Hardware specs on a J4115 machine

Greetings

Looking at setting up an Odroid H2+ for use as a router.

So what would be the suggested specs for things like

  1. ram
  2. SSD (or - - - can't remember the other standard)
  3. 2 RJ-45 ports should be ok (1 in and 1 out)
  4. anything I've missed

looking for say 5 years of use if that's reasonable

(am thinking of adding wireless after the switch - - - - - routers job is routing
the router is followed by a hardware firewall - - - - thinking opnsense at this point.)

TIA

Router IS a firewall. There is no reason to have a second firewall

1 Like

Sorry - - - - - that wasn't the question that I asked.

Regards

Probably hard to find DIMMs in smaller sizes than 4gb, but 4gb works.

If you want to run OpenWrt as the OS, a 16gb SSD or NVMe is more than enough for your use case.
NVMes in sizes <128gb are probably hard to find too.

One 4GB SO-DIMM is the minimum; 32GB eMMC is probably reasonable for a dedicated router, and required should you want to utilise the netcard.

1 Like

What is a 'netcard' - - - please?

The 4 x 2.5G port add-on board.

1 Like

"hardware firewall"? All firewall appliances are also routers.

pfsense/Opnsense is a router/firewall. OpenWrt is also a router/firewall.

Why are you placing two router/firewalls in a daisy chain like that?

You can install Opnsense on the Odroid directly (it's supported; with the latest version the "netcard" network add-on card is also supported: https://forum.opnsense.org/index.php?topic=18290.0 ) and use that as your only router/firewall.

As for resources, if you just want to run OpenWrt as a router/firewall with no additional services, the RAM footprint is like 60 Mb so whatever RAM you get is fine, and an SSD is absolute overkill; you can do fine with a 4Gb USB drive (OpenWrt does not write to the system drive unless you are saving configuration or installing packages, because it evolved from embedded device firmware).

If your use case differs from that, please state what services you want to install (VPNs and whatnot, for example), as that will affect system resource requirements.

Using an x86 system like that as a router/firewall is usually overkill for most home networks and makes sense only if you have a lot of Internet bandwidth (so the router has to be powerful enough to NAT 400+Mbit of traffic) or you run VPNs and additional services on it.

Also note that since the "hardware firewall" is also a router, it has to be at least as powerful as your router because it's still doing NAT on the same amount of traffic, plus doing firewall rules. Hence my suggestion to not daisy chain them unless you really have to.

1 Like

Starting with the simple stuff.

Hoping to have the possibility of a gigabit connection pdq.
This will be an independent fibre to the switch (not shared fiber).
I might be wanting more bandwidth well before I want to be replacing the hardware.
At present looking at running something like Wireguard on the router as well.

On the firewall - - - - a mentor has long suggested running squid.
I'm a lot anal re: security and privacy - - - separating the two functions can enhance both functions.

I don't think that what I already have would be a 'home' network and
its complexity is NOT going to go down. I am trying to keep things
simple and I would rather not have to manage all that stuff but I
am presently having a system where graphics instability is increased
due to various very pushy vendors etc who so desperately want to
increase the data slurp from here - - - - I would rather deny such
devious inputs from being able to find any even hard to get into
part of my network.

Do find it interesting that it would be considered 'normal' to quiz
a user as to why they want a level of hardware rather than just
offer an answer.

Regards

That would have been a good idea a long time ago; these days… not so much.

  • most web-resources and traffic are SSL encrypted, so a proxy won't do any proxying.
  • most interactive websites are highly dynamic, not even providing anything to proxy (even if they weren't transported encrypted)
  • WAN speeds have risen to a point where proxying at home isn't as necessary/ useful as before.

--
Yes, intercepting proxies are possible - but, to be honest, do you really want to configure the proxy on all of your systems (including phones and IoT devices) and add your own man-in-the-middle CA as well...?!

2 Likes

Not to mention that MITM isn't ideal (if you want to catch pretty much "any" data, as the majority uses HTTPS these days). 🙂

@ajoeiam
Depending on how paranoid you are, be aware that the J4115 does have quite a few hardware vulnerabilities and that your mileage may vary using Realtek NICs. There is most likely no point at all in having two firewalls after each other (and it will break port forwarding, UPnP etc.); just run opnsense if that's what you prefer.

1 Like

Then what I said above does not change much (Wireguard is very light on resources): whatever RAM you can install is OK and whatever storage you install is OK.

Squid can be run on OpenWrt too (there is a package), but a caching proxy nowadays, where HTTPS is commonplace, requires breaking the point-to-point HTTPS encryption between the device and the server since the traffic has to pass through the proxy, and to do that you must add your own custom certificate to all clients so they can validate the traffic. This is a massive pain to do, especially on mobile and IoT devices, and you are doing a MITM on yourself: if someone compromises the firewall they can now inject all they want into your encrypted traffic and you have no way of telling.

Depending on why you wanted to run a proxy, there might be better ways to accomplish that, like a VPN to your own cloud server, setting up a recursive DNS and/or encrypting DNS requests (which you should probably set up regardless).

It can also hamper them. Apart from the fact that you are duplicating both functions and not separating them, a daisy chain configuration will hamper the "firewall" in your proposed setup.
Since the firewall is seeing NATted traffic from the router it has no idea of what each client in your local network is actually doing, so you can only implement rules that apply to everything. No filters based on MAC, port forwarding for a specific client must be done twice (once on the "router"'s firewall and once on the "firewall"'s firewall) and so on.

Running two router/firewalls in a daisy chain like that increases complexity, as I mentioned above; since you can't split router from firewall you have all the issues of a double NAT setup. I suggest you reconsider.

I find it interesting that it would be considered "normal" to ask a hardware sizing question without telling the use case. Resource usage varies wildly depending on your home network size, your internet bandwidth and what services you install and run in OpenWrt.

1 Like

Something something Intel Management Engine something something

Although none of that is a major problem for a router/firewall as it's not running untrusted applications or VMs. Also, afaik the IME cannot communicate over the network if the device is not using Intel NICs.

Squid is still usable for access control, at least until encrypted SNI becomes common. This use case is quite important for things like time-of-day access to websites or creating quotas for data usage, e.g. for YouTube...

afaik you can do that also with time-based firewall rules (https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_parent_controls#time_restriction_of_internet_access) and quota-based firewall rules (see the "Set monthly quota" thread),

so a proxy isn't your only option
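As an added illustration of the time-based alternative (this fragment is not from the thread or from the OpenWrt docs), here is an /etc/config/firewall snippet for the firewall's UCI syntax. It shows a per-client night-time block matched on the client's MAC address, which the box can only do because it sees the un-NATed LAN traffic, plus an accept rule for a WireGuard instance running on the router itself. The rule names, the MAC address and the WireGuard port (51820, WireGuard's default) are assumed placeholder values.

```uci
# Added example, not code from the thread or from the OpenWrt project.
# All rule names, the MAC address and the port below are placeholders.

# Reject WAN access for one LAN client between 22:00 and 06:00 on school
# nights. The rule matches the client's MAC, so it must sit on the device
# that sees the client directly (not behind another NAT router).
config rule
	option name 'kids-tablet-night-block'
	option src 'lan'
	option src_mac '00:11:22:33:44:55'
	option dest 'wan'
	option proto 'all'
	option start_time '22:00:00'
	option stop_time '06:00:00'
	option weekdays 'Sun Mon Tue Wed Thu'
	option target 'REJECT'

# Let the router's own WireGuard listener (assumed on UDP 51820) receive
# handshakes from the WAN. Because the router is the only firewall, this is
# a single input rule rather than a forward that has to be repeated on a
# second box.
config rule
	option name 'allow-wireguard-in'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'
```

Append the fragment to /etc/config/firewall and run `/etc/init.d/firewall reload` to activate it. Time-based rules are only as good as the router's clock, so make sure NTP is working and check whether the match is being evaluated in local time or UTC (the `utc_time` rule option controls that) before relying on the schedule.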

That's the least of your issues....

1 Like

I wasn't clear enough: with "none of that is a major problem for a router/firewall as it's not running untrusted applications or VMs" I was talking of both the IME and the spectre/meltdown and related vulnerabilities.

The list does not include the intel j4115, so it's probably not affected by this vulnerability.

1 Like

Given that what causes these vulnerabilities is a deep architectural flaw, and also that processors 3 generations later, made years after it, are still vulnerable, that's a definite X to doubt for that.

I don't think that table is an exhaustive list of all affected CPU models; if a family or gen is affected, all CPUs of that family/gen are affected.

It sure does: "Gemini Lake".

1 Like