Exploring options for running OpenWrt

A year ago I was considering the Sinovoip BPI-R4 board to run OpenWrt and upgrade my router, expecting that OpenReach would be installing full fibre within a few months. Well, that hasn’t happened and they are now saying that they will be building within the next year, which I now take with a pinch of salt. In the meantime, that BPI-R4 board has doubled in price and now costs 320GBP. You can buy a bundle with a case and power supply, but the PSU does not have a UK plug and looks a bit cheap. It is possible to purchase used hardware by known brands from eBay for much less.

My new provider will be supplying a 500mbit full fibre connection with an Eero router. I will need more than two Ethernet ports and would like a rules-based configurable firewall, not just a basic SPI FW. I would also like to implement a 5G failover solution in some way.

I have therefore been exploring other options and found that it is possible to purchase a Fortigate 50E, 60E or even an 80E for around the 100GBP mark, except that only the 50E currently has OpenWrt firmware for it. All models have two WAN ports, so one for fiber, the other for a 5G modem.

I also came across an Alta Route10 which apparently runs OpenWrt, but some custom version of it with missing features? I understand it is flexible enough to configure the Ethernet ports as required for WAN and LAN, but I would also need to buy SFPs. May need help there to identify which ones for 2.5Gb or 10Gb Ethernet.

The third option was a RUTX50. These have two SIM slots in addition to a WAN port which would provide the 5G failover I was looking for without requiring extra hardware, but are quite expensive - around the 400GBP mark - requiring the 5G modem investment upfront.

Of course with the Fortigate and Alta Route10 I would have to buy an external 5G modem later.

Is there OpenWrt firmware for the 60E or 80E?

Is there OpenWrt firmware for the Alta Route10?

I have discounted anything Sonicwall based on various comments I have seen online.

Are there any other options I might consider?

UPDATE: one other I might throw into the mix is the D-Link DBR600-P. There is a USB 5G device available for it as well. It doesn’t appear to be supported by OpenWrt yet, but does otherwise have everything I am looking for at a reasonable price. D-Link devices seem to be popular with the OpenWrt community, so I am cautiously optimistic that OpenWrt might become available for it at some point, although for now I would have to run the D-Link firmware.

OpenWrt supported devices are listed here: https://toh.openwrt.org/

ISP (Hyperoptic, QuickLine, Trooli and Grain) branded EX5601-T0 off eBay?

If you are looking for a wired-only OpenWrt router I do have a Checkpoint V80 and a Watchguard T70 listed on eBay UK.

The Watchguard interests me. I see that it has two WAN ports and is relatively cheap. Might be worthwhile getting one of those as a starting point. The Celeron CPU puts me off a bit, although as I recall, these did have a good reputation and the specs seem more than good enough for even a 1Gb home broadband connection. I see yours is the one with OpenWrt already installed :-).

Does the console port take a standard “Cisco blue”? Or is it custom to Watchguard?
(I think I have now found an answer to that)

I am also more than a little curious because the T70 does not appear to be listed as a supported device?

Did they ever solve the problem discussed here:

https://forum.openwrt.org/t/watchguard-t70-hw-discovery/155544/2

I can't find my Cisco USB to console cable so can't check unfortunately.

The T70 is a standard x86/64 machine and these are not individually listed as supported devices. The list would get very long since almost any PC / laptop or thin client with a network interface can run OpenWrt as long as the BIOS / UEFI allows it to boot and the Linux network drivers are available.

The 4th Ethernet port on the T70 is wired to the Marvell switch. The WatchGuard OS can configure the individual switch ports by using some custom code / driver. This is not available in mainline Linux so the resistor has been removed, which results in a 5 port dumb switch. This means you can't isolate the traffic on those ports. This has never been an issue for my basic home network but could be a problem if you want to do a more advanced setup.

I’ve made you an offer on the v80. Looking for something with a bit more ‘oomph’ than my current ER605 for my 900/115 FTTP connection. Seems like the v80 might be worth a try…

I just realised that the first two ports are 0/WAN and 1/LAN and port 3 is not designated. At first glance I read that as 0/WAN and 1/WAN. Can ports 1 - 3 be configured individually, i.e. so that either port 2 or port 3 can serve as a second WAN port for failover? Can one of the ports serve as a DMZ?

Yes OpenWrt allows you to configure the ports the way you want so port 1-3 can be configured individually. Only the 5 port dumb switch does not allow any configuration due to the way the hardware is designed.

As far as I know the configuration / assignment of individual ports is possible on any OpenWrt router.

Just looking at the T80, all of the ports seem to be grouped together into one hub. I am curious as to whether that will be a problem if they are all connected to the same Marvell chip in that version. On the T70 ports 0, 1 and 2 are clearly separated from the hub group.

Something with 2.5Gb ports like the D-Link DBR-600-P would be nice, but since my connection will be 500mbit and my internal LAN is 1Gb, then the T70 should be more than adequate and, I am guessing, better than the Eero based on stated throughput. It will also give me all the features that I will need to move my existing hardware over. I can always upgrade later if I change my connection to 1Gb, although it's unlikely that I will need that.

I have purchased your T70 and just afterwards got an offer of 35GBP on another one….

Never mind. At least yours already has OpenWrt on it and I don’t have to take it apart and remove the resistor as the mod is already done!

As an alternative idea for my 900mbps fibre as I connect the gaming stuff wired, I opted for a split system.

The router with OpenWrt is a Raspberry Pi 4 with 1GB RAM, which seems fine for OpenWrt. This is installed on a USB3 SSD so it loads quickly, and it removes the need for the SD card, which can be a bit flaky. USB boot is there out of the box and automatic, but I would recommend installing Raspbian first and doing an EEPROM update; it takes about 10 mins to image, boot and run the update command, but it cannot be done in OpenWrt. I use the squashfs version so I can upgrade using attended sysupgrade, as the upgrade path is different for the ext4 build. Squashfs takes around 120MB of my 64GB SSD, so I have a storage partition using the f2fs filesystem for the rest, which I can mount and, with ksmbd, access as a network drive; it is also used for the luci stats package RRD DB files. This setup gives you one input for internet via a USB dongle (as per the instructions for RPi4 install on the site) and 1 output LAN port, so I connect to a VLAN-capable TP-Link switch. So this gives you a quick and performing router and 7 LAN ports for an 8 port switch. Note - I have WiFi on the Pi turned off.

WiFi I have kept simple, with a bought TP-Link WiFi controller, 2 ceiling-mount EAP620 APs and a 5 port PoE switch as the power source, and they pretty much just work; these are also VLAN capable.

The VLAN bit, for info, is that I have 3 SSIDs / networks and they connect to 3 VLANs for family access and separate networks for guest and IoT usage. OpenWrt manages this and access controls etc., but the net stuff needs to support and understand it.

Hope this gives you another idea option…

Thank you for describing your alternative idea. Your WiFi solution is interesting. I have Zyxel Multi M1 routers (running OpenWrt of course) for my WiFi mesh. One tends to see those distributed ceiling mounted WiFi APs in offices and hospitals. I wasn’t aware that something similar was available for the home from TP-Link.

I do use a Pi for another purpose and had heard that one can be used as a router. I could have done that and added a switch, however, I had already purchased the Watchguard Firebox T70 from Konus. It has the advantage that one can configure an additional WAN port, which would be handy since I want to experiment with adding a mobile network backup. I might also configure the third port as a DMZ and have the VOIP adapter in there. The 4th port is the 5-port switch which will be used for the LAN side. I also recently picked up a Lantronix mobile modem in an auction for a tenner. It supports only 4G LTE and is not 5G capable, but it does give me something to work with. I just need to get a SIM for it. Depending on how that works out, maybe I will get a 5G modem later.

In any case, thank you for pointing out that option. It's useful to know that the versatility of the Raspberry Pi can be called upon even when a router is required.
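
The port layout discussed in this thread (a second WAN port for the mobile backup, a DMZ port for the VoIP adapter, LAN on the switch port), sketched as OpenWrt UCI configuration. This is an added example, not part of any post above; the device names `eth0` to `eth2`, the interface names `wanb` and `dmz`, and the 192.168.50.0/24 subnet are assumptions.

```uci
# /etc/config/network: constructed example; eth0..eth2 are assumed names (check "ip link")
config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'
	option metric '10'

config interface 'wanb'
	option device 'eth1'
	option proto 'dhcp'
	option metric '20'

config interface 'dmz'
	option device 'eth2'
	option proto 'static'
	option ipaddr '192.168.50.1'
	option netmask '255.255.255.0'

# /etc/config/firewall additions; also add "list network 'wanb'" to the stock 'wan' zone
config zone
	option name 'dmz'
	list network 'dmz'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# DMZ hosts may reach the internet; no forwarding exists for dmz -> lan.
config forwarding
	option src 'dmz'
	option dest 'wan'

# LAN may reach the DMZ (e.g. to manage the VoIP adapter).
config forwarding
	option src 'lan'
	option dest 'dmz'

# Zone input is REJECT, so open only DHCP and DNS on the router for DMZ hosts.
config rule
	option name 'Allow-DMZ-DHCP'
	option src 'dmz'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-DMZ-DNS'
	option src 'dmz'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

Route metrics only switch to `wanb` when the `wan` default route disappears; the mwan3 package adds health-checked failover on top of this layout.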