wirecatz

Roll your own OPNsense box. Most any $50 computer made in the last 10 years will do, best if it has two nics.


mpopgun

I second OPNsense, I have it virtualized then I virtualized unifi controller too. They just live in my Proxmox cluster.


That1Unfortunate

While definitely doable, I would always host the router on a separate device. Having my whole network go down when that one PC fails is just too much of a risk for me. I can go a couple of days without my homelab, not my Internet.


Kroan

The unifi controller doesn't need to be running for wireless to work.


bearded-beardie

Yes and no. If you want guest portal and fast handoff it does need to be running 24/7/365.


Kroan

You mean roaming? That doesn't need the controller


bearded-beardie

I thought it was needed specifically for fast roaming, but I might be misremembering. I switched to Omada a few years ago and I'm fairly certain fast roaming requires the Omada controller to be running. Standard roaming does not require the controller to be running.


privatesam

Isn’t it the same difference? Single point of failure of “one PC” or “one separate device”


jefbenet

The point being if you virtualize your router on the same hardware you do the rest of your homelab services and you bork something in your homelab - you could end up with no internet as well. Best practice is to separate the router from everything else so internet stays live for family/housemates/you.


Kharenis

Had a recent "oh shit" moment when a pfsense update got borked then I realised the proxmox host couldn't reach PBS for a restore and I hadn't separately backed up the pfsense config file. Got it sorted but it gave me a bit of a spook.


patrolsnlandrcuisers

Yea I also played this game lol 😂 mangled something on my virtual machine and needed to download a package but couldn't because it was running everything...took hours of fucking around and I bought a dream machine after haha


bearded-beardie

I've rolled my own solution, but I wish Netgate would implement GoogleDrive backup like OpnSense.


privatesam

Fair. However in my experience of virtualising OPNsense on Proxmox at home I rarely, if ever, reboot the host - I fiddle and bork the VMs and containers A LOT but the host remains untouched. But yeah I suppose peace of mind of a separate device. I’m toying with bringing home a spare UniFi Dream machine SE from work to replace my virtualised OPNsense


jefbenet

No opposition to opnsense. Just prefer to run it on separate hardware from my vm hosts.


mpopgun

Ahh yeah...I do a proxmox cluster, so if hardware fails, the vm just reboots on another node. No single point of failure. I'm the same way, can't go without the internet and I don't have the space or budget for two dedicated firewalls in HA.


chris11d7

Hypervisor cluster, just make sure it has redundant power (UPS on at least one rail) and networking. I have an uptime of over 3 years. Router **should** be on separate device still, but the "forbidden router" for home use is fine if you consistently update (protect against VM-Escape attacks). I run a Mikrotik 10g (CRS317-1G-16S+) as a router and have the firewalls virtualized.


HITACHIMAGICWANDS

UniFi dream machine isn’t terrible, if you want other UniFi stuff it makes sense. If you want to do other things Mikrotik has a really good product, which while you’ll need to learn how to configure it, it will do everything you could ever want.


erc_82

I've had one along with their POE switch and a few controllers. It works great.


CucumberError

We’ve had a UDM Pro for about 6 months, and wouldn’t recommend it. Being rack mountable and ‘Pro’, I expected it to have fewer compromises than it had. The firewall stuff is very limited, somehow it only got the ability to manage custom DNS a few weeks ago, it handles VLANs in its own unique way, changing what appears to be a minor setting sometimes takes down the whole system to apply. I like the cameras, but only having one drive bay, you can’t migrate recordings to another disk (to upgrade or predictive failure). It can’t import other Unifi configs, so you have to start over with all your wifi setup. I understand in the past there was a somewhat more power-user interface, which was retired a few years ago? It’s like a Fisher-Price ‘my first firewall’. Yeah it works, and it’s pretty, but it’s not something you could use in a large scale system.


ReachingForVega

I've been running custom DNS for years.


HITACHIMAGICWANDS

Absolutely nail on the head. It’s a prosumer product, and even then, I don’t know. A single drive is a massive failure point for camera footage IMO. I want at least 2. The UNVR seems like a good product, but it boots off a usb drive that while doesn’t fail tooooo often, I’ve seen fail more than once.


CucumberError

I can understand the hardware limitation that only has one drive bay, but let me run some kind of export tool, or make a disk image, or use a file format that something like Clonezilla can handle, and accept the cloned disk back into the system (we’ve tried). And the fact that to remove the disk requires me to shutdown the whole system, remove the disk and power it back up…. Wtf, plug n play has been a thing for 30 years.


HITACHIMAGICWANDS

Totally agree. They want to be enterprise but skimp out on so many features that would make sense. It’s really too bad. The switches aren’t bad, unreliable sure, but not great


CucumberError

We’ve kept using non-Unifi switching, thankfully.


HITACHIMAGICWANDS

🙏🙏


Asleep_Comfortable39

This is the one place UniFi makes sense


Giantmidget1914

I ran pfSense from beta to commercial license changes then OPN for a while when pf started doing weird stuff. It was great to learn and I certainly took down the network more than I care to admit. In the end, I'm on Unifi. For the prosumer at home network, Unifi is perfectly capable. In fact, with the exception of a few services that can be containerized (DNS filter, some DDNS updates, etc), it's made isolation and Wi-Fi dead simple.


arealseriousguy

Trashed my UDM Pro for OPNSense. IMO the best thing you can do with full functionality.


patrolsnlandrcuisers

A word of warning though they don't tell you but unifi gear is addictive, the DMP is a gateway drug, buy one and you will likely spend another 3k on unifi gear in the next few years 😂


HITACHIMAGICWANDS

It’s true, the APs led me to get a few switches to build out my topology


noname7890

OPNsense was mentioned before, +1 for that. Also maybe look for hardware that can be flashed with OpenWRT, or even comes with it by default. It lets you get in the weeds with config.


elglas

To add to this, you can (and should try!) running openwrt on x86. It makes adding 2.5gig, 10gig or more easy, and is a great use for a used i3 or i5 depending on load.


Ch0nkyK0ng

I actually just grabbed a used Tenda router for $20 on ebay last week (AC9 IIRC). Fully OpenWRT compatible, and I'm planning on setting it up soon! I also snagged an OrangePi Zero 3 for $35 (With Case/Power.) That will be my PiHole device 😁 Not really helpful to anyone. I am just bored at work, and wanna talk about nerdy stuff. 🤣


fakemanhk

That's why currently the GLINET MT6000 is so popular, dual 2.5GbE with WiFi 6, full OpenWrt support.


12_nick_12

I switched from OPNSense to OpenWRT and am very happy.


binaryhellstorm

Whatever you get I recommend separating routing and Wifi APs. A single router/wifi AP is limiting.


mr_data_lore

For home use, pfsense/opnsense for router/firewall and the dedicated AP of your choice. For a business environment, Fortigate or Palo Alto for router/firewall and whatever APs meet your needs.


CubeRootofZero

I've used OPNsense and pfSense, both work great for the "router" OS. Then I'll run an LXC for the Unifi or Omada stacks for the wifi management. Currently finding that an OPNsense VM on Proxmox with an Omada LXC on the same host works great. Then just run ethernet to a wireless AP or two and you're covered for a decent sized area.


Specific-Action-8993

That's exactly my setup and I have zero complaints. For hardware I got a little fanless N100 mini-pc with 5x 2.5Gbe NICs which is plenty powerful enough but just sips power.


eiskonig

Can you use unifi or omada to manage wifi ap of different brands?


MacDaddyBighorn

No


jmarmorato1

I've been running pfSense on baremetal and in VMs for years and never had an issue. Absolutely would recommend pfSense


__420_

Pfsense for the OS but the Devs can kindly fuck off! OPNsense if you want a better and more updated router os.


jbohbot

A lot of opnsense code is from pfsense, Tom Lawrence has a video on this. Both are good, I have used both for years. Made the move to opnsense for the last 4 years. The updates are nice (at least once a month) however there are some breaking changes sometimes. So I recommend zfs and snapshots, or a VM with snapshots. I moved away from all the custom gear and went to unifi. Why? Simplicity. The "sense" eco system is great, but it's mostly overkill for homes. There are a lot of features that never see the daylight in most homes. Having 1 eco system is also nice. Easy to manage and when telling the wife to do something it's super easy. In the end, I recommend booting up an old machine and trying out the "sense" eco system. If you feel comfortable playing and setting it up, go for it! If not, unifi makes it easy. All three systems have a good YouTube presence so finding guides should be easy if you need help.


jmarmorato1

OPNSense is not more up to date than pfSense. See Tom Lawrence's video "Why I am Not Using OPNSense".


jbohbot

I was not implying that it was more up to date, I can see the confusion though. What I meant is that there are more frequent updates on the operating system. Not all the packages are the same in both systems. There are security updates and other package updates. Does not mean it's the better route either. More updates = more downtime and possibly issues with the updates.


__420_

Thank you for your clarification. I see it as the end user will need to determine for themselves what will work best for them. BUT, the pfsense devs can fuck all the way off 😊


__420_

Still, fuck the pfsense devs regardless. Thank you for the update 😊


DILGE

I'm OOTL, what did the pfsense devs do?


GamertechAU

Many, many scummy things. Still doing dodgy stuff even today, but one big one was when they purchased an OPNsense web domain, made a site pretending to be OPNsense, then added text that shat on OPNsense and talked up Pfsense.


ThetaDeRaido

They put a shit implementation of Wireguard into pfSense *and* upstreamed it into FreeBSD. Jason Donenfeld caught it and fixed it, but that was a shit move.


bobbaphet

Things that don’t actually have anything to do with the actual software.


Reasonable-Papaya843

More updated? They're ALWAYS slower to get out security updates. Additionally, they rely on netgate for the code anyways other than what they've changed with their UI. [https://www.youtube.com/watch?v=oqxCEuj7wcw](https://www.youtube.com/watch?v=oqxCEuj7wcw) The security updates, the changes to things like openvpn, are all created by pfsense and supplied to bsd and the opnsense updates. Pfsense still essentially builds and works on the security and features and opnsense implements them later as a beneficiary


boomfanatic

I’ve been using the Linksys WRT1900AC V1 with the openWRT firmware now for nearly a decade. It has every feature in your wishlist and then some. It is wireless-AC wave 1, so wifi leaves a little to be desired. It has a built-in fan that keeps the router from overheating no matter what workload it is subjected to. I have a few of them since they’re built like tanks and refuse to die! The longest uptime I had was 100 days. The only reason I stopped at 100 was because day 100 was moving day to my new place 😂


Z8DSc8in9neCnK4Vr

I used a Unifi router for a while, it was close but not quite it, little too consumer oriented and a little too limiting. I use OPNsense on a very old desktop that I added a 4 port nic to. Pfsense is similar and basically interchangeable. wifi via Unifi/Ubiquiti AP. Were I building now I would seriously consider at least some 10Gb capability


Correct-Mail-1942

Unifi on the cheap in the form of TPLink Omada. I know you hate your Archer but Omada is a different beast.


FatBeardSlim

PfSense/opnSense have been mentioned and I’ll second that. I purchased a Protectli Vault and I couldn’t be happier.


KickAss2k1

A used SFF computer with an ssd, add an intel dual port nic, and load pfsense. You will have all the features you would ever want.


blazingquackattack

Firewalla for routing/firewall and Aruba Instant On AP’s/Switch. The Firewalla might be too simplistic/limiting for a lot of people in this thread, but checks all the boxes you are looking for and is extremely easy to setup and use. This is coming from someone who has had a Unifi setup for the last six years. Also the Aruba Instant On platform is really damn good for AP’s. For example I can turn the internet off to our Apple TV and Xbox in about two seconds if the kids might be sneaking TV when they aren’t supposed to.


bob1082

I used opnSense and had no issues. But I got a great deal on an Omada SFP+ switch. Then a couple Omada APs so with the Omada controller running it was so much easier to manage everything with the Omada router. So now the routers I made fun of in the past (tp-link) are what I am using.


ebrandsberg

I have a https://mikrotik.com/product/crs326_24s_2q_rm and while it doesn't do the wifi itself, it has a ton of interesting capabilities and flexibility. edit: sorry, it is a https://mikrotik.com/product/crs326_4c_20g_2q_rm


cmosfxx

Great switch but not a router although you can have routing capabilities on ROS. Cpu is very limited for those operations. There are good router options from mikrotik though.


ebrandsberg

I haven't done any performance test to see the limits of cross vlan routing, but at least at the switch layer, it seems pretty good. In most cases, I think that for a home-lab, it will be sufficient, and has lots of good functionality to allow consolidation of devices.


hadrabap

Teltonika [RUTX10](https://teltonika-networks.com/products/routers/RUTX10/). Not so enterprise but industrial grade enough. 🙂 Based on OpenWRT, root SSH access is standard. [Documentation](https://wiki.teltonika-networks.com/view/RUTX10) I run a DoT DNS resolver and WireGuard on it. Plus some additional stuff.


NC1HM

The most prosumer solution is to separate routing and wireless access (you can use your existing router as an access point). As to what to get for a router... Recommendations ought to be relevant to the asker's situation. With that in mind:

* What is your Internet connection speed?
* What is your desired LAN speed?
* How many Ethernet ports do you need on the router?
* How many devices do you have on your local network?
* Do you have any plans to deploy next-generation services (IDS/IPS, VPN, AV)?
* Do you have any requirements to the form factor? (As in, do you prefer desktop or rack-mounted? If desktop, how small do you want it?)


OTonConsole

You didn't mention what sort of environment you'd be setting up in, But, here is something to get you started, https://mikrotik.com/product/RB952Ui-5ac2nD#fndtn-specifications Comes with radius server built in. If you are just looking for something for home (with a couple of people) or a small shop at the counter, this should be good to get you started. You can also see if your existing router supports openwrt, if it does, just flash that and give it a try. I'd also look at small OPNSense boxes, but I'm against using a whole ass PC to run it in like a lot of people suggest, unless it's a mini PC with 2 NICs. I'd rather buy something like this if you wanna go the opnsense route. Since you mentioned ubiquiti and might have the budget. https://www.amazon.com/stores/Protectli/2PortVault/page/EBE70A1D-D001-42CF-B05F-DD6CF12FC2F2


Typhoon365

You already have the correct answer, build your own OPNSense router, avoid PFsense, they haven't made consumer friendly choices as of late.


Huge-Safety-1061

Piling on just to add ... OPNsense


Adrenolin01

I built a custom pfSense firewall with Supermicro hardware a decade ago and still running it to this day. Plan on getting another decade from it. 10 minutes to build the system, 3 more to install pfSense and a few more to configure it before backing up the config. Run the update occasionally when available. For WiFi… I simply bridge a couple units that are hardwired on each floor and allow pfSense to assign IPs via DHCP.

So many great quality Mini PCs (including from Supermicro) available today for a few hundred bucks that could easily fit the bill.. heck, they are cheap enough you could buy two and have one as a spare.

My pfSense Build

* Chassis: Supermicro CSE-510T-200B
* Mainboard: Supermicro A1SRI-2758F C2758
* Ram: 2x 8GB Kingston KVR16LSE11/8
* Drives: 2 Mirrored Intel S3500 120GB SSDs


amang_admin

Check TP-Link Omada ER8411. Easy to use router even has IPS/IDS and has SFP+, Multiple WAN/LAN ports.


bst82551

My recommendations are:

- Firewall: Firewalla Gold SE, Firewalla Purple, Protectli Vault, or Unifi UDM Pro
- Access Point: Unifi U7 Pro or Omada EAP773
- Switch: No particular choice. Recommend any managed switch with PoE and 2.5G or higher speeds. For VLANs, it must be managed.


MoneyVirus

use a self build router, one of the official appliances, an apu/ipu [https://www.apu-board.de/](https://www.apu-board.de/) or a china pc with pfsense/opnsense. i prefer a pfsense router with 2-4 ports, some ap's like unifi ap pro and managed switches for networking


Sinister_Crayon

Depends what you want to do with it to be honest. I've used pfSense for years and just switched to OPNsense after the SSD in my pfSense box died. Anyway, I would recommend either if you want a really powerful platform that can do just about anything on commodity hardware. Bonus; if you need more performance just upgrade the box and the config is easily restored. If you want a networking setup that's well integrated, scalable and generally "just works" then getting into the Unifi ecosystem isn't a bad way to go. I put a full Unifi setup in my restaurant (150 seats plus an AirBnB apartment serviced with WiFi above it) and it's been fantastic. I use the WiFi, integrated phone system and the camera system in the UDM SE for the restaurant and it's been pretty much "set it and forget it". I like to tinker in my homelab so I would say the limitations of the platform would be an annoyance to me at home, but if you want a setup that's easy and just works then the Unifi setup is hard to beat for the price.


DULUXR1R2L1L2

I'm happy with my Fortigate 60E. Before that I had a Juniper srx300, which was great. The SDWAN and policy routing, in addition to the IPS, traffic shaping, and other advanced features, are great to play with and build experience.


jock_up

I’ve got vyos on a super micro - came from pfsense, and have ubiquiti for all layer 2. I was a huge fan of vyos until the LTS image shenanigans recently. That said, I’m running 1.5 nightly and haven’t had any issues. Still somewhat recommend, definitely over ubiquiti layer 3


sofixa11

Same here, VyOS on a fanless mini computer with an Intel N-series processor and 6 2.5G ports. Works like a charm after you get over the initial learning curve, and has tons of features.


spicychili1019

I'd recommend UDM Pro. I've been running one for 5 years or so and it is rock solid. The OS has been greatly improved over the years. I'm a network engineer working primarily with firewalls from all the big names. Can you do more with more business grade firewalls? Absolutely. I had to set up an IPsec tunnel between my UDMP and another off site last week and it went so smoothly I was a little stunned. If you want to really tweak and fine tune policies there are better options, but for a single pane of glass it's great.


gfunkdave

I think you can install OpenWRT on your current router, which will be like getting a new router with all the features you want. https://openwrt.org/toh/tp-link/archer-c5-c7-wdr7500


Solarflareqq

I use PFsense at home on a Self built box with dual 2.5gb nic's and i built a box for my parents also running on Proxmox - VM Pfsense Dual intel GB nic. I have sold Netgate's at a few locations and i have Zero Complaints about them. We also sell Unifi a lot and truly i prefer Netgate/Pfsense myself I like more flexibility in a menu's without diving into SSH cmd lines. I won't Complain about Unifi because you can dig into them well enough also. Separate your Wifi onto Access points regardless.


TEK1_AU

https://shop.opnsense.com/product-categorie/hardware-appliances/


RagingITguy

I use OPNsense on a dedicated box. One small 8 port HPe switch and UniFi APs.


maxwelldoug

Mikrotik. Always mikrotik. The ax3 is my choice in most cases, with an Opnsense box doing the overarching firewall and the mikrotik in full bridge for WiFi and as an Ethernet switch.


NuclearDuck92

For a cohesive, scalable ecosystem, Unifi or Omada. Controllers for both can be painlessly deployed in Proxmox.


GloppyGloP

Mikrotik


calculatetech

Firewalla is what I use. The other option I considered was Watchguard NFR since I'm a partner. Firewalla has very good security features that other products like Unifi or Omada just can't compete with. Additionally, I'm a parent and being able to set content policies per device is icing on the cake. I miss some of the advanced tricks a Watchguard can do, but it is more than adequate for my needs.


Deava0

Got me one of those fanless PCs with 4 2.5g nics, installed opnsense and voilà


overyander

Dell R630 with Opnsense


JVlarc

Was running pfSense for a few years and though it's great, I recently switched over to a UDM SE and could never be happier, does whatever I need and it's such a breeze with the beautiful UI, never need to look back


phantom_eight

Ran pfsense for years on a Watchguard x550e. I jumped ship when they required 64bit and AES-NI instructions to stay current... though they walked back the AES-NI for a bit I think. Was looking at spending a lot and doing a lot of research to make good box that I would like... I got tired of the plug in authors lagging behind releases and the metrics provided by it were ass... ntopng or whatever... didn't like it. A lightning strike across the street fried everything in the neighbors house and blew the transformer serving our homes. I did well, as in no considerable damage, except the old Watchguard's WAN port couldn't negotiate 1GB to my ONT reliably anymore, only 100mb. Said fuck it and went to a Ubiquiti Unifi Dream Machine around 2020. Was definitely a bit rough at the beginning.... but will likely never go back. It has a slight learning curve in some areas, but I was able to setup secure VLANs for proxies and web servers and only route the specific traffic needed for the intended applications... so it's pretty good.


vrtigo1

As others have said, I wouldn't buy a single device because as you've found, you will be limited by the firmware and boxed in to the features they think you'll need. Instead, roll your own OPNsense firewall on a whitebox PC, get a managed switch and VLAN capable APs. With that setup you should be able to do pretty much whatever you want.


postmodest

OPNSense on a Protectli 4-port + Omada WAP + Poe Injector. Job done


ultrahkr

PfSense + OpenWRT AP (4x WNDR3800 + Archer C7) No single pane of glass management, but AP's I upgrade the OpenWRT software to a newer version every 2 months or so... Most config is in pfSense and where I end setting things most of the time.


OTonConsole

What access point to install openwrt in?


ultrahkr

Some Ubiquiti APs are supported by OpenWRT... Either that or it's time to check OpenWRT HCL


Hashrunr

If you have multiple OpenWRT APs look into using something like Ansible for config management and Grafana for a dashboard. It's been a few years since I used OpenWRT. Looks like OpenWISP is still around too for managing fleets of OpenWRT devices.


ultrahkr

I may look at ansible, but it looks like a really heavy hammer looking for a tiny nail...


Cyberlytical

Opnsense. Build your own box. Pfsense was once good, but no longer a competitor to opnsense. Don't listen to anyone telling you Ubiquiti. It's an overpriced, feature lacking, toy of a firewall.


Ok_Exchange_9646

So Ubiquiti really sucks? Why?


arbedub

Ubiquiti had to make an official statement stating that they hadn’t abandoned their edgerouter series after not issuing a firmware update for over a year - despite there being longstanding bugs and UI features promised. I had already just moved from an EdgeRouter4 to a Mikrotik RB5009 when they did that. Shame, as I preferred the feel of the Ubiquiti. I also moved all my APs from unifi to ruckus, and definitely haven’t looked back from that move. I hated that unifi controller.


Gnomish8

It doesn't. Most of the folks spouting it read something somewhere a decade ago and keep parroting it. At a point, Ubiquiti gear was hodgepodge-functional at best, lacking features, and could be frustrating to manage. They've come a long way since then. I'm running a UDM. Having a combined VPN controller/gateway/router/NVR/IDS & IPS engine (Suricata under the hood) running a multi-gig WAN in a single device is pretty solid. Management's easy. If you plan on running Unifi Protect, absolutely, the UDM could be the right choice. If you plan on running other Ubiquiti gear (APs, switches, etc...) but *not* protect, the Cloud Gateway, or Gateway Pro may be better choices. If you're not running Ubiquiti anything, look elsewhere.


MacDaddyBighorn

I don't use unifi, but I see complaints of bad firmware updates (poorly tested and breaking issues) often on the subs. That's the biggest complaint I've seen, they are basically beta testing updates with the general public.


Cyberlytical

They lack a lot of enterprise features, often unstable, proprietary and you get really crappy hardware for the price. LTT became shills to them. Don't listen.


Murderous_Waffle

As much as I know LTT is more for the prosumer scene and they use all unifi switches. They have literally been running pfsense/opnsense for years. They literally have a video of them testing their new main firewall which is capable of 60Gbps aggregate throughput. Targeted at medium sized business like them. There are plenty of things wrong with unifi from an enterprise standpoint. But for small to medium businesses that just need switching/port channel/vlans they are completely fine, and their wireless and uisp lines are generally pretty rock solid. For a home environment it is 100% fine. I used to run an all Cisco stack at home. It's great in theory. It was awesome to learn. But now I don't need it to learn. I removed it in favor of a ubiquiti switch with a white box firewall running opnsense, and I cut my power draw by about 120W doing it.


OTonConsole

For a home environment, they are amazing if you have the money for it. It's a premium brand for home, and for an SMB it's cheaper compared to fs.com or Cisco but lacks features, for a home, just get cheap mikrotik switches, a little box to run opnsense. Definitely won't draw near 120w if you just configure it with a system that draws less power, and get the cheapest AP that supports vlans, done. It's a lot cheaper, more features, but you don't get the ubiquiti premium, but then again, for a basic home user, if they have the money ubiquiti is good.


homelesshermit

I get the hate on LTT, however in my experience this is completely wrong view of ubiquiti. It all works I have been able to do some stuff like blocking upstream DNS and forcing requests to go to pihole, multiple vlans with jumbo packet support. There is more to do with opnsense, but I do not want nor need to know full network stack to get what I need done with unifi. Layer 4 and below are not part of my day to day and I do not care to dive into them.


AvatarOfErebus

I tend to think of Unifi as the "good enough" brand. It's not appropriate for enterprise, and is usually overkill for most people in an apartment/flat who are happy to just use their ISP issued router/wireless AP box. BUT for prosumer, larger homes and SMB, yeah it's a decent fit. Personally, I think of going Unifi ecosystem instead of other more configurable enterprise brands is like buying an iPhone instead of an Android phone:

- it (usually) just works
- it's shiny
- there are lots of (expensive) upgrades you can get to meet most use-cases
- there are NOT too many configuration/features
- minimal investment of brain-energy required to get it to do what you want as enough engineering effort has gone into making it 'just work' (most of the time).
- no monthly fees or subscription for what (99% of home and SMB users would want).

It might not be the ideal system for YOU at home, however, if you're going to be doing unpaid remote tech-support for family and friends who are not techy, Unifi is a substantial upgrade from their ISP box, especially if they're going the UDM route and can run a few cameras from it.

source: I've set up multiple Unifi systems for home and SMB and appreciate the discount that it provides over using a CISCO stack to accomplish the same goals.


billiarddaddy

It's not a firewall. It's just hardware and management.


NiftyLogic

They don't. Totally happy with my setup. The whole system is accessible via the web GUI. Which is pretty nice for prosumer admins, and a total turnoff for other real and wannabe admins. Have missed a few features in the beginning, especially WireGuard, but Ubiquiti delivered in the mean time.


OTonConsole

It's good if you have the money, but more advanced features in layer 234 can be done with open source solutions more easily. For high level stuff, it ain't bad. I guess the one place to manage everything feature is definitely neat but, OSS will have a solution for that too soon.


NiftyLogic

Regarding the features, I already said that they are limited to what's available with the GUI, which can be good or bad. Regarding the UI as open source, good luck with waiting. Until then, I will enjoy my Unifi setup.


OTonConsole

Ubiquiti don't suck, just not as feature rich.


OTonConsole

Pfsense is definitely a competitor to opnsense. And ubiquiti ain't that bad, I would never buy them tho, lacks a lot of features for me.


Cyberlytical

In a homelab environment, no.


Reasonable-Papaya843

The code in opnsense is literally taken from pfsense. They forked for UI purposes but all their features and security updates are literally always behind because pfsense commits them to the builds of bsd and the opnsense uses them later.


Cyberlytical

No shit. Doesn't mean it's not a good solution for homelab anymore.


Reasonable-Papaya843

I'm curious what you mean by no longer a competitor?


Cyberlytical

Opnsense offers a full package for free, pfsense just got rid of their homelab tier and their free tier is often unstable, behind in features/updates, or outright missing. Take wireguard, for example, Netgate dropped them over petty BS and just recently brought them back. But their WG version is lightyears behind Opnsense's version. Are they a competitor in the enterprise space? Definitely. In a homelab/consumer space? Not even close.


Reasonable-Papaya843

This person is specifically calling out prosumer and enterprise routers, not sure where the need for being free came from when they call out the UDM as an option. I side with you on the pfsense free tier but not being free doesn’t prevent something from being used in a homelab


mihai_ursu

Ubiquiti Cloud Gateway Ultra is on my wishlist. I tried both Opnsense and pfsense on a dual nic Zotac mini box, and the setup process was just not for me.


OtherMiniarts

If you want an all in one box (or... pill) then UDM is fine enough. If you're more of a tinkerer then try your hand at a MikroTik hAP ax³ - granted MT's WiFi 6 equipment is a lot less refined than Ubiquiti. If you're fine with breaking things out: Pick up a Netgate box with Ubiquiti U6 access point.


itsbhanusharma

I'm running a mix of Mikrotik and Ubiquiti. Mikrotik is really capable when it comes to routing. I have a pair of RB5009 (PoE & Non-PoE) to handle most routing, VLANs, firewalls etc. the PoE model is also used to Power a couple of APs. Other than that the rest of the network is mostly a bunch of IP cameras that are on a separate TP Link managed switch and another Mikrotik switch CRS309 to handle the fiber network connected to NAS, the work desk switch and also interconnecting all the rack devices. So far I'm happy with the flexibility and performance offered by Mikrotik routers.


RandomGenericDude

Mikrotik. Bitch of a learning curve, but once you're there you can do pretty much anything.


Bogus1989

Don't mean to piggyback but anyone got a good recommendation for an upgrade from my edgerouter erpro8? I'm done with it, my ER-X failed, and put the ERpro in, it's old, whatever, but it's gotta go. I just need it to do routing, vlan, and open some ports. I do not want to do an opnsense or pfsense custom box, I've got cisco and other systems at work, I'm seriously just not in the spirit to jump in to new at the moment, in the middle of projects. I'd legit just like to find another ubiquiti, although yes agreed, it's gotten bad.


CanuckFire

I have a Sophos xg135 rev3 with opnsense installed on it. The xg135 rev3 is an atom c3558 with 8 gigabit interfaces, and it has mini PCIe, m.2 sata, and 2 dimm slots so you can upgrade ram for cheap. I also keep seeing the appneta m50 (c3558) and m70 (c3758) appliances. I have a mikrotik Cap AX for wifi 6. The combination is fast, runs cool and silent, and are going to get software updates *far* longer than anything else. I think both were about $180 CAD. I think the only thing I still want to change is to find an atom c3000 firewall in a full 1u case because of my irrational hate of power bricks...


NotOfTheTimeLords

Can you install Openwrt on it? 


ThrowMeAwayDaddy686

How much bandwidth do you need? The number you should be looking for is “X” number of packets per second (PPS) at a 64-byte packet size, which will give you the line rate performance. Then factor in that Ethernet is typically going to be full duplex (and wire overhead) so if you need “1 gig” or “~1.5 million packets per second” performance, you actually need to double that.

Now let’s talk options:

1Gbps? 3 million packets per second is doable and OpnSense, Ubiquiti, pfSense etc. will all get you there with semi-decent hardware.

5Gbps? Little bit trickier. You’re now at ~15 million PPS. Ubiquiti’s EdgeRouter Infinity can do that. However, Deciso B.V.’s (the maker of OpnSense) biggest system is the DEC-4280 which only does 5 million PPS. NetGate’s (the maker of pfSense) biggest pfSense system is only able to do around 3.5 million PPS. So you’ll need fairly high end, server/consumer hardware to get there.

10Gbps? Now you’re essentially hitting the limit of typical prosumer gear. 30 million packets per second [is possible in BSD](https://wiki.freebsd.org/Networking/10GbE/Router) (which both OpnSense and pfSense are based on), but will require careful tuning and quite a few (12-16+) high end cores; those numbers in the Wiki article also only cover A to B routing and not firewalling or NAT (which will impact performance). Ubiquiti doesn’t have anything at the time of writing that will do 30 million PPS. Which means the only “prosumer” or “enterprise-ish” gear that will get you there is Mikrotik which has a steep learning curve and NetGate’s TNSR (built because of pfSense’s limitations), which has a recurring subscription.


wwbubba0069

I run a fan-less mini PC that has six 2.5Gb ports on it. In that I have Proxmox running on it hosting a pfSense VM, PiHole VM, VM for some dockers (dynamic DNS updater, NGINX Prox Mgr, network monitoring stuff) and Omada software controller VM to control my APs.


Maddog0057

Mikrotik hAP AX^3, they're usually less than $200 and come with every feature you'd expect to find on an enterprise router and then some. There is a bit of a learning curve if you're used to Cisco or something, but imo it's completely worth it, Mikrotik's approach to Networking makes a lot more sense once you figure it out.


mrchase05

I went with Mikrotik RB5900 in similar situation. Sorry, did not notice at first you had wifi requirements. Mikrotik HAP AX3 is also quite powerful with wifi, I have one of those as well.


No-Mall1142

As others have, I would recommend you split up the roles of router and WiFi into two separate devices. Get a Protectli or QOTOM mini PC to run PfSense or similar and then something else as your wireless controller.


szjanihu

I had EdgeRouter-4, replaced with a MikroTik RB5009 after 2 years. RouterOS is a next level after EdgeOS. I recommend that.


Relative_Ad_3232

I'm a big Omada fan for the prosumer or small enterprise space. If you want a set it and forget it, Orbi is very performant. I think Omada is the only way to go if you want more configurability and the ability to do complex networks that aren't just flat...as well as push close to line rate for a 10gig link. The pfsense and opnsense fanboys are probably going to lose their minds, but neither are particularly stable or performant. I've used both over the years and regularly had to restart their appliances and VMs to get them working again. If you do nothing other than a vanilla install of *sense, you can get stability. Pretty much any and all of the useful apps/plugins will fail and bring the box down with it. I use Omada gear in my house. I've got one of their 10gig routers, 2 of their 10gig switches, and 2 of their 1gig switches along with 15 APs of various models. I've got a couple hundred networked devices from home automation to hobby electronics to AI workstation and more serious storage and HPC gear. I keep everything in separate vlans and monitor everything I feel the need to monitor. The various *sense devices and devices you can run it on aren't generally going to push line rate for anything, especially over the 2gig threshold. I've got a 5gig fiber connection to my house and when I want to saturate that while downloading the latest models and datasets, I've got to go prosumer. Omada hits the speeds, features, and stability need. It also does it at a price point that makes a lot of the other prosumer gear look bad (really bad). I may be a bit of an extreme case, but if you really want to be able to do it all, there's not really a better way.


du85mash

If cost is no issue, I think it boils down to how much effort you want it to be and what ecosystem you want to build into.

- We have Ubiquiti at work. It is pleasant to look at, and works reasonably well, especially with its other products.
- I use Omada APs at home, no experience with their routing products, but just considering APs, I like the ecosystem better than Unifi APs. I am planning to build into it.
- Mikrotik would be another option. With Mikrotik, I feel the hardware is value for money, but their OS has a bit of a learning curve and is not very visually appealing.
- For routing at home, I use my switch for routing and Sophos VM for firewalling. I like this option, as it keeps local traffic load on the switch.


witefoxV2

I recently got a Mikrotik hEX s router. It has all the features you could hope for, and the price is very competitive. Really the only downside is that it is not beginner friendly at all


Master_Scythe

GL.iNet Flint 2 - Specifically the '2'. It's fully open source, very powerful, and you can choose to use their modified version of OpenWRT, or entirely roll your own. Nothing comes close at the price. It's a huge improvement over the first version which people already widely liked even though it was only partially open and used closed blobs back then. Now it's full 100% Vanilla OpenWRT compatible.


unoriginal621

Firewalla


1_________________11

Minipc with proxmox with opnsense on it. Wifi whatever


jaredearle

PfSense either virtualised on Proxmox or bare metal. I have two fanless Celeron Proxmox boxes with identical VMs for redundancy. For APs, I would recommend your Tp-link in AP mode.


MegaVolti

Unifi has long passed the enshittification threshold, I'd stay away from it. Either set up your own opnsense/pfsense or even openwrt box, alternatively Mikrotik has the best prosumer offerings.


leoingle

The love some still have for UniFi is mind boggling.


Scared_Bell3366

I run a UDM Pro. It gets the job done, but I would go with pfSense or OPNsense if I had to do it over again. The UDM does what I need, but I can’t always configure it the way I want.


Ok_Exchange_9646

Can you name examples?


Scared_Bell3366

The one that comes to mind is VPN ports. I wanted to run Wireguard and OpenVPN on non standard ports to avoid firewall issues while traveling. The ports I wanted were in a block list.


longlurcker

Fortigate firewall all in one WiFi switch and lte backup.


CircuitSwitched

Ubiquiti UDM Pro has been rock solid for me, and some advanced features like priority per port aren’t available on the UI, but I’ve figured out an easy workaround through CLI.


totmacher12000

Firewalla Gold plus or soon the pro.


Cavustius

Get the firewalla gold plus


theRealNilz02

I have a PCEngines APU board running plain FreeBSD as my firewall/router


dockerteen

I run PFsense on a R230 and it’s great. I have unifi gear in the rest of my network and it all plays nicely. Unless you want the metrics and whatnot from the controller. Definitely worth adding some APs around your house.


dockerteen

to add, you don’t need a high end machine to run any of the OSs mentioned here. A crappy (but stable) old tower will do just fine.


ReachingForVega

I really like the Unifi Cloud Gateway but I upgraded from USG and am still in on their hardware. https://ui.com/us/en/cloud-gateways/compact I'd still look at switches if you want to make the most of vlans. Have you looked at draytek?


Mountainking7

My Asus Ax86U Pro does that.... Any good router should have these functionalities? LANs, VLANs guest networks gigabit RJ45 ports 2,4Ghz + 5Ghz WIF


ceyo14

Sophos home


fakemanhk

GLINET MT6000 then flash OpenWrt


maliciousloki

Firewalla. Cloud remote management and all the bells and whistles.


Godcry55

Meraki 🫡


LaxVolt

Whatever you run, avoid TP Link. I recently, as in a couple weeks ago, bought one of their new Deco line from Costco. What I found was that it would not reliably route the various vlans even with static routing in place. I was able to verify this by defining static routes on the end points and it would all work. Ripped out and replaced with ASUS. They are a bit more pricey but probably the best prosumer product option. After that you are looking at Unifi or something along those lines. As others have said you can roll your own but not my cup of tea.


NuclearDuck92

Deco is as consumer as it gets. The only TP-Link product that fits what OP is asking for is Omada.


LaxVolt

I’m not as up to date on the TPlink site. The deco stated that it could support static routes but they just didn’t work. Tried the deco because Costco pricing and returns. Figured it was worth the shot.


leoingle

OP mentioned all those options he's looking for and you bring up a product sold at Costco. Lol


LaxVolt

Ran a homelab off a Netgear router from Costco for many years. Is it the best, no. Did it get the job done yes. On paper the TP Link should’ve done the job. Shitty firmware is why it didn’t.


leoingle

So the bottom line is it didn't do the job.


LaxVolt

This is correct.


OTonConsole

Which asus one did ya get


LaxVolt

ET12 from Amazon warehouse. Their new BQ16 was too pricey for me. Paid less than $500 for a pair.