
Any guides to DIY routers?

jzchen

Are/Is there any guides to making your own home made router? I tried to (over the phone) talk my son through updating a very expensive Ubuntu Lambda desktop his first day/week at his new job, and it bricked, requiring creating a recovery USB and restoring the darn thing...

TIA
 
Are/Is there any guides to making your own home made router?

Type in Google "Build own router, firewall with FreeBSD, pfSense, OPNSense, OpenWrt, Arista, Sophos, etc." even "FreshTomato x86" if you like and hit Enter. Multiple results will come up including forums, articles, tutorials, videos. Your question doesn't belong to this thread.
 
Type in Google "Build own router, firewall with FreeBSD, pfSense, OPNSense, OpenWrt, Arista, Sophos, etc." even "FreshTomato x86" if you like and hit Enter. Multiple results will come up including forums, articles, tutorials, videos. Your question doesn't belong to this thread.
 
Are/Is there any guides to making your own home made router? I tried to (over the phone) talk my son through updating a very expensive Ubuntu Lambda desktop his first day/week at his new job, and it bricked, requiring creating a recovery USB and restoring the darn thing...

TIA
But thanks for asking, because I have a feeling many of us may be going down this path here very soon. 👍
 
I'm here for the same advice. Considering replacing the layered security handled with ASUS-Merlin and turning that router into AP instead. Current layered security consists of AiProtection 2 way IPS only, Skynet, Control D daemon for DNS filtering.

I'm looking into MiniPC options. Before I drop upwards of $400 can I get advice on if this is a good strategy if my goal is a more stable environment with more visibility and control? My Linux skills are not very robust but I'm a good see-and-do monkey. I used to manage Linux servers at the VM level, but when it came to diving into the OS for deeper troubleshooting, I reached out to a vendor. That's why I'm looking at OPNSense + Suricata. I'm told OPNSense built-in IPS/IDS is based on Suricata. Does that preclude me from still installing the product? I'm comfortable with the install of the OS.

Should I stick with an Intel N100 based mini PC to get the most stable experience and performance on 1G fiber? Intel 2.5G LAN ports as well. I'm fine with adding my own RAM + SSD but was reading about incompatibilities with Corsair or Crucial, with people citing Samsung SO-DIMM a stable option for some of these mini PCs that I see.

In the long run, I'm looking for less troubleshooting and firmware updates to my ASUS router and want more in-line control via the GUI of my router. Something I can set and leave running updates as needed and just peek in on once in a while knowing it's doing its job.

I've read that the layered security that I've got already is sufficient, while moving to MiniPC will have marginal benefits maybe the cost won't justify it. I'm kind of up in the air with this.

Any advice is appreciated. Thanks.
 
I'm told OPNSense built-in IPS/IDS is based on Suricata.

IDS/IPS can't inspect encrypted packets unless you run SSL proxy and learn how to deal with resulting complications. For better general security you need fast updating rules and they are not free. Not sure how FCC will classify gateways like UCG-Max, but it has all you need in $199 small package with optional CyberSecure by Proofpoint and Microsoft Active Protections Program subscription for $99/year (which is excellent value compared to other subscription plans). It has all 2.5GbE ports, Suricata based IDS/IPS (36 free categories, 50+ extra with Proofpoint), Geo-blocking, Content Filtering (by Cloudflare, user categories with Proofpoint), Ad-blocking (by AdGuard, local processing), Zone-based firewall, AI interface monitoring (yes... I know), selective routing, encrypted DNS, etc. ready to go with nice UI. The OS itself is Debian based, updates are regular, new features are coming quite often. The device has quad ARMv8 CPU, 3GB RAM, built-in 16GB storage (~6GB is taken by the OS) and can serve 300+ clients.

If you take x86 route the hardware will be no doubt more powerful and versatile, but it will be also more expensive, you have to maintain it yourself and you won't have the exclusive price option for IDS rules and filtering categories. On the other hand you'll have the freedom to do whatever you like with it, not an option with locked down ready made gateway. If you want 100% compatibility and pre-installed licensed OS - Netgate appliance with pfSense+. They are expensive, but excellent quality. I have 2x 6100 for business use.

I have 4x UCG-Ultra gateways on my home networks, they do all of the above with GbE ports for $129/unit. Reliability is 100% so far. Potential issue in the US - FCC may decide they are consumer-grade even though only part of incomplete system and the so called consumer has to build wired infrastructure first plus complete the system with the necessary switches, PoE power and access points. Many people are doing it, but still perhaps small % because it requires some knowledge and is not exactly bring it home and plug it in.
 
This unknown brand (to me at least) unit is currently $220 on Amazon US (it was $200 a week ago):



Not the latest and greatest, but with good enough CPU, 8GB RAM and 128GB SSD in small package.

 
Not the latest and greatest, but with good enough CPU, 8GB RAM and 128GB SSD in small package.
Thanks. 👍 Yes, I've been looking at others like this. I definitely want to avoid subscriptions but realizing this might be unavoidable if I truly want a robust IPS/IDS solution. I'm told that on OPNsense / Suricata many of those lists require subs. I'm unsure what value the basic free IPS/IDS lists offer compared to the solution I already have.

That being said, I feel like I want to do the MiniPC route just to go down that journey and if it doesn't work out (too much of a hassle or I'm really bad at managing it) then I can turn it into a dedicated Plex Server to host my growing 8TB library instead of using my main PC.

As a side note I read that the J4125 processor would max out at about 600mbps running Suricata DPI under heavy load or heavy IPS rules. If that's untrue then I'd be glad to go with something like the one you suggested bc it would save me about $100 vs the N100 series chip.
 
I'm unsure what value the basic free IPS/IDS lists offer compared to the solution I already have.

The same - very little to totally useless. I have it currently disabled on my home networks. Even though the rules on UniFi gateways update daily they are the same slow update cycle free rules and this means they perhaps don't contain anything newer than 30 days. May eventually help for the obvious only. To make more sense you have to pay for subscription with fast update cycle rules. Remember, most of the traffic is encrypted these days so the IDS doesn't see it. Only the end point, in our case our browsers, can do efficient real-time protection. And they do have Safe Browsing engines implemented, all popular browsers. So don't invest heavily in IDS hardware for home use, there will be no proportional return of investment.
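
An added example (not part of any post in this thread) that puts a number on the encrypted-traffic point above: it reads Suricata EVE JSON `flow` events and reports what share of bytes travelled in protocols whose payload an IDS cannot read without decryption. The sample events are constructed, and the `ENCRYPTED` protocol set is an assumption you should adjust to your own traffic.

```python
import json
from collections import defaultdict

# Assumption: app_proto values treated as payload-opaque to signature rules.
ENCRYPTED = {"tls", "quic", "ssh", "ike"}

# Constructed sample of Suricata EVE JSON lines (not real capture data).
SAMPLE_EVE = """\
{"event_type":"flow","proto":"TCP","app_proto":"tls","dest_port":443,"flow":{"bytes_toserver":4200,"bytes_toclient":880000}}
{"event_type":"flow","proto":"UDP","app_proto":"quic","dest_port":443,"flow":{"bytes_toserver":9000,"bytes_toclient":410000}}
{"event_type":"flow","proto":"TCP","app_proto":"http","dest_port":80,"flow":{"bytes_toserver":700,"bytes_toclient":52000}}
{"event_type":"flow","proto":"UDP","app_proto":"dns","dest_port":53,"flow":{"bytes_toserver":90,"bytes_toclient":210}}
{"event_type":"flow","proto":"TCP","app_proto":"failed","dest_port":8443,"flow":{"bytes_toserver":1500,"bytes_toclient":30000}}
{"event_type":"alert","alert":{"signature":"constructed example"}}
not-json garbage line
"""

def payload_visibility(lines):
    """Sum flow bytes into encrypted / cleartext / unknown buckets."""
    totals = defaultdict(int)
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or partially written log line
        if not isinstance(ev, dict) or ev.get("event_type") != "flow":
            continue  # only flow records carry per-connection byte counts
        flow = ev.get("flow", {})
        nbytes = flow.get("bytes_toserver", 0) + flow.get("bytes_toclient", 0)
        app = ev.get("app_proto")
        if app in ENCRYPTED:
            totals["encrypted"] += nbytes
        elif app in (None, "failed"):
            totals["unknown"] += nbytes  # protocol detection did not succeed
        else:
            totals["cleartext"] += nbytes
    return dict(totals)

def encrypted_share(totals):
    """Fraction of all counted bytes that payload rules could not inspect."""
    total = sum(totals.values())
    return totals.get("encrypted", 0) / total if total else 0.0

if __name__ == "__main__":
    t = payload_visibility(SAMPLE_EVE.splitlines())
    print(t, f"{encrypted_share(t):.1%} of bytes opaque to payload rules")
```

Run against a real `eve.json` with flow logging enabled, the result shows how much traffic paid rule sets could actually match on; handshake metadata such as the TLS SNI stays visible to the sensor even when the payload does not.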
 
UCG-Max, but it has all you need in $199 small package with optional CyberSecure by Proofpoint and Microsoft Active Protections Program subscription for $99/year
I'm now looking into this option. I'm pleased with what I'm seeing. I didn't know Ubiquiti was this affordable. Thanks for the info. I found this one: Ubiquiti Cloud Gateway Max UCG-MAX-NS and I can add an SSD, sounds like 16GB should do the trick based on your info. What I like is that it specifies 1.5G routing with IDS/IPS eliminating a lot of variables / questions I had with selecting a MiniPC. I'm onboard with the subscription model now; understanding that it's important to keep up with zero day vulnerabilities in a world that is rapidly changing on the security front. (AI powered attacks, etc.)

This should satisfy my growing need to move away from ASUS as a router platform. I'll keep the hardware but make it subordinate in AP mode. Do you concur?

It sounds like I should decide soon because prices are going up - presumably in part because of anticipation of this FCC bs.

Is the unit I identified a good choice or do you have a recommendation for a unit at a better price elsewhere? I like the Max instead of Ultra for futureproofing. I can grow into it.

PS: I also found this used one w/512GB storage: Ubiquiti Cloud Gateway Max - (UCG-Max) (512GB)

Thanks! 👍
 
This unknown brand (to me at least) unit is currently $220 on Amazon US (it was $200 a week ago):


Not the latest and greatest, but with good enough CPU, 8GB RAM and 128GB SSD in small package.

I just bought two of these to make a router.
[Attached image: RPi4-.png]
 
What I like is that it specifies 1.5G routing with IDS/IPS

It's full 2.3Gbps now, they have optimized multi-core processing some updates ago.

and I can add a SSD

Only if you plan to use Protect features. This storage is not user accessible NAS type.

make it subordinate in AP mode

You can, but make sure you can use VLANs on it for your network segmentation. VLAN capable gateway to dumb AP doesn't make much sense. Based on your previous posts you have RT-BE92U and it's Smart Home Master series with no VLAN to LAN port. See what it can do in AP mode, may get lucky. This model has quite a few connectivity issues reported as well and may ruin the experience.
 
I'm now looking into this option. I'm pleased with what I'm seeing. I didn't know Ubiquiti was this affordable. Thanks for the info. I found this one: Ubiquiti Cloud Gateway Max UCG-MAX-NS and I can add an SSD, sounds like 16GB should do the trick based on your info. What I like is that it specifies 1.5G routing with IDS/IPS eliminating a lot of variables / questions I had with selecting a MiniPC. I'm onboard with the subscription model now; understanding that it's important to keep up with zero day vulnerabilities in a world that is rapidly changing on the security front. (AI powered attacks, etc.)

This should satisfy my growing need to move away from ASUS as a router platform. I'll keep the hardware but make it subordinate in AP mode. Do you concur?

It sounds like I should decide soon because prices are going up - presumably in part because of anticipation of this FCC bs.

Is the unit I identified a good choice or do you have a recommendation for a unit at a better price elsewhere? I like the Max instead of Ultra for futureproofing. I can grow into it.

PS: I also found this used one w/512GB storage: Ubiquiti Cloud Gateway Max - (UCG-Max) (512GB)

Thanks! 👍
This is a good option, the mini PCs are OK too, but there is more work involved and they are not cheap where I'm from.
I hide my IP and they are cheaper, as soon as I put my real address in for delivery then the price goes up, or they are not available for delivery to my area, crooked wan7ers
 
It's full 2.3Gbps now, they have optimized multi-core processing some updates ago.



Only if you plan to use Protect features. This storage is not user accessible NAS type.



You can, but make sure you can use VLANs on it for your network segmentation. VLAN capable gateway to dumb AP doesn't make much sense. Based on your previous posts you have RT-BE92U and it's Smart Home Master series with no VLAN to LAN port. See what it can do in AP mode, may get lucky. This model has quite a few connectivity issues reported as well and may ruin the experience.
Does this > RT-BE92U have connectivity issues? It's not that cheap either.
 
PS: I also found this used one w/512GB storage: Ubiquiti Cloud Gateway Max - (UCG-Max) (512GB)

All my Ubiquiti equipment was purchased directly from Ubiquiti. Middle man not needed.


When you shop for devices with high-availability requirements buy new and with full warranty.

I'm onboard with the subscription model now; understanding that it's important to keep up with zero day vulnerabilities

Proofpoint won't give you zero-day for $99/year at promo price. If you need something like this get x86 hardware, run Snort and subscribe for paid rules. It will cost you $99/month or more. The more you want the more you pay. Make sure you set realistic expectations.
 