Can OpenWRT Replace My Fritzbox Setup? Suggestions welcome!

Hi everyone,

I'm considering replacing my current Fritzbox 7590 setup with an OpenWRT-based solution. The reason is that I no longer feel comfortable with all those IoT devices in my network without the possibility of putting them in a separate VLAN (I know about the guest WiFi of the Fritzbox, but then I can't access the devices with the corresponding apps any more - so that is no solution), and I would love your input on whether it's feasible and what hardware would be best.
Current Setup:

Internet: FTTH 600/300 MBit (German Telekom) via fiber modem

Routing & WiFi: Fritzbox 7590 (connected to the modem via WAN)

Switches: Several Netgear "dumb" switches + Mikrotik CRS326-24G-2S+RM (currently in dumb mode)

WiFi Access Points:

    FRITZ!Repeater 3000 AX (Ethernet backhaul)

    FRITZ!WLAN Repeater 1750E (Ethernet backhaul)

Services Currently Handled by the Fritzbox:

Dynamic DNS update (DuckDNS, soon moving to own domain)

Telephony (Fritz!Fon + Fritz DECT repeater)

Port forwarding

WiFi roaming between access points (AVM "mesh")

VPN site-to-site connection to another Fritzbox 7590

Plan/Goals for the OpenWRT Setup:

Basically maintain the same service.

Add VLAN support, also make use of the Mikrotik's ability to be managed.

Ensure stable WiFi performance. Especially WiFi roaming in our three-story building is most crucial to me. I want to be able to walk through the house, having a video call, and not experience any interruptions. I think I need 802.11r/k/v.

I'd like to keep the Fritzbox as a client to handle the telephony part.

Questions:

Can OpenWRT fully replace my Fritzbox setup while keeping all services running? Is it possible to build a site2site tunnel to a foreign Fritzbox?

What hardware would you recommend for routing and WiFi? I am thinking about an x86-based router running OpenWRT (I have an ASRock Deskmini 110 with a Pentium 4560 lying around; I'd add a second Ethernet interface), as well as three dumb access points (currently Zyxel's NWA50AX PRO seems to be a good choice).

Any potential pitfalls I should be aware of?

I have already checked almost every WiFi manufacturer and system there is, but mostly there is no WiFi roaming support in standalone configuration, and cloud-based management is an absolute no-go for me, so I am especially interested in whether WiFi roaming would work fine in that setup. Mikrotik seems to promise that if I would use a Mikrotik router, but their WiFi seems to be below average.

I have some experience with the very first OpenWRT, on the original Linksys WRT54G, so my experience is dated but the sympathy is unbroken :smiley:

Thanks in advance for your insights!

Get some used cheapo OpenWrt-capable router or AP and connect all those IoT devices through it.

Block access to the main LAN in the firewall, but allow internet access.

Or you could get a T-56 from wifilinks.nl, AFAIK they still haven't started rolling out the locked bootloader fw version on those.

https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface

Thanks for the suggestion. Since the Fritzbox does not offer me any options for routing or VLANs, I am not sure how I could accomplish that.

If you hook up an additional device, you don't need any VLANs?

Read the link provided.

Depends on the services...

Yes to the above.... totally easy.

If the site-to-site uses a standard protocol like WireGuard or OpenVPN, yes. If it uses proprietary 'magic', no.

Yes to roaming, but actually this is a client side process, so not (directly) relevant to your router/APs. More on this below.

No, AFAIK this will not be supported.

Yes, OpenVPN works well with VLANs. However, you should not use an unmanaged switch with VLANs, and your Wifi APs may or may not actually support VLANs and multiple SSIDs.

Yes, but... The stability of your wifi depends a lot on the entire system configuration, and not just the OpenWrt router. In fact, it has very little to do with OpenWrt if you end up with a wired-only router (i.e. x86) and also if you're just flashing one device to OpenWrt. That said, I will reiterate that roaming is a client side process. For it to work well, you need to set the same SSID (on 2.4G + 5G radios, and on all APs), same encryption type and same passphrase. Then, adjust the power levels and channels, as well as physical location (to the best of your abilities) to be able to optimize the performance. To be clear, 802.11k/v/r is not necessary, and is often actually detrimental to roaming performance. It should only be used if there is a demonstrated need for it and only after you have fully optimized the other things I mentioned above.

This will largely depend on your requirements and constraints. Price, internet speeds, inter-VLAN routing bandwidth requirements, number of physical ports required, floor plan for wifi coverage, location (i.e. country/market availability), etc.

You mention an old x86 system -- consider that it may consume far more electrical power than a modern "plastic box" wifi router, which means it is more expensive and also detrimental to the environment to repurpose the x86 box for this use than to buy a new bit of kit.

Also, if you go with an x86 system (or any SBC type device), wifi performance won't be all that great compared to a purpose built wifi AP (or combo wifi router device). The recommendation at that point is to use the x86 device as a wired only router, and use purpose built external wifi APs.

This is entirely incorrect as it is the client device's responsibility to roam. But it is important to recognize that you need to configure your devices properly to create an optimal roaming environment, and that requires that the right controls are exposed to the user. OpenWrt will always have those controls available, as will business grade APs with their own firmware.

OpenWrt doesn't need any kind of cloud based management. And there are vendors like Ubiquiti (Unifi) and TP-Link (Omada) that have their own single-pane-of-glass management system -- these can be used locally only, cloud, or hybrid local/cloud.

Let's look at this slightly differently.

So you have:

  • a 'fibre modem' (ONT) from your ISP
    this means your router gets ethernet via rj45
  • one 24-port managed 1000BASE-T switch
    your unmanaged switches can still be used on the perimeter, as leaf switches, as long as they only get to see a single untagged VLAN
  • wired ethernet connections to the locations for your APs
  • an AVM Fritz!Box 7590

These AVM Fritz!Boxes can be configured in IPoE (client-) mode (with SIP keepalive pings every 30s) behind another router, and still serve all phone features:

  • SIP pbx
  • DECT/ cat-iq 2.1
  • SIP ATA
  • voice box
  • fax machine

This means you can keep your existing 7590 as-is with the OEM firmware (Fritz!OS 8.xx) to handle your existing phone requirements, without any changes there (apart from reconfiguring it to IPoE mode and putting it behind your router). Older Fritz!Boxes (7430) had issues (packet reflection) when using their internal switch in IPoE mode; while I'm not sure whether this also applies to your newer device, it is advisable to use the Fritz!Box exclusively for its phone features, with only a single ethernet cable (lan1) connected and WLAN disabled.

You have at least one managed switch and wired connections to the locations for your APs, which is also a very good starting position. Just be aware that the unmanaged switches must never be exposed to VLANs, so they are only useful as leaf-switches carrying only a single untagged VLAN.

What you need now:

  • an OpenWrt router with sufficient performance to handle 600/300 MBit/s with PPPoE and your VPN requirements at those speeds
  • two OpenWrt capable wifi6 APs, maybe three if you go with a wired-only router
    looking at your particular repeaters, it seems that both of them can be reflashed with OpenWrt, which would be required if you want them to handle multiple VLANs/ BSSIDs

In other words, your existing setup is rather good for your desired configuration, you only need a decent OpenWrt capable router.

x86_64 can be a decent choice for this, it has the performance - and it can also be power-efficient, but your 'old gaming box' typically is everything but power efficient (power-efficient SFF systems without magnetic disks, monitor disconnected and no dedicated graphics cards might get away with 20 watts, 11-15 watts if you're very lucky, magnetic disk +10 watts, discrete graphics card +30 watts, … etc. pp.; everything from 15-130 watts idle can be seen here, that does show up on your electricity bill for 24/7 operations), so it might be sensible to look for more purpose-built power-efficient hardware instead.

Filogic 830 could be a decent choice for this, e.g.:

Advantage: (good) wireless included
Disadvantage: performance probably sufficient, but limited headroom (with PPPoE, VPN and future speed upgrades in mind)

If you look at x86_64, there are plenty offers for "four 2.5GBASE-T port N100/ N97" alderlake-n systems (OpenWrt is fine with >= 1 GB disk space and >= 1 GB RAM; obviously you don't need to ride the lower limit) on the various market places (including Jack Ma's) starting around 120-250 EUR. These usually have a rather good power efficiency (~5-6 watts idle), while also offering a lot of performance.

Advantage: plenty of performance at very reasonable power requirements
Disadvantage: no included wireless (so you may need a cheap extra AP if you want to cover the immediate surrounding of the router; no, you can't just add wireless cards to cover this on the x86_64, the forum search will give you detailed explanations why)


Services Currently Handled by the Fritzbox (your code boxes make this much harder to read):

  • Dynamic DNS update (DuckDNS, soon moving to own domain)
    --> https://openwrt.org/docs/guide-user/base-system/ddns
  • Telephony (Fritz!Fon + Fritz DECT repeater)
    --> keep your existing devices as-is, just reconfigured for IPoE mode
  • Port forwarding
    --> https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_nat#destination_nat_dnat
  • WiFi roaming between access points
    --> you have OpenWrt capable hardware that can be used as APs with a wired backhaul, so all set (IEEE 802.11k/v/r optional, but possible)
  • VPN site-to-site connection to another Fritzbox 7590
    --> Fritz!OS offers IPsec/ IKEv1 or wireguard for VPN features; for the former you'd need to set up strongSwan (provided by OpenWrt), for the latter you can use wireguard. This is very well possible, but probably the 'biggest challenge' here (not saying that it's particularly difficult, just relatively speaking the biggest challenge).

--
There is one thing AVM can do well, and that's telephony (as long as you don't exceed their limits), everything else may look easy, but you're locked into a rather tight cage in terms of functionality.

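For the three items in the service list above that need configuration on the OpenWrt side (dynamic DNS, port forwarding, the site-to-site tunnel), here is an added example in UCI syntax. It is constructed for this page and is not taken from the post or from the OpenWrt wiki; keys, tokens, the DuckDNS name, the remote endpoint, the forwarded host 192.168.1.10 and the remote LAN prefix 192.168.178.0/24 (the Fritz!OS default) are placeholders or assumptions. The WireGuard side of the Fritz!Box is set up in its own UI and is not shown.

```uci
# /etc/config/network (fragment) -- WireGuard site-to-site to the remote Fritz!Box.
# Keys, endpoint and the remote LAN prefix are placeholders.

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'LOCAL_PRIVATE_KEY_PLACEHOLDER'
	list addresses '10.200.0.1/24'
	option listen_port '51820'

# peer section: the section type is 'wireguard_' plus the interface name
config wireguard_wg0
	option description 'remote-fritzbox-7590'
	option public_key 'REMOTE_PUBLIC_KEY_PLACEHOLDER'
	option preshared_key 'PSK_PLACEHOLDER'
	option endpoint_host 'remote-site.example.org'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	# route_allowed_ips installs a route for every allowed_ips prefix, so
	# packets for the remote LAN go into the tunnel without a manual route
	option route_allowed_ips '1'
	list allowed_ips '10.200.0.2/32'
	list allowed_ips '192.168.178.0/24'

# /etc/config/firewall (fragments)

# the tunnel gets its own zone; only the trusted LAN is forwarded into it,
# an IoT zone (if you have one) deliberately is not
config zone
	option name 'wg'
	list network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wg'

config forwarding
	option src 'wg'
	option dest 'lan'

# accept the WireGuard handshake from the internet; this is the only
# unsolicited traffic the tunnel needs on the WAN side
config rule
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'

# port forwarding (DNAT): exposes TCP 8443 on the WAN address to one LAN host,
# one protocol and one port only
config redirect
	option name 'Forward-HTTPS-to-NAS'
	option src 'wan'
	option src_dport '8443'
	option dest 'lan'
	option dest_ip '192.168.1.10'
	option dest_port '443'
	option proto 'tcp'
	option target 'DNAT'

# /etc/config/ddns (fragment) -- needs the ddns-scripts package; the token is a placeholder
config service 'duckdns'
	option enabled '1'
	option service_name 'duckdns.org'
	option lookup_host 'EXAMPLE.duckdns.org'
	option domain 'EXAMPLE'
	option password 'DUCKDNS_TOKEN_PLACEHOLDER'
	option use_https '1'
	option cacert '/etc/ssl/certs'
	option interface 'wan'
	option ip_source 'network'
	option ip_network 'wan'
```

The zone layout keeps the tunnel on the same footing as any other untrusted interface: nothing from the remote site reaches the router itself, only the trusted LAN, and the WAN rule admits nothing but the WireGuard port. When you later move from DuckDNS to your own domain, only the `service_name`, `lookup_host`, `domain` and credentials in the ddns section change.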

If you're on a budget, get a fanless Fujitsu S920 off eBay, they're 30€.
Add a PCIe riser (~10€) and a 2nd NIC of your choosing (10€ and up).

Thank you for the very helpful insights!

Sounds great, that's what I was hoping for. I would deactivate WiFi and also not use the integrated switch, telephony only.

I am aware of that, thanks. Most likely I would send the old, unmanaged switches into retirement.

Good thought! My ASRock Deskmini 110 is a small Mini-STX-based system, the CPU also supports AES-NI. I used it as a media center for a few years. In idle, the whole system draws 14W. I also have the luck to have a 13 kWp PV system on the roof and a battery installed, so I do not pay anything for electricity most of the year (that is, until the heat pump kicks in in the winter :wink: ). Reviews of N100-based systems state it draws anything from 7W to 14W in idle, so I think it would be pointless to replace the Deskmini right from the start - or am I overlooking something? Would something like the GL.iNet GL-MT6000 give me any advantage (besides integrated WiFi)? The Deskmini should only do routing/firewalling, no WiFi - I would be perfectly fine with using separate APs for that.

I expected it to work on paper - but I agree that this might be the most challenging point. I think Wireguard should work fine, but if it doesn't: Would it be possible to let the Fritzbox still build up that tunnel (I am not sure if the option is there if it is configured in IPoE mode), and create a custom route in my future OpenWRT-router, that makes sure all traffic from any client in my LAN directed to the other site's LAN is routed to the Fritzbox?

Thanks for the clarification. As far as I know, the AP (or the router?) can only make certain suggestions, which the client may or may not obey, right? My understanding was that 802.11k/v/r would be necessary or at least beneficial for that seamless WiFi experience? So if I get you correctly, as long as I use the same SSID (on all channels and APs), same encryption type and same passphrase, it might be sufficient to adjust the power levels and channels, and switching between APs would be fast enough without any extra tweaks?

So I need Multi-SSIDs to support WiFi-VLANs as far as I understand, right? Does any compatible AP support that, once I flash it to OpenWRT? For example: My current AVM 1750e does not support VLANs or multiple SSIDs in the way I need it now - would it after flashing it to OpenWRT?

Again - thanks for your support!
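As an added example for the last two questions in the thread (multiple SSIDs mapped to VLANs on a reflashed AP, and the "same SSID, same encryption, same passphrase on every AP" roaming setup described earlier), this is how the configuration of one OpenWrt access point looks. It is constructed for this page, not taken from the thread or from any AVM or OpenWrt documentation, and it does not claim that a particular repeater model is supported; check the hardware table for that. Assumptions: the AP's single Ethernet port is called `lan1` and carries a tagged trunk from the managed switch with VLAN 1 (trusted LAN) and VLAN 20 (IoT), the AP's management address is 192.168.1.2 with the router at 192.168.1.1, and the SSIDs, channel and passphrases are placeholders.

```uci
# /etc/config/network on the AP (fragment) -- constructed example.
# One Ethernet port ('lan1', name assumed) carries a tagged trunk from the
# managed switch: VLAN 1 trusted LAN, VLAN 20 IoT.

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan1:t'

# the management address of the AP lives on the trusted VLAN
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

# the AP only bridges the IoT VLAN; it has no address of its own there,
# so a device in that VLAN cannot even reach the AP's management plane
config interface 'iot'
	option device 'br-lan.20'
	option proto 'none'

# /etc/config/wireless (fragment) -- keep the 'path' option from the generated
# config for the radio; only what is shown below changes.

config wifi-device 'radio0'
	option type 'mac80211'
	option band '5g'
	option channel '36'
	option htmode 'VHT80'
	option country 'DE'
	# a second AP on another floor gets a different channel (e.g. 100) and,
	# if needed, a lower txpower, so clients prefer the nearer AP

# trusted SSID: identical ssid, encryption and key on every AP and on both bands;
# that is what lets the client roam between APs
config wifi-iface 'home5g'
	option device 'radio0'
	option mode 'ap'
	option network 'lan'
	option ssid 'HomeNet'
	option encryption 'sae-mixed'
	option key 'HOME_PASSPHRASE_PLACEHOLDER'
	# 802.11r fast transition is optional; as advised in this thread, only
	# enable it after channels, power and placement have been tuned
	#option ieee80211r '1'
	#option mobility_domain '4f57'
	#option ft_over_ds '0'
	#option ft_psk_generate_local '1'

# IoT SSID: bridged into VLAN 20, so these clients land in the router's IoT zone
config wifi-iface 'iot5g'
	option device 'radio0'
	option mode 'ap'
	option network 'iot'
	option ssid 'HomeNet-IoT'
	option encryption 'psk2'
	option key 'IOT_PASSPHRASE_PLACEHOLDER'
	# stops IoT clients on this AP from talking to each other over the air
	option isolate '1'
```

The same file, with only the management address and the channel changed, goes onto every AP; the 2.4 GHz radio gets the same two `wifi-iface` sections with `option device 'radio1'`. Whether a given device can do this after reflashing depends only on OpenWrt supporting it at all: multiple SSIDs per radio and VLAN-tagged bridging are generic OpenWrt features, not model-specific ones.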