Looking for feedback from anyone that has gone from Merlin + Scripts to pfSense

abracadabra11

Regular Contributor
Longtime Asus and Merlin user. We're closing in on purchasing a home and I'm planning to overhaul our network when we do so. It will certainly be a pricey adventure (still figuring out requirements and hardware, but leaning towards a standalone device for pfSense, 3xPoE APs, along with switches and supporting hardware). Although some of the changes are welcome, I'm dreading the transition to pfsense. I'll be trying to replicate functionality provided within Merlin including Skynet, Diversion, Adaptive QoS, VPN clients and server, along with VLAN implementation.

Has anyone made a similar switch? How was the experience? Was there any functionality that you weren't able to replicate? Or perhaps was especially difficult to implement?

The Merlin + scripts packages really do so much at such an inexpensive price point. I need to figure out a way to keep my existing setup as a backup in case this project gets too messy.
 

eibgrad

Part of the Furniture
I'm at the same point, w/ the recent addition of fiber making these consumer-grade routers far less appealing due to their limited performance (at least compared to a pfSense appliance). But what concerns me is (presumably) the lack of access to low-level modifications made possible w/ scripting, direct manipulation of iptables, etc. Things I've grown accustomed to. I'm NOT quite yet ready to turn over *everything* to the GUI, because invariably they either do things you don't like, or come up short for one reason or another.

So I'm just as curious as to whether pfSense or anything similar is going to prove unacceptable for the reasons given.
 

SwampKracker

Regular Contributor
pfsense is more difficult to configure than a consumer router, however, it is not difficult to configure for basic functionality.

VPN is relatively easy to set up, for both server and clients. Same for adding users. Make sure your CPU supports AES-NI for maximum VPN performance.

If you are not allowing access to services on or behind your firewall, there is really no need for Skynet or similar functionality. There is nothing to attack unless you expose services to the Internet. pfBlocker is the pfsense equivalent.

There are optional packages that can be installed for additional functionality and maybe something comparable to Diversion.

Traffic shaping (aka QOS) is available. Never used it.

pfsense provides much better control over firewall rules compared to consumer routers, since it is meant to be a true firewall, and not just a wireless router that can do some basic port forwarding via the GUI.
 

Tech9

Part of the Furniture
I'm NOT quite yet ready to turn over *everything* to the GUI

You can use CLI, if you want to and are comfortable with it, on top of hundreds of GUI menus. It's a much more complex OS though and no one may be able to help you, if things mess up. I never needed to touch anything outside the GUI.

Skynet, Diversion, Adaptive QoS, VPN clients and server, along with VLAN implementation.

Skynet/Diversion - pfBlockerNG covers both IP/DNS-based blocking
Adaptive QoS - this is Asuswrt term, you have multiple QoS configuration options in pfSense
AiProtection - Suricata, Snort - even with SSL inspection (in Squid), if you want that
VPN Server/Client - IPSec, OpenVPN, Tinc, WireGuard (experimental) - much faster on x86 CPU
VLANs - yes, but you need the rest of your system to be VLAN capable too

Other common things:
Unbound - default pfSense DNS server, as resolver or forwarder, DoT available
BIND - package, if you prefer it
APC UPS control - package(s), if you have APC UPS, available for other types too (NUT)
Bandwidth Tracker - package(s), similar to Traffic Analyzer + per IP options
Cron - package, if you want to control what runs scheduled
HAproxy - package, read about it what it does
iperf - package, network throughput testing
ntopng - package, network status tool
Services Watchdog - package, self-explanatory
Clamav - package, antivirus tool (in Squid)
Syslog-ng - package, enhanced syslog tool
Zabbix-agent/proxy - package(s), monitoring tool

Full list here - https://docs.netgate.com/pfsense/en/latest/packages/list.html

What's available in Asuswrt-Merlin is slimmed down router/user friendly versions of what pfSense has available, but you need to learn how to configure/use pfSense. Nothing close to common home router GUI. Multiple menus and sub-menus with terms you need to be familiar with.
 

Tech9

Part of the Furniture
but leaning towards a standalone device for pfSense, 3xPoE APs, along with switches and supporting hardware

You can build Omada Wi-Fi system as good price/performance hardware and use your Asus as wired router. This is going to be much easier for you. No VLANs on Asus, but there is Guest Network in Omada. Not as powerful as x86 firewalls, but the transition will be smooth and not time consuming.
 

abracadabra11

Regular Contributor
pfsense is more difficult to configure than a consumer router, however, it is not difficult to configure for basic functionality.

VPN is relatively easy to set up, for both server and clients. Same for adding users. Make sure your CPU supports AES-NI for maximum VPN performance.

If you are not allowing access to services on or behind your firewall, there is really no need for Skynet or similar functionality. There is nothing to attack unless you expose services to the Internet. pfBlocker is the pfsense equivalent.

There are optional packages that can be installed for additional functionality and maybe something comparable to Diversion.

Traffic shaping (aka QOS) is available. Never used it.

pfsense provides much better control over firewall rules compared to consumer routers, since it is meant to be a true firewall, and not just a wireless router that can do some basic port forwarding via the GUI.
Thanks for the info. I have exposed services via nginx, so would need the functionality offered by pfBlockerNG or similar.
 

abracadabra11

Regular Contributor
You can use CLI, if you want to and are comfortable with it, on top of hundreds of GUI menus. It's a much more complex OS though and no one may be able to help you, if things mess up. I never needed to touch anything outside the GUI.
Skynet/Diversion - pfBlockerNG covers both IP/DNS-based blocking
Adaptive QoS - this is Asuswrt term, you have multiple QoS configuration options in pfSense
AiProtection - Suricata, Snort - even with SSL inspection (in Squid), if you want that
VPN Server/Client - IPSec, OpenVPN, Tinc, WireGuard (experimental) - much faster on x86 CPU
VLANs - yes, but you need the rest of your system to be VLAN capable too

Other common things:
Unbound - default pfSense DNS server, as resolver or forwarder, DoT available
BIND - package, if you prefer it
APC UPS control - package(s), if you have APC UPS, available for other types too (NUT)
Bandwidth Tracker - package(s), similar to Traffic Analyzer + per IP options
Cron - package, if you want to control what runs scheduled
HAproxy - package, read about it what it does
iperf - package, network throughput testing
ntopng - package, network status tool
Services Watchdog - package, self-explanatory
Clamav - package, antivirus tool (in Squid)
Syslog-ng - package, enhanced syslog tool
Zabbix-agent/proxy - package(s), monitoring tool

Full list here - https://docs.netgate.com/pfsense/en/latest/packages/list.html

What's available in Asuswrt-Merlin is slimmed down router/user friendly versions of what pfSense has available, but you need to learn how to configure/use pfSense. Nothing close to common home router GUI. Multiple menus and sub-menus with terms you need to be familiar with.
Thanks for sharing the list of packages. Was somewhat familiar with some (pfBlockerNG, Suricata, but not many of the others).
 

Stephen Harrington

Senior Member
I'm dreading the transition to pfsense. I'll be trying to replicate functionality provided within Merlin including Skynet, Diversion, Adaptive QoS, VPN clients and server, along with VLAN implementation.

My 2 cents. If you love your Merlin and your RT-AX3000 does what you want in terms of routing/add-ons EXCEPT for your desired new Wi-Fi coverage/functionality, why not just keep it going with the wireless turned off? This then gives you some extra dollars in the budget to get the best wireless mesh setup for your new situation, and still gives you the option to upgrade the router somewhere down the track, either to another Asus or to go to pfSense/OPNsense as you wish ...
 

eibgrad

Part of the Furniture
Speaking only for myself, one of things that concerns me is that I believe we're quickly reaching the point where these consumer-grade routers are being pushed beyond their design limits. We're seeing all kinds of "hacks" to keep them viable (CTF/SFE/FA). And I call them hacks because they often break things (QoS, port forwarding, NAT loopback, to name a few).

So the idea of "hanging on" to the router just because you prefer Merlin to pfSense or whatever, may NOT be viable in the long run. Not unless you're willing to accept the continued use of these hacks (which I'm NOT). I'd rather just be done w/ it all and move to a platform that can support the bandwidth my ISP is offering w/o such hacks. And it's only going to get worse as more ISPs move beyond even Gigabit.

Of course, the *ideal* solution would be if Merlin ran on the x86 platform (which is never going to happen)! DD-WRT does, and for those who are DD-WRT lovers, they at least have a viable path forward to bigger and better hardware without the need to change firmware mid-stream. For the rest of us, a decision is coming about how to move forward, whether you're prepared or not. In the case of FT (FreshTomato), the situation is already critical since it doesn't even support AX!

That's NOT the only consideration on my mind, but it's a major one. And once you're off the router for those reasons, you might as well consider other standalone AP offerings that offer more options, range, etc.
 

coxhaus

Part of the Furniture
There are more than 2 options out there. Go slow and cheap. Keep your ASUS around as a fall back if you decide to change to a different one. If you don't like it switch to another firewall until you find one you like.
 

abracadabra11

Regular Contributor
My 2 cents. If you love your Merlin and your RT-AX3000 does what you want in terms of routing/add-ons EXCEPT for your desired new Wi-Fi coverage/functionality, why not just keep it going with the wireless turned off? This then gives you some extra dollars in the budget to get the best wireless mesh setup for your new situation, and still gives you the option to upgrade the router somewhere down the track, either to another Asus or to go to pfSense/OPNsense as you wish ...
Although I have really enjoyed the Asus/Merlin setup, I've accepted some of the limitations (i.e. lack of VLAN support, low VPN throughput, poor reception [primarily related to router location]) because I didn't have a strong impetus to change. That will change in the near future.
 

Tech9

Part of the Furniture
they at least have a viable path forward

Not really. All one man show projects end the same way. It starts with few routers and actually tested firmware. Then more people want the same firmware - more devices are added with automatically generated builds and no testing. The users become perpetual beta testers. When the developer is gone or the necessary files are not available anymore - the project dies. One of the reasons I moved not only to pfSense, but on Netgate device as well.
 

Maverick009

Regular Contributor
Longtime Asus and Merlin user. We're closing in on purchasing a home and I'm planning to overhaul our network when we do so. It will certainly be a pricey adventure (still figuring out requirements and hardware, but leaning towards a standalone device for pfSense, 3xPoE APs, along with switches and supporting hardware). Although some of the changes are welcome, I'm dreading the transition to pfsense. I'll be trying to replicate functionality provided within Merlin including Skynet, Diversion, Adaptive QoS, VPN clients and server, along with VLAN implementation.

Has anyone made a similar switch? How was the experience? Was there any functionality that you weren't able to replicate? Or perhaps was especially difficult to implement?

The Merlin + scripts packages really do so much at such an inexpensive price point. I need to figure out a way to keep my existing setup as a backup in case this project gets too messy.

Take it from someone who is using Pfsense as a daily driver. The initial install and wizard configuration are simple enough and get you into the GUI web interface fairly quickly. By default, the firewall may block all traffic to the internet and just needs a simple firewall rule added to allow traffic. There are the forums and good documentation to find almost everything you could want. Also, when I started this venture, I did searches online, as some shared appropriate settings with regards to rules and basic features. The good thing about Pfsense is it is very flexible and expandable. Now depending on how complicated you attempt to make the firewall, that could require some further reading and maintenance. I also have my Asus wireless routers, both an RT-AC3100 and GT-AX11000 in AP mode running merlin, so I am not losing all capabilities in a sense, but everything goes into my Pfsense Firewall for routing. The current custom configuration I have has an Intel I350 Quad 1Gbps card and a Realtek Dual RTL-8125 2.5Gbps card. I also have the single 1Gbps Realtek integrated NIC, but use that more or less as a backup port. I do plan on adding an X550 Dual 10Gbps card once I completely upgrade the pfsense hardware, but then that is the great benefit of running Pfsense, as hardware and software can be quite flexible. It all depends on what flexibility you are looking for along with expandability and number of devices you want to run or isolate in the network. I have experimented with Pfsense and Opnsense before deciding to stick with Pfsense, with an open eye on Opnsense, as those are the two major forks to look at.

Honestly it will all depend on what you are looking for, the expandability and performance you want, and if you are prepared for some early headaches in switching and learning to set it up the way you want it.
 

Tech9

Part of the Furniture
By default, the firewall may block all traffic to the internet and just needs a simple firewall rule added to allow traffic.

Only if you have Double NAT setup with private WAN IP. Block Private Networks on WAN Interface has to be disabled.
 

Maverick009

Regular Contributor
Only if you have Double NAT setup with private WAN IP. Block Private Networks on WAN Interface has to be disabled.

No double NAT. Just depends on how you install and set up pfsense. When I began, I did not have it connected to the modem or directly to the network due to older equipment and could not do a headless install. When I upgrade the hardware, that should also fix my problem.
 

Tech9

Part of the Furniture
When I upgrade the hardware

Seriously, look at the new Netgate 6100 with 2x 10GbE, 4x 2.5GbE and 2x 1GbE ports. The price is right for what you get. pfSense tested and guaranteed.
 

Wekiwa67

Occasional Visitor
Speaking only for myself, one of things that concerns me is that I believe we're quickly reaching the point where these consumer-grade routers are being pushed beyond their design limits. We're seeing all kinds of "hacks" to keep them viable (CTF/SFE/FA). And I call them hacks because they often break things (QoS, port forwarding, NAT loopback, to name a few).
My thoughts exactly!
I purchased a Qotom device with 8G RAM, 64G SSD, 4 cores @ 2GHz for testing. It runs OPNsense with Suricata, VPN, etc. with ease. Also have two TP-Link APs, one upstairs, one down.
Personally, I'm not a fan of PFSense current business model and future plans, doesn't make it a bad product, just my personal preference.
The learning curve for PF or OPN are steep if one is not familiar with networking. However, once your network is running, you are future proof!
@RMerlin and others have produced an impressive product offering with creative code, but as @eibgrad mentioned, the hardware limitations can not be avoided.
Haven't decided what to do with the 86U routers, maybe AP's?

My employer REQUIRED that I update immediately as they were and remain very focused on the continuous threat vulnerabilities. I suspect many more corp IT regs will force remote employees to meet minimum security standards going forward.

Most of my network is VM, many opinions about VM vs physical firewall. I have a VM of OPNSense protecting part of the network with different subnets. Nothing wrong with multiple layers I suppose.

I also have an ATT Fiber with 1G. No need to upgrade as the Qotom can not process over 1G. If I move everything to VM then I could upgrade to 5G although the current 1G bandwidth is ok for now. My servers and home office are 10G today, the bottleneck remains the ATT 320 home gateway.

Wekiwa
 

Maverick009

Regular Contributor
Seriously, look at the new Netgate 6100 with 2x 10GbE, 4x 2.5GbE and 2x 1GbE ports. The price is right for what you get. pfSense tested and guaranteed.
For me I like to build out my hardware, so a box like Netgate's 6100 would not be for me. I do plan on upgrading hardware at some point and have been looking at a 6/12 or 8/16 core/thread Ryzen with B550 motherboard and 16-32GB DDR4 memory, just due to pricing. I will move my network cards over to the new board and add an Intel Dual 10GbE X550 card. I also have been contemplating a possible ThreadRipper upgrade as well using an older version due to price and PCI-E lanes, even for a mATX board that would fit my firewall server rack case. I am just more techie that way at home plus I get more freedom and expandability no matter the route I choose.
 

abracadabra11

Regular Contributor
Quick update: Made the jump to OPNsense and it's working great so far. Opted for Protectli FW6D to run it on bare metal. 6 VLANs, VPN Server, Sensei, Suricata, Unbound with Adguard Home.

Merlin firmware remains fantastic, but our network needs have outgrown Asus' hardware.
 

Maverick009

Regular Contributor
Quick update: Made the jump to OPNsense and it's working great so far. Opted for Protectli FW6D to run it on bare metal. 6 VLANs, VPN Server, Sensei, Suricata, Unbound with Adguard Home.

Merlin firmware remains fantastic, but our network needs have outgrown Asus' hardware.
You still can use your merlin ASUS router (assuming it is of the wireless variety) as an Access Point to feed your wireless devices. That is how I have 2 of mine. I have one Asus GT-AX11000 plugged in to my firewall router (currently running Pfsense 2.6) on one subnet via a 2.5G connection to have full access to bandwidth the router can support. I have another Asus RT-AC3100 in Access Point mode downstairs being used as a wired hub for the gaming consoles, Apple TV, Sony TV, and Soundbar along with the wireless handling all the IOT devices, which is mainly the home automation on a different subnet connected wired to a 28-port managed TP-Link Switch. If Merlin supported VLAN, that would be nice as I thought about placing that ASUS router on a separate subnet due to IOT devices also connected to same subnet as other wired devices, but only 3rd party firmware I believe allows VLANs is DD-WRT. Either way once you learn how to manage the firewall aspects of Opnsense or Pfsense, it becomes easier to secure the network and even open certain ports to only those devices protecting the subnets still. It can be easy or complicated, depending on your needs, features you want to enable, devices, Subnets/LANs you have etc. Definitely gives room for now and later.

As for hardware, I am now preparing to move to the next big upgrade I have been talking about, possibly by end of the year if not by this summer. I am moving away from the custom Intel Q6600 4-Core 2.4GHz/Gigabyte G41M Motherboard/4GB DDR3 platform I am using to the much newer AMD Ryzen 5600G 6C/12T APU/ASUS B550M TUF/16GB DDR4 platform for better performance/efficiency/power, plus the price is cheap enough, coming close to the price of the ASUS GT-AX11000 Wireless router I purchased. If nothing unforeseen happens, that upgrade should begin to take shape. I will move my Quad Intel I350-T4 and Realtek Dual 2.5G NIC (Realtek was the only one with a dual 2.5G card when I was looking) over to the new setup and most likely will also add a dual 10G Base-T Intel NIC card. That should give me plenty of room to grow with only upgrades to my switches really needed for adding more multigig devices. The 6C/12T Ryzen will be able to handle all tasks I throw at it including saturating the 10G ports. Managed switches will help alleviate even more of the CPU burden to an extent. Right now I can only see myself possibly having 3 maybe 4 plugged up to 10G, including 2 gaming/multimedia computers, and my Windows Server 2019 custom Gaming/NAS/Plex server.
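Two points in this thread are easier to see as actual firewall rules than as GUI checkboxes: Tech9's note that the "Block Private Networks" option on WAN breaks a double-NAT setup with a private WAN address, and Maverick009's point that once the VLANs are in place the firewall is what keeps the IoT subnet away from the rest of the network. The pf.conf fragment below is an added illustration written for this thread; it is not pfSense's generated ruleset (pfSense writes its own rules to /tmp/rules.debug), and the interface names, VLAN tag and subnets are assumptions.

```pf
# Added illustration (not pfSense's own ruleset): plain pf.conf showing
# (1) what "Block private networks" on WAN does and (2) IoT VLAN isolation.
# Interface names, VLAN tag and subnets below are assumed for the example.
wan = "igb0"        # WAN NIC (assumed)
lan = "igb1"        # trusted LAN NIC (assumed)
iot = "igb1.20"     # VLAN 20 on the LAN NIC, used for IoT devices (assumed)

table <rfc1918>  const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
table <lan_nets> const { 192.168.1.0/24, 192.168.20.0/24 }   # assumed subnets

set skip on lo0
scrub in all

# Translation rules must precede filter rules in pf.conf.
nat on $wan from <lan_nets> to any -> ($wan)

# Default deny, logged: anything not passed explicitly below is dropped.
block log all

# (1) Equivalent of "Block private networks and loopback addresses" on WAN.
#     Unsolicited packets arriving on WAN with an RFC1918 source never match
#     a pass rule; existing state (replies to outbound connections) still
#     passes because pf checks state before rules. Behind a double NAT the
#     upstream router's LAN is such a source, so an inbound port forward or
#     a ping from that router is dropped here; disable the option in that case.
block in log quick on $wan from <rfc1918>   to any
block in log quick on $wan from 127.0.0.0/8 to any

# (2) Trusted LAN: unrestricted outbound, including into the IoT VLAN.
pass in on $lan from $lan:network to any keep state

#     IoT VLAN: DNS to the firewall's own VLAN address (Unbound), then Internet
#     only. 'quick' makes the DNS pass final so the later block cannot undo it,
#     and the block is 'quick' so the general pass after it cannot undo the block.
pass  in quick on $iot proto { tcp udp } from $iot:network to ($iot) port 53 keep state
block in log quick on $iot from $iot:network to <lan_nets>
pass  in on $iot from $iot:network to any keep state
```

On a pfSense box the same logic is entered through Firewall > Rules per interface; `pfctl -sr` on the console shows the rules actually loaded, which is the quickest way to confirm that an IoT-to-LAN block sits above the "allow to any" rule rather than below it.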
 
