Routers

Curious

Hi,

short story long story... right now I am wondering which brand or solution is the best fit for today average non-ultra skilled linux mage user.

Enterprise level devices are not suitable.
Chepo plug and play consumer grade routers are fine I guess but not really... not regular updates, security, privacy.
pFsense, OpenWrt, Mikrotik well... great for control/privacy, terible if you have no idea.

ISP provided solutions, most of the time limited to the bone and managed by ISP

Ubiquiti? Kinda interesting middle groud, decent security, updates what I was looking but... how privacy friendly it can be with all that possible telemetry, if no accout used, cloud features, etc. but only security features like ISP etc. and no futher ecosystem?
I think it is still calling home with trafic metadata or device data etc.

Any suggestion how to solve this dilema?

Johnnyloans

Curious best fit for today average non-ultra skilled linux mage user.

Don't get openwrt

The most important spec for a router is the antenna config called MIMO

3x3 is good
4x4 is great
Higher is luxury

Asus routers have always been great with low latency and great range.

Johnnyloans

Curious

Also, check the release date of the router.

So many laptops and routers for sale are 2-6 years old.

The "new" router may not get security updates soon.

bagel

OpenWrt should be pretty easy to use after you install it, if you're not doing anything fancy; companies like gl inet are shipping routers with an openwrt fork and it seems to be going fine

the webui should be similar to commercial(consumer) routers, just hopefully with less idiosyncrasies :p

littlerack

I think OpenWRT is not that difficult unless you're up to a pretty custom config. Even their extra packages are more or less OK, like adblock etc.
Mikrotik - it depends, since a while they offer easy config wizard, but I'm not sure a basic user really benefits from Mikrotik.

So, versatility-wise, go any of those openwrt-compatible HW like GL.Inet, flash them and enjoy.

littlerack

... if you're fine to keep Chinese network equipment at home)

Unkn0wn-3nt1ty

Johnnyloans

Cant help but be pedantic here. Antennas have nothing to do with a router. For an access point/all in one device you might well be right, though.

Mikeg

Asus running Merlin firmware for me.

Johnnyloans

Unkn0wn-3nt1ty

I don't know of anyone that says:

I want to buy a router, switch, AP three-in-one.

Many people, in real life, that have questions, I'd baby it down even further:
Internet box
Internet cord

Johnnyloans

Unkn0wn-3nt1ty

Hey, apologies, OP very well might not want WiFi--you're right.

littlerack

Johnnyloans not if OP refers to Ubiquiti for non-corp use, so it's WiFi in the "router"

n3t_admin

Johnnyloans yeah and that's why OSes like OPNsense or pfSense make a lot of sense (pun intended) in the long run. You don't need to constantly replace hardware, because it runs on x86/64 and that's for as long as these systems exist. Getting and replacing an AP is a lot better than replacing the whole AIO router. You have to understand why AIOs are so popular: because 99% of people have no clue about networking. At all. You'll be lucky to find someone who knows the difference between a RJ45 and a RJ11 plug. Having the knowledge, I would absolutely recommend not going the AIO route, but building your own setup that will pretty much last forever.

Curious

Well the thing is would be nice if it is one box really for simlicity/space and as mentioned, just strong security, updates, privacy, Wifi, nothing fancy like NAS etc. all risky accesses disabled like ssh etc.

pfSense is nice I saw it but... right now there is no posibility to make dedicated setup.
Btw... question about those consumer grades routers that were released like late 2025, they should be up to date atleast a 2-3 years no?

btw about OpenWrt is there any good guide to check how to make basic but strong "lock" down setup, if we not speak about obvious stuff like remote access, yady yady yada, firewall, are there any extra stuff like IDS/IPS etc.?
Am I missing something that I am not really aware of other than standard lock down setup procedure?

n3t_admin

Curious Well the thing is would be nice if it is one box really for simlicity/space and as mentioned, just strong security, updates, privacy, Wifi, nothing fancy like NAS etc. all risky accesses disabled like ssh etc.

Strong security will almost always lead to enterprise (grade) gear. The only thing that comes close is maybe some Unifi router combos, but I really have a love-hate relationship with Ubiquiti because of their inconsistency and their general hit or miss approach with hardware.

Curious pfSense is nice I saw it but... right now there is no posibility to make dedicated setup.
Btw... question about those consumer grades routers that were released like late 2025, they should be up to date atleast a 2-3 years no?

For point one: that's a shame, but I hope you'll get there someday. I will never ever go back to consumer grade crap. It's one of the downsides once you've tasted the possibilities of a serious setup.

For point two: as mentioned, the consumer grade routers do the bare minimum for security. Nobody really gives a damn about consumers, since they are forced to use these crappy overpriced and underspecced devices due to their lack of knowledge. 2-3 years of updates for a friggin router is criminal IMHO.

Curious btw about OpenWrt is there any good guide to check how to make basic but strong "lock" down setup, if we not speak about obvious stuff like remote access, yady yady yada, firewall, are there any extra stuff like IDS/IPS etc.?
Am I missing something that I am not really aware of other than standard lock down setup procedure?

OpenWRT is a hobbyist project, first and foremost. The goal is to give a better software experience for already existing hardware or to prolong the lifespan of EOL devices (remember the 2-3 years of updates?). Its goal is not to harden anything and I am not aware of any attempts to do such things, since it's not the primary focus of OpenWRT. If you want good security for your networking gear, you really need to look at enterprise grade products and that's for the most part a split setup with hardware firewalls, managed switches and APs with VLAN and RADIUS support.

Curious

n3t_admin Well understand but... what solution is the best right now if one needs a new working router?
I went past Ubi Dream router 7 (Check it and tell me what you think) that thing is kinda decent for the fact it is all in one but... I am not really sure about their privacy policy and telemetry... it feels really intrusive but I guess that is the curse of modern "smart" routers. Obivously if there is way to make it no or minimal as possible (ideally only calling for updates) and fully run it in local mode without cloud, remote management all those fancy staff... well it could be a really decent package.

TrustExecutor

n3t_admin
You can do all that on OpenWRT. It is just Linux+musl+busybox with a very tiny kernel with small attack surface. Updating the system has become a lot easier nowadays with new tools automating the process.

There is also VyOS for enterprise environments but being Debian based puts me off a little.

Johnnyloans

Curious

2x2 mimo is very cheap
Hurts performance, quality

n3t_admin

Curious I think it's fine. If you want fine grained control with Unifi products, there's a way to self host the network controller (although note, that not all products are compatible, so check beforehand) on a home server (or even Raspi IIRC). That way you could limit the network activity on the host OS itself, if you wish. That's what I do for my AP (U7 Pro) and it's kinda working ok, although updating can be a bit of a pain.

Curious

Johnnyloans Ahh this... well trust me I have very very low standards (you know those ISP stuff)

Johnnyloans

Curious

Sorry, I edited my comment immediately after.

MIMO helps with download/upload speed even on clients that are 2x2.
Lower latency
better range
Can serve more clients with higher quality (see above).
2x2 is the bare-minimum/floor. I Think ive only seen an HP printer be 1x1. Even $0.50 microcontrollers are 2x2.

If the privacy policy of ubiquiti is incompatible with your threat model, then for sure get a new router. WiFi 7 isnt that cheap last I saw. Your router is wifi7. Many companies could have a similar privacy policy. All internet traffic is encrypted nowadays. It's not like your router is intercepting your love notes or pictures.

Most people wouldn't use ids/IPS. You said earlier you are an average linux user and not ultra skilled.

Curious

Johnnyloans Well kinda... about that intercepting... honestly that is probably the least issue,... what I saw in those types of routers... they mostly scan the whole LAN to get telemetry about MACs, RSSI (to get devices location), etc. and honestly if you time stamp it, you can kinda get nice behaviour pattern over time.

they collect DNS (if not encrypted) and also source/destination IP as ISP which is I guess standard but... still miss the days of dumb routers doing their job and that was it.

Johnnyloans

Unkn0wn-3nt1ty

@n3t_admin

I wish APs had power-user options regarding MIMO (many completelt 2x2, 1 band might be 3x3)

I explain mimo here
Johnnyloans

You should be careful not to overlap your APs too much.

Curious

Also one more thing to say, there is a Turris brand (comercialy produced today) which is kinda pricey but... I got some info that they still support 14 y.o. old devices that were first to run in this project.

But on their offic forum it seems like the newest and also older models have a some hickup with new firmware versions... which kinda ask a question about I guess it is called Valiant pyramid: Stability > Security > Scalability > Inovations
And they kinda lack on stability, I mean they have snapshots and recovery mechanisms but... ask yourself, would you like to be nervous about every update that it could potentionaly break your setup and your connection is gone?