by antattack 1918 days ago
Actually, consumer router running openWRT is quite good[1] or Asus WIFI router using Merlin firmware[2].

[1]https://openwrt.org/supported_devices [2]https://www.asuswrt-merlin.net/download


I want to add that there is an ongoing effort to stabilize SELinux on OpenWRT[1] as well. Security on OpenWRT has been shaping up very nicely for a while now.

[1] https://aparcar.org/running-openwrt-with-selinux/

I did a Networking BSc and so for the longest time, used aftermarket / open source routers. The last one being a Linksys running openWRT (ACS1900, or something).

I spent countless hours messing with that thing trying to get decent performance out of it, and simply couldn't.

The router provided for free by my ISP is superior in real world usage.

I get the principles in play here with privacy and security and open source etc., but in practice it's a fight I'm done with. Just give me internet that works well out of the box so I can forget about it.

I'm using openWRT on a Zyxel Armor Z2 router. Today they are $170 on Amazon.

The flashing process was exactly the same as the factory firmware. After that I had to configure it just as I would any new router.

It's better than the factory firmware in every way except user friendliness, but even that isn't bad unless you are trying to do something more advanced.

The CPE from Comcast was so much slower and worse in every single way. Now it only acts as a modem for the Zyxel.

An important part of my experience is that I deliberately set out to buy a good router that was very well supported by openWRT, because in the past I have had experiences similar to your post (but with dd-wrt in the long long ago).

I really believe if you plan the project like you would a production project you'll have an extremely good experience.

That said, I did have a number of non-standard things I wanted to do on my home network without paying thousands for enterprise level hardware so it was worth it for me to do that work. If I was just getting on line with a couple computers, phones, and tv's I wouldn't have bothered to flash with openWRT.

> The router provided for free by my ISP is superior in real world usage.

I’m impressed. The ones issued by Rogers in Canada are all-in-one-units and complete garbage.

I think they want your mobile phone to drop its wifi to chew through your $10/gb data, prevent sharing with your neighbours and minimize your peak utilization speeds to cut their network spend.

But you probably live in a country where ISPs compete for your business.

Hopefully they'll get better when they buy out their biggest competitor (Shaw) /s
the coddling of our dairy and telecom industry is frankly ridiculous. I was hoping that some American company would enter the Canadian Market but that doesn't seem like something that will happen anytime soon.
I'm a huge OpenWRT fan, but it definitely isn't easy to figure out a reasonably priced router to use it with where you'll get good Wi-Fi performance. I usually stick with the same model recommendation for quite a while.

I get that OpenWRT doesn't want to favor one brand over another, but it'd be really nice if their homepage had a list of 5-10 routers that are really solid with the latest OpenWRT release.

My last router experience with openwrt ended up with me installing a random PR's staging build on my router because that was the only version of openwrt I could find that supported my router's chipset. And then I eventually just upgraded to a completely different router because I couldn't solve the bufferbloat issues created by a gigabit connection without hardware performance improvements.
I started years ago with openwrt.

First I tried the tp-link TL-WDR4300, which was very well supported at the time.

I then moved to the tp-link Archer C7.

Along the way I went from a "regular install" of openwrt, to build the LEDE fork myself, then back to building openwrt.

It's actually quite straightforward after you get over the hump.

    $ git clone https://git.openwrt.org/openwrt/openwrt.git
    $ cd openwrt
    $ ./scripts/feeds update -a
    $ ./scripts/feeds install -a
    $ make menuconfig
    $ make -j $(nproc)
I got away from the GUI and now do most configuration via the config files in /etc/config.

my current router is a wrt-1900acs, which took a while to get stable. I sit it on the shelf for a good year.

Because I learned how to build openwrt, I also have two mikrotik rb3011uias-rm 10x gbe switches. I wish the touchscreen worked.

It's not in the main tree but I followed this thread:

https://forum.openwrt.org/t/support-for-mikrotik-rb3011uias-...

It's a community build, but it is stable and works well.

If you want to play with openwrt, it's a little saner to have two routers. Have one that works, and one that you can break without having to stay up all night to get online.

> If you want to play with openwrt, it's a little saner to have two routers. Have one that works, and one that you can break without having to stay up all night to get online.

There is a learning curve when using openwrt. When my girlfriend demanded that I stop effing up the wifi at some point. That's when I decided to get a second router to test new and complex configurations.

For those thinking of trying this, you may have trouble with throughput on certain chipsets. I'm extremely happy using OpenWRT on my rPi v4 with 2 UE300 USB-to-ethernet adapters and gigabit Internet.

It's also a bit cheaper to do this than buy high-end consumer equipment as nimbius mentioned.

> Actually, consumer router running openWRT is quite good

Really? Can the *WRT releases finally run at full speed? Can they ping from the wired to the wireless? Can they actually do MIMO?

As much as I love open source, the *WRT developers have a bad hand and it's not their fault. There are a zillion router variants that change with zero notice, no documentation from anybody, and not enough people.

This really is a spot where an actual open source hardware design is probably the only real solution.

consumer routers that can actually run the latest version of either of these cost around $200, which in my opinion is better spent on something more powerful and hacker friendly like Alix https://www.pcengines.ch/alix.htm

I run a combination USB 2.4ghz AP and 5ghz pci-e from one. In addition, it runs a podman rootless pihole container and handles wireguard.

You don't need a $200 router to run the latest versions of OpenWRT. You only need to spend that much if you want high-end WiFi radios and fast CPU cores. If you're fine with mid-range WiFi capabilities and slower MIPS CPUs that can't do QoS beyond 100-200Mbps, then there are plenty of options well under $100.
My under $100 router didn’t work because it had too little ram and flash storage to work. It was a few years ago though so maybe the situation has changed. I’d be interested in seeing which routers under $100 are working well with OpenWRT.
i really like my https://www.gl-inet.com/products/gl-ar750s/ : comes with a GUI on top of openWRT that allows easy static IP assignment from MAC, wireguard config as either server or client, etc. you can always drop into LuCI as well, or reflash with latest openWRT. plenty of storage for additional services and packages if that's your thing.

no affiliation, just a happy customer!

I was going to say there are plenty of routers that work fine, but then I looked at the latest stuff on the pcengines page.

It's a little daunting, like looking at the openwrt table of hardware (but inside out like a menu).

Problem with all alternative firmwares is that you don't know whether your relatively new product will be supported or not. Sometimes it's matter of product revision.
You can say the same about running Linux on your laptop. The answer is that you don't buy the random $20 router at Walmart and hope that you can install openwrt on it. Instead, you buy the router specifically to install openwrt on it. It's certainly a bit more painful but you get used to the idea of using a bit older gen hardware but enjoy excellent software support.

Over time, with enough people doing it, the manufacturer will realize that and cater to you (see the Linksys 54gl router, archer c7, dell laptops, and Lenovo Thinkpad -- the manufacturers all know people buy the hardware to run the software they want)

+1 for Merlin, I use it in a household of four people for QoS and it's great!
Isn't Merlin just the Asus firmware with some additional features? From a security perspective it does not seem like an upgrade since it still includes many proprietary Asus blobs.
How much do the "proprietary blobs" matter, for something like a router? It sort of makes sense for a cellphone where there's basically a parallel operating system running in the baseband, but that doesn't really apply for a router. The biggest threat is probably out of date services, but AFAIK most of those (eg. dnsmasq) are open source and are kept up to date.
Depending on the router, a whole bunch: I had an ASUS router that could only maintain about 150-200 Mbps of NAT traffic using the CPU whereas with the magic cut-through blobs it could do a full 1 Gbps.
The kernel is stuck on whatever version it shipped with. A lot of routers use the long obsolete 2.x kernel.
I have an older Asus that I want to flash with Merlin as well.

Will Merlin flash like a normal firmware update or does it require the Windows based “recovery tool” to force the flashing of Merlin?

Thanks for any response.

Merlin can be uploaded as a normal firmware. No flashing or external apps required. If you have a compatible asus I highly recommend Merlin.

If you’re interested in doing ad-blocking on the router itself there’s a tool called diversion which does take a bit of work to get installed, but is a bit simpler than trying to get pi-hole running on it: https://www.snbforums.com/threads/diversion-the-router-ad-bl....

Not only can you run diversion, you can then run a vpn and always tunnel through your VPN with diversion.

DNS leakage is one other thing to solve.

Does OpenWRT still run everything as root? That's not good security practice.
True, but the stock software on any cheap router you buy is also all running as root, assuming that there's even a concept of users, or any other kind of isolation, in the OS it's using.

The standards on that stuff are shockingly low. I mean, think about the stupidest, laziest, most slipshod shit you can imagine, and then be assured that it's worse than that.

... and "small business" routers are only slightly better. Even "enterprise" equipment isn't all that stellar.

Personally, I use real Linux as a router, and a separate WiFi access point behind it that gets as little trust as I can manage.

On my router running OpenWrt 19.07.6, it appears that dnsmasq and avahi are running as non-root.
Yes, but so is having the password check happen on the client-side, which I have seen happen in two different routers' stock firmware I've owned in the past.
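The question above ("does OpenWRT still run everything as root?") is one you can answer on your own box rather than from memory. The script below is an added example, not code from the thread or from the OpenWrt project: it walks /proc/<pid>/status, which BusyBox and glibc systems both expose, and reports which daemons run with UID 0. The SAMPLE_STATUS block is constructed for an offline demo; the process names and UIDs in it are illustrative, not measured on any particular router.

```shell
#!/bin/sh
# Added example: audit which processes on an OpenWrt router run as root.
# It reads Name:/Uid: lines from /proc/<pid>/status instead of relying on
# `ps -o user`, which BusyBox ps does not always support.

# Constructed sample of /proc/<pid>/status lines (assumption: illustrative
# names and UIDs, not taken from a real device).
SAMPLE_STATUS='Name: dnsmasq
Uid: 453 453 453 453
Name: uhttpd
Uid: 0 0 0 0
Name: avahi-daemon
Uid: 105 105 105 105
Name: dropbear
Uid: 0 0 0 0'

# classify_status: reads Name:/Uid: pairs on stdin and prints one line per
# process: "<name> <real-uid> root|nonroot".
classify_status() {
    awk '
        $1 == "Name:" { name = $2 }
        $1 == "Uid:"  { print name, $2, ($2 == 0 ? "root" : "nonroot") }
    '
}

# count_root: number of root-owned processes in the classified output.
count_root() {
    classify_status | awk '$3 == "root" { n++ } END { print n + 0 }'
}

# nonroot_names: space-separated names of processes that dropped privileges.
nonroot_names() {
    classify_status | awk '$3 == "nonroot" { printf "%s%s", (n++ ? " " : ""), $1 }'
}

# live_audit: the same classification run against the real /proc on the router.
live_audit() {
    for f in /proc/[0-9]*/status; do
        grep -E '^(Name|Uid):' "$f" 2>/dev/null
    done | classify_status
}

# Offline demo on the constructed sample. On a router, run: live_audit | sort -k3
printf '%s\n' "$SAMPLE_STATUS" | classify_status
```

Run `live_audit | grep root$` on the device to see which services have not dropped privileges; compare against the 19.07.6 observation above (dnsmasq and avahi running unprivileged) for your own release.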