Slate or Flint or EdgerouterX or ...?

Time to upgrade the 2+ rPis and USB-eth adapter spaghetti. I've done a bit of research but still need a few questions answered:

First, my setup, at minimum 1x Wired WAN, 2x Wired LANs, 1x Wifi. Would be nice to add another wired LAN and a very low chance of wanting another wireless. No 4G/5G backup or teaming or anything fancy. Cheaper is better, less faffing to set it up even more so.

Most important thing is that these four are All Segregated, Separate Subnets, no talking to each other, every subnet can only access internet and that's it (a future lan3 may talk to lan1 only). As such, I don't want a switch chip on the board, no vlan tagging or whatever kludgy workarounds, I want each lanport individually routable, direct traces from plug to cpu and all that.
Speed not an issue, max internet we can get here is 100Mbps (currently only paying for 25, might go to 50 if I have to one day). No connections from one subnet to the other, no streaming or NAS or whatever, 100 internal is also fine. a/b/g/n/ac is all I need wireless side.

What I've found:
GL-inet Opal sounded good, nice and cheap, 3-wired+wifi. But apparently not OpenWRT compatible, so ignoring it.

Slate Ax1300 is basically the same but (allegedly) runs OpenWRT 21.02 (yes, there are some posts talking about it being a heavily modified fork or whatever). Usable as-is, or is it possible / desirable to just overwrite it with vanilla 23?

Flint2 MT6000 also looks good, even if they're a lot pricier and more wifi-oriented which I don't care so much about. Some have a lot more wired ports, but does anyone know if they're properly routed or just through a switch? (no block diagrams or pcb shots that I can find)

Ubiquiti EdgeRouterX also looks good, but no wifi (easily fixable with usb dongle etc), and no current WRT image. Any chance that's coming any time soon? EdgeRouter4 has an image, but it's rather a lot pricier.

So it does look like Slate should fit the bill, but are there any downsides / bad experiences / gotchas to know about? Or any other devices I should be considering?

Some questions:

  • How many physical ethernet ports do you need on the lan side?
  • Do you want this integrated into a single piece of hardware, or are you planning on using an external switch (you may need a VLAN aware managed switch, but those aren't necessarily expensive).
  • Do you need wifi? And if so, are you opposed to a dedicated AP device?

Here are some thoughts:

This is going to relegate you to only a few options in the all-in-one router space... most have built-in switches. But, properly configured, the switch is an asset in most cases. But, you can set it up such that each port is effectively individually routed from a functional standpoint. There are a few possible ways of achieving this, depending on if the networks need to have wifi or not. But IMO, a switch should not be disqualifying, and in fact, you'll see that your referenced device options all have switches, except for the ER-4

You are correct that it is not supported by the official OpenWrt project. Keep in mind, though, that this has 3 ethernet ports total -- so one is usually wan, the other two would typically be lan. Don't forget to account for your wan in your port calculations.

This one is supported by official OpenWrt, including 23.05 and the upcoming 24.10. 3 ethernet ports + wifi. I think the ethernet ports are on a switch.

This device is well supported and very popular within the OpenWrt community. It's a good device. AFAIK, all the lan ports are on a single switch, but I might be wrong about that.

This device is a bit on the older side, but it is good. However, you have a few mistaken assumptions here:

  • No USB port, so a USB wifi dongle will not work [1]. You will need an external AP (connected by ethernet)
  • The ER-X has an internal switch, and all ports are connected to the switch.
  • You can run the latest OpenWrt on these devices, but you do need to start with an older build to do the initial install. It's not the easiest device to flash to OpenWrt.

The only advantage of the ER-4 for your situation is the addition of the USB port, but stay away from USB wifi adapters [1]. The ER-4 doesn't have an on-board switch, but as I noted earlier, the switch can actually be an asset. Regardless, it's not worth the extra money in your case (IMO) to upgrade to the ER-4 for this purpose given that you don't need the performance.

It does depend on how many ethernet ports you need -- don't forget that in most situations, you'll be using one of the ethernet ports as a wan, so you only have 2 lan ports on the Slate. Also consider the fact that the slate is aimed as a travel router vs the Flint2 which is an all-in-one home wifi router device. Travel routers are fine, but they are going to be a bit limited in wifi performance relative to the devices targeted for home use (think about covering a hotel room vs a home).


  1. Although not applicable to the ER-X anyway, USB wifi dongles are not a good option as they have very poor performance (relative to a proper AP or all-in-one wifi router) and many of them do not properly support AP mode anyway.

With respect to the Flint 2 (which I run):

Yes. The WAN port is not on the switch though.

If you don't want to do trunking (send multiple separated networks to another switch) you don't need to mess around with vlan as far as I know. You can just create multiple bridge devices and add the ports of interest to them. Then you just add those bridges to separate interfaces and assign separate firewall zones for each interface. Basically setting up multiple guest networks.

This is exactly the same as you would do with directly routed interfaces on any device using DSA (instead of the old swconfig). The complexity only increases if you want to do trunking (multiple tagged vlans to another managed switch or router).

I think that most DSA devices do not support multiple bridges on the same switch chip. But with DSA bridge-vlan syntax, you can achieve the same functional thing even with a single bridge. It's really easy and works well.
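
The single-bridge `bridge-vlan` layout described above, combined with the one-zone-per-interface firewall setup from the preceding post, as an added example that is not from any poster in this thread. The port names `lan1`/`lan2`, the interface and zone names `net1`/`net2`, the VLAN IDs and the subnets are assumptions; DHCP sections are omitted.

```uci
# /etc/config/network (fragment). Port names lan1/lan2 are assumed; they vary by device.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

# One VLAN per port, untagged (u) and set as the port's PVID (*).
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:u*'
config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan2:u*'

# Constructed example subnets, one routed interface per VLAN.
config interface 'net1'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.10.1/24'
config interface 'net2'
	option device 'br-lan.20'
	option proto 'static'
	option ipaddr '192.168.20.1/24'

# /etc/config/firewall (fragment). Assumes the stock 'wan' zone and defaults section.
config zone
	option name 'net1'
	list network 'net1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'net2'
	list network 'net2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Internet only: each zone forwards to wan, none forwards to the other.
config forwarding
	option src 'net1'
	option dest 'wan'
config forwarding
	option src 'net2'
	option dest 'wan'
```

Because no `forwarding` section links `net1` and `net2`, a host that changes its IP address still has no routed path to the other subnet, and the VLAN filter keeps the two ports in separate layer-2 domains. Wi-Fi becomes a third interface and zone built the same way, referenced from the `wifi-iface` section's `option network`.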

If that is your main objective, x86_64 systems would be the obvious solution. Those firewall PCs typically have four independent ethernet cards (1000BASE-T or 2.5GBASE-T) onboard. Obviously you will need a more purpose-built wifi-router to cover your wireless aspects.

While this doesn't meet single-device criteria, it is a sensible solution.

--
qoriq/ M300 would qualify as well.

If you really want to have dedicated ethernet ports, look for those x86 mini PCs, or NanoPi R5S/R6S (both having 2x2.5GbE + 1x1GbE, still in snapshot)

What about a Cudy AX3000 WR3000? It has WiFi6, 3 LAN and 1 WAN. Cost is ~$60 shipped for me. Your location may differ.

No USB (but you won't need that for a WiFi dongle since it has WiFi). Also, only 16MB of flash, but that is enough for a basic gateway, including full wpad-mbedtls for mesh support, wireguard, OpenVPN-mbedtls, adblock, https-dns-proxy and a few other goodies.

> How many physical ethernet ports do you need on the lan side?
> Do you want this integrated into a single piece of hardware, or are you planning on using an external switch (you may need a VLAN aware managed switch, but those aren't necessarily expensive).
> Do you need wifi? And if so, are you opposed to a dedicated AP device?

Pretty much what I wrote, 1 cable in, 2 cables out, plus wifi. 3 different local subnets + WAN, each subnet only knows about itself and the WAN. It's all up in a cupboard with the modem, once the cables get to their respective rooms I'll have a switch there if I need. If the device doesn't have wifi I'd rather USB-wifi dongles (doesn't have to reach that far, actually prefer if it didn't, and max speed is only <25M anyway), if I'm going to add an RPi / AP just as an eth-wifi bridge I'll need more cabled ports, and that's basically the multiple-device-mess I've got that I'm trying to get rid of by buying a single device.

> This is going to relegate you to only a few options in the all-in-one router space... most have built-in switches.

Yep, that's fine, and pretty much why I'm asking for recommendations for devices I haven't found through searching already. It's not the switch itself that's the problem, for one thing it's more that I don't want any device on one subnet to be able to change its IP address and then be able to talk to another subnet by going through the switch-chip without being routed / firewalled / otherwise blocked from doing so.
Another reason is that yes, I know there are a few complicated ways of doing things even with a switch, but I'm trying to keep this as simple as possible (especially because I have a habit of setting something up and getting it working over a few weeks, then not touching it for a year or more and if it's too complicated I won't know wtf is going on in it by then).
Given that I'm buying from scratch, only a handful of options is better than a few dozen anyway, as long as there's at least one or two that fit the bill. Also, according to the ToH, the Slate has a QCA8075, which by my reading of the datasheet (that I've found) is just a 5-port PHY, not a switch so nothing gets from one port to another without going through the OS, no hardware shortcuts (CMIIW).

> If you really want to have dedicated ethernet ports, look for those x86 mini PCs, or NanoPi R5S/R6S (both having 2x2.5GbE + 1x1GbE, still in snapshot)

Thanks, good suggestion, I've found the R5S-LTS for roughly the same price as the Slate (before shipping unfortunately literally doubles it). Does look better on paper at least, 4G/32G vs 4+128M/256M, HDMI+uSD should also make for much easier debugging too, although now just noticed that it needs an extra M.2 for Wifi, so that's even more dosh. If I can find a cheaper / more local shop (AU) I'll probably prefer it over Slate.

Forgive the nooby question, but I'm presuming snapshot = still in development / unstable etc? For someone who's been a Gentoo user for 20+ years you'd think I'd be ok at hacking software things together, but in reality I'm an Analogue Hardware guy who's just good at following well-written instructions (and just trying different things when it fails). Is there anything particularly different / difficult about installing / maintaining a snapshot? (probably not much point asking how long until it's in the mainline release). I just don't want to have to put up with too many gotchas after I've made a choice and paid.

Also, presuming that this R5S isn't too different from the R5C mentioned in the ToH, besides having an extra RJ45 the install instructions / image should be the same? Or dangerous assumption to make?

> If that is your main objective, x86_64 systems would be the obvious solution. Those firewall PCs typically have four independent ethernet cards (1000BASE-T or 2.5GBASE-T) onboard. Obviously you will need a more purpose-built wifi-router to cover your wireless aspects.

Yep, that's what I had between 20 to 10 years ago, downclocked Pentium1 (so I could remove the fan) running IpCop with 4 ISA 10M eth cards (WAN+LAN+Wifi+DMZ for when running a mailserver at home made more sense). Pretty much what I want now, but <15W and smaller than a beer bottle would be nicer than a full-AT case...

I've also found a few BananaPi dedicated-router style things that look worth considering, but again not too available and/or getting into the pricier range once shipped halfway around the world. Not against NUC / MiniPCs either (in some ways they're preferable) but then price again gets in the way once they're kitted out (still not seen any with 3+ ports either)

So the WiFi is the 3rd subnet? Lan 1 = subnet 1; Lan 2 = subnet 2, WiFi = subnet 3?

I assume that the respective rooms will only ever have a single network transported there? Such as if they were separate apartments and one space will never need the network of the other, right?

WiFi dongles are the source of many headaches. I'd highly recommend avoiding them, even if your bandwidth and range requirements are low. Besides, you can always adjust the power level of the radios in an AP (or all-in-one WiFi router).

Thus why the best path would be an all-in-one unit.

I can guarantee that a properly configured device (including one with a switch) will not allow this type of scenario.

The switch doesn't perform routing or firewalling, so regardless if you have individually routed ports (i.e. no switch) or a built-in switch chip, the firewall is how you limit the inter-subnet routing.

If each subnet is only used on one physical Ethernet port (and no WiFi), the setup actually becomes just as simple because you can remove the ports from a bridge and assign each directly as the device for its subnet. Even if you do use it on multiple ports and/or Ethernet + WiFi, it's actually quite easy to create bridge-vlans.

Fair enough, but actually there are a few ways you can 'remember' -- one is to look at any threads you post here to remind you of the process and why the config works. Or, you could create a little "readme" file to store on the router as a reminder... or you might even be able to read the configs directly and see what is happening without the reminders.

That is specifically a switch chip. The main processor is the Qualcomm IPQ4018.

https://openwrt.org/toh/gl.inet/gl-a1300

The switch is not a hardware shortcut for routing. And as I said before, as long as things are configured properly, it will be impossible for a user to VLAN hop just by changing their IP address.

That's why these days I keep a Google doc for myself to document the setup, to remind me how and why I did that.

It's a switch chip.

Correct, but I think it won't be too far from getting mainline release (since there is already 24.10.0-RC6 with this device), if you look at firmware selector you can see both R5S/R5C on list so you don't need to worry about it.