Let's talk about free/FOSS routing platforms for the homelab
I am going to intentionally exclude Unifi and Mikrotik along with the vendors like Cisco, Juniper, Aruba etc from this discussion as I don't think they are relevant (especially since you can't run them on your hardware).
OPNsense: Considered the superior alternative to PFSense. Great firewall, routing capabilities, IDS and certificate authority, advanced features, can be a DNS server etc. Best option all around for x86, but BSD based - take note of available drivers. Don't even think about running random WiFi antennas unless you confirm good support for them (use a distinct WAP).
OpenWRT: built for consumer router + switch + WAP boxes on embedded hardware. Great OS and uses very little resources with many features, but doesn't compete in features with OPNsense if you have x86.
VyOS: Debian based router + firewall. Linux makes it easier for people to pick up the CLI but I've heard complaints about it being difficult to follow. Currently CLI only, at least without third-party solutions, but is powerful and competes directly with OPNsense for features for the most part. Edit: I made a mistake - LTS versions also have their source available for free, you'd just need to compile it with the instructions on their website. Seems to be stable.
Debian + FRRouting + nftables + heavy SELinux for the paranoid/analogous alternatives on OpenBSD (the latter is considered more secure but YMMV, configuration plays a big part here).
Freemium: Sophos free version for home use.
Which one of these do you run, and why? What have been your issues with one or the other, and what have you settled on? Any niche customisations that you might have made? I'm very interested to know!
Cheers
Edit: it would seem that OPNsense is a big winner in this space for stability. OpenWRT comes next because of its very light nature and ability to run on consumer routers.
Yep. Firewall, routing, dhcp, dns, everything you’d expect from a gateway device. Plain Debian (or really any distro) can do it all. With a 1gbps bi-directional connection fully saturated it will run at about 10% cpu on my very crappy low power Celeron CPU.
Plus, there’s no web UI full of janky and insecure CGI scripts to exploit, and software updates are forever (well, until x64 is deprecated, so basically forever).
OpenWRT, because it has a nice interface, runs on half a toaster, and I've yet to find something that I need it to do that it couldn't do but OPNSense could.
I did try PFSense many years back and it just seemed overly complicated and generally flaky. I had trouble setting it up as a tinc VPN client despite that being a trivial task in OpenWRT, so I switched back.
I've run Opnsense for quite a few years now, haven't really had any issues with it.
I'd like to try OpenWRT and move to a nice low power router, but figuring out what hardware is supported is hard, as just "it runs openwrt" isn't good enough when hardware acceleration often doesn't work and stuff like that. Overall just too confusing for me to bother with finding hardware that will handle at least 3 Gbps throughput.
VyOS looks interesting but CLI only sounds super rough, I don't really understand how I would do stuff like see DNS blocklist stats and easily whitelist by clicking on a blocked host, or add a static IP by clicking on the MAC address and that sort of thing.
Honestly you can go buy some random device and it will probably be supported. For instance I bought a Linksys router from Walmart and it runs Openwrt fine.
Finding throughput data is difficult though, basically anything will support like 500Mbps, but hitting 1-2Gbps consistently with internet downloads or transfers crossing VLANs seems a lot tougher.
What kind of extensive network setups are you running at home? I just have a few Wifi-routers with OpenWRT and one server / NAS. (Which also does DNS Ad-blocking.)
Most home setups will likely work fine with just one firewall, but I am planning for 2 at the very least for my network. Also, sometimes it might be better to run a separate router in a VM and have a distinct network behind it if you want to segment said network more thoroughly/want to emulate an enterprise environment etc. I personally see good use for running 2 or more routers (software/hardware) in a lab, but YMMV
Thanks. I was going a bit more for the "what do you need that for" aspect. Emulating an enterprise environment sounds more like tinkering or learning? I mean I get network segmenting if you want to separate, for example, a home office from the entertainment devices in the living room from the cheap unpatched IoT devices... And also have a separate network to experiment in the basement lab... Doing firewalling to keep the TV from transmitting behaviour tracking data to the manufacturer... Stop the kids from accessing the network share... Or you have several servers running at home with lots of containers...
But are those hypothetical use-cases? Or what do people actually use the 2 consecutive firewalls and different network segments for?
I mean I live in a country where electricity isn't that cheap. I run one server 24/7 and that has to do everything. And since it's just one machine I can set up a network bridge and a separate internal network for docker there. Most of the networking isn't overly complicated and contained within that machine. But my OpenWRT also does additional wifi for the guests and a third network for experimentation.
I get doing it as a hobby. I was just wondering if there are 12 laptops at home, VLANs through the house and 3 servers with lots of storage and webservices and that's what the OPNsense is for, or if it's more "because I can".
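The segmentation use cases discussed above (keeping a home office, IoT devices and a guest network apart, while the router itself stays reachable only from the trusted side) map onto a small ruleset on the "Debian + nftables" option the OP lists. The following is an added example, not configuration from anyone in the thread; the interface names, VLAN tags and subnets are assumed placeholders, and IPv4 forwarding still has to be enabled separately with sysctl.

```nft
#!/usr/sbin/nft -f
# Added example ruleset for a Debian box acting as the home router.
# Assumed (placeholder) layout:
#   eth0      WAN, upstream ISP
#   eth1      trusted LAN    192.168.10.0/24
#   eth1.20   IoT VLAN       192.168.20.0/24
#   eth1.30   guest VLAN     192.168.30.0/24
# Also required: sysctl -w net.ipv4.ip_forward=1

flush ruleset

define WAN   = "eth0"
define LAN   = "eth1"
define IOT   = "eth1.20"
define GUEST = "eth1.30"

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # ICMP is needed for path MTU discovery, ICMPv6 for neighbour discovery
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Services the router offers to internal segments only: DNS and DHCP
        iifname { $LAN, $IOT, $GUEST } udp dport { 53, 67 } accept
        iifname { $LAN, $IOT, $GUEST } tcp dport 53 accept

        # Management (SSH) only from the trusted LAN
        iifname $LAN tcp dport 22 accept

        # Anything else, including all unsolicited traffic from WAN, hits policy drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Trusted LAN may reach the internet and may initiate connections into IoT
        iifname $LAN oifname { $WAN, $IOT } accept

        # IoT and guest only reach the internet; they cannot initiate connections
        # toward the LAN, the router's management port, or each other
        iifname { $IOT, $GUEST } oifname $WAN accept
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f` and persist it via `/etc/nftables.conf` so it is applied at boot. The default-drop policies on both `input` and `forward` are what make the segmentation hold: every permitted flow is an explicit line, so the "TV phoning home" or "IoT reaching the NAS" cases are blocked by omission rather than by a rule someone has to remember to add.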
VyOS: Debian based router + firewall. Linux makes it easier for people to pick up the CLI but I’ve heard complaints about it being difficult to follow. Currently CLI only, at least without third-party solutions, but is powerful and competes directly with OPNsense for features for the most part. Seems to be just as stable. My mistake, the FOSS version is not LTS but a rolling release and needs to be compiled.
Very misleading statement. Both rolling and LTS are FOSS, they just do not provide LTS binaries for free. Want LTS? Build it yourself; all the tools and guides (a bit outdated) are out there. It will take 30 min of your time to set up.
My apologies, I didn't realise the LTS version's source was free. I'll edit the post, thanks for pointing it out. Could you tell me more about your VyOS setup?
OPNsense all the way. I run it in a VM. I ran PFsense for years then finally went through the pain of migrating. It was worth it for the UI improvements alone. PFsense also corrupted itself twice in about 4-5 years of running it, requiring restores from VM snapshots. OPNsense has been rock solid but it’s only been 2 years since I migrated.
I have used openwrt but only for a WiFi AP, not as a real router. I’ve since moved to a Unifi AP which works fine, but I won’t buy their stuff again for other reasons.
I tried OPN/pfSense, VyOS (the rolling one; stable is paid only), and a couple of commercial options. Surprisingly not a single free/FOSS option can do IPv6 properly (I was looking specifically for prefix delegation for downstream routers). Cashed out for a single RouterOS CHR license and never bothered since.
But otherwise I tend to like VyOS. The rolling releases as the only free option make it somewhat questionable for something more serious though.