Picking a home router

Discussion in 'Networking & Security' started by compgeek89, Feb 23, 2019.

  1. compgeek89

    compgeek89 Limp Gawd

    Messages:
    142
    Joined:
    Nov 30, 2018
    I'm in the process of choosing a router and I'm having a hard time settling on anything.

    History of routers for me, I used a Linksys WRT54G for a long time with DDWRT/Tomato.

    After that I used a WRT1200AC with DDWRT and overall was happy with it.

    Bottom line is, I am moving to a new place and won't have the WRT1200 anymore. It looks like the WRT3200ACM was a favorite for open source firmware, but in reviews I've been reading about issues with recent revisions and DDWRT compatibility. Open source isn't an absolute requirement, but I've never liked factory firmware in the past. Always led to needing regular reboots and other issues. Maybe there are better options these days. If anyone has expertise in this area I'm interested in your input!

    I'm not a gamer, but I need reliability for day trading. I also plan to be hard-wired for that, though I have some wireless devices. I'd like something reliable, cost-effective and that will be sufficient for the long haul.
     
  2. MrGuvernment

    MrGuvernment [H]ard as it Gets

    Messages:
    19,169
    Joined:
    Aug 3, 2004
    Grab an APU2 and put PFSense on it then get some Ubiquiti AP's and you got a high end firewall and awesome AP's vs likely exploitable and poorly updated "consumer" routers :D
     
    acascianelli, FNtastic and extide like this.
  3. compgeek89

    compgeek89 Limp Gawd

    Messages:
    142
    Joined:
    Nov 30, 2018
    I am incredibly intrigued by the idea of a DIY router. Where could I get more info on this?
     
  4. Mackintire

    Mackintire 2[H]4U

    Messages:
    2,891
    Joined:
    Jun 28, 2004
    DDWRT has been a pile of dung living off of its history running on the Linksys WRT54G for over a decade. If you'd like to migrate into this decade, look at any of the superior forks such as Shibby Tomato. The supported hardware for Shibby's Tomato is here: http://tomato.groov.pl/?page_id=69

    And then use that hardware list to load the improved HTML 5 interface available here: https://advancedtomato.com/

    If ASUS is your flavor you can install Merlin firmware (which is slightly more feature rich than the factory version), available here: https://asuswrt.lostrealm.ca/

    There's a number of us who love ubiquiti router hardware and are sitting on firmware 1.10.8 and use something else for wireless.

    Zyxel make the VPN50 if you need robust commercial grade VPN at a somewhat reasonable cost.
     
  5. extide

    extide 2[H]4U

    Messages:
    3,434
    Joined:
    Dec 19, 2008
    Yeah I have been running PFsense for years -- it's friggin great. Check it out for sure. You will want a separate Wifi AP though, because the wifi support on freebsd sucks.
     
    FNtastic likes this.
  6. compgeek89

    compgeek89 Limp Gawd

    Messages:
    142
    Joined:
    Nov 30, 2018
    Appreciate this input. I am out of the loop. What are the top open source options at the moment? Is Shibby Tomato the standard?
     
  7. MrGuvernment

    MrGuvernment [H]ard as it Gets

    Messages:
    19,169
    Joined:
    Aug 3, 2004
    compgeek89 and FNtastic like this.
  8. FNtastic

    FNtastic [H]ard|Gawd

    Messages:
    1,419
    Joined:
    Jul 6, 2013
    compgeek89 likes this.
  9. compgeek89

    compgeek89 Limp Gawd

    Messages:
    142
    Joined:
    Nov 30, 2018
    I'm sold. I'm gonna go this route. On the pcengines site, what all do I need? I can't quite tell. I assume I'll want a case, do I also need an AC adapter or anything else?
     
  10. FNtastic

    FNtastic [H]ard|Gawd

    Messages:
    1,419
    Joined:
    Jul 6, 2013
    Visit pcengines.ch and click on the Shop at the top. The tabs you need are "apu", "misc", and "flash" to put this together. I've also added assembly just in case you don't want to complete that step yourself. You'll also want to spend the couple of dollars on the debricking tool to have it in case anything goes wrong, so you're not stuck with a paperweight. And, trust me, just buy the USB to serial cable they sell.
    Here's a screenshot of the parts you'll want to put in the cart to purchase Screenshot_20190224-083416__01.jpg

    Of course, you can change the version of the board to the 2GB version. And, you have the option to choose whichever SSD you like. I just put the smallest SSD on there as a starting point.
     
    compgeek89 likes this.
  11. compgeek89

    compgeek89 Limp Gawd

    Messages:
    142
    Joined:
    Nov 30, 2018
    Many thanks! Is the Ubiquiti Unifi Ap-AC Lite from the thread you linked to a good choice for the access point?
     
    FNtastic likes this.
  12. FNtastic

    FNtastic [H]ard|Gawd

    Messages:
    1,419
    Joined:
    Jul 6, 2013
    Generally for 1000-2000 sqft. Any more, and you're going to want multiple, or the higher end models.
     
    compgeek89 likes this.
  13. rtangwai

    rtangwai [H]ard|Gawd

    Messages:
    1,369
    Joined:
    Jul 26, 2007
    OP, before you go buying a bunch of extra hardware if you have a spare desktop computer and a couple of NICs lying around you can build a pfSense box to test out first. That way you can have a better understanding of whether it meets your specific needs.

    Also, if you run a server at home that is a Type-1 hypervisor (Hyper-V, ESXi, etc.) you can run pfSense in a VM. I am running pfSense on ESXi now, I'm about to switch to Hyper-V and I have tested pfSense successfully in that environment too so I know it works. If you use good NICs (Intel is highly recommended) you don't have to passthrough the NICs and the paravirtualized drivers are nearly bare-metal speed, I have no throughput issues at all on my 500mbps Internet connection. In fact when I was testing pfSense on a 1gbe Internet fiber connection it was 20% faster in speed tests than the HomeHub 3000 fiber modem/router my service comes with.

    pfSense works quite well with my Ubiquiti UAC-Lite, but the Ubiquiti AP does require controller software to configure (doesn't need to be running all the time for the AP to work). If you have a server handy then you can run the Unifi controller software full-time (I currently run it on a Windows Server VM).
     
    compgeek89 likes this.
  14. compgeek89

    compgeek89 Limp Gawd

    Messages:
    142
    Joined:
    Nov 30, 2018
    Unfortunately, I don't have a desktop around that would be good for trying this out, though I did consider that route. I don't have much experience with the T1H tech either, though that is an intriguing route.
     
  15. rtangwai

    rtangwai [H]ard|Gawd

    Messages:
    1,369
    Joined:
    Jul 26, 2007
    Type-1 hypervisors are very useful but not what I'd call "user-friendly". If you have a workstation w/2x NICs you can run pfSense on a Type-2 hypervisor like Virtualbox (or if you are running Win10 Pro you can use Hyper-V). That way you can poke around in pfSense and especially check out the plugins like pfblockerNG and Squid.

    pfSense is great but it does take a bit of time to master, which is why I'm suggesting you give it a trial run before committing resources.
     
    compgeek89 likes this.
  16. compgeek89

    compgeek89 Limp Gawd

    Messages:
    142
    Joined:
    Nov 30, 2018
    I'll definitely give it a look. Thanks for the insight!
     
  17. ThreeDee

    ThreeDee [H]ardForum Junkie

    Messages:
    10,669
    Joined:
    Sep 5, 2001
    I'm lazy .. I use an EdgeRouter and a free OpenDNS account
     
  18. tedych

    tedych Limp Gawd

    Messages:
    372
    Joined:
    Jan 18, 2013
    You can look at Mikrotik devices. Also not very user-friendly for first-timers but very sophisticated, reliable, stable and cheaper than similar devices from big names like Cisco etc. They have a range of routers/switches (and APs) for every need and price. Their main product is the RouterOS operating system but they have hardware paired with it since long.
    My Mikrotik is currently on its ~140 days uptime with no issues, and I only restart it when I update it (updating is very easy and fast).
     
  19. Shikami

    Shikami Gawd

    Messages:
    653
    Joined:
    Apr 5, 2010
    Hands down if you can use pfSense. I would seriously recommend it; at least just for locking and securing your DNS requests is a good enough reason for it (https://docs.netgate.com/pfsense/en/latest/dns/blocking-dns-queries-to-external-resolvers.html). I wouldn't get an APU(x) system due to the fact that gigabit is starting to get really common, but also due to what user packages you may wish to install because you add filtering, and that can start to tax a system. Only negative is user configuration to get proper networking speed (q.v. flow control off, interrupts a second, et al for an Intel Ethernet). For within the $500 range you can get a lot of performance that will last you a long time and be within the power wattage that isn't a waste. Just attach the previous router as an AP, and all is set.

    Built mine three years ago with a ASRock QC5000-ITX/PH, Intel 350-T2 (the best since it has virtualization queue support and perfect performance for 1Gb), a 400w fanless PSU, and an SSD. I feel you get more for your money with supported instruction features with AMD than Intel. The lesser chips are gimp'd and lucky that they at least have AES, but may not have any BMI 1-2 (BMI 1 is TCP related), or even AVX which can speed up VPN with AES too. Good thing is, you can retire it as a game cabinet, or kid's computer, or something later.

    This is a decent channel for pfSense too. May help out some: https://www.youtube.com/channel/UCHkYOD-3fZbuGhwsADBd9ZQ
     
    Last edited: Feb 25, 2019
  20. FNtastic

    FNtastic [H]ard|Gawd

    Messages:
    1,419
    Joined:
    Jul 6, 2013
    This is a good point if you're getting in to gigabit. I will add that I have 100mbps ISP connection. I run filtering, OpenVPN server, DNS blocking, DNS over TLS, and almost any other service available on the pfsense. The APU is not going to do all this at 1gbps and keep up top speed. Although, I haven't found anything in the same price range that will get you into gigabit with all of those features enabled. The motherboard you recommend, alone, cost more than the whole pcengines solution.

    If you plan to go gigabit and want every drop of that connection along with IPS/IDS, DNS blocking, OpenVPN server, etc, etc all running, you'll want to look at spending more money than an APU. If you don't need every drop of that bandwidth (most people will never notice), and/or you don't want to run all those packages/filters, the APU is a perfectly good fit at a pretty reasonable price!
     
  21. OFaceSIG

    OFaceSIG [H]ard|Gawd

    Messages:
    2,019
    Joined:
    Aug 31, 2009
    That is what I did except with old used hardware (see my sig for hardware configs) and it runs GREAT.

    Yup!
     
    Last edited: Feb 25, 2019
    compgeek89 likes this.
  22. OFaceSIG

    OFaceSIG [H]ard|Gawd

    Messages:
    2,019
    Joined:
    Aug 31, 2009
    Another huge advantage I just found out is that as of 2.4.4 pfSense DNS over TLS is a GUI feature, no longer an obscure command line option. It totally cuts your ISP out of your browsing.
     
    compgeek89 likes this.
  23. FNtastic

    FNtastic [H]ard|Gawd

    Messages:
    1,419
    Joined:
    Jul 6, 2013
    Works a treat too!
     
    compgeek89 likes this.
  24. compgeek89

    compgeek89 Limp Gawd

    Messages:
    142
    Joined:
    Nov 30, 2018
    So last question ... Maybe :)

    Should I go with the APU2? Or should I look for a good cheap mobo/cpu/ram combo in the classifieds? I'm looking at $200 for the APU setup. I'd happily spend that or a bit more for a stronger setup with a VGA port if it were worthwhile, but I can't get a good feel for what the pros/cons would be from my research.

    Let's say I go with some desktop hardware, what should I be looking for in an ideal architecture?
     
  25. compgeek89

    compgeek89 Limp Gawd

    Messages:
    142
    Joined:
    Nov 30, 2018
    My last response is essentially a reply to your post here, Shikami
     
  26. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,446
    Joined:
    Oct 29, 2000

    Agreed with this. Can't beat pfSense.

    If you don't need high bandwidth OpenVPN running on the router, there are many mini-PC's that are suitable.

    How much bandwidth are you trying to support?

    In general, any modern CPU will do, and you don't need much RAM at all. You will want to make sure that any pfSense box you buy or build has two Intel NIC's. Don't even bother with anything realtek based.

    Unlike with a consumer router though, you will need a separate switch. (You can bridge internal NIC's to make them behave sort of like a switch, but performance is usually poor, so you'll want a dedicated hardware switch.)

    If you want to add WiFi, do it separately. I think very highly of Ubiquiti's Unifi enterprise class WiFI Access Points.


    A few years ago, I couldn't find any NUC's or equivalent mini-PC's with dual Intel NIC's, but now they are seemingly everywhere. Instead I built my own with the following specs.

    It sits nice and pretty with ~6.5W power draw from the wall at idle according to my Kill-A-Watt. This may not meet your "affordability" requirement, but I went a little overboard with the CPU as I wanted to push OpenVPN running directly on the router as fast as it will go. You can definitely do this cheaper.
     
    compgeek89 likes this.
  27. OFaceSIG

    OFaceSIG [H]ard|Gawd

    Messages:
    2,019
    Joined:
    Aug 31, 2009
    Two years ago they made the move to require x64. Now for the next version 2.5 AES-NI hardware encryption is going to be a requirement in the CPU. Many older Intels comply, but only the more recent low wattage AMDs apply. https://en.wikipedia.org/wiki/AES_instruction_set

    I've only run Pfsense on pre-built older, and custom desktops. Never had an issue with reliability. Most recent build is in my signature.
     
    MrGuvernment and compgeek89 like this.
  28. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,446
    Joined:
    Oct 29, 2000
    The APU series are cool small embedded devices. I used to use the APU2C4 for my router. It was great if you didn't want to run OpenVPN on it. The CPU just couldn't keep up with that. Compared to a custom built box, you also lose flexibility to change things should the need arise. The price is great though, the form factor small, and it uses very little power compared to a desktop (which is great for a 24/7 device). If you do get one, make sure you get the model with Intel NIC's

    Biggest nuisance about them - IMHO - is the fact that while they are called "APU" they are NOT an APU like we usually use the term. The box has no graphics on board at all. You have to install your OS using telnet via a serial cable, and this can be a pain in the ass, especially since most modern computers lack serial ports, and the first couple of USB to serial adapters I tried, didn't work properly with the device.

    It's a neat concept, but I think I would lean towards mini-ITX hardware instead. Unless you want to try to push OpenVPN, you really don't need much of a CPU. Even used hardware could be a good place to get a deal. Try to find Mini-ITX boards with dual Intel NIC's like the Asrock one I mentioned above, and then plop the cheapest compatible CPU you can find in it. Celerons will do just fine. I also really like the PicoPSU's and M350 MiniITX enclosures from mini-box.com. With those my i3-7100 router idles at ~6-7W at the wall according to my Kill-A-Watt. You need much less power than you think. The lowest end 60W PicoPSU is Prime95 stable at stock clocks on my i3-7100. Only downside is that it doesn't have the 4 pin power connector, so I used a molex adapter for that.


    The M350 is a great little functional case (not my pics)

    AB94_1_201609061264260631.jpg marshalltown_m350.jpg


    The PicoPSU is a really cool concept, that uses an external brick for 12V power, converts it into everything the system needs, and is very efficient: (my pics)

    IMG_20170331_213702.jpg IMG_20170331_213838.jpg

    You just screw the panel mount connector to the hole in the case and can then plug in the power brick on the outside.



    At first I was concerned the Intel stock cooler wouldn't fit, but it just barely made it in:

    IMG_20170331_215359.jpg IMG_20170331_215912.jpg IMG_20170401_141906.jpg

    Voila:

    IMG_20170401_141021.jpg
     
    compgeek89 and FNtastic like this.
  29. FNtastic

    FNtastic [H]ard|Gawd

    Messages:
    1,419
    Joined:
    Jul 6, 2013
    All great points. And, an overall good recommendation. I will note that the box you have in the picture only has 1 ethernet port, which is a huge disadvantage. The APU2 comes with 3. Much more flexibility there. Ultimately, it's about what your goal is. I run OpenVPN on mine without issue. And, it pushes a lot of bandwidth (20+ GB in about an 8 hour period when it's used) and the rest of my services are unaffected. I'm guessing the people complaining about OpenVPN on the APU2 are people with a 1gbps connection and are expecting to get that when they try to download a file over the VPN from another connection? I've successfully streamed 4K over OpenVPN, so I'm not really sure what use case the APU2 OpenVPN application fails in. I'm genuinely curious!
     
    compgeek89 likes this.
  30. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,446
    Joined:
    Oct 29, 2000

    As I mentioned the first two assembled pictures were not my pics. I just googled them to show what it looks like assembled, as I didn't take pics of that.

    The ASRock board I went with has dual Intel NIC's
     
    compgeek89 likes this.
  31. FNtastic

    FNtastic [H]ard|Gawd

    Messages:
    1,419
    Joined:
    Jul 6, 2013
    I glossed right over it the first time. Any idea where OpenVPN application is failing to meet expectations? Streaming 4K seems like a great test to me. I'm also not one of the guys looking to download a file over my home internet connection at 1gbps
     
  32. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,446
    Joined:
    Oct 29, 2000

    Also, yes, I use OpenVPN to tunnel my entire network through a VPN provider, and I have Gigabit Ethernet.

    I wanted to get as close as possible to having always on whole network VPN without any bandwidth compromises.

    With my i3-7100 build I can get ~650MBps via VPN, but I think it is remotely limited, as the CPU load never goes over 20%.

    The AES-NI acceleration on the APU2C4 was much weaker, but my memory is failing me as to what the real world OpenVPN performance was. I want to say maybe 60 MBps?
     
    compgeek89 likes this.
  33. FNtastic

    FNtastic [H]ard|Gawd

    Messages:
    1,419
    Joined:
    Jul 6, 2013
    Thanks for the real-world feedback on a scenario where one could benefit from the higher end hardware.

    I haven't measured my throughput over the VPN. Haven't had to, since 4K streaming looks beautiful. I already have plans to move to 10gb on my home network. So, my pfsense may get an unneeded upgrade anyway :cool:
     
  34. OFaceSIG

    OFaceSIG [H]ard|Gawd

    Messages:
    2,019
    Joined:
    Aug 31, 2009
    I second the Pico-PSU idea. I run two, one on my router build and one on my NAS build.
     
    compgeek89 likes this.
  35. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,446
    Joined:
    Oct 29, 2000
    Interesting. What does your NAS build look like? I've never tried using one of these with multiple spinners. I would have expected that to push the power use up a bit.
     
  36. OFaceSIG

    OFaceSIG [H]ard|Gawd

    Messages:
    2,019
    Joined:
    Aug 31, 2009
    NAS : i5 2390T | ASRock H61M-VS4 mATX | 8GB DDR3 | Seagate 3TB ZFS Mirror | Intel PRO/1000 DP NIC | picoPSU-160 | FreeNAS 11.6


    How did you get a CPU power lead on the 60w picoPSU? The reason I went with the 120w for my router build was for a CPU power lead. I definitely didn't need it.
     
    compgeek89 likes this.
  37. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,446
    Joined:
    Oct 29, 2000

    I know I did OpenVPN speed testing with the APU2C4 before I sold it, but I just can't find the data.

    Here is the comparative OpenSSL benchmark testing between the APU2C4 and the i3-7100 though.

    First the PcEngines APU2C4:

    Code:
    [2.3.1-RELEASE][root@pfSense.localdomain]/root: openssl speed -elapsed -evp aes-128-ecb
    You have chosen to measure elapsed time instead of user CPU time.
    Doing aes-128-ecb for 3s on 16 size blocks: 23413097 aes-128-ecb's in 3.00s
    Doing aes-128-ecb for 3s on 64 size blocks: 18438085 aes-128-ecb's in 3.00s
    Doing aes-128-ecb for 3s on 256 size blocks: 7473361 aes-128-ecb's in 3.00s
    Doing aes-128-ecb for 3s on 1024 size blocks: 2115520 aes-128-ecb's in 3.01s
    Doing aes-128-ecb for 3s on 8192 size blocks: 279464 aes-128-ecb's in 3.00s
    OpenSSL 1.0.1s-freebsd  1 Mar 2016
    built on: date not available
    options:bn(64,64) rc4(8x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
    compiler: clang
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-128-ecb     124869.85k   393345.81k   637726.81k   720221.92k   763123.03k

    Now the i3-7100:

    Code:
    [2.3.3-RELEASE][admin@router.localdomain]/var/log: openssl speed -elapsed -evp aes-128-ecb
    You have chosen to measure elapsed time instead of user CPU time.
    Doing aes-128-ecb for 3s on 16 size blocks: 242729953 aes-128-ecb's in 3.00s
    Doing aes-128-ecb for 3s on 64 size blocks: 207367303 aes-128-ecb's in 3.01s
    Doing aes-128-ecb for 3s on 256 size blocks: 69510589 aes-128-ecb's in 3.00s
    Doing aes-128-ecb for 3s on 1024 size blocks: 17831161 aes-128-ecb's in 3.00s
    Doing aes-128-ecb for 3s on 8192 size blocks: 2219499 aes-128-ecb's in 3.00s
    OpenSSL 1.0.1s-freebsd  1 Mar 2016
    built on: date not available
    options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
    compiler: clang
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-128-ecb    1294559.75k  4412345.31k  5931570.26k  6086369.62k  6060711.94k

    Looks like an average of about an order of magnitude improvement across the board. I should note that by the time I ran the second test, the router was already up and I didn't want to take it down, so the i3-7100 aren't necessarily reflective of a dedicated test. There may be other traffic in the background.
     
    compgeek89 likes this.
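
The two `openssl speed` runs in the post above, compared per block size. This is an added example, not part of the original post: it parses the posted output, re-derives each table figure from the raw operation counts as a sanity check, and reports the i3-7100 / APU2C4 ratio. `openssl speed` times the cipher alone in a single process, so the Mbit/s figure is a ceiling on AES throughput, not a VPN throughput measurement.

```python
import re

# Output copied from the two `openssl speed -elapsed -evp aes-128-ecb` runs
# posted above (version/compiler banner lines omitted).
APU2C4 = """\
Doing aes-128-ecb for 3s on 16 size blocks: 23413097 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 64 size blocks: 18438085 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 256 size blocks: 7473361 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 1024 size blocks: 2115520 aes-128-ecb's in 3.01s
Doing aes-128-ecb for 3s on 8192 size blocks: 279464 aes-128-ecb's in 3.00s
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-ecb     124869.85k   393345.81k   637726.81k   720221.92k   763123.03k
"""
I3_7100 = """\
Doing aes-128-ecb for 3s on 16 size blocks: 242729953 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 64 size blocks: 207367303 aes-128-ecb's in 3.01s
Doing aes-128-ecb for 3s on 256 size blocks: 69510589 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 1024 size blocks: 17831161 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 8192 size blocks: 2219499 aes-128-ecb's in 3.00s
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-ecb    1294559.75k  4412345.31k  5931570.26k  6086369.62k  6060711.94k
"""

DOING = re.compile(
    r"Doing \S+ for \d+s on (\d+) size blocks: (\d+) \S+ in ([\d.]+)s")


def parse_table(text):
    """Return {block_size: 1000s of bytes/s} from the summary table."""
    lines = text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if line.startswith("type"):
            sizes = [int(s) for s in re.findall(r"(\d+) bytes", line)]
            rates = [float(v) for v in re.findall(r"([\d.]+)k", lines[i + 1])]
            if sizes and len(sizes) == len(rates):
                return dict(zip(sizes, rates))
    raise ValueError("no openssl speed summary table found")


def recompute(text):
    """Re-derive 1000s of bytes/s from the raw 'Doing ...' count lines."""
    return {int(size): int(count) * int(size) / float(secs) / 1000
            for size, count, secs in DOING.findall(text)}


def consistent(text, tol=0.01):
    """True if the table agrees with the raw counts within `tol`.

    Small differences are expected: the printed elapsed time is rounded
    to two decimals, the table uses the unrounded value.
    """
    table, raw = parse_table(text), recompute(text)
    return table.keys() == raw.keys() and all(
        abs(table[s] - raw[s]) / table[s] <= tol for s in table)


def speedup(slow, fast):
    """Per-block-size ratio fast/slow for sizes present in both runs."""
    return {s: fast[s] / slow[s] for s in slow if s in fast}


def to_mbit(kbytes_per_s):
    """Convert openssl's '1000s of bytes per second' to Mbit/s."""
    return kbytes_per_s * 1000 * 8 / 1e6


if __name__ == "__main__":
    apu, i3 = parse_table(APU2C4), parse_table(I3_7100)
    for label, text in (("APU2C4", APU2C4), ("i3-7100", I3_7100)):
        print(f"{label}: table matches raw counts: {consistent(text)}")
    for size, ratio in speedup(apu, i3).items():
        print(f"{size:>5} B blocks: {to_mbit(apu[size]):9.0f} -> "
              f"{to_mbit(i3[size]):9.0f} Mbit/s  ({ratio:.1f}x)")
```
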
  38. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,446
    Joined:
    Oct 29, 2000
    Nice!



    One of these!
    0221350_685123.jpg


    I usually don't trust adapters, as they are rarely made with the right power specs, but I figured with something this low powered the risks are low or non-existent.
     
    compgeek89 likes this.
  39. OFaceSIG

    OFaceSIG [H]ard|Gawd

    Messages:
    2,019
    Joined:
    Aug 31, 2009
    I'm there with you. Hadn't even thought about one of those. No issues so far?
     
  40. OFaceSIG

    OFaceSIG [H]ard|Gawd

    Messages:
    2,019
    Joined:
    Aug 31, 2009
    Crazy part is, even with an encrypted volume, only two mirrored HDDs, I'm still nearly maxing out the gig interface, about 970ish Mbps. ZFS rocks the house.
     
    compgeek89 likes this.