I would wholeheartedly recommend Ubiquiti products. I use an EdgeRouter X and Unifi AP Lite and get almost no loss of speeds over WiFi compared to connecting directly to the modem. Also no packet loss or poor reception.
Their devices run Linux so you can ssh directly into them if you want to change something. All config options are also available via the command line interface.
If you want a consistent UI experience, choose one of their several "lines" and stick with it for all your hardware, i.e. use a Unifi Security Gateway + a Unifi Switch instead of the EdgeRouter X. This will allow you to control all your devices from the same interface. I went with the heterogeneous combination because it suited my needs.
It is worth noting that the edgerouter-x, which is only $48, and its more expensive cousins have a pretty good origin of their OS. Ubiquiti's EdgeOS is a fork of Vyatta. UBNT hired most of the talented Vyatta developers when Vyatta was acquired by Brocade. Vyatta is based on Debian.
The ER-X is actually a little Debian box with a decent GUI.
Unless you have >600 Mbps symmetric gigabit home internet, an ER-X is more than fast enough for routing, firewall/NAT functions for the average residential user.
It is also a really good way to economically separate the functions of router and wifi. Have a router that is a wired 1000BaseT router with no wifi. Buy one or two of the 802.11ac Unifi dual band access points, priced anywhere from $75/ea to $200/ea depending on whether you want 2x2 MIMO or 3x3 MIMO, or wave2 functionality.
Set up the unifi controller as a virtualbox VM on your laptop that you use to provision it and make changes. The controller does not need to remain persistently on the LAN once the APs are configured.
I remember early on the edgerouters had performance problems with all kinds of things (e.g. IPv6) since their hardware-offloading support was lacking, I assume that has improved by now?
Short answer: EdgeRouter 4 ($199) or EdgeRouter Lite ($99).
Long Answer: It depends.
The ER-X / ER-X-SFP are architected as a switch with a router hanging off an internal 1Gb/s full-duplex link. Every routed packet crosses that link twice -- once in, once out -- so they can only do 1Gb/s of combined routing.
For most purposes, traffic patterns are heavily asymmetrical so this isn't a meaningful limitation, but to get > 400-500 Mb/s symmetrical performance you need any of their other models.
The ERLite-3 and ER-4 are the next best models for home use. Both are fanless, low-power, and capable of line-rate symmetrical routing across all ports simultaneously. ER-4 doubles the RAM, has twice as many faster CPU cores, adds a dedicated SFP port, has an internal PSU, and an optional rackmount kit.
ERPoe-5 is an ERLite-3 with one port replaced by a 3-port switch and 24v/48v PoE (early units shipped with a 24v PSU, buyer beware if you need 48v PoE).
ER-8 / ERPro-8 have 8 routed ports, are rackmount-only, and have fans that aren't suitable for living / work spaces. The Pro adds 2 SFP combo ports and a slightly higher clocked CPU. The newer ER-4 is much more powerful and costs less.
ER-6P is an ER-4 with two more copper ports, an external PSU, and 24v PoE (standard PoE is 48v).
Note that the ER-X, ER-X-SFP, and ERPoe-5 are the only models with switched ports. You can bridge routed ports to emulate a switch, but that forces traffic out of the hardware offload engine and seriously compromises performance. Buy an external switch or a model with switched ports if you need switched ports. For the money, the ER-X makes an excellent compact managed switch with a much nicer UI than typical cheap web-managed switches.
On the UniFi side, the USG is equivalent to the ERLite-3 and the USG-PRO-4 is an ERPro-8 with half the ports. An updated model based on the ER-4 / ER-6P platform is expected but not any time soon.
Has Ubiquiti started shipping the toolchain necessary to build their Linux, or are they still violating the GPL?
When last I checked, you could not compile your own kernel for Ubiquiti devices and get something that worked the same way as before -- the switch ports, IIRC, and probably other stuff.
My firewall runs actual Debian Stable, gets updates to everything including the kernel, and happily handles the gigabit that VZ claims to be delivering to my house. (Actual speeds tested vary from 700-950Mb/s.)
Depends on how many gigabit ports you want. I wanted five, so it pulls about 20W idle and 45W max. If you can survive with 2 and a WLAN, you can get down to about 5W idle and 25W max.
Nothing is as small as custom non-PC hardware. However, I think mine is reasonably small and you can go to a NUC size for 2 gigabit ports.
I really like the Unifi gear for home use; it’s industrial-grade without completely breaking the bank (can get a good 2 AP setup for $400). PoE is a nice touch that makes it really easy to just snake a cable from a closet and leave a full-power AP in the attic.
The remote management tools are really nice if you have multiple sites (parents house, vacation home, etc) to manage. 1% problem for sure, but for a little bit more than a crapbox integrated router you can get an enterprise-grade modular managed solution.
UniFi is awesome for managing the extended family's stuff, tho I've been leaning towards AmpliFi Mesh (another Ubiquiti product line) for those who don't have very fast Internet -- the phone app is super friendly and supports remote management.
As a geek with more complex networking needs -- multi-WAN, site-to-site VPN tunnels, lots of port forwards -- EdgeRouters are the way to go. UNMS gives me some centralized management and insights into what's happening with my EdgeOS (and AirMax) gear. Rest of my network is UniFi APs and switches.
Actually, I would use the Edge line for exactly what it is marketed for e.g. your network interconnect (internet <-> internal network) and internal network backbone and the Unifi products to connect the Edge powered backbone network to devices.
This way you get the best of both worlds. Especially since the EdgeRouter line is absolutely one of the best on the market when it comes to network throughput (which you really want if you have 1000mbps+ fiber behind it)
I've been running Mikrotik routers at home for a couple of years, and I have been at least as happy with them as anything else I've used. Yes, they can be a little more awkward to configure (some of which comes down to offering multiple different tools with slightly different capabilities - command line, Webfig[1], Winbox[2], and The Dude[3]). If anyone wants to experiment with them cheaply, they do make a bargain travel router[4].
Right now I am using their hAP ac[1] which does b/g/n/ac, though there's a new version[2] of it with a 4-core ARM in it which might be a little better for routing... otherwise I know people like to use Ubiquiti for their AP and choose one of the non-wifi Mikrotik models[3].
I'd be wary about running a mikrotik as a home router, but mostly because the user interface is not what I would call friendly at all unless you're already a networking person. It's not a terrible idea if you need more capability than a standard home router, but there are other options that also offer more power than home routers without quite so much visible complexity. As an example, OpenWRT on a capable router gets you a more familiar command line interface and an awful lot of packages.
As far as the RCE, is SMB even enabled by default? It's an important catch and I'm not clear yet how exploitable via JS in a browser, but I can't imagine that SMB is open to the world in any router's default configuration.
In the home / office equipment SMB is disabled by default, and there are firewall rules blocking all incoming connections from WAN. Someone over at a MikroTik channel said "if you run SMB on your router and you've got it accessible to the world you deserve to be hacked"
I can't say I disagree.
The recent bug about being able to download the user database was less cool though. But it was patched very fast after it was discovered.
Then again the above bug is only exploitable if you allow incoming connections from WAN on the management port, which isn't good practice (but I and many other people do it anyways because it's simple).
We used to allow remote connections to management, but for probably 2-3 years it's been trusted networks only. Same for rdp, and the last customer with an in house mail server should be off it in 2-3 months.
These days a blank non responsive void is the only thing that makes sense for an office.
I had a buddy that used a Mikrotik router for years. He couldn't shop at Newegg because his router "optimized" his MTU and Newegg blocked connections with non-standard MTU sizes.
That's a Newegg misconfiguration. If they received a packet with an MTU they thought too long, they should have responded with ICMP Fragmentation Needed.
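To make the ICMP part of that reply concrete, here is an added example (not from any commenter, and not Newegg's or MikroTik's code) of what a correctly behaving host sends back when it receives a Don't-Fragment packet larger than its MTU, and how the sender's path-MTU discovery consumes it. The packet bytes are constructed inline; addresses are documentation ranges, and the 576-byte fallback for routers that report an MTU of 0 is a simplification of the RFC 1191 plateau table.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3   # ICMP type "Destination Unreachable"
CODE_FRAG_NEEDED = 4    # code "Fragmentation needed and DF set" (RFC 792 / RFC 1191)
IP_DF = 0x4000          # Don't Fragment flag in the IPv4 flags/fragment-offset field


def inet_checksum(data: bytes) -> int:
    """Standard one's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, total_len: int, df: bool = True, proto: int = 6) -> bytes:
    """Constructed IPv4 header for the over-sized packet (ID and TTL are arbitrary sample values)."""
    flags_frag = IP_DF if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_frag_needed(next_hop_mtu: int, offending_packet: bytes) -> bytes:
    """What a correctly configured host or router sends back: type 3, code 4, the next-hop MTU,
    plus the original IP header and first 8 payload bytes so the sender can match the packet."""
    ihl = (offending_packet[0] & 0x0F) * 4
    quoted = offending_packet[: ihl + 8]
    msg = struct.pack("!BBHHH", ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, 0, 0, next_hop_mtu) + quoted
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def parse_frag_needed(msg: bytes):
    """Return what the sender's PMTU discovery needs, or None if this is some other ICMP type."""
    if len(msg) < 8 + 20:
        raise ValueError("ICMP message too short to carry the quoted IP header")
    icmp_type, code, _chk, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if icmp_type != ICMP_DEST_UNREACH or code != CODE_FRAG_NEEDED:
        return None
    if inet_checksum(msg) != 0:        # checksum over the whole message must fold to zero
        raise ValueError("bad ICMP checksum")
    inner = msg[8:]
    orig_len, flags_frag = struct.unpack("!HH", inner[2:4] + inner[6:8])
    return {
        "next_hop_mtu": mtu,
        "orig_src": socket.inet_ntoa(inner[12:16]),
        "orig_dst": socket.inet_ntoa(inner[16:20]),
        "orig_len": orig_len,
        "df_set": bool(flags_frag & IP_DF),
    }


def next_path_mtu(current_mtu: int, reply: dict) -> int:
    """Sender side of PMTUD: shrink to the advertised MTU. An MTU of 0 comes from pre-RFC 1191
    routers and only means 'smaller than what you sent'; this simplified fallback uses 576."""
    advertised = reply["next_hop_mtu"]
    if advertised == 0:
        return min(current_mtu, 576)
    return min(current_mtu, advertised)


if __name__ == "__main__":
    # Constructed scenario: a client sends a 1500-byte DF packet, but the path only carries 1400.
    big = build_ipv4_header("192.0.2.10", "198.51.100.20", 1500) + b"\x00" * 8
    reply = parse_frag_needed(build_frag_needed(1400, big))
    print(reply, "->", next_path_mtu(1500, reply))
```

A site that silently drops the over-sized packet instead of emitting this message leaves the sender retransmitting at 1500 bytes forever, which is exactly the "connection hangs with a non-standard MTU" symptom described above; filtering ICMP type 3 code 4 at the edge produces the same failure.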
Mikrotik sometimes do things differently to how you might expect[0]… though that was how I found out about them, and have been happily managing a hEX lite for a while now.
This is definitely a bug (a 'value out of range' for prepend > 255 should have at least been emitted), but IOS devices crashing because of it is no one but Cisco's fault. And then, not having a 'filter out if AS path > 64' config line while being a transit provider is just careless.
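The two checks that comment asks for, as an added example written for this thread (not MikroTik's or Cisco's code, and not the RouterOS or IOS implementation): the AS_PATH segment length field is a single byte, so a prepend count is validated against 255 before anything is encoded, and an ingress filter parses the attribute defensively and drops both over-long paths and anything that does not parse cleanly. The 64-hop limit, the 4-octet ASN encoding and the sample ASNs are assumptions taken from the comment and the private-use ASN range.

```python
import struct

AS_SET, AS_SEQUENCE = 1, 2          # segment types from RFC 4271
MAX_SEGMENT_ASNS = 255              # the segment length field is a single byte
ASN_FMT = {2: "!H", 4: "!I"}        # 2-octet ASNs, or 4-octet ASNs when AS4 is negotiated


def encode_as_path(segments, asn_size=4):
    """Serialise [(type, [asn, ...]), ...] into an AS_PATH attribute value."""
    out = bytearray()
    for seg_type, asns in segments:
        if not 1 <= len(asns) <= MAX_SEGMENT_ASNS:
            raise ValueError("value out of range: a segment holds 1..255 ASNs, got %d" % len(asns))
        out += struct.pack("!BB", seg_type, len(asns))
        for asn in asns:
            out += struct.pack(ASN_FMT[asn_size], asn)
    return bytes(out)


def prepend(segments, local_asn, count):
    """Apply 'as-path prepend N' by extending the leading AS_SEQUENCE. The count is checked
    at configuration time so an impossible prepend is rejected instead of being encoded."""
    if not 1 <= count <= MAX_SEGMENT_ASNS:
        raise ValueError("value out of range: prepend count must be 1..255")
    segments = [(t, list(a)) for t, a in segments]
    if segments and segments[0][0] == AS_SEQUENCE:
        if len(segments[0][1]) + count > MAX_SEGMENT_ASNS:
            raise ValueError("value out of range: leading segment would exceed 255 ASNs")
        segments[0][1][:0] = [local_asn] * count
    else:
        segments.insert(0, (AS_SEQUENCE, [local_asn] * count))
    return segments


def decode_as_path(data, asn_size=4):
    """Parse an AS_PATH value, raising ValueError on truncation or junk instead of guessing."""
    segments, i, fmt = [], 0, ASN_FMT[asn_size]
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated segment header")
        seg_type, n = data[i], data[i + 1]
        if seg_type not in (AS_SET, AS_SEQUENCE) or n == 0:
            raise ValueError("malformed segment")
        i += 2
        need = n * asn_size
        if i + need > len(data):
            raise ValueError("segment claims %d ASNs but the attribute is too short" % n)
        asns = [struct.unpack_from(fmt, data, i + k * asn_size)[0] for k in range(n)]
        i += need
        segments.append((seg_type, asns))
    return segments


def as_path_length(segments):
    """Path length as RFC 4271 section 9.1.2.2 counts it: each AS_SET contributes 1."""
    return sum(1 if t == AS_SET else len(a) for t, a in segments)


def accept_update(as_path_value, max_len=64, asn_size=4):
    """Ingress policy from the comment: drop routes whose AS path is longer than max_len,
    and drop anything that does not parse rather than re-advertising it to peers."""
    try:
        segs = decode_as_path(as_path_value, asn_size)
    except ValueError:
        return False
    return as_path_length(segs) <= max_len


if __name__ == "__main__":
    normal = encode_as_path([(AS_SEQUENCE, [64496, 64500, 65550])])
    padded = encode_as_path(prepend([(AS_SEQUENCE, [64500])], 64496, 70))
    print(accept_update(normal), accept_update(padded))
```

The parse-or-drop behaviour in `accept_update` is the part that protects a transit network: a malformed attribute that is accepted and re-advertised reaches every downstream peer, which is how one operator's encoding bug becomes everyone else's session reset.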
I've had a Mikrotik router for a few years now, and have absolutely no problem with Newegg at all... perhaps one or the other has fixed things since your friend had trouble?
but I advise against it if you want to run pfSense, since driver support on pfSense for these might be sketchy/difficult to get working. Linux might be a better choice for a router OS if you're going to get those modules.
My personal recommendation is to avoid getting wifi onboard the apu2 and stick with this instead:
and just take up one of the three ports available on the apu2 permanently for your Nanostation.
Set this up, and you'll be happy for years. I consider it the ultimate DIY home router setup and I've experimented with many. This one takes the cake. The only thing I wish for is an extra RJ-45 port on the pcengines APU2 for some of the devices that are close by it (e.g. a mac mini I use as HTPC), but since everything or nearly everything has wifi nowadays, you don't get to notice this much. Worst case, if you need extra ports, hit amazon and type only "pfsense" in the box - there's a vendor called ProtectLi (https://protectli.com/) which sells 4 and 6 port boxes similar to the APU2, but with Intel instead of AMD (I'm kind of partial to AMD plus PCEngines is run by Americans/Swiss :). Those will work just as well though you're looking at spending more $$$. If that's no objective, then just get the 4 or 6 port ProtectLi.
Reply here and let me know how it works out once you've got it set up the way you want.
I was using Mikrotik for a while until I wanted to optimize bufferbloat issues - my go-to algo has been fq_codel, which Mikrotik does not support. I've fiddled around with the other available algos, but nothing comes close to the performance that fq_codel has out of the box.
I ended up switching to Opnsense instead. It was a good medium between dd-wrt and Mikrotik in terms of usability / exposed features.
Mikrotik is for those who want to do traffic manipulation at very low levels - it's not for the faint of heart if you're not a network pro.
I also didn't like that I had to pay for a new license if I had to change the hardware in my box.
Been home routing for about 15y, first on old PCs with 2x nics, then on more embedded kit (soekris boxes RIP, about to upgrade to PC Engines hardware since my particular soekris boxes, though still running strong, are getting a bit long in the tooth for modern speeds).
Strongly suggest just throwing OpenBSD on a flash disk (possibly with the help of flashrd) and going from there. Once you get a taste of the solidness of pf & the openbsd network configuration tools/documentation, you'll miss it every time you use another free OS.
As a side note, I'd consider trying to flash something like OpenWRT on other routers that anybody owns. There are not really many companies that keep releasing patches for consumer devices unless there is a major outcry (e.g. KRACK). In most cases your router is a small MIPS box running linux (consumer ones), treat it as you'd treat your other systems and update it often!
I've used MikroTik products pretty extensively over a number of years, and would recommend them -- pretty tough to beat, on a "bang for the buck" basis.
No vendor's products will be free of RCEs; what's important is turnaround time to deployable fix, and MikroTik's pretty fast.
I have used it to teach an introductory course in computer networking and it handled many network protocols well (DHCP, NAT, etc.) and even some advanced routing configurations (with RIP/OSPF).
UI was a little rough around the edges but after a while you get used to it.
It's quite funny how most people say they hate the WinBox interface. I'm a huge fan of mixing the CLI and the WinBox interface, I also like that the CLI and the GUI management solutions are tightly coupled together and that you can do "everything" (99% of everything) in either of them (some super rare features are only in the CLI).
So which major vendor hasn't had a RCE on the LAN side? Even my current Asus router had an RCE on the LAN side a couple of years ago...
MikroTik fixed both of the issues you referenced, just as Asus fixed the issue I referenced. So I see no specific reason not to use either a MikroTik or an Asus device (and keep both up to date).
The only major thing I'd consider is:
- Does the manufacturer respond constructively?
- Is the device still receiving security updates/has no outstanding holes?
Considering that they can't even get user authentication right, I have pretty big doubts about the rest of their security. Hashing/salting passwords is not a new concept.
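Since that comment treats salted hashing as table stakes, here is an added example (written for this thread; not MikroTik's code and not a description of how RouterOS stores credentials) of the difference between an unsalted record and a salted, iterated one, with constant-time verification and a check that flags records whose work factor has fallen behind. The iteration count, record format and sample passwords are assumptions.

```python
import base64
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000      # assumed work factor for PBKDF2-HMAC-SHA256; raise it as hardware improves
SALT_BYTES = 16


def weak_store(password: str) -> str:
    """The kind of record the comment is criticising: one unsalted hash of the password.
    Identical passwords give identical records, and a leaked table is precomputation fodder."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated record: algo$iterations$salt$digest, all self-describing so the
    parameters can be raised later without breaking verification of old records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own salt and iterations; compare in constant time.
    Any malformed record is treated as a failed login rather than raising."""
    try:
        algo, iters, salt_b64, digest_b64 = record.split("$")
        if algo != ALGO:
            return False
        iterations = int(iters)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except (ValueError, TypeError):
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record uses a weaker work factor than current policy; rehash it
    on the next successful login, when the cleartext is legitimately available."""
    try:
        algo, iters, _salt, _digest = record.split("$")
    except ValueError:
        return True
    return algo != ALGO or int(iters) < iterations


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a password.
    alice, bob = hash_password("correct horse"), hash_password("correct horse")
    print("weak records identical:", weak_store("correct horse") == weak_store("correct horse"))
    print("salted records identical:", alice == bob)
    print("verify ok:", verify_password("correct horse", alice),
          "wrong pw:", verify_password("wrong", alice))
```

The point of the salt shows up in the first two printed lines: with `weak_store` an attacker who dumps the user database learns immediately which accounts share a password and can attack them all with one precomputed table, while the salted records give nothing away and have to be attacked one at a time at full cost.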
It's hard to defend something like this, but I think it's important to know that this only affects MikroTik devices with the SMB service enabled (disabled by default).
It's very bad, but they responded quickly and resolved the issue.
One thing I'd say is worth mentioning is that they're still keeping "all" (all I know of) RouterBoard devices updated. We've had customers with gear many many years old, still updated with feature and security upgrades.
I don't think a manufacturer should be judged too harshly based on if they have vulnerabilities or not, since all software does, but rather on how they respond to and patch those vulnerabilities.
Note: Mikrotik are violating the GPL (at least in spirit, by having you request sources by mail instead of just publishing them) by shipping RouterBoards/RouterOS without any Linux sources. You might want to take this into consideration before spending money with them.
(they even ship their rootfs with proprietary kernel modules that are marked as license: GPL so that they don't taint the kernel, i.e. for their bandwidth test)
The "spirit" of GPL is not "everything must be on GitHub". From the start, the GPL allowed distribution on physical media. Given that in 1989, the state of the art in file distribution was Usenet, and given that even today, Stallman allegedly still uses his wget contraption, it is safe to say that Stallman did not in fact envision that all software under the GPL must be distributed online.
I am running mikrotik as a home router for... I think 2 years and am perfectly happy with it. It is extremely stable and you can configure it into every detail (to the LEDs and beeper... and I am not joking). MikroTik is also very fast with updating vulnerabilities. But I wouldn't recommend it to everyone, for configuring it beyond basic configuration (like QoS), you need to understand networking, it is not a consumer grade product.
Bottom line, great routers, packed with features, not simple to configure.