Simple, cheap routers/APs for 30-50 EUR max

Hi guys.

I finally have my desired VLAN-based setup running (Linksys WRT1900 as a router, not using its AP; 2x Netgear R6220 as AP, 1x TP-Link WDR-4300 as AP, using 3 SSIDs with dedicated VLANs/LANs, OpenWrt 22.03), but I found that mixed WPA2/WPA3 doesn't run in a stable fashion. :frowning:

So now I need 2 or 3 cheap routers or access points that can run OpenWrt to replace my existing APs. My requirements are as follows:

  • rock-solid WiFi on both 2.4 and 5.0 GHz; 802.11AC on the 5 GHz band would be sufficient, a better standard would be preferred
  • I need to support at least 25-30 devices (roughly 10 on two APs each, plus 5 on the 3rd AP)
  • must support VLANs
  • only 1 Ethernet port strictly required (but 2 or more would be a plus)
  • 16 MB flash or more
  • 128 MB RAM or more
  • must support multiple SSIDs (I use 3 right now, but ideally they would support 4 or even 6)
  • WPA2/WPA3 mixed mode must be supported and stable

I've tried to find recommendations here in the forum, but I've not yet found a device that seems to definitely fit the above requirements and is ideally still available for purchase on Amazon (but I would also buy "used", if nothing else).

Can you make a recommendation? What about the TP-Link TL-WDR4900, would it fit my requirements? (Not available for purchase as "new", of course...)

Many thanks in advance.

Kr,

Ralf

I'm not sure about the WPA2/3 mixed mode (because I have not tried; it's there but I don't know about stability), but everything else should be covered by the Zyxel M1 / WSM 20.
It has 128MB flash, 256MB RAM, 4 rj45 GBit ports, 802.11ax on both, 2.4GHz as well as 5GHz. I'm running 10 vlans and 6 SSIDs with no problem.
I currently only have 5 devices on a single AP, but I see no reason why that should be anywhere near the limit.

They can be had for 120€ for a pack of three at amazon.it and amazon.fr at the moment. Amazon.de wants 130€. Amazon.co.uk charges £90 plus tax for them, which should be roughly the same ballpark.
I got mine two weeks ago for 80€ for a pack of three on amazon.es, but there they are back up to 200€.

2 Likes

The Zyxel M1 is an excellent suggestion, especially if you get the 2- or 3-pack.
Another option would be the MR70x or the DAP-X1860.

2 Likes

Thank you, @golialive and @frollic

Mixed WPA2/WPA3 mode really is essential for me, so before I shell out the money I need confirmation from someone that this device is really stable and "compatible" in this mode. (When I set this up on my R6220 then many devices are unable to connect, it's really weird... Found something here on this forum, it seems to be a well-known issue...)

Well, I still think it is better to have two ESSIDs, one for WPA2 and another for WPA3.

1 Like

I agree, and you can't put all the blame on the router/AP, it might just as well be a client issue.

1 Like

And why is that? Mixed wpa2/wpa3 mode is essentially the same security as wpa2 only. You should either go with wpa2 only or wpa3 only.

1 Like

TP-link Archer 6 v3.20

1 Like

If you have some devices that can use WPA3 and some that cannot, then WPA3/WPA2 is a must in my opinion; it is far more secure. The WPA3 devices will connect using WPA3.

Oh boy, no. Read again what I wrote, and try to understand it.

2 Likes

Good price in Finland: Zyxel Multy M1 WiFi 6 Whole Home WiFi System 3-Pack (WSM20-EU0301F) | Dustin.fi

1 Like

this is the only way to make wpa3 crackable.

I believe you're right. A combination of protocols is only as secure as the weakest link -- and that would be WPA2 in my case where I "require" WPA2/WPA3 combined.

So I tend to agree that setting it up to use WPA3 for my as-strong-as-possible "home" network and to use WPA2 for my IoT network (which is "data-link layer-separate" from my "home" network as I use VLANs) would be advisable.

The problem is unfortunately that not all my (supposedly "secure") home devices can actually do WPA3. I have a pretty old printer that can only do WPA2. So I guess I better put it into the "IoT" VLAN and only allow very specific routes to pass between the "IoT" lan and the "home" lan... :frowning:

FWIW, WPA2-PSK combined with Force CCMP (AES) is plenty secure for my purposes with a proper password.

Sure, high end graphics cards can brute force guess billions of passwords per second today, but I don't think a password with ~5*10^25 combinations - one that includes upper case, lower case, numbers, symbols and 13 or more characters - is going to be cracked in any time frame that matters.

there is no valid reason to use wpa2/wpa3 mixed, ever, under any circumstances.

2 Likes

Sounds like the right choice anyway. I only trust those IoT devices as far as I can throw them.

Currently my "home" and "IoT" lans are completely separate (at least in the direction of "IoT" -> "home"; I can connect from "home" to "IoT", though). That would allow me to "print" to the printer, but the printer (multi-function center) can also scan documents and upload them to my NAS with FTP. To make that work I would need to allow (just) the printer to pass thru the firewall for SMB to reach the NAS.

Of course, that would be a risk again (if the printer is compromised, someone could access my NAS...). "Perfect" solution would be to throw away the printer and purchase a new device, which would mean a cost of several hundred Euros... ;-(
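
The split discussed in this thread (a WPA3-only SSID for "home", a WPA2-only SSID for "IoT", and one firewall exception so the printer can reach the NAS over SMB), sketched as OpenWrt UCI configuration. This is an added example, not configuration from any poster; the radio names, the network and zone names `lan` and `iot`, the SSIDs, keys, MAC and IP addresses are placeholders, and it assumes no general forwarding from the `iot` zone to `lan` exists.

```conf
# ---- /etc/config/wireless ----
# Replaces a single SSID that used: option encryption 'sae-mixed'

# Home SSID: WPA3-Personal (SAE) only, management frame protection required
config wifi-iface 'home_5g'
	option device 'radio1'
	option mode 'ap'
	option network 'lan'
	option ssid 'home'
	option encryption 'sae'
	option ieee80211w '2'
	option key 'REPLACE_WITH_HOME_PASSPHRASE'

# IoT SSID: WPA2-PSK only, CCMP (AES) forced, bridged to the IoT VLAN
config wifi-iface 'iot_2g'
	option device 'radio0'
	option mode 'ap'
	option network 'iot'
	option ssid 'iot'
	option encryption 'psk2+ccmp'
	option key 'REPLACE_WITH_IOT_PASSPHRASE'

# ---- /etc/config/dhcp ----
# Static lease so the firewall rule below can match the printer by address
config host
	option name 'printer'
	option mac '00:11:22:33:44:55'
	option ip '192.168.30.20'

# ---- /etc/config/firewall ----
# Only the printer, only to the NAS, only TCP 445 (SMB)
config rule
	option name 'Allow-Printer-SMB-to-NAS'
	option src 'iot'
	option src_ip '192.168.30.20'
	option dest 'lan'
	option dest_ip '192.168.10.5'
	option dest_port '445'
	option proto 'tcp'
	option target 'ACCEPT'
```

The rule matches on source address, so it holds only as long as the printer keeps that lease; a write-only scan share with its own NAS account limits what the exception exposes.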

wpa2 cracked, deauth and 4 way handshake (Published Nov 20, 2014)
WPA3 was introduced to specifically deal with that problem.
More recent iPhones can connect with WPA3 and so can some IoT devices, for example my TVs and PVRs can connect with it.

I wouldn't call those IoT devices though...

Ok, right - hmmm awkward
what would you call them?
this will be interesting