Move back to a consumer router

Abbas

Occasional Visitor
Over the last few years, as my family has grown, I have moved from a single router to a mesh system to UniFi, and then replaced the USG with pfSense and Untangle. While I agree that these last two solutions are incredibly powerful, they can also be very complicated. So I was thinking of moving back to a consumer-grade router and disabling the WiFi on it, continuing to use it with my UniFi APs. What I would like from my router:

1) Support for Gigabit download from ISP (250MB upload)
2) Parental controls by restricting access based on time and content
3) Split tunneling so part of the traffic can be routed through a VPN/WireGuard connection.

I believe ASUS routers with Merlin might support these functions. Is there any particular model I should be looking at? I usually have about 50 devices on the network at a given time, sometimes going up to 70.
 

L&LD

Part of the Furniture
The RT-AX88U and RT-AX86U with RMerlin 386.1_2 or later are what I would suggest.

Along with a USB drive for the amtm scripts you want to use (for 3, look at x3mRouting by @Xentrk).

After flashing the RMerlin firmware to the router you choose, the links below will help get your router/network as stable as possible.

Best Practice Update/Setup Router/AiMesh Node(s) 2021


After the network is fully stable with the above completed and fully tested (including at least a few reboots too), the following link may be useful to get your USB drive ready for amtm use and scripts.

Note that with RMerlin firmware 384.15_0 and later, 'installing' amtm is no longer required (it is already included in the firmware). The rest of the steps are still useful to note, though.

amtm Step-by-Step https://www.snbforums.com/threads/amtm-step-by-step-install-guide-l-ld.56237/#post-483421
 

Trip

Very Senior Member
@Abbas - Merlin plus scripting on Asus hardware with the wifi turned off is one possibility. I'd also take a look at Firewalla Gold. It's similar-power x86 hardware to whatever you have now with pfSense/Untangle, but with Firewalla's more consumer-friendly distro on top. Covers everything you want to do, and they just added policy-based routing as of a few days ago. Expensive, perhaps, but I'd wager you would stand to recoup a fair amount of opportunity cost as well.
 

avtella

Very Senior Member
I've also looked at Firewalla before; it looked very promising, I just wish at least one of their appliances had multi-gig.
 

Abbas

Occasional Visitor
Thanks for pointing me towards this. I had read up on their smaller devices a year or two back and had seen generally favorable reviews. $400 is quite a steep price but I will read up more on it.
 

Xentrk

Part of the Furniture
I spent the past few days staging and testing an AiMesh setup with an RT-AX88U as the main router and two RT-AX86Us as the mesh units. I was able to get WireGuard working over the client's TorGuard streaming IP using Policy Rules. The speed increase is awesome. I have a FireTV on my office TV. It would always buffer over the OpenVPN tunnel. Not with WireGuard. Sound and picture quality appear to have improved too.

pfSense rolled out 2.5.0 firmware a few days ago with support for Wireguard. Last night, I figured out how to implement the policy rules. What I noticed is the Wireguard download speed is about the same on the pfSense box and the AX88U.

The main reason I got into pfSense was OpenVPN performance with Intel CPUs that have AES support. Plus, the features of pfBlockerNG support creating IPv4 lists for selective routing.

If you go back to a consumer router, I concur with @L&LD's recommendation based on my recent experience.

There are some good tutorials on the net on how to set up pfSense and features such as VLANs, selective routing, etc. Lawrence Systems has many good how-to videos if you decide to keep your current hardware.
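Under the hood, the "policy rules" that send only some clients (the FireTV above) through a WireGuard tunnel are source-based policy routing: a private routing table whose default route is the tunnel, plus one rule per client IP that points at that table. The script below is an added example of that mechanism on a plain Linux router, not x3mRouting's own code nor the pfSense implementation; the table number, interface name and client IPs are placeholders. It sets DRY_RUN=1 to print the commands instead of running them, and it also adds the source NAT without which the VPN peer would drop the clients' packets, since the peer only accepts the tunnel's own address as source.

```sh
#!/bin/sh
# Added example: source-based policy routing on a Linux router. Table number,
# interface name and client IPs below are placeholders. Set DRY_RUN=1 to print
# the commands instead of executing them.

# run CMD... : execute, or just print when DRY_RUN is set
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# vpn_route_clients TABLE IFACE IP... : route traffic *from* each IP via IFACE
# using a dedicated routing table; every other client keeps the main table.
vpn_route_clients() {
  table=$1; iface=$2; shift 2
  # Tunnel default route in the private table. The "unreachable" fallback has a
  # worse metric, so it only wins when the tunnel route disappears (interface
  # removed or down): the selected clients then fail closed instead of leaking
  # out of the WAN.
  run ip route replace default dev "$iface" table "$table"
  run ip route replace unreachable default metric 1000 table "$table"
  # The VPN peer only accepts packets whose source is the tunnel address, so
  # LAN sources must be NATed when leaving the tunnel interface (checked first
  # so repeated runs do not stack duplicate rules).
  if [ -n "${DRY_RUN:-}" ] || ! iptables -t nat -C POSTROUTING -o "$iface" -j MASQUERADE 2>/dev/null; then
    run iptables -t nat -A POSTROUTING -o "$iface" -j MASQUERADE
  fi
  for ip in "$@"; do
    # delete-then-add keeps the rule set idempotent across re-runs
    run ip rule del from "$ip" lookup "$table" 2>/dev/null
    run ip rule add from "$ip" lookup "$table" prio 100
  done
  run ip route flush cache
}

# vpn_unroute_clients TABLE IP... : remove the per-client rules again
vpn_unroute_clients() {
  table=$1; shift
  for ip in "$@"; do run ip rule del from "$ip" lookup "$table"; done
}

# On a router: vpn_route_clients 200 wg0 192.168.1.50 192.168.1.51
# To preview:  DRY_RUN=1 vpn_route_clients 200 wg0 192.168.1.50
```

Note that this routes by source IP only, which is why the DHCP reservations for those clients must be fixed; routing by application or by destination port is a different rule set (destination-based tables or fwmark), which is what the later Firewalla discussion of "PBR currently works on IPs" is about.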
 

Abbas

Occasional Visitor
Thanks @Xentrk and @L&LD - I will look into both ASUS and Firewalla solutions. I don't need the WiFi bit but it looks like the other things check out nicely. Can you also share which WireGuard service you used? I would like to try it on my pfSense box and see what results I'm getting. Also, is there a guide to set up WG on pfSense 2.5?
 

Xentrk

Part of the Furniture
I first logged onto my provider's config generator and downloaded the file to my PC. You will need to copy-paste information from this file into the VPN -> WireGuard screen.

I saw some guides for the pre-2.5.0 WireGuard implementation that were of some help.

Here is the official guide: https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-client.html that worked for me as I do policy routing.

I had issues with the NAT Outbound firewall rules in the instructions though. I already have four sets of rules for each interface to allow LAN traffic. I cloned the OpenVPN rules for Wireguard.

[five screenshots of the cloned NAT Outbound rules, not reproduced]


Continue setup in next post
 

Xentrk

Part of the Furniture
Routing rule.
Firewall -> Rules -> LAN
Key here is to set the protocol to UDP. I had copied the rule from an existing OpenVPN routing rule where the protocol was set to TCP/UDP. That does not work!

[screenshot of the LAN routing rule, not reproduced]


Next steps are to learn how to implement a second WG tunnel and selectively route through it.
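The two posts above boil down to moving values from the provider's generated WireGuard client config into the tunnel and peer fields of the pfSense VPN -> WireGuard screen, then doing the selective routing with a LAN rule. As an added example (not code from the posts or from pfSense), the script below parses such a config, checks that both keys decode to exactly 32 bytes (a malformed paste is the usual reason a tunnel never handshakes), splits the endpoint into host and port, and prints the values in the order the GUI asks for them. The config embedded in it is constructed for the example: the keys are base64 of placeholder strings, not a real key pair, and the endpoint is a placeholder hostname.

```sh
#!/bin/sh
# Added example. Constructed sample of a provider-generated WireGuard client
# config; the keys are NOT a real key pair and the endpoint is a placeholder.
WG_CONF='[Interface]
PrivateKey = cGxhY2Vob2xkZXItY2xpZW50LXByaXZhdGUta2V5MDE=
Address = 10.13.37.2/32
DNS = 10.13.37.1

[Peer]
PublicKey = cGxhY2Vob2xkZXItc2VydmVyLXB1YmxpYy1rZXktMDE=
AllowedIPs = 0.0.0.0/0
Endpoint = wg.example.net:51820
PersistentKeepalive = 25'

# wg_field SECTION KEY : print the value of KEY inside [SECTION] of $WG_CONF
wg_field() {
  printf '%s\n' "$WG_CONF" | awk -v sec="[$1]" -v key="$2" '
    /^\[/ { insec = ($0 == sec); next }
    insec && $1 == key { sub(/^[^=]*=[[:space:]]*/, ""); print; exit }'
}

# wg_key_ok KEY : succeed only if KEY is base64 of exactly 32 bytes
# (the size of a Curve25519 key; a truncated or line-wrapped paste fails here)
wg_key_ok() {
  [ ${#1} -eq 44 ] || return 1
  n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ "$n" -eq 32 ]
}

# pfSense wants the endpoint host and port in separate fields
wg_endpoint_host() { printf '%s\n' "$1" | sed 's/:[0-9]*$//'; }
wg_endpoint_port() { printf '%s\n' "$1" | sed 's/.*://'; }

# wg_pfsense_summary : print the values to paste, refusing malformed keys
wg_pfsense_summary() {
  priv=$(wg_field Interface PrivateKey)
  pub=$(wg_field Peer PublicKey)
  wg_key_ok "$priv" || { echo "PrivateKey is not a 32-byte base64 key" >&2; return 1; }
  wg_key_ok "$pub"  || { echo "PublicKey is not a 32-byte base64 key" >&2; return 1; }
  ep=$(wg_field Peer Endpoint)
  printf 'Tunnel private key : %s\n' "$priv"
  printf 'Tunnel address     : %s\n' "$(wg_field Interface Address)"
  printf 'Peer public key    : %s\n' "$pub"
  printf 'Peer endpoint      : %s  port %s\n' "$(wg_endpoint_host "$ep")" "$(wg_endpoint_port "$ep")"
  printf 'Peer allowed IPs   : %s\n' "$(wg_field Peer AllowedIPs)"
  printf 'Keepalive          : %s\n' "$(wg_field Peer PersistentKeepalive)"
}

wg_pfsense_summary
```

Two practical points: the provider's AllowedIPs = 0.0.0.0/0 only tells the kernel which destinations the peer may carry, so it stays as is; which LAN hosts actually use the tunnel is decided by the LAN rule's gateway, as the posts describe. And the PrivateKey line is the tunnel's secret, so the downloaded file should be removed from the PC once it has been pasted in.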
 

Abbas

Occasional Visitor
Thanks @Xentrk - I found an old ASUS AC86U and will also start working on that. You mentioned you got WireGuard working on it; I would love a nudge in the right direction for that!
 

Xentrk

Part of the Furniture
The thread is in the VPN forum section.

You may get tripped up on what the "path" means in the "opkg install /path/wireguard-kernel_1.0.20210124-ax_aarch64-3.10.ipk" instruction. You have to download the appropriate ipk file to a directory on the router. That is what the path refers to. One could use the curl command to download, but I'm not in a situation to test right now. I think I downloaded it to my PC using the download feature on the GitHub page. Once on my PC, I used an SFTP client to upload it to the /opt/tmp directory.
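As an added example of the step described above (not the thread's own instructions), the script below fetches the ipk straight onto the router with curl, which avoids the PC-and-SFTP detour, and installs it by absolute path, which is what "/path/" stands for. Before calling opkg it splits the file name on the opkg "name_version_arch.ipk" convention and checks that the architecture tag matches one of the architectures the router's own opkg reports, so a package built for a different platform is refused rather than half-installed. The download URL is a placeholder; the format of the `opkg print-architecture` output ("arch NAME PRIORITY" lines) is assumed from Entware.

```sh
#!/bin/sh
# Added example: fetch a WireGuard kernel ipk into Entware's /opt/tmp on an
# RMerlin router and install it by absolute path. IPK_URL is a placeholder.
IPK_URL="https://example.invalid/path/wireguard-kernel_1.0.20210124-ax_aarch64-3.10.ipk"
IPK_DIR="/opt/tmp"

# ipk_name_part FILE FIELD : split "name_version_arch.ipk" and print FIELD
# (1 = package name, 2 = version, 3 = architecture tag)
ipk_name_part() {
  base=$(basename "$1" .ipk)
  printf '%s\n' "$base" | awk -F_ -v f="$2" '{ print $f }'
}

# ipk_arch_ok FILE ARCHLIST : succeed if the file's arch tag is one of the
# architectures in ARCHLIST, the text printed by `opkg print-architecture`
# (assumed format: lines such as "arch aarch64-3.10 10")
ipk_arch_ok() {
  want=$(ipk_name_part "$1" 3)
  printf '%s\n' "$2" | awk -v want="$want" \
    '$1 == "arch" && $2 == want { found = 1 } END { exit !found }'
}

# install_ipk : download into $IPK_DIR, verify the architecture, then install.
# Run this on the router; it needs Entware (/opt) mounted and opkg on the PATH.
install_ipk() {
  file="$IPK_DIR/$(basename "$IPK_URL")"
  [ -d "$IPK_DIR" ] || { echo "Entware not mounted: $IPK_DIR missing" >&2; return 1; }
  curl -fL -o "$file" "$IPK_URL" || { echo "download failed" >&2; return 1; }
  archs=$(opkg print-architecture)
  ipk_arch_ok "$file" "$archs" || {
    echo "$(basename "$file") is built for '$(ipk_name_part "$file" 3)', not for this router" >&2
    return 1
  }
  opkg install "$file"
}

# On the router: install_ipk
```

The version field of the thread's file name carries a "-ax" suffix, so besides the architecture tag it is worth confirming against the VPN-forum thread that the build variant is the one meant for your model before installing it on an AC86U.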
 

aps

Occasional Visitor
Spent some time looking at the Firewalla Gold product site and videos, and it seems to check a lot of boxes for someone (like myself) who doesn't want to take on the undertaking of pfSense. The main concern is that it's the first Firewalla product that is a true router, so it wouldn't be unexpected if there were some gremlins or reliance on features on the road-map. Any ideas if it is built on top of any of the open-source firewall platforms or a new build? And have you had hands-on experience with the unit and, if so, what were the findings?
 

Abbas

Occasional Visitor
So I managed to pick up a used Firewalla Gold and what a breath of fresh air! I've only had it for two days so far, so I can't talk about the reliability, but the UI and features seem to be pretty much everything I was looking for. PBR currently works on IPs, but app-based functionality is expected in the next release, which is currently in beta. It was super easy to group devices as kids, home etc. and apply firewall rules with one click.

It supports VLANs as well, but I want to make sure it's stable and reliable by having the basics work trouble-free for a week or two before diving deeper into its functionality.
 

Smokey613

Very Senior Member
My only issue with the Firewalla products is the same thing I have with a lot of other security products: they all need to stay in contact with the "mother ship" to work. That was my main concern with the eero products. Now to clarify, I am not concerned about the data collection; heck, we have already lost that battle in today's connected world. My concern is loss of functionality if the company folds, due to the phone-home nature. My pfSense, like similar products, does not rely on a mother ship to remain operational. Case in point is the eero units: if you do not have internet connectivity, you cannot even manage the units.

I continue to bounce back and forth with using pfSense. I have been a long-time user, so its management and configuration is not an issue. I am just not sure I am really benefiting from an extra piece of hardware vs just my 2 RT-AC86U, especially running Merlin with the available 3rd-party scripts. The old IDS/IPS products are less useful today unless you have a way to decrypt/re-encrypt the packets so they can be inspected. Skynet and Diversion seem to provide a good enough solution for most home users.
 

Abbas

Occasional Visitor
@Smokey613 - I totally get where you're coming from but the difference between the UX of ASUS/Merlin and FWG is night and day. What you're trying to hack to achieve on ASUS is already built-in with FWG and with a polished UI that someone like me who is not a networking guru, can get around with.

Yes, the company can fold, but from my limited understanding, it is an open-source project. Hopefully someone can continue with it. I am all for supporting developers and wouldn't even mind paying FW a subscription fee. They've been releasing updates to improve their boxes regularly. The upcoming version will add app-based policies as well as WireGuard support.
 

Smokey613

Very Senior Member
I agree about a user friendly / simple interface. The biggest hurdle for me is the $400+ price tag. I got my Qotom mini pc pretty cheap and pfSense CE is free.
 

Trip

Very Senior Member
Like anything, $418 is relative... Compared to pfSense on a base Qotom or used PC for one fourth to half the cost, yeah, it may seem overly costly. On the flip side, they are doing something at least moderately unique in the space and there's a certain amount of cost for the dev hours/talent required. Whether the actual margin is excessive is anyone's opinion, but short of being a buyer myself, I'm at least interested to see how this pans out...
 

aps

Occasional Visitor
What’s the feedback on the Firewalla gold?
 

Abbas

Occasional Visitor
Loving it so far. Super stable with zero reboots and no speed loss with DPS enabled. I have a 500/100 connection.

I've set up a group for each of my kids and can easily block social, browsing, videos etc. for them. I have also routed some ports through a VPN on the network, which is working well.

It doesn't have the granularity of Untangle, but it's good enough for me. To give you an example, I can enable SafeSearch, which censors YouTube, Google etc. But I can't have it censor YouTube for one kid and Google for the other. SafeSearch as a whole is either on or off for any given profile.

I haven't created any VLANs either; I'm just running all devices over one network, so there are about 80 devices on the network. Haven't run into any issues.
 
