I'm a staunch defender of OpenWRT. Having used just about every "router distro" folks care to name (remember SmoothWall?) for the last ~20 years, OpenWRT is built like a tank and just keeps trundling along.
I hope their experiments with the "OpenWRT One" keep going. I'd love to see OpenWRT take a (deserved) bite out of the "SMB firewall vendors" like Netgate or OPNsense. Or just undercutting Wi-Fi vendors like Ubiquiti who base their work on OpenWRT anyway
Something I'm excited to try myself in future is running "OpenWISP" [1] to manage a small fleet (three) OpenWRT devices in parallel for a deployment in a shared workshop. This seems to also be something that OpenWRT could be better at integrating, but it's nice to see "a vendor" tackling it
Ease of managing multiple OpenWRT devices is still its weakest link. OpenWRT is device centric, but I don't want to manage devices, I want to manage a network.
Modern mesh WiFi systems I've seen do that so well. I know in theory that I could create a VLAN + SSID on my OpenWRT router and APs just for IoT devices to only access the internet. But setting that up on a TP-Link mesh was a couple of taps in their app. Doing it on my OpenWRT devices would be quite a bit more hassle.
Thinking about this more, I doubt I'll set up any OpenWRT APs on my network going forward. Most of the things I like about OpenWRT, and need it for, are related to being my router. My OpenWRT APs are just "dumb" APs. Wifi is off on the router.
For the APs, I could use a mesh kit like the TP-Link Deco unit I installed for a friend recently. Super easy setup, reasonable price (cheaper than equivalent OpenWRT hardware I'd buy), wired backhaul up to 2.5Gbps.
At home, I built an OPNsense box to evaluate (using Sophos XG135 Rev 3 hardware, along with a nice Netgear WiFi AP running OpenWrt on PoE), but then went back to a plastic OpenWrt all-in-one box.
OPNsense (and pfSense) are neat, but I personally don't need an IDS/IPS right now, and I like to be able to run the router fanless.
One thing that OpenWrt could use immediately, for basic home WiFi router functionality, is easier ways to add guest-like VLANs from the Luci Web-based admin UI. (I currently have a guest VLAN config that I partly cargo-culted with numerous steps in Luci years ago, largely based on a blog post, and that would be a pain to reconstruct on a new install.)
For techies whose households include non-techies, a little IDS/IPS could help keep some nasty traffic off your home Internet pipe, and I suppose that could now run alongside OpenWrt on some of the more powerful plastic boxes, or on a PC with the right WiFi devices/APs. (In addition to use of VLANs and routing to minimize damage from all the malware-infested devices, and also thinking "zero trust" for the techie stuff you run.)
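The "VLAN + SSID just for IoT devices that can only reach the internet" idea from the earlier comment, and the guest-like VLAN this comment would like LuCI to make easier, look like this on the command line. This is an added example, not code from any commenter on the thread: a POSIX shell function that prints a `uci batch` script for a recent DSA-based OpenWrt router, so the change can be read (or diffed against a backup) before it is applied. The bridge name `br-lan`, the tagged trunk ports `lan1:t lan2:t` feeding the APs, the radio name `radio0` and the stock `wan` zone are assumptions; VLAN id, gateway address and pre-shared key are parameters.

```shell
#!/bin/sh
# Added example (not from the thread): generate a `uci batch` script that adds an
# isolated IoT/guest VLAN to an OpenWrt router. The function only prints text;
# nothing changes on the box until the output is piped into `uci batch`.
#
# Assumed names (not from the page): DSA bridge "br-lan", switch ports such as
# "lan1:t lan2:t" carrying the VLAN tagged to the APs, radio "radio0", and the
# stock zone name "wan".

# iot_vlan_batch VLAN_ID GATEWAY_IP RADIO "PORTS" PSK
iot_vlan_batch() {
  vlan=$1; gw=$2; radio=$3; ports=$4; psk=$5
  cat <<EOF
# L2: VLAN $vlan on the bridge, tagged on the uplinks that feed the APs
set network.iot_vlan=bridge-vlan
set network.iot_vlan.device='br-lan'
set network.iot_vlan.vlan='$vlan'
EOF
  for p in $ports; do
    printf "add_list network.iot_vlan.ports='%s'\n" "$p"
  done
  cat <<EOF
# L3: its own interface and subnet, so IoT traffic is routed and filtered, not bridged into LAN
set network.iot=interface
set network.iot.proto='static'
set network.iot.device='br-lan.$vlan'
set network.iot.ipaddr='$gw'
set network.iot.netmask='255.255.255.0'
# DHCP for the segment
set dhcp.iot=dhcp
set dhcp.iot.interface='iot'
set dhcp.iot.start='100'
set dhcp.iot.limit='150'
set dhcp.iot.leasetime='12h'
# Firewall zone: input=REJECT keeps ssh/LuCI away from IoT clients,
# forward=REJECT blocks iot->iot across interfaces, and the only
# forwarding is towards wan (none towards lan).
set firewall.iot=zone
set firewall.iot.name='iot'
set firewall.iot.network='iot'
set firewall.iot.input='REJECT'
set firewall.iot.output='ACCEPT'
set firewall.iot.forward='REJECT'
set firewall.iot_wan=forwarding
set firewall.iot_wan.src='iot'
set firewall.iot_wan.dest='wan'
# The two router services IoT clients actually need: DHCP and DNS
set firewall.iot_dhcp=rule
set firewall.iot_dhcp.name='Allow-DHCP-IoT'
set firewall.iot_dhcp.src='iot'
set firewall.iot_dhcp.proto='udp'
set firewall.iot_dhcp.dest_port='67'
set firewall.iot_dhcp.target='ACCEPT'
set firewall.iot_dns=rule
set firewall.iot_dns.name='Allow-DNS-IoT'
set firewall.iot_dns.src='iot'
set firewall.iot_dns.proto='tcp udp'
set firewall.iot_dns.dest_port='53'
set firewall.iot_dns.target='ACCEPT'
# SSID bound to the iot network; isolate=1 stops wireless clients seeing each other
set wireless.iot_$radio=wifi-iface
set wireless.iot_$radio.device='$radio'
set wireless.iot_$radio.mode='ap'
set wireless.iot_$radio.network='iot'
set wireless.iot_$radio.ssid='IoT'
set wireless.iot_$radio.encryption='psk2'
set wireless.iot_$radio.key='$psk'
set wireless.iot_$radio.isolate='1'
EOF
}

# Apply on the router after reviewing the output (the '#' comment lines are
# stripped before uci sees them):
#   iot_vlan_batch 30 192.168.30.1 radio0 "lan1:t lan2:t" 'long-random-psk' \
#     | grep -v '^#' | uci batch && uci commit \
#     && /etc/init.d/network restart && /etc/init.d/firewall restart && wifi reload
```

On a "dumb" AP the same `wireless` section is needed, bound to an interface that sits on the tagged VLAN arriving over the trunk; the `firewall` and `dhcp` sections belong only on the router, which is where the isolation is actually enforced.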
You don't need a fan for OPNsense or pfSense? Plenty of folks running Protectli boxes without a fan, they're one of the most popular platforms for both OSes.
> a little IDS/IPS could help keep some nasty traffic off your home Internet pipe
The adblock package does a great job of blocking ads and other nasty stuff, it doesn't have fancy statistics or an interface like Pi-hole but it does its job without complaining.
I definitely believe people underestimate the potential of OpenWRT as an app platform. Before getting sidelined with work I did some proof of concept WebRTC SFU on it https://github.com/atomirex/umbrella which worked surprisingly well.
Was also surprised, then not surprised, to learn it's used as the front end on many of the new generation of 3D printers.
I have a bunch of old WD MyBook Live NAS drives (PowerPC CPU) from an older project, and was surprised that OpenWRT was the best way to get a modern linux on them:
OpenWISP states in its docs that you should be running at least 20 devices to make it worth it. [1] So it's not supposed to be an easy way to manage a few devices for home users.
> However, OpenWISP may not be the best fit for very small networks (fewer than 20 devices), organizations lacking IT expertise, or enterprises seeking open-source alternatives solely for cost-saving purposes.
It's for exactly that reason I started with OpenSOHO.
It is targeted towards the typical home and small office network with fewer than 20 OpenWRT devices (although there is no hard limit).
"Or just undercutting Wi-Fi vendors like Ubiquiti who base their work on OpenWRT anyway."
Not sure about today, but this company used to sell hardware whose capabilities were IIRC only "fully enabled" if the buyer used the company's closed source OS. An open source OS might work with the hardware but the buyer would not get the same performance.
At the time, the HN comments continuously supported this company. It appeared that for these commenters, this was a worthwhile sacrifice. They would just keep recommending Ubiquiti. (Unsolicited recommendations)
I don't know about newer devices, but the older ones (the Edge* devices) had software based on Vyatta. Not sure if that was in turn based on Debian, though.
>I'd love to see OpenWRT take a (deserved) bite out of the "SMB firewall vendors" like Netgate or OPNsense. Or just undercutting Wi-Fi vendors like Ubiquiti who base their work on OpenWRT anyway
Why? You don't want competition in the space?
>Or just undercutting Wi-Fi vendors like Ubiquiti who base their work on OpenWRT anyway
Huh? The older edgerouters were based on vyatta. The newer ones on a custom linux distro, neither of which are OpenWRT. They hired the original author of pfsense to build them a firewall based on Debian from scratch when they realized vyatta wasn't going to meet their needs. The UDM kernel is very much not OpenWRT
Being excited about OpenWRT is great but spreading bad information and for reasons I can't fathom hoping for the downfall of other players in the market, not so much.
> They hired the original author of pfsense to build them a firewall based on Debian from scratch when they realized vyatta wasn't going to meet their needs. The UDM kernel is very much not OpenWRT
You're (perhaps unintentionally) also spreading bad information here.
The original 'author' of pfSense was Scott Ullrich, not Chris Buechler. While they were partners in the project, Scott was technical, and Chris did a lot of work back then on documentation; by his own admission back then, "I am not a developer", and this, even though he was CTO.
Ubiquiti originally hired two of the devs out of Vyatta to maintain their fork of the Vyatta codebase. These two were known on the Ubiquiti forum as 'stig' and 'An Chen'. Both left in the first half of 2016, and then (and only then) did Ubiquiti hire Chris Buechler, in an attempt to maintain and extend the Ubiquiti firmware. Chris has since left Ubiquiti and is now at Alta Labs.
Related, I used to love going to the monowall website gallery to see all the labgore. It's still there like a time capsule: https://m0n0.ch/wall/gallery.php
I hope OpenWrt doesn't turn too commercial (like Netgate or opnsense) because that leads just to subscriptions, enshittification, feature gates, and drama. It is now in a good place as a solid platform to build upon, I hope it stays that way.
OpenWrt is what I use. I picked my routers specifically to be well supported by OpenWrt, immediately wiped whatever the original firmware was and installed OpenWrt, and that was about ten years ago. Then when I replaced the hardware I also looked for a model compatible with OpenWrt and did the same.
I never had any issue with OpenWrt which I couldn't solve and it just works. Its uptime is pretty much the uptime since when the power goes out due to storms and such.
Same. Been running OpenWrt for years now. I select hardware that runs OpenWrt and never (well, only once, truly) have had to reboot a device due to crashing. That old "reboot your router" is just not a thing (touch wood).
I'm sure it helps that all my infrastructure is on a UPS. I've found that even Raspberry Pis can be long-term reliable servers, running ubuntu server and on the UPS.
Another thing that seems to help. I separate function. One box functions only as the router. The wifi boxes only provide wifi endpoints - they do not do routing. And so on.
What hardware did you go with? I was thinking of getting the second most recent GL.iNet to run openwrt, but haven't convinced myself it's worth it since my current TP-Link is still pretty new and I'd just be getting it to tinker with (I don't currently even run any VLANs or anything fancy).
I went with a TP-Link Archer C7 V2. It's quite dated by now, but it's been sitting quietly in the closet and working for all these years and I am still happy with it. My speeds are also not that fast, I only pay for 100Mbps so something faster might overwhelm this hardware. I also don't have anything fancy on it, no VLANs, just a few wifi networks on 2.4GHz and 5GHz, some wired devices, and two USB drives which I access via ssh (these do require I install a few extra packages to allow mounting them).
I run openwrt on an ancient Netgear WNDR3700 which is probably 15 years old by now. I can get around 900Mbps on my gigabit connection (wired). We only have two adults in our home using the Internet (for now, until our two kids are older!) and it's been totally fine for us. openwrt is a great way to breathe extra life into older routers. A lot of homes don't really need anything fancy or recent.
Seconding all this. Ever since I had weird problems with the vendor firmware on a router, I just pick hardware I can put OpenWrt on right away. Works great.
But then you get annoying firmware providers like Broadcom who refuse to write OSS drivers for linux and a lot of work is being spent on the reverse engineering
The amusing thing about that is that Broadcom, not Cisco, was the culprit in the original WRT54G GPL violation. Cisco, of course, were legally liable and should have checked that the code they obtained was not encumbered - although the usual way to do that is to specify contractually that your vendor will do the checking. It was a huge issue for them that they had tripped a customer who provided a significant fraction of their revenue into legal difficulties. I suspect that to this day, a big reason that parts of Broadcom are reluctant to open-source stuff is because certain executives are still angry about the experience.
Ok, but this should not be a major limiting factor.
From my experience, there is a sufficient number of routers based on well-supported chips which work okay with OpenWRT.
When I consider to buy a new router, I go to the OpenWRT device support page, filter for features I would like to get and choose one of the supported routers listed there.
MediaTek chips are well supported by OpenWrt. Broadcom is not well supported.
Mainline Linux kernel supports recent MediaTek Wifi chips quite well [1]. MediaTek is also working on these upstream Linux drivers, but they still have a proprietary Linux driver in addition.
Also the rest of the recent MediaTek SoC is supported quite well by upstream Linux and OpenWrt.
You can run OpenWrt on recent MediaTek SoCs with all code running on the main CPU being open source, no closed source code needed inside the Linux kernel address space or in user space. The chips need firmware running directly on the IP cores. It needs a firmware running on the wifi core itself, there are probably one or more CPUs inside the wifi cores doing real time stuff. The Ethernet PHYs also need a firmware which is running on the PHY.
But I wished there was something similar but for "big" (in a relative sense) devices. I feel a lot of the constraints OpenWrt is based on are not really that applicable when you have hundreds of megabytes of flash and RAM, and that is starting to become a common thing for routers these days. Even their own OpenWrt One router has 256M flash and a full gigabyte of RAM. That is not all that resource constrained anymore. What I would love is to have something that would be closer to a "normal" linux distro while getting the networking goodies and ease of configuration from OpenWrt.
I have the opposite complaint. I wish OpenWRT ran on low-resource routers like those really cheap TP-Link ones. DD-WRT does support a few of them, and my personal opinion is that it is better optimised than OpenWRT. By the way, you should explore OpenBSD ( https://openbsdrouterguide.net/ ).
Something with a more normal way of updating the packages and OS would be nice. I thought I'd heard someone was working on an Alpine-based thing a few years ago, but haven't heard anything since.
Agreed. When I last tried to update packages there was a scary disclaimer about it being likely to break the system, and that flashing a new firmware is preferred.
I nope'd out of that, and don't wish to go through the hassle of flashing again, so my AP is running a year+ old version. It works fine, and I'm not too concerned about it, but I would still like to be able to easily upgrade the system without worrying about breaking it.
Strongly agreed. I'd rather be running a Debian, with systemd, and boring regular utilities, than the bespoke environment openwrt has crafted together.
I'm super glad openwrt exists, and their uci config predates systemd's attempt to build a cohesive consistent whole system configuration pattern & is epic, but given the capabilities of these systems it feels so worthwhile to de-specialize the environment, to make it more boring.
What I really want is Kubernetes oriented tools that can manage hostapd & something like dawn or openwrt's usteer for band/AP steering. And some other ancillary wifi tools. Maybe a setup for radius/enterprise, instead of just PSK. You can do so much more with it, but at its core openwrt is 90% packaging for openwrt. It's not even particularly super well tuned hostapd: there's so much wireless config one can go try & enable that really is just additional 802.11 specs hostapd supports, they may improve your openwrt wifi experience.
> I'd rather be running a Debian, with systemd, and boring regular utilities, than the bespoke environment openwrt has crafted together.
I agree. I tried running OpenWrt as a wired router on an x86 mini PC, and found that it had some really powerful features and was certainly rock solid as a router. But there were some major annoyances, too. For example, their documentation includes a script for expanding the root filesystem [1] that left my system unable to boot. And while I didn't use it long enough to make it through an upgrade, their documentation on upgrades makes the process sound very brittle (it sounded like configs for installed packages don't carry over by default) and confusing.
I thought about trying to set up an Ubuntu (or other popular distro) box as a router, which I think would be much easier to maintain over time. But my concern is that I might overlook some important config that is set by default in OpenWrt, and leave my machine vulnerable to attack. Having a web UI that I can log into and view/make config changes is also kind of nice. Are there any good out-of-the-box solutions or guides for doing this? (I know that OPNSense/PFSense are really popular among homelab users, but unfortunately the Marvell NICs in my mini PC are not supported in FreeBSD).
> I'd rather be running a Debian, with systemd, and boring regular utilities, than the bespoke environment openwrt has crafted together.
Yup, that's the answer. Debian is rock solid, and a script with a bunch of iptables and iproute2 commands is so much simpler than the mess that is OpenWRT's network setup. I only use it for dumb APs, and even then it's questionable -- the UI is nice, but configuring it is unnecessarily complex IMHO.
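The question two comments up is what a hand-rolled Debian router script is likely to miss that OpenWrt's default firewall sets for you. As an added example (not code from either commenter), this is the baseline I would start from: a shell function that prints an nftables ruleset reproducing OpenWrt's stock zone policy (WAN input rejected apart from DHCP renewals, ping and the ICMPv6 types IPv6 needs; forwarding only from LAN to WAN; stateful return traffic; masquerading), plus the sysctl settings a desktop install does not enable. The interface names `eth0`/`eth1` and the file paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): the parts of OpenWrt's default firewall
# policy a plain-Debian router most often forgets. Both functions only print
# text, so the result can be reviewed before it is loaded.

# router_ruleset WAN_IF LAN_IF  -> prints an nft(8) ruleset to stdout
router_ruleset() {
  wan=$1; lan=$2
  cat <<EOF
flush ruleset

table inet filter {
  chain input {
    type filter hook input priority filter; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    # Everything the router itself offers (ssh, DNS, DHCP, any web UI) is LAN-only.
    iifname "$lan" accept
    # OpenWrt's stock WAN exceptions: DHCP/DHCPv6 lease renewals, rate-limited
    # ping, and the ICMPv6 types without which IPv6 does not work at all.
    iifname "$wan" udp sport 67 udp dport 68 accept
    iifname "$wan" udp sport 547 udp dport 546 accept
    iifname "$wan" icmp type echo-request limit rate 10/second accept
    iifname "$wan" icmpv6 type { echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query } accept
  }
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    ct state invalid drop
    # Only LAN-originated flows cross to WAN; nothing unsolicited comes in.
    iifname "$lan" oifname "$wan" accept
    # Path MTU discovery must be able to traverse the router.
    icmpv6 type { packet-too-big, time-exceeded, parameter-problem } accept
  }
}

table ip nat {
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    oifname "$wan" masquerade
  }
}
EOF
}

# router_sysctl -> kernel settings OpenWrt enables that a desktop distro does
# not: forwarding on, strict reverse-path filtering so spoofed source
# addresses are dropped on ingress, and ICMP redirects neither honoured nor sent.
router_sysctl() {
  cat <<EOF
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
}

# Usage (as root, after checking the output; paths are assumptions):
#   router_ruleset eth0 eth1 > /etc/nftables.conf && nft -f /etc/nftables.conf
#   router_sysctl > /etc/sysctl.d/90-router.conf && sysctl --system
```

The `policy drop` on both `input` and `forward` is the point: with it in place, forgetting a rule fails closed, which is the property that makes OpenWrt's defaults safe to not think about. Anything a LAN client should reach on the router still has to be accepted explicitly on `$lan`, and the IoT-style segmentation discussed earlier in the thread is just one more interface with its own `iifname` rules.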
I run OpenWRT on a 'big' device, this being a container on a Proxmox-managed DL380 G7. It works fine in this context, performance is good enough to be able to easily saturate the gigabit fibre link without breaking into a sweat.
Installing OpenWRT on such a device comes down to downloading openwrt-${version}-x86-64-rootfs.tar.gz and unpacking it in the target location. Boot the container or VM (or old PC or whatever) and follow the normal OpenWRT configuration procedure. Updating such an installation comes down to making a configuration backup in OpenWRT, unpacking the new distribution and restoring the configuration backup to the new install. Given the low resource requirements for such an installation it makes sense to first clone the working container or VM and perform the upgrade on one of the instances so you always have a working instance at hand.
Sure, openwrt works. I too have run it on an x86 VM at a time. That being said, there is a lot that could be improved. My biggest gripe is the weird filesystem layout with overlays and stuff in /tmp and whatnot. I can see it being needed on tiny devices, but on bigger ones can I just have regular ext4/xfs GPT partitions please? Another thing is just replacing the tiny versions of software with regular ones, like busybox->gnu or dropbear->openssh etc. Systemd could be at least considered as init.
All of this kind of things make sense when you consider openwrts origins. But on "big" system I'd just much rather have it be closer to "normal" Linux.
You can build the image yourself, but have to switch off some packages or features - otherwise the image (linux-kernel + tools) is just too large or consumes too much memory. The original router has 8 megabytes RAM-memory and 2 Megabytes flash ("storage"). You can boot a recent kernel 6.16.5, but with 8mb there is not much left to work with 8-)
My uneducated guess is that people that want this kind of symbolism aren't willing to actually become a maintainer and invest time in niche code for a declining user base?
Been a fan for a long time and use it on my Archer C7, but I had to disable hardware switching in order to use SQM, and now the switching performance is <200mbps. Having recently upgraded to home fiber, I'm probably going to get a native Unifi router.
Maybe have a look at Intel N100 boxes (Aliexpress -> Topton). They often have 4-5x 2.5GbE ports with high quality Intel cards. They are very cheap (100-200€) and don't draw too much current (5-15W).
You can run OpenWRT on them using the x86 build.
We usually have 5-10x of them around for emergency network tasks if everything burns down in a building.
Honestly it is tempting. I do have an old Haswell-era industrial motherboard that would manage the task just fine, and I've definitely considered this path.
That said, I'd probably spend about as much on a power supply, case, and NIC for that machine as I would on just buying a Unifi gateway, and theirs comes with an integrated UI for the APs. I'm past the stage of life where I find joy in tinkering with the infrastructure I need to do my job (WFH) so I'll probably still just go off the shelf.
I bought a Fujitsu Futro S920 second hand for like 30 euros. Put a dual NIC PCI card in there and now have a low watt router running very fast. Can easily run 1Gbit up and down.
I'm a huge fan of OpenWrt. When I got 10 Gbit internet at home I had to replace my old Ubiquiti USG3 on the cheap so I built a router out of a $80 Lenovo ThinkCentre Tiny.
I tried OPNsense and pfSense on advice but they could never crack around 5 Gbps throughput even with a bunch of tweaking, but OpenWrt gave me the full 10 Gbps out of the box with no hassles.
I also replaced the Ubiquiti firmware on an EdgeRouter with OpenWrt and it boosted the throughput from around 1.3 Gbps to 1.7 Gbps.
The OpenWrt UI for configuring the firewall is probably one of my favorite firewall UIs of all time. Before OpenWrt I could never wrap my head around those "local" etc ruleset names in more traditional routers, I had to look them up again every time I edited the config. Just being able to say "I have these networks, let this one do this to that one" is very easy to understand.
Agreed... probably the best experience for a SOHO router+wifi. I currently use OPNsense on an N305 mini PC for my router and the separate wifi AP has its own management interface. Works for my needs.
Interesting, on my latest router (WRT3200ACM) I've had the opposite experience - I had to switch from OpenWRT to DD-WRT since the former was too buggy to use (couldn't get the WiFi to work reliably).
[1] https://openwisp.org/
Openwrt supports the zyxel gs1900 switch, which goes up to 48 ports.
https://openwrt.org/toh/western_digital/mybooklive
They're slow, but great for stuff that doesn't need to be fast.
1: https://openwisp.org/faq/#suitable
https://github.com/rubenbe/opensoho
It is still a work in progress, but it is easy to deploy (one golang binary based on pocketbase)
I could wire up all of that manually. But I'm excited for the chance to learn something new
I thought Ubiquiti's firmwares were all based on Debian. Is this no longer the case?
https://github.com/fabianishere/udm-kernel
http://freesoftwaremagazine.com/articles/interview_with_jeff...
OpenWRT Two is scheduled for late 2025 from GL.iNet and should go for ~$250.
https://news.ycombinator.com/item?id=43512495
I'll just leave this here: https://www.netgate.com/blog/pfsense-software-embraces-chang...
OPNsense are unlikely to be able to make this transition, as they can't even reliably work on the FreeBSD kernel.
https://web.archive.org/web/20160314132836/http://www.opnsen...
[1]: https://elixir.bootlin.com/linux/v6.17-rc5/source/drivers/ne...
That's better than a fully commercial world or a fully "pure" world with no functionality.
also, I think the linksys wrt1900 supported openwrt when it came out. (not perfectly, but they tried)
Do you know whether 10Gb NICs are supported in OpenBSD, and can the link be fully saturated?
I'd be interested in building a DIY router on OpenBSD, but I need support for 10Gb SFP+, with an upgrade path beyond that.
[1] https://openwrt.org/docs/guide-user/installation/openwrt_x86...
Not to bell the cat, but some sort of symbolic build for the WRT54G(L) should still be possible… right?
A starter is here: https://intercity-vpn.de/files/openwrt/wrt54gtest/minimal/
Here's a blog post about this, not sure if it was the same one I followed:
https://blog.thelifeofkenneth.com/2010/09/upgrading-ram-in-w...