Help with a Router Distro?

[GrumpyGent]

Hello everyone! After quite a few frustrations on issues with a commercial home mesh while working remotely, I'm going to take the plunge and build out my own - And I'm looking for help in deciding given all of the choices for router distros.

My current environment: I have cable internet (1200/40), with nearly 60 total devices: Various PCs, streaming boxes, gaming machines, IoT items. I'm currently using three Superpod Wifi 6's from Plume (I know, subscription network bad). They're actually fantastic as far as connections are concerned and as a mesh, however their routing performance has been subpar - Bufferbloat on the gaming devices, and depending on the time of day and who is doing what I have major issues with Teams meetings and a poor network connection. Various bufferbloat tests seem to confirm that theory.

I have a quad-core NUC coming with two 2.5gbe ports, and a 2.5gbe unmanaged switch. My plan is to have this NUC act as the fw/router, and put the Superpods into bridge mode. I may eventually replace them with APs, but at this time to save some cash I'll use them for what they have been excellent at. The question now is what distro to throw on the NUC. I've been looking primarily at Pfsense, OpnSense, and Untangled so far if that helps.

My goals (in this order):
1) Connection reliability
2) Network security
3) Ease of Use
4) Connection speed

For #3, I do have a technical background (software development), but I wouldn't call myself a networking expert by any stretch. I don't need the system to hold my hand, but if I'm modifying cron jobs to get the router to work then I'd rather not Easy setup of QoS, etc. is what I mean here.

I don't mind paying for the distro and/or support, but I definitely want the latter given my wife and I both work from home. I think the cheapest plan from Pfsense is $350 a year for support - Is that true?

One other question that comes to mind: As I'm using an unmanaged switch and the Superpods (which don't have VLAN tagging), any thoughts on how I can separate the IoT devices from my other machines? Even if I have the IoT devices on a separate Wifi network, I think I lose any separation unless the pods are also the router, correct?

I appreciate in advance any help or guidance on what makes sense (on my list or not). I've been looking at the documentation thus far and it seems Untangled is the easiest, but Pfsense has the larger community and resources behind it (Untangled has 50 employees I think?).

 

[Tech9]

I think the cheapest plan from Pfsense

pfSense Community Edition is what most people use in DIY projects, is free.

Download pfSense Community Edition

pfSense is a free and open source firewall and router that also features unified threat management, load balancing, multi WAN, and more

www.pfsense.org

As I'm using an unmanaged switch and the Superpods

Yes, you'll need AP's with VLAN support to separate WLAN devices.

 

[GrumpyGent]

pfSense Community Edition is what most people use in DIY projects, is free.

Download pfSense Community Edition

pfSense is a free and open source firewall and router that also features unified threat management, load balancing, multi WAN, and more

www.pfsense.org

Yes, you'll need AP's with VLAN support to separate WLAN devices.

Thanks for the reply! I figured I would use Community Edition, but it doesn't come with any support - I wasn't sure if there was a support package option outside of the Commercial one. Do I necessarily NEED support? Maybe not, and if it were just missing a show or my son losing gaming time I wouldn't care. However, with my wife and I working from home having a support option makes sense (as well as supporting Netgate for offering the product).

And I kinda knew the answer to the separation question, I just wanted to be wrong to save a couple bucks.

 

[Tech9]

but it doesn't come with any support

It comes with community support, the forums. In case issues are discovered, Netgate fixes them. Not sure what kind of support you are looking for. There is no phone number to call. pfSense is perhaps the best free enterprise level firewall OS, installed on hundreds of thousands appliances around the world.

 

[Tech9]

Do I necessarily NEED support?

Do you have any experience with pfSense or other similar systems? pfSense is an entire OS with hundreds of menus. You need above average networking skills to set it up. If consumer routers are what you are familiar with, the learning curve will be very steep. Look at the documentation before you make a decision.

 

[Centrifuge]

Do I necessarily NEED support

You might look at Ipfire also, open source linux based, it looks good but I haven't actually tried it. I'd recommend Pfsense community ed. also, the support is through the forums and elsewhere, especially for the experienced, the forums aren't great for neophyte questions, but for more technical questions for those who know enough about the subject they are asking about. I am a novice, but the documentation is great and I have gotten some help from the forums when needed. I tried Opnsense but switched because the community support was relatively sparse.

 

[Tech9]

The easiest one to manage is perhaps Firewalla Gold, complete hardware/software solution:

Firewalla Gold: Multi-Gigabit Cyber Security Firewall & Router Protecting Your Family and Business (Ships Worldwide)

Due to a chip shortage, Firewalla Gold production is paused until we can obtain it at a reasonable price. As an alternative, please see Firewalla Gold SE (2x2.5Gbit & 2xGbit) Firewalla Gold Plus (4x2.5Gbit) Powered by The Firewalla Security Stack Deep Insight helps you see the...

firewalla.com

 

[mexjerry]

Have a look at openbsd.
I'm not any sort of network genius, but was able to install and configure with some reading, implementing pf, the firewall, took a lot of reading, it is much more human friendly as far as readability, as compared to iptables gobbly gook. I do have 2 ip cams, Anpviz and a Dahua NVR, a check on the firewall/router, showed 15 different remote IP addresses, made by the nvr, all blocked, via a $mybadhost stanza, you define the bad hosts, then just reference that define in the rules, easily constructed with ip addresses, and readable.
Define your interfaces, like "ext_if= "em0", then any reference to the external interface, just call $ext_if, can be anything you like. Need some guidance on some setup, have a look in /etc/example, there are lots of example setup files, just rename and change to suite to your needs.
I think the man pages are written so they are understandable for genius-challenged folks.
I did try pfsense, so many options,switches and other things, I just didn't feel comfortable using it, maybe I missed an option and let the bad guys in, or lock myself out.

 

[GrumpyGent]

Do you have any experience with pfSense or other similar systems? pfSense is an entire OS with hundreds of menus. You need above average networking skills to set it up. If consumer routers are what you are familiar with, the learning curve will be very steep. Look at the documentation before you make a decision.

Hmm, that seems to contradict a lot of what I’ve read - It’s technical but can be picked up. Would something like Untangle make better sense?

 

[GrumpyGent]

The easiest one to manage is perhaps Firewalla Gold, complete hardware/software solution:

Firewalla Gold: Multi-Gigabit Cyber Security Firewall & Router Protecting Your Family and Business (Ships Worldwide)

Due to a chip shortage, Firewalla Gold production is paused until we can obtain it at a reasonable price. As an alternative, please see Firewalla Gold SE (2x2.5Gbit & 2xGbit) Firewalla Gold Plus (4x2.5Gbit) Powered by The Firewalla Security Stack Deep Insight helps you see the...

firewalla.com

Trying to avoid a proprietary appliance, but I have seen it.

 

[coxhaus]

Does Firewalla have any China ties? Where did the funding come from?

I am talking mainland China not Taiwan.

 

[John Davis]

I have a quad-core NUC coming with two 2.5gbe ports, and a 2.5gbe unmanaged switch.

last I looked neither pfsense nor opnsense had support for the i225 2.5gbe NICs due to lack of freeBSD support (intel haven’t released freeBSD drivers for the new chipset)

Hopefully freeBSD will eventually get drivers, but right now that will limit you to non-freeBSD based solutions ( untangle, clearOS etc ) if you want to run bare metal ( otherwise you’ll need to virtualise )

 

[GrumpyGent]

last I looked neither pfsense nor opnsense had support for the i225 2.5gbe NICs due to lack of freeBSD support (intel haven’t released freeBSD drivers for the new chipset)

Hopefully freeBSD will eventually get drivers, but right now that will limit you to non-freeBSD based solutions ( untangle, clearOS etc ) if you want to run bare metal ( otherwise you’ll need to virtualise )

 

[GrumpyGent]

Ugh, that sucks - I thought the latest FreeBSD did have support. The Netgate 6100 has them, but given its their appliance they likely took care of all the work already. Thanks for that info.

 

[Tech9]

Hmm, that seems to contradict a lot of what I’ve read

Install pfSense on available x86 hardware or VM and see if you are going to be comfortable with it.

Would something like Untangle make better sense?

Easier UI with some quirks. Nice graphs. Not free - $50/y for Home Basic and $150/y for Home Plus.

 

[John Davis]

Ugh, that sucks - I thought the latest FreeBSD did have support. The Netgate 6100 has them, but given its their appliance they likely took care of all the work already. Thanks for that info.

I think PFsense is more current since it's based on 'mainstrean' freeBSD and netgate actively contribute upstream to the kernel ( specifically for things like this) - so if they support it on their own boxes hopefully the community edition also supports them ( though you could run into the whole pfsense+ vs CE thing ).

OpnSense is based on hardened BSD and is hence further behind - 22.1 is meant to be out early next year ( which moved from hBSD to fBSD) at which point hopefully i225 will also be supported, I hope so as those 11th gen dual LAN NUCs would make perfect compact but grunty boxes for multi-gig routing

 

[John Davis]

Install pfSense on available x86 hardware or VM and see if you are going to be comfortable with it.



Easier UI with some quirks. Nice graphs. Not free - $50/y for Home Basic and $150/y for Home Plus.

downside of untangle is it's more resource hungry in terms of cpu but an 11th gen nuc the cpu should be ample running it for a 900/40 internet connection - and there's no denying it's got the most 'friendly' UI.

The $150/yr is the tier most people really need ( the $50/yr tier lacks threat prevention, wireguard & ipsec vpns, virus blocking ) - it sounds a lot but if you want zenarmor on opnsense ( which is probably the closest rival in terms of a 'friendly' tps ) then that's $100/yr by itself

 

[Tech9]

In my opinion, 11th Gen NUC for home router/firewall is a waste of a good NUC.

 

[John Davis]

In my opinion, 11th Gen NUC for home router/firewall is a waste of a good NUC.

they're cheap and they're small. Now dedicating a threadripper - that I'd consider excessive ( unless you've got a 10gig fibre connection upstream )

Obviously you could run esxi or kvm on it and run the firewall virtualised so as to be able to run 'other things' as well, but by the time you've got gigabit traffic and want ids/ips it suprising how much resource is wanted ( which is why I've always run baremetal )

 

[GrumpyGent]

In my opinion, 11th Gen NUC for home router/firewall is a waste of a good NUC.

Probably, but it was pretty inexpensive and the fact is an appliance that could handle >1GB would be almost the same cost.