However, no evidence is presented that "business class" routers, as the author calls them, are any better.
And the "Consumer Router Alternatives" section [1] of the site is entirely non-helpful. Just 20 random bullets of different brands with unhelpful notes like "I have no experience with them", "I have heard good things", and "build your own router". The first bullet that recommends the "Peplink" router justifies it solely with... Peplink's own product page. Which is the furthest you can get from an unbiased third-party evaluation.
Don't the same companies make enterprise routers and consumer routers? Don't they presumably employ the same engineers to write software across them?
All of the arguments against consumer routers seem like they could apply against enterprise routers too, unless there's real evidence otherwise. But this post, unfortunately, seems to be quite evidence-free. :(
Kinda but not really (the consumer routers are usually made by subsidiaries, e.g. linksys -> Cisco)
> Don't they presumably employ the same engineers to write software across them?
For the most part no, but much more importantly the margins are much worse on consumer gear. Race-to-the-bottom pricing means race-to-the-bottom quality and race-to-the-bottom patch cycles (the last one is probably the most important). Add in that there is a deliberate effort to not let low-margin consumer gear cannibalize high-margin business/enterprise gear.
A noted exception to this is NetGate, whose pfSense hardware runs the same OS with the same engineering up and down the stack. Probably not the best idea for a normal consumer to buy, though.
[1]https://openwrt.org/supported_devices [2]https://www.asuswrt-merlin.net/download
I spent countless hours messing with that thing trying to get decent performance out of it, and simply couldn't.
The router provided for free by my ISP is superior in real world usage.
I get the principles in play here with privacy and security and open source etc., but in practice it's a fight I'm done with. Just give me internet that works well out of the box so I can forget about it.
The flashing process was exactly the same as the factory firmware. After that I had to configure it just as I would any new router.
It's better than the factory firmware in every way except user friendliness, but even that isn't bad unless you are trying to do something more advanced.
The CPE from Comcast was so much slower and worse in every single way. Now it only acts as a modem for the Zyxel.
An important part of my experience is that I deliberately set out to buy a good router that was very well supported by openWRT, because in the past I have had experiences similar to your post (but with dd-wrt in the long long ago).
I really believe if you plan the project like you would a production project you'll have an extremely good experience.
That said, I did have a number of non-standard things I wanted to do on my home network without paying thousands for enterprise level hardware so it was worth it for me to do that work. If I was just getting online with a couple computers, phones, and TVs I wouldn't have bothered to flash with openWRT.
I’m impressed. The ones issued by Rogers in Canada are all-in-one-units and complete garbage.
I think they want your mobile phone to drop its wifi to chew through your $10/gb data, prevent sharing with your neighbours and minimize your peak utilization speeds to cut their network spend.
But you probably live in a country where ISPs compete for your business.
I get that OpenWRT doesn't want to favor one brand over another, but it'd be really nice if their homepage had a list of 5-10 routers that are really solid with the latest OpenWRT release.
First I tried the tp-link TL-WDR4300, which was very well supported at the time.
I then moved to the tp-link Archer C7.
Along the way I went from a "regular install" of openwrt, to building the LEDE fork myself, then back to building openwrt.
It's actually quite straightforward after you get over the hump.
$ git clone https://git.openwrt.org/openwrt/openwrt.git
$ cd openwrt
$ ./scripts/feeds update -a
$ ./scripts/feeds install -a
$ make menuconfig
$ make -j $(nproc)
I got away from the GUI and now do most configuration via the config files in /etc/config. My current router is a wrt-1900acs, which took a while to get stable. I sat it on the shelf for a good year.
Because I learned how to build openwrt, I also have two mikrotik rb3011uias-rm 10x gbe switches. I wish the touchscreen worked.
It's not in the main tree but I followed this thread:
https://forum.openwrt.org/t/support-for-mikrotik-rb3011uias-...
It's a community build, but it is stable and works well.
If you want to play with openwrt, it's a little saner to have two routers. Have one that works, and one that you can break without having to stay up all night to get online.
There is a learning curve when using openwrt. When my girlfriend demanded that I stop effing up the wifi at some point. That's when I decided to get a second router to test new and complex configurations.
It's also a bit cheaper to do this than buy high-end consumer equipment as nimbius mentioned.
Really? Can the *WRT releases finally run at full speed? Can they ping from the wired to the wireless? Can they actually do MIMO?
As much as I love open source, the *WRT developers have a bad hand and it's not their fault. There are a zillion router variants that change with zero notice, no documentation from anybody, and not enough people.
This really is a spot where an actual open source hardware design is probably the only real solution.
I run a combination USB 2.4ghz AP and 5ghz pci-e from one. In addition, it runs a podman rootless pihole container and handles wireguard.
It's a little daunting, like looking at the openwrt table of hardware (but inside out like a menu).
Over time, with enough people doing it, the manufacturer will realize that and cater to you (see the Linksys 54gl router, archer c7, dell laptops, and Lenovo Thinkpad -- the manufacturers all know people buy the hardware to run the software they want)
Will Merlin flash like a normal firmware update or does it require the Windows based “recovery tool” to force the flashing of Merlin?
Thanks for any response.
If you’re interested in doing ad-blocking on the router itself there’s a tool called diversion which does take a bit of work to get installed, but is a bit simpler than trying to get pi-hole running on it: https://www.snbforums.com/threads/diversion-the-router-ad-bl....
The standards on that stuff are shockingly low. I mean, think about the stupidest, laziest, most slipshod shit you can imagine, and then be assured that it's worse than that.
... and "small business" routers are only slightly better. Even "enterprise" equipment isn't all that stellar.
Personally, I use real Linux as a router, and a separate WiFi access point behind it that gets as little trust as I can manage.
At the same time, I can’t really disagree with the general sentiment that a lot of firmware in embedded devices, router or otherwise, is very poor. The thing I’d add is that it’s not just consumer-grade products with this problem, there are plenty of supposedly professional-grade devices where the firmware is junk too. The worst products I have ever had in my typical small-office work environments were the Cisco-branded “small business” range, which in specs and appearance did look like they were being pitched at that market, yet which never performed accordingly and mostly failed after an unreasonably short amount of time for equipment in this class.
To be blunt, a big part of the problem is money. Think about the kind of developer who has gained a few years of experience and has the skills and interest to do a good job solving challenging technical problems. Look at what that person can earn working for a FAANG or a financial services firm, or the potential upside for them at a startup if they get in early and there is a big exit. Look at the work environments they have in those roles. Now look at what a whole team of those people would earn collectively for writing router firmware and tell me which number is bigger, and look at their work environment and tell me where you’d rather be spending a significant fraction of your waking hours. In short, the people you find working in this area with real ability tend to be those who enjoy this kind of work enough to give up a lot of other benefits to do it. Obviously that restricts your talent pool and then manufacturers have to fill the gaps with whoever else they can find.
It comes down to the age-old reality that many customers prefer to buy junk as long as it’s cheap. Sadly, I doubt this will change any time soon, whether we’re talking about consumer routers or TVs or whatever IoT device someone decided would make their home smarter this week. Maybe if something really bad happens, the market will shift and/or governments will step in and regulate to try to force better standards for things like security and updates. In those cases, I would expect to see both significant consolidation in the consumer devices market and significant price increases follow quickly afterwards.
Absolutely. An example: https://www.youtube.com/watch?v=B8DjTcANBx0
There are $5000 security cameras placed in very sensitive areas with security just as poor as the $50 trash you can buy from Office Depot (or at least it was the case 8 years ago).
Even on the high end there is a race to commodification. Router manufacturers have some similarity to server manufacturers like Dell - they get hardware and software components from 3rd parties and put them together. Your main bespoke software contribution might be device drivers and a data model.
High pay may not automatically translate into quality because there are other forces in play.
Generally, I completely agree with you. The high-end products do not look fancy normally.
- A firmware upgrade to my switch last year enabled some sort of loop detection that would shut off ports that my Google WiFi mesh was connected to (Ethernet backhaul). Support was nice, but ultimately unable to disable that new feature of the firmware.
- My original camera NVR was flaky, possibly because of camera flakiness, partly also because it just couldn't keep up with 4 cameras.
- Replaced NVR with CloudKey Gen 2, which was fairly nice but then brought the camera flakiness into full view. I would spend DAYS every quarter messing around with rebooting cameras to get them to reassociate with the Unifi Protect server.
- A recent firmware update to the cameras left 4 out of 5 of them totally dead, unable to even be pinged, let alone associating with the Protect server.
On the plus side, the Unifi Protect mobile app is easily best in breed. Light years ahead of ReoLink or Hikvision or Montavue (I've played with all of them recently). The BlueIris mobile app seems to be pretty crappy, but I haven't shelled out the money to actually try it (based on the reviews).
I've replaced the switch with ebayed Enterprise gear, Aruba S2500 for <$100. Harder to set up, but did have enough knobs to disable the loop detection. A great PoE switch, plus it has 10Gb ports.
The cameras I've replaced with MontaVue 4K cameras, which are amazing in low light. 10x the sensitivity of most other cameras in low light. I also got their DVR, which is ... meh. The mobile app is basically unusable for anything other than live view. The DVR is probably fine if you use it from a keyboard/monitor, but this is for my house and we really want a good mobile app, not some silly console. The cameras though! <chefs kiss>
If you're in the market for a new device, look at https://openwrt.org/toh/views/toh_available_16128 as a first step (and avoid devices with Broadcom's involvement).
I'd also strongly suggest to have router and access points as separate physical devices.
A great step up for someone with an AIO consumer router/WiFi AP would be to get something like that as a router, flash OpenWRT on the old router and transform it into a "dumb" access point.
It's my favorite OpenWrt router so far, and I've owned quite a few since I started using it on a WRT54G :)
Such vulnerabilities are more common than most vendors would like to admit. Adding `reboot` to random GET requests gets you quite far with quite a lot of consumer routers. I have little experience with TP Link software outside of flashing OpenWRT on their hardware.
There's been already scanners that target specific ISP routers for specific ISPs in specific countries already. In practice the probability of getting hit like this is very low, but the risk is still there.
With four years of updates, TP Link might actually care enough about security to not allow trivial exploits to execute code on their routers. Many vendors I know won't update past a year or two. I'd say the risk is low to very low in practice, but I'd watch out with running sensitive services (if you're in a healthcare startup, for example) while working from home.
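As an added, defender-side illustration (my example, not code from any commenter): one way to spot the kind of request described above, where a shell command is smuggled into a GET parameter of a router's CGI, by scanning the router's HTTP access log. The log lines are constructed samples in the common combined-log shape (documentation IP ranges, a made-up `diag.cgi` endpoint), the query is split on `&` before percent-decoding so that encoded separators inside a value are treated as data, and any parameter whose decoded value contains shell metacharacters is reported.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines (combined-log shape, not from any real device).
# 192.0.2.0/24 and 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Feb/2021:10:00:01 +0000] "GET /cgi-bin/luci/admin/status HTTP/1.1" 200 512
192.0.2.10 - - [01/Feb/2021:10:00:02 +0000] "GET /cgi-bin/diag.cgi?host=example.org HTTP/1.1" 200 88
198.51.100.7 - - [01/Feb/2021:10:00:03 +0000] "GET /cgi-bin/diag.cgi?host=example.org;reboot HTTP/1.1" 200 0
198.51.100.7 - - [01/Feb/2021:10:00:04 +0000] "GET /cgi-bin/diag.cgi?host=%60reboot%60&count=3 HTTP/1.1" 500 0
192.0.2.11 - - [01/Feb/2021:10:00:05 +0000] "GET /cgi-bin/diag.cgi?host=a%26b HTTP/1.1" 200 88
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Characters that let a value break out of a shell command a CGI might build from it
SHELL_META = re.compile(r'[;&|`\n]|\$\(')


def parse_query(query):
    """Split the raw query on '&' first, then percent-decode each part, so an
    encoded '&' or ';' inside a value is seen as data rather than a separator."""
    params = []
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.append((unquote_plus(key), unquote_plus(value)))
    return params


def suspicious_requests(log_text):
    """Return one record per query parameter whose decoded value contains
    shell metacharacters, with the source address and response status."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guess
        target = urlsplit(m["target"])
        for key, value in parse_query(target.query):
            if SHELL_META.search(value):
                hits.append({"src": m["src"], "path": target.path,
                             "param": key, "value": value,
                             "status": int(m["status"])})
    return hits


def hits_by_source(hits):
    """Count flagged requests per source address, the usual triage view."""
    counts = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in suspicious_requests(SAMPLE_LOG):
        print(f'{h["src"]} {h["path"]} {h["param"]}={h["value"]!r} -> {h["status"]}')
    print(hits_by_source(suspicious_requests(SAMPLE_LOG)))
```

The third sample line shows why decoding matters: the value looks harmless until `%60` is turned back into a backtick. A real deployment would also want to decode twice (double-encoded payloads) and to treat the path, not only the query string, as input.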
Consumer routers all have security holes that can be exploited even when you do everything correctly like you did.
https://www.cvedetails.com/vulnerability-list/vendor_id-1193...
Looking at this one:
TP-Link TL-WR940N is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the ipAddrDispose function. By sending specially crafted ICMP echo request packets, a remote authenticated attacker could overflow a buffer and execute arbitrary code on the system with elevated privileges.
Your only safe(ish) bet is to build your own, and hope that Linux/BSD close all the exploits that get discovered.
What if my space at home doesn't allow for a half rack of equipment and required cabling?
OpenWRT is no panacea. It generally doesn't support higher throughput modes in wireless radios in said routers and I need these features (thick walls, wifi first devices, etc.).
I bought unifi specifically because I wanted some professional features (proper in house roaming, wifi bridge, and VLANs) but live in a rented house where I cannot carve out some decent rack space or channel the walls.
You can get 3x3 MIMO 802.11ac routers with good openwrt compatibility for $60-80, that should give you gigabit speeds and there are cheaper versions (get at least 2x2 @5GHz). Check for openwrt support before buying. You do not need a rack full of equipment, though you would need to reasonably distribute APs with cables.
APs that are properly distributed, running on minimum TX power, yet close so they use highest rates, will beat every single overpriced AP. May need some adjustment for corner cases.
802.11ac wave2 and especially ax have very useful features, but they are no match for fundamental properties of radio wave propagation.
¹ Close mostly means distance at line-of-reflection for 5GHz channels and line-of-penetration for 2.4GHz.
Also 3x3 only gives you close to gigabit speed (realistically 700 mbps) when both ends are 3x3, and only very expensive and special workstation class laptops (including 15" MacBook Pros which belong in that category at least by pricing) are that.
2x2 laptop won't have better than 866 PHY speed in ac and that's realistically about 500 mbps single duplex.
Smart 4x4 device can use the extra streams for range - but that only ever works with original firmware, there's a lot of magic and patents involved.
The software is worlds apart from any consumer router I've had before. The only downside is the number of settings is intimidatingly large, which might make it a poor choice for gifting to your less tech-savvy loved ones.
There's no better bang for the buck, that's true.
I doubt this generalization is true. With OpenWRT, you're generally screwed if your router uses Broadcom WiFi, or you get full speed from the other common radio vendors. My Qualcomm-based 802.11ac router running OpenWRT has no trouble maintaining link rates of 866Mbps or higher with several devices in my home (5GHz band, 80MHz channel).
The Jetway computers are similar to NUCs, but geared towards industrial installation rather than home consumer use, so they generally lack 4K HDMI support but include options for multiple serial ports, usb ports or network interfaces, similar to this: http://www.jetwayipc.com/product/hbjc390f841xx34b-series/ . Mine runs OpenBSD right now, but that doesn't support the Wifi card so I'm planning to migrate it back to Debian.
The solution will require a modem, a PFSense box and an access point, at least. This is again some cables, at least three adapters and more space requirements.
I can manage a much more complex setup if I need to, but space and noise are at a premium, so it won't help in my case.
Just got a new Mikrotik RBwAPG-5HacD2HnD that has a quad core ARM CPU, dual chain, dual band wifi. Highly recommended.
That's a wireless access point, not a router. Different animal.
For WAPs, I'm waiting for 802.11ax/bd to be more reasonably priced. In the mean time, it's wires for me.
It can be used indoor and outdoor, it has PoE if desired and mounting brackets.
But yes, it is a router in the default configuration.
https://en.wikipedia.org/wiki/List_of_WLAN_channels#5_GHz_(8...
https://en.wikipedia.org/wiki/IEEE_802.11ax
This leaves us with 5x20MHz spectrum and while being good netizens we'll leave some of that free for others (and ourselves), so we use just 40MHz of that.
With the tightest modulation and guard interval even, theoretically, we will achieve at best 573.6Mbit/s simplex and not the best of latency and jitter.
I'm not saying that 802.11ax is not worth the money. I am however saying that getting closer to guaranteed Full Duplex 1Gbit/s is hard. And I still have 2.4GHz-only devices still in daily use.
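As an added worked example (mine, not part of any comment), the PHY-rate arithmetic behind the numbers in this thread: the roughly 573.6 Mbit/s quoted above for 802.11ax on a 40 MHz channel with two spatial streams, 1024-QAM 5/6 (MCS 11) and the 0.8 µs guard interval (the standard's rate table rounds the same computation to 573.5), and the 866 Mbit/s 2x2 and 1300 Mbit/s 3x3 802.11ac figures from earlier comments. Subcarrier counts, symbol durations and the MCS table are the standard 802.11ac/ax values; what comes out is the raw PHY link rate, not TCP throughput. The 0.55 efficiency in `usable_mbps` is my own assumed ballpark, not a figure from any standard.

```python
# Data subcarriers per channel width for the 802.11ac (VHT) and 802.11ax (HE) PHYs
DATA_SUBCARRIERS = {
    "ac": {20: 52, 40: 108, 80: 234, 160: 468},
    "ax": {20: 234, 40: 468, 80: 980, 160: 1960},
}
# OFDM symbol duration in microseconds, excluding the guard interval
SYMBOL_US = {"ac": 3.2, "ax": 12.8}
# Guard intervals each generation allows (microseconds)
GUARD_US = {"ac": (0.4, 0.8), "ax": (0.8, 1.6, 3.2)}
# MCS index -> (coded bits per subcarrier per stream, coding rate)
MCS = {
    0: (1, 1/2), 1: (2, 1/2), 2: (2, 3/4), 3: (4, 1/2), 4: (4, 3/4),
    5: (6, 2/3), 6: (6, 3/4), 7: (6, 5/6), 8: (8, 3/4), 9: (8, 5/6),
    10: (10, 3/4), 11: (10, 5/6),  # 1024-QAM exists only in 802.11ax
}


def phy_rate_mbps(gen, width_mhz, streams, mcs, gi_us):
    """Raw PHY data rate in Mbit/s: data subcarriers x coded bits x code rate
    x spatial streams, divided by symbol time including the guard interval
    (bits per microsecond is numerically Mbit/s)."""
    if gen == "ac" and mcs > 9:
        raise ValueError("802.11ac tops out at MCS 9 (256-QAM)")
    if gi_us not in GUARD_US[gen]:
        raise ValueError(f"{gi_us} us guard interval is not valid for 802.11{gen}")
    bits, code_rate = MCS[mcs]
    subcarriers = DATA_SUBCARRIERS[gen][width_mhz]
    symbol_us = SYMBOL_US[gen] + gi_us
    return subcarriers * bits * code_rate * streams / symbol_us


def link_rate_mbps(gen, width_mhz, ap_streams, client_streams, mcs, gi_us):
    """A link only uses as many spatial streams as the weaker end supports,
    which is why a 3x3 AP talking to a 2x2 laptop still tops out at 2x2 rates."""
    return phy_rate_mbps(gen, width_mhz, min(ap_streams, client_streams), mcs, gi_us)


def usable_mbps(phy_mbps, efficiency=0.55):
    """Rough one-direction throughput after MAC overhead and TCP.
    The 0.55 factor is an assumed ballpark, not a standard figure."""
    return phy_mbps * efficiency


if __name__ == "__main__":
    ax40 = phy_rate_mbps("ax", 40, 2, 11, 0.8)
    ac80_2 = phy_rate_mbps("ac", 80, 2, 9, 0.4)
    ac80_3 = phy_rate_mbps("ac", 80, 3, 9, 0.4)
    print(f"ax 40 MHz 2x2 MCS11 GI 0.8us: {ax40:.1f} Mbit/s PHY")
    print(f"ac 80 MHz 2x2 MCS9 SGI:       {ac80_2:.1f} Mbit/s PHY, ~{usable_mbps(ac80_2):.0f} usable")
    print(f"ac 80 MHz 3x3 MCS9 SGI:       {ac80_3:.1f} Mbit/s PHY, ~{usable_mbps(ac80_3):.0f} usable")
    print(f"3x3 AP with 2x2 client:       {link_rate_mbps('ac', 80, 3, 2, 9, 0.4):.1f} Mbit/s PHY")
```

With the assumed 0.55 factor the 2x2 and 3x3 802.11ac cases land near the "realistically about 500" and "realistically 700" Mbit/s figures quoted earlier in the thread, which is the point of the example: the headline number on the box is a PHY rate at the best MCS, and the client's stream count and the MAC overhead decide what you actually see.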
If you buy something with Mikrotik RouterOS on it make sure you read a hardening guide and how to upgrade and keep an eye on the CVE list.
It's an excellent, security-maintained choice in Europe, for combined cable or dsl modem, router, wifi access point, nas device, phone switch and voice mail box.
And yes, I've been using Fritzboxes (upgraded in 2017 for better wifi, to another Fritzbox) since 2011, and it:
* reliably auto-updates,
* has the best built-in software I've seen (no OpenWRT, but nothing that would motivate me to install OpenWRT)
* has been getting updates for many years.
It's not the prettiest, nor does it go for (my preferred) rack-mounted look, but it works and it lives in a broom closet anyway.
So what if you wipe out the firmware and go for openwrt? how does balancing for compatibility with openwrt and consumer router hardware rank on this scale?
A whole range of chipsets with no free software support is immediately excluded from OpenWRT.
True, but it reminds me of where printer support used to be in Linux, say, 20 years ago: Lots of shitty printers weren't supported. Sometimes, yeah, that's a deal-breaker, but if you're in a position where you can buy one, plenty of good hardware is fully supported.
Normal consumer routers are bad for the same reason that just about all IoT devices are bad. This will not change unless the incentives involved change; i.e. don’t hold your breath.
Does it hold up to their claims and is it playing nice with American ISPs like Charter?
I'm considering running Alpine on it but so far that's pretty much uncharted territory.
I currently have mumble and a nextcloud server running on the router, and a wireguard interface.
I can't comment on any US ISP weirdness as I live in Europe.
It was expensive for a home firewall but not horribly so, and I fully expect it to have a ten or twelve year lifespan with full support. If the NIC fails, I can replace it -- it's a PCIe card. If the storage fails, I can replace it -- SATA SSD. Neither of those have happened yet, but I might replace a fan sometime soon.
These days I would probably buy a tiny NUC-like object with enough gig-e ports.
There have been some CVEs, but all the exploits I'm aware of already had patches and were only exploitable for un-updated models.
I honestly don't know what you mean by not invented here. They did create a wireless protocol for point-to-point products with some advantages for those who opt into it, but that's the only thing I can think of.
Sometimes their documentation is lacking, but generally their docs are very good.
If you need a more advanced AP, you probably shouldn't be looking at all-in-one devices. Buy separate components, add as many APs as you need for proper coverage, rather than relying on a single device to cover everything.
Seems like it would make a quiet and fast 6 port x 2.5 Gbit router and run well with Linux based OS, unsure of the state of drivers for *bsd.
I did see a thread about getting it to work well with OpenWRT.
For my home, using Ubiquiti products has worked well. I have the EdgeRouter Lite and UAP-AC-PRO access points which support POE. It's been nice using products designed for professionals, and it's nice to be able to administer and upgrade the router independently from the access point. These products just work, and there's none of this dodgy "reboot the router" nonsense.
I hear a lot of good things about the many mesh networking setups (often combined routers/APs) now on the market but haven't tried any. They're almost certainly a better fit for a consumer who doesn't want to be a network admin. Ubiquiti has one (the "Alien"), and the Eero (now owned by Amazon) is often recommended.
It's a shame that there aren't more "pro-sumer" products like this out there. A common warning I read when researching Ubiquity products was that they're not for people who aren't tech/networking professionals. I don't know where that came from, because setting it all up was a breeze. It was way easier than dealing with Asus's terrible "setup wizard".
The EdgeRouter OS is essentially a Debian build and can run openconnect and other VPN software if you need something that is not included in the base install.
I would recommend the ERs to anyone with a bit of networking skill.
My parents have Eero, and it's definitely a really nice system that Just Works. Exactly as you described it, perfect for a consumer that wants quality without having to be a network admin.
https://www.michaelhorowitz.com/second.router.for.wfh.php
and here:
>Can the wireless network(s) be scheduled to turn off at night and then back on in the morning?
This seems almost tin-foil hat level security. Nobody is wardriving at 3am and hacking into your wifi.
>Is it limited to one logon at a time? It should be. The router should not allow multiple computers to logon at the same time using the same userid.
How does this improve security? I guess you can use it to catch an attacker on the rare chance that they get access at the same time you're on the admin page, but that's not really worth considering.
>Can the userid for the web interface be changed? Every router lets you change the password, a few let you also change the userid. This is most important when using Remote Administration. An October 2016 study of 12,000 home routers by ESET found that "admin" was the userid "in most cases."
What's wrong with "admin" with a secure password?
* Pepwave Surf SOHO
* Amped Wireless RTA1750
* Synology RT1900ac
[0] https://routersecurity.org/checklist.php
Not saying it wasn’t worth it - it’s a huge step up in reliability from what I had, but I kinda feel like an EdgeRouter is a gateway into the wider Ubiquiti ecosystem.
As for what DIY OS/dist, I have used VyOS, IPFire, pfSense, OPNSense, and a handful of various xx-WRT derivatives. OpenWrt is still my recommendation without a doubt. I'm still not at all a fan of the update and package management of OpenWRT, but it's the best out there unless you configure a vanilla debian install yourself.
Keep WiFi APs as separate devices, regardless of if you mesh or not.
Of course it wouldn't be complete without hacking up your own, custom Linux system calls[1], or hacking up SquashFS to be big-endian for no reason and storing your own data structures in the compressor options[2].
[1] https://twitter.com/RichFelker/status/1357733309737021444
Other comments have addressed security concerns - there's lots of CVE's out there because there's lots of Mikrotiks out there. As far as I'm aware, all or nearly all CVE's are patched before they are public; there's always the risk of zerodays but everything has the risk of zerodays.
The difference in price isn't even that much, the AC2 is less than $70.
My personal setup is actually running the hap AC lites as access points, via CAPsMAN. I do routing on a hex Gr3. The hap ac lites are great value for a dual-radio 2.4/5ghz ap.
I also have an all-mikrotik passive poe setup, so it's one lead to the ac lites. Similar featureset to ubnt, cisco, others, at a fraction of the price.
IMO, the only way to have a reasonably secure device is to build it yourself. That's not going to be a popular opinion where the prevailing motto is "nobody gets fired for buying Cisco", but I don't really see any alternative. OpenWRT/Tomato are decent, but they still expose a web UI which is potentially a greater attack surface than ssh w/ public keys.
I've seen some people have good results with OpenBSD or FreeBSD, others with skinny versions of Debian or CentOS. I took a crack at it last year on Debian (shameless plug: https://nbailey.ca/post/linux-firewall-ids/), and I've been happy with it so far. It is more expensive to build, but I expect this device to last more than a decade, or until I need greater than 1gbps per port.
Or configure uhttpd to only listen on localhost and use a ssh proxy tunnel to access the web interface. It saves you from the hassle of self signed certs too.
I don't care about the small increase in cost of electricity where I'm at.
Now I do also have an Asus RT-AC56U but configured for an access point only. Which had pretty decent firmware IMHO with its OpenWRT variant "AsusWRT"--decent because it's easy to get root without flashing it and really do what you want. With all the cloud service stuff disabled, it goes into a 2nd NIC into my PC-as-a-router and is appropriately firewalled.
At least one other comment talks about getting business class hardware for Wifi and that might be a plan in the near future, but for now it's working OK for me.
> "Linksys is by no means alone in using its customers as beta testers
Not sure, but my Linksys router starts painfully slow and kinda 10x faster on OpenWrt. Crazy slow for a dual-core machine. Maybe it's part of their plans to force clients into buying new routers?
I assume the ISP could still backdoor their way in (is this likely?) but that is a separate concern.
One thing I tried to find but couldn't is standalone modems. Most routers today don't come with a modem and you have to use the shitty one given to you by your ISP in bridge mode. I'm not sure about the risk of a compromised bridge-mode router infecting down to the router given it's "secured", but it can still be a bot in a botnet.
I'm still just plugging these supposedly awesome routers into bargain bin, un-updated, garbage quality, broken, insecure, spying cable modems provided by or "compatible with/verified for" my internet service.
So what if my router is secured? My connection is still beholden to whatever garbage software written in 2008 my damn DOCSIS 3.0 compliant box has, with all the unfixed bugs and performance issues that entails.
Are there any cable modem/routers that can be customized? Have openWRT or similar installed? Or are otherwise pretty good?
I have used a Ubiquiti router, but find opnSense easier to use.
If anyone knows of a security issue I'd love to hear about it.
Mind you, even a basic SRX is complete overkill for a home environment. It is very solid hardware with good support. I would however not recommend getting one for home use unless your employer runs Juniper and can get you the update packages; getting them without a license is difficult.
Unfortunately, mine has intermittent radio timeout issues (or something more obscure that I can't diagnose, like frequency-hopping induced congestion), where I have to log into the router and force a rescan of the airwaves for it to reestablish connection to the upstream WAN wifi. It's also lately having issues with the 2.4GHz network dropping out (I may eventually dig up my old wrt54-gl with tomato on it to run the 2.4GHz separately).
If the router is also used as a media converter (upstream is Fiber or DSL or coax), they should be able to set it to "bridging mode", where it will function as a Layer 2 device (switch), thus allowing the customer to use their own Layer 3 device (router).
It is a ridiculous situation, but I actually have our provider-provided router connected straight into a real firewall, and that in turn connected to a switch which in turn has the wifi base stations connected to it.
This means that if the first router is compromised there is a chance it won't penetrate the household, but of course the first router could still be used e.g. as part of a botnet by an attacker.
It's probably a wise decision to avoid consumer products in general but it's becoming harder every year.
Buy any router, but replace its software with dd-wrt or openwrt?
Nice little pfsense box.