I have been using opnsense on a very cheap celeron nuc for a few years, very happy with it
I can second this, I've been running OpenWrt on an old office PC for many years and it has been performant, flexible, and most of all reliable; it just works.
I personally would flick through the OpenWRT supported devices and pick the best supported device with 802.11ax.
How much bandwidth and flexibility do you want? OpenWRT is what I use on consumer hardware but many people here also swear by custom hardware with opnsense
swear by custom hardware with opnsense
...which is completely unnecessary and overkill for most people, even those with home labs, since OpenWrt can do it all.
Homelab is a hobby, and like other hobbies, people actually love doing the "unnecessary and overkill" stuff.
I thought "unnecessary and overkill" is our actual name, and selfhosting is just a nickname
I won't disagree but not everyone is the same
How much wifi and open-source do you really want?
If you are willing to go with commercial hardware + open source firmware (OpenWrt) you might want to check the OpenWrt table of hardware at https://openwrt.org/toh/views/toh_available_16128_ax-wifi and https://openwrt.org/toh/views/toh_available_864_ac-wifi. One solid pick for the future might be the Netgear WAX2* line or the GL.iNet GL-MT6000. One of those models is now fully supported; the others are on the way. If you don’t mind having older wifi, a Netgear R7800 is solid.
For a full open-source hardware and software experience you need a more exotic brand like this https://www.banana-pi.org/en/bananapi-router/. The BananaPi BPi R3 is a very good option with a 4 core CPU, 2GB of RAM, Wifi6 and two 2.5G SFP ports besides the 4 ethernet ports. There’s also an upcoming board, the BPI-R4, with optional Wifi 7 and 10G SFP.
Both solutions will lead to OpenWrt when it comes to software. It is better than any commercial firmware, but be aware that it only supports wifi hardware with open-source drivers such as MediaTek. While MediaTek is good and performs very well, we can't forget that the best performing wifi chips are Broadcom, and they use hacks that go beyond the published wifi standards to get it to go a few megabytes/second faster and/or improve the range a bit.
DD-WRT is another “open-source” firmware that has a specific agreement with Broadcom to allow them to use their proprietary drivers and distribute them as a blob with their firmware. While it works, don’t expect compatibility with newer hardware nor a bug free solution like OpenWrt is.
There are also alternatives like OPNsense and pfSense that may make sense in some cases, but you most likely don't require that. You've a small network, and OpenWrt will provide you with a much cleaner open-source experience and also allow for all the customization you would like. Another great advantage of OpenWrt is that you've the ability to install 3rd party stuff on your router; you may even use qemu to virtualize stuff like your Pi-Hole on it or simply run docker containers.
I've been very happy with Opnsense running as a VM on both ESXi, and now Proxmox. Lots of configuration options and able to setup some complicated firewall rules easily.
Also opnsense, but on thin client.
I have a Unifi router, switch and four access points. My setup works fine. Stable.
I see other people from work say they get dropouts over the work VPN but I have no issues at all. I'm not saying the hardware is their cause, but ISP-provided all-in-one boxes are just that. An all-in-one solution.
Jack of all trades, master of none. Forcing a router reboot to get the home Internet working again has become a thing of the past since I set up a unifi router and APs.
I'd had router/WiFi combos before running either dd-wrt, open-wrt, or tomato. None of them were stable. But I suspect that was because the hardware just couldn't keep up, not because the open source software was faulty.
Adding another Mikrotik recommendation with the standard warnings -- a bit of a learning curve, although it has a default configuration that "just works". If you mess something up you can just apply the default config to get back online.
Don't buy from Amazon. For whatever reason people have problems with those units. Fakes maybe? Who knows. If you're in the US buy from streakwave, roc-noc, ISP supplies, Double Radius, or Getic (international shipping).
The RB5009 series is very good if you want something beefier with more ports.
Fritzboxes are rock stable, and support Wireguard from FritzOS 7.5 onwards, see https://avm.de/service/vpn/wireguard-vpn-zur-fritzbox-am-computer-einrichten/
(Apparently NOT the cable versions!)
What nags me most with them is that you have no separate firewall control over their WiFi, and the WiFi range is not really great. So probably consider going with dedicated APs instead.
They are quite solid but be aware that the web UI is dog slow and the menus weirdly designed.
I'm very happy with my FritzBox (7590), it handles the ADSL connection to the ISP, supports various DDNS providers, Wireguard VPN, 4 port gigabit switch (5 if you don't need the WAN port), guest WiFi with client isolation.
It also has basic media server and NAS functionality (with USB3 external hard drives).
Of course you can change the DNS server and other network controls like QOS, wake on LAN, port forwarding, different profiles with parental controls, filters, connection times, etc.
They also seem to take security seriously.
I've been super happy with Mikrotik, currently running a Mikrotik hEX S, and a Ubiquiti U6-LR for wifi, have had 0 issues, no need to reboot etc. Plenty of customizing if desired. A learning curve tho if you do want to start messing around.
I purchased the same router about 2 months ago and love it... can't recommend Mikrotik enough.
Ya, been rocking it I'd say close to 2 years with 0 issues. The old ISP modem had to be rebooted every few weeks before I had the Mikrotik and UniFi combo.... And the hEX S is super cheap to buy now!
I use an entry level router ASUS RT-AX53U with OpenWrt. WiFi 6, IPv6, Guest VLAN, DNSCrypt (DoH), Adblock, Firewall are few things I have configured with OpenWrt.
Even if you don't buy ASUS, make sure your router is supported by OpenWrt. It's a Linux distribution that runs on routers and PCs to configure home networking.
One more for mikrotik (I run the VM version on a small linux box).
I tested a ton of those (pf/opn-senses, VyOS, even Cisco), and none of the free ones can handle IPv6 in a reasonable way in 2024, which is slightly bizarre. Mikrotik has some annoyances, but it's rock solid as a router.
I don’t use its container features and instead run podman in a vm next to it. Works great.
How do you mean? IPv6 in OPNsense is working fine.
OpnSense is incapable of proper DHCPv6-PD, that's when your router receives a prefix from upstream and delegates parts of it downstream. More specifically, it does the delegation, but it doesn’t add the relevant routes, effectively blackholing the allocated prefixes.
VyOS fixed this specific bug since I reported it. RouterOS and IOS never had it.
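A check for the failure mode described in the post above (a prefix delegated downstream without a route covering it on that interface), written as an added example and not taken from OPNsense, VyOS or RouterOS. The delegation list and the `ip -6 route show` style dump are constructed sample data.

```python
"""Report delegated IPv6 prefixes that have no covering route on the
interface they were delegated on (the blackhole case from the thread).
Added example; DELEGATIONS and ROUTE_DUMP are constructed sample data."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed: prefixes this router delegated, keyed by downstream interface.
DELEGATIONS: Dict[str, str] = {
    "lan0": "2001:db8:1:10::/60",
    "iot0": "2001:db8:1:20::/60",
    "guest0": "2001:db8:1:30::/60",
}

# Constructed routing table in `ip -6 route show` format.  lan0 is fine,
# iot0 has no route at all, and guest0 only has a /64 although a /60 was
# delegated, so the rest of that block is still unreachable.
ROUTE_DUMP = """\
2001:db8:1:10::/60 dev lan0 metric 1024 pref medium
2001:db8:1:30::/64 dev guest0 metric 1024 pref medium
fe80::/64 dev lan0 proto kernel metric 256 pref medium
default via fe80::1 dev wan0 metric 1024 pref medium
"""


def parse_routes(dump: str) -> List[Tuple[ipaddress.IPv6Network, str]]:
    """Return (network, device) pairs; the default route is skipped."""
    routes = []
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "default" or "dev" not in parts:
            continue
        try:
            net = ipaddress.ip_network(parts[0], strict=False)
        except ValueError:
            continue  # not a prefix (e.g. a malformed line)
        routes.append((net, parts[parts.index("dev") + 1]))
    return routes


def blackholed_delegations(delegations: Dict[str, str], dump: str) -> Dict[str, str]:
    """Return {interface: prefix} for every delegation that is not fully
    covered by a route pointing at that same interface."""
    routes = parse_routes(dump)
    missing = {}
    for iface, prefix in delegations.items():
        net = ipaddress.ip_network(prefix)
        # A route covers the delegation only if the whole delegated block
        # is inside the route's prefix and the route leaves on that interface.
        covered = any(dev == iface and net.subnet_of(rnet) for rnet, dev in routes)
        if not covered:
            missing[iface] = prefix
    return missing


if __name__ == "__main__":
    for iface, prefix in blackholed_delegations(DELEGATIONS, ROUTE_DUMP).items():
        print(f"{prefix} delegated on {iface} but not routed there")
```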
Wireguard and DNS filtering (albeit not as fine tuned and automatic as pihole) can all be done on OpnSense
I recommend OpnSense on whatever modern low-power hardware you can get your hands on, ThinkCentre, NUC or whatever, if you are okay with a separate device for WiFi or do not need WiFi. WiFi APs can be had for as low as 20 bucks and are usually straightforward to set up, but you gotta shell out more if you want the latest and greatest connectivity.
There is also the possibility for adding WiFi directly to OpnSense but I have not even bothered touching it. If you love tinkering and suffering, that's a route you can go.
For the love of God, if you're going to install PfSense, just get OpnSense instead. It's just better.
I always use separate router / firewall and WiFi AP. That way I can upgrade WiFi to any device I like without touching the router.
what do you mean upgrade WiFi to any device?
For example, upgrade /n AP to /ax. The router may keep working for LAN connections while you are playing with WiFi.
If you’re new, something like the Ubiquiti UniFi stack is very beginner friendly and well polished.
If you’re planning to run your own hardware, the usual recommendation seems to be pfsense or opnsense on a modern lower end system (Intel N100 box for example).
Bearing in mind that a router is only responsible for routing (think directing the packets where to go). You’d also want to have access points to provide WiFi for your wireless devices. This is where UniFi stack makes it easier because you can just choose their access point hardware and control through single controller. Whereas rolling your own you’d be looking at getting something else to fill that role.
he following I am run
I second everything said here.
UniFi is a good starting place, and pfsense is good if you really want to dig in.
On one hand I love UniFi, on the other I wish I never went this route. They do make it very simple to manage a whole suite of devices. But updates sometimes feel "alpha/beta", and some more advanced stuff requires editing JSONs in the devices themselves. Also recently the battery in my Cloud Key Gen 2 has blown and there is no way to replace it without replacing the whole Cloud Key. Thing lasted like 2 years, which is ridiculous. Personally I have started to look into Mikrotik, which is a load more advanced and has a higher learning curve. But if I am forced to edit JSONs and use scripts to do some more advanced things, I might as well.
Sorry for the slight rant... just be aware what you can get yourself into.
Thing lasted like 2 years. which is ridiculous. Personally I have started to look in to Mikrotik w
Good points -- I've never run into any issues with UniFi personally.
At the time I was self-hosting the UniFi Controller on my Proxmox server for a switch and an AP. So I suppose your mileage may vary with UniFi.
As far as routers go, I've been running a pfSense for a while and it's been great. There is definitely a bit of a learning curve and it's not something that I'd recommend to someone who has little networking knowledge. Once you understand how to work with it, there is very little you can't do.
Mikrotik has popped up on my radar recently too, might have to give them a look.
Edit: Phrasing.
All I'll say is ROS script is a huge PITA.
So, making a script that takes an object of VLAN/port assignments, and running the required commands to ensure the config of the Mikrotik matches the declared VLAN/port assignments.
The best way I've seen to build/manage them is to use a compile step to go from some sane declarative config in order to build the actual ROS script to make the changes.
I just haven't got round to making that a thing.
I hope they are working on a native Python API, so I can script in a sane language, and run it directly on the Mikrotik.
Config files are easy to import/export/edit/read, tho.
It does mean you have to reset to default when you update a config file (or configure the device live, then export the config)
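The compile step suggested a few posts up (a declarative VLAN/port assignment turned into a RouterOS script), as an added example that is not from the thread or from MikroTik. It validates the desired state first, so a port accidentally placed untagged in two VLANs is rejected instead of silently merging two segments; the command forms (`/interface bridge port add`, `/interface bridge vlan add`, `vlan-filtering`) are RouterOS bridge VLAN filtering syntax, while the port names, VLAN ids and config layout are constructed.

```python
"""Compile a declarative VLAN/port assignment into RouterOS bridge-VLAN
commands, after checking it for segmentation mistakes.  Added example for
the compile-step idea discussed in the thread; it is not a MikroTik tool.
The command forms (/interface bridge port add, /interface bridge vlan add,
vlan-filtering) are RouterOS bridge VLAN filtering syntax; the port names,
VLAN ids and config layout are constructed."""
from typing import Dict, List

# Constructed desired state: ether1 is the trunk, access ports get exactly
# one untagged VLAN (their PVID).  ether4 is deliberately wrong below.
DESIRED = {
    "bridge": "bridge1",
    "vlans": {
        10: {"tagged": ["ether1"], "untagged": ["ether2", "ether3"]},
        20: {"tagged": ["ether1"], "untagged": ["ether4"]},
        30: {"tagged": ["ether1"], "untagged": ["ether4"]},  # conflict
    },
}


def validate(cfg: Dict) -> List[str]:
    """Return problems found; an empty list means the config is coherent."""
    problems: List[str] = []
    pvid_of: Dict[str, int] = {}
    for vid, m in cfg["vlans"].items():
        if not 1 <= vid <= 4094:
            problems.append(f"vlan {vid}: id out of range")
        for port in m.get("untagged", []):
            if port in pvid_of:  # a port can only be untagged in one VLAN
                problems.append(f"{port}: untagged in vlan {pvid_of[port]} and {vid}")
            pvid_of[port] = vid
        for port in m.get("tagged", []):
            if port in m.get("untagged", []):
                problems.append(f"{port}: both tagged and untagged in vlan {vid}")
    return problems


def compile_ros(cfg: Dict) -> List[str]:
    """Emit the RouterOS script lines that realise the desired VLAN table."""
    bridge = cfg["bridge"]
    vlans = cfg["vlans"]
    pvid_of = {p: vid for vid, m in vlans.items() for p in m.get("untagged", [])}
    ports = sorted({p for m in vlans.values()
                    for p in m.get("tagged", []) + m.get("untagged", [])})
    # Filtering is switched off while the table is built and on at the end.
    lines = [f"/interface bridge set [find name={bridge}] vlan-filtering=no"]
    for port in ports:  # trunk ports keep the default PVID of 1
        lines.append(f"/interface bridge port add bridge={bridge} "
                     f"interface={port} pvid={pvid_of.get(port, 1)}")
    for vid, m in sorted(vlans.items()):
        # The bridge itself is tagged so the router gets an L3 interface.
        line = (f"/interface bridge vlan add bridge={bridge} vlan-ids={vid} "
                f"tagged={','.join([bridge] + m.get('tagged', []))}")
        if m.get("untagged"):
            line += f" untagged={','.join(m['untagged'])}"
        lines.append(line)
    lines.append(f"/interface bridge set [find name={bridge}] vlan-filtering=yes")
    return lines


if __name__ == "__main__":
    errors = validate(DESIRED)
    if errors:
        raise SystemExit("refusing to compile:\n" + "\n".join(errors))
    print("\n".join(compile_ros(DESIRED)))
```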
I recently bought an x86 passive cooled box from Topton, an aliexpress merchant, that was recommended by ServeTheHome, a great youtube channel/blog that reviews all kinds of networking equipment for homelabs. Since it's x86, you can pretty much install anything on it, in my case OPNSense. I recommend you watch some of their videos/read their blogs and see what fits!
I am happy to have a Raspberry Pi setup connected to a VLAN switch. The internet is behind a modem (like bridged mode) connected with ethernet to one switch port, while the Raspi routes everything through one tagged physical GB switch port. The setup works fine with two Raspis and failover without TCP disconnections during an actual failover, only a few seconds delay when that happens, so basically VoIP calls recover after seconds, streaming is not affected, while in a game a second off might be too much already. However, as such hardware failures happen rarely, I am running only one of them anyway.
For the firewall I am using shorewall, while for some special routing I also use the unbound DNS resolver (one can easily configure static results for any record) and haproxy with SNI inspection for specific HTTPS routing for the rather specialized setup I have.
My wifi is done by an OpenWrt device, but I only use it for having separate wifis bridged to their own VLANs.
Thus this setup allows for multi-zone networks at home, like a wifi for visitors with daily changing passwords and another for Chromecast or home automation, each with their own rules, hardware redundancy, special tweaking. Everything that runs on GNU/Linux is possible, including Pi-hole, WireGuard, DDNS solutions, traffic statistics, traffic shaping/QoS, traffic dumps or even SSL interception if you really want to import your own CA into your phone and see what data your phone's apps (those that don't use certificate pinning) are transferring when calling home, and much more.
However, regarding DDNS it sometimes feels safer and more reliable to have a somehow reserved IP that would not change. Some providers offer rather cheap tunnels for this purpose. I once had a free (IPv6) tunnel at Hurricane Electric (besides another one for IPv4) but now I use VMs in data centers.
I do not see any ready product to be that flexible. However, to me the best ready router system seems to be OpenWrt: you are not bound to a hardware vendor, get security updates longer than with any commercial product, can 1:1 copy your config to a new device even if the hardware changes, and have the possibility to add packages with special features to it.
"openwrt" is IMHO the most flexible ready solution for long-term use. "pfsense" is also very worth looking at and has some similarities to openwrt while being different.
You haven't mentioned what sort of access link or speed you have, that seems very relevant here.
For my 1Gbit/s fiber connection the Edgerouter 6P has been pretty good. It has an SFP port and can route 1 Gbit/s of traffic without issue and my dual-stack setup works well too.
The only significant downside is that its switching is slow, it has no hw support. So I put my NAS on a separate subnet instead so that the traffic to it can be routed instead.
If you want to start small, I'd go with one supported by Asuswrt-Merlin, "a third party alternative firmware for Asus routers, with a special emphasis on tweaks and fixes rather than radical changes or collecting as many features as possible." Keeps it close to stock with minor upgrades, and a faster release cycle for fixes. The RT-AX88U_PRO is one of the higher end routers that is supported by Merlin.
When I reached your situation, I started rackmounting which has saved me a lot of time.
I got a 1U Dell PowerEdge R210 and slapped in a 10Gb network card. Loaded up OPNsense onto it. OPNsense was not easy to learn how to use, for me at least. Struggled to get everything running smoothly. But I am very happy I went with rack mounting instead of adding to the rat's nest.
pfSense on an old PC with two NICs should do well. You could buy dedicated hw like a Protectli. I've had one for 6 years now, no issues.
A raspberry pi with pihole running as dhcp server. In the ISP router turn off DHCP, DNS problem solved as pi will advertise its DNS to all connected devices on the network.
I always liked Mikrotik. Not the most open of routers, but the most documented and configurable I've seen, with a web GUI, SSH, or telnet.
+1 for Mikrotik.
Get one of their routers that have an Arm or x86 processor and you can run PiHole and a DDNS updater on there as containers. Wireguard support (client and server) is built in.
Even their cheapest hardware that runs routerOS has access to all the same features as their enterprise level gear.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:
Fewer Letters | More Letters |
---|---|
AP | WiFi Access Point |
CA | (SSL) Certificate Authority |
DNS | Domain Name Service/System |
ESXi | VMware virtual machine hypervisor |
IP | Internet Protocol |
NAS | Network-Attached Storage |
NUC | Next Unit of Computing brand of Intel small computers |
PiHole | Network-wide ad-blocker (DNS sinkhole) |
SSH | Secure Shell for remote terminal access |
SSL | Secure Sockets Layer, for transparent encryption |
TLS | Transport Layer Security, supersedes SSL |
Unifi | Ubiquiti WiFi hardware brand |
VPN | Virtual Private Network |
13 acronyms in this thread; the most compressed thread commented on today has 9 acronyms.
[Thread #626 for this sub, first seen 25th Mar 2024, 09:55]
I guess maybe too mainline for everyone here but I use an Asus router flashed with the Merlin OS (a painless easy process) and it works excellently. No issues setting up all the things you mentioned.
I am using a NanoPi R5S. I am using a Debian system but there is also an OpenWrt image for it, if you are not an experienced Linux admin.
Works for over a year without problems. It runs PiHole and Wireguard client on docker, ddclient, unbound and reverse proxy.
I have a mesh system made up of Asus Zenwifi ET8s, and I have been very happy with them. They have a lot of cool features, such as having a VPN server and VPN client, with the VPN client allowing me to apply the VPN to only selected devices. It has tons of customization options for those that are knowledgeable about that sort of thing. For example, I can tweak at what signal strength AP steering happens. It has WiFi 6E and 2.5 Gbps wired backhaul.
When I first got it, it was very buggy, and some features straight up didn't work. But they eventually got all the bugs that I found fixed. It's in a really good state right now.
To address your desired features, it does have wireguard. I don't know about DDNS, but it does not have pihole built in. It has adguard built in, but it doesn't really seem to do much, tbh. Then again, pihole didn't really do anything for me either. I ended up shutting off my pihole because I didn't even notice a difference.
I find DrayTek devices to work quite well.
I have had basically no issues with my setup: Edgerouter 4 (overkill, had a lower end Edgerouter earlier with no issues except the power adapter died, other hardware was fine). Some pretty basic unifi AP. As well as some cheap dumb gigabit switches. Can basically fire and forget them. Relatively easy to do most things I need on it. Never needed a reboot outside of upgrades. No stability issues, unlike basically all other home grade all in one stuff I have experienced in the past.
I can kind of recommend Firewalla. They run all open source software under the hood, but their UI is their own. I'm not super impressed with some of the decisions they've made, but it works and has almost every feature a firewall/router device needs.
Things I like:
- VPN client support with selective VPN routing. Beats having to manually maintain a routing table for a VPN interface.
- SSH access with sudo to root
- Comes with an ad blocker, but can run pihole in a docker container. I find the onboard ad blocker paired with NextDNS via TLS is good enough.
Things I don't like:
- UI is a phone app. WebUI is neutered. You will require all three (SSH included) to set up any advanced configs.
- SSH access is a pain to use.
- Firewall rule creation is kind of a nightmare. I can see what they were going for, but they missed.
- You can't easily configure the onboard IDS or ad blocker. You can dive into the filesystem if you want, but I don't wanna.