I'm planning on hosting some public-facing services at home on Raspberry Pi(s). Therefore I would like to harden my network. I'm looking for an OpenWrt router recommendation to meet my requirements. Here's what I think my prioritization of features is:
Required:
4 VLANs and a wireless interface (which can be on one of the four VLANs). Here's my idea on how I would use them:
VLAN 1: Management ONLY (puts on tinfoil)
VLAN 2: Private home network
VLAN 3: Publicly accessible from trusted hosts with SSH/VPN private key. (I won't enforce that on the router, it's just the server(s) I put behind it will be more hardened.)
VLAN 4: Publicly accessible from untrusted hosts
High priority:
2.4GHz and 5 GHz WiFi
Medium priority:
Easy to flash/well-supported
Low priority:
WiFi 7aΩ with Quantum Beamsharing
In all seriousness, as long as the WiFi is about as good as my Arris BGW210 from my ISP, I doubt I will have problems.
And here's the form:
How fast is your internet connection? (What speed does your ISP advertise: under 10mbps, 10-50mbps, 50-100mbps, higher?)
I measured 55 Mbps down and 20 Mbps up.
Do you need Wi-Fi? (2.4GHz only, both 2.4GHz and 5GHz? Most routers provide both bands these days.)
Preferably both.
Do you need Gigabit Ethernet? (For attaching additional devices with an Ethernet cable.)
I don't know, it would be nice but I don't think I strictly need it.
Do you need USB ports? How many? USB 2.0 or 3.0? (For attaching external hard drives, printers, etc.)
Not needed.
How many family members/devices must the router support? (Most routers easily handle 5-6 people and their devices.)
Two people, 7 devices on Wi-Fi (probably 4 at most being used simultaneously though), and 2-3 RPis running as servers (expecting very low traffic).
What other services do you want? (Do you need VPN, media server, web server, etc.?)
Currently what I most want is a webserver to host a personal website (static and simple), and personal cloud storage (probably won't run Nextcloud, just a simple sshfs mount will suffice). I may branch out later on to things like an Ethereum staker or a game server or whatever fascinates me.
Finally, please define your price range. Saying “as little as possible” is not helpful. You certainly have an upper limit, therefore let the forum know if it is under $30, under $75, and so on. The forum responses will always mention a least expensive device that meets your requirements, and often suggest alternatives.
The price buckets I'm imagining are around $20, around $40, and around $80, based on some of the hardware I've looked at. Of course I would like to stay in the lowest bucket, but around $80 is probably the max before I consider giving up on this project.
I think we need to start with your location and currency (Are you saying USD?) so people can make hardware recommendations that are reasonable.
Given you are outlining 80USD, are you willing to go used?
What's the noise, power consumption/dissipation and mechanical requirements?
For example, wall mount? Fanless. Under 5W. Will sit in the sun.....
Which model of Raspberry pi?
What services?
First thing. Are you planning on using these as the actual VLAN IDs?
Do you mean / just making sure, as to me that reads as wanting untagged on the router to be your management network?
Wifi 7 isn't there yet (for openwrt)? I think if you want to "play" with wifi 7 your option is banana pi R4?
There's not much 6E devices either.
So a slower device is acceptable. Don't need fast wifi unless doing internal transfers.
Plus, hosting internet facing services with 20mbit up? You on VDSL2? What's your access technology?
Gigabit if you want to do internal services is nice. Pi5 still has gigabit ethernet I think?
Anyway. Given your price range I think almost any wifi 5/6 router will do the job.
I'd say mt7621 will do the job and will be cheaper. Hard to get 80USD, easy to flash, fast WiFi without going used. But I also don't have experience outside the Australian market and importing equipment from Japan/US.
You will also need to discuss what "easy to flash" is. TFTP + serial console with U-Boot acceptable? No bootloader flashing? Command line nmrpflash OK? Or must it be the factory web interface with an upgrade file?
There are quite a few recent forum threads regarding long-term and easy-to-flash forum posts. I think the hard part is within your budget.... IMO I'd go used with separate router, wifi and a managed switch. Or if as you said you don't need wifi, go x86 PC + managed switch. That's probably achievable in your budget. Or even use one of the raspis as the router and go for a managed switch + wifi AP haha.
I hadn't thought about that. I'd mostly like it to be quiet. No other requirements.
I currently have two Pi 2s and a Pi 4. I am uncertain of my performance requirements yet but I will upgrade if I find it necessary after testing.
Oh I think I must have messed up here. I didn't mean these as actual VLAN IDs, I just meant a VLAN specifically for management. All of the VLANs should be tagged so I will fix my original post to start from 1. (It doesn't have to be a VLAN though, what I'm really looking for is making management allowed only from one physical port, however that might be achieved.)
I was joking
To me, easy to flash means not having to open the device up and having a low risk of bricking. I don't know about all of these flashing methods but they sound doable to me.
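One way to implement the "management allowed only from one physical port" layout described above on an OpenWrt router with a DSA switch, as an added example and not the poster's or the forum's own configuration: VLAN 1 exists on a single switch port, and the firewall only lets that zone reach the router's own services. Port names lan1..lan4, the 10.0.x.0/24 addressing, the interface/zone names and the stock 'wan' zone are assumptions; VLANs 2 and 3 repeat the same pattern on lan2/lan3.

```uci
# /etc/config/network  (assumes a DSA switch exposing ports lan1..lan4)
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
# VLAN 1 = management: untagged with PVID on lan1 and on NO other port
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
# VLAN 4 = untrusted public hosts (VLANs 2 and 3 repeat this on lan2/lan3)
config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'lan4:u*'
config interface 'mgmt'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '10.0.1.1/24'
config interface 'public'
	option device 'br-lan.4'
	option proto 'static'
	option ipaddr '10.0.4.1/24'

# /etc/config/firewall  (stock 'wan' zone assumed to exist)
# Only the management zone may reach the router's own services (SSH, LuCI)
config zone
	option name 'mgmt'
	list network 'mgmt'
	option input 'ACCEPT'
	option forward 'REJECT'
# Public VLAN: no access to the router or to other VLANs, outbound to WAN only
config zone
	option name 'public'
	list network 'public'
	option input 'REJECT'
	option forward 'REJECT'
config forwarding
	option src 'public'
	option dest 'wan'
# input=REJECT would also block DHCP/DNS; allow just those so hosts get leases
config rule
	option src 'public'
	option proto 'udp'
	option dest_port '53 67'
	option target 'ACCEPT'
```

With this, SSH and LuCI on the router are unreachable from lan4 even if a server there is compromised; the DHCP/DNS rule is the only input the public zone gets.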
If we're talking 80USD it opens up more options. Especially used. I can't really speak for the US market for new equipment.
I know if you have more budget people are recommending ARM based platforms. But I think if you went used mt7621 platform it would be the cheapest and give you a DSA switch and reasonable wifi.
I think most people are recommending GL.iNet GL-MT6000 or something. But that's ~160USD. Similarly the OpenWrt One is more expensive again.
80USD used:
Fortinet FG50/FG51/FG52 or fortiwifi of the same. (More flash, more ram, USB)
Then get separate access point. (or many because PoE switch potentially =P)
Then get a separate managed switch. (preferably OpenWrt, perhaps JG920A/JG921A because fanless?)
Or spend the whole budget on a mini x86 PC and a managed switch given no wifi requirements.
Okay so let's add not having to open up the device and solder to get to a serial console, if we need a serial console to flash?
I think that pretty much leaves the following:
Used enterprise devices which have an easily accessible serial console.
A device which has a factory recovery method built into its bootloader.
A device which you can flash from stock to OpenWrt in the stock web interface.
Snort IDS/IPS requires quite some horsepower
See e.g. https://github.com/openwrt/packages/pull/23904
=> I recommend stretching your budget and looking for the GL.iNet GL-MT6000
=> an alternative lightweight solution (instead of Snort) is banIP (blocking malicious hosts only)
I got myself a Cudy WR3000 half a year ago. Not because I needed something, but because it was really cheap and I wanted to play around with it.
On Amazon, the US price is 30% over the price here in Germany ($70 is 65€, I got mine for 30€ half a year ago, currently, it's 45€, which would be $49).
But still a pretty nice device, and I'd even buy it for the US price if I needed something right now.
I'm not saying this is the best device in the world, or the best fit for you. It's just a pretty recent device I have right now, and I'm pretty excited about it because of the whole package.
You wouldn't! I was trying to speak generally in case you had other ideas on the "router" side and/or wanted more ports.
More that JG920A/JG921A+router+ap is within your (stretch) budget.
If you have it in your power budget. It does mean rebooting your router doesn't take out your switch and internal service communications.
Similarly if you do maintenance on your switch you don't take out your router.
Similarly if one was selecting a separate wifi AP.
Thank you all for your suggestions. I've found at least two candidates that look good: Netgear R6260 for about $20 used and FortiWifi 51E for around $60 used. I'm sure there are more options that I can find.
When I'm comparing these two (and when comparing devices in general), how do I tell what I'm getting in the FortiWifi for $40 more? How do I compare router specs? What affects performance, and how?
Edit: I did some reading here and found the Linksys WRT1900ACS available used for a nice price, but with significantly better specs than the Netgear. I will keep looking.
After sifting through the TOH, I'm getting the impression that within my price range, I can either have a beefy and cheap WiFi 5 ARM router, a slightly less beefy ARM router with WiFi 6 at the top of my price range, or a MIPS router with WiFi 6 in the lower end of my price range.
I know I joked that I didn't need advanced WiFi capabilities, but now I am curious. Would it be good value for me to sacrifice WiFi 6 in exchange for the beefy Linksys router? Or would I gain something from a WiFi 6 router that outweighs the hardware advantage of the Linksys?
The Cudy WR3000 is available new on Amazon in the US for $60 after you click the 15% off coupon. This has decent current hardware at a reasonable price and supports WiFi 6.
Sure, you can save a bit going with an older generation CPU and/or WiFi5, but if you get too aggressive chasing a used bargain (trash?) bin find, I suspect you'll be asking here for recommendations for its replacement before too long.
The Cudy WR3000 flash is a little tight at 16 MB, but with careful selection of packages you can install a reasonable collection of goodies. You won't be limiting yourself to a severely stripped down firmware.
These packages fit on my 16 MB flash Reyee RG-E5 with 1.87 MiB to spare (current main snapshot built with firmware selector)
Something to consider is if you don't like taking out your primary network / router for maintenance? (or your users will complain... =P).
Need to make a determination on what packages will fit as well.
50mbit/20mbit isn't exactly fast by modern standards so do you expect to receive a speed increase over the lifetime over the router?
I would optimise for routing/SQM/wireguard speed and not wifi performance. I would only get wifi 6 if I wanted slightly newer / better radios to improve performance at the edge of the network.
My opinion is you can always add faster/better wifi later without needing to mess with your primary router.... You did mention not needing wifi on this router?
The other alternative is to just buy for the requirements now. (i.e. 50mbps SQM/wireguard speed, 16MB flash, 128MiB ram, DSA switch....) Then buy something even better for the remaining 40-60USD in a year or two? (i.e. when things are potentially even cheaper.....).
I need WiFi. It doesn't have to be the best WiFi, though.
I don't expect it, no.
I'm currently looking at something like a used Linksys EA7500 or Netgear R6300. Both have either an ARM or MIPS processor depending on the version, and 256 MiB of RAM. Most other routers at a slightly lower price point have 128 MiB RAM, slightly higher 512 MiB. Two questions:
Is it advantageous for me to go with 256 MiB over 128 MiB with the processors they have?
Are there similarly specced routers with better OpenWrt support or that are more popular in the community?
I've had good experience with mt7621 and mt7615 4x4. No specific experience with the Linksys EA7500 though.
I'd try to see if you could get any "arm" platform though. The mt7621/MIPS in general sadly is leaving a little to be desired on the CPU front.
Is this RAM or storage?
Really depends on what you're going to be running on your router.... 128M ram is pretty much the minimum now for good support? So prefer 256M ram+ unless you are only looking for a short term solution I'd say?
I don't have a good breakdown for you but here's my examples:
My 4x4 mt7615 radio mt7621 routers with 128M ram (which I'm using as access points) are sitting at 78% memory usage with 23.05.5 (I haven't tried snapshot, but it will be more?).
My 2x2 mt7915 based mt7621 router with 256M ram (which I'm using as AP) is sitting at 55% memory usage on 23.05.05 (I haven't tried snapshot, but it will be more?).
This is going to require further input I guess. Especially if you're really looking at 30USD and less like I've seen ea7500v2 on ebay?