Recommendation for a no-wifi router capable of handling 1 Gbps fiber

I have just read the very insightful topic on routing >500Mbps speeds on all-in-one type routers, and have to confess I'm feeling a little dispirited now as I'm looking for a router suited for a 1Gbps fiber connection and thought I could just purchase something off-the-shelf.

I'll still ask away as I'm not looking for an all-in-one router. Here are my requirements:

• no WIFI, as using Internet provider's router/modem in bridge mode
• able to handle sustained speeds of 800-900 Mbps, though it'll be rare when this happens
• doesn't need many ports as my LAN is connected to a 1 Gbps switch; can have a single output port AFAIC
• would love to get the NanoPi R4S but looking for something convenient that I can buy and plug & play

What are my options?

Raspberry Pi 4 with an USB dongle.

raspberry pi CM 4 with the dfrobot dual gigabit carrier board (if you don't like dongles and prefer non-usb connection to the second network port)

If you're in bridge mode, you won't be able to use the provider's router/modem's wifi -- that will be completely bypassed. So you'll need an access point or your own router will need integrated or add-on wifi.

Do you even need your provider's modem/router? With fiber, you should be able to connect the router of your choice to the Optical Network Terminator's ethernet port. If that's the case you can give their router back or let it gather dust.

raspberry pi CM 4 with the dfrobot dual gigabit carrier board (if you don't like dongles and prefer non-usb connection to the second network port)

This is hands down the solution I'd go for as the hardware has just the right specs and processing speed to handle the demands of high-throughput routing with, I suspect, capacity to spare to run a DNS server and additional stuff I currently run on an amd64 server. Unfortunately, it's not really an option for me because it is likely to be a time-consuming project and, not being a network engineer myself, I'm likely to run into difficulties/grey areas along the way while assembling/setting everything up. Not too important but dfrobot.com doesn't even seem to sell cases for the board.

Not relying on a USB dongle makes this the best recommendation though! (in theory at least )

If you're in bridge mode, you won't be able to use the provider's router/modem's wifi

Damnit, I didn't know this. Looks like I'll need a separate WAP then! Thanks for pointing this out and teaching me something.

Do you even need your provider's modem/router?

I think so because the router takes a BNC coaxial cable, but the WAN itself is fiber.

If you are in the US:

What do you mean exactly for "bridge mode"?

Because different manufacturers call "bridge mode" different things.

see this article https://openwrt.org/docs/guide-user/network/wan/bridge-mode

If you are just daisy-chaining (attach the WAN port of the OpenWrt router to the LAN port of the ISP's modem/router) and in many cases also if you do half-bridge mode you can still use the wifi of the ISP device, but it will be outside of your OpenWrt's LAN so devices on wifi will not share the same network or firewall features (adblocking for example).

Not strictly true, you can set up routing on the ISP's modem such that the OpenWRT is on a DMZ and doing all the routing, DHCP serving etc, disable the ISP modem's DHCP, then connect a second network cable from your LAN side on the OpenWRT to the LAN side of the ISP's modem and have any devices connected there send all their internet bound traffic to the OpenWRT. Here's a video explaining exactly how to do that (but with an Edgerouter instead of an OpenWRT device):

I know, I had to get a cheap and cheerful eBay aluminium case for mine:

https://imgur.com/a/v4hKlD5

The carrier board is mounted upside down by those 4 bolts, the CM4 board is between the carrier board and the case top, with thermal pads in between so the case is acting as the heatsink (not required as I ran it just sitting on a piece of cardboard in free air for a few weeks while waiting for the case to arrive). CPU temp now sits between 35 and 39, but without the case or any heatsinks it was around 55.

The tricky bit was drilling the mounting holes in the right spot, and then drilling and filing the faceplate for the network ports and the power socket.

I'm not sure what it is exactly, but "Bridge mode on port 4" is what's on the configuration page of the Hitron Chita Hub router that I'm using.

Turns out the Wifi can be kept enabled on the router's faux bridge mode and so can the DHCP server as well.

You can do that too but it will weaken security significantly since now whatever compromises the ISP modem/router (which isn't going to be that hard in a few years if it isn't already, depending on the device age) has direct access to your LAN.

I always assume that people that go through the effort of getting/installing/learning OpenWrtare also interested in the security aspect of their network, but it's not always the case.

Wouldn't the only exposed parts of the ISP modem/router be the management interface and the wireless security protocol?

Access to the ISP modem/router management interface can be blocked from WAN with a firewall rule, and so long as the wireless security protocol isn't older than WPA2 it should be ok as far as I can work out. If there is another potential weakness to this set-up could you please elaborate?

Yes, it's a kludgy hack and not very efficient with packets going through the ISP modem/router twice each way for wireless traffic, but if there is no other equipment available it's a solution to keep wifi going until there is. And you're better off after adding an OpenWRT to the mix than before.

Firewall rule on what, The OpenWrt device and the modem share the same LAN network for the wifi clients. LAN traffic coming from it will not go through the OpenWrt device firewall (and NAT), so it can freely ping and talk to whatever other device you have in the LAN.

The ISP modem/router is exposed to the outside network, and you don't know if it has special access or other interfaces that can be exploited regardless of its own firewall rules.
On many cable modems you just can't disable or block remote management because that is required by ISP, some ISPs don't even give you access to the web interface.

There are at least 2, maybe 3 different vulns for WPA2 already, only up-to-date devices using WPA2 are secure.
Note that just having a recent stock firmware release does not mean anything, they always use ancient software versions so unless they specifically state they have fixed it in the release notes, you can safely assume they did not.

If there is another potential weakness

I already told you. If someone takes control of the modem now it has access to the LAN because you have connected the LAN ports to get the clients on wifi to go in the same LAN as the devices after the OpenWrt router firewall.

And this "taking control of the modem" isn't a tinfoil hat conspiracy, there is a very a decent chance that will happen within the device's lifetime because embedded device firmwares are just a pile of hacks on top of ancient Linux-based OS, and they never get updated past a few years of release. But you will keep using that modem for many many years.

OpenWrt has better code quality and it's using recent software versions, but there have been bugs here as well. With OpenWrt you can usually update the device within a few weeks after vulnerabilities are found, and close that door, with stock firmware it's a crapshoot, they may make an update quick or they may not update at all forever.

That said I'm not aware of any hilarious remote exploit in OpenWrt as there is no telemetry nor remote management nor secret backdoors for technicians or developers, so most bugs are either wifi vulns (not specific to OpenWrt) or local stuff that requires access to the network or the device.

There is a significant monetary incentive in exploiting devices like this because they are used to (or can give access to other devices that can also be compromised to) create botnets, which is a swarm of devices that are used to launch DDoS attacks and bounce illegal traffic to hide its real IPs (similar to Tor but much simpler). Devices part of a botnet usually don't show signs of being compromised until they receive an order from the control servers.

Mirai botnet has been a big thing in recent years and you will find it mentioned in the following articles but it is not the only one around.

There have been a bunch of remote exploits for years now where embedded network devices have been just hijacked by randoms on the internet by abusing stock firmware "secret" technician backdoors or firmware update, or telemetry or whatever other service the stock firmware is doing to contact the manufacturer's servers on the internet.

The following are some random articles I got with a web search, but there are many others for more or less all big brands.

And this one, where older WD NAS devices with internet access were remote-wiped en-masse by hackers, and also links to how QNAP nas devices have hilariously bad security as "further reading"

Tangent: These can run OpenWrt, and do so very well. Can you imagine my relief, having previously converted all of my My Book Lives to OpenWrt?