Openwrt Router Firmware

TanKianW

what would be a suitable new router that is supportable by OpenWRT that has decent wifi coverage for a 2room hdb (elderly occupant). shortlisted Linksys E8450, but only issue is no external antennas so i am concerned about wifi coverage.

I will take a look at GL.iNet routers.
 

xiaofan

what would be a suitable new router that is supportable by OpenWRT that has decent wifi coverage for a 2room hdb (elderly occupant). shortlisted Linksys E8450, but only issue is no external antennas so i am concerned about wifi coverage.

If you need to have wireless, yes that is a decent choice.
https://openwrt.org/toh/views/toh_available_16128_ax-wifi
However, I will actually suggest to get a mini PC running Intel J4125 or better like Intel N5005/N6105 or even the latest N100. Then you add a cheap Wifi 6 AP like TP-Link Archer AX72 (AX5400, at about S$75 to S$80, BNIB from Carousell).
 

gpgtmeowmeow

what would be a suitable new router that is supportable by OpenWRT that has decent wifi coverage for a 2room hdb (elderly occupant). shortlisted Linksys E8450, but only issue is no external antennas so i am concerned about wifi coverage.
E8450's wireless is able to cover 5 rooms if you place it in the middle of the house. Even if you're unable to connect to the 5GHz radio at a distance, the 2.4GHz is still plenty fast. Note that the devices (PC/Handphones/etc.) will need to have Wifi6 chip and above installed to enjoy the speed.

Overall, I won't recommend you flashing OpenWRT on the E8450 until you have read the instructions properly. If you brick the router during the FW Flash, you will need to take it apart and connect via serial and reflash it. In fact, it should be fine to use it as it is (stock), if you just need a normal and simple home network.

My thoughts on the E8450 are that while it is a decent router, it is better as an AP. But, there are easier APs to set up around such as the UNIFI U6 Lite and TP-Link Omada AP.

In a 2room, 1 wifi router or 1 access point is more than enough.

Btw, if you do consider minipc as router as suggested by xiaofan above, do take a look at pfsense/opnsense too.
 

DarthGW

my intent is to have a low maintenance fuss-free network setup so a router+AP single device is ideal, especially for a single user and the coverage space is smaller.
might have a go at the GL.inet router on shopee.
 

xiaofan

my intent is to have a low maintenance fuss-free network setup so a router+AP single device is ideal, especially for a single user and the coverage space is smaller.
might have a go at the GL.inet router on shopee.

In that case, indeed GL.iNet router may be an easier choice compared to Linksys E8450 since it works out of the box. However, I do not really think it is a better choice other than the size advantage. I do not see anything wrong going with E8450 either as it is officially supported by OpenWRT project. GL.iNet routers are usually supported by their own OpenWRT fork. Personally I will go for an OpenWRT router which is officially supported by the OpenWRT project and not just by a vendor.

https://openwrt.org/toh/views/toh_available_16128_ax-wifi
https://github.com/gl-inet/openwrt
https://forum.openwrt.org/t/easiest-fastest-way-to-get-an-openwrt-router-gl-inet/151327
 
xiaofan

For those who have EA7500 v2 or EA8100 v1 (and actually other OpenWRT router as well), here is a good guide to use them as a wireless AP + VLAN switch (not as a router, not used for DHCP), behind pfSense main firewall/router and main VLAN switch.

He is using pfSense as the main Firewall/gateway (main router), then use a Unifi VLAN capable switch to distribute the VLAN.

You can see that OpenWRT is not very user friendly for VLAN configuration. pfSense seems to be much better in this aspect.

The author actually mentions that the MTK radios work very well with IoT devices.





 

xiaofan

Usually you do not see OpenVPN speed higher than 1Gbps for typical routers, including those running OpenWRT/pfSense, but interestingly one TP-Link business router (not running OpenWRT or pfSense) is able to do that.

TP-Link ER8411 is able to achieve 1665.64 Mbps with OpenVPN as per the vendor.
https://www.tp-link.com/sg/compare/?type=smb&typeId=5749&productIds=61511,61302,41509
On the other hand, TP-Link ER7212PC seems to be a pretty good gigabit PoE VPN router but it can only achieve 34Mbps with OpenVPN.
 

xiaofan

I saw warnings on my OpenWRT installation about mixing iptables with new nftables in "Status -- Firewall".

Since I do not need the legacy rules, I deleted them by following the guide here. No more warnings after that.
https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html
But it is said that you may still have legacy iptables entries if you use fq_codel for sqm. You can use cake instead to get full nftables compatibility.
https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html
 

xiaofan

Interesting read: Linux/BSD based firewall solution
https://teklager.se/en/best-free-linux-router-firewall-software/
In the end, the author recommends the following 4.
1) OPNsense
2) OpenWRT
3) pfSense
4) IPFire

Final verdict from the author:

In short, if you plan to use WiFi in your router, choose OpenWRT. It has the absolute best support for wireless of all systems we have tested.

If you don't need WiFi support or are planning to use separate Access Points, we recommend OPNSense or pfSense.


+++++++++++++++++++++++
I guess OPNSense and pfSense are the king of open-source firewall software now (BSD based).

But now I am more interested in OpenWRT as it performs better as a Proxmox VM in my low power Intel J4105 mini PC than pfSense/OPNsense (not able to get 1Gbps with pfSense/OPNsense due to the BSD driver issue).

I am also playing with IPFire, which is Linux based and has no issue with 1Gbps Ethernet, as a VM inside Proxmox.

Edit to add:
With pfSense CE 2.7.0 release, the issue with the slower virtual network interface card (virtio/vtnet) has been solved.
+++++++++++++++++++++++
 

xiaofan

If you are into ids/ips, OpenWRT actually has support for snort (but not suricata). It is probably for lower end consumer router which typically no more than 1GB of RAM, but rather for people using more powerful x86_64 (or maybe ARM64) machine with higher amount of RAM.
https://openwrt.org/docs/guide-user/services/snort
Personally I will not try this myself as I do not have powerful machine for this experiment.
 

xiaofan

Pi-hole and Adguard Home DNS filter are popular choices with OpenWRT.

The DNS-hijack tips here are useful, if you want to stop clients which want to use other DNS servers (including DoT/DoH DNS servers).
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns
The following video is a bit old now but I think it is still useful. However, I think the iptable based firewall rule may need to be changed.
 

Hafi

Pi-hole and Adguard Home DNS filter are popular choices with OpenWRT.

The DNS-hijack tips here are useful, if you want to stop clients which want to use other DNS servers (including DoT/DoH DNS servers).
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns
For those using GL.iNet devices running OpenWRT that have Adguard Home integrated, the Port 53 rule is already enabled by Adguard as default under Luci --> Network --> Firewall --> Port Forwarding (you won't see it on GL.iNet web admin)

However for DoH port 443, if anyone finds it overwhelming dealing with firewall command-line (looks scary to me) and setting up Hotplug extra... I found a simple workaround which is to block off DoH DNS server hostnames instead.

You can find the blocklist here --> https://raw.githubusercontent.com/travisboss/TheGreatWall/master/doh.txt or google for "DoH-IP-blocklists" for pi-hole syntax

The downside is you can't block off Cloudflare 1.1.1.1 (available on Chrome browser) under secure DNS but this is considered a backdoor for me since I can use it when I need to access blocked URLs temporarily without having to login to GL.iNet/OpenWRT interface then Adguard Home to disable something.
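
Added example, not part of the original post and not code from AdGuard or GL.iNet: a small Python normaliser for a DoH hostname blocklist of the kind linked above. It turns hostnames into `||name^` rules and separates out IP-literal entries, which a DNS filter never sees because no lookup happens for them; the sample list and all function names are constructed for illustration.

```python
import ipaddress
import re

SAMPLE_LIST = """\
# DoH resolvers (constructed sample, not the real list)
dns.google
0.0.0.0 doh.example.net
cloudflare-dns.com   # inline comment
DNS.Google
1.1.1.1
2606:4700:4700::1111
not a hostname!
"""
LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")

def is_hostname(name):
    labels = name.split(".")
    return (len(name) <= 253 and len(labels) >= 2
            and all(LABEL.fullmatch(label) for label in labels))

def parse_blocklist(text):
    """Return (hostnames, ip_literals), de-duplicated, in file order."""
    hosts, ips = [], []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        # hosts-file style line ("0.0.0.0 name"): keep only the name
        if len(fields) == 2 and fields[0] in ("0.0.0.0", "127.0.0.1", "::"):
            fields = fields[1:]
        if len(fields) != 1:
            continue                      # blank, comment or malformed line
        entry = fields[0].lower().rstrip(".")
        try:
            ips.append(str(ipaddress.ip_address(entry)))
        except ValueError:
            if is_hostname(entry):
                hosts.append(entry)
    return list(dict.fromkeys(hosts)), list(dict.fromkeys(ips))

def to_adguard_rules(hosts):
    """AdGuard-style rule: ||name^ blocks the name and all its subdomains."""
    return [f"||{h}^" for h in hosts]

def is_blocked(qname, hosts):
    """Would a DNS query for qname hit one of the generated rules?"""
    q = qname.lower().rstrip(".")
    return any(q == h or q.endswith("." + h) for h in hosts)

if __name__ == "__main__":
    names, literals = parse_blocklist(SAMPLE_LIST)
    print("\n".join(to_adguard_rules(names)), "\nneeds a firewall rule:", literals)
```
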
 

Hafi

The downside is you can't block off Cloudflare 1.1.1.1 (available on Chrome browser) under secure DNS but this is considered a backdoor for me since I can use it when I need to access blocked URLs temporarily without having to login to GL.iNet/OpenWRT interface then Adguard Home to disable something.
some pple might ask why wanna block DoH?

You can actually bypass DNS filter (Adguard or pi-hole) with DoH traffic by using Chrome browser under Security --> Use secure DNS --> choose a DoH DNS provider.

Use case example: your cousin/family member uses your wifi network on his phone/laptop to surf some undesirable websites that you have blocked with DNS filters but he is savvy enough to switch to DoH DNS provider on his Chrome browser effectively bypassing your DNS server/filter.
 

xiaofan

In fact I am having issues with my Asus RT-AX86U router (running Stock Asus FW) when it comes to DoH. I am using Pi-hole but the Asus FW settings against DoH do not work.

My Realme X50 5G Chrome browser is implicitly using DoH with Google DNS. My OpenWRT Pi-Hole works fine against that but not Asus. My temporary solution is to use Firefox browser, or set Private DNS using ad-blocking DNS (eg: p3.freedns.controld.com).

 

Hafi

In fact I am having issues with my Asus RT-AX86U router (running Stock Asus FW) when it comes to DoH. I am using Pi-hole but the Asus FW settings against DoH do not work.

My Realme X50 5G Chrome browser is implicitly using DoH with Google DNS. My OpenWRT Pi-Hole works fine against that but not Asus. My temporary solution is to use Firefox browser, or set Private DNS using ad-blocking DNS (eg: p3.freedns.controld.com).
I have an entirely different setup from you, my twin Asus RT-AX92U (Gnuton Merlin FW) are running as AP and mesh node while the Brume 2 serving Adguard Home as the router.

My experience with Asus router is don't rely on it too much for DNS as it is capable of basic functions and slow in catching up with these DoH/DoT/Quic tech. No experience with running pi-hole but isn't it supposed to filter and send DNS requests upstream to DoH providers directly like what AdGuard does, instead of passing to Asus? I have not fiddled/looked at my Asus router DHCP/DNS functions as it is setup as AP + node the moment it is deployed for use (another reason why I want to avoid Asus for DNS).
 