Openwrt Router Firmware

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
31,306
Reaction score
8,774
I have an entirely different setup from you: my twin Asus RT-AX92U (Gnuton Merlin FW) are running as AP and mesh node, while the Brume 2 is serving Adguard Home as the router.

My experience with Asus routers is: don't rely on them too much for DNS, as they are capable of basic functions and slow in catching up with DoH/DoT/QUIC tech. No experience with running Pi-hole, but isn't it supposed to filter and send DNS requests upstream to DoH providers directly like what AdGuard does, instead of passing to Asus? I have not fiddled with/looked at my Asus router's DHCP/DNS functions, as it was set up as AP + node the moment it was deployed for use (another reason why I want to avoid Asus for DNS).

You are right regarding the Asus. It has the best FW features among consumer routers like Asus/Netgear/Linksys/TP-Link/D-Link, but still can not compare with OpenWRT. Merlin FW adds more features but still can not compare with OpenWRT.

Pi-hole is pretty much similar to Adguard Home and it can direct to upstream DNS, including DoH providers with a bit of extra configuration.
https://docs.pi-hole.net/guides/dns/cloudflared/
The thing is device side can bypass Pi-Hole (or Adguard Home) by using their own DoH DNS server. To intercept DNS, you need Firewall rules. I tend to think there are ways to do it in Asus as well using iptables but I have not tried that myself.

This is one place pfBlockerNG (with pfSense as the router/firewall OS) is better than Pi-hole and Adguard Home, since it has seamless integration with pfSense using the autogenerated firewall rules. It also includes IP filtering. But again that is its weakness as well, since it is tied to pfSense whereas Pi-hole and Adguard Home are not tied to a specific router operating system.
 

Hafi

Arch-Supremacy Member
Joined
Mar 30, 2003
Messages
15,380
Reaction score
5,360
the firewall command-line filtering DoH traffic on https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns not working for you?

as a workaround, for the time-being DoH DNS providers are still a handful and you can block probably 90% of them with a blocklist on pi-hole/adguard except those browser built-in Cloudflare which is querying 1.1.1.1 instead of hostname. I tested OpenDNS and Google and it blocked them without any issue.
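
Added example (not part of the original posts): a small Python audit of router flow logs that separates the three bypass paths discussed above, showing why a hostname blocklist catches a DoH lookup of dns.google but not a browser that connects straight to 1.1.1.1. The resolver address, log format, hostname list and IP list are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample values (assumptions, not taken from the thread).
LOCAL_RESOLVER = "192.168.1.2"   # hypothetical Pi-hole / Adguard Home address
DOH_HOSTNAMES = {"dns.google", "doh.opendns.com", "cloudflare-dns.com"}
DOH_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}

# Constructed flow log: "client proto dst_ip dst_port [queried_name]"
SAMPLE_LOG = """\
192.168.1.50 udp 192.168.1.2 53 dns.google
192.168.1.50 udp 192.168.1.2 53 example.org
192.168.1.51 tcp 1.1.1.1 443
192.168.1.52 udp 8.8.8.8 53
192.168.1.53 tcp 9.9.9.9 853
192.168.1.2 udp 9.9.9.9 53
192.168.1.54 tcp 93.184.216.34 443
"""


def classify(client, dst, port, name=None):
    """Return how one flow relates to the local filtering resolver."""
    if client == LOCAL_RESOLVER:
        return "resolver-upstream"       # the filter itself talking upstream
    if dst == LOCAL_RESOLVER and port == 53:
        # The query reached the filter, so a hostname blocklist can act on it.
        return "sinkholed-doh-hostname" if name in DOH_HOSTNAMES else "filtered"
    if port == 53:
        return "bypass-plain-dns"        # needs a port 53 redirect rule
    if port == 853:
        return "bypass-dot"              # needs a reject rule for port 853
    if port == 443 and dst in DOH_IPS:
        # No hostname lookup happened, so the blocklist never sees this one;
        # only an IP-based firewall rule can stop it.
        return "bypass-doh-by-ip"
    return "other"


def audit(log):
    """Map each LAN client to the list of resolver bypasses seen in the log."""
    findings = defaultdict(list)
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[3].isdigit():
            continue                     # skip malformed lines
        client, dst, port = fields[0], fields[2], int(fields[3])
        name = fields[4] if len(fields) > 4 else None
        verdict = classify(client, dst, port, name)
        if verdict.startswith("bypass"):
            findings[client].append(verdict)
    return dict(findings)


if __name__ == "__main__":
    for client, verdicts in audit(SAMPLE_LOG).items():
        print(client, verdicts)
```

DoH to an address that is not in the IP list looks like ordinary HTTPS here, so the IP list has to be kept current for the last check to be useful.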
 

xiaofan

Sorry to confuse you. I have two home networks (thanks to a special feature of Singtel ONT).
Ref: https://forums.hardwarezone.com.sg/threads/working-singtel-vlan-settings-with-tplink-sg108e.5746952/

The network with OpenWRT router works fine.
The other network with Asus router does not work well with some clients using their own DoH DNS server.
 

TanKianW

Supremacy Member
Joined
Apr 21, 2005
Messages
6,666
Reaction score
3,319
In fact I am having issues with my Asus RT-AX86U router (running stock Asus FW) when it comes to DoH. I am using Pi-hole but the Asus FW settings against DoH do not work.

My Realme X50 5G Chrome browser is implicitly using DoH with Google DNS. My OpenWRT Pi-Hole works fine against that but not Asus. My temporary solution is to use Firefox browser, or set Private DNS using ad-blocking DNS (eg: p3.freedns.controld.com).

If you are using an Android phone and want it to stop using GoogleDNS, another way is to "root" your phone and install modules on "Magisk" to use other DNS (1.1.1.1). With a rooted phone, you can also more effectively control your apps by installing a low-level firewall (using iptables) on your Android phone called AFWall+.


xiaofan

Rooting a phone is for sure not an option for me (no matter it is an iOS device or Android device). Just a personal preference.

In fact I have some old Android TV boxes which I tried to un-root (trying to delete the root software). I am not really using them after getting a Xiaomi Mi Box S. I was trying to use a few of them as Linux machines using Armbian. But I kind of stopped the experiments after getting two Raspberry Pi 400.
 

TanKianW

Yes, rooting the phone/devices is not for everyone. Especially when not done correctly, it will potentially brick your phone or make your key apps (Singpass) stop working.

When it comes to app, driver and community support, no ARM device (SBC) comes close to the RasPi, which is why I still stock a couple of them at my place.
 

xiaofan

I have just tried again Adguard Home running as an LxC container (Debian 12 based) and it runs fine, pretty much similar to Pi-hole, even though I still prefer the UI of Pi-hole.

Previously I used Pi-hole for both of my home networks (Asus RT-AX86U and OpenWRT running as a PVE VM). Now I have switched one of them to use Adguard Home just to see if it is as reliable as Pi-hole.
 

xiaofan

I have not touched the Linksys EA7500 v2 for a while, today I just upgraded it from 22.03.0 to latest 22.03.5.

WiFi speedtest seems to drop a bit but I think that is not related to the upgrade, since my SpeedTest for the Asus RT-AX86U also drops this year, probably due to more interferences from neighbors in the 5GHz band (I got less interference previously).

It is still decent though (3m distance, client -- 2.5 years old Acer Windows 11 laptop with Intel AX201 adapter), this is especially true now that you can get it (or Linksys EA8100 v1) at around S$10 from Carousell.

Comparison: Asus RT-AX86U (same wireless client at 3m away)
 

xiaofan

Just noticed that OpenWRT seems to have stopped new versions of FW for the Linksys WRT AC series; the last version is now at 23.02.2 (latest version is 23.02.5).

Linksys WRT AC Series: Dual Core Arm Cortex A9 CPU
https://openwrt.org/toh/linksys/wrt_ac_series
I have the earliest version WRT1900AC V1 (released in 2014). I used it as my main router from April 2014 to Sept 2020.

I just upgraded the FW from 21.02.1 to latest 23.02.2 and it still works fine. Take note the WRT AC Series has dual partition for FW, so I still have the old 21.02.1 FW in another partition.

 

xiaofan

OpenWRT AX Router Support: mainly MTK chipset and a bit of Qualcomm chipset support
https://openwrt.org/toh/views/toh_available_16128_ax-wifi
1. The following seem to be readily available in Singapore with official support.

a) Asus RT-AX53U

b) Linksys E8450 -- this may be a good one to try if you are interested

c) Xiaomi AX3200 global version -- this may be a good one to try if you are interested
 

sgcarousell

Member
Joined
Feb 17, 2017
Messages
445
Reaction score
237
Recently I am tempted to get a beelink eq12pro n305 to run PVE and create an Openwrt VM n make use of the dual lan of the eq12pro to be the main router. Is this an easy task and are there any good instructions on video to follow?
I am no expert n my experience up to now is setting up a mesh of 3 openwrt ea8100 as main n ap, a rpi4 with openwrt container as 1 arm router, pihole container on the rpi4. Does setting up PVE require more specific n in-depth networking technical skill?
 

xiaofan

PVE setup is really very simple.


Install OpenWRT on Proxmox: slightly more complicated. I will use 1GB RAM and 1GB Disk size myself.
https://i12bretro.github.io/tutorials/0405.html

Another guide: ignore the MPTCP stuff
https://github.com/onemarcfifty/proxmox-network

In case you still find that the disk size for OpenWRT does not increase to the desired size, you can use the following guide.
https://forum.openwrt.org/t/howto-resizing-root-partition-on-x86/140631
I will also recommend Pi-hole or Adguard Home on the LxC container (Ubuntu 22.04 or Debian 12).
 

sgcarousell

Thank you so much for the video links, will view them n get a feel of the setting up.
How is the quality of beelink mini pc? Or should I look at other brands such as MIC cwwk?
 

xiaofan

Beelink should be okay.

However, for your test, I will recommend to get 4-ports mini PC which is more suitable for your use case. Two LAN ports are just bare minimum.

LAN 1 -- management LAN for PVE
LAN 2 -- OpenWRT WAN
LAN 3 -- OpenWRT LAN
LAN 4 -- Spare (or OpenWRT LAN 2).
 

sgcarousell

This is the part where I am confused. I read that one can use ESXi or PVE to assign 1 port as WAN n 1 port as LAN to the openwrt vm, then that lan port connects to a switch for other devices n config the lan port as bridge port, so host eq12pro n openwrt can talk to each other..... With this setup can I connect screen n keyboard mouse for pve/esxi console management?
Or can I attach a usb-c to lan just for console management?
Thanks in advance
 

xiaofan

If you use Keyboard and Monitor for PVE console access, then yes you can do what you want.

For me, I like to switch among OpenWRT/pfSense/OPNsense, and I do not want to use Keyboard/Monitor, so it is much easier to have another LAN port for PVE access. I can easily kill OpenWRT and then power up pfSense/OPNsense at any time or vice versa.
 

sgcarousell

I see, I get what you mean now.
In a nutshell, the idea of using the beelink eq12pro with only 2 lan ports, installed with proxmox and running an Openwrt VM (as main router) and providing lan to my switch and other devices, is doable.

Guess it is time to buy it and spend some sleepless nights to configure it.
Thank you so much for your input and advice @xiaofan
 

xiaofan

I am using a lower end Intel J4015 mini PC with 4 gigabit LAN ports for my home network. It has 8GB RAM and 256GB SSD. But I have too many things on the machine: OpenWRT/pfSense/OPNsense VM (only one is ON at a time) and a few LxC containers running Pi-hole or Adguard Home (three always ON, the other will be OFF most of the time). I have also a few Linux/BSD VMs installed which are normally OFF due to lack of RAM and disk space. It is still running Proxmox PVE 7.4 version. It has been running 24/7 since Jan 2021. I have a USB Fan attached on top.

I am actually buying an Intel N100 based mini PC with two LAN ports as well (16GB/512GB configuration). I also intend to install Proxmox 8 and move the Linux/BSD VMs from the J4105 mini PC to this new N100 mini PC. I am not so sure if I want to install OpenWRT/pfSense/OPNsense on this mini PC yet. Maybe I will but just for experiment and not to replace my Intel J4105 mini PC.
 

sgcarousell

I am going to use it to run win11 vm, Openwrt VM, pihole, adguard and jellyfin and a simple samba to upload n store my documents/photo backup and connect it via hdmi to my tv for some streaming and surfing when need to. :)
 

xiaofan

I see. I have no intention to install Windows 11 VM. That one needs quite some resources. So in your use case, it is indeed better to use Intel Core i3-N305 compared to Intel N100. I assume you will need 16GB RAM and 1TB SSD storage? Will you add external HDD/SSD using RAID 1 (not so sure if the Beelink support this feature)?

I use Google ONE for photo backup (200GB tier at S$40 per year, but may need to pay S$140 per year for the 2TB tier down the road, say in 2026 or 2027). I figured it is much easier to use Google ONE compared to use a local NAS.

I have Singtel TV and some paid online streaming services. I do not need to have local storage for streaming.

Then I have a simple OpenMediaVault file server running on a Raspberry Pi 400 with 512GB USB SSD for temporary file sharing and backup. This one is usually OFF and only ON once per month. Then I use two USB HDDs as well for documentation backup (very little stuff to backup in reality so probably once every month).
 