Hello everyone. I'm new to OpenWrt and ready to purchase my first hardware. I am looking for the least expensive option that is going to give me a good first experience. This is for a wired-only setup to replace my TP-Link ER605 v1. I already have separate EAP225s that I think I can flash later.
I am a relatively advanced user having used pfSense previously at home and in a small-medium business environment and I have tons of experience with Linux servers/networking. That said, I'm looking to get started with a relatively simple setup and tinker later, when I want to take the time.
My long-term goal is to have all of my network gear easy to configure via scripts, loading relatively simple config files, or perhaps managed with Ansible so I can drop in replacements and get back up and running quickly when something fails.
Services I'm planning to run on OpenWrt:
DHCP
On-router DNS for internal network(s) + DNS caching
Ad-blocking (and preferably separate "safe browsing" filters for my kids)
Probably WireGuard when I get around to setting it up
Requirements:
Supports 100 Mbps symmetric connection to ISP
Supports 50 Mbps WireGuard
Runs stock OpenWrt / easy to copy config to a newer device
Priorities in order of importance:
Price, <$30 is ideal
At least 2 LAN ports in addition to WAN port
Gigabit routing on the LAN side
Nice to haves, but I'd rather go cheaper now and expand if/when needed:
Even more LAN ports
Support for faster ISP connection (just in case)
Support for faster WireGuard
I did some initial searching/research on these forums and the web, but I'm still overwhelmed at the options. Thanks in advance for your help, and please let me know if you need more information.
The beauty of x86_64 hardware is that it works, always - and is unproblematic in all regards. Plenty of performance, no fun with exotic offloading or other things that only work on a sunny day.
The downside is
identifying devices with decent features and low idle power for cheap
resisting the urge to make it 'more than a router', just because you have x GB unused on the SSD, X GB unused RAM and spare CPU cycles
resisting the temptation to use virtualization (you want to control the hardware directly, the network cards; virtualization just gets in the way).
But at the end of the day it's still foremost a router and security is paramount, so be smart and realize that reducing the attack surface is a priority and keep it 'just' a router, on dedicated hardware with no (or few) non-routing services.
It could end up being more like $45 to snag one of those devices plus a power brick, but I'm 90% sure that's what I'll do as soon as Dec 1 rolls around.
You pretty much had me at "unbrickable" but once the light bulb came on that it's simply a headless x86 box with a bunch of NICs, I can't pass up the flexibility. If for some reason OpenWrt isn't my cup of tea, I could switch back to pfSense/OPNsense (or whatever else I want to try) on the same hardware.
You need to understand that Wireguard is computationally intensive. There’s a dataset of Wireguard performance tests on this forum:
Take a look and see what kind of hardware matches your future performance expectations.
Generally speaking, Wireguard performance depends on the processor’s capabilities (speed, number of cores, optimizations) and cooling.
As to specific devices, I have to declare my bias: I LOVE OpenWrt on x64. Some affordable (if bought used) x64 devices, in addition to what @frollic has recommended, are:
AppNeta m35 (it’s a rebranded Lanner FW-7525, as is CloudGenix ION 2000 recommended by @frollic)
The original FW-7525 sold under Lanner brand is occasionally seen in the wild as well
Lanner FW-7551 rebranded for Silver Peak (this one used to be unworkable, but recently, BIOS passwords for it were extracted, so now it’s completely tame)
If you get lucky, you could stumble into an affordably priced Lanner NCA-1513 or even NCA-1515 (this post was written about the 1515, but it applies to the 1513 as well)
Please note that secondary market prices tend to fluctuate. Often (though not always), there’s this one seller who just wants the device gone (usually, a user of stock firmware who upgraded to a newer device and doesn’t know what to do with the old one). So some eBay trawling may be needed to find that seller and their wares.
Non-x64 ideas:
Luxul ABR-4500 and XBR-4500 (specifically the 4500 models; there are 4400 and 5000 models that look very similar, but OpenWrt is not available for them, so read the sticker on the bottom of the device carefully). These are interesting for some use cases because they have integrated power supply (no power brick; the device plugs directly into the wall) and occasionally come with rack mounts, even though they are very much desktop-size.
Ubiquiti ER-Lite / ER-4 / USG. Compact, passively cooled. ER-4 has an integrated power supply. Out of the box, they perform poorly, but once you enable offloading and packet steering, things improve drastically.
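As an added example (not code from any post in this thread): a small provisioning script that captures the "config as a script" goal from the opening post together with the two tips in the post above, turning on flow offloading and packet steering while keeping SSH reachable from the LAN side only. It assumes current OpenWrt UCI option names (firewall defaults, network globals, dropbear), and treats hardware offloading as a parameter because it only helps on SoCs with a hardware flow path such as MT7621.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes OpenWrt UCI section/option
# names: firewall.@defaults[0].flow_offloading(_hw), network.globals.
# packet_steering, dropbear.@dropbear[0].Interface. Run it as
#   sh baseline.sh --apply <hostname> [hw_offload 0|1]
# on the router; the helper functions also work on any POSIX shell.

# Produce the uci batch text. Keeping it in a function lets you review or
# diff the intended settings before touching a live box.
build_uci_batch() {
    host="$1"
    hw="${2:-0}"    # 1 only on SoCs with a hardware flow path (e.g. MT7621)
    cat <<EOF
set system.@system[0].hostname='$host'
set firewall.@defaults[0].flow_offloading='1'
set firewall.@defaults[0].flow_offloading_hw='$hw'
set network.globals.packet_steering='1'
set dropbear.@dropbear[0].Interface='lan'
commit
EOF
}

# Count the lines of a batch that carry the settings we care about;
# 3 means offloading, packet steering and LAN-only SSH are all present.
check_batch() {
    build_uci_batch "$1" "${2:-0}" |
        grep -c -e "flow_offloading='1'" -e "packet_steering='1'" -e "Interface='lan'"
}

# Take a restorable config backup, apply the batch, restart affected services.
apply_baseline() {
    command -v uci >/dev/null 2>&1 || { echo "uci not found: not OpenWrt?" >&2; return 1; }
    sysupgrade -b "/tmp/pre-baseline-$(date +%s).tar.gz"
    build_uci_batch "$1" "${2:-0}" | uci batch
    /etc/init.d/firewall restart
    /etc/init.d/dropbear restart
    /etc/init.d/network reload   # packet steering is picked up on reload
}

if [ "${1:-}" = "--apply" ]; then
    apply_baseline "$2" "${3:-0}"
fi
```

The backup written by sysupgrade -b is the same archive format the web UI restores, so a failed experiment can be rolled back with sysupgrade -r.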
Just one word of caution regarding the Sophos devices, there the exact hardware revision matters a lot - they've kept the same model name for years, but kept changing the actual hardware quite significantly depending on the h/w rev.
Likewise the branded Lanner devices often come with a password protected BIOS, so don't expect to get BIOS access there.
I've gone full virtual, running my router on my Proxmox cluster of 5 mini PCs, with keepalived failover between two VMs on separate hardware. Costs about 45 W of power in total for the cluster. Marginal cost about 0 for the router VMs. If you understand what you're doing the security implications are manageable. I wouldn't do it like this if I had the Iranian govt spying on me (like a friend I know who does international human rights stuff) but I'm confident it's safer than running most plastic routers with factory firmware, which is what 99% of the internet does...
Easily routes a gigabit with shaping on 10 year old celeron hardware.
It was meant as a simplification of "...unless you go full enterprise, with a cluster, hot-failover, HA, on systems with a battery-backed RTC, etc.".
I stand by that for the 'normal' case discussed here: single host, cramming VMs into it and no fallback strategy, nor having tested 'disaster' bootstrapping (what happens after a multi-hour internet outage, what happens after a power outage/ cold reboot of the system (staged NTP, etc.), what's your plan for hypervisor updates, what happens if the hypervisor gets upset (troubleshooting, driver/ image downloads don't work all too well without (alternative) means of internet access).
It's a matter of 'if you have to ask, you can't do it', and you are better served by keeping it simple and bare-iron. As you need to be quite on top of your hypervisor and its networking stack (and have to do quite a bit of your networking setup effectively twice).
If you know what you're doing AND want to make it your job/ fulltime hobby, fine - but then you're not the recipient of my advice.
Otherwise, KISS - keep it simple and save yourself a lot of trouble by keeping it bare iron.
I am a heavy user of (qemu-)kvm myself, I do know what I'm doing (and could run a virtual router - and do so, for optional/ not mission critical (test-) networks), but for my basic internet access I prefer keeping it simple and reliable (as well as easily replaceable/ cold-standby, just replug two cables - wan-in, lan/trunk-out). Because at home, I don't want to make this my job nor spend dollars on additional hardware and idle wattage (~0.40 EUR/ kWh) and KISS. My old fw-7543b will march on, at 11 watts idle (yes, this could be slashed in half with new hardware).
When it comes to idle power consumption, the futro s740/ s7010 with a 1 GBit/s single-port ethernet card in the M.2 A+E 'wlan' slot and the rj45 on a ribbon cable in the serial breakout could be an option as well; idle 3 watts (assume +1 watts for the addon ethernet card).
It is difficult to identify the good bargains on the second hand markets (and guesstimating their features - and power consumption), on top of that the favourites change quickly.
These days N100/ N97/ N150 based Alder Lake-N mini/ firewall PCs with four 2.5 GBit/s ethernet cards start around 120 EUR (delivered) at Jack Ma's marketplace, so those are strong contenders. Today I'd go that way.
Sophos is based in the UK, so they definitely sell in the EU. I’ve actually seen their devices offered on ebay.de. I’ve been told Rohde & Schwarz has rebranded Lanner hardware, but there’s a BIOS password in those units. I’ve seen Nexcom devices (same ones Sophos uses) rebranded for a couple of Italian network security vendors, but the names escape me right now… So the hardware definitely exists, just under a different set of names…
Also, I believe (perhaps incorrectly) that the EU’s Extended Product Responsibility (EPR) rules encourage users to return end-of-life equipment to vendors (and the vendors are required to recycle it), which makes the secondary market in the EU smaller compared to North America.
I hesitate to recommend something with a relatively slow MT7621 CPU by today’s standards, but it is plenty fast to meet all your performance requirements and OpenWrt supports hardware offload, which will help keep the hardware relevant with time. Used MT7621 options will also be much closer to your desired price point of ~$30.
Options could be a used EdgeRouter X, MikroTik RouterBOARD 750Gr3 or TP-Link ER605 v2. Your ER605 v1 is not supported by OpenWrt (as you know, or you wouldn't be here), but the v2 version is supported.
Flashing OpenWrt can be a bit tricky on these, so do your research first. But you at least will not need to connect to the serial header. Installation is still all software steps. If you get an EdgeRouter X (they seem to be going for ~$40 shipped on eBay), be sure to upgrade to the latest EdgeOS boot loader version before beginning the steps to flash OpenWrt so that you can recover from any mistakes more easily.