Turris Omnia or alternative?

So I found https://www.turris.com/en/ and generally love the whole concept; they wrap their own little OS around OpenWrt, but I wanted to ask the community: what do you guys think about it? I do like the SFP connector, but does that really make a big difference?

I feel RAM is a little small with only 2GB, then there's only 5 eth ports and the CPU is only dual core.

Then there is the TP Link AX11000, but here we have even less RAM.

I'm looking for something that, without any modding or self building, offers a quad core CPU, at least 2GB RAM and 6-8 eth ports (in addition to the WAN port).

1 Like

Sounds like you're looking for something like https://traverse.com.au/hardware/ten64 however there's only basic support if you want to use OpenWrt
https://ten64doc.traverse.com.au/software/openwrt/

Inb4 @NC1 recommends Sophos SG/XG-135 models. They are lacking quad-core CPU, but the intel chips in them are pretty good.

For the price of a Turris Omnia, you can comfortably get a new Alder Lake-N N95/N100 mini-PC with four dedicated 2.5GBASE-T ports delivered from China, as well as one or two high-end 802.11ax APs with OpenWrt of your liking (filogic 830, ipq807x, mt7622bv based). This would be both more flexible and more performant (ARMv7 is increasingly ignored in various upstream projects).

3 Likes

Question is if you want some random box with little to no aftermarket support which also includes firmware (BIOS) support?

For the most part it either works, or it doesn't.

I don't get BIOS updates for my gateprotect FW-7543B either (and even BIOS access is locked/ password protected; it was cheap in used condition (less than 1 hour runtime though)), nor would you get BIOS updates for the common Sophos SG/ XG or Cyberoam devices. While not really great, that wouldn't keep me from going that route.

So the Omnia is a great device and team Turris does a decent job with security updates.
But the dual-core ARM A9, while an excellent design, is showing its age.
Also, if using the TurrisOS OpenWrt derivative, be aware that they tend to lag behind one or more versions.
They have plans for an Omnia update, but no specifics or timeline yet...

2 Likes

I have an Omnia, and while I really appreciate that it has served me well for the past 7 years, I wouldn't pay the top dollar they're asking now for it (bought mine during the initial Indiegogo campaign for ~150$ if I remember well), so I would go for @slh's option with an x64 gateway and dedicated APs.

2 Likes

What do you think about their DNS resolver https://www.knot-resolver.cz/ and the preconfigured adblock they integrate in TurrisOS? Are those features really working as out of the box as they advertise them? Have you ever had any trouble with it during the 7 years you have owned it?

Yes, I am feeling it too but... I would be worried that I might get a lemon when ordering something from China, and having that in a complex 24/7 system does not sound as fun. What do you think?

Secondly, it would be quite hard for me to even find the parts for it online and make sure they all work with wrt. Maybe you might have a list of items you could suggest? (Would be amazing to get an SFP connector like on the Turris, as I got FTTH)

Wow, that looks juicy, but I can't seem to find any actual shop selling them - what does one of these cost?

Trouble with it? Sure. Their updates bricked it a few times; luckily they use btrfs for the rootfs and you can revert to the last snapshot via a physical button.
As for the other functions like knot and adblock, I remember it worked a few years ago before switching to pihole.
What bothers me now is that SFP doesn't work, but I'm sure they'll fix it eventually.

If you just want standard DNS behavior, knot resolver just works for me. It offers DNSSEC and also to be run not using your ISP's DNS servers. The adblock package is really the same as in OpenWrt and works pretty much the same. They do offer some crowdsourced firewall (where each participating node operates honeypots and reports back to cz.nic, who in turn analyze this and configure all participating firewalls to e.g. reject/drop certain packets). This is completely opt-in and I have never tested that myself, so I have no information one way or the other...

I bought mine in the crowdfunding campaign as well, but have only operated it as primary router for a few years. So far I had no trouble that was caused by TurrisOS (I had a few issues, but these were based on the behaviour of the underlying OpenWrt version, so not Turris/Omnia specific).

All in all I am quite happy with the device, but just like @maurer I would not buy it for the official price right now. Sidenote, I use it for traffic shaping (SQM/layer_cake.qos/cake) and pakon (a traffic reporting feature logging per connection traffic sizes) on a 116/46 Mbps PPPoE-link with WiFi/firewalling and NAT and it works pretty well. My testing some years ago however showed that even without PPPoE and WiFi, so as a pure wired router, SQM/cake topped out at about 550/550 bidirectionally saturating traffic, so I think for 100-200 Mbps links the Omnia might still work well; the current hardware is not suitable for 500 Mbps and faster links.

Turris is working on an "enterprise" Omnia with ~6 10 Gbps capable SFP cages and an 8? core ARM A72? SoC that will likely easily operate on 1 Gbps links, but the ETA is second half of 2024 and the price they aim for is below $1000. In other words, that will be a pretty pricey proposition (especially as one will need SFP modules or DACs to populate each port intended for use).

This is, BTW, not an outlier but more the norm... most folks coming from a PC background take it for granted that e.g. PCI/PCIe devices are simply plug and play. SFP modules however are considerably less plug and play and more fickle... starting with "is a given module actually supported by Linux in general" over "is it also compatible with the SFP cage in a specific router" expect potential issues all along the way...

This is clearly sad, as exchangeable PHYs seem like an obviously desirable feature...

Well that leaves only https://traverse.com.au/hardware/ten64 suggested by @diizzy and ordering from China, as I have 1Gbit FTTH :confused:

My current device is a rpi4 with UE300 dongle and a switch. I stopped counting the amount of difficult to fix issues I had with it. To name a couple: a. if you don't disable "green ethernet" on the dongle you're gonna lose WAN connection until you restart the interface, took me a long time to figure that out; b. don't forget to upgrade the wifi firmware, else it keeps crashing.... (https://openwrt.org/toh/raspberry_pi_foundation/raspberry_pi#updating_the_wifi_firmware); c. don't forget to upgrade EEC rom or else... (https://openwrt.org/toh/raspberry_pi_foundation/raspberry_pi#updating_the_boot_eeprom); d. setting up adblock was a real hustle and was, at least for me, by far not as easy as described at https://openwrt.org/docs/guide-user/services/dns/adguard-home - in my case, as soon as I set different DNS servers on my WAN interface, internet was gone, so I had to use my provider's DNS and configure/force different DNS via DHCP (and it still couldn't manage to make it work, so currently just using CF).

That all being said, I kind of don't want to go through all of these potentially complex problems once more using a new device that again brings new edge cases.

Well, I think all your problems can be considered "normal" for a non-standard ISP/commercial device.
I think if you choose to run OpenWrt (and I hope you do) you'll still face issues like this no matter what device you choose.

1 Like

I would NOT recommend the ten64, by the way. Arm A53 is an in-order core of Arm's efficiency line of CPUs, that generally does not perform as robustly and reliably as the cores from the performance line...

I know people will mention that it is 64bit and its megahurtz, but really getting a performance router based on A53 automatically means that the heavy lifting should be offloaded to other ASICs, as the main CPU simply is not well suited. Now, this is pretty much the same design philosophy big iron routers often seem to apply, but at 100Gbps plus it will be hard to find a CPU that can still cope, while 1-10 Gbps is well within reach for competent out-of-order CPU cores.

3 Likes

Not sure what you're getting at? DPAA2 is mentioned quite clearly on the page and the Mediatek Filogic SoC performs quite well despite your claims.

What I am getting at? I thought that was pretty clear: putting Arm efficiency cores into a router is a bad idea if you want to actually do interesting network things via software. And for a 700$ device this IMHO is not a balanced choice.
At that price point, picking a SoC with better CPU cores would not have affected the final price all that much.

1 Like

Moving to ARMv8/ 64 bit is nice (for many reasons, better upstream support/ attention (many upstream projects are actively killing off their 32 bit ARM support already), slightly more standardized boot process (pscd/ kvm capable), no issues with 32 bit time/ y2k38, …), but in terms of attainable performance, cortex a53 is at best roughly on-par with cortex a15.