Quite the Conundrum...


pidgeynerd
Hi everyone, I've been a long time lurker but decided to finally jump in and seek some advice.

Some background - I'm a Cloud Architect at Microsoft and specialize in Software Defined Networking. My spouse is also a Cloud Architect and works for AWS so discussions are fun and competitive. We are very technical and always looking for some cool project to work on. Complexity is more of an interest than a turn off. We spend all our time working from home with our jobs so our home network is essential. However, our current setup is fairly basic - I run a Linksys EA9300 + a Raspberry Pi for PiHole w/DHCP + Unbound for DNS. The router is very lackluster when it comes to features (no VPN, Firewall, Custom Routes etc.), but it does a surprisingly decent job of covering a 7000 sqft home and 40+ devices (Gaming Desktops, Laptops, Phones, Tablets, Game Consoles, TVs, IoT Devices etc.). Internet speed is about 400Mbps down but will look to upgrade to 1Gbps in the near future. If my current router supported a 3rd party firmware like DD-WRT, I would likely be able to solve a lot of my problems.

Some things I need to be able to do with a new router are the following:
  • Support VPN with the ability to route certain clients out over VPN or directly to the internet. Example: Route certain Laptops over VPN all the time, but have others route directly to the Internet. Doing this based on MAC/Static IP is fine but doing it based on destination FQDN would be a plus. So if going to X site, route over VPN. If going to Netflix.com, route directly to Internet.
  • Support to have the router perform DHCP while using PiHole + Unbound for DNS. My current router must offload DHCP if you want to use something else for DNS too.
  • Support to route/redirect all traffic based on port/protocol. Example: Certain Android devices hard code 8.8.8.8 for DNS no matter what. Changing the DNS servers for the WiFi network or turning off Private DNS on Android doesn't fix this. However, blocking/redirecting all DNS/Port 53 traffic to PiHole at the router may fix this issue.
  • All of the typical must haves would apply - Multi-Band 5GHz, WIFI 6 support (maybe), MU-MIMO etc.
Having a robust feature set is important because there is no telling what I may want to do or try next - like setting up MPLS.

This brings me to routers and budget. I'm not very strong on the hardware side of things. So while a professional grade router would be cool, I don't know how much more value I would get from a Cisco Meraki MR56 vs an offering from MikroTik for example. I'd prefer to just have a Wireless Router instead of an Access Point. However, hearing pros vs cons would be great.
https://www.amazon.com/dp/B087CBCX4V/?tag=snbforums-20
https://www.amazon.com/dp/B07QMNNVG8/?tag=snbforums-20

How do these compare versus a consumer grade Asus router?
https://www.amazon.com/dp/B07HM6KJN8/?tag=snbforums-20

My budget is fairly wide so anything up to and around $1000 is fair game. I care about getting a rich feature set with great reliability and performance.

Please share your thoughts and recommendations.
 
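Two of the requirements in the post above (forcing every port-53 query to the PiHole, and sending selected clients through a VPN while the rest go straight to the WAN) come down to a handful of netfilter and policy-routing commands on any Linux-based router. The script below is an added example written for this edit; it is not from the thread, from Asus, Merlin or any vendor. Every name in it is an assumption to adapt: LAN bridge br0, subnet 192.168.1.0/24, PiHole at 192.168.1.2, OpenVPN tunnel tun11 and routing table 111 (Asuswrt-Merlin fills table 111 with a default route for its first OpenVPN client; on a generic Linux router you create the table and its route yourself). Run it as root on the router, or with DRY_RUN=1 to preview the commands it would issue.

```shell
#!/bin/sh
# Added example (not from the thread): force every LAN DNS query to the PiHole
# and route selected LAN clients through an OpenVPN tunnel by policy routing.
# ASSUMPTIONS (hypothetical, adjust to your router): LAN bridge br0, LAN subnet
# 192.168.1.0/24, PiHole at 192.168.1.2, tunnel interface tun11, and a routing
# table 111 that the VPN client already filled with a default route via tun11.
# Needs root; DRY_RUN=1 prints the commands instead of executing them.

LAN_IF=${LAN_IF:-br0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
PIHOLE=${PIHOLE:-192.168.1.2}
VPN_IF=${VPN_IF:-tun11}
VPN_TABLE=${VPN_TABLE:-111}
FWMARK=${FWMARK:-0x1000}
DRY_RUN=${DRY_RUN:-0}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Catch clients that hard-code 8.8.8.8 (or any resolver): rewrite the
# destination of all port-53 traffic entering from the LAN to the PiHole.
dns_redirect_rules() {
    for proto in udp tcp; do
        # "! -s $PIHOLE" is essential: Unbound on the Pi sends its own recursive
        # queries to port 53 through this same interface; redirecting those
        # back to the PiHole would create a resolver loop.
        run iptables -t nat -A PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 \
            ! -s "$PIHOLE" -j DNAT --to-destination "$PIHOLE:53"
        # Client and PiHole sit on the same subnet, so the PiHole would answer
        # the client directly and the client would see a reply from 192.168.1.2
        # instead of 8.8.8.8 and drop it. Masquerade only the DNAT'ed flows so
        # the reply hairpins back through the router and is un-NATed there.
        run iptables -t nat -A POSTROUTING -o "$LAN_IF" -p "$proto" -d "$PIHOLE" --dport 53 \
            -m conntrack --ctstate DNAT -j MASQUERADE
    done
    # The redirect cannot see DNS-over-TLS (853) or DNS-over-HTTPS (443).
    # Reject DoT so opportunistic clients fall back to plain DNS and get caught.
    run iptables -I FORWARD -i "$LAN_IF" -p tcp --dport 853 -j REJECT
}

# Mark traffic from the given LAN client addresses and route marked packets via
# the VPN table. A mark (rather than "ip rule from <client>") leaves room to add
# destination matches later, e.g. "-m set --match-set <ipset> dst".
vpn_policy_rules() {
    run ip rule add from "$LAN_NET" fwmark "$FWMARK" lookup "$VPN_TABLE" prio 1000
    for client in "$@"; do
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$client" -j MARK --set-mark "$FWMARK"
    done
    # Kill switch: if tun11 goes down the table loses its route and marked
    # traffic would otherwise fall back to the WAN and leak. Refuse it instead.
    run iptables -I FORWARD -i "$LAN_IF" -m mark --mark "$FWMARK" ! -o "$VPN_IF" -j REJECT
}

# Usage: sh router-policy.sh apply 192.168.1.50 192.168.1.51
#        DRY_RUN=1 sh router-policy.sh apply 192.168.1.50   (preview only)
if [ "${1:-}" = apply ]; then
    shift
    dns_redirect_rules
    vpn_policy_rules "$@"
fi
```

Two caveats worth knowing before running this. Because of the hairpin masquerade, the PiHole logs every redirected client as the router's address, so still hand out the PiHole as the DHCP resolver (dnsmasq's dhcp-option=option:dns-server,192.168.1.2, which is the DNS Server field on the DHCP page in Asuswrt) so that only the misbehaving clients are masqueraded. Rejecting 853 makes strict-mode Private DNS clients fail to resolve rather than fall back; whether that is acceptable depends on the device. For the destination-FQDN wish, dnsmasq's ipset=/example.com/vpn_dst option (if your resolver build includes ipset support) fills an ipset as names are resolved, and adding -m set --match-set vpn_dst dst to the mangle rule routes those destinations through the tunnel for every client. If the router also routes other internal subnets, exempt them ahead of the kill-switch rule or marked clients lose access to them.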
These forums are predominantly inhabited by Asus fanboys so you'll likely get a disproportionate number of recommendations for Asus devices. That said the Asus router you identified would probably cover all your requirements provided you install Merlin's firmware and some third party scripts. My current reservations about recommending Asus devices are the bugs and stability issues (particularly on the WiFi side) that some users are experiencing.

Given your skill set and budget I'd investigate the possibility of a separate router/firewall (perhaps OPNsense, pfSense or Sophos XG) and access points. That might give you more flexibility, particularly if VLANs are of interest to you. This is not my area of knowledge though so I'll leave these recommendations to others.
 
I like the asus stuff because I can go to either of the computer stores/chains in my (small) city and they'll have a replacement on the shelf in case mine takes a kamikaze dive...a literal 1hr (or less) downtime.
7000 sqft seems particularly suited to a mesh...I've an AC86 and still have 1 dot of 2.4GHz 80-90' away from the unit, but at that distance it's SLOW.
I'd go with a pair of the newer AX86 model for your use case, or an AX86 and 2-AC86 nodes (depending on your floorplan/property layout).
Merlin Firmware/scripts most likely will address your stated needs. Your RasPi might even be able to be retasked to run a full suricata IDS/IPS instance, depending on which model it is.
 
<snip>However, hearing pros vs cons would be great.
https://www.amazon.com/dp/B087CBCX4V/?tag=snbforums-20
https://www.amazon.com/dp/B07QMNNVG8/?tag=snbforums-20

How do these compare versus a consumer grade Asus router?
https://www.amazon.com/dp/B07HM6KJN8/?tag=snbforums-20
<snip>

the asus consumer routers fulfill a niche with reasonably good features for not a lot of money and most importantly don't require serious admin skills and/or time invested - but as features go, they're a subset collection of SMB features and foremost, a hobby device aimed at consumers... stability is 'iffy' at best... reading your skill sets and desires, they would lack enhanced feature sets you seem to be after even if you're willing to jump through hoops...

I've used two different MikroTik routers (don't recall the models offhand) but they were mid range devices, comparably inexpensive and pretty darn configurable and 'soft' for the money...

recently for me, I've settled on separating APs, router(s) and switches - cisco stackable smb(s) - to get the layer control I want... being a cheap guy, chinese i7s in tandem or triples (Qotom or equivalent) routers and open source router dists (it's the future, imo) as the bang for the buck distance compresses between real SNB boxes and absurdly inexpensive 'other continent' hardware... in other words, buy two or three, they're cheap...
 
Welcome @pidgeynerd, your home must be a very 'open-space' type of design if a single router is covering you well right now at 7K SqFt coverage? Curious about what AP you're running?

How many floors is that? Is coverage required outside on the patio/garden? :)

Are you able to wire (Cat5e or better) any required AP's to get the coverage you want? Do you want Guest networks to be available on any nodes you may install?

Two or more RT-AX86U's in an AiMesh wired setup may be all you need, even for greater than 1Gbps ISP service too.

However, with your $1K budget, @Trip is sure to recommend a better approach for you than the consumer routers I know and support. :)
 
Thanks everyone for your input so far!

Thanks! The home is very open spacey lol. It's a 2 floor with large garage space, outdoor living and unfinished/storage spaces. So I don't have a need to have a perfect connection everywhere though the coverage is still good. I also have CAT6 run throughout the house so I can hard wire devices like TVs or Consoles for streaming. I actually don't use any AP's or range extenders so the EA9300, a switch and the PiHole is all the networking equipment I have.

It seems based on the replies that an Asus router is the best way to go. I would likely combine this with Merlin to get more features. Perhaps the pro equipment would just be overkill. Curious to hear more thoughts.
 
I have seen homes like that, and they are made for Wi-Fi. :)

An RT-AX86U or an RT-AX88U would have the 'horsepower' to have a lot of fun (both are 1GB RAM with a 4-core 1.8GHz processor with AES-NI support for up to 250Mbps VPN connections). The RT-AX86U has a 2.5GbE Ethernet/WAN Port in addition to four 1GbE Ports plus a 1GbE WAN Port. It is also the lowest latency router Asus currently ships.

Asus RT-AX86U review: The best Wi-Fi 6 router for the money - CNET

RMerlin firmware is highly recommended as, comparatively, the stock firmware just feels 'unfinished'. With a spare USB drive plugged into the built-in amtm support (since RMerlin 384.15_0), you'll be exploring scripts in no time.

Just note that the latest suggested firmware for both these models is 386.1 Beta 2, even if it is a little rough, it is still stable, secure, and fast. If you want the last stable release firmware on the router, the RT-AX88U offers 384.19_0 (last of the 384.xxx line and it's from last August). I think I've covered the important/main things for you.

Features | Asuswrt-Merlin (asuswrt-merlin.net)
About | Asuswrt-Merlin (asuswrt-merlin.net)
Changelog | Asuswrt-Merlin (asuswrt-merlin.net)
Download | Asuswrt-Merlin (asuswrt-merlin.net)

New M&M 2020
L&LD | SmallNetBuilder Forums

amtm Step-by-Step https://www.snbforums.com/threads/amtm-step-by-step-install-guide-l-ld.56237/#post-483421
(Just remember you don't need to 'install' amtm with the newest firmware).

amtm - the Asuswrt-Merlin Terminal Menu - Diversion
Order of installing popular scripts | SmallNetBuilder Forums

Even with all the above said, what @Trip may suggest will be well worth waiting for.

Looking forward to this project complete for you and your impressions/experiences either way you go. :)
 
@pidgeynerd - Welcome to SNB. Given your background, requirements and the environment, as much as you indicate you'd like to keep everything in one box, I'd highly encourage you to consider decoupling routing/firewall and wireless to discrete devices. I'll explain why below:

First, for firewall/gateway/routing, I would definitely look to a platform that is open-source friendly and able to run whatever *nix distro you prefer (pf/OPN-sense, Untangle, IPFire, VyOS, Endian, etc.), so that you may create the exact software stack you desire to accomplish the policy-based routing, selective DHCP/DNS directives, and anything else, exactly the way you want, with no limitations on which software you can run (or how fast). On the topic of speed, such a stack is probably best run on x86 (PC-class) hardware, for example: a low-power, embedded whitebox, such as an Intel i-series Qotom unit off Amazon, or a pre-built pfSense appliance if you want something ready-to-go out-of-the-box (still re-flashable with any *nix distro); either choice would be able to drive any/all traffic in-software (via CPU) at full line-rate gigabit, without having to care about what's offloadable or not (as opposed to being locked into an ARM-based consumer platform, which will inherently self-limit to a few hundred Mb/s at the most, and offer two, maybe three or four custom firmware options if you're lucky).

Next, for wireless, you would wire in a separate solution, be that your EA9300 or some other all-in-one consumer router(s) in AP mode, or, my preference, one or more purpose-built, controller-based APs from a single ecosystem (Ubiquiti UniFi, Cisco CBW, etc.), which would add PoE and native VLAN capability, plus the highest chance at truly seamless roaming (802.11r, k and v implementations that actually work) and centralized management of all APs from one control panel.

Depending on your reaction to any of the above, I can go more in-depth at your request.
 
L&LD, Trip - Thank you both for the recommendations. Let me spend some time doing research and I will get back to you with questions. The Asus route is very enticing for sure.

I'm not very familiar with pfsense and other router based OS's, but it should be fun diving into that for a couple days.
 
