Looking for router recommendations

[Tony0945]

[NeddySeagoon]

Tony0945,

Shorewall looks worse than it is. I tested it with a collection of VMs.
My rules drop everything incoming and deny everything outgoing then individual rules permit things.
The bit I struggled with is that the firewall itself is its own zone.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[erm67]

[mvaterlaus]

Hi Tony0945,
I personally use a mikrotik [1] router and am very pleased of its features and performance. You can do all the things which are possible with a linux kernel. The mikrotik routerOS works for many archs, including arm and x86. The OS is opensource, you only buy the hardware. I personally have two RB2011UiAS-2HnD-IN in use. For all the features the hardware and os provide, the price is not to expensive.


[1]https://mikrotik.com/
[2]https://mikrotik.com/product/RB2011UiAS-2HnD-IN


[edit]Correction: amd64 is not listed: https://mikrotik.com/download[/edit]
_________________
For calming down your eyes or clearing your mind: www.patrickwehli.ch

[erm67]

Join one of the lagest botnets in the world

https://securityboulevard.com/2018/03/the-mikrotik-routeros-based-botnet/
_________________
Ok boomer
True ignorance is not the absence of knowledge, but the refusal to acquire it.
Ab esse ad posse valet, a posse ad esse non valet consequentia

My fediverse account: @erm67@erm67.dynu.net

[mvaterlaus]

@erm67
yes, if you do not follow the Mikrotik security guide, you will have the winbox port open and are a happy part of this botnet. As always, one who has followed the security guidelines of the vendor and turns off all other things which are not needed, is not a member of this botnet.
_________________
For calming down your eyes or clearing your mind: www.patrickwehli.ch

[pa4wdh]

I'm also looking for router hardware and found PC Engines APU4d4: https://pcengines.ch/apu4d4.htm
Does anyone have any experience with them?

The MikroTik hardware looks nice too, can they run Gentoo or are they tied to MikroTik's OS?
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world

My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com

[erm67]

Since the OP already has a wifi AP and a good eth switch, what about this as gateway/firewall:

http://wiki.friendlyarm.com/wiki/index.php/NanoPi_R2S

1G is too little for native gentoo but good for cross compile.
_________________
Ok boomer
True ignorance is not the absence of knowledge, but the refusal to acquire it.
Ab esse ad posse valet, a posse ad esse non valet consequentia

My fediverse account: @erm67@erm67.dynu.net

[mvaterlaus]

@pa4wdh
I don't know if the hardware is flashable with another os than their own routerOS. I never tried that, since I'm satisfied with their routerOS.
_________________
For calming down your eyes or clearing your mind: www.patrickwehli.ch

[pa4wdh]

Thanks for the info.
Since i can't find any reports on regular distro's running on MikroTik hardware i assume it can't be done, which means it doesn't fit my use case.
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world

My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com

[dvNuLL]

I recommend the Ubiquiti EdgeRouter (https://www.ui.com/edgemax/edgerouter-4/). They have a 3 port with POE. Their Unifi switches are good, and you can run the management controller on a VM. The controller has an ebuild though it's masked.

pa4wdh mentioned the PCEngines board and they run VyOS well (which is what is used by the EdgeRouter). You might be able to install Gentoo on it.

I like Mikrotik/RouterOS as well, but some of the hardware especially the low end may not be reliable. Their RB2011 is a work horse though.

[Tony0945]

I've looked at the EdgeRouter and it looks promising. I did get lost in the documentation as most of the terminology is unfamiliar.

[dvNuLL]

Since the EdgeRouters use a fork of VyOS (with their own GUI on top of it), you can reference the VyOS documentation available at https://docs.vyos.io/en/latest/. VyOS itself is the open source fork of Vyatta before it was bought by Brocade.

You can install and run VyOS on any x86/x86_64 hardware you want. I use the iso in vms (kvm/qemu) to test out network configs before deploying to production hardware.

The EdgeRouter GUI has wizards to get you set up and running. I recommend learning the cli as it will make your life much easier. If you end up using or deploying their USG variant elsewhere (uses the Unifi controller), understanding the cli will allow you to override settings and set up custom configurations for your specific use cases.

If you end up getting the Mikrotik, their Winbox tool is good, but the cli always gets things done faster.

If you have any questions on configuring VyOS or RouterOS, post here and I will try to help as much as I can.

[pjp]

[dvNuLL]

Not for the Unifi series, but they do have the Edge Series switches which can be configured via cli or web ui.

If you want to have a web way of managing all your devices, Ubiquiti has a UNMS controller (free download) which can manage Edge series devices.

Basically,

Unifi series hardware requires the controller.
Edge series does not, and can be configured via cli or local webui.

[dvNuLL]

Also, did the both of us join these forums on the same date or is it the date of a previous forum move ?

[pjp]

Thanks. They seem to have unclear documentation on stuff like that, so I've not purchased anything from Ubiquiti yet.

I prefer CLI on the device. Anything else that makes it easier is nice, but I don't want to have to run a VM to configure something. I'm not a fan of web only interfaces (another rreason I've delayed making a purchase).


As far as I know, that's the day we both joined. I don't recall the exact date, but that month seems reasonable, and I don't recall any moves from around then (it wasn't until later that I became a moderator).
_________________
Quis separabit? Quo animo?

[dvNuLL]

The cli tools work great. It is basically Vyatta/VyOS. So if you don't find something specific on the ubiquiti documentation site or forums, you should be able to lookup docs on the VyOS site which are a bit more extensive. In the past I have played around with various routers/switches and these devices supporting both cli and webui made me happy. I could do the simple stuff in the web ui and do the more complex configurations in the cli. This helps when setting up IPSEC, as the ubiquiti ui names IKE ESP groups as FOOX where X is a number. With one tunnel, its not a problem, with multiple FOO0 and FOO1 make no sense.

When you make a change in the cli and commit it, you get a notification on the web ui, and vice versa. This is a nice touch so that people don't commit on both and overwrite each other.

I have the Edgerouter Lite (3-port) that I purchased back in 2014 and it's still running today. I run the Pro-8 port one in my rack at the data center.

[pjp]

I've considered one of the Edge routers. But that necessitates buying a separate switch and wireless device (I'm presuming an AP). And if I segment the wireless to be in a DMZ, it gets more complicated and requires more planning . Then there's the mounting / placement of the AP. Plus, those 3 devices seem to be more costly than I'd hoped. Which led me back to consumer based all-in-one wifi / router/ switches. And then I get tired of looking at the options.
_________________
Quis separabit? Quo animo?

[dvNuLL]

I work a lot more from home these days, so IPSec was something that was needed. The ER Lite was at the right price point, had all the features. I think total between the router, switch and AP, I paid around $350. I bought each of the components over the course of a year. The fact that I can access a log file to troubleshoot each item sealed the deal.

I did segment the network into an internal wireless and a guest wireless, all the devices support VLANs and freeradius+samba ensures I have one set of credentials for the internal wifi. I have a VM running pi-hole which takes care of ad blocking.

[pjp]

I had originally hoped to find a solution for not more than $200. I suppose I could find a switch and AP and add the router later.
_________________
Quis separabit? Quo animo?

[erm67]

[pjp]

[dvNuLL]

There is an EdgeRouter-X which is in the $60 range. So thats around $40-$50 cheaper than the 4 port. Same software and configuration options.

And a 10X, with 10 managed switch ports so that should leave just an AP for you to purchase.

[erm67]