Reporting

487Mbps Inline High Speed Intrusion Prevention & SSL Finger Printing

8GB RAM for demanding applications and plugins

Fast Filtering
45.000 new connections per second (10 second burst)
Low Latency ~137µS

System wide two-factor authentication. Compatible with Google Authenticator.

Hardware Assisted Encryption
950Mbps IPsec (AES256GCM16)

Securing Networks

DATASHEET

Deciso Sales B.V. • +31 187 744 020 • [email protected] • www.deciso.com

HARDWARE
DUTCH QUALITY - MADE IN THE NETHERLANDS

DEC2640

SOFTWARE
VERSATILE - OPEN SOURCE - FULLY FEATURED

OPNsense is Deciso’s fast growing open source and security platform released under an Open Source Initiative approved license. Its rich feature set is combined with the benefits of open and verifiable sources.

All features can be used from within the easy to use graphical interface, equipped with a built-in search feature for quick navigation. Protecting your network has never been this easy: utilise the integrated intrusion prevention capable of blacklisting based on SSL fingerprints and the two-factor authentication for safely connecting mobile users.

Keep full insight on the traffic flowing through your firewall at all times, with its advanced Netflow capture, aggregate & reporting tool ‘Insight’.

High-end Security Made Easy™

Businesses
Protect your business network and secure your connections. From the stateful inspection firewall to the inline intrusion detection & prevention system, everything is included for free. Use the traffic shaper to enhance network performance and prioritise your voice over IP above other traffic. Back up your configuration to the cloud automatically, no need for manual backups.

School networks
Limit and share available bandwidth evenly amongst students and utilise the category based web filtering to filter unwanted traffic such as adult content and malicious websites. It's easy to set up as no additional plugins nor packages are required.

Hotels
Hotels usually utilise a captive portal to allow guests (paid) access to internet for a limited duration. Guests need to log in using a voucher they can either buy or obtain for free at the reception. OPNsense has a built-in captive portal with voucher support and can easily create them on the fly.

On the road
Even on the road OPNsense is a great asset to your business as it offers OpenVPN and IPsec VPN solutions with road warrior support and two-factor authentication. The easy client exporter makes configuring your OpenVPN SSL client setup a breeze.

Remote Offices & SOHO
Utilise the integrated site to site VPN (IPsec or SSL VPN) to create a secure network connection to and from your remote offices. Enjoy the easy configuration and online searchable documentation with simple how-to type of articles to get you started, quickly.

SOFTWARE
FEATURE OVERVIEW

Stateful firewall
  ๏ Filter by
    • Source
    • Destination
    • Protocol
    • Port
    • OS (OSFP)
  ๏ Limit simultaneous connections on a per rule basis
  ๏ Log matching traffic on a per rule basis
  ๏ Policy Based Routing
  ๏ Packet Normalisation
  ๏ Option to disable filter for pure mode

Policy organisation
  ๏ Alias Support
    • IP addresses
    • Port ranges
    • Domain names (FQDN)
    • Geolite2 Country IP
  ๏ Interface Groups
    • Create security zones with equal rules
  ๏ Rule Category
    • Easy access rule sets

Granular control state table
  ๏ Adjustable state table size
  ๏ On a per rule basis
    • Limit simultaneous client connection
    • Limit states per host
    • Limit new connections per second
    • Define state timeout
    • Define state type
  ๏ State types
    • Keep
    • Sloppy
    • Modulate
    • Synproxy
    • None
  ๏ Optimisation options
    • Normal
    • High latency
    • Aggressive
    • Conservative

Authentication
  ๏ External Servers
    • LDAP
    • Radius
  ๏ Integrated Servers
    • Local User Manager
    • Vouchers / Tickets
    • FreeRadius (Plugin)

Authorisation
  ๏ User Interface
    • Local User Manager

Accounting
  ๏ FreeRadius (Plugin & External)
  ๏ Vouchers / Tickets

2-Factor Authentication
  ๏ Supports TOTP
  ๏ Google Authenticator
  ๏ Support services:
    • Captive Portal
    • Proxy
    • VPN
    • GUI
    • SSH / Console

Certificates
  ๏ Certificate Authority
    • Create or Import CAs
    • Create or Import Certificates
  ๏ Let’s Encrypt (Plugin)
    • Automated (Trusted) CA

802.1Q VLAN support
  ๏ max 4096 VLANs

Link Aggregation & Failover
  ๏ Failover
  ๏ Load Balance
  ๏ Round Robin
  ๏ Cisco Ether Channel (FEC)
  ๏ 802.3ad LACP

Other Interface types
  ๏ Bridged interfaces
  ๏ Generic Tunnel Interface (GIF)
  ๏ Generic Routing Encapsulation
  ๏ 802.1ad QinQ

Network Address Translation
  ๏ Port forwarding
  ๏ 1:1 of IPs & subnets
  ๏ Outbound NAT
  ๏ NAT Reflection

Traffic Shaping
  ๏ Limit bandwidth
  ๏ Share bandwidth
  ๏ Prioritise traffic
  ๏ Rule based matching
    • Protocol
    • Source
    • Destination
    • Port
    • Direction

IGMP Proxy
  ๏ For multicast routing

Universal Plug & Play
  ๏ Fully supported

Dynamic DNS
  ๏ Selectable from a list
  ๏ Custom
  ๏ RFC 2136 support

DNS Forwarder
  ๏ Host Overrides
  ๏ Domain Overrides

DNS Server
  ๏ Host Overrides
    • A records
    • MX records
  ๏ Access Lists

DNS Filter
  ๏ Supports OpenDNS

DHCP Server
  ๏ IPv4 & IPv6
  ๏ Relay Support
  ๏ BOOTP options

Multi WAN
  ๏ Load balancing
  ๏ Failover
  ๏ Aliases

Load Balancer
  ๏ Balance incoming traffic over multiple servers

Network Time Server
  ๏ Hardware devices
    • GPS
    • Pulse Per Second

Intrusion Detection & Prevention
  ๏ Inline Prevention
  ๏ Integrated rulesets
    • SSL Blacklists
    • Feodo Tracker
    • Emerging Threats ETOpen
    • ET Pro Telemetry (Optional / free subscription offered by Deciso)
  ๏ SSL Fingerprinting
  ๏ Auto rule update using configurable cron
  ๏ ET Pro ruleset (paid subscription)

Captive Portal
  ๏ Typical Applications
    • Guest Network
    • Bring Your Own Device (BYOD)
    • Hotel & Camping Wifi Access
    • Template Management
    • Multiple Zones
  ๏ Authenticators
    • All available authenticators
    • None (Splash Screen Only)
  ๏ Voucher Manager
    • Multiple Voucher Databases
    • Export vouchers to CSV
  ๏ Timeouts & Welcome Back
  ๏ Bandwidth Management
    • Use Traffic Shaper
  ๏ Portal bypass
    • MAC and IP whitelisting
  ๏ Real Time Reporting
    • Live top IP bandwidth usage
    • Active Sessions
    • Time left
    • Rest API

Virtual Private Networks
  ๏ IPsec
    • Site to Site
    • Route based (tunnel)
    • Road Warrior
  ๏ OpenVPN
    • Site to Site
    • Road Warrior
    • Easy client configuration exporter
  ๏ (Plugin)
    • Full mesh routing
  ๏ ZeroTier (Plugin)
    • VPN, SDN & SD-WAN
  ๏ PPTP (Legacy)
  ๏ L2TP (Legacy)

High Availability
  ๏ Automatic hardware failover
  ๏ Synchronised state table
  ๏ Configuration synchronisation

Caching Proxy
  ๏ Multi interface
  ๏ Transparent Mode
  ๏ Support SSL Bump
  ๏ SSL Domain only (easy filtering)
  ๏ Access Control Lists
  ๏ Blacklists
  ๏ Category Based Web-filter
  ๏ Traffic Management
  ๏ Auto sync for remote blacklists
  ๏ ICAP (supports virus scan engine)

Virus scanning
  ๏ External engine support (ICAP)
  ๏ ClamAV (Plugin / C-ICAP)

Reverse Proxy
  ๏ HAProxy - Load balancer (Plugin)

Online Identity Protection
  ๏ Anonymity online (Plugin)

Backup & Restore
  ๏ History & Diff support
  ๏ File Backup
  ๏ Cloud Backup

SNMP
  ๏ Monitor & Traps

Diagnostics
  ๏ Filter reload status
  ๏ Firewall Info (pfInfo)
  ๏ Top Users (pfTop)
  ๏ Firewall Tables
    • Aliases
    • Bogons
  ๏ Current Open Sockets
  ๏ Show All States
  ๏ State Reset
  ๏ State Summary
  ๏ Wake on LAN
  ๏ ARP Table
  ๏ DNS Lookup
  ๏ NDP Table
  ๏ Ping
  ๏ Packet Capture
  ๏ Test Port
  ๏ Trace route

Monitoring
  ๏ Zabbix Agent (Plugin)
  ๏ Monit (Plugin)
    • Proactive System Monitoring

Enhanced Reporting
  ๏ Network Flow Analyser ‘Insight’
    • Fully Integrated
    • Detailed Aggregation
    • Graphical Representation
    • Clickable and Searchable
    • CSV Exporter
  ๏ System Health
    • Round Robin Data
    • Selection & Zoom
    • Exportable
  ๏ Traffic Graph
    • Live Traffic Monitoring

Network Monitoring
  ๏ Netflow Exporter
    • Version 5 & version 9
    • Local for ‘Insight’

Firmware
  ๏ Support Virtual Installs
    • VMware tools (Plugin)
    • Xen Guest Utilities (Plugin)
  ๏ Easy Upgrade
    • Reboot warning for base upgrades
  ๏ SSL Flavour selectable
    • OpenSSL
    • LibreSSL
  ๏ Selectable Package Mirror
  ๏ Reinstall Single Package
  ๏ Lock Package (prevents upgrade)
  ๏ Audit Feature
    • Check installed packages for known security vulnerabilities
  ๏ Plugin Support

REST API
  ๏ ACL support

Online Documentation
  ๏ Free & Searchable

PERFORMANCE & SPECIFICATIONS

DEC2640 Hardware Specifications
GbE RJ45 Ports [ 10/100/1000Mbps ]: 4
USB Ports: 1
Console Port: 1
Internal Storage: 128GB
Memory: 8GB DDR3
CPU Cores: 4 (2.0Ghz)
Virtual Interfaces (802.1q VLANs) [1]: 4093

System Performance
Total Firewall Throughput (physical limit): 6600 Mbps (3800Mbps)
Firewall Packets Per Second: 550000
Firewall Port to Port Throughput: 950 Mbps
Firewall Port to Port Packets Per Second: 349000
Concurrent Sessions: 7000000
New Connections Per Second: 45000
Firewall Latency: ~137 uSec
Firewall Policies (Recommended Maximum) [1]: 10000
IPsec VPN Throughput (single tunnel): 950 Mbps
IPsec VPN Packets Per Second: 80000
SSL VPN Throughput (single tunnel): 240 Mbps
SSL VPN Packets Per Second: 20000
Threat Protection Throughput (IPS): 487Mbps
High Availability with State Synchronisation: Requires Two

Dimensions
Height x Width x Length (mm): 44 x 485 x 335
Height x Width x Length (inches): 1.74 x 19 x 13.2
Form Factor: Rack Mount 1U
Weight (Kg): 3,75

Environment
Power Requirements: 100-240VAC, 50-60Hz
Maximum Current: 0.8A
Power Consumption (Typical): 30W
Heat Dissipation: 85 BTU/hr
Operating Temperature: 0 to +45°C
Storage Temperature: -20 to +70°C
Humidity: 10-90% non-condensing

Regulatory Compliance: FCC part 15 Class A, CE, RoHS

[1] The user interface is designed for normal business usage; large rulesets, a high number of users or interface assignments may be less practical.

Firewall Throughput is the maximum theoretical throughput and is defined as the maximum packets per second under test multiplied with a standard packet size of 1.514 bytes. The maximum packets per second is measured using stateless traffic and an internet mix profile (IMIX) with an average packet size of 360 bytes. The latency test is an average at 80% of the maximum port to port traffic with UDP packets of 256 bytes after 60 seconds of activity. Connections per second is measured by generating a 10 second burst of TCP connects from simulated clients. The value recorded is the maximum where no connections were dropped. Concurrent sessions are based upon memory available, where one state consumes 1KB of memory and 1GB of memory is reserved for system tasks.

IPS performance is measured using the ETPro Telemetry ruleset of March 14th 2019, with all rules enabled and a realistic traffic profile (EMIX) containing stateful traffic. Test duration is 100 seconds; average packet size after the full test is ~700 bytes.

IPsec packets per second is measured using AES256GCM16 and the throughput is defined as the maximum packets per second under test multiplied with a standard packet size of 1.514 bytes. SSL VPN is measured using AES256CBC.

OPNsense version used for performance tests was 19.1.4.
