Looking for (wired) router/firewall recommendation

metropole

Hi,

I am looking for some help selecting a standalone wired router appliance. I would like a device that offers above-average security, that is not easily hijacked, and that offers support such as updates when needed. I would like not to exceed $400.

Initially, I thought that I liked the idea of integrated virus scanning. But it was pointed out to me that this adds limited value, as most email is transported encrypted from/to the ISP and the AV protection doesn't extend to other ports.
Inbound VPN is not very important. However, I would like a device with a good UI. I am no stranger to IT, but I would like to limit the time spent learning. It would be nice if the device has a lot of default filters/rules built in for popular applications (e.g. SIP, XBOX, ...). Also, I would like to have a good online monitor that allows me to see allowed/blocked traffic easily to tweak rules.


I started to do some research:
1.) Some folks like the Ubiquiti Edge devices. One concern might be the UI.
2.) Came across pfSense. Do not know much about it. Similar to Ubiquiti concept?
3.) Another popular brand is ZyXel. Seems to receive generally good reviews.
4.) Sophos seems to be another good brand that has one model that scales down.
5.) Cisco has lower-end devices as well. But I don't see Cisco much discussed.

There are many more: SonicWall, WatchGuard, MikroTik, ...

Any input is appreciated.
 
1. EdgeRouter Lite - Pretty good device IF you can use hardware acceleration (a lot of features kill this), making it quite slow (250mbit-ish) otherwise, and it also has issues with firmware corruption due to power outages. Nowadays I'd personally look at the Turris Omnia if you're looking for gigabit performance ootb. The WebUI is being worked on, but you'll need to use the CLI, which can be awkward if you're not familiar with VyattaOS syntax.

EdgeRouter X - Doesn't do hardware acceleration at all for now, but is quite a bit faster than the Lite router in this mode (about twice as fast). Very barebone otherwise; no idea about firmware stability on this model, but it should be better than the ERL as it's stored in flash. As far as features go, I'd expect these to be pretty similar.

If you're paranoid you pretty much need to go for a fully fledged open source solution, as vendors are quite slow (if they even care) to update firmware due to vulns.

2. pfsense and/or opnsense only run on x86; unless you have a 600+mbit connection this is just a waste of money and electricity. Pretty much everything is managed using a WebUI. Pretty prompt about firmware updates; the downside is that you're wasting power (both processing and electricity) since the platform is limited to firewalling/routing. Does have more graphs and stats ootb compared to other solutions. I'd recommend you set up vanilla FreeBSD (what pfsense and opnsense use) or OpenBSD, as it gives you much more flexibility. Might be a bit of a steep learning curve if you haven't used Linux/Unix before.

3. Works fine; the consumer routers are just as bad/or good as your generic brand. The Zywall series is mostly aimed at SMBs, so don't expect the fancy stuff you use at home.

4. Being closed source, and given you have very good alternatives if you're going the x86 route, I don't really see this as an option...

5. Business only in general, not really suited for home users who like WebUIs.

In your case I'd recommend the Turris Omnia, which pretty much does exactly what you're looking for and doesn't eat electricity. If you are used to Linux in general I'd highly recommend you look at the OpenWRT project and a supported device. The EdgeRouter boxes mentioned earlier are supported, but you can find better hardware cheaper that's supported in this case. Most can be handled using a WebUI, but you will probably have to use the CLI at some point.
 
I've always liked pfsense, you can get some super low power micro boards to run it and it will have more than enough horsepower to handle anything.

Secondly, I'd echo diizzy on the vanilla BSD install and doing it all yourself if you want to learn.

Best option for money IMO is OpenWRT and a supported router.
 
Thanks for all the help. So, open source approaches tend to be more secure?

I have done my fair share of DIY solutions. Also (Sadly) I have no Linux experience.
This time I wanted to get a ready-to-go solution. pfSense has an option to buy. But you have to buy from them.

(BTW: I am upgrading from a Microsoft ISA server 2006 which is no longer supported - this was overkill, but I wanted to learn about it for work)
 
Well, pfsense is "pre-packed" but it surely isn't click --> install --> done when it comes to additional packages. In that case it's just as good/bad as OpenWRT (which will most likely serve you great, as Eickst pointed out), but it does come with fewer graphs and whatnot by default. How fast is your connection, and can you get your modem (if any) into bridge mode? Also, where do you live (country?)
 
Well, pfsense is "pre-packed" but it surely isn't click --> install --> done when it comes to additional packages. In that case it's just as good/bad as OpenWRT (which will most likely serve you great, as Eickst pointed out), but it does come with fewer graphs and whatnot by default. How fast is your connection, and can you get your modem (if any) into bridge mode? Also, where do you live (country?)

USA, I have a SB6120 modem on Comcast. Not sure about the speed. I believe 75Mbs.
 
Edgerouters: Great for the price. GUI is weak in places but covers all the basics pretty well. If you're OK with a CLI, the rest is readily accessible. Generally, unless you're doing something weird and/or contrary to recommendations, you'll have no issue with losing hardware acceleration on the Lite (i.e., pretty much nothing you'd ever set up at home will cause an issue here). The problems with the Lite's USB flash were, AFAIK, resolved long ago and were never too widespread to begin with. Pretty good user community, and developers/staff are active in their forums. You'll need to buy a separate WAP.

pfSense: Unless you're repurposing your old PC to run it power consumption isn't so much an issue. Nice GUI for the most part, no CLI. Very extensible via plugins (e.g., Snort, Blacklists, etc.). Large user community, so finding help should be easy. If you have one of those recent small Atom/Pentium/Celeron systems available (or even an old PC for trial purposes) definitely give it a shot. Again, a separate WAP will be needed.

OpenWRT/DD-WRT: Nice options, though it can be hard to find current hardware to run it on as support takes time to catch up. Maybe look for hardware that's been out for a while, and be sure to consult the hardware compatibility list of each release. Consumer-level routers don't have the best reputation for durability/longevity, even when running these releases. Extensible via packages. Pretty good user communities.

Turris Omnia: No. No one really knows what it is or has ever used one, there's only the promises the developers made for the campaign. Being based on OpenWRT it has a good foundation at least, but currently there's no telling what's going to be built on top of that. It won't even be available until April (at the earliest) for those who got in early on the funding, no telling when you'd get one if ordered now. I'd only consider this for someone who's comfortable spending time/money being on the bleeding edge. Maybe check back on this effort in a year or so and see where they're at.

Cisco: Expensive, as I'm sure you know. Especially when you start getting into licenses for extending features. I'd only consider using one if a) I got some kind of insane deal w/all the features I needed, or b) had a business that was a Cisco shop and needed hardware for satellite offices/homes/etc. If you're looking to learn Cisco for CCNA/etc. you'd be better off buying cheap IOS routers/switches for a lab. ASA has a GUI available, but you really should know the CLI (which is just different enough from IOS to be highly irritating). I'd put the likes of Fortinet/Netscreen/etc. in the same category.

Routerboard: I don't know much about them myself. Seems to be liked by a fair number of people. Probably worth a look.

Soekris: Nice, low-power x86 hardware. Perfect for running pfSense, VyOS, etc. But holy hell, are they expensive for what you get.
 
The ERL USB isn't resolved, quite sure it's still even a disclaimer in the WebUI about it.

Regarding OpenWRT, it is not hard at all to find supported hardware if you bother to have a look at the wiki pages. Also, I do find it quite hilarious that you're praising the ERL (which has a very bad durability rep overall) compared to "consumer routers" which may/can work even better. Atheros SoCs that use the 74Kc arch are a perfect example of that: WD MyNet series, TP-Link WDR3X**/WDR4300 series etc. I have such devices running for years by now....

Turris Omnia: On the contrary, people do know what to expect; please read their campaign and about the Turris project before making claims that aren't true.

Soekris isn't nice hardware no matter how you look at it...
 
The ERL USB isn't resolved, quite sure it's still even a disclaimer in the WebUI about it.

No, there's nothing in the GUI about this (at least that I could find). There is a blurb in the manual, similar to what you'd find for other like devices. FWIW, I've pulled the power on my own ERL multiple times over the >2.5 years I've owned it and have never had an issue. If you go through the Ubiquiti forums the subject rarely comes up anymore.

Regarding OpenWRT, it is not hard at all to find supported hardware if you bother to have a look at the wiki pages.

Pretty sure this is basically what I said. Except that I added that it's uncommon for the latest-and-greatest hardware to be supported and to be aware of such.

Also, I do find it quite hilarious that you're praising the ERL (which has a very bad durability rep overall) compared to "consumer routers" which may/can work even better. Atheros SoCs that use the 74Kc arch are a perfect example of that: WD MyNet series, TP-Link WDR3X**/WDR4300 series etc. I have such devices running for years by now....

The fact is, most consumer-level devices are not engineered to last. They can and often do outlive their actual usefulness, but counter to that you often see threads here and elsewhere about devices that aren't that old that need constant attention (i.e., reboots), or puttering out and dying.

Not sure why you cited a particular SoC. I wasn't making any kind of comparison of the merits/drawbacks of particular platforms.

Turris Omnia: On the contrary, people do know what to expect; please read their campaign and about the Turris project before making claims that aren't true.

Yes, we all know what to expect based on what they've promised in the campaign. Nothing I said was untrue. What I was saying, if you'd bothered with reading comprehension, is that at this point we don't know how it'll bear out. Maybe it'll ship feature-complete with everything working properly, or maybe a bunch of features will be missing and/or broken. Maybe the hardware will be solid, or maybe it'll be flaky. Nothing will be known for certain until people actually start receiving and installing them.

To be clear, I have nothing against the project. On the contrary, I hope it works out well. I just advise waiting unless you know what you're getting into and are not averse to the inherent risk of such a product. Right now I think it's a poor choice for most people, including the OP, who just want something that is mostly a drop-in known solution you can actually get now, with some kind of support structure in place in case things go awry.

Soekris isn't nice hardware no matter how you look at it...

Agree to disagree. I like the basic hardware and form factors. The pricing kills any enthusiasm I have, though. I just thought I'd mention it as it often comes up when people start talking about pfSense appliances.
 
Actually you seem to have skipped quite a bit: they've had the Turris project running for years and have already been providing the service they're promising for free. :)

net5501 --> Hello 96, and VIA ethernet on top of that (you can find much better platforms in that regard).
net6501 --> Better, but you can still do better and performance is well not that great.
 
pfsense and/or opnsense only runs on x86, unless you have a 600+mbit connection this is just a waste of money and electricity.

This is generalized and not true. My pfSense draws as much as the R7000. Even the newer SOHO over-the-counter routers draw around ~20W, and a little higher. With the correct hardware, you can get tremendous ability and security at low power and cost per watt.

Personally, pfSense over OPNsense (I like OPNsense a lot, but prefer pf IMO). Also, I'd rather use around 30-40 total watts and use a third-party firmware router, such as the R7000 with XWRT-VORTEX, than use FreeBSD wireless support for now. This gives me an extra switch, extra abilities (such as a DLNA server, etc.) and really good wireless performance.

The QC5000-ITX/PH is what I selected due to better and fatter support than an Atom-based core. This gives some instructions that are not supported with lower-end Intel architectures. Some of these instructions are MOVBE, AES-NI, AVX. But also because memory speed is one of the most important factors: it supports up to 1600 DDR3. Here is a vid of a similar build, and he noted maxing gigabit with it using an older Intel PT adapter: https://www.youtube.com/watch?v=z9AToI-fHeg

The Atom C2000 architecture is too costly for uber VPN ability. The AMD APU motherboard cost me $50. The most wanted C2000, even for home, is http://www.supermicro.com/products/motherboard/Atom/X10/A1SRi-2758F.cfm. This is usually at $339, with deal ranging around $289. For the cost of one C2000 motherboard I basically created a router that is fanless, quiet, and high performance with multiple connection options: integrated mini-PCIe, another network interface, included with my selected i350-T2. Even the less expensive C2000 boards are not really worth the cost, IMO.
 
Uhm... A normal router draws 12V 2A (tops); your average x86 (or even low-power hw) doesn't go anywhere near that. Hell, my laptop doesn't even go below that even running aggressive power saving.
http://store.netgate.com/ADI/RCC-DFF-2220-board.aspx <-- That's rated 5A, which is more than twice as much without anything else, not to mention the difference in price. :)
My WiTi board comes with a 3A PSU and that includes powering 2 SATA HDDs so...

As far as throughput goes, his connection is less than 100mbit so I doubt that'll be an issue anytime soon, and even if it will be later on, it'll be cheaper later on to get a new model rather than getting something overly beefy that just wastes power, if we're going to be cost effective.
 
Uhm... A normal router draws 12V 2A (tops); your average x86 (or even low-power hw) doesn't go anywhere near that. Hell, my laptop doesn't even go below that even running aggressive power saving.

It is all relative. At idle the R7000 draws around 7.x watts. With full utilization it can max out at 33.92 watts according to Netgear: http://kb.netgear.com/app/answers/d...um-power-consumption-for-netgear-wifi-routers. The draw that I see, so far, does not equal that, but it does basically come in under the very small cost of a light bulb for all the hardware and usage. If I were to max out it would still be around the cost of a light bulb.

My point is that the cost of an x86 router is not necessarily a waste of money and electricity.
 
Power consumption does not matter that much to me. And I want to avoid a DIY project.
I would like a device I can unpack and start configuring. BTW, fanless would be nice.

BTW. Is there some kind of certification/test for such solutions?

So, I guess my options are:
1.) Ubiquiti Edge (~$60)
2.) pfSense SG-2440 ($499)
3.) ZyXel - frankly I am not sure which model to add to the list. USG110? (~$600)
4.) Sophos SG 115 (~$460 - but have to be cautious with support packages)

Of course, all with the pros and cons discussed. Are there others I should add?
 
@ Shikami
That seems odd...
"Despite the chunky 42 W wall-plug power supply the Netgear Nighthawk also proved suitably frugal in its power consumption, drawing around 9-10 W from idle to loaded."
http://www.pcadvisor.co.uk/review/w...ighthawk-r7000-80211ac-router-review-3535784/

Regarding that arstechnica article... First of all, he/she/it seems completely ignorant.

"In the consumer world, routers mostly have itty-bitty little MIPS CPUs under the hood without a whole lot of RAM (to put it mildly). These routers largely differentiate themselves from one another based on the interface: How shiny is it? How many technical features does it have? Can users figure it out easily?"

There's a substantial difference between a MIPS 24Kc 300MHz CPU and a dual-core MIPS 1004Kc 880MHz CPU and yes, you can find this in the real world even today. The amount of RAM and connections also differs. Hell, why not lump all x86 CPUs together since they are all 64-bit.

"At the higher end of the SOHO market, you start seeing some smartphone-grade ARM CPUs and a lot more RAM."

Apart from having pretty much nothing in common except the ARM kernel (at best) this is correct, and again there is quite a bit of difference in number of cores, clock speed and arch.

Smallnetworkbuilder doesn't use iperf; it's not ideal (it's very hard to design such a test) but it's at least something to go by. As far as I know no one has ever claimed that it's the law.

"Ultimately, I ended up needing to not only tune nginx, but the Linux kernel itself, in order to reliably deliver the kind of throughput I was looking for." Okay, so you're allowed to tune your server but not the network devices, and makes a valid point later on (or not...).

http://cdn.arstechnica.net/wp-content/uploads/2016/01/download.png

Fine, it's faster than the ARM and MIPS SoCs out of the box; that's no surprise at all. Interestingly he doesn't mention anywhere if the router is tuned or what, just that it runs the same software.

http://cdn.arstechnica.net/wp-content/uploads/2016/01/baseline.png

Uhm.. okay, he has a switch that seems lacking in performance and disregards it as "it should be good enough"? If you're going to do tests, at least have hardware that doesn't interfere with the results. Why is it even used at all?

http://arstechnica.com/gadgets/2016/01/numbers-dont-lie-its-time-to-build-your-own-router/

Obviously you'll need some tuning here; I doubt Netgear spends much time on that compared to other companies or software developers. Do some tuning and you'll get much better results; there's a quick example running OpenWRT which more or less uses default settings.
https://wiki.openwrt.org/toh/d-link/dir-860l#performance

Yeah, x86 computers are faster depending on hardware; no one questioned that. Do consumer routers have poorly optimised firmware in general? Yes, they most likely have. Do MIPS and ARM suck? No, far from it. Also, why would it matter if it only does 500-600mbit if your connection barely does 20% of that?

Agreed, vendors are usually quite slow to update. Running a 3rd-party firmware such as OpenWRT and a few others gives you the same thing as any other operating system.

Also a good question is why he's going to a very old platform in 2016. The CPU was released in Q1'13 and you can find better deals at that price.

@ metropole
If you don't care about expandability I honestly think that the UBNT EdgeRouter X would be a decent choice for you if you can live with EdgeOS. I would however highly consider the D-Link DIR-860L (B1 revision), which runs OpenWRT (uses the same SoC), offers USB (3G/4G, LTE as backup/main connection and/or even storage etc.) and WiFi at the same price. It also has a recovery mode if something goes really bad, which the ERX lacks. The only downside to getting the D-Link (for instance) is that you may still get an old A1. http://www.amazon.com/gp/customer-r.../ref=cm_cr_pr_rvw_ttl?ie=UTF8&ASIN=B00CCIL9NU , also over at Newegg (reports dated 2015 Sept but they don't mention order date). Might be worth asking D-Link as revisions might be regional. I've deployed several with a pre-compiled version of OpenWRT and they've all been running very well, handling connections doing more than 350+ mbit (that includes P2P traffic). It's pretty much flash from stock firmware to OpenWRT and off you go. The UBNT does OpenWRT, but from what I understand from the open source community as a whole UBNT has been more "hostile" against 3rd-party firmware, so don't be too surprised if you get a locked bootloader.
 
@ Shikami
That seems odd...
"Despite the chunky 42 W wall-plug power supply the Netgear Nighthawk also proved suitably frugal in its power consumption, drawing around 9-10 W from idle to loaded."
http://www.pcadvisor.co.uk/review/wi...eview-3535784/

The load is not defined in that article. I am thinking that the draw is just from a single computer to a single associated station. There is possibly no external drive, nor any Ethernet connection in use with that example.

As for the Ars article, I think it explains in terms of performance comparison, and the need in some modern multiple-family-member homes, including guests at times. We are approaching a time for security, performance, and cost for routers which SOHO does not compare to.

Do MIPS and ARM suck? No, far from it. Also, why would it matter if it only does 500-600mbit if your connection barely does 20% of that?

Actually they do suck at networking performance. This is why there are accelerated engines included in the RISC SoCs. Even wireless is offloaded in some routers. Networking is very taxing; the general rule of 1 bit equaling 1Hz still applies even today. However, as some users found, enabling some features disables acceleration, and they lost networking performance.

What RISC is good at is low power and nominal performance, but they are starting to skyrocket in cost for little features and support.
 
Why would you need a box that does, let's say, 900mbit if your connection only does 100mbit? This is like getting a GTX 980 for Solitaire, but if you want to waste money it's a great idea.
 
Why would you need a box that does, let's say, 900mbit if your connection only does 100mbit? This is like getting a GTX 980 for Solitaire, but if you want to waste money it's a great idea.

Options, and longevity. The TCO is not much for the performance and operation. It is only a waste if the person in question has no use for, nor exploits, the supported packages. If that were the case I think he would have purchased a SOHO over-the-counter router with no inquiry to the forum users.

If the consumer knows they have options, but there is limited knowledge of such, the possible solutions will not be economical at all. The options that Metropole is exploring are going to have some cost. He can easily achieve such, and a low power bill, with pfSense. When the advice was "this is just a waste of money and electricity" I felt that it wasn't true. This is obviously because many use low-power x86 architectures for their pfSense routers, and love them because of the security, packages, support, and performance.
 
I think you're just glorifying the reality here really... Longevity based on what? Regardless of what you get, I'm sure you wouldn't find a 5-year-old PC/Router/Whatever as reliable as new hardware. Most consider PCs and such to have reached their lifetime after just 3 years. If I said that pfsense would run on, let's say, the EdgeRouter Lite, would you consider that compared to a PC? Many of your x86 platforms are just power hogs and don't outperform MIPS or ARM SoCs these days; they're just clinging onto old experiences from 6+ years ago.
 
Just get an Edge Router Lite for your 75M connection. Even if you have to disable hardware acceleration it'll still handle your full connection speed just fine.

I'm running an ERL on my fiber 1Gbps connection just fine. Have had it for somewhere close to or right after a year now. Absolutely no issues. They even released a new GUI with new features sometime around June or July of last year.

For the record. I transfer terabytes of data monthly.
 
The ERL USB isn't resolved, quite sure it's still even a disclaimer in the WebUI about it.

Regarding OpenWRT, it is not hard at all to find supported hardware if you bother to have a look at the wiki pages. Also, I do find it quite hilarious that you're praising the ERL (which has a very bad durability rep overall) compared to "consumer routers" which may/can work even better. Atheros SoCs that use the 74Kc arch are a perfect example of that: WD MyNet series, TP-Link WDR3X**/WDR4300 series etc. I have such devices running for years by now....

Turris Omnia: On the contrary, people do know what to expect; please read their campaign and about the Turris project before making claims that aren't true.

Soekris isn't nice hardware no matter how you look at it...

Just checking my ERL with 1.6.0 firmware: the root device is mounted ext3 with journaling and barriers enabled, which should be pretty resilient to power-loss corruption. I've never had a problem with mine losing power and not coming up.
 
You should grab the 1.7.0 firmware. Has some nice features added to it over 1.6.0.
 
@ devman
Pretty sure all versions used that...

In general:
If you plan to use CoDel or such you're going to hit about a 90mbit wall according to users on the forums, so if you're going to use QoS or such (which you most likely want since you're on cable) you might want to consider something more powerful, or even the EdgeRouter X, which is faster (than the more expensive EdgeRouter Lite) in this case due to its SoC. Oh well, you have the options and pros now...
 
How secure is an EdgeRouter (or pfsense)? Is there some kind of certification standard?
 
Edgerouter all the way.

For a basic NAT router setup, the EdgeRouter is ridiculously fast, easy to set up, reliable and secure. If you don't think/know that, then you don't have enough hands-on experience with them.

Pfsense is another great recommendation, though it requires more hardware expense and has not really much advantage if you are not going to install a bunch of other modules.

OpenWRT is a consumer grade software, great for upgrading AP/router combos, reasonably stable, but not better than an edge router.
 
Just to confirm, is the EdgeRouter Lite faster than the EdgeRouter X?

The Lite is faster if you can utilize hardware offload (typically you can with a basic NAT setup).
The X is faster if you cannot use hardware offload (faster processor, but no hardware offload features at all).
 
Why do you think you need a hardware firewall anyway? Is this a home connection?
 
Is an ERL much of a firewall anyway?

It is technically a router. It does not have Firewall features (inspection, proxy, etc.).

That said, most home connections only have a NAT router leveraging iptables for security. Even pfsense, OpenWRT, etc. are just routers (though in the case of pfsense, there are modules that can add firewall features).
 
It is technically a router. It does not have Firewall features (inspection, proxy, etc.).

That said, most home connections only have a NAT router leveraging iptables for security. Even pfsense, OpenWRT, etc. are just routers (though in the case of pfsense, there are modules that can add firewall features).

iptables and pf are both stateful firewalls. They may not have DPI, do transparent proxying or other fancy UTM features, but I disagree with the statement that they are not firewalls.
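The stateful default-deny behaviour this reply refers to, shown as a minimal pf.conf for a home NAT router. This is an added example, not configuration from anyone in the thread or from pfSense itself; the interface names and LAN subnet are assumptions.

```pf
# Added example (not from the thread): minimal stateful default-deny
# pf.conf for a home NAT router. Interface names and the LAN subnet
# are assumptions for illustration only.
ext_if  = "em0"               # WAN, address handed out by the ISP via DHCP
int_if  = "em1"               # LAN
lan_net = "192.168.1.0/24"

set skip on lo0
set block-policy drop         # drop silently rather than answering with RST/ICMP

# Normalise fragmented or oddly-flagged packets before the rules see them
match in all scrub (no-df random-id)

# Source-NAT LAN hosts behind the WAN address
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)

# Default deny in both directions; only rules below that create state
# let traffic (and the replies to it) through
block all

# Drop packets arriving on the WAN that claim a LAN or loopback source
antispoof quick for { $int_if, lo0 }

# The ISP's DHCP server must be able to answer our lease requests
pass in on $ext_if inet proto udp from any port 67 to ($ext_if) port 68

# LAN hosts may initiate anything; replies ride the state entry created here
pass in  on $int_if inet from $lan_net to any keep state
pass out on $ext_if inet keep state

# Nothing initiated from the Internet is accepted: an inbound SYN on the WAN
# matches no state and no pass rule, so it hits "block all" and is dropped.
```

Load it with `pfctl -nf /etc/pf.conf` to syntax-check before `pfctl -f`; `pfctl -ss` then shows the state table that distinguishes this from a stateless packet filter.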
 
iptables and pf are both stateful firewalls. They may not have DPI, do transparent proxying or other fancy UTM features, but I disagree with the statement that they are not firewalls.

Fair enough.
 
How secure is an EdgeRouter (or pfsense)? Is there some kind of certification standard?

If you compare the EdgeRouter series with pf/opnsense and OpenWRT, they're at the bottom end as far as security advisories and updates go. They essentially use the same software apart from the kernel/packet filtering, but UBNT doesn't do frequent updates of software such as OpenSSL, which is heavily used for the WebUI, VPN etc. pf/opnsense and OpenWRT update stuff like that pretty much as soon as possible; however pf/opnsense push these as end-user updates too, whereas OpenWRT is kinda like an upstream provider in that regard, meaning that you need to compile the firmware yourself. That said, OpenWRT can also utilize mbedtls (formerly PolarSSL), which has much fewer security advisories, making it not much of an issue in that regard. FWIW, the Dutch Government also went for mbedtls when looking for VPN software. https://openvpn.fox-it.com/about.html

There are no official certifications for any of these, mainly a pricing issue but also due to the fact that the hardware can pretty much be anything when it comes to pf/opnsense and OpenWRT.

Interestingly, UBNT doesn't seem to keep a CVE list at all?(!)
https://hackerone.com/ubnt?view_policy=true is the closest you get, but that doesn't feel very reassuring...

Edgerouter all the way.

For a basic NAT router setup, the EdgeRouter is ridiculously fast, easy to set up, reliable and secure. If you don't think/know that, then you don't have enough hands-on experience with them.

Pfsense is another great recommendation, though it requires more hardware expense and has not really much advantage if you are not going to install a bunch of other modules.

OpenWRT is a consumer grade software, great for upgrading AP/router combos, reasonably stable, but not better than an edge router.

The advantage with pf/opnsense is that it's more secure due to frequent updates, faster due to more powerful hardware, and it can do UTM if you want it to. The latter is however probably not something you usually need at home.

Don't know if you've used recent versions, but OpenWRT is pretty much plug 'n play these days and the LuCI user interface covers all your daily firewall stuff without any issues at all. As far as speed goes, the EdgeRouter X isn't any faster than, let's say, a D-Link DIR-860L (B1) which uses the same SoC; in fact OpenWRT is likely faster due to the close tracking of upstream (Linux). Comparing speed is more or less pointless unless it's hardware acceleration, but then again, do not rely on that feature alone as it will most likely bite you in the end.

The Lite is faster if you can utilize hardware offload (typically you can with a basic NAT setup).
The X is faster if you cannot use hardware offload (faster processor, but no hardware offload features at all).

That's incorrect; the MT7621 SoC does have hardware acceleration, but it isn't used by UBNT (for now at least). It does suffer from the same limitations as the EdgeRouter Lite, so in short, go for the EdgeRouter X; it's a better platform in the end. There are forks of OpenWRT which use hardware acceleration (by using Mediatek's SDK), as an example.

@ devman
While technically correct, that functionality is another kernel module and/or application such as squid or whatever you want to address, but it does usually require quite a bit of processing power to not add excessive latency.
 
My suggestions:

ASUS:
RT-AC68? or AC66? loaded with Merlin firmware

Ubiquiti:
If you want the pretty GUI and app integration with the UNIFI AP:

UNIFI Security Gateway (the guts are the same as the ERL)

UNIFI Security Gateway Pro 4 (the guts are the same as the ER PRO) (This is probably what I'll purchase next)

and if you want the more enterprise type view

Edge Router Lite (same hardware as the Security Gateway) (This is what I have now)

Edge Router Pro (same hardware as the Security Gateway Pro 4)

Zyxel Zywall 110 (BSD based, fairly fast, but slows down fast as you tack on features, wonderful web based SSL VPN Client)


I used to run pfSense; for my application the ERL was significantly better/faster than that, and implementing fq_codel QoS made Netflix menus load significantly faster.


ERL firmware 1.6 is where I am staying for a while. Firmware 1.8 is a newer kernel and, although Ubiquiti is close to a stable build, it's still slower than 1.7. 1.7 has a different QoS GUI which isn't as refined as the 1.5 firmware + the fq_codel wizard add-on. So maybe midyear when 1.9 comes out and they've patched some speed back into the system I'll upgrade.
 
That's incorrect; the MT7621 SoC does have hardware acceleration, but it isn't used by UBNT (for now at least). It does suffer from the same limitations as the EdgeRouter Lite, so in short, go for the EdgeRouter X; it's a better platform in the end. There are forks of OpenWRT which use hardware acceleration (by using Mediatek's SDK), as an example.


That's not correct. Even if the SoC has it, what matters is what the device software is set up to use.

At this point the EdgeRouter lite is faster if you can use hardware offload, which most normal setups can.

The X has a faster processor, but no hardware offload functionality. It is simply not as fast in some scenarios.
 
@metropole
They're all firewalls, I have no idea what that claim was based upon.
https://en.wikipedia.org/wiki/Firewall_(computing)

@Grentz
But simply saying that it doesn't have hardware acceleration is incorrect, and I did clarify. If you start doing QoS it drastically drops in performance, way below the ERX. https://www.reddit.com/r/homelab/comments/3w8cho/edgerouter_lite_qos_config/

That said, hw acceleration does help, but you're very limited in terms of functionality.

You keep saying this, yet for most basic NAT/Firewall setups you really are not. I use it at many clients with no issue at all. In the early days there were a lot of limitations, not really anymore.

The Edgerouter Lite, even with hardware acceleration turned off, kicks the ass of most routers that consumers are using.
 