Building own router - pfsense vs openwrt vs ?

After deliberating over buying a better router I've decided to build my own using a small mini PC instead. It won't need to serve wifi as that will still be served with my wifi mesh system. I will also reuse my old BT Openreach modem. So it will just be a router. What would be the preferred routing software? pfsense, openwrt or something else? I don't mind paying a small license fee if required, although free and open source is obviously preferable. Thanks.


EDIT: The reason for wanting to do this is:

1) I haven't done it before. Something to learn and enjoy.
2) I was about to upgrade my current router to get more functionality such as dynamic DNS and VPN, which my ISP router does not provide. I miss the functionality of my old Draytek Vigor and was considering buying another.
3) I recently built my own NAS using Unraid and was impressed that it was at least as good, and arguably better, than a previous commercial NAS I had in the past. So I wanted to see if I can do the same with the router.
 
Why would you do this? What are you benefiting from doing it? What are your objectives?
1) A little project. Something fun. Not done it before.
2) I wanted more functionality from my router such as opendns, vpn, etc.
3) Having recently built my own NAS and finding it every bit as good, if not better, than a previous commercial NAS, I wanted to look at whether the same would be true of a DIY router.
 
Nothing at all wrong with wanting to play, but perhaps have a look at the other threads that have discussed this previously, as it's been done in detail?

In summary:

Pfsense is popular, but the people behind it at the top are the textbook example of the way a project shouldn't be run. I can't personally stomach the idea of supporting people who have multiple examples of making frankly unbelievably poor choices and waging hate campaigns against other developers, repeatedly. Throw in the AES-NI U-turn, the move to closed source, followed by the WireGuard car crash, and I just couldn't... I like my code functional and preferably not written by convicted felons with a history of bail jumping, international warrants/extradition, racism and waging hate campaigns against tenants. Then again you can see why he fitted right in as an outsourcing hire for the pf team.

OPNSense is essentially a pfsense fork, but better. It's run by people who understand what they're doing and don't default to throwing the community under the bus or attacking other devs/projects.

Both of the above can be built out to UTM functionality.

Untangle - Great UTM, OK firewall, but to get the full UTM experience requires payment. The free functionality is still good and tbh it's easy to use. Licensing things like the WireGuard module requires a premium licence, which feels like an unfortunate choice.

OWRT - The basis for many a good SoC router. It has some really impressive development going on around reducing bufferbloat/latency, but isn't without issues if you scale up. It's not as intuitive and feels a little 'odd' sometimes.

Sophos XG - Sophos are giving you software they charge tens of thousands for, but they have zero interest in supporting you. When they let the OpenVPN version deprecate to the point it became a problem, the community begged them to update it and got nowhere.

In terms of hardware, this can be cheap. £40-60 buys you a reasonably efficient/quiet ex-corp SFF and a 2-port Intel NIC. The new drivers make most of the issues with RTL chipsets out of date for BSD (OPN/PF).
Thanks. Yes, I'll probably be running this on an ex-corporate SFF. They seem good value on eBay.
 
I have been running a Dell Wyse 5070 Extended with an Intel i350-T4 (4 port) NIC for about 2 years with pfsense. I've used pfsense on several PCs over the last 4-5 years.

Edited to change the time I've been using the Dell to 2 years!

Good to hear. That's exactly the same device I was intending to use (I bought a used one last night so will have it in a few days). It already has two NICs so I'm still up in the air about whether to add a 4 port card or not. Have you virtualised pfsense on it or is it running as the only thing on the 5070? They seem quite powerful for such a small device.

I've been playing with OPNsense this afternoon and it seems quite straightforward. I'll take a look at pfsense too.
 
Great, yes they have plenty of grunt. I just run pfsense on it. I did replace the SSD with a Samsung 860 EVO M.2 (just because I favour Samsung SSDs). BTW, I think I saw that 5070 on the bay the other week; they're quite rare with the two network ports!
Strangely this one also has a half-height dedicated AMD GPU. Apparently the thing will play games quite well, although that's not my intention and I may later think about selling the GPU to offset some of the cost. With the GPU it can run 5 monitors. Incredible little thing really, and I see others have added SSDs like yourself and 32GB RAM.

I was half thinking about getting an eSATA card instead of the 4 port NIC, an external multi-bay HDD enclosure, and also using it to run my Unraid NAS to cut down the number of devices I have running. That's why I was asking about virtualisation. But it's probably a bad idea to virtualise the network router.
 
You can run router software virtualised on Unraid. I fitted a 4 port network card to my Unraid server and passed the ports through to the Opnsense VM I was running. It worked and worked well but I don’t use this set up anymore as I didn’t like the idea of the router going offline if the server did.
Thanks, but that's the reason I wouldn't want to run the router inside Unraid. If I reboot Unraid for any reason then network connectivity goes offline. If I did virtualise it then I'd probably run something like Proxmox and then run pfsense/OPNsense and Unraid as separate guests. That way the network would stay up regardless of what happens to Unraid. But I'll probably just keep them on separate machines.
 
MikroTik CHR.
Thanks.
Nothing wrong with virtualizing a network router as long as it has a dedicated NIC to the internet. I run pfSense in a VMware VM. When I want to tinker with a new version or whatever, I can fire that up separately until I have the config how I want it, then I connect the new VM to the appropriate NICs and offline the old one.
Thanks. Having also looked at Proxmox today, I can see some advantages to virtualising it. As you say, you can try a new version without committing to it and roll back easily. I also like the easy backup options that it offers.
You kind of missed the point: the virtualised host goes down (Proxmox) and everything is offline, just as if you used Unraid as your host and rebooted. The obvious solution is HA, but that requires either a second host or a bare metal install. CPU-wise the Dell is going to take a beating trying to run Unraid and anything other than light dockers/VMs.
No, I got the point. There is the risk of downtime for both. But my point was that running pfsense as an Unraid docker means the network would go down if I restart the NAS or upgrade Unraid. By running both Unraid and pfsense as separate Proxmox guests, the network routing is isolated from any issues with Unraid. It is still at risk of downtime if Proxmox goes down.

You may be right about the CPU taking a beating though.
 
In general your router wants dedicated physical resources in a virtualised environment as a bare minimum. Passing NICs directly to the VM is the only viable option; anything else will scale badly, and your router is not something you want to have waiting for CPU time. I like 'light' router builds and have played with my fair share in VMs, including HA; pretty soon you realise that bare metal for a router is easier. My current box is a dual NIC Zotac i3 7100u with 16GB and a 240GB SSD. For the pittance it costs to run, it's worth keeping it bare metal, but I do/did have an HA backup that I can spin up if required.
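Added example (not part of any post in this thread): a small POSIX shell script for the point the post above makes, that a router VM should own its NICs outright via PCI passthrough. It takes `lspci -nn` output (a constructed sample is embedded; the PCI addresses and vendor:device IDs are sample values), derives the `options vfio-pci ids=` line for the ports the VM will own, checks that the kernel exposes an IOMMU (VT-d/AMD-Vi), and flags the case where the hypervisor's own NIC shares a vendor:device ID with a passthrough port, which `ids=` binding would otherwise also claim and take the host offline. A Linux hypervisor such as Proxmox is assumed; the function names and the optional sysfs path argument are this example's own.

```shell
#!/bin/sh
# Added example: derive vfio-pci passthrough settings for a router VM's NICs
# from `lspci -nn` output. Assumes a Linux host (e.g. Proxmox) with the IOMMU
# enabled. Device IDs and addresses below are constructed sample values.

# Constructed sample of `lspci -nn` output: one onboard NIC the host keeps,
# a two-port add-in card for the router VM, and a GPU that must not match.
SAMPLE_LSPCI='00:1f.6 Ethernet controller [0200]: Intel Corporation Ethernet Connection (7) I219-LM [8086:15bb]
01:00.0 Ethernet controller [0200]: Intel Corporation I350 Gigabit Network Connection [8086:1521] (rev 01)
01:00.1 Ethernet controller [0200]: Intel Corporation I350 Gigabit Network Connection [8086:1521] (rev 01)
02:00.0 VGA compatible controller [0300]: Advanced Micro Devices, Inc. [AMD/ATI] Baffin [Radeon RX 550] [1002:67ff]'

# Print "<pci-address> <vendor:device>" for every Ethernet controller line.
# Usage: ethernet_devices "$lspci_text"
ethernet_devices() {
    printf '%s\n' "$1" |
        sed -n 's/^\([0-9a-f:.]*\) Ethernet controller.*\[\([0-9a-f]\{4\}:[0-9a-f]\{4\}\)\].*/\1 \2/p'
}

# Unique vendor:device IDs of the NICs to pass through: every Ethernet
# controller except the address the host keeps for itself. Space-separated.
# Usage: passthrough_ids "$lspci_text" "<host-nic-address>"
passthrough_ids() {
    ethernet_devices "$1" | awk -v keep="$2" '$1 != keep { print $2 }' |
        LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

# The /etc/modprobe.d line that makes vfio-pci claim those IDs at boot.
# Usage: vfio_modprobe_line "$lspci_text" "<host-nic-address>"
vfio_modprobe_line() {
    printf 'options vfio-pci ids=%s\n' "$(passthrough_ids "$1" "$2" | tr ' ' ',')"
}

# Return 0 when the host's own NIC shares a vendor:device ID with a
# passthrough NIC. ids= binding is by ID, so vfio-pci would also grab the
# host NIC and the hypervisor would lose its management connection; in that
# case bind by PCI address (driver_override) instead of by ID.
# Usage: host_nic_id_clash "$lspci_text" "<host-nic-address>"
host_nic_id_clash() {
    host_id=$(ethernet_devices "$1" | awk -v keep="$2" '$1 == keep { print $2 }')
    [ -n "$host_id" ] || return 1
    for id in $(passthrough_ids "$1" "$2"); do
        [ "$id" = "$host_id" ] && return 0
    done
    return 1
}

# Return 0 when the kernel exposes at least one IOMMU (VT-d / AMD-Vi enabled
# in firmware and on the kernel command line). Without it passthrough cannot
# work. The directory argument exists so the check can be exercised offline.
# Usage: iommu_present [sysfs-iommu-dir]
iommu_present() {
    dir=${1:-/sys/class/iommu}
    [ -d "$dir" ] && [ -n "$(ls -A "$dir" 2>/dev/null)" ]
}

# Stand-alone demo on the constructed sample: the host keeps the onboard
# I219 at 00:1f.6 and the router VM gets both I350 ports.
ethernet_devices "$SAMPLE_LSPCI"
vfio_modprobe_line "$SAMPLE_LSPCI" 00:1f.6
if host_nic_id_clash "$SAMPLE_LSPCI" 00:1f.6; then
    echo "WARNING: host NIC shares an ID with a passthrough port; bind by address instead"
else
    echo "OK: ids= binding will not claim the host NIC"
fi
if iommu_present; then echo "IOMMU present"; else echo "IOMMU not exposed by the kernel"; fi
```

On a real host, replace the sample with `lspci -nn` output and pass the address of the NIC the hypervisor keeps; if the clash check fires (for instance when the onboard port and the add-in card use the same controller), binding by ID is unsafe and the per-device `driver_override` route is the one to take.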
Noted thanks.
 
PfSense is great. Although see my thread here, where my "project for fun" got carried away and, almost a decade of super user support later, I retired it:


I had an ESXi/VMware Whitebox with PfSense as a VM, with the NIC 'hardware passthrough' using VT-D and an OpenReach modem.
Haha, yes I saw your post when you made it. Luckily if things get out of control I can just plug the BT Smart Hub back in.
 
Thanks all.

Complete coincidence, but my BT Smart Hub died this morning. I've got my internet connection working again temporarily using the old modem and router I used in 2008. Luckily I never threw them away. So when the Wyse 5070 arrives I'll definitely be building it out as a router.
 
After a little more research it actually seems quite easy and cheap to add a second NIC to these devices. So perhaps the totally passively cooled slim Celeron version, with its lower power requirements, may have been better, adding a second NIC to that.

This article explains it:


Anyway I have the extended version and Intel 4 port NIC arriving in a few days so I'll see what it's like as a router. Potentially I may keep an eye out for a cheap slim version and add a second NIC to the 2230 port. Then repurpose the extended version at a later date.

OPNSense was the one I went with after testing PFSense, helps that OPN are EU based.
Thanks. Yes, I am leaning towards OPNsense after trying both, and also due to the company going in a better direction than pfsense could in the future.
 
A little bit of an update. OPNsense and the Wyse 5070 just saved me from several days of internet outage. On Sunday my second BT Home Hub died. It simply wouldn't power on. I guess it was just too old and had been in a cupboard for too long. This was already my backup router after my main one died. So in the space of several days both my main router and my spare one died. My wife and kids panicked; my daughter needed the internet for A level revision, my son for games and my wife to work from home. I had already been playing around with OPNsense on the Wyse 5070, so I was able to swap it in and configure it for PPPoE using the BT Openreach modem that was still working fine. Without OPNsense we would have had a couple of days' outage, only tethering our phones for internet, and my wife would have had to go back into the office.

Unfortunately I hadn't appreciated that I hadn't actually installed OPNsense correctly and had been running it in Live USB mode, with a few issues causing it to run slowly. But I couldn't power it off or reboot it for fear of not being able to set it up correctly again (I'm very new to this; I got it working and wanted to leave it that way). So I left it alone, sitting silently in the corner working away, until I got another proper router, which arrived today. I went for a used Draytek Vigor 2925, which I appreciate is a few years old now. But it is still miles better than the BT routers that I had. It was also quite cheap as it's an older model. Having the Draytek means I can continue playing with OPNsense and learning how to properly set it up. I can swap the Draytek back in at the slightest hint of a problem.

I actually can't believe the timing of this. I learn OPNsense at the exact time both my routers fail, and it saved us from having no internet for a few days. The other thing I discovered is that if I remove the GPU from the Wyse 5070 Extended (I have already replaced it with a 5 port NIC) it runs completely silent; the CPU fan (almost) never comes on.

Overall it was a good learning experience and the timing could not have been better. I'll keep playing with OPNsense and then make a decision whether to use it or the Draytek as the main router.
 