WIRED (LAN) router setup suggestions

Hello, I would appreciate your help updating my home network setup please.

My current situation:

I have been running OpenWRT (recent version, 19.07.) on a TP-Link TL-WR842ND for a while now, and it’s OK for a week or two, but then the (WiFi) connection starts having problems (gets slow, some dropped connections - locally) and a simple restart always solves it.
So I’m thinking it’s the router that can’t handle the pressure from my network. Besides my PC, phone and two laptops, I connect several single board computer “servers” to experiment with sftp/ torrent/ tor/ i2p/ media server/ xmpp, etc. Nothing serious anyone depends on, just for fun, with only a few users (almost never connected simultaneously). I have an unmanaged switch connected to the router to get more LAN ports.

My wish (suggestions needed):

Most of the devices mentioned above are connected with a cable, I don’t really need WiFi (and I prefer the security aspect of a physical connection anyway). So I’m thinking a somewhat recent, OpenWRT supported, WIRED-ONLY router would be better in terms of stability, speed and handling the various connections.

1.) What WIRED-ONLY router with good openWRT support would you recommend?
Stability is the priority, but it also needs to be powerful enough so I don’t need to upgrade for a while. I’m not comfortable with something that would need physical adjustments to the router in order to flash OpenWRT or firmware that needs to be compiled on my own – so please something “well supported”.

2.) Do I need a MANAGED SWITCH?
I imagine that at some point I would want to assign different ~zones (I’m a newbie) to different physical LAN ports so I can “isolate” some servers on the network. Since I probably used the wrong term, let me explain what I mean: I’m talking about some physical ports having IP ranges 192.168.1.X and others 192.168.100.X for example. Do I need a managed switch for that? Can I at first (without above “zones”) run a managed switch as if “unmanaged”, with no configuration, or would I immediately need to learn how to configure it?

3.) If I, later on, or temporarily, want Wi-Fi, can I still connect my current TL-WR842ND to one of the ports to serve as an “antenna” only? What “mode” does it need to be in so it’s not “routing”, just acting as an access point?

I did read through the forum (a bit) and the supported hardware list (a lot), but I don’t want to mention what I think are the candidates in order not to influence your suggestions. I‘ll mention it later after I get some suggestions first.

I’m not strictly limited by a budget but would like the router to be below 200 EUR, and another 200 EUR if you think I need a managed switch. Spending less is of course desirable. If a more expensive device is worth mentioning, please do, but I doubt I’d be able to justify spending more.

Thank you!

What speed do you have in the internet contract? Speed of WAN influences choice of router because higher speed needs more CPU power or hardware acceleration.

How many IP ranges for your local networks do you need to handle? This influences the need for a managed switch or not.
If you just need 2 or 3 you can just get away with dedicating an ethernet port on the router to each IP range and buying an unmanaged switch to connect more than one device to each router port.

The current wifi router can be used to provide wifi only by configuring it as a "dumb access point" as explained in the tutorial here https://openwrt.org/docs/guide-user/network/wifi/dumbap

Thanks, @bobafetthotmail for your response.

A) My current internet connection is 20 Mbit (both download & upload) but I'd like to have an option to go to at least 100 Mbit since my ISP provides that for a reasonable price.

B) So I'll need a managed switch for configuring IP ranges of the physical ports of the switch, right? I think for first setup I'd need 3-4 IP ranges (probably doable on router as you suggest), but I'd prefer not to be limited. Maybe I buy the managed switch later and start with unmanaged, but please do suggest one if you have an opinion about this.

Thanks for pointing me to the "dumb access point" mode, I think that's what I needed regarding possible WiFi.

If you need more physical ports to plug into, then you need a switch. However, if your need is only to segregate your network into different IP ranges, you can do that with VLANs.

My modem is plugged into my wired only ER-X router. The ER-X manages 4 VLANs on their own IP ranges (it is also the DHCP server for each VLAN), and two dumb AP's are plugged into the ER-X (wired ethernet back haul to each floor of our home). The dumb AP's provide a separate WiFi SSID for each VLAN (e.g., Guest, IOT, home LAN). The physical ports on the dumb AP's can also be configured to restrict access to certain VLAN's. For example, I have a VOIP phone device (an Ooma) plugged into one of the AP ports and I restrict that port to provide access to the IOT VLAN only.

Keep in mind that when you plug your TL-WR842ND into the new router as a dumb WiFi AP, the TL-WR842ND will give you more physical ports wherever it is located. That may eliminate your need for a switch?

As to a recommendation for a wired only router, my ER-X will handle ~130 Mbps with SQM/QoS. If you do not use SQM/QoS, the ER-X will handle half a Gig no problem. You do not need to physically open the ER-X to flash it with OpenWrt, but you do want to upgrade it to the latest OEM Edge OS (version 2) and version 2 boot loader, in that order, BEFORE you flash it with OpenWrt. Instructions to do this are on the Ubiquiti web site. The advantage of the new boot loader is that it is easier to recover (you don't need to open it up and use a serial dongle) if you accidentally brick it. The ER-X also needs to be flashed with a specially compiled version of OpenWrt the first time you flash it. It's not hard and you can find links to this in the forum easily enough.

I am looking into replacing my ER-X with a Banana Pi R64 at some point to get faster SQM/QoS. Before OpenWrt 21.02, I could get ~185 Mbps SQM/QoS with the ER-X, but speed has dropped quite a bit (~130Mbps) since the migration to the 5.4 kernel and DSA. The Banana Pi R64 is reported to get around ~600 Mbps with QoS/SQM. And it has 5 ports, so you probably won't need to buy a switch for it too.

If you are willing to add a switch to your setup, you could do something like the NanoPi R4S with a managed switch like the Netgear GS308T. Both are supported by OpenWrt. This would give you plenty of future proofing as well.

1 Like

The only Wireless routers that I can recommend are:

  • Belkin RT3200 or Linksys E8450

Mini PC X86 AES-NI with Intel I210AT NICs to use in OpenWrt or any other Firewall like pfSense: (from worst to best)

  • PC Engines apu2e4
  • Protectli or Qotom equivalent with Intel I210AT NICs
1 Like

Wow, thanks a lot @eginnc your setup seems similar to what I want to do...

I) so for configuring VLANs the switch does not need to be managed?

II) drop to 130 Mbps limit with the new kernel is perhaps indication that I need to look at something more future proof as well...
I'm curious why you prefer the Banana Pi, because of the additional ports?
Have you found a case for the Banana Pi perhaps?

I'll look into these alternatives, thanks.

Thanks @elan for the ranked options!

X) I'm curious why you rank RPi4 the highest?
Z) Never thought such mini PCs exist... so I'd run an x86 version of OpenWrt here?

Plenty of homework to do, thanks.

@eginnc Banana Pi R64 and Belkin RT3200 / Linksys E8450 have the same processor and if you only buy Banana Pi R64 to use SQM, I think it would be a bad purchase, because routers for the same price have WiFi 6 and you don't have to worry about buying the case, power adapter, CPU cooler, etc.

Specifications:

Yes, but it is recommended that the processor supports AES-NI instructions and has Intel I210AT NICs.

1 Like

You could use multiple separate unmanaged switches with a separate LAN sent to each switch. All the ports on the switch box would be the same network since it is an unmanaged switch. This requires a separate port on the main router for each LAN to feed its switch. As noted it becomes impractical with more than two or three LANs.

2 Likes
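
The one-router-port-per-LAN layout described above, written out as an added example (not posted by anyone in this thread): OpenWrt configuration that puts one physical port on 192.168.100.0/24 and keeps it away from the main 192.168.1.0/24 LAN. It assumes OpenWrt 21.02 or later with DSA; the port names `lan1` to `lan4` and the interface and zone name `servers` are assumptions and differ per device.

```uci
# Added example; assumes OpenWrt 21.02+ (DSA). Port names and 'servers' are assumptions.

# --- /etc/config/network: take lan4 out of the LAN bridge (edit the existing stanza) ---
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'servers'
	option device 'lan4'
	option proto 'static'
	option ipaddr '192.168.100.1'
	option netmask '255.255.255.0'

# --- /etc/config/dhcp: hand out 192.168.100.100-249 on that port ---
config dhcp 'servers'
	option interface 'servers'
	option start '100'
	option limit '150'
	option leasetime '12h'

# --- /etc/config/firewall: servers may reach WAN, not the router or LAN ---
config zone
	option name 'servers'
	list network 'servers'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'servers'
	option dest 'wan'

# Only DHCP and DNS on the router itself are reachable from the servers zone
config rule
	option name 'Allow-Servers-DHCP'
	option src 'servers'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-Servers-DNS'
	option src 'servers'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

Because no forwarding from `servers` to `lan` is defined, a compromised host on that port cannot open connections into 192.168.1.0/24. Add a `lan` to `servers` forwarding only if the main LAN needs to manage those hosts.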

@elan thanks for the clarifications, I'll obviously need to research this more than I expected :wink:

BTW, can you perhaps comment on my "I)" question above, I'll rephrase it:
"I) Does a switch need to be "managed" for me to assign different IP ranges to its ports or can I do that for unmanaged one as well?"

I'm a big networking newbie and don't know where's "the line" between the two switch options... I'll have to learn to configure it, obviously, but I don't want to buy a wrong one...

Thanks

Thanks @mk24 , I didn't see your post explaining it when I was typing my last reply :wink:

With a smart switch you can "split" the switch and decide that only some ports of the switch can see each other, or do VLANs which means you take multiple IP ranges and squash them into a single port, while still maintaining the 100% isolation between them.
So for example you take traffic from 4 different IP ranges and send it to a single port on the OpenWrt device (where you also configure the VLANs to receive this kind of traffic).

If you want a managed switch I'll recommend mikrotik switches. I don't know the size you want so I'll just link a full list. https://mikrotik.com/products/group/switches?filter&s=c&f=["gigabit"]#

Note that you CANNOT install OpenWrt on these switches, like on most smart switches anyway.

2 Likes

AES-NI is hardware acceleration for encryption (VPN for example) and may or may not be a requirement.

Why are those Intel controllers recommended?

1 Like

Thanks @bobafetthotmail , much clearer now!

But why do you prefer Mikrotik (managed) switch if other switches support OpenWrt?

link with filter:
"https://openwrt.org/toh/views/toh_extended_all?dataflt[Device+Type*~]=switch"

I imagine Mikrotik has a different proprietary interface/rules and I'd have to learn that as well...

This is one of the most important requirements if you want to try another Firewall (other than OpenWrt).

Google:

Intel LAN is in general seen as superior to Realtek LAN.

Intel NIC is the best in terms of off loading off the CPU, it crunches call outs better than other NICs and is generally regarded as the most stable with no random drop outs.

For networking applications, it’s generally known that the i210AT is considered “better” than the i211AT because it has four transmit and four receive queues per port, while the i211AT only has two transmit and two receive queues per port. So when purchasing an APU, I made sure to look for one with an i210AT.

Intel i210AT NICs are a little better than the i211AT NICs in that they offer double the egress/ingress queues per port, very nice for firewall duty.

1 Like

Support for most of those switch devices (Realtek rtl838x chipset) in OpenWrt is a bit young and there are some unresolved issues still (see the last posts of the thread "Support for RTL838x based managed switches"),
plus some features like PoE are not yet supported in OpenWrt.

And I assume that someone that has 4+ IP ranges needs more than 8 ports.

The situation will probably improve eventually, but eh.

Yes but it's a managed switch, not a router.
You are literally just changing VLANs and/or making port pools from a graphical interface.

Look at that, we have a filthy traitor in our forum. :rofl: You want to get him to use pfSense or OPNSense?
Yes Intel controllers are the only ones that are reliable (maybe also 2.5 Realtek ones too) on those firewall distros.

Intel LAN is in general seen as superior to Realtek LAN.

This is the only one I can confirm personally. Realtek is meh on Linux and bad on the other competitors above. More for stability than performance. It's not slower, it can crash and reset itself if under load.

Intel NIC is the best in terms of off loading off the CPU, it crunches call outs better than other NICs and is generally regarded as the most stable with no random drop outs.

Intel i210AT NICs are a little better than the i211AT NICs in that they offer double the egress/ingress queues per port, very nice for firewall duty.

For networking applications, it’s generally known that the i210AT is considered “better” than the i211AT because it has four transmit and four receive queues per port, while the i211AT only has two transmit and two receive queues per port. So when purchasing an APU, I made sure to look for one with an i210AT.

This is all nice-sounding specs and theory but I can't say I noticed any significant difference between different Intel controllers from the dawn of time (older than i210AT) or even with Broadcom ethernet controllers.

1 Like

Thanks to both of you @elan & @bobafetthotmail a ton of useful info.

1 Like

I use OpenWrt.

I can confirm that when using Realtek on pfSense or OPNSense you will get disconnects, bufferbloat, etc.

And if you are going to spend more than $200 to buy a mini PC, there is nothing wrong with making sure you buy something that uses the Intel i210AT or at least i211AT NICs to avoid headaches.

Besides price, do you see any advantages of having a SBC/router over a Mini PC?
- Perhaps lower power consumption? How big is the difference here?
- Which are more open-source friendly in terms of specs?