Ideal Setup Recommendations for Noob?

Howdy,

I just found out about OpenWrt a couple days ago and I really like the idea of it. I'm at the start of my career in a cybersecurity position and I use Linux a lot, both at work and at home. I'm a huge fan of Linux and FOSS in general. However, I am lost on what to buy to set this up.

I currently have serious internet speed and connectivity issues, and I believe it's because of my modem and router (2 separate units). I have a 1200 Gbps cable plan with my ISP but on Wi-Fi I can't even get to 200. So I basically want to start from scratch with OpenWrt.

I have done some reading and it sounds like the ideal setup for most home environments (if it can be done) is a modem, a router with only wired capabilities, and access points for Wi-Fi. Unless someone can correct me and tell me there's a better design, I believe this is what I should do. Please tell me if I'm missing something there; I'm not sure if I need a managed switch for this setup or not. Money is not a concern; I am willing to save for anything expensive as long as its performance justifies the price. My hope is to use this same exact hardware for my new house in the next few years, so I see this as an investment. I simply don't know which brands, models, etc. are worth my time.

As far as desired features and use cases, I'd say I'm fairly vanilla. I want to maximize my internet speed for sure, and reliability is one of my largest concerns. I live in a fixer-upper and things break on me all the time; I do not want to add any more to the mix. I don't know how resource-intensive it is to have a VPN client running on the router, but I would like that too. Overall, I would like to have overpowered hardware in case I decide later to do more with it. Please educate me on where I should look. Thank you!

Towards, and especially beyond, 1 GBit/s WAN speeds (where it probably becomes unchallenged), separating these functionalities as you laid out does make sense.

  • modem
    • whatever matches your ISP's and speed requirements, as long as it can be configured to be just a modem, with the external WAN IP being terminated on your router
  • router
    • capable x86_64 with 2+ ethernet ports of the desired speed (so >=2.5GBASE-T in your case)
      New N95/N100 systems with 4 2.5GBASE-T ethernet ports (150-250 EUR/USD on the big "market places") or cheap/used SFF brand-name systems (Haswell i3/i5 or newer) with slim-bracket ethernet cards in the PCIe slots come to mind.
  • dedicated 802.11ax wireless APs (or wifi routers configured as APs)
    • as per your requirements (wired backhaul strongly preferred)
      Multiple cheaper ones in different locations tend to beat a single high-end one, as long as you can connect them to a wired backbone.

Managed switches widen your options when it comes to pushing multiple networks over a single trunk port, e.g. LAN, guest, VoIP, surveillance camera and IoT networks pushed through to all of your APs (VLANs ~= managed switches required). While you can implement a poor man's solution of this using multiple ethernet ports (or cards) on the router, each with their own subnet (no VLANs, plain access ports) and unmanaged switches from there, managed switches make this a lot more flexible.

For 1000BASE-T, and considering the prices for used (even OpenWrt-capable) L2 managed switches with 8-24 ports, I would recommend going the (L2) managed way. For 2.5GBASE-T and beyond, prices for unmanaged switches are already quite high, with managed options excessively so; here it really depends on your budget and requirements. A hybrid approach with a large (16-24 ports) 1000BASE-T (L2) managed switch (PoE or not) and a small (~4-8 ports) 2.5GBASE-T or 10GBASE-T 'multi-gig' switch to connect your fast desktop computers/servers might be sensible. Under good circumstances (short range, little interference, HE80), your typical 2x2 clients (as found in notebooks/desktops) may push 700-800 MBit/s over wifi6 (you'll only profit from wifi6e/6 GHz in congested environments, via reduced interference/congestion, not top speed), so the AP backbone might still use the 1000BASE-T switch without losing much.

The rest depends on:

  • your budget
  • your expectations
    e.g. the things you have not told us, as in sqm/cake (~QoS) desired, router-side VPN gateway, adblocking, IDS features, …
  • your local environment (area to cover, number of rooms/ walls, building materials, outside coverage)
  • your location (densely populated apartment building --> high interference/congestion --> 6 GHz may be beneficial; no neighbours in sight --> 5 GHz will do easily)
  • regional availability and pricing of potentially interesting devices
  • your willingness to get down to the metal and set this up, as well as to maintain it long term
    • abilities to install a wired ethernet backbone throughout the house
    • potential WAF-related conflicts of interest

Once you've figured this out, take a step back and reconsider your needs, your expectations, the time and effort required and your budget; you might come to the conclusion that a simpler/flatter (1 GBit/s) topology might do 90% of what you want it to do, for 10% of the budget and 5% of the effort.

--
I've gone with an x86_64 router, wired backbone, L2 managed switches running OpenWrt and dedicated APs for a WAN speed well below the 1 GBit/s barrier myself, and don't want to look back from this level of service separation again, but I still look at the infrastructure as a whole, keeping it sensible and fault tolerant (with easily replaceable components). While I'd like to push beyond 1 GBit/s LAN-side, prices are not sensible for that yet.

What sort of infrastructure do you use for doing stuff like pen testing or what have you at work? Do you set up VMs with virtual switches and routers, and run attacks between the hosts?

If so, you can set up a similar system at home. Got a host that's running kvm/qemu, proxmox or whatever? You can install OpenWrt on that, set up a virtual switch on the downstream to some local VMs and have your own little playground to learn OpenWrt prior to deploying it live.

I've got OpenWrt running on various bare metal devices, but more often than not I use one that's on Hyper-V (for historical reasons, don't ask), to experiment. The upstream gateway is my "real" router (an x86 PC-Engines APU2) to get internet access, but the OpenWrt VM is peer to some workstations so they look to the VM like they are outsiders. I have another Linux VM that is on the VM's subnet, so I can play with firewalls or intrusion detection/prevention or whatever I feel like, all without repercussion if I really break things.

My recommendation:
Router - Intel N100 minipc (search forum to see what brands others are using)
Switch - managed switch with PoE+ ports, e.g. Netgear MS108EUP
Access Points - Netgear WAX220 (with 2.5G-port)
Cables - Cat6e

On the router install additional packages:

  • Adblock-lean for centralized adblocking
  • SQM QoS for traffic shaping to prevent bufferbloat
  • Wireguard in case you need vpn tunnel

x86 with 2 of 2.5 gbps ports, with SFP+ 10gb card
RUCKUS ICX 7150-C12P switch, poe, license for 10gbps
RUCKUS R650 Indoor Access Points w/ 2.5gbps ports, 1 per floor
WIFI 6 laptops, desktops, phones, & other devices
App - Ruckus Unleashed, controls the APs and switch

You brought up some really good points to consider. I had not considered adblocking and IDS at all, but I would definitely like those implemented. I do think QoS would be good as well given that I play video games from time to time. Is there a guideline on what specs the router should have to perform all of these functions without resource over-utilization?

My organization is so small that we don't do our own pentesting, but I sure wish we did because I'd be first in line to do it. Using a VM to test out OpenWrt before pushing it out to "production" is a very good idea, thank you!

This is awesome, thank you for the recommendations! I will definitely look at these devices as a starting point and compare with other options.

Thanks for the specificity of your recommendations! I will look into these. I do have one question: I often see people on the forum say "x86" as you did in your post. Are people just abbreviating x86_64, or are there actually a lot of routers or other devices that are 32-bit?

Yeah, "x86" is sort of all-encompassing around here, usually means /64 as that's probably the most common (various mini-PCs, SBCs, old desktops or laptops...). Go to https://firmware-selector.openwrt.org/ and type in x86 and you'll see the two generic x86/32 and x86/64, and a couple of builds for specific hardware. All of my x86 installs (two bare metal, one VM) were done with the x86/64 generic image.

If you look at the "Builds by target" at https://sysupgrade.openwrt.org/stats/d/LM1HE4E7k/attended-sysupgrade-server you'll get a sense of the mix of hardware. Right now I see 8% for x86/64 and 0% for 32-bit, for what that's worth. I have no idea how closely this mirrors the actual installed base for OpenWrt, as it's only one of several ways you can get an image.

So I'm seeing some good looking mini-pc options, however what I'm finding isn't listed on the Table of Hardware. I also see posts (like this: Mini PC or router?) that indicate people are using devices that aren't listed on the Table of Hardware. Is it the case that basically any mini-pc can run OpenWrt and the ToH is just for devices specifically designed as routers?

Mini PCs are almost always just generic x86/64 devices, so no special mention is made for them. You could use the same image to convert a laptop, desktop or whatever into an OpenWrt router.

yes, abbreviating x86_64

Okay so I found this affordable fella here: https://www.newegg.com/zignbox-gl0264/p/N82E16856101253?Item=9SIAMRUJNA5528

It has two RJ-45 ports that max at 1000 Mbps, but that's fine because I never get beyond 1000 Mbps from the modem to the router anyway. My questions about this are: 1. Is it okay to have 2 Ethernet ports but only one NIC? I see no indication in the specs on Newegg that this device has multiple NICs. 2. Is the processor good enough? 2 cores up to 2.6 GHz. I'm just not sure what routers typically need.

Unless you are looking for super-low power consumption, I'd be tempted to spend $40-50 more for a more modern processor than the circa 2017 N4000. There are now N100/N200 devices on aliexpress for almost that price, and they'll run rings around the N4000. Need advice, should i buy x86 or ARM based hardware? - #9 by efahl

There's also a new megathread on STH regarding the latest'n'greatest multi-NIC boxes: https://forums.servethehome.com/index.php?threads/cwwk-topton-nxxx-quad-nic-router.39685

Barely anything that breathes will "work". For example, an Archer C7 from 2015 will run the current 22.03 release and provide decent basic functionality (1-core MIPS @ 720 MHz with 128 MB RAM, 16 MB flash).

An OpenWrt router's CPU requirements depend on work load, but SQM is probably the most intensive one that is widely used. Here, more is better, some number of cores at 2+ GHz is probably necessary to get 500+ Mbps throughput while managing the queues (that'd be across the WAN interface, not your intranet/LAN traffic).

You don't need much disk, unless you want lots of persistent logging, which would go to an "external" drive anyhow. OpenWrt is tiny, here's my VM install with all sorts of useless packages (note that /tmp is RAM, so it doesn't even count!):

$ df -H
Filesystem                Size      Used Available Use% Mounted on
/dev/root                14.5M     14.5M         0 100% /rom
tmpfs                   240.7M     31.6M    209.1M  13% /tmp
/dev/loop0               78.4M      1.7M     70.4M   2% /overlay
overlayfs:/overlay       78.4M      1.7M     70.4M   2% /
/dev/sda1                16.0M      6.4M      9.5M  40% /boot
/dev/sda1                16.0M      6.4M      9.5M  40% /boot
tmpfs                   512.0K         0    512.0K   0% /dev

For RAM, it depends. If you are going to run lots of ad blocking with big DNS lists, maybe 1 GB? If you're going to try running deep packet inspection/intrusion detection, using say the snort package, then 2-4 GB would be useful (certainly more than 1 GB is required by my testing). (Snort is also a major CPU hog, but since it's not widely used, I didn't mention it above.)
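Added example (my config, not efahl's): an SQM setup for the cable WAN case discussed above, using cake on the raw WAN NIC, which is the workload the CPU sizing note refers to. Assumed, and not stated anywhere in the thread: sqm-scripts (and optionally luci-app-sqm) installed, the WAN NIC is eth0, and unshaped speed tests of roughly 950 Mbit/s down and 35 Mbit/s up; the rate numbers are placeholders to be replaced with your own measurements.

```uci
# /etc/config/sqm (added example, not from the post).
# Assumed: sqm-scripts installed, WAN NIC is eth0, measured unshaped rates
# ~950 Mbit/s down and ~35 Mbit/s up. Shaping a little below the measured
# rates moves the queue from the modem into cake, where it is managed.
config queue 'wan'
	option enabled '1'
	option interface 'eth0'
	option download '850000'        # kbit/s, ingress: ~90% of measured
	option upload '32000'           # kbit/s, egress: ~90% of measured
	option qdisc 'cake'
	option script 'piece_of_cake.qos'
	option qdisc_advanced '0'
	option linklayer 'ethernet'
	option overhead '18'            # DOCSIS per-packet overhead for cable
	option debug_logging '0'
	option verbosity '5'
```

Apply with `/etc/init.d/sqm restart`, then check `tc -s qdisc show dev eth0` (egress) and `tc -s qdisc show dev ifb4eth0` (ingress, which sqm-scripts redirects through an IFB device): both should show a cake qdisc at the configured bandwidth with growing packet counters. A bufferbloat test run with SQM enabled and disabled is the real acceptance test. Ingress shaping near the rates above is exactly where the "2+ GHz cores" point matters, since every WAN packet in both directions now passes through cake on the router CPU; watch `top` during a full-rate download before trusting the box.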

That megathread you provided is great! I found this device: https://www.aliexpress.us/item/3256804667234087.html?spm=a2g0o.productlist.main.13.d2cf3349YCQ82K&algo_pvid=66ef6f64-9140-49c5-8298-7a19b3ff7078&algo_exp_id=66ef6f64-9140-49c5-8298-7a19b3ff7078-6&pdp_npi=4%40dis!USD!203.74!110.02!!!203.74!!%402103399116942005938022059e874f!12000033760567439!sea!US!0!A&curPageLogUid=qL3Vtj9lR7OG#nav-specification

12th Gen Industrial Fanless Mini PC N100 N5105 Soft Router 4x 2.5G i226 i225 LAN NVMe Intel Firewall HDMI2.0 OPNsense PVE ESXi

The config I'm thinking about is 8GB DDR4 128GB NVMe and N100 i226-V DDR5. I know it's a bit overkill, but at $189.48 it's still competitive with alternatives I could find on Newegg, and this guy should be future-proof for a long time with these specs, I think. I'm still a little confused about the whole multiple NICs vs. multiple ports on a single NIC deal, and the specs page isn't very clear about that, but I looked up the NIC and Intel's page on it says it's a single port configuration, so I'm guessing that means this is multi-NIC. Unless there are any good objections to this device, I will place an order on it soon.

As far as I know, all the x86 boxes have individual NICs; there's no switch matrix like you'd have in an all-in-one WiFi router (all-in-ones usually have one WAN port on a dedicated NIC, then a switch matrix with 2-5 ports on the switch presenting as a single interface inside the router). What this means for the mini PCs is that the CPU is involved in handling all the packets crossing the device. When you have a switch device, it handles local traffic between ports at "layer 2", where the packet is just shuttled from one port to the other without any CPU involvement.

That one you've linked is almost identical in specs to my N5105 box, which I've had running since early December. Power draw has averaged about 8.9-9.0 watts over that time. I think I recall that the N100s are running at lower draw than that, due to the more modern CPU architecture (possibly other tweaks).

For testing, I wired mine up like this:

workstation -> router <-> switch <- NAS

With the workstation having an MSI mobo with built-in 2.5 GbE Realtek NIC. The switch is a Zyxel XGS1210-12 with 2.5 GbE to the workstation, and 10G SFP+ to the NAS using a DAC cable. Iperf3 runs between the workstation and NAS were all at ~2.3-2.4 Gbps total, so no issues with just ramming data through it (I used this setup to test that all the NICs on the router were functioning and capable of advertised speed).