Using OpnSense or pfSense on ASUS RT-AX92U

[esfu]

Can I use OpnSense (preferable) or pfSense on ASUS RT-AX92U router ?

If so, how do I use it ?

Anyone with similar setup if they can help with their experience, it will be highly appreciated.

 

[Smokey613]

Short answer no.

Both are based on FreeBSD not Linux.

pfSense vs. OPNsense: Which Option is Best for you in 2024?

This side-by-side comparison looks at pfSense vs. OPNsense to determine the best open-source firewall you can use by comparing their major differences.

www.wundertech.net

 

[Dodge DeBoulet]

Can I use OpnSense (preferable) or pfSense on ASUS RT-AX92U router ?

If so, how do I use it ?

Anyone with similar setup if they can help with their experience, it will be highly appreciated.

You can't run OPNSense or PFSense on the router itself, but either is an excellent addition to your network. I installed OPNSense on a refurbished Dell 7020 with an Intel GigE dual-port NIC and that replaced my wifi router as the firewall. I had done this originally when I was using the NetGear RBKE963 unholy abortion of a mesh system, configuring that for AP mode. I've since replaced that with an ASUS ET-12 pair.

Performance is excellent and the feature set is so superior to what you can do with consumer-class wifi routers. The cost for the PC and NIC was about $200, and I had a spare display and keyboard gathering dust that I could use with it when (rarely) needed.

 

[esfu]

Performance is excellent and the feature set is so superior to what you can do with consumer-class wifi routers

I am tempted to use OpnSense due to the superior feature set but as you have mentioned the router has to be configured in AP mode in this case. As far as I know AP mode makes some of the router functionality not usable.

My ASUS RT-AX92U is my main router on a separate network segment (as its WAN port is connected to ISP router LAN port) with one mesh node and couple of access points attached to ASUS RT-AX92U router. This way, the ASUS RT-AX92U router sees each device directly. Configuring ASUS RT-AX92U in AP mode will make the OpnSense appliance or computer see each device directly but I will end up losing some features of ASUS RT-AX92U in AP mode. (I have used Reserved LAN IP addresses by MAC, Individual devices are given custom names, Website filtering, AI Protection Pro, Adaptive QoS which is customized etc. to name few features of ASUS RT-AX92U in router mode and plan to use Parental Controls in near future.)

Any information on

1. Features lost due to being unusable if ASUS RT-AX92U is in AP mode and
2. Extra features gained due to OpnSense

from experience will be appreciated.

Can ASUS RT-AX92U be continued to be used in Router mode with OpnSense appliance which is connected inline between ISP router and ASUS RT-AX92U router?

 

[Tech9]

Features lost due to being unusable if ASUS RT-AX92U is in AP mode

APs don't do routing. In AP Mode your router turns into LAN-to-WLAN bridge + LAN switch. You lose all router features plus Guest Network separation from main LAN and WLAN. No VLAN support in home routers and they are not good option as APs to VLAN capable firewalls like pfSense/OPNsense.

Extra features gained due to OpnSense

OPNsense is not for you just based on this question.

Can ASUS RT-AX92U be continued to be used in Router mode with OpnSense appliance which is connected inline

Yes, but not needed. Just extra complication for no good reason.

 

[esfu]

OPNsense is not for you just based on this question

Learning OpnSense in a gradual manner at my own pace.

Have graduated over the years from absolutely basic routers to DD-WRT routers to Mesh routers now. (DD-WRT also are very powerful by themselves but came across ASUS RT-AX92U two pack when in a different physical location altogether where I was not having any router other than ISP provided one) and started liking it as I am learning more about it and also learned more about Mesh systems. Comes with AIProtection Pro for lifetime and some extra features like Adaptive QoS, Parental Controls, Web History by device, by apps (not very useful yet to me as most apps are SSL based and treated under same category) etc. that I really like. Can install Merlin also which is similar to DD-WRT and which will make it more powerful also.

Came across OpnSense and Mini PC or Protectli or Firewalla kind of appliances when looking for hardware firewalls.

Seem to be liking OpnSense and Protectli kind of appliances more due to their open source and flexible use nature.

I guess Protectli can be used as a normal PC too provided peripherals are available to be attached to it.

 

[Dodge DeBoulet]

I am tempted to use OpnSense due to the superior feature set but as you have mentioned the router has to be configured in AP mode in this case. As far as I know AP mode makes some of the router functionality not usable.

My ASUS RT-AX92U is my main router on a separate network segment (as its WAN port is connected to ISP router LAN port) with one mesh node and couple of access points attached to ASUS RT-AX92U router. This way, the ASUS RT-AX92U router sees each device directly. Configuring ASUS RT-AX92U in AP mode will make the OpnSense appliance or computer see each device directly but I will end up losing some features of ASUS RT-AX92U in AP mode. (I have used Reserved LAN IP addresses by MAC, Individual devices are given custom names, Website filtering, AI Protection Pro, Adaptive QoS which is customized etc. to name few features of ASUS RT-AX92U in router mode and plan to use Parental Controls in near future.)

Any information on

1. Features lost due to being unusable if ASUS RT-AX92U is in AP mode and
2. Extra features gained due to OpnSense

from experience will be appreciated.

Can ASUS RT-AX92U be continued to be used in Router mode with OpnSense appliance which is connected inline between ISP router and ASUS RT-AX92U router?

As pointed out previously, the one feature you will lose is AP isolation for your guest networks. If you don't require AP isolation, that would be a non-issue.

DHCP/local DNS integration with user-defined hostnames, DHCP static leases, QoS, Parental Controls, Website Filtering, Ad blocking, Dual WAN, 4G/5G failover ... all either built in or available as (free) plugins for OPNSense.

Divorcing wireless delivery from the firewall and associated network infrastructure management also gives one the ability to do things like perform AP firmware upgrades and wifi reconfiguration without nuking access for the entire network. All wired devices are unaffected (of course OPNSense upgrades will cause brief disruptions). And since OPNSense runs on BSD, its support for Boot Environments makes firewall upgrades much easier to quickly revert in the event something goes haywire (haven't had to take advantage of this yet, but it's nice to know it's there).

When you want to take advantage of your ISP's support for speeds greater than GigE, you can upgrade incrementally by swapping in a single or multi-port 2.5 or 10Gb adapter, and at your convenience a similarly capable switch (managed, ideally, for link aggregation support) rather than replacing the RT-AX92U.

Yes, it adds another device to your network, but it converts the wifi router/mesh into something that really doesn't require "management" per se. It's certainly made my network more secure and flexible.

 

[Tech9]

and also learned more about Mesh systems

Then you know already AiMesh is a marketing name of wireless repeaters or wired access points with very limited central control.

 

[Dodge DeBoulet]

Came across OpnSense and Mini PC or Protectli or Firewalla kind of appliances when looking for hardware firewalls.

Seem to be liking OpnSense and Protectli kind of appliances more due to their open source and flexible use nature.

I guess Protectli can be used as a normal PC too provided peripherals are available to be attached to it.

I prefer PCs with PCI slots ... they're cheaper and let you choose and upgrade NICs without replacing the whole device.

 

[Tech9]

Upgradability is better, but your SFF PC in some countries may burn one Protectli box value in electricity cost each year. Most SFF PCs idle at around 40W, the small fanless boxes - under 7W. For 24/7 run device it makes a difference. Size and maintenance on top. You have fans to clean from time to time.

 

[esfu]

Upgradability is better, but your SFF PC in some countries may burn one Protectli box value in electricity cost each year. Most SFF PCs idle at around 40W, the small fanless boxes - under 7W. For 24/7 run device it makes a difference. Size and maintenance on top. You have fans to clean from time to time.

My main Asus and ISP routers located in a small cabinet where I can manage to put small box but SFF PC will not be easy. Maintaining SFF PC will be another problem. So, I guess I will have to go with mini PC or similar firewall appliance.

Saving electricity for cost is definitely a point to consider in many countries but irrespective of the cost, saving electricity in a device which is on 24 hours a day for entire year just to save energy is also a point worth considering in my personal opinion.

I know a family who even switches off a simple ISP provided router they have before going to sleep. Not possible in my case but it is good for security and energy saving too apart from less problems as without their being even aware, they are rebooting the router every day.

 

[esfu]

Based on all the information above in the thread, I have few more questions for using OpnSense or pfSense with ASUS RT-AX92U.

I have a Linksys WRT3200ACM with following specifications

Model: Linksys WRT3200ACM
Firmware: DD-WRT v3.0-r49418 std (07/04/22)
Kernel Version: Linux 4.9.319 #3296 SMP Mon Jul 4 04:23:46 +07 2022 armv7l
CPU Model: Marvell Armada 385
CPU Cores: 2
CPU Features: VFP VFPv3 NEON VFPD32 EDSP FASTMULT HALF TLS THUMB
Memory: 524288 KiB

I was using above DD-WRT as my main router before I replaced it with ASUS RT-AX92U router as main router (and second from the two pack as AI Mesh node).

As far as I am aware, DD-WRT allows installation of pfSense and opnSense but not sure about it.

Also, I am not sure whether there is a persistent JFFS2 partition available (which is not yet mounted) or even possible in above DD-WRT router like the one available on ASUS RT-AX92U.

If someone has any experience of using OpnSense (preferable) or pfSense (in case OpnSense is not possible) on DD-WRT, I will appreciate if you can point me to the correct site so that I can get help and/or provide me with detailed steps to

1. Create a persistent JFFS2 partition on DD-WRT
2. Install OpnSense or pfSense on DD-WRT
3. Configure it inline after my ISP router but BEFORE the ASUS RT-AX92U router to use it properly
4. Any changes to configuration of my main ASUS RT-AX92U router that needs to be done for it to function properly

Currently I am using the following features (ordered by priority of feature for me, highest being listed first in the list i.e. AI Mesh, AI Protection Pro followed by Traffic Analyzer and so on) of ASUS RT-AX92U router which I will require from either the DD-WRT with OpnSense or pfSense or from the ASUS RT-AX92U itself.

• AI Mesh
• AI Protection Pro
• Customized Names for each device connected to ASUS RT-AX92U either through wireless or wired or access points
• Traffic Analyzer Statistics by Device and Apps
• DNS over TLS Strict with OpenDNS Servers
• Parental Control by Web and App Filters, Time Scheduling
• Adaptive QoS which is Customized

In fact the above features in above priority are the reason I switched from DD-WRT to ASUS RT-AX92U as my main router whereas I presume that DD-WRT with above specs is much more powerful than ASUS Stock Firmware Version 3.0.0.4.386_46061.

I am comfortable with understanding and working with Unix shell scripts and am willing to perform steps by logging directly into the router using Telnet or SSH and I presume it will be required to achieve above if it is possible.

 

[Tech9]

As far as I am aware, DD-WRT allows installation of pfSense and opnSense but not sure about it.

No, it doesn't.

Currently I am using the following features

You can use your home routers for AP's only, no routing. None of the features above are available in AP Mode. You can still use AiMesh in AP Mode. Home routers don't support VLANs and you can't use the full network segmentation capabilities of your OPNsense/pfSense firewall. You need VLAN capable APs for that. You can't have LAN/WLAN separated Guest Network as well. Also, there is no preset Parental Controls in enterprise firewall software. You have to create the rules you want yourself. Otherwise from popular pfSense packages you have true IDS/IPS (Snort/Suricata), DNS/IP-blocker (pfBlocker-NG), Unbound DNS server with DoT (resolver/forwarder), network and bandwidth monitoring tools (bandwidthd/Darkstat/iperf/nmap/ntopng), you can run SSL proxy or antivirus (squid), control UPS (NUT)... many available depending on your needs. QoS is also available with 101 different settings.

 

[Tech9]

Model: Linksys WRT3200ACM

This is a pretty good router, actually. I would continue using the familiar DD-WRT on it, sell Asus routers and add 2x APs instead. This pfSense adventure starting from zero may end up in extra money spend for hardware you don't know what to do with. pfSense is an entire OS and requires above average networking skills to setup. There are tutorials available, but if you don't understand the process you'll be limited to what's shown in the tutorial.