Building own router - pfsense vs openwrt vs ?

After deliberating over buying a better router I've decided to build my own using a small mini PC instead. It won't need to serve wifi as that will still be served with my wifi mesh system. I will also reuse my old BT Openreach modem. So it will just be a router. What would be the preferred routing software? pfsense, openwrt or something else? I don't mind paying a small license fee if required, although free and open source is obviously preferable. Thanks.


EDIT: The reason for wanting to do this is:

1) I haven't done it before. Something to learn and enjoy.
2) I was about to upgrade my current router to get more functionality such as dynamic DNS and VPN, which my ISP router does not provide. I miss the functionality of my old Draytek Vigor and was considering buying another.
3) I recently built my own NAS using Unraid and was impressed that it was at least as good, and arguably better, than a previous commercial NAS I had in the past. So I wanted to see if I can do the same with the router.
 

Why would you do this? What are you benefiting from doing it? What are your objectives?
 
1) A little project. Something fun. Not done it before.
2) I wanted more functionality from my router such as opendns, vpn, etc.
3) Having recently built my own NAS and finding it every bit as good, if not better, than a previous commercial NAS, I wanted to look at whether the same would be true of a DIY router.
 
Nothing at all wrong with wanting to play, but perhaps have a look at the other threads that have discussed this previously as it's been done in detail?

In summary:

Pfsense is popular, but the people behind it at the top are the textbook example of the way a project shouldn't be run. I can't personally stomach the idea of supporting people who have multiple examples of making frankly unbelievably poor choices and waging hate campaigns against other developers, repeatedly. The hate campaign against the OPN devs, the AES-NI U-turn, the move to closed source, followed by the wireguard car crash, and I just couldn't... I like my code functional and preferably not written by convicted felons with a history of bail jumping, international warrants/extradition, racism and waging hate campaigns against tenants. Then again you can see why he fitted right in as an outsourcing hire for the PF team, and the code was an abomination, but PF held onto the idea it was OK to push.

OPNSense is essentially a pfsense fork, but better. It's run by people who understand what they're doing and don't default to throwing the community under the bus or attacking other devs/projects.

Both of the above can be built out to UTM functionality.

Untangle - Great UTM, OK firewall, but to get the full UTM experience, requires payment. The free functionality is still good and tbh it's easy to use. Licensing things like the wireguard module requires a premium licence which feels like an unfortunate choice.

OWRT - The basis for many a good SoC router, it has some really impressive development going on around reducing buffer bloat/latency, but isn't without issues if you scale up. It's not as intuitive and feels a little 'odd' sometimes, but then again so does anything till you get used to it.

Sophos XG - Sophos are giving you software they charge tens of thousands for, but they have zero interest in supporting you. When they let the OpenVPN version depreciate to the point it became a problem, the community begged them to update it and got nowhere. For years.

In terms of hardware, this can be cheap. £40-60 buys you a reasonably efficient/quiet ex corp SFF and a 2T Intel NIC. The new drivers make most of the issues with RTL chipsets out of date for BSD (OPN/PF), but well proven Intel chipsets (eg not the new i2xx range) tend to carry more weight.
 
Thanks. Yes I'll probably be running this on an ex corporate SFF. They seem good value on ebay.
 
I have been running a Dell Wyse 5070 Extended with an Intel i350-T4 (4 port) NIC for about 2 years with pfsense; I've used pfsense on several PCs over the last 4-5 years.

Edited to change the time I've been using the Dell to 2 years!

 

Good to hear. That's exactly the same device I was intending to use (I bought a used one last night so will have it in a few days). It already has two NICs so I'm still up in the air about whether to add a 4 port card or not. Have you virtualised pfsense on it or is it running as the only thing on the 5070? They seem quite powerful for such a small device.

I've been playing with Opnsense this afternoon and it seems quite straightforward. I'll take a look at pfsense too.
 
Great, yes they have plenty of grunt. I just run pfsense on it. I did replace the SSD with a Samsung 860 EVO M.2 (just because I favour Samsung SSDs). BTW I think I saw that 5070 on the bay the other week; they're quite rare with the two network ports!
 
Strangely this one also has a half height dedicated AMD GPU. Apparently the thing will play games quite well, although that's not my intention and I may later think about selling the GPU to offset some of the cost. With the GPU it can run 5 monitors. Incredible little thing really and I see others have added SSDs like yourself and 32GB RAM.

I was half thinking about getting an eSATA card instead of the 4 port NIC, an external multibay HDD enclosure and also using it to run my unraid NAS to cut down the number of devices I have running. That's why I was asking about virtualisation. But it's probably a bad idea to virtualise the network router.
 
You can run router software virtualised on Unraid. I fitted a 4 port network card to my Unraid server and passed the ports through to the Opnsense VM I was running. It worked and worked well but I don’t use this set up anymore as I didn’t like the idea of the router going offline if the server did.
 
Thanks but that's the reason I wouldn't want to run the router inside unraid. If I reboot unraid for any reason then network connectivity goes offline. If I did virtualise it then I'd probably run something like proxmox and then run pfsense/opnsense and unraid as separate guests. That way the network would stay up regardless of what happens to unraid. But I'll probably just keep them on separate machines.
 
Nothing wrong with virtualizing a network router as long as it has a dedicated NIC to the internet. I run pfSense in a VMware VM. When I want to tinker with a new version or whatever, I can fire that up separately until I have the config how I want it, then I connect the new VM to the appropriate NICs and offline the old one.
 
You kind of missed the point: the virtualised host goes down (proxmox) and everything is offline, just as if you used UnRAID as your host and rebooted. The obvious solution is HA, but that requires either a second host or a bare metal install. CPU wise the Dell is going to take a beating trying to run UnRAID and anything other than light dockers/VMs.
 
MikroTik CHR.
Thanks.
Thanks. Having also looked at proxmox today I can see some advantages to virtualising it. As you say, you can try a new version without committing to it and roll back easily. I also like the easy backup options that it offers.
No I got the point. There is the risk of downtime for both. But my point was that running pfsense as an unraid docker means the network would go down if I restart the NAS or upgrade unraid. By running both unraid and pfsense as separate proxmox guests the network routing is isolated from any issues with unraid. It is still at risk of downtime if proxmox goes down.

You may be right about the CPU taking a beating though.
 
In general your router wants dedicated physical resources in a virtualised environment as a bare minimum; passing NICs directly to the VM is the only viable option, anything else will scale badly and your router is not something you want to have waiting for CPU time. I like 'light' router builds, have played with my fair share in VMs including HA, and pretty soon you realise that bare metal for a router is easier. My current box is a dual NIC Zotac i3 7100u with 16GB and a 240GB SSD; for the pittance it costs to run, it's worth keeping it bare metal, but I do/did have an HA backup that I can spin up if required.
 