Seems like it might be time to build my next router before they become unaffordable. I’ve done some research, but I’d like to get the pulse of the community since other self-hosters may have a similar use case.
Should I use PFsense or OpenWRT? Should I use purpose built or minipc hardware?
This is for a home network (symmetric gigabit fiber). A few of the devices have 2.5LAN ports and it would be nice to make use of that speed locally. Primary uses include streaming Disney+ and YouTube, web browsing, and self-hosting a few services I connect to via wireguard. Sometimes I play games, but not competitively, so an extra ms of ping isn’t going to throw me into a rage. I do use a remote desktop feature like steam link to play games on my home office PC from my bedroom. Ping is currently acceptable according to the system with occasional slowdowns when my family is slamming the WiFi.
I will need to provide WiFi access. If my existing router(s) have an AP mode, I imagine I can just plug them in via ethernet?
What kind of wireless AP hardware do I need if I want connections to transfer between a basement and attic AP with minimal interruption?
For the router itself, I see people using what look like barebones routers and others using a minipc with dual LAN. What do you use and what advantages/disadvantages have you experienced as a result.
Can I set up a wireguard VPN server in either pfSense or OpenWRT?
Are there any enshittification risks or open-source purity concerns with either choice?
Is there a significant difference in popularity between pfsense and openwrt?
I will happily accept hardware recommendations for 2.5GB capable router hardware for a home network with 1GB fiber. It needs to be able to handle inbound and outbound wireguard connections. I’m overwhelmed by the many options between all the minipcs and purpose built hardware. Location is USA.
I appreciate any insight you may have. I’m a Linux guy, but networking has always been my weak point so I’m asking for help.
I run opnsense on a decommissioned thin workstation I got for free at work. Added a couple of NICs et voila! For wifi I just disabled DHCP on the ISP router and plugged one of the lan ports into opnsense. Packets err… Find a way.
When I got 10 Gbit internet at home I didn’t like the prices of any of the 10G routers for sale so I built my own out of a $80 used ThinkCentre Tiny, $7 PCIe riser, and $20 dual-10G Intel NIC. My APs are the Ubiquiti UniFi APs I was already using (The router I switched from was a Ubiquiti USG3)
Initially I tried opnSense (and pfSense) but no matter what I did I couldn’t get 10G throughput, so I switched to OpenWRT which has been working great. I feel like the Linux kernel will have better support than FreeBSD since it has a bigger user base.
For a 1G/2.5G network you can probably get away with even cheaper hardware.
If you got a $20 10g Ethernet, chances are you didn’t get one that is well supported on FreeBSD. They currently lag behind Linux on the drivers for those. If you had a fully supported card, network throughput often beats Linux (with the caveat that it is going to depend on what you are doing with the firewall and QOS, obviously).
I used pfSense for years and switched to OpenWRT. I highly recommend OpenWRT. pfSense is kinda trash IMHO. I tried to set up traffic shaping, so I could play games while my roommate was watching Netflix, and it just doesn’t work as advertised. I tried like 20 different configurations for the traffic shaping, following all the documentation, guides, countless forum threads, etc, and none of it worked properly when you actually test it. At the end of the day, I concluded that nobody understands how to configure traffic shaping on it and even the developers didn’t realize it was broken.
OpenWRT, on the other hand, just works better out of the box, and has the right level of customizability for home use. It has a way better ecosystem around it where you can download extra packages with GUIs… it’s just much nicer to use, and doesn’t have the QA problems I had with pfSense.
Thanks for the reply. At this point, I’ve decided I’ll need to try both. Fortunately my old router still works. I just need to make some hardware decisions now as I don’t have any hardware with multiple lan ports to try it out on. I don’t want to buy twice, so I’m trying to figure out what I’m going to need to overshoot my requirements a bit but not go crazy overboard and overspending for unused specs. My current router is the GliNet Flint 2 which has an open-WRT advance mode that I’ve messed with a little bit.
I used Pf as my vlan router and it worked fine but was surprisingly clunky and a bit resource heavy.
Openwrt seems to offer all the same stuff and is shockingly efficient. Also works in lxc containers effortlessly
Couldn’t recommend it more
Opnsense. You can buy Protectli if you don’t want to build.
It’s expensive though. I was thinking about Protectli (a year ago) but then I specced something that I could have for less than a 100 bucks self-built and it was 400 bucks in a small non-repairable factor. No thank you sir :)
Opnsense or pfsense are good options. Most people would suggest the former.
If you use your existing router as an AP you need to ensure it has a different IP address than your firewall and turn off DHCP.
If buying APs most would suggest unifi access points for their features and ease of use.
The *sense options let you use WireGuard, OpenVPN, or others like Tailscale, tinc.
For hardware, any dual-NIC (in the speed you want) N95, N100, or N150 mini PC should more than meet your needs.
Just go with OPNsense. Fully FOSS and comparable with corporate software feature-wise.
My choice is OpenWrt and specialized hardware. It is much better suited for home use and has much lower power consumption (i.e. silent). Right now I’m looking for a replacement for my home router and going to buy one of the Banana Pi boards. However in the US the optimal choice may be different.
Been using OpenWrt on a Pi 4 for many years now. It’s been flawless. I’m using Ubiquiti APs. I’ve now replicated this setup in 4 more households with similar results.
I’m running an older Asus router that is listed on the OpenWrt site. Would it be the most affordable option to just install OpenWrt on this device and manually bring over my current configs?
Probably. If you use the WiFi on it, make sure to check if its WiFi is supported.
Should I use PFsense or OpenWRT?
I wouldn’t recommend pfSense unless you’re already invested in it (e.g. already have a pfSense setup and want to transfer your config files and settings over). Netgate (parent company) has been moving towards their paid versions (pfSense Plus and TNSR), the Plus version is free if you buy their router otherwise will cost you some money for a subscription. And meanwhile they stopped providing current downloads of full installs/builds of the free community pfSense so actually getting the current 2.8.1 is a hassle now - you’re expected to download their Netgate installer that needs internet access to download the full install while installing the router software, or you need to download/install an older version of pfSense (2.7.0 I think) and then get online to update it to 2.8.1.
Just went through all that doing a re-install, it’s crazy that I need to have internet access to install the router that will provide internet access LOL.
OPNsense is a well known alternative. OpenWRT could work too but I haven’t used it personally.
This is good info. I remember hearing a little bit of that and someone set me straight on DDWRT vs OpenWRT as well. I think I’ll take OPNsense for a spin.
OpnSense is amazing.
I’ve used it for over 10 years after using a ton of other stuff. I run a 10G fiber connection from my router to my 10G network backbone with multiple vLan’s. My ISP provides me a 1Gbps fiber connection to an ONT. I also use a Netgear LM1200 as a wired Cellular backup which OpnSense selects automatically when the fiber loses connectivity.
I am running mine using a Xeon E3-1226 v3 in a Supermicro X10SLL-F with 16GB of RAM and a 128GB Sata SSD. 10G is provided using a Mellanox ConnectX3 and an SFP+ module with OM3 Fiber.
I’m running a Quanta LB6M for my fiber backbone and a Dell PowerConnect 5548 for 1Gbps ethernet connections.
For WiFi I use a pair of TP-Link Omada EAP-650’s with the OC200 controller using POE. It hands over seamlessly as clients move around the house and I’m planning to add a 3rd AP upstairs when I have finished my solar install and completed the building of the master suite.
Sounds like you are pretty far along in your networking journey. I can appreciate the vLans and the 10G backbone, but a lot of the hardware you mention is over my head. :D I’d take the miniPC route, but like you, I’d like to attach my 4g router as a failover.
Yes, I’ve been tinkering for a while. The network piece I have had the longest is actually my 10G switch. Previously I had a couple 8 port switches but when I started wiring the house up I didn’t want to be playing any games.
I buy a lot of used enterprise equipment. If you are planning to have multiple access points that can use POE (power over ethernet) you can buy a new 5 port switch and be ok but if you are thinking about cameras a used 24 or 48 port POE switch from ebay will save you a ton in the long run. The Dell PowerConnect 5548 (48 port 1Gbps switch) I am using provides two 10G connections so that I can use a pair of DAC (Direct Attached Copper) Cables for a total of 20Gbps from my 10Gbps backbone. It’s overkill but it means even with multiple cameras, ap’s and wired clients I don’t have to worry about oversaturating the connection. My camera server also connects via fiber as does my NAS/media server.
Mini pc’s are great right up to the point where you want to expand beyond what they are capable of. Without a PCI Express slot upgrading the network will require the use of a USB adapter but they can be more of a pain than it’s worth. You can find stuff with more ports but there is a point where it will probably be cheaper to just get something you can expand with.
For failover to 4G the Netgear LM1200 has the option to go between your current internet connection and your router and negotiate the connection and automatically switch. I just use it like an ONT (Optical Network Transceiver) or Cable Modem and let OpnSense control the switch over because then I get accurate measurement of the data used and length of downtime. But that also means I need a minimum of three ethernet connections two for WAN and one for LAN.
I purchased my router parts used on Ebay. A similar setup in a 1U format (which I wouldn’t recommend unless you have a place where you can keep it and not hear it in your day to day life, are deaf, or are wrong to swap it into a new case with a different cooler) can be picked up as of right now for 185.00 plus tax and about 35 shipping.
If you have questions though please feel free to ask.
If you have a SOHO router already and it’s compatible with openwrt, use that. Otherwise, build a cheap x86 PC with 2 or more nic ports and use OPNsense. pfSense is probably not a great option anymore for reasons already outlined in other comments.
Thanks for the reply.
I have devices I could use, but they’re earmarked for other projects. I’m looking at acquiring hardware specifically for this project. I could acquire it at a garage sale or a classified ads site. I don’t really want to spend more than $350 if I can help it and even then, I have to be able to justify that to myself somehow. (since that’s almost enough to add another 2TB of SSDs to my server). Having said that, if the features I want are only present in pricier hardware, I want to find that out now.
I have a 4g WiFi router I carry around when I travel that I call “the hockey puck”. It also has an ethernet port, so when I’m home, I take the battery out and attach it to my router as a backup in case the fiber fails. If I want to do the same thing on OPNsense, I would need to add an expansion card with more network ports, right? That would steer me from miniPCs to barebones router hardware or a small-form-factor PC build where I could add as many NICS as I have PCI slots.
Does wanting a 2nd WAN pretty much rule out mini-PCs for me?
Even in my God Tier build-dreams, I only have 2WANS a LAN and a management LAN. :D
I have seen 6 port minipcs like this one https://cwwkpc.com/products/mini-pc-firewall-c6 so number of ports is not an issue as long as you are prepared to pay for it. I think you’ll find more ports with similar keywords (industrial, firewall, fanless, etc).
My setup, which I think works well, is to have OPNsense on the miniPC as router/firewall, and separate WiFi APs. This setup has lasted me around 5 years now and will probably last as long as OPNsense and openWRT (for my APs) had decent support for my hardware. Well worth the money and effort in my opinion, and separating the router/firewall from the AP allows you much more flexibility.
If you need wi-fi that automatically disqualifies PFSense. Also OpenWRT is Linux and is a bit easier to troubleshoot than PFSense that is FreeBSD.
They will have WiFi AP.
And this is just me, but I never had to troubleshoot the OS part of the OpenWRT or OPNSense.
I see I see.
I actually had to troubleshoot and I was so glad it’s a familiar OS (Linux) rather than something I never touched. If it was something non critical I would probably opt for the unknown to have fun learning, but network is such an important thing that I want something I can fix fast if needed.
I’ve got pfsense on a VM, works great. Opnsense is good too and easier to deal with than digging out a download from Netgate, but doesn’t have pfblocker integrated.
im in the same boat as you. tried opnsense for a week, but the webui is really not that friendly for a total beginner like me. im running ipfire right now, which offers less options but thats a + while im still learning the basics.
Glad to know I’m not alone! Sometimes it feels like everyone else has either figured it all out, or I’m charting new (and potentially silly) territory and nobody knows wtf I’m doing.
I’ve been doing Linux stuff for a long time, but I was still living under my parent’s roof back then so I never had to network anything, I just had the wifi password. After school, out in the world, I still didn’t have my own network for quite some time. Only in the last few years have I really started to grasp how it works well enough to actually do something useful with that knowledge. I’ll take a look at ipfire too. Luckily my current router is still functioning okay, so I have time to play around and see what software will work for me. Right now I have to make some sort of decision about hardware because I don’t have anything with dual ethernet on hand.
i bought a asrock n100 board and put 2 additional nics on it. then i configured ipfire with the red, green and orange mode. (red = wan, green = lan and orange = dmz) that way i can self host a vps inside the dmz and run the lan network without a vlan. i dont know if thats the best way to do it, but there are so much new things to learn i still dont know anything about and want to keep it as simple as possible.
you could start with a simple thin client with multiple nic‘s and get a similar price than my n100 with 4gb ram but i wanted the ability to swap some parts if needed and thin clients are rather limited in that aspect. edit: also i needed a nic with poe for my wan and thats hard to find in a regular thin client. i didnt search that hard though.




