I am planning to eventually build my own home server, and when I do I will hook it up via ethernet. But I do want to switch away from the generic FIOS router and use my own for more control over my data and security. Any recommendations?

    • @JJGadget@lemmy.world
      15
      2 years ago

      This right here. Get something cheap, throw OPNsense or pfSense on it and start learning. It will probably be incredibly frustrating at first but when it starts to click then it is really fun and rewarding.

      I bought an old Dell R210 II years ago and threw pfSense on it, then swapped to OPNsense and could not be happier. It is still in use today, a good 6 years later.

      • Semi-Hemi-Demigod
        6
        2 years ago

        I did mine by just adding some iptables rules to set up NAT. It’s all of four commands:

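        # Enable IPv4 forwarding (takes effect after `sysctl -p` or a reboot)
        echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
        # Source-NAT LAN traffic leaving through the WAN interface
        iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o "$wan0" -j MASQUERADE
        # Allow replies to connections that were opened from the LAN
        iptables -A FORWARD -i "$wan0" -o "$lan0" -m state --state RELATED,ESTABLISHED -j ACCEPT
        # Allow LAN hosts out to the WAN
        iptables -A FORWARD -i "$lan0" -o "$wan0" -j ACCEPT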

        Just set $lan0 and $wan0 to your LAN and WAN interfaces. For wifi I’ve got a couple Unifi access points around the house for good coverage.

        Yes, I know IPv6 is better and yadda yadda yadda but I can’t remember the addresses let alone type them so I’m not changing anything.
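
An added example, not part of the comment above and not the commenter's code: a small audit of `iptables-save` output for a NAT router like the one described. Built-in chains default to an ACCEPT policy, so ACCEPT rules in FORWARD only restrict traffic once that policy is DROP; the first two checks look for this. The interface names `eth0`/`eth1`, the finding codes and the sample dump are constructed for illustration, and a trailing catch-all DROP rule is not recognised as equivalent to a DROP policy.

```shell
#!/bin/sh
# Added example: audit `iptables-save` output from a NAT router.
# Constructed sample: roughly what the four commands above leave behind on a
# box with default policies, assuming wan0=eth0 and lan0=eth1 (hypothetical).
SAMPLE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/16 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT'

# Usage: audit_router_rules WAN_IFACE < dump
# Prints one finding code per line; no output means no finding.
audit_router_rules() {
    awk -v wan="$1" '
        # "*nat", "*filter", ... start a new table section.
        /^\*/ { table = substr($1, 2) }
        # Built-in chain policies appear as ":CHAIN POLICY [pkts:bytes]".
        table == "filter" && /^:(INPUT|FORWARD) / { policy[substr($1, 2)] = $2 }
        # Return traffic should be admitted by an explicit state rule.
        table == "filter" && /^-A FORWARD / && /-j ACCEPT/ &&
            /(RELATED,ESTABLISHED|ESTABLISHED,RELATED)/ { est = 1 }
        # MASQUERADE should be pinned to the WAN interface with -o.
        table == "nat" && /^-A POSTROUTING / && /-j MASQUERADE/ {
            if (index($0 " ", " -o " wan " ")) masq = 1
        }
        END {
            if (policy["FORWARD"] != "DROP") print "FORWARD_POLICY_NOT_DROP"
            if (policy["INPUT"] != "DROP")   print "INPUT_POLICY_NOT_DROP"
            if (!est)  print "NO_ESTABLISHED_RULE"
            if (!masq) print "NO_MASQUERADE_ON_WAN"
        }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE" | audit_router_rules eth0
```

On a live router the input would come from `iptables-save` run as root, piped into `audit_router_rules` with the real WAN interface name.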

        • @d13@programming.dev
          2
          2 years ago

          I did this as well, but I’m wondering if it was the wrong call. It’s harder to work with firewalls (particularly if docker is involved), and I’ve struggled with stuff like SyncThing.

          Most likely more learning could solve it, but I wonder if I should switch to a dedicated router OS where more support resources are available.

          • Semi-Hemi-Demigod
            1
            2 years ago

            I’ve got almost all of my services running on a separate, bigger system and only have a couple ports open on this one. Iptables isn’t too hard once you understand the shorthand.

            • @d13@programming.dev
              1
              2 years ago

              I think my problem is trying to run docker at the same time. Docker messes heavily with iptables and makes it a real pain.

              • Semi-Hemi-Demigod
                2
                2 years ago

                The only Docker containers I run on my router are a simple search proxy and an Infrared instance that routes Minecraft server connections to another box on my LAN. But IIRC that took a bunch of fiddling.

  • @thepianistfroggollum@lemmynsfw.com
    6
    2 years ago

    I just got a MikroTik RB5009UPr+S+in and I’m loving it so far. I’m going to pair it with their AX ceiling wireless AP if I can ever catch it on sale again.

    • @Pulsar@lemmy.world
      2
      2 years ago

      I think this is the best homelab router out there. If you are new to Mikrotik there is definitely a steep learning curve.

      OpenWrt is fairly good too, but I think documentation can be lacking and confusing for some edge applications. My other concern with OpenWrt is performance: since it is compatible with a wide variety of hardware, it is difficult to know how it will perform without testing it.

  • @monotux@lemmy.world
    7
    2 years ago

    I’m using a ~30 USD thin client with a 4 port networking card (~20 USD), just using plain nftables on Debian. It handles my network just fine (complex rule set with many subnets & rules, 250/100 Mbps connection). Also using codel/cake for traffic shaping, avoiding lousy ping times even when downloading/streaming etc.

    I use two TP-Link EAP 245v3 (ancient by now, but I can still use all my WAN speed from all rooms) for WiFi. Works great.

    If I would redo it I’d use VyOS, OpenWRT or maybe OPNSense, but still using x86 hardware due to cost/power usage/performance. And then newer ceiling access points.

  • @monotux@lemmy.world
    9
    2 years ago

    servethehome.com has had a series about these fanless, multi-gigabit firewalls for a while; might be interesting if you have a 200-300 USD budget?

    https://www.servethehome.com/tag/firewall/

    I’ve used a very similar setup in the past (J1900 CPU, 4x1 Gbps network ports) and I only replaced it due to reasons. Not noticed any performance bottlenecks with that setup.

    The latest N100/N200/N300/N305 CPUs from Intel look really interesting, similar performance as my workstation but at a 10th of the power usage. N305 also has 8 cores in a passively cooled case, amazing stuff!

  • Perrin42
    2
    2 years ago

    The Firewalla is pricey but amazing. I am running the Gold at home, and it runs Linux and supports Docker so I’m running PiHole on the router.

  • @floridaman@lemmy.blahaj.zone
    3
    2 years ago

    Here is something I wrote previously under a similar post: “Check out the OpenWRT Table of Hardware, it has a list of firmware mod-able off the shelf WiFi routers that work with, you guessed it, OpenWRT. It’s rather versatile as it’s Linux based and can handle VLANs, multiple SSIDs, and of course, you can change the DNS servers.” As I said, OpenWRT is very versatile and runs on many different routers, just find one you like and install it! Many of the supported routers provide Gigabit switching, and some even have multigig for your server connection.

  • sj_zero
    10
    2 years ago

    pfSense or OPNsense are really powerful options.

    You’ll need a wireless access point as well, but those two are quite powerful and can run on quite powerful hardware.

  • @Thee0023@sh.itjust.works
    2
    2 years ago

    I’ve used this with much success (NanoPi R4S). It’s a mini board based off a Raspberry Pi-like system with an extra Ethernet out. It does not have Wi-Fi so you’d need to get an AP, but it’s swappable if you ever want to upgrade. With that and a switch for more Ethernet it’s fully open and customizable to put things like OpenWRT or whatever else you may want. Plenty of storage too.

  • @thejoker8814@lemmy.world
    10
    2 years ago

    I cannot recommend any consumer router brand, at least not with stock firmware, because none of them have a guaranteed update policy. Further, some of the stock firmware contains insecure protocols, like telnet (yes, still), outdated ciphers (SSL, TLS 1.0), and some feature you want is always missing. Further, they often lack innovative features like WireGuard in updates, which are mostly bug fixes and security patches.

    That’s why I would urge you to consider using one of the router/ gateway distributions listed below.

    Depending on your requirements, I can recommend the following router OS:

    • OPNsense (router without WiFi)
    • OpenWRT (router with WiFi)

    If you have an old laptop or pc to spare, you could at least give those two a try.

    Someone already mentioned it: OPNsense runs only on x86 / PC hardware (and MIPS). OpenWRT can be flashed onto a lot of consumer routers as well as be installed on traditional x86 / PC hardware.

    OpenWRT has a hardware table on their website for supported models. Some of them come cheap if you buy them used and are pretty decent.

    If you like more flexibility, I can recommend building your own router from used thin clients, like for example the Fujitsu Futro S920. Thin clients are basically low-powered PCs, which are often cheap on the used market and provide a variety of hardware interfaces. Most use Intel NICs, some have a secondary NIC, can hold SATA disks, provide interfaces for WiFi (PCIe, miniPCIe, M.2) or extension cards, have highly efficient power supplies and are in the majority passively cooled. Or get some SBC / low-powered board with the interfaces you need. It doesn’t need to be new hardware.

    • @peregus@lemmy.world
      3
      2 years ago

      I second OPNsense and Fujitsu Futro S720/920 (from €20/30 on eBay) with secondary NIC (or even router on a stick with VLAN enabled switch). I’d leave WiFi to a dedicated AP.

    • @thejoker8814@lemmy.world
      4
      2 years ago

      Please don’t host a router on a hypervisor VM. That does not benefit security. First of all, a router is an integral part of the (home) network, therefore it should not be dependent on anything, like a hypervisor. You want to be able to replace or update your server / hypervisor independently from each other, for example in 5 hrs your router might be still rocking all data, but you would want to upgrade your home server / hypervisor. Furthermore, all that OpenWRT, pfSense, OPNsense kernel / OS hardening is more effective on the hardware itself, especially all RAM / memory based security measures. Also, if you truly want to be more secure, you use dedicated hardware for multiple reasons: performance is dedicated to only routing / firewall processing (no other service / VM can block or slow down packet processing), reducing the attack surface (less software, less attack surface), easier to update.

      • @vector_zero@lemmy.world
        7
        2 years ago

        This seems like it’s geared toward higher power hardware that’s not generally available on a consumer-grade router.

        • stown
          7
          2 years ago

          You could buy a $300 consumer router and it would be worse than just using an old PC with OPNsense.

          • @_TK@lemmy.antemeridiem.xyz
            6
            2 years ago

            Except that the old PC is probably less efficient at a lower clock than an AR based consumer router. You’ll get more performance and features, but it will be more expensive to run.

            • stown
              1
              2 years ago

              I guess if you live in a place where electricity is super expensive this will matter. A good majority of self-hosted people don’t seem to care much as they have server racks full of old hardware.

  • @coolfission@lemmy.world
    3
    2 years ago

    ASUS RT-AX86U + asuswrt-merlin is what I’ve used. Completely stable since day 1 unlike my old Netgear router.

  • @Feliberto@programming.dev
    7
    2 years ago

    I don’t know if it’s the best one, but I’ve been using Mikrotik Hex S for years and it’s been a great experience so far.

  • Chemical Wonka
    2
    2 years ago

    It depends on your needs, but if you want a reliable and secure router, a router that is compatible with OpenWRT, for example, is a good option.