by firefistace77 2885 days ago
I'll take this opportunity to ask the community, what is a recommended router?

It's going to be me and my roommate only (with friends and family over) and I would like to get something secure and also reliable (and preferably on the cheaper side)

Any suggestions? I believe we have Cox if that is any factor....

15 comments

Ubiquiti makes great prosumer stuff, if you're willing to pay ~$120 for the 'router', and then another ~$100 for the wireless access point. That's not 'cheap', but it's about on par with what you'd pay for a fancy consumer router that looks like a spaceship.

You'll get a great interface, frequent firmware updates with new features and security fixes, and you'll have a good strong signal at your neighbour's house if you're going for a visit.

You can get the EdgeRouter X for ~$50 and that will scale to symmetric gigabit connections, if your needs are simple (ie. you're just doing basic routing & firewalling, not trying to do traffic shaping, etc). Budget AP option then is a UAP-AC-Lite which you can buy off Amazon for ~$80, bringing your total to $130 all said and done.

That's cheaper than most all-in-one routers, and while you won't get the best single-client bandwidth, you will get much better management/configuration options.

> That's cheaper than most all-in-one routers,

It really isn't. There are plenty of consumer router+AP combos in the $75-90 range that offer equal or better performance to the ER-X + UAP-AC-Lite combination.

I explicitly mentioned that you could beat single stream performance with high end all-in-one routers.

However, no router in that price point gives you the ability to easily expand past one AP, RADIUS VLAN support, the Unifi web interface and so forth.

My last setup was an ASUS N66 dedicated as the router with an Archer C7 as the WAP. Good performance but the configurability and stability (even with ddwrt on the asus) doesn’t compare to the ubiquiti combo I run now.

> However, no router in that price point gives you the ability to easily expand past one AP, RADIUS VLAN support, the Unifi web interface and so forth.

You must be assuming that the user insists on sticking with broken vendor software, instead of switching to OpenWRT. The only software benefit that you don't get just as easily from OpenWRT is centralized management of multiple APs. Adding and configuring APs one at a time is very easy and since home networks never require more than 2-3 APs the lack of centralized management is not a significant issue. RADIUS and VLANs are fully supported by OpenWRT, and the web interface is fine except for the aforementioned limitation that you're only managing one AP at a time.

I suspect your stability issues with the ASUS router were a consequence of you using DD-WRT hobbled by proprietary WiFi drivers, instead of an OpenWRT-supported router. The DD-WRT "project" is a mess compared to OpenWRT, which actually puts out stable releases and operates more like a proper Linux distribution. Third-party firmware distributions aren't all the same.

As far as I can tell, you can’t do dynamically assigned VLANs on wireless via RADIUS on ddwrt, at least not when I looked a few years ago.

I used Merlin ddwrt which was supposed to be dedicated to ASUS hardware. At some point fiddling with wrt takes more time than the nonexistent price difference with the ubiquiti equipment :)

Such as ...?
Not OP, but I've been very happy with a $60 Buffalo N300, running since 2015 with no issues. I run DD-WRT on it, 200 Mbit symmetric fiber uplink, 3 devices connected via ethernet and the rest via wifi covering the whole (wooden) house, and I have port forwards for ssh and https to the server in the garage. Does everything I need and more.

I've been looking for an excuse to go down the Ubiquiti route, but I really can't find one.

The TP-Link Archer C7 has long been one of the best choices for an 802.11ac-capable wireless router, due to being well-supported by OpenWRT. It's currently $75. The only downside is that the CPU is a bit slower than the EdgeRouter X (though faster than the other EdgeRouters), so I looked on WikiDevi [1] for something with the same CPU as the ER-X. Out of the dozens of options, I picked a recent mid-range D-Link and found it listed for $89.99 on Amazon, though I didn't check for OpenWRT support.

I'm personally using a TP-Link Archer C2600 that was on sale for $70 from Newegg in January.

[1] https://wikidevi.com/wiki/MediaTek_MT7621

I deliberately left the OEM firmware on my Archer C7 because OpenWRT cuts the WiFi performance by ~40%: https://wiki.openwrt.org/toh/tp-link/tl-wdr7500

In the end mucking with open source firmware, while interesting, just wasn’t worth it. I found the ubiquiti solution stable and the UniFi management software (especially their iOS app) are excellent for my needs. Plus mounting my AP in the ceiling means I can cover the entire house from one AP and at the same time keep the rest of my networking equipment stored away in the basement.

I'm ashamed by this Networking 101 question, but what prevents you from connecting the UAP-AC-Lite directly to the ISP's device? (Assuming you don't want a physical ethernet connection at all). Is it for DHCP and assigning IPs to the clients?
Nothing. I do this. I think the AC-Lite even has its own DHCP, but I'm using the ISP router for that personally.

Usually the ISP router just sucks at wifi, but I have seen ISP routers which have only 100mbit/s uplink ports when the internet connection is higher. In that case you'd want a custom router also. Or if they ship some router with some features you dislike that you can't disable (like public hotspots, unpatchable insecure config interfaces, etc.)

I believe that the ER-X doesn't scale to gigabit symmetric, while the EdgeRouter Lite does.
ER-Lite has a really weak CPU, and can only get close to 1Gbps using its hardware offloads, which limit what you can do to the traffic passing through the router. ER-X has a faster CPU and can get reasonably close to 1Gbps with software packet forwarding for simple rules, and can handle traffic shaping at far higher speeds than the ER-Lite (though neither can shape anywhere close to 1Gbps).
Another +1 for Ubiquiti. Had a bunch of high end prosumer stuff, ddwrt/tomato, etc. It really is fantastic stuff at least on par with ddwrt and well matched hardware to boot.

Their cloud management stuff is solid (and free with spare PC!) which is great if you help your family set anything up.

Ars did a great deep-dive a while back [1], it's a pretty good read.

[1] https://arstechnica.com/information-technology/2018/07/enter...

Can I use Ubiquiti devices with some kind of slave or WDS mode with my ISP's wifi AP/router?

I just want to extend the range without monkeying with the existing router or running cables. Ideally configuring the slaves to use the existing SSID/WPS config if that's possible.

I don't care (much) about the impact to latency or throughput, it seems like there's excess capacity now.

EDIT: downvoters please join the discussion, seems like an innocuous question to me.

You really want to get rid of any kind of ISP provided router and Wifi as soon as possible.
I've been very particular about using my own router and/or wifi in the past, installing one of openwrt/dd-wrt/tomato and tweaking to my heart's content. I would create a DMZ for one or more servers, do the dynamic DHCP, the whole bit.

But now, the ISP provides a single device that is where they terminate the DOCSIS connection and originate the Wifi router. And casual investigation leads me to believe that I "can't" replace this device. I don't want/need a DMZ or my own public servers. Also, I have less patience for tracking down my own breakage these days. The ISP's device works and performs spectacularly. I know of no public vulnerabilities for the provided router.

So IMO no I don't "really want to get rid of any kind of ISP provided router and Wifi".

You can purchase a modem as a separate device that you could then use with any router. It could save you some money depending on whether or not your ISP charges you for renting their hardware.
Hmm, no idea for your ISP, but most of the ISPs I've used had the option to switch their equipment to so-called "bridge mode", where it just did the DOCSIS/DSL thing, gave you one unfirewalled external IP and let your router do NAT etc.

They usually didn't advertise that though.

How do you like the netgate pfSenses in comparison?
Well, I like it, but I have obvious bias.
In particular, recommendations for consumer routers would be welcome. Last time this came up, the line seemed to be "consumer routers are trash, if you want security you have to use an enterprise router." There might be some truth in this, but it isn't helpful. Surely not all consumer routers are equally bad?
So there are two main issues with consumer routers. The first is that the hardware is garbage. This isn't universally true, but it's a strong general rule, and models get released and discontinued all the time so the short list of models that aren't garbage changes every year.

The main security issue is that the vendors stop issuing security updates after they stop selling the router even though people are still using it, and the software that comes on it is usually crap to begin with. The solution to this is to get one you can install OpenWRT or Debian or whatever you prefer on it, do that as soon as you buy it and then it doesn't matter what the vendor does. But note that not all routers are supported by the software you want to use.

Also remember that a router is just a computer with multiple network ports on it. Adding another network port to your old laptop is a time-honored tradition. The hardware will be faster, the drivers are usually better, it has a built-in battery to survive power bumps, etc.

My first firewall was a Thinkpad 750Cs. ;) I can't recall the distro I was running at the time - likely Debian or Slackware. At one point I returned from vacation to find that the hard drive had failed a couple days earlier. Since the firewalling was in the kernel, all I lost was logging. IIRC the last log message was that it was remounting the root filesystem readonly. It continued operating for a couple more weeks until I could arrange to replace it.
I've always wanted to just use an old junk PC as a router instead of paying for what is basically an overpriced Pi with a 4 jack ethernet card attached. But the problem then is that getting enough ethernet ports in the thing to equal the average router is price prohibitive.

I wish there were $20-$30 PCI-E bridge cards of >2 1Gbit ethernet jacks but they don't exist.

> But the problem then is that getting enough ethernet ports in the thing to equal the average router is price prohibitive.

Unless you actually need the ports to do some kind of network segmentation, one solution is to just plug the inside port into a five port switch (~$15). Which is how a lot of the consumer grade routers are implemented internally anyway.

You also can find quad port gigabit cards around those prices. Currently $22: https://www.amazon.com/HP-NC375T-Gigabit-Ethernet-539931-001...

There are scads of used quad port cards for even less on eBay.

Dual-port start at $18 on amzn ($35 for Intel)? But single-port will do ($12). Then add pfSense, Untangle, etc. to complete the solution.
I've found the ASUS RT-AC series to be pretty good (both 56U and 66U can route my gigabit internet connection and provide about 400Mbit worth of wifi). But for a bit more you can get a Ubiquiti router + AP for an even better experience.
Are Ubiquiti decent? It looks like they have a consumer line (AmpliFi).

Cost is not a primary concern, within reason. Wanting a consumer focused router is more about wanting to minimize set-up time and maintenance. Frankly, I’m not sure I have the time or trust myself to set up OpenWRT correctly/make sure it’s updating regularly/I’m installing the correct version etc.

> Frankly, I’m not sure I have the time or trust myself to set up OpenWRT correctly/make sure it’s updating regularly/I’m installing the correct version etc.

As long as you're not going out of your way to install a nightly build of OpenWRT and you just stick with the stable releases, it's no more difficult than installing new firmware from the manufacturer and configuring it. The web interface for configuring OpenWRT is comparable to what most consumer routers provide, except that OpenWRT's UI is shared across all hardware platforms instead of being laden with vendor-specific branding and snake oil features.

Yes, the AmpliFi line is excellent on the wireless side. I use a MikroTik wired router in conjunction with the AmpliFi to provide add'l features and security. Works well.
Also important, they are popular. Which means more continued support, and more forks.
Yes, I was surprised that my 1st gen 66U (which is now quite a few years old) is still getting security updates. The fact that it runs ddWRT by default also means that I don't have to flash it at all.
> consumer routers are trash, if you want security you have to use an enterprise router

These are trash too, full of closed code with backdoors. Buying small x86 mini PC and flashing it with OPNsense will take an hour. You get open source with GUI on FreeBSD, bulletproof.

Albeit a bit expensive, Turris Omnia is fully open source down to schematics level. It's also pretty beefy with dual-core ARM CPU at 1.6 GHz and 1 GB DDR3.

Its documentation is however a bit lacking unfortunately.

Been running a home network with over ten devices and a fast internet connection with an Omnia Turris for almost two years now. It gets regular updates automatically, is fast and the UI is nice. Fixing things like bufferbloat was easy with the community instructions.

Oh and it's openwrt under the hood, with lxc containers for things such as grafana.

Careful if you started using lxc like I did before they added warnings not to use them with the internal flash storage. You need to have added additional storage via the mSATA slot, and designate that as your storage location before using lxc. Otherwise according to Turris you will burn through your internal memory very quickly.
I did something slightly different: I was donated various low-power, low-noise PC parts from a friend, one of which was a motherboard with two ethernet ports. Chucked FreeBSD on it, configured one port as WAN and the other LAN, connected LAN to cheap-ish switch and from there also to wifi bridge.

Never had a better setup.

It blows any consumer router I've used out of the water in terms of stability, performance, flexibility, security, and user experience.

Getting emails for potential security issues, custom DNS domain for local network, fail2ban bruteforce prevention, QoS, alerting when WAN goes down, and so on, has all been a breeze to set up.

This is quite possibly overkill, but I'm pleased with this setup at home:

    Cost | Purpose        | What
    $109 | Router         | PCEngines apu2c2 http://pcengines.ch/apu2c2.htm
     $10 | Router Case    | http://pcengines.ch/case1d2blku.htm
     $17 | Router Storage | http://pcengines.ch/msata16g.htm
     $30 | Gigabit Switch | https://www.amazon.com/D-Link-Gigabit-Unmanaged-Desktop-DGS-108/dp/B000BCC0LO/
     $80 | Wifi           | Ubiquiti Unifi Lite https://www.amazon.com/Ubiquiti-Unifi-Ap-AC-Lite-UAPACLITEUS/dp/B015PR20GY/
With this setup, the router only does _routing_, so you also need a Wireless Access Point (WAP). Connect it like so: Modem->Router->Switch->WAP.

Install pfSense on the router, configure the Unifi using Ubiquiti's Java app, and you're done. It's about $250 all together which _is_ more expensive than consumer routers, but IMHO it's worth the superior quality. The APU board is well-documented (PCEngines provides schematics!) and the firmware is based on Coreboot. The processor supports AES acceleration for faster encryption (great if you use VPNs!) PfSense is an enterprise-grade router/firewall with scads of graphs and features. And the Unifi has a great antenna with excellent range. Not to mention this setup leaves you with six spare ethernet ports on the switch.

I have always used consumer routers and they worked great. I finally got persuaded by the "consumer routers are garbage" attitude and bought an Ubiquiti edgerouter and instantly regretted it. Yes I can now do very complex configurations and control lots of things I couldn't before. But I really don't want to do that and I can't notice the difference in performance so it was a bit of a waste.

My guess is that if you get a wireless router, wifi signal strength is the most important part, aside from that any mainstream router is probably OK.

> and I can't notice the difference in performance so it was a bit of a waste.

That's because Ubiquiti Edgerouters and APs use the same processors and radios as consumer routers. If there's any truth to the memes about hardware quality, then the differences lie in things like the power supplies. Most of the perceived improvement in stability that Ubiquiti Edgerouters offer comes from having software that is actively maintained and not stuck on decade-old software branches. You can get all the same software benefits (more, really) by running OpenWRT on consumer hardware.

...if you're willing to actively maintain your setup. Probably a safe assumption here; for a normal user, that would be too much of a burden.
I've had my Google OnHub for three years now and it works flawlessly, regularly updating itself without any detectable downtime. It is by far the longest that I've had any wifi access point, and it is the only one I haven't had to personally check and update for security issues.
I used to use Apple routers. They were pricey but reliable and very easy to configure, especially from inside the apple ecosystem. Now? I have no idea what I’ll upgrade to when the time comes.
Since this thread is about security: Google WiFi. It has secure boot and it auto-updates (although there seem to be few updates released lately).
Device from Ad company with access to all your traffic? No, thanks.
I'm using a Compulab Fitlet 2 (a really nice and cheap fanless Intel machine with multiple Ethernet ports designed for Linux) and NixOS.

It's easy to set up and run multiple services (think XMPP, ssh, IP over DNS...).

I'm actually pretty happy with my Netgear Velop mesh system. I had a Netgear Nighthawk X8, but when I moved it was great for the new house. The Velop mesh has been seamless.
I would recommend an FSF-certified ThinkPenguin router that respects your freedom:

https://www.fsf.org/resources/hw/endorsement/thinkpenguin

I use one of the ASUS ones and like it. But my understanding is that security wise, all consumer routers are bad. I have nothing to back up that claim with. I keep mine as updated as possible.
I have an Asus router too. (RT-AC68W - W => white) It used to provide my security and as near as I can tell it did a reasonably good job of it. Things that lead me to believe it rates as above average:

- Does not enable management on the WAN port by default.
- Reasonably frequent updates
- Not named as often as some other brands when security problems are publicized.
- I think it made me enter a management password when I first set it up, but it's been a while and I can't be certain about that.

OTOH I just searched "RT-AC68W security problems" and there seems to be no shortage of problems. :(

Some time ago I decided to get a little more serious about security and put a mini-PC running pfsense between my home LAN and the Internet. Hopefully that is more secure though a similar search wouldn't prove that. Perusing some of the critical vulnerabilities at cvedetails.com seems to show that the only critical vulnerability for either of these is for versions of the software older than what I'm running. And I also see the flashing yellow "!" on the Asus management page that indicates an update is available.

That latter part is really a concern. I don't get a notification for an update unless I go look for it. Logging in to either is not something I do every day.

AVM Fritz!box
Do Synology routers count as consumer?