If you want the full control use https://opnsense.org/ on a mini pc or in a VM on your home server.
this post was submitted on 11 Aug 2023
103 points (97.2% liked)
Selfhosted
40407 readers
340 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 2 years ago
MODERATORS
Can this work with the "off the shelf" mesh routers.
This seems like it's geared toward higher power hardware that's not generally available on a consumer-grade router.
You could buy a $300 consumer router and it would be worse than just using an old PC with OPNsense.
Except that the old PC is probably less efficient at a lower clock than an AR based consumer router. You'll get more performance and features, but it will be more expensive to run.
load more comments
(2 replies)
Please don’t host a router on a Hypervisor VM. That does not benefit security. First of all a router is an integral part of the (home) network, therefore it should not be dependent on anything, like a hypervisor. You want to be able to replace or update your server/ hypervisor independently from each other, for example in 5 hrs your router might be still rocking all data, but you would want to upgrade your home server / hypervisor. Furthermore all those OpenWRT, PFsense, OpenSense kernel/ OS hardening is more effective on the hardware itself, especially all RAM/ Memory based security measures. Also if you truly want to be more secure, you use dedicated hardware for multiple reasons, performance is dedicated to only routing/ firewall processing (no other service/ VM can block or slow down packet processing), reducing the attack surface (less software, less attack surface), easier to update.
I bought a mini pc with four Ethernet ports and turned that into a router
This right here. get something cheap, throw opnsense or pfsense on it and start learning. It will probably be incredibly frustrating at first but when it starts to click then it is really fun and rewarding.
I bought an old dell r210ii years ago and threw pfsense on it then swapped to opnsense and could not be happier. It is still in use today, a good 6 years later.
I did mine by just adding some iptables rules to set up NAT. It's all of four commands:
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
iptables –t nat -s 192.168.0.0/16 –A POSTROUTING –o $wan0 -j MASQUERADE
iptables –A FORWARD –i $wan0 –o $lan0 –m state --state RELATED, ESTABLISHED -j ACCEPT
iptables –A FORWARD –i $lan0 –o $wan0 –j ACCEPT
Just set $lan0 and $wan0 to your LAN and WAN interfaces. For wifi I've got a couple Unifi access points around the house for good coverage.
Yes, I know IPv6 is better and yadda yadda yadda but I can't remember the addresses let alone type them so I'm not changing anything.
load more comments
(4 replies)
Noob here. How fast can my LAN be with such a setup?
mine can push a gig around no problem.
As fast as the slowest denominator in your LAN. So give the PC that you're going to host this on a decent Ethernet card and you should be flying.
load more comments
(5 replies)
You already have some good suggestions, so i just want to mention openWRT which can be flashed on off-the-shelf router combo (just check their supported devices first, if you go this route)
Love OpenWRT!
As a networking noob I spent more than a week configuring it to get it right, including needing to SSH into it because I flashed the wrong firmware (do not get NA and EU confused, the difference is enough to flat line your modem).
But in the end, I eliminated my bufferbloat with SQM; a feature the stock device lacked. I also set up a USB to act as expanded storage to install more software.
load more comments
(6 replies)
Everyone has some great recommendations. I didn't see anything about Ubiquiti so I'll throw it out there since I've had a good experience with them. The Dream Machine is for home/small office setups and is fairly inexpensive for what it does: https://store.ui.com/us/en/collections/unifi-dream-router.
Edit: it's now the dream router. They changed the name it seems.
I wish they had more 2.5G or even SPF+ options in this range. I'm lucky enough to have a >1gigabit home connection but router options are surprisingly limited if I want that full connection speed going to my server
load more comments
(3 replies)
This is interesting, I hadn't seen this from them before and I'm in the market for a new router! Does this play nicely with additional access points?
They work with existing Ubiquiti AP's no problem. I have the Dream Machine (I guess Dream router now) and it's awesome. Wish I got the Dream Machine Pro which is switch-like and comes with no AP's so you have to add them as needed and it supports cameras.
load more comments
(1 replies)
load more comments
(3 replies)
My only complaint is that coming from a networking background, Ubiquity's OS is awful and makes me want to gouge my eyeballs out. Navigating the interface to find settings makes no sense, it's not very granular in how you can configure certain filtering settings, dual wan setups are difficult to manually change over, and good luck looking at logs to troubleshoot any traffic flow issues (hint: you can't).
For someone who just needs a firewall and a VPN endpoint, it's great. If you need anything more than that, get opnsense/pfsense. Pairing one of those with Ubiquity APs (which are actually pretty terrific) is a really solid setup.
load more comments
(3 replies)
Pfsense or opnsense are really powerful options.
You'll need a wireless access point as well, but those two are quite powerful and can run on quite powerful hardware.
I cannot recommend any consumer router brand, at least not with stock firmware, because any of them don’t have guaranteed update policy. Further, some of the stock firmware contains insecure protocols, like telnet (yes, still), outdated ciphers (SSL, TLS 1.0), and some feature you want is always missing. Further they often lack innovative features like WireGuard in updates, mostly bug fixes and security patches.
That’s why I would urge you to consider using one of the router/ gateway distributions listed below.
Depending on your requirements, I can recommend the following router OS:
- OpenSense (router without WiFi)
- OpenWRT (router with WiFi)
If you have an old laptop or pc to spare, you could at least give those two a try.
Someone already mentioned it, OpenSense runs only on x86 / PC Hardware (and MiPS). OpenWRT can be flashed onto a lot of consumer routers as well as be installed on traditional x86 / PC hardware.
OpenWRT has a hardware table on their website for supported models. Some of them come cheap if you buy them used and are pretty decent.
If you like more flexibility, I can recommend building your own router. Used thin clients, Iike for example Fujitsu Futro S920. Thin clients are basically low-powered PCs, which are often cheap on the used market and provide a variety of hardware interfaces. Most use Intel NICs, some have secondary NIC, can hold SATA disks, provide interfaces for WiFi (pice, miniPCIe, m.2) or extension cards, have high efficient power supplies and are in majority are passive cooled. Or get some SBC/ Low-Powered board with the interfaces you need. It doesn’t need to be new hardware.
I second OPNsense and Fujitsu Futro S720/920 (from €20/30 on eBay) with secondary NIC (or even router on a stick with VLAN enabled switch). I'd leave WiFi to a dedicated AP.
servethehome.com has a series about these fanless, multi-gigabit firewall for a while, might be interesting if you have a 200-300 USD budget?
https://www.servethehome.com/tag/firewall/
I've used a very similar setup in the past (J1900 CPU, 4x1 Gbps network ports) and I only replaced it due to reasons. Not noticed any performance bottle necks with that setup.
The latest N100/N200/N300/N305 CPUs from Intel looks really interesting, similar performance as my workstation but at a 10th of the power usage. N305 also has 8 cores in a passively cooled case, amazing stuff!
I don't know if it's the best one, but I've been using Mikrotik Hex S for years and it's been a great experience so far.
It all depends on the features you want in that router and how much you’re willing to spend. I bought a MikroTik hAP ax3, which has many enterprise features (that can come handy to us selfhosters as well) that I found myself not necessarily needing, but definitely enjoying.
I'm using a ~30 USD thin client with a 4 port networking card (~20 USD), just using plain nftables on Debian. It routes handles my network just fine (complex rule set with many subnets & rules, 250/100 Mbps connection). Also using codel/cake for traffic shaping, avoiding lousy ping times even when downloading/streaming et c.
I use two TP-Link EAP 245v3 (ancient by now, but I can still use all my WAN speed from all rooms) for WiFi. Works great.
If I would redo it I'd use VyOS, OpenWRT or maybe OPNSense, but still using x86 hardware due to cost/power usage/performance. And then newer ceiling access points.
I've had amazing luck with the Synology routers. You can start with one then if you want/need you add more to create a mesh network. I find the interface easy as well. My 2 cents of course...
Another vote for Synology here. I have 2 RT2600 and 1 RT1600 between myself and my parents houses. They have been completely bullet proof and the oldest one is going on 7 years old now.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:
| Fewer Letters | More Letters |
|---|---|
| AP | WiFi Access Point |
| DNS | Domain Name Service/System |
| NAT | Network Address Translation |
| PiHole | Network-wide ad-blocker (DNS sinkhole) |
| RPi | Raspberry Pi brand of SBC |
| SAN | Storage Area Network |
| SATA | Serial AT Attachment interface for mass storage |
| SBC | Single-Board Computer |
| SSH | Secure Shell for remote terminal access |
| SSL | Secure Sockets Layer, for transparent encryption |
| TLS | Transport Layer Security, supersedes SSL |
| Unifi | Ubiquiti WiFi hardware brand |
| VPN | Virtual Private Network |
13 acronyms in this thread; the most compressed thread commented on today has 14 acronyms.
[Thread #26 for this sub, first seen 11th Aug 2023, 15:25] [FAQ] [Full list] [Contact] [Source code]
load more comments
(1 replies)
something running openWRT. I for example have a Turris Omnia, which is running their own fork of openwrt. https://www.turris.com/en/omnia/overview/
Can you give us some details about your house?
My house was built in the golden age of having voip landlines that needed CAT 5e cable but before cell phones were the norm so I have a wired backhaul mesh.
Edit: it occurs to me you probably mean like a router-router being that this is self hosted lol. So disregard haha
I live in a town house with relatively good Wifi signal coverage with no extenders needed. I am planning on eventually paying a professional to get wall Ethernet ports installed so I can hook up my most network dependent devices (gaming desktop, gaming devices) and use the router with the rest that wouldn’t make sense to hook into Ethernet.
I like the fritzbox ones but I think in USA the best is the base Unifi one (dream router)
Or a cheap decommissioned thinkcentre tiny m700 with opnsense
load more comments
(2 replies)
I'm a noob, but I'm running a Frirzbox router and it seems great to me. 0 problem in configuration and happened to have lots of useful features now that I'm exploring self hosting (it support woreguard VPN natively and have automatic wakeonlan feature for my server)
I always found the software updates of AVM - the manufacturer of those "Fritz!Box"es - to be of questionable quality. If you take a look at the source code that they have to release upon request of the GPL'ed source code they use, you'll notice that they use ancient versions of the Linux kernel, Busybox and other tools. By ancient, I mean many years old, unsupported by upstream for years. Also, they only publish those sources manually when someone asks for them, which doesn't bode well for their internal development processes. If they used CI/CD pipelines, they could easily push out updates of those sources with every new release…
load more comments
(4 replies)
I’m a professional in software development, sometimes tasked with administration stuff.
At home I love my FRITZ!Box. The only thing I’m missing is DNS rewriting, but I can work around that. If you don’t know what that is you don’t need it anyway.
load more comments
(2 replies)
Here is something I wrote previously under a similar post: "Check out the OpenWRT Table of Hardware, it has a list of firmware mod-able off the shelf WiFi routers that work with, you guessed it, OpenWRT. It's rather versatile as it's Linux based and can handle VLANs, multiple SSIDs, and of course, you can change the DNS servers." As I said, OpenWRT is very versatile and runs on many different routers, just find one you like and install it! Many of the supported routers provide Gigabit switching, and some even have multigit for your server connection.
ASUS RT-AX86U + asuswrt-merlin is what I've used. Completely stable since day 1 unlike my old netgear router.
Raspberry Pi 4 with a UE300 and OpenWrt can comfortably do 1 gig with SQM. I don't know if it's the most cost effective way to do it but it's one way and it's working well in 3 setups I'm looking after.
UniFi Dream Router is also a nice router for internet speeds up to 700 Mbps.
load more comments
(1 replies)
The Firewalla is pricey but amazing. I am running the Gold at home, and it runs Linux and supports Dockers so I'm running PiHole on the router.
Not sure about your budget, but I switched to a udm se and it's pretty awesome, for me the benefit comes in with cameras and access control. the UI and off the shelf tooling is very nice with it.
Opensense is another more diy option.
I used an edge router 4 before the udm for a few years and it was pretty ok.
My main router here is a RPi4 with 4GB memory, Debian and an USB interface for the connection to internet. The switches are Netgear (324 and a gifted 724) and tthe main server is an RPI 4 as well, but with 8G mem.
It depends your necessity but If you want a reliable and secure router is a good option a router that is compatible with OpenWRT for example.
view more: next ›