I am planning to eventually build my own home server, and when I do I will hook it up via ethernet. But I do want to switch away from the generic FIOS router and use my own for more control over my data and security. Any recommendations?

    • thejoker8814@lemmy.world · 4 points · 1 year ago

      Please don’t host a router on a hypervisor VM. That does not benefit security. First of all, a router is an integral part of the (home) network, therefore it should not be dependent on anything, like a hypervisor. You want to be able to replace or update your server/hypervisor independently of each other; for example, in 5 years your router might still be rocking all data, but you would want to upgrade your home server/hypervisor. Furthermore, all that OpenWRT, pfSense, OPNsense kernel/OS hardening is more effective on the hardware itself, especially all RAM/memory-based security measures. Also, if you truly want to be more secure, you use dedicated hardware for multiple reasons: performance is dedicated to only routing/firewall processing (no other service/VM can block or slow down packet processing), reduced attack surface (less software, less attack surface), easier to update.

    • JJGadget@lemmy.world · 10 points · 1 year ago

      This right here. Get something cheap, throw OPNsense or pfSense on it and start learning. It will probably be incredibly frustrating at first, but when it starts to click it is really fun and rewarding.

      I bought an old Dell R210 II years ago and threw pfSense on it, then swapped to OPNsense and could not be happier. It is still in use today, a good 6 years later.

      • Semi-Hemi-Demigod@kbin.social · 2 points · 1 year ago

        I did mine by just adding some iptables rules to set up NAT. It’s all of four commands:

        # Enable IPv4 forwarding; takes effect after `sysctl -p` or a reboot
        echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
        # Masquerade LAN source addresses behind the WAN interface
        iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o $wan0 -j MASQUERADE
        # Allow only return traffic of existing connections from WAN to LAN
        iptables -A FORWARD -i $wan0 -o $lan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
        # Allow anything from LAN out to WAN
        iptables -A FORWARD -i $lan0 -o $wan0 -j ACCEPT

        Just set $lan0 and $wan0 to your LAN and WAN interfaces. For wifi I’ve got a couple Unifi access points around the house for good coverage.

        Yes, I know IPv6 is better and yadda yadda yadda but I can’t remember the addresses let alone type them so I’m not changing anything.
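        A default-deny version of the two-interface NAT setup described above, written as an nftables ruleset in the spirit of the plain-nftables-on-Debian setup mentioned further down the thread; this is an added example, not the commenter’s configuration. The interface names (eth0 as WAN, eth1 as LAN), the 192.168.1.0/24 LAN and the management ports allowed from the LAN are assumptions.

```shell
#!/bin/sh
# gen_nft_router_ruleset WAN_IF LAN_IF [LAN_CIDR]
# Prints a complete nftables ruleset for a two-interface home router:
# input and forward hooks default to drop, LAN is masqueraded behind
# the WAN address, and only return traffic is let back in. The 192.168.1.0/24
# LAN and the LAN-only management ports are assumptions for this example.
gen_nft_router_ruleset() {
    wan="$1"; lan="$2"; lan_net="${3:-192.168.1.0/24}"
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # SSH, DNS and DHCP for the router itself: reachable from the LAN only
        iifname "$lan" ip saddr $lan_net tcp dport { 22, 53 } accept
        iifname "$lan" udp dport { 53, 67 } accept
        # Everything else from the WAN is dropped; rate-limited ping is allowed
        iifname "$wan" icmp type echo-request limit rate 5/second accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Only the LAN may open new flows, and only towards the WAN
        iifname "$lan" oifname "$wan" ip saddr $lan_net accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$wan" ip saddr $lan_net masquerade
    }
}
EOF
}

# Counts the hooks with a drop policy so a caller can confirm the ruleset
# is default-deny on input and forward before loading it with nft -f.
count_drop_policies() {
    gen_nft_router_ruleset "$@" | grep -c 'policy drop;'
}
```

        Check the generated file with `nft -c -f ruleset.nft` before loading it with `nft -f ruleset.nft`, and enable forwarding with `sysctl -w net.ipv4.ip_forward=1`. If Docker runs on the same host it inserts its own rules (as noted in the replies below), which this ruleset neither includes nor overrides.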

        • d13@programming.dev · 1 point · 1 year ago

          I did this as well, but I’m wondering if it was the wrong call. It’s harder to work with firewalls (particularly if Docker is involved), and I’ve struggled with stuff like Syncthing.

          Most likely more learning could solve it, but I wonder if I should switch to a dedicated router OS where more support resources are available.

          • Semi-Hemi-Demigod@kbin.social · 0 points · 1 year ago

            I’ve got almost all of my services running on a separate, bigger system and only have a couple ports open on this one. Iptables isn’t too hard once you understand the shorthand.

            • d13@programming.dev · 0 points · 1 year ago

              I think my problem is trying to run Docker at the same time. Docker messes heavily with iptables and makes it a real pain.

              • Semi-Hemi-Demigod@kbin.social · 1 point · 1 year ago

                The only Docker containers I run on my router are a simple search proxy and an Infrared instance that routes Minecraft server connections to another box on my LAN. But IIRC that took a bunch of fiddling.

        • Jivebunny@lemmy.world · 3 up / 1 down · 1 year ago

          As fast as the slowest denominator in your LAN. So give the PC that you’re going to host this on a decent Ethernet card and you should be flying.

    • jemikwa@lemmy.blahaj.zone · 3 points · 1 year ago

      My only complaint is that, coming from a networking background, Ubiquiti’s OS is awful and makes me want to gouge my eyeballs out. Navigating the interface to find settings makes no sense, it’s not very granular in how you can configure certain filtering settings, dual-WAN setups are difficult to manually change over, and good luck looking at logs to troubleshoot any traffic flow issues (hint: you can’t).

      For someone who just needs a firewall and a VPN endpoint, it’s great. If you need anything more than that, get OPNsense/pfSense. Pairing one of those with Ubiquiti APs (which are actually pretty terrific) is a really solid setup.

    • Uninvited Guest@lemmy.ca · 3 points · 1 year ago

      This is interesting, I hadn’t seen this from them before and I’m in the market for a new router! Does this play nicely with additional access points?

      • Oderus@lemmy.world · 2 points · 1 year ago

        They work with existing Ubiquiti APs no problem. I have the Dream Machine (I guess Dream Router now) and it’s awesome. Wish I got the Dream Machine Pro, which is switch-like and comes with no APs so you have to add them as needed, and it supports cameras.

        • glue_snorter@lemmy.sdfeu.org · 1 point · 1 year ago

          They don’t supply PoE, mind. I’m planning a Ubiquiti deployment:

          5-6x AP 6 Pro
          1x TL-SG1016PE PoE switch (yuck, but cheap)
          1x R86S running OPNsense and Docker VMs, with UniFi controller and Pi-hole in Docker

          The R86S is the same price as the Dream Machine, but good luck running Pi-hole on the DM.

      • girsaysdoom@sh.itjust.works · 1 point · 1 year ago

        I have an older version but I think they all work pretty much the same. It should work fine for you depending on the brand/voltage of the APs you have currently.

        • Uninvited Guest@lemmy.ca · 0 points · 1 year ago

          I have a couple Asus CT8s that are dying on me, so I’d like to see if I can turn them into APs. While I’d eventually like to get on to an OPNsense box, I need a near-term solution (as that will be a steep learning curve for me).

          Is there a resource available that documents compatibility?

          • girsaysdoom@sh.itjust.works · 1 point · 1 year ago

            I’d say they should work fine if you can disable the routing and have them act just like WiFi access points. Then connect the LAN ports to the Ubiquiti and you should be good. That said, I’m not familiar with those devices so take this as you will.

            The only compatibility issues I was thinking about were PoE-related mainly, but those look like they need their own power supplies. Ubiquiti used to push a nonstandard PoE spec with some of their APs, but I don’t think that’s the case anymore.

      • Bakkoda@sh.itjust.works · 1 up / 1 down · 1 year ago

        I just retired an EdgeRouter Lite for a UDM Pro. Finally happy with it after moving on to the 3.x firmware.

        • fraydabson@sopuli.xyz · 1 point · 1 year ago

          Glad to hear it. I went from EdgeRouter to USG and haven’t seen anything since to move to. After all the problems I was hearing about the UDM I didn’t end up trying it.

  • CapillaryUpgrade@lemmy.sdf.org · 12 points · 1 year ago

    You already have some good suggestions, so I just want to mention OpenWRT, which can be flashed onto off-the-shelf router combos (just check their supported devices first, if you go this route).

    • Zozano@aussie.zone · 1 point · 1 year ago

      Love OpenWRT!

      As a networking noob I spent more than a week configuring it to get it right, including needing to SSH into it because I flashed the wrong firmware (do not get NA and EU confused, the difference is enough to flat line your modem).

      But in the end, I eliminated my bufferbloat with SQM; a feature the stock device lacked. I also set up a USB to act as expanded storage to install more software.

    • vividspecter@lemm.ee · 1 point · 1 year ago

      It also works on x86 and has better bufferbloat mitigation than the BSD based router systems (*sense), which means lower latency/pings under heavy WAN (internet) load.

  • sj_zero@lotide.fbxl.net · 10 points · 1 year ago

    Pfsense or opnsense are really powerful options.

    You’ll need a wireless access point as well, but those two are quite powerful and can run on quite powerful hardware.

  • thejoker8814@lemmy.world · 8 points · 1 year ago

    I cannot recommend any consumer router brand, at least not with stock firmware, because none of them has a guaranteed update policy. Further, some of the stock firmware contains insecure protocols, like telnet (yes, still), outdated ciphers (SSL, TLS 1.0), and some feature you want is always missing. Further, they often lack innovative features like WireGuard in updates, which are mostly bug fixes and security patches.

    That’s why I would urge you to consider using one of the router/gateway distributions listed below.

    Depending on your requirements, I can recommend the following router OS:

    • OPNsense (router without WiFi)
    • OpenWRT (router with WiFi)

    If you have an old laptop or PC to spare, you could at least give those two a try.

    Someone already mentioned it: OPNsense runs only on x86 / PC hardware (and MIPS). OpenWRT can be flashed onto a lot of consumer routers as well as installed on traditional x86 / PC hardware.

    OpenWRT has a hardware table on their website for supported models. Some of them come cheap if you buy them used and are pretty decent.

    If you like more flexibility, I can recommend building your own router. Used thin clients, like for example the Fujitsu Futro S920. Thin clients are basically low-powered PCs, which are often cheap on the used market and provide a variety of hardware interfaces. Most use Intel NICs, some have a secondary NIC, can hold SATA disks, provide interfaces for WiFi (PCIe, miniPCIe, M.2) or extension cards, have highly efficient power supplies and the majority are passively cooled. Or get some SBC/low-powered board with the interfaces you need. It doesn’t need to be new hardware.

    • peregus@lemmy.world · 2 points · 1 year ago

      I second OPNsense and Fujitsu Futro S720/920 (from €20/30 on eBay) with secondary NIC (or even router on a stick with VLAN enabled switch). I’d leave WiFi to a dedicated AP.

  • monotux@lemmy.world · 6 points · 1 year ago

    I’m using a ~30 USD thin client with a 4-port networking card (~20 USD), just using plain nftables on Debian. It handles my network just fine (complex rule set with many subnets & rules, 250/100 Mbps connection). Also using codel/cake for traffic shaping, avoiding lousy ping times even when downloading/streaming etc.

    I use two TP-Link EAP 245v3 (ancient by now, but I can still use all my WAN speed from all rooms) for WiFi. Works great.

    If I would redo it I’d use VyOS, OpenWRT or maybe OPNsense, but still using x86 hardware due to cost/power usage/performance. And then newer ceiling access points.

  • Eris@l.os33.co · 6 points · 1 year ago

    MikroTik hEX are stupid cheap for the speed and features you get.

    • glue_snorter@lemmy.sdfeu.org · 1 point · 1 year ago

      Big fan of MikroTik, but it helps to have some experience.

      Haven’t tried the hEX, but the RB2011 would be my default recommendation, and I’ve seen the RB4009 for ~£120 (bargain of the century!)

    • irotsoma@lemmy.world · 1 point · 1 year ago

      Anyone tried out the L009UiGS-RM? Seeing that it could also run my pihole seems like a big advantage. My edgerouter lite is getting old.

  • CriticalMiss@lemmy.world · 5 points · 1 year ago

    It all depends on the features you want in that router and how much you’re willing to spend. I bought a MikroTik hAP ax3, which has many enterprise features (that can come in handy to us selfhosters as well) that I found myself not necessarily needing, but definitely enjoying.

  • Feliberto@programming.dev · 5 points · 1 year ago

    I don’t know if it’s the best one, but I’ve been using the MikroTik hEX S for years and it’s been a great experience so far.

  • Decronym@lemmy.decronym.xyz (bot) · 4 points · 1 year ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters   More Letters
    AP              WiFi Access Point
    DNS             Domain Name Service/System
    NAT             Network Address Translation
    PiHole          Network-wide ad-blocker (DNS sinkhole)
    RPi             Raspberry Pi brand of SBC
    SAN             Storage Area Network
    SATA            Serial AT Attachment interface for mass storage
    SBC             Single-Board Computer
    SSH             Secure Shell for remote terminal access
    SSL             Secure Sockets Layer, for transparent encryption
    TLS             Transport Layer Security, supersedes SSL
    Unifi           Ubiquiti WiFi hardware brand
    VPN             Virtual Private Network

    13 acronyms in this thread; the most compressed thread commented on today has 14 acronyms.

    [Thread #26 for this sub, first seen 11th Aug 2023, 15:25]

  • Moonrise2473@feddit.it · 3 points · 1 year ago

    I like the Fritz!Box ones, but I think in the USA the best is the base UniFi one (Dream Router).

    Or a cheap decommissioned ThinkCentre Tiny M700 with OPNsense.

    • density@kbin.social · 1 point · 1 year ago

      If you run a router on a computer like you suggest, can you also do other stuff with the computer like file serving? Or is it a single-function device for reasons of security or system resources?

      • Moonrise2473@feddit.it · 1 point · 1 year ago

        Theoretically you can install it as a VM on a computer that does many other things, but the more stuff it does, the more chances you need to take it down to reconfigure, reinstall, install updates and so on. When that computer is down, you’re offline.

  • floridaman@lemmy.blahaj.zone · 3 points · 1 year ago

    Here is something I wrote previously under a similar post: “Check out the OpenWRT Table of Hardware; it has a list of firmware-moddable off-the-shelf WiFi routers that work with, you guessed it, OpenWRT. It’s rather versatile as it’s Linux based and can handle VLANs, multiple SSIDs, and of course, you can change the DNS servers.” As I said, OpenWRT is very versatile and runs on many different routers, just find one you like and install it! Many of the supported routers provide Gigabit switching, and some even have multi-gig for your server connection.

  • JackbyDev@programming.dev · 3 points · 1 year ago

    Can you give us some details about your house?

    My house was built in the golden age of having VoIP landlines that needed CAT 5e cable but before cell phones were the norm, so I have a wired backhaul mesh.

    Edit: it occurs to me you probably mean a router-router, being that this is self hosted lol. So disregard haha

    • gabe [he/him]@literature.cafe (OP) · 1 point · 1 year ago

      I live in a town house with relatively good WiFi signal coverage with no extenders needed. I am planning on eventually paying a professional to get wall Ethernet ports installed so I can hook up my most network-dependent devices (gaming desktop, gaming devices) and use the router with the rest that wouldn’t make sense to hook into Ethernet.