My old router is reaching its end of life and I need to get a new one. The hardware of the current one is fine for my purposes, but the manufacturer stopped updates a while ago, so I no longer consider it secure.
I am wondering if it would make sense to get an SBC or similar with 4 RJ45 ports (in, server, 2 wireless APs), and run a custom Linux distribution on it. If someone has explored options like this, I would appreciate suggestions for both the hardware and the software part.
Software should be FOSS, ideally Linux. Security and a viable community are the most important. I don’t need stellar throughput, <1 Gb/s is fine, or even 0.5.
Note that I am not asking about various 3rd party firmware solutions for stock routers. I admire how they cram so much functionality into hardware so basic, but I found all of them fiddly and would rather spend more and get a Linux machine, however puny, that I can keep running for a decade with updates. It just needs to do this one thing.
My friend was also using one of those *sense distributions. Then I taught him about nftables … and now the router is a Tumbleweed with my nftables-service package. But he has a DSL router in front of it. But Linux on one of those OPNsense boxes is probably fun. I love nftables because it can do sets for basically everything and doing action + logging in one rule.
Personally I am using a MikroTik router which is also a 16-port switch as my GW host.
In Germany they had to open that up a few years ago. The last holdouts were fiber operators and their fiber modems. But even those have to allow user devices now.
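As an added example (not from this thread, and not the poster's nftables-service package), here is a minimal router ruleset showing the two nftables features praised above: named sets reused across rules, and single rules that both log and act. The interface names wan0/lan0 and the addresses are assumed, constructed values.

```nft
#!/usr/sbin/nft -f
# Assumed interface names: wan0 faces the ISP modem, lan0 the inside network.
flush ruleset

table inet filter {
    # Inside networks allowed to reach the router's own services.
    # "flags interval" lets the elements be CIDR ranges.
    set lan_nets {
        type ipv4_addr
        flags interval
        elements = { 192.168.10.0/24, 192.168.20.0/24 }   # constructed sample values
    }

    # TCP services the router itself exposes to the LAN.
    set lan_services {
        type inet_service
        elements = { 22, 443 }
    }

    # Dynamic set filled at run time: sources that open SSH connections too fast.
    set ssh_flood {
        type ipv4_addr
        flags dynamic,timeout
        timeout 1h
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        # Log and drop invalid packets in the same rule.
        ct state invalid log prefix "nft-invalid: " drop

        meta l4proto { icmp, ipv6-icmp } accept

        # Anything previously flagged as flooding is logged and dropped outright.
        ip saddr @ssh_flood log prefix "nft-ssh-banned: " drop

        # More than 3 new SSH connections per minute from one source:
        # add the source to the dynamic set, log, and drop, all in one rule.
        tcp dport 22 ct state new limit rate over 3/minute add @ssh_flood { ip saddr } log prefix "nft-ssh-flood: " drop

        # LAN clients may reach the services in the set; DHCP and DNS too.
        iifname "lan0" ip saddr @lan_nets tcp dport @lan_services accept
        iifname "lan0" udp dport { 53, 67 } accept

        # Everything else: log, then drop.
        log prefix "nft-input-drop: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid log prefix "nft-fwd-invalid: " drop

        # Inside hosts may initiate traffic towards the Internet.
        iifname "lan0" oifname "wan0" ip saddr @lan_nets accept

        log prefix "nft-fwd-drop: " drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wan0" masquerade
    }
}
```

Check the file with `nft -c -f ruleset.nft` before loading it with `nft -f ruleset.nft`; the logged packets show up in the kernel log with the given prefixes, and `nft list set inet filter ssh_flood` shows which sources the dynamic set currently holds and how long they have left.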
I wish… For Portugal maybe in 30 years we’ll have those protections. Sadly ISPs have quite a strong monopoly and gov influence. Couple that with boomer politicians and yeah, not looking good.
I am getting a fixed IP address from my ISP, which means that their modem/router combo will be running in “quasi bridge” mode (their terminology, whatever it means). Practically, my understanding is that their modem/router box will pretend it does not exist, and my own router will be the entry point. Hence the request for advice.
Thanks! I did not know about that brand and I will look into it, as seems like a cost-effective solution that is being updated from time to time, although not FOSS (if I am reading it correctly).
I looked into these options, but the mini PCs I see available don’t have card expansion slots… but it is worth exploring.
I am getting this idea too. Maybe I will go with the OpenWRT One, as Turris is not yet available and a bit expensive.
After looking at various options, I am wondering if I am actually overthinking this, because I am not sure if I need all the extra features pfsense/opnsense/ipfire provide.
I am especially skeptical about needing an IDS like Suricata. Sure it would be nifty, but all the clients are Linux machines (laptops + server), updated regularly, running stock Ubuntu, with unprivileged users who cannot and don’t install anything. Basically, an endpoint security model.
But if I don’t need those things, a simple Mikrotik wireless AP router should suffice. It is my impression that RouterOS is updated regularly and fairly secure. It would be router 1 in the scheme below:
--- ISP modem --- router 1, the one I am buying, also wireless AP 1 --+
                                                                      |
                                                                      |
                      router 2, an old Asus, also wireless AP 2, bridge mode
                                 |                       |
                                 |                       |
                               server              printer/scanner
(both wireless APs have various devices connected by Wifi)
tbh if your MikroTik device has enough ports you can probably kill the Asus one.
MikroTik RouterOS comes with firewalling, VLANs and all the things you want to separate things out into different security zones, and all that packed in with a nice CLI and web UI.
One small improvement suggestion then: if your main MikroTik device is a PoE power source … they have APs that can run on PoE only (the l0009 has one PoE-out port; if you need more, rb0009).
And if you get their APs you can centrally manage them via CAPsMAN.
Probably worth finding out how it behaves in detail, e.g. is it really transparent, or does it fulfill its routing and filtering tasks and you can (only) chain your own router behind it.
Would also be my question, answer obviously depends on your context, tasks/goals and users. E.g., do you need VLANs at all, different DHCP ranges, VPN, …? Maybe all your requirements can be fulfilled by a simpler solution.
TBH I haven’t looked at their prices, AFAIK they have different models. Some HW is needed for OpenWRT as well, obviously.
It’s a bugfest. To give you an idea: to get fixed DHCP assignments for a particular MAC address, you enter the relevant pair into the table. At which point the router goes crazy and stops routing until you reboot. But don’t worry, it is still crazy; you have to remove the entry, and from then on it will remember the entry and assign it correctly. Again, it is no longer in the table.
It only goes downhill from there. But I am stuck with it, as the ISP insists on their own modem they can diagnose/manage remotely. So my best bet is to use it in bridge mode, whatever that does.
I had good experience with PC Engines apu2 system boards - unfortunately, they are EOL now and it looks like no replacement is coming.
However, there is a broad selection of ARM-based and also x86 devices (and possibly RISC-V too…) you can use.
My APU.1C4 runs on vanilla Debian - 24/7 for 11 years now.
I even added a UPS using an OpenUPS.
I originally responded with a “why not get a MikroTik” style response, but since it is not FOSS I deleted it.
RouterOS gets updates, and they are perpetual*. I have been using the non-enterprise-level gear for 6-7 years with no complaints.
*There are some MikroTik devices that are not able to be switched over to v7 because of hardware.
You can load RouterOS on any old x86 machine, but pay attention to the licensing details and how it stores the keys. For my case it was cheaper/easier just to get a couple of their boxes.