Openwrt all the way

Ubiquiti is the most recommended, but this happened recently: https://krebsonsecurity.com/2021/03/whistleblower-ubiquiti-breach-catastrophic/

I am not sure the others are much better, but just FYI in case you haven’t seen it yet.

I can really suggest Mikrotik. They are cheap and very powerful. I have one running in my home as router and access point and it’s work fine from years.

I had a bunch of ARM boards running Docker Swarm, but I am planning to migrate them to some refurbished x86 boxes because they struggling too much with CPU intensive applications (think about ELK). Anyway ARM boxes works fine for DNS or home automation services like HomeAssistant.

DD-WRT router between my network and the ISP router to keep as much in my control as possible and just use their box as an upstream connector, it’s pretty good at that but its UI is restrictive and nasty. Had all sorts of WiFi hassles until I just knuckled down and bought powerline Ethernet connectors for every room with WiFi access points in each one. Gave the 5Ghz and 2.4Ghz networks the same SSIDs and credentials, let the access points sort out the channels between themselves by setting “auto”, and let the clients sort out hopping where they want. Total awesomeness.

https://www.turris.com/en/omnia/overview/

Open Hardware, Free Software. The only blob is for 5GHz WiFi.

Now I just need some libre power line adapters.

I’ve been running a minimal setup with a MikroTik hAP AC2. Related to your Pi-hole comment, I added some NAT firewall config to redirect port 53 requests to the local Pi-hole. Full disclosure: approaching 2 years since I dove down that rabbit hole so the solution I found may be out of date now.

• apu2 with openbsd

• unifi UAP-AC-Pro

• self-hosted unifi controller

My setup might be a bit unconventional to some but I currently have my setup like this:

My Cable Modem is set to bridge mode to avoid double-NAT issues and is connected to a computer running OpenBSD / pf.

The OpenBSD machine takes care of DHCP from the standpoint of both getting its IP address from the ISP as well as giving out IP addresses to my devices. I also do my own DNS in case the ISP DNS goes haywire. You could also do this for a bit of added privacy for your domain lookups.

The computer also has 3 physical NIC cards: One is connected to the Cable Modem, one is connected to a switch for wired devices in the house and one is connected to another switch for DMZ use (such as WiFi WAP for phones, tablets, IoT devices, your own public facing servers, etc…).

I like to keep wireless devices on the DMZ (and the WAP on the DMZ has its own subnet) because I cannot control who is intercepting my signals outside the house. I don’t broadcast my SSID, but that does not go very far.

Since I own the house, I ran CAT-6 cable to rooms that needed it.

I am considering swapping my DMZ switch for a managed one to place different types of devices on their own VLAN. If someone hacks my thermostat or WAP for instance, it might slow them down from island hopping.

Finally, since my devices don’t change very often, everything has its MAC address reserved. If a foreign device hits the network, an IP address is not given out to it. I have a second reservation list for guests.

This also makes it easy for me to see “at a glance” in the logs what my devices are up to since I know which IP address is going to which device.

This setup has served me well for well over a decade. I have heard way too many stories of off the shelf firewalls having hardcoded, backdoor login credentials and what not so I only trust my OpenBSD machine for NAT/DHCP/Firewall, etc…

I have a PCEngines apu4c4 running NixOS as my router, using a custom zone-based firewall script, a pile of OpenVPN tunnels that share routing information using a combination of BGP and OSPF. Within my apartment, I host wifi using Ubiquiti gear (an AC Lite and a nanoHD) with a locally-hosted controller. I see no need to use their cloud offering, and given that my modus operandi is to host everything I can myself, I find it unlikely that I ever will.

For switches, I’ve been using a Netgear GS324T and GS108E depending on how many ports I need; they’re not the most full-featured things I’ve used, but they’re cheap and good enough.

My NAS lives on the other end of one of the VPN tunnels for noise reasons; it’s a used HP DL380e Gen8 server that I’ve packed to the gills with RAM. It’s also running NixOS, and has enough horsepower to handle running a pile of VMs for miscellaneous vendor appliances as well as some publicly accessible services (Matrix, Plex, etc).

All told, it’s simple, reliable, and I can have a full backup of everything necessary to bring back a clean slate on a single floppy disk. If I were doing it again, the only change I might consider is using a custom-built mini PC instead of the APU; it’s not that there’s any problem with the APU, but running nixos-rebuild takes just long enough to be irritating.

In 2014 I decided that I was willing to spend more than the usual $50-150 on a router/firewall, if I could be sure that:

• it would not be a bottleneck on a gigabit symmetrical fiber connection
• I would not find it de-supported in 1-3 years, or lacking in an upgrade to some vital subsystem to prevent RCEs and DDOS.

After a bit I concluded that building a mini-ITX x86 machine and running Debian stable on it would work well.

It’s now seven years later and I should probably replace the USB stick that I use for a daily rsync of the contents.

The machine is described here: https://blog.randomstring.org/2014/11/09/a-new-firewall/

Because it runs a nicely supported OS, I get mail from it when there are necessary package updates. It handles firewalling, IPv6, wireguard, DNS, DHCP, and some basic stats collection.

It connects to a dumb 24-port gigabit switch that handles the other machines in the home office, and then has cross-house runs of ethernet to two other switches and three wifi access points, which are configured in bridge mode and don’t supply NAT or DHCP. I tend to assign consistent IPs via DHCP to every non-guest device, and keep a pool of 30 addresses for guests.

I use an APU2 running pfSense (will be switched to opnsense when I have time) as my router. I have a secondhand cisco sg200-26 switch for my ethernet devices. Wifi is powered by a Unifi AP and I run the controller in a jail on my FreeNAS storage box.

I run a pfSense firewall, a Univention domain controller (which handles DNS and DHCP), and a locally-hosted virtual Unifi controller that controls my Pro access point and my tiny Flex Mini switch. It has been incredibly reliable and I hardly ever need to do anything with any of the components. I could live without the domain controller now, but it has been really handy for managing logins on our family devices and works so reliably that I don’t really have a reason to decommission it.

A Fritz!Box with fiber modem (currently 500MBit synchronous), switch and 802.ac WiFi access point (provided by our ISP, XS4ALL) near the fuse box. Ethernet to the living room and my desk. Most devices are hooked up through Ethernet. We also have a Fritz!Box 802.11ac repeater, hooked up to Ethernet as an additional AP in the living room. Fiber + ethernet has been super-reliable (only a brief downtime once since we moved in here 2.5 years ago). Never had any issues with WiFi through the Fritz devices either.

I haven’t researched AVM (the makers of Fritz! devices) in detail. But they seem like a decent/reliable privately-owned German company that do not do ‘growth hacking’ and other shenanigans. Also, they seem to provide firmware updates for quite a while. I could be wrong, but my impression as a long-term customer has been pretty good.

I have outfitted both my (appartment) as well as my family’s (multi-story house) place, as well as some customer sites with Ubiquiti AP’s. I use them with a “L3 controller” setup where the Ubiquiti Controller runs on a VM in my colocation rack, and all the AP’s report (via the internet) to there to get their updates, configuration, etc. As far as I know, the recent “UBNT is serving ads” discussion only concerns the “hosted controller” variant (where they host the controller for you).

The access points are grouped into “sites” by household, so I can create dedicated accounts for people that may need to change the Wifi password once in a while. They only do WiFi, routing is done separately (and with varying degrees of sophistication). The central management allows me to schedule and perform firmware upgrades which might otherwise get ignored (once installed, most people never look at their infrastructure again, nor do they want to). This is something most “controller-based” systems can do, though, not especially specific to UBNT.

For installation I did a basic site survey for AP placement, laid CAT6 to good locations for the AP’s and installed a central PoE switch to power them. Works fine so far.

The AC Lite hardware is decent for the price and manageability, the pricier models can be worth it if your clients support newer standards and your use-case supports/requires better transfer rates (ie., fast internet connection or lots of local traffic).

In general, I’d recommend running dedicated wiring for AP’s over any sort of mesh solution.

Personally my experience with Ubiquiti hardware is great so far. In my parent’s house, I have installed one UniFi Lite AP (the older one, 802.11ac only) and one newer UniFi 6 Lite AP (this one supports 802.11ax). Both work perfectly but the UniFi Lite AP has a quite weak antenna gain and thus doesn’t have a great range (but this is on purpose: it’s designed for high density networks, where you have many short-range APs instead of one long-range AP). The newer UniFi 6 Lite AP nearly covers the whole house.

So if you want to buy one of these access points, just keep in mind that they are primarily designed for the enterprise, and some of their characteristics (range, PoE power supply, lack of a built in web UI) are a bit different from most consumer hardware.

ISP sucks here in Central London, all I can have are ADSL+ 10mb connections so I opted to buy a 4G home broadband router. It is a Huawei one and it is not bad, it usually gives me a bit more than 10mb but not much more. I attach it using ethernet cables to my trusted Mikrotik Cloud Router Switch (https://mikrotik.com/product/CRS125-24G-1S-2HnD-IN) which can kinda do anything but that I use as mostly a dumb wifi router with cables going to my dock and video mixer. That router is strong enough for me to pick it across the street (it is in front of a large glass window)

Ubiquiti: I have 5 unifi AP ACs at work for the last 6 months, mixed bag. Very nice wifi performance when they work, pretty appearance when mounted on walls, PoE powered. One unit was warrantied a few weeks back (tripping PoE in a loop, not booting) and the rest are having weird behaviours with their built-in guest network feature. Every few minutes all packets from clients on the guest network (and only the guest network) stop routing anywhere. We use ICMP redirects in our environment, so I wonder if that’s playing with their traffic inspection rules. I’m going to try putting OpenWRT on them (I think they might be a supported target), that will make me happier (and let me do easier packet caps to work out the causes of future problems, without having to hookup of external capt equipment south of a PoE injector!).

Home: PCengines APU2 + openwrt for the past year, it has been amazing. Rock solid reliability (much better than all of the SOHO routers I have used over the years, both stock firmware and OpenWRT). No crashes, oddities or mysterious miasmas.

Sadly the APU2 is expensive, around $200AUD with case, mSata SSD and shipping. Given that it’s essentially a low-power x86 box with multiple intel gigabit NICs: check what old computers you have handy and see if they will fill the role. At the time the only units I had that were small enough for my target location were unfortunately pre-2011 computers (Core 2 duos I think?), which according to my calcs at the time would use most of $200AUD idling for three years :P

I’m also using a cheap mediatek wifi router (running OpenWRT) as a wifi AP. It does not provide amazing wifi performance and I have had issued in the past with the wifi conking out (requiring a restart of the interface and/or a reboot); but it seems to have been going ok the past few months. Ideally I’d put an mPCIE wifi card in my APU2, but I stole the last good one I had to use in my laptop. I’m too cheap for anything else, I spent all my Timtam money on the APU2.

I’ve been using a UDM plus additional UAP-AC-Pro for the last few years. I wouldn’t really recommend them — when they work it’s fine, but it also constantly feels like an unfinished product:

• Management interface keeps changing, many things don’t work, or stop working;
• Sometimes all traffic just grinds to a halt in a way where I’ve learned the fastest way to get going again is give in and reboot both devices;
• Windows devices hate my network until I manually disable their IPv6 interface (???? I don’t use IPv6 internally or externally);
• A few months back they rolled out a major firmware automatically that led to me being locked out of all management interfaces for a few fun hours;
• Using multiple APs in a mesh works on some devices, but others continuously cycle between the APs and effectively are locked out of the network, so I had to add special SSIDs for those devices that only listen on one AP;
• Wireless uplink is not performant enough for anything latency sensitive.

I really wanted to like their stuff, but they don’t live up to the expectations they set out for themselves. I don’t think I’ll be adding any more Ubiquiti gear in the future.

PC Engines apu1 running NetBSD performing standard routery things like DHCP, firewall via NPF, etc, with some PoE WiFi access points.

Cable modem (includes router) my ISP provides in the hope that this setup requires the least amount of energy. As long as it gets updated in okay with that.

I absolutely love my Mikrotik RB4011iGS+5HacQ2HnD-IN (https://mikrotik.com/product/rb4011igs_5hacq2hnd_in)

It’s complete overkill, but RouterOS is extremely configurable. You can even configure it with Ansible. I believe you can do Terraform too, but I’ve never tried that.

I seem to rebuild my router at least once a year before purchasing a pfsense appliance.

I did finally write down the minimal viable how-to for me for the next time though: https://jjasghar.github.io/blog/2020/02/14/centos-8-as-my-new-router/

[Comment removed by author]

My firewall is a Protectli FW6C running OPNsense. My wireless access point is a PC Engines APU2 running HardenedBSD.

Eero and Amplifi, depending on a given week.

They are both meh. I am a network engineer by day. I don’t want to mess with that stuff at night. Something something cobbler’s children.

But I’m about at my wits end and about ready to deploy a Microtik/Edgerouter or something.

My home network is used for gaming, streaming media, and webdev work from home. I use Ubiquity APs and consumer switches. I haven’t been affected by the toxicity from the company.

• when I need to extend wifi I buy whatever the latest reasonably priced thingy is from Ubiquity. I disable auto discovery and set a password by SSHing into the unit directly before I install it. Sounds like with latest firmware you also should disable telemetry.
• I don’t use the “cloud stuff”. I have a Linux box I built that runs the UniFi controller software in a Docker container. I control when updates are delivered to the APs. Some scant details on my server: https://jake.tl/notes/2019-11-09-cozy-server
• my switches are dumb generic switches. I don’t care about VLANs or whatever. I buy a new $20 switch when I need one.

Just upgraded from a terrible tp-link modem+WiFi router to a Linksys velop mesh dual band (tp link still handles modem+routing). Internet is 60/20 so really no need for anything more powerful. Powerline links the modem to primary velop node, and also provides Ethernet to the office (end of garden). Pretty good overall, impressed with the velop performance even over dual band, more than keeps up with our internet.

I used to have a Unifi setup with multiple access points. But my new apartment gets excellent WiFi coverage from a single central location, which happens to be next to a coax port for my modem. So now I just have a TP-Link Archer AX50 and 2 TP-Link TL-SG108E switches. But the AX50 can also run in access point only mode, so if I needed more coverage I would just buy more of them and wire them up through the wall.

WiFi 6 is really a game changer. If I shove my phone into the far corner of the furthest room from the AP, I still get 200+ mbps. It’s so stable and fast that I use my desktop over WiFi with a TP-Link TX3000E PCIe card. I get better latency and jitter wirelessly than another PC in the apartment with a mediocre onboard Ethernet chipset. Granted, my desktop’s antenna stand has direct line of sight to the AP. I only tried it because there aren’t any Ethernet wall outlets by my desk, and was pleasantly surprised.

The guest network also supports full client isolation, the most important enterprise-y feature for me. It’s a really great piece of hardware for the price, and dead easy to set up. Been running it for months with zero problems.

Already mentioned, but +1 Ubiquiti for AP’s with self hosted or if possible no Controller install and Mikrotik for small but powerful home router.

Ubiquiti stuff generally very easy to get going fast with and super friendly and pleasant to use.

Mikrotik’s routers are super powerful for the price, you can do a huge amount with a $50 or $100 device but have a steeper learning curve. I’d recommend investing a few hours in setting one up though because it gives you a whole toolbox of powerful low level networking tools in one little box - the opposite of what it sounds like you have now - more UI complexity but much better control. All basic stuff (DHCP, DNS, routing) is reasonably straightforward; then I found that things at the next level of complexity like VLANs, QoS/traffic shaping came in extremely handy from time to time. E.g. In Ubiquiti devices you can assign an SSID to a specific VLAN. So you could configure different VLAN’s in a Mikrotik router with different properties (e.g. internal only with no internet gateway; only allowed traffic through the gateway on specific ports; services/destinations (e.g. streaming) prioritised, bandwidth limited, etc.), so devices are connected to one of these depending on the SSID they connect to.

Also a Mikrotik device with PoE out doubles as your PoE power supply which kills two birds with one stone.

I used to use Google WiFi (and actually worked on the first version) but wanted more advanced nerdy features so switched to Ubiquiti UniFi gear and haven’t really used the power features.

I currently use a ubiquiti edgerouter network firewall (and isp handoff), and unifi[1] on the internal network (switches, access-points). Been looking into other platforms lately though, in case I need to switch due to ubiquiti’s quality slipping further than it has lately.

[1]: unifi controller is a cloud key, but with “cloud login” disabled – only local login

We have DSL. For a router, I have a virtual machine running on an old Linux box with two physical NICs. One NIC is connected to the DSL modem, and the other is connected to a switch. Hanging off of the switch is a wireless access point from … Ubiquiti.

I used to use a couple of USB wifi adapters as an access point, by means of hostapd. It was kind of flaky. Everyone was always complaining about the wifi, so I bought the Ubiquiti.

250 Mbit fiber + TimeCapsule + Ubiquity AC Pro

I’m in the middle of setting up a network with TP-Link’s Omada line. So far it’s been a positive experience. Controller will detect new devices and adopt with a single click. This weekend, I’m setting up outdoor point-to-point across ~300 meters with a couple of their Pharos access points, and I’m hoping everything on the other end gets recognized just the same.

Tiny celeron box with OPNsense for gatewaying, Aruba 1930 for switching, good old Archer C7v2 (OpenWRT) for wirelessing.

Kinda want to upgrade the AP but… current “Wi-Fi 6” devices aren’t OpenWRTable? 6GHz is coming but due to regulations that’s just who knows when? Arghh wake me up when the state of 11ax is not a mess.

If anyone wants a story of what NOT to use, here you go:

I recently moved somewhere where Xfinity was the only option. They said that Fios would be coming within 2 months, so I decided to go with the router rental fee while waiting for the chance to splurge on a nice fiber-optic modem. Still waiting on Fios five months later.

The Xfi router has been nothing but pain. Things I haven’t had to do in a decade, I have to do again. Power cycling the router constantly, being VERY cautious during video calls about how much bandwidth I’m using, you’d really think I was paying for the cheapest option. (A side note: I know equipment is recycled by ISPs but do you really have to send me scratched and dirty routers?)

In terms of NAS, I keep it simple, running an SMB share on a Raspberry Pi. I’ve never had throughput issues, though directory listings take a little while in macOS Finder. Pretty great setup for the price, but no matter how secure I keep it, having it plugged into a router that wants to run an extra unauthenticated network for “subscribers” makes it moot.

How big is your house? What speeds do you need? Do you need low latency e.g. for gaming?

We have a two story house (+ basement) with 600 sq-ft per floor. We have grownups and kids with various devices, video conferencing and streaming video mostly on the first and second floor. No gamers.

I have a single TP Link router (AC1750) positioned on the ceiling of the basement at the center of the house. Serves us just fine.

• x86 hardware for routing & firewall, currently running VyOS (and configured using an ansible playbook I wrote when learning ansible). Using a few vlans to segment the network.
• TP-Link EAPs for WiFi, with a controller running in a container. One controller on each floor, with a few SSIDs on each. I have one of their PoE switches as well, works great with their controller software
• SBC for pihole/dhcp
• A few switches throughout the house (basement, main floor, second floor)

I’m currently setting up a Debian based machine for firewalling/routing with nftables. VyOS is great but I wanted an excuse to learn nftables, which so far has been very fun to learn. Will probably run dns/dhcp on this machine as well. Once I’ve setup the firewall I’ll setup the rest with ansible.

Next step after that will buying and setting up a cli based switch with more ansible. Just for the fun of it!

I’ve used unify stuff in the past and it’s been great, but gave it away to a relative and had some other hardware laying around. Hence the current situation.

I have one Ubiquite AP (the round non-expensive one) but I’ve never been happy with it (except the wifi quality) as I’ve had major problems with it (I seem to be a rare case, many people I know are really happy with the administration) - so if it died I’d definitely buy something different.

Before that I had a WNDR and before that an actual WRT54G with OpenWRT, apparently my needs in this apartment are pretty modest. Wifi coverage is important and it doesn’t have to be completely stupid or lack features I need, but I couldn’t tell you which those are.

I have a Fritzbox 5530 with two Mikrotik Switches connected via Single Mode BiDi to each other and cAP AC from Mikrotik as access points. I had a old telephone cable with a very some hole between the basement and first floor and with Single Mode LC/LC cable from fs.com it was not necessary to make the hole bigger to replace it.

As someone who would rather not spend any time thinking about home networking, I use the router that Comcast gave me and an Eero mesh network, and this setup works really well for my ~2000sqft, 2 floor house. (pre-Eero the wifi was really bad if you were too far from the router).

I run a x86 machine as my router using Alpine Linux as the OS and iptables as the firewall, unbound as the dns server, and dhcpd as the dhcp daemon. My firewall isn’t that extensive, here’s the output of iptables -S (a few forwarded ports have been omitted for brevity):

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Connected to this router are two Unifi AP Lites for WiFi and a few other small x86 boxes for VPN and NAS.

I wanted to run conduit when we moved into our house, but it’s 120 years old and it wasn’t going to be doable with our budget, so we settled on Netgear Orbi mesh. It’s … fine? but we pay for 1.5Gb/s FTTP and I’d really like to be able to get closer to those nominal numbers than the Orbi can provide.

I’m running OpnSense on a Protectli Box as edge router and firewall. A 24p Ubiquiti switch as the main switch. Two small outdoor Ubiquiti switches with POE to power cameras around the house. Another small Ubiquiti switch for the home office.

Three Ubiquiti APs around the house.

Not too happy about the development of Ubiquiti as a company and the latest news in particular.

I have a EdgeRouter Lite with OpenBSD on it. It is simply plugged to a GigE switch and a Unifi AP for wireless. Works really well.

I just burned out my Linksys router. While I used to love the product, they have documented flaw in their chipset.

I switched to a d-link. The interface isn’t as robust, but it says it can support streaming up to 6 devices.
I can get away with only one router in a two story house because I’ve threaded the cat6 from the modem all the way to the center of the house where I put the router. HTH