OPNSense or BE88u?

Why not VM your gateway?

Because the main security shifts from the Router/Firewall software to the VM software and you don't want every single network service down when this mini PC goes down. This is something you can do in a home lab environment just to play with it.
 
Because the main security shifts from the Router/Firewall software to the VM software and you don't want every single network service down when this mini PC goes down. This is something you can do in a home lab environment just to play with it.
If the environment is a home network and the PC/router goes down, the broadband/WAN isn't going to be available so what would it matter that other local network services are also down?
 
For home use - use case specific and a matter of preference, I guess. When I have no Internet for whatever reason all LAN, WLAN, NAS, NVR, etc. are operational. I also have locally managed home automation. For business use - you won't see a firewall on VM because of security concerns. AIO device like the one you have running multiple services comes closer to what AIO home routers are. After you satisfy your curiosity you may want to switch to modular network design for increased reliability and availability.

I've been there with AIO on VM, Router on a stick with VLAN-ed WAN and LAN, Router in another location with VLAN-ed WAN and LAN to the ISP equipment... server rack with 200 lbs of metal... at some point the interest in doing such things fades away. You'll also switch to simple solutions sooner or later. Being the sole sysadmin capable of fixing your home network is not a good thing.
 
I've been there with AIO on VM, Router on a stick with VLAN-ed WAN and LAN, Router in another location with VLAN-ed WAN and LAN to the ISP equipment... server rack with 200 lbs of metal... at some point the interest in doing such things fades away. You'll also switch to simple solutions sooner or later. Being the sole sysadmin capable of fixing your home network is not a good thing.
I probably won't be tempted to dive into the techie networking pathway you've mentioned, I'm happy enough with my AIO router-based solution but wanted to replace the Asus AIO router with something more flexible, powerful and hopefully more secure, whilst hopefully being not too difficult to use. What would be a simple solution sooner or later though? Ubiquiti/UniFi?
AIO device like the one you have running multiple services comes closer to what AIO home routers are. After you satisfy your curiosity you may want to switch to modular network design for increased reliability and availability.
Out of curiosity, what would you suggest generally as modular network design for increased reliability and availability?
 
I need to have a general idea what your needs are. There is no universal best solution.
 
Okay, it's a network with a printer, NAS, some smart TVs and streamers, a PVR, a desktop PC and a laptop all connected via ethernet; via Wifi, a couple of Ring cameras as well as mobile devices (iOS), plus some smart plugs dotted around the home and a smart thermostat for central heating control. All ethernet traffic is through a layer 2 smart switch (Cisco SG300) to which the WiFi router is connected.
The smart TVs and streaming devices, as well as the Ring cameras, are all configured to use Pi-hole hosted on a RaspPi 3 for DNS to block any tracking or advertising telemetry.
Ultimately the mini-pc router/firewall will be the WAN gateway with the Asus router just acting as an access point. I don't have any need for separate zones within the network at the moment but I can see that it'd be useful to restrict access of the streaming and media devices, plus the Ring cameras, to the rest of the network.
The mini-pc router has 6 NIC ports and is running pfSense and AdGuard Home within a VM and LXC respectively, so one port is a dedicated Proxmox management interface on a separate subnet, the other ports are for WAN, LAN to the SG300, another port to the Asus WiFi router as an AP. I don't plan on using the Pi-hole box in future as pfSense will be using AdGuard Home for DNS ad-blocking.
 
Not sure what to recommend. Do you still have the RT-AX86U router? It can run all of the above in current flat network configuration. Perhaps the simplest solution with zero extra cost. 🤷‍♂️
 
