Pfsense/opnsense box with AX88U Merlin firmware

Quoc Huynh

Regular Contributor
Hi all,

As ransomware threats are emerging and I am switching to an IPv6-supporting ISP, I plan to install a pfSense box (made from my old Xeon W-2133 computer with 32GB DRAM, 512GB SSD) in my home network to act as a firewall with IDS/IPS.

Currently my network configuration is ISP optical fiber modem -> Asus RT-AX88U router -> wired and wireless devices and IoTs (probably adding a NAS later). My Internet speed is 100/20 Mbps, but I plan to upgrade to Gigabit in the next few years. Moreover, I am running several scripts on the router as in my signature, including Diversion, Skynet, ntpMerlin, BackupMON…

I have read the pfSense/OPNsense threads on the forum but still feel confused. Therefore, may I ask some questions:

1/ Is it worth adding a pfsense/opnsense box to my home network?

2/ Is my Xeon system capable of running pfsense/opnsense with IDS/IPS enabled? How much energy consumption should I expect?

3/ I know that a pfsense/opnsense box from their shops would be more energy-saving and quieter. However, the Netgear 4200, which seems more capable of handling IDS/IPS in a Gigabit network, costs me nearly a thousand dollars. Therefore, I prefer to use my existing system.

https://erp.etsau.com/shop

4/ Should I put the pfSense/opnsense box after or before the AX88U, regarding that I only want it to be a firewall?

5/ If I put the pfsense before the AX88U and set the Asus router to bridge/AP mode for wireless clients, will all of the existing scripts still be functional?

6/ I also read that pfBlockerNG works similarly to Diversion and Skynet. In case the scripts are still usable, should I leave them on to create a so-called multi-layer firewall, or delete them for more flawless system?

Thank you in advance.
 
I would not worry about power draw and get your Pfsense working. Then decide if you like it. I would plug it into your network and get it working on the side then replace your ASUS router.
It is going to be more full featured but require more set up.
 
@coxhaus @Adooni Thank you so much for your advice! I will give pfsense/opnsense a try and see how I can go from there. Have a great weekend 😊
 
I will give pfsense/opnsense a try

Give it a try, but don't invest in hardware in advance. Run it on whatever you have available and see what it is. Based on your questions - there will be very steep learning curve. pfSense/OPNsense are entire router OS with hundreds of menus and require above average networking knowledge. Whatever you have preset by someone else with on/off in home routers GUI has to be recreated manually. They have more configuration options, but you have to read a lot and understand the logic behind it. Following online tutorials and watching YouTube videos won't help much. Set it up as independent router behind your working Asus network and play with it until you are comfortable enough.

 
Give it a try, but don't invest in hardware in advance. Run it on whatever you have available and see what it is. Based on your questions - there will be very steep learning curve. pfSense/OPNsense are entire router OS with hundreds of menus and require above average networking knowledge. Whatever you have preset by someone else with on/off in home routers GUI has to be recreated manually. They have more configuration options, but you have to read a lot and understand the logic behind it. Following online tutorials and watching YouTube videos won't help much. Set it up as independent router behind your working Asus network and play with it until you are comfortable enough.

Thank you so much for your thorough advice @Tech9. I really appreciate that!
Regarding the knowledge about networking, as you said, I actually need to learn a lot. Despite watching several YouTube videos and reading articles about pfSense/OPNsense, I still feel overwhelmed and confused. Maybe it's best for me to set up the box as a separate router behind my Asus and gradually learn from there. Thank you again and have a nice weekend 😊
 
@coxhaus @Adooni Thank you so much for your advice! I will give pfsense/opnsense a try and see how I can go from there. Have a great weekend 😊
I believe Pfsense now blocks private IP addresses by default on the WAN side so if you plug it into your ASUS you will need to tick the box to allow it to work with private IP addresses. Otherwise, you will not get internet.
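The post above describes the usual double-NAT trap: pfSense's WAN interface ships with "Block private networks" ticked, so a WAN address handed out by the Asus (192.168.x.x) is dropped before anything else is evaluated. The following is an added example, not code from this thread or from the pfSense project, that reads a pfSense config.xml export and reports whether that rule will bite for a given WAN address. It assumes the export layout where a ticked checkbox appears as an empty `<blockpriv>` element under `<interfaces><wan>` and uses the ranges the pfSense docs list for that rule (RFC 1918, 127/8 and fc00::/7); the sample config and addresses are constructed. Check the element names against your own Diagnostics > Backup export before relying on it.

```python
"""Detect the pfSense 'Block private networks' WAN rule conflicting with a
double-NAT WAN address, and show what clearing the checkbox changes in config.xml.

Added example: the config below is constructed to mirror a pfSense export
(assumption: <blockpriv> present under <interfaces><wan> == checkbox ticked)."""
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan>
      <enable></enable>
      <if>igb0</if>
      <ipaddr>dhcp</ipaddr>
      <blockpriv></blockpriv>
      <blockbogons></blockbogons>
    </wan>
    <lan>
      <enable></enable>
      <if>igb1</if>
      <ipaddr>10.10.0.1</ipaddr>
      <subnet>24</subnet>
    </lan>
  </interfaces>
</pfsense>
"""

# Ranges the pfSense docs list for 'Block private networks' (RFC 1918,
# loopback, RFC 4193 unique local). Kept explicit rather than using
# ipaddress.is_private, which also flags the RFC 5737 documentation nets.
BLOCKED_PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("fc00::/7"),
]


def wan_blocks_private(config_xml: str) -> bool:
    """True when the WAN 'Block private networks' checkbox is ticked."""
    root = ET.fromstring(config_xml)
    return root.find("./interfaces/wan/blockpriv") is not None


def in_blocked_private_range(addr: str) -> bool:
    """True when addr falls inside a range the WAN rule would drop."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLOCKED_PRIVATE_RANGES)


def double_nat_conflict(config_xml: str, wan_addr: str) -> bool:
    """True when the upstream router's lease lands in a blocked range while
    the rule is on, i.e. pfSense will drop its own Internet path."""
    return wan_blocks_private(config_xml) and in_blocked_private_range(wan_addr)


def clear_blockpriv(config_xml: str) -> str:
    """Return the config with the WAN blockpriv flag removed, which is what
    unticking the checkbox in Interfaces > WAN writes to config.xml."""
    root = ET.fromstring(config_xml)
    wan = root.find("./interfaces/wan")
    node = wan.find("blockpriv")
    if node is not None:
        wan.remove(node)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    lease = "192.168.50.10"  # constructed: address the Asus would hand the pfSense WAN
    if double_nat_conflict(SAMPLE_CONFIG, lease):
        print(f"WAN {lease} is in a blocked private range and blockpriv is set")
        fixed = clear_blockpriv(SAMPLE_CONFIG)
        print("after clearing:", double_nat_conflict(fixed, lease))
```

Once the box moves in front of the Asus and gets a public WAN address, re-tick the checkbox; the rule exists to stop spoofed RFC 1918 sources arriving from the Internet, and it only gets in the way while the box is a tenant of another NAT.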
 
Doing the same thing, replacing my Asus router with a Dell T3420, using either Proxmox or XCP-ng (+ Orchestra) hypervisor on bare metal, OPNsense, Pihole and Unbound in VMs or containers; the existing router will become a switch/AP. As a bonus, if you're happy with WiFi capabilities/performance, you don't have to keep upgrading hardware when Asus goes EOL and can still use Merlin's firmware while supported.

Starting to favour XCP-ng. Once all up and running, I'll just export all the settings and VMs to one of my externals and cloud, as backup in case of hardware failure.
I have an older Asus router already set up as backup to provide temporary internet access while I repair, if it ever happens.
I also like the idea of being able to pool all my storage, memory and CPUs as one super system; of course you have to take precautions like UPS, multi-PSU, RAID etc.

Highly recommend the tutorial by Lawrence Systems on YT.
 
OPNsense, Pihole and Unbound

Or straight pfSense with Unbound + pfBlocker-NG package, of course. It does both IP and DNS blocking.

I also like the idea of being able to pool all my storage, memory and CPU's as one super system

You won't be happy in an event of hardware failure with all your services down at once. This is no different than home AIO router.
 
So, using Pfsense as your router and ASUS as a wireless AP will limit you to 1 network. A small business wireless AP will allow you to have a lot of network VLANs probably depending on the brand and coding in the wireless APs. I would assume the better brands will support more VLANs.
 
So, using Pfsense as your router and ASUS as a wireless AP will limit you to 1 network. A small business wireless AP will allow you to have a lot of network VLANs probably depending on the brand and coding in the wireless APs. I would assume the better brands will support more VLANs.

There are some guides on how to configure the AX88U with multiple VLANs - can do up to 7 VLANs on Wifi, or perhaps 8. I'm currently running 6 VLANs with the AX88U set up as an AP.


OPNsense / pfSense are excellent, and will require a fair bit of time of tinkering. Initial configuration may take a little time, but then over time, as you learn of the features and capabilities, or your own needs, you'll find yourself tinkering with them more and more. They are solid.
 
I did not know ASUS did VLANs. Sounds like in AP mode it can do 7 VLANs which will probably work for home. How about roaming? Do they support fast transition if you run more than 1 AP?
 
To those currently running pf/OPNsense as router and a professional wireless AP, what is an example of a professional AP that you would refer to? I think this is a curious conversation when taken in light of the WiFi 7 routers conversation here: https://www.snbforums.com/threads/a...-support-underway-for-3-wifi-7-routers.90126/
Is there a WiFi 7 compatible professional AP that is recommended? Would the professional features being included in the 3006.x branch have you rethink using a dedicated IDS/IPS box as router? I've toyed with pf/OPNsense for a few years, but kept coming back to my Asus because it can be highly customized with Merlin to offer those features that are important to me.
 
what is an example of a professional AP that you would refer to?

It depends on the budget and use case. Folks around run UniFi (Ubiquiti), Omada (TP-Link), Nebula (Zyxel), WAP/CBW series (Cisco), Instant On (Aruba), I've seen a few WAX series (Netgear), my personal choice is Ruckus (CommScope), etc. There are many choices with matching or different brand switches and firewalls.

I've toyed with pf/opnsense for a few years, but kept coming back to my Asus because can be highly customized with Merlin to offer those features that are important to me.

The features in Asuswrt-Merlin with Custom Scripts actually originate from higher class business equipment. They are hardware optimized slimmed down versions to whatever is available already, but on a higher price and not as user-friendly. It's a good cost saving option for home use and most of the time good enough.
 
I would think pfSense would be easier to set up than a bunch of scripts for ASUS. Almost all setup for pfSense is under the GUI. Yes, there is a lot there, but easier than scripts and interactions between multiple scripts.
 
I did not know ASUS did VLANs. Sounds like in AP mode it can do 7 VLANs which will probably work for home. How about roaming? Do they support fast transition if you run more than 1 AP?

Don't know. - I only have the 1 AP - AX88u with multiple VLANs. Here's the guide that I used to configure it. Just note that if you're using the WAN port as trunk, - you won't be able to ssh or access the config page from WAN port once configured. You'll have to be on the main wifi or one of the LAN ports.
 
@coxhaus @Wolfclaw Thank you very much for your suggestion, I will follow them. Have a great day 😊
 
Thanks all for this interesting thread / topic. I was planning to get a unifi controller and some APs but decided to build my own opnsense router using a $200 mini pc from aliexpress...

This is the summary/update:
  • mini pc with opnsense bare metal now running as primary router
  • all my existing AX asus router/mesh nodes reconfigured as wired APs (running latest merlin 388.7)
  • Fiber internet 1000/50 tested with traffic shaping (Flow Queue - CoDel ECN) at max line speed!
  • Zero mdns / apple homekit disconnects or any issues for 2 weeks since I set this up
So after 2 years of fighting with aimesh and asus firmware (not merlin specific) I finally have my homekit setup stable.

I agree that there is a bit of a learning curve with opnsense / pfsense but it's fine. I setup opnsense on a proxmox PVE behind my asus network to start with (double NAT) and got everything working. Then built/installed opnsense on the mini pc. Then reset my AX network and added them as APs to the network.

I am still trying to find a good way to see all of my client devices in a single and clean UI. I am getting close using a Unifi controller (docker) and unifi switches and Home Assistant but not quite working yet. Below is where I am up to with my Home Assistant dashboard.

So thanks for this thread that convinced me to have a go at an alternative...

[screenshots: Home Assistant dashboard]
 
Thanks all for this interesting thread / topic. I was planning to get a unifi controller and some APs but decided to build my own opnsense router using a $200 mini pc from aliexpress...
Was looking at doing the same thing this weekend lol.

Does the smart connect/single SSID still work with the ASUS in AP mode? My biggest thing is the missus just will lose it if I rename the network again...

She suspects my son is bypassing the parental controls on the ASUS; I think he's just waiting up till they turn off (only a 2/3 hour window so he could DL overnight....)

In very much the same boat, was JUST looking at unifi gear....
 