Which Router to buy in 2023? UPDATE went with OPNsense on a firewall box.

kontrol

n3wb
Joined
Oct 8, 2015
Messages
6
Reaction score
1
Looking to replace my Asus router which is no longer supported. I want a wired router and not one with WiFi. Thinking Ubiquiti Edge, but just starting to research it.

I want to avoid junk and am willing to pay a bit more to avoid junk.

Is it worth it to go the pfSense route, or is that too involved?

One consideration is I want to do OpenVPN so I can see my cameras from far away. Dynamic DNS in the router would be nice -- maybe they all have that??

What should I buy? I have 8 cameras all wired, but the internet is also used for general home office and streaming etc.

Thanks!!
Check MikroTik.
They have their own reliable cloud, all types of VPN servers/clients, with or without WiFi.
 
Joined
Sep 5, 2015
Messages
662
Reaction score
484
I've been using pfSense CE for about a year and a half now. I'll never go back to any consumer router as long as I have control over it. Going from a subpar consumer router like Asus, Netgear, Amazon etc. to pfSense is like going from a Ring doorbell to Andy's Color 4K cameras.

I like the ability to run pfSense on my own hardware, which gives me the flexibility to switch firewalls easily if I need to. I.e., switching from pfSense to OPNsense would only require me to download the install file for OPNsense and install it. I also like having my WiFi APs separate from my firewall as I can choose the manufacturer that best fits my needs. If you use a consumer router you're stuck with their router and WiFi (unless you disable it and add your own). I've used Asus routers for quite a few years. While most of my experiences were good, I found their GUI to be a little buggy and every so often the WiFi would act funky. I also wasn't a fan of their very limited configuration options for OpenVPN.

With that being said, pfSense is not for everyone. You need to have a little networking knowledge to configure it. It's definitely a learning curve but there are plenty of videos on YouTube that will help you through it.
 

Bingo600

n3wb
Joined
Dec 26, 2023
Messages
18
Reaction score
17
Location
Europe
I'm using pfSense too.
I have 2 x "Chinese Qotom i5 - w. Quad Intel 211 NIC's" , home & summerhouse.
And have 8 "Chinese Qotom i3 - w. Hexa Intel 211 NIC's" at work.

I was a "happy" user up until a few months ago, when they decided to go back on their promise that pfSense+ would be free for home/lab usage.
The CE (Community Edition) fulfills my requirements.
But my gut feeling says it will not be maintained as well as the PLUS, and I have lost a lot of confidence with Netgate.
I'm still considering moving to OPNsense.

That said :
pfSense is a super nice firewall (router), and it will "tame" any cam/nvr that wants to callback to "The Mothership".
A "basic" network install, with these interfaces defined:
WAN , LAN , OPTx - (Additional Lan segments are by default called OPTx)

Will almost work right out of the box.
Just remember that any interface but LAN would by default have any incoming traffic (aka traffic leaving the subnet) blocked.
So you will have to add "Pass rules" on those interfaces.

I prob. went a bit overboard, and have 14 VLANs at both of my sites, with pfSense doing the Layer 3 routing between them.
And I have an L2L OpenVPN-TLS tunnel between my home/summerhouse sites, and an OpenVPN-TLS "dial-in" daemon on the home site for remote access.
My favorite (fanless) switches are D-LINK DGS-1210xx and, for "satellites", D-LINK DGS-1100-08, where the pricing/features are attractive.
Quite unusual that gear is cheaper in EU than US ...

My "core" consists of
DGS-1210-28 and HP 1820-24

For PoE/Cams I use (I only want fanless):
DGS-1210-10P - (PoE+ - Power budget 64W shared among all ports) - MAKE sure you get the new models with the external PSU brick ... The ones with built-in PSU get extremely hot.
DGS-1100-08P V2 - (PoE+ - Powerbudget 64W shared among all ports)

The 1210 series is "the fancier one" - SFP Uplinks , PoE+ or not , 802.1x, SNMP Write, VLAN ACL's etc ... not much heat generated and fanless (both PoE & non-PoE)
The 1100 series is a "basic 32-Vlan" L2 switch - Small size, PoE+ or not , SNMP read, not much heat generated and fanless (both PoE & non-PoE)

I work with Enterprise IP on a daily basis, and was offered lots of free Cisco 3560 or 3750 switches.
But they sound like a "jet fighter", and would make my electricity meter usable as a "hairdryer".
We pay on average around US$ 0.4 per kWh.
So I declined, and went HP (early choice), and since then D-Link.

I typically use the 1210-10P (PoE) where I would like to "automate" via SNMP, i.e. port up/down (on/off) ... e.g. Cisco APs in the summerhouse garage.
And the 1108-08P V2 (PoE) at places where it makes sense to put a switch instead of pulling multiple cables (satellites).

I have had the D-LINK's in 24/7 prod, for 5 years now. And have not lost a single unit or PSU yet.
I have had one 1108-08 (non PoE) , that developed a bad port, that's all.

I did try out TP-Link, but never forgave them for their "avoid customer unlock", where they forced all switchports to be a member of VLAN1 (unremovable).
They're still on my "don't touch" list ...

Linksys 308 series is nice as "satellite switches" too, but in EU pricier than D-LINK.

My HP 1820 switches are featurewise like the D-LINK 1100 series.
A nice "basic" L2 switch, but no SNMP automation possible.

As a general rule for home/cam usage, I'd say stay away from the enterprise switches.
The money you save now will be eaten up in 24/7/365 electricity.
They're noisy, NOT happy in a hot room, and the "cheap ones" prob. have their PSUs living on their last legs.
And most of the cheapies are 802.3af (15.4W).


Edit:
For WiFi I use Cisco 2702 enterprise APs, and like the possibility of 8 SSIDs. (Beware of mgmt frames eating radio bw. though)
I have autonomous versions, as I have "lost" too many perfectly good APs at my job, when Cisco EOS/EOL removes support in the controllers.
The D-LINK (PoE+) can drive a 2702 fully - an 802.3af can't ... the 2702 will shut one of the MIMO radios.

Edit2:
pfSense used FreeBSD as "Base OS", and NIC drivers are dependent on the FreeBSD drivers supporting them.
Always check the FreeBSD NIC support list.
While the FreeBSD Realtek drivers have improved during the last years, I would still recommend you get a "box" with Intel NICs.
Intel NICs seem to behave in FreeBSD.
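
The default-block behaviour described in the post above, as an added example (not part of the original post and not pfSense code): a simplified Python model of first-match rule evaluation on the interface where a new connection enters, with an implicit deny when nothing matches. The interface names other than LAN, the address plan and the rules are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # source network (CIDR)
    dst: str                     # destination network (CIDR)
    port: Optional[int] = None   # destination port; None matches any port

# Constructed address plan (assumption, not from the thread).
ANY = "0.0.0.0/0"
LAN_NET, CAM_NET, IOT_NET = "192.168.1.0/24", "192.168.20.0/24", "192.168.30.0/24"
CAM_GW = "192.168.20.1/32"       # firewall's own address on the camera segment

# Rules are attached to the interface where a new connection ENTERS the firewall.
RULESETS = {
    "LAN": [Rule("pass", LAN_NET, ANY)],                 # LAN's default allow rule
    "OPT1_NEW": [],                                      # fresh OPT interface: no rules
    "OPT1_CAMS": [Rule("pass", CAM_NET, CAM_GW, 123)],   # cameras: NTP to firewall only
    "OPT2_IOT": [Rule("block", IOT_NET, LAN_NET),        # order matters: block LAN first,
                 Rule("pass", IOT_NET, ANY)],            # then allow everything else
}

def evaluate(interface: str, src: str, dst: str, port: int) -> str:
    """Return 'pass' or 'block' for a new connection entering `interface`."""
    for rule in RULESETS[interface]:
        if (ip_address(src) in ip_network(rule.src)
                and ip_address(dst) in ip_network(rule.dst)
                and rule.port in (None, port)):
            return rule.action       # first matching rule wins
    return "block"                   # nothing matched: implicit default deny

if __name__ == "__main__":
    checks = [
        ("OPT1_NEW", "192.168.20.50", "192.168.20.1", 123),   # no rules yet
        ("OPT1_CAMS", "192.168.20.50", "192.168.20.1", 123),  # NTP to firewall
        ("OPT1_CAMS", "192.168.20.50", "203.0.113.50", 443),  # camera calling out
        ("LAN", "192.168.1.10", "192.168.20.50", 554),        # NVR pulling a stream
        ("OPT2_IOT", "192.168.30.7", "192.168.1.10", 445),    # IoT into LAN
        ("OPT2_IOT", "192.168.30.7", "203.0.113.50", 443),    # IoT to internet
    ]
    for c in checks:
        print(f"{c[0]:10} {c[1]} -> {c[2]}:{c[3]}  {evaluate(*c)}")
```

The model only decides new connections; on a stateful firewall the replies to a passed connection are allowed by the state entry, which is why the NVR on LAN can pull streams from a camera segment that has no pass rule toward LAN.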
 

LBJ

n3wb
Joined
Jul 9, 2016
Messages
26
Reaction score
14
Thanks all for the responses.

Some 4 months later, here is where I landed:

Got a CWWK/Topton generic "fanless" firewall box with a J6412 CPU on Black Friday from Amazon for $180. 16 GB memory and 256G SSD which is more than I'll ever need for this application. Thought if things went really bad I could return it, but I still have it, and it's on my network now.

Chose OPNsense based on some of the comments in this thread, plus the owners of pfSense made some recent changes and are charging for their "plus" version unless you have their HW. I don't mind paying for good products (BI and decent cameras for example) but several factors tilted me toward OPNsense. YMMV. I've heard that pfSense has its advantages too.

A few points:

  • There is a learning curve moving from an Asus router to OPNsense. I'm a better person having gone through the learning curve and I now have a better understanding of networking in general. It took many hours of looking at blogs, videos and the like. I even read a book on OPNsense which was available for free from my company's "continuous learning" subscription.
  • Sadly the book is based on an earlier version of OPNsense, but most of the concepts were the same. I found this to be true of much of the info available. Most videos in particular are based on old SW versions of OPNsense, but still mostly useful for getting going.
  • The "fanless" firewall computer still needs an external fan. CPU temps went down about 10 degrees (F) once I pointed a fan at the heatsink. Temp levels not super high, but I feel better running it cooler.
  • I checked out a "hotspot" from the public library and set up a mini-network so I could test everything out with old laptops, etc. This turned out to be a good move since 2 people here who WFH cannot do without the internet, even for a small period.
  • I made one HUGE mistake that cost me some time and made me lose trust in the system somewhat: I wanted to make sure the firewall box and SW would come back after a power failure. So I simply pulled the power plug and after a minute plugged it back in. Big mistake. It wouldn't boot. I had to start from booting from USB and re-install OPNsense from the start. I was ready to return the box and forget the whole thing, but instead I did 2 things:
    • 1] invested in a $72 APC UPS box which sits in my media closet. There is a software OPNsense plugin so the firewall shuts down properly if a power failure occurs. The firewall comes up again once the mains return to normal.
    • 2] Decided to keep my old Asus in the media closet as a spare. If I need to start again from a bootable USB stick, I need to be on the internet for work activities during the downtime. Now it's a simple matter of changing 4 RJ-45 connections and I'm on the internet again.
      • My strong advice is to have a spare router handy if you go with OPNsense.
    • If I go back to a traditional router, this event will weigh heavily in that decision. My old Asus would get the power pulled all the time and it ALWAYS came back due to the difference in architecture.
  • I got the DDNS going that I use. DuckDNS. I'd rather use the one that IPCT offers, but I don't know if it's compatible. Couldn't figure it out.
  • I got the DNS server that I use working and tried DNS Leak Test to confirm. A few unresolved questions:
    • There seem to be many DNS features in OPNsense. But I instead use the safe browser DNS services that I've used for years. Is that good enough since it protects me from virus sites, adult sites and the like?
    • I've pretty much disabled the "unbound" feature since I think setting my DNS server to the safe site DNS does the same thing. Am I wrong?
  • Along those lines, what the heck is Zenarmor? All I keep seeing online is that it's a next generation firewall, but that seems like marketing talk, and nobody has offered examples of Zenarmor doing better than the DNS server that I've been using for years plus the firewall already built into OPNsense.
  • There is still a lot of learning to do, such as this:
    • I took the 3 extra ports not used for the WAN and "bridged" them together. I guess this is not recommended, one is to set a different LAN for each HW Ethernet port. I don't see what they would do for me.
    • VLANs for cameras and other IoT devices. I don't see my cameras as a large threat, so I have not bothered yet. I don't have any open ports for cameras.
    • Reporting: it would be fun to see where the traffic goes, but I've not bothered to use it much other than see the basic traffic graph on the dashboard, which is similar to a screen I had for traffic reporting on the old Asus.
    • Ad blocking. I've not done this yet, and I'm somewhat afraid to since last time I tried an ad blocker many sites simply stopped and said "disable your ad blocker to continue". This was so painful that I gave up on ad blockers.
So that's what I found so far. If anyone is using Zenarmor and knows why that's better than the "safe" DNS server that I use, then I'd be interested in gathering more information.

And again, thanks for the advice provided. Tilted toward OPNsense.
 
Joined
Sep 5, 2015
Messages
662
Reaction score
484
  • I made one HUGE mistake that cost me some time and made me lose trust in the system somewhat: I wanted to make sure the firewall box and SW would come back after a power failure. So I simply pulled the power plug and after a minute plugged it back in. Big mistake. It wouldn't boot. I had to start from booting from USB and re-install OPNsense from the start. I was ready to return the box and forget the whole thing, but instead I did 2 things:
    • 1] invested in a $72 APC UPS box which sits in my media closet. There is a software OPNsense plugin so the firewall shuts down properly if a power failure occurs. The firewall comes up again once the mains return to normal.
    • 2] Decided to keep my old Asus in the media closet as a spare. If I need to start again from a bootable USB stick, I need to be on the internet for work activities during the downtime. Now it's a simple matter of changing 4 RJ-45 connections and I'm on the internet again.
      • My strong advice is to have a spare router handy if you go with OPNsense.
That is NOT normal. I would be worried there is a hardware issue with the box you bought. I have multiple pfSense boxes installed using the ZFS file system and they've all abruptly lost power due to being unplugged or an outage. I've never had one not boot up after a power fail. If I were you, I would investigate that further as that problem may lead to additional issues down the line. I know pfSense is not OPNsense but it's close enough.

It's always a good idea to have a backup router, but since I switched to pfSense about 3 years ago I've found it to be way more reliable than any Asus router or Unifi router I've ever used. I'm going on three years without a single issue; the only downtime was to perform updates. Might not be a bad idea to keep a spare box around that can handle OPNsense. All you would have to do is restore your config file and you're back up and running.
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,835
Reaction score
6,406
Never had that with pfSense either. As you said, not OPNsense, but I don't think that's typical.
 

LBJ

n3wb
Joined
Jul 9, 2016
Messages
26
Reaction score
14
Good point on the power up issue. I have since found out that there is a ZFS and a UFS file system. I used UFS which had known issues, especially on power cycle. I just didn't know any better.

So next time I have a free evening I'll switch to the other file system which means starting over and hoping my configuration back-up holds.

By the way, I'm not sad about buying the UPS. I wanted one in that spot anyway since all of my PoE switches are there too, and I wanted these cams to stay alive for at least a little while after an outage since my BI computer is already on a UPS. So all is good.

.
 
Joined
Sep 5, 2015
Messages
662
Reaction score
484
I would still verify your hardware is not faulty. I've used pfSense on the UFS file system before and it did not become corrupt after a power failure. However, I do recommend switching over to the ZFS file system when you can.
 