by wepple 3048 days ago
I’ve pulled apart router firmware plenty of times, and am never surprised to see nbtscan, nmap, and all sorts of other tools on there.

A lot of ISPs will perform remote diagnosis by connecting into your router and scanning your internal hosts to see if there are any problems.

Between that capability and the generally appalling security of routers, you’re basically on Starbucks WiFi from a security perspective even at home.

Important note: buying an off-the-shelf Netgear/TP-Link/Linksys/whatever might stop your ISP remoting in, but it is still wildly full of vulnerabilities.


This is very informative! What router would you suggest purchasing?
Usually, anything you can install a third party firmware on like openwrt, dd-wrt or tomato (shibby's version of tomato is the one I used the most).

However, I gave up on consumer hardware and went with Ubiquiti for the wifi AP and Mikrotik as my router. It was a bit of a pain to set up all my NAT rules in the Mikrotik router because unfortunately consumer devices do a lot of extra work behind the scenes (like setting up NAT reflection) to make NAT work painlessly. I'm perfectly content with the end result now though.

The opposite for me: I have a Mikrotik hAP ac and am considering using it as an AP only, then buying a Ubiquiti ER-X to put in front of it.
I did consider going with a pure Ubiquiti solution, but after borrowing a friend's ER-Lite and comparing it to running RouterOS in a VM I decided that Mikrotik was a better overall fit for me from a technical standpoint. The RB3011 having a powerful CPU plus the integrated 10-port switch (actually two different switches) helped push me in that direction.

There was something almost zen-like watching 300Mbps of traffic transiting my RB3011 and seeing it utilize 6% cpu.

Ultimately, either is a fine solution, and an ER-X is going to be a lot less fiddly to set up.

I would stay away from Ubnt routing. Which features require disabling packet-processing offloads, and what the performance impact is, is not well documented and varies between models and software versions.

There appear to be many bugs related to offloading as well. The example below is what finally made me decide not to consider Ubnt routers. It may be fixed now, maybe, but even if it is, it was broken for way too long and shrouded in too much mystery, not even making it obvious which models are affected (the thread title was not always that specific either). I can't take Ubnt seriously, even for a home environment, after seeing that basic forwarding is that poor and it's not even their highest priority.

The only good thing that this proves is that at least they don't censor their forums, trying to hide issues.

https://community.ubnt.com/t5/EdgeMAX/UDP-packet-loss-on-Cav...

I'll never move on from a mikrotik router and UBNT wireless.

Also, Mikrotik routers come with a standard config that has NAT with masquerade preconfigured. But I agree there is a TON that is done behind the scenes. That level of granularity is what I am looking for.

I'm in the exact same scenario: Mikrotik router and a Ubiquiti AP. I do have an older 2011; the 3011s are much faster.

The 3rd-party firmwares aren't as powerful as Mikrotik's RouterOS, and the Mikrotik hardware is really pretty cheap, though the UI is pretty bad for it. They're great once you get used to the UI.

I built my own, several years ago, on a (fanless!) board like this:

http://www.pcengines.ch/apu3a4.htm

It has 3 NICs, for inside, outside, and DMZ. You can also put a wifi radio on it and make it an access point.

I run a full Ubuntu on it, with local DNS, DHCP, Shorewall, etc.

I picked up a couple of these and I have to say I'm pretty impressed. They're pretty inexpensive little machines and they ship quick from pcengines.

I have openbsd on one and ubuntu on the other. I'm using the openbsd one for dns, tftp, and a handful of projects. I was thinking about making the ubuntu one into an ap but I'm not sure about what kind of performance to expect vs my current off the shelf router. Have you used it as an access point?

I have an older APU1C4 with two WLAN cards (WLE200NX) and it's hosting two physical APs and a few virtual ones (different BSSID/subnet, one running at 2.4 GHz, the other at 5). I just run vanilla Debian on it... The SD card has finally become corrupted over the years, however. When I reboot it, all my changes that were supposedly flushed to disk are lost. Thankfully I only reboot it occasionally when there are critical kernel updates. I just rsync over the in-memory filesystem to facilitate restoring the previous configurations.

Anyway, I run various services on it, aside from hostapd... It acts as my firewall, gateway, access point, and runs some other services like nginx to proxy some services from my LAN across subnets (like plex, etc) and motiond as a security camera monitor. I've used it as an SSH style VPN at times, in a pinch. When our WAN goes down I can simply plug my phone in to the APU via USB and tweak some iptables rules to use the LTE connection from the phone over USB network interface.

I also have a newer APU2C4, along w/ an AC WLAN card and an msata drive... have had it for years just sitting there, grr. I really only got the newer one since it has AES-NI support on the processor and I can do much heavier VPN traffic, but the SD card issues have become annoying, so I think this post has encouraged me to finally set it up this weekend... Thanks :P

Anyway, I wouldn't hesitate to pull the trigger on any of the pcengines stuff... Go for it!

Just make sure the WLAN cards you use are well supported via hostapd. :)

I installed OpenBSD on my APU and picked up a Ubiquiti AP AC Pro for wifi. I also picked up a couple of wifi NICs that I'd intended to use with hostapd as you suggested. However, I had some spare Amazon points to throw at the Ubiquiti hardware, so I figured I'd give it a shot. It was all super simple to set up, and I'm more than happy with it so far.

Previously I was using an ASUS RT-N66U with Tomato/Shibby, but it had been acting a little flaky for a while: 5 GHz would stop a few times a week, Ethernet connections would drop, and overall wifi connectivity was mediocre at best. The performance was pretty similar before flashing with Tomato.

My new solution is likely drawing a little more power, but I've had no problems with it. Also, I'm impressed with OpenBSD's simplicity. I've tinkered with FreeBSD in the past and found it a little complex. OpenBSD has proven to be significantly more straightforward and easy to configure.

Thanks for the encouragement!

I was planning to build a firewall/router using an ESPRESSObin http://espressobin.net/

They cost $50 and have 3 Gigabit Ethernet ports.

What's the power consumption of this setup?
Negligible... I run an APU1 w/ dual WLAN cards, and am using all of the internal NICs, and running a pile of services on it. It uses less power than a light bulb, even under full load.
A very secure solution is building your own box to run OpenBSD. There are some good guides on how to set up OpenBSD as a typical NAT router / firewall here: https://www.openbsd.org/faq/pf/example1.html

I like PF a lot more than IPTables. I've found it to be far simpler to configure.

Once you use PF, you can't really go back to iptables. The fact that you still can't create anchors or anything equivalent in iptables blows my mind. I can look at any of my older configurations from PF and understand what I was doing very quickly compared to iptables which is much harder to read and much less intuitive.
Can you briefly explain how a PF anchor is not equivalent to an iptables chain? From a very short perusal of the PF documentation it appears to be the same concept to me (i.e. a set of filtering rules you can branch to from another part of the ruleset...)
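For readers following the OpenBSD FAQ link above and the anchor discussion in the last few posts, here is a minimal pf.conf for a two-interface NAT router that also declares an anchor. It is an added illustration, not a config from any poster or from the OpenBSD FAQ; the interface names em0/em1, the anchor name "blocklist" and the file path /etc/pf.blocklist are assumptions. The anchor is the construct the question above is about: its rules live in a separate file and are loaded or replaced with `pfctl -a blocklist -f /etc/pf.blocklist` without reloading the main ruleset.

```pf
# /etc/pf.conf (constructed example; interface names are assumptions)
# em0 faces the ISP, em1 faces the LAN. IP forwarding must be on:
#   sysctl net.inet.ip.forwarding=1
ext_if = "em0"
int_if = "em1"

# Leave the loopback alone and silently drop what the default deny catches
set skip on lo
set block-policy drop

# Reassemble fragments and normalise packets before any rule sees them
match in all scrub (no-df)

# Default deny: every flow that is allowed is named explicitly below
block log all

# Packets claiming a LAN source but arriving on the wrong interface are dropped
antispoof quick for { lo $int_if }

# NAT: rewrite LAN sources to the current WAN address as traffic leaves
match out on $ext_if inet from $int_if:network to any nat-to ($ext_if)

# Anchor: a sub-ruleset evaluated at this point in the main ruleset.
# Its contents come from a separate file, e.g. /etc/pf.blocklist holding
#   block drop quick from { 192.0.2.0/24 } to any     (constructed prefix)
# and are loaded independently with:
#   pfctl -a blocklist -f /etc/pf.blocklist
anchor "blocklist"

# LAN hosts may reach the router itself (DNS, DHCP, SSH) and the outside
pass in on $int_if inet from $int_if:network to any

# The router's own outbound traffic on any interface; replies ride the state
pass out inet

# Nothing is passed in on $ext_if: only state-tracked replies come back.
# Check the file before loading it:  pfctl -nf /etc/pf.conf
# Load it:                            pfctl -f /etc/pf.conf
```

Because PF is stateful, the single `pass in on $int_if` rule creates the state that lets the NATed reply back in on em0; no inbound rule on the WAN side is needed for ordinary client traffic. Rules inside the anchor that use `quick` take effect at the anchor's position, so a blocklist loaded there overrides the later `pass` rules for the addresses it names.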
Usually the issue in setting up a PC to do this kind of stuff is power consumption. Typically it's a minimum of 60W to run an idle PC, while an ARM router would run at 1-5W and have multiple ethernet ports.
Correct me if I'm wrong - I haven't tried it - but it looks like you should be able to run OpenBSD on ARM https://www.openbsd.org/armv7.html

I'll check what the energy consumption on my router is. I'm using an AMD chip which I had lying around. You're probably right that it uses a bit more power than necessary.

I was thinking about getting something like this: https://www.amazon.com/Firewall-Micro-Appliance-Gigabit-Bare... which uses 10W. It should be easy to install *BSD on something similar.

Plenty of routers can be flashed with open source third-party firmware like OpenWRT.
I built my own.

These days, you can rely on Linux on fairly low-end CPUs to handle a gigabit of traffic, including IPv4 NAT, IPv6, firewalling, DHCP and DNS.

For serious firepower, Jetway sells a 10 x 1 Gbit tiny fanless machine with a J1900 Celeron and up to 8GB of RAM, under $400 (without RAM or disk). All most people need is 2 gigabit ports and maybe a good WiFi interface -- although I prefer to scatter consumer WiFi boxes around my house in bridge mode.

I've gone with a Ubiquiti UniFi Security Gateway.

It's not too fancy (but getting fancier as updates are delivered) and does the job well. I wasn't satisfied with the VPN options, so I port-forward to an internal host and set up static routes as required.