I’m a long-time Level1Techs lurker and subscriber since the Tek Syndicate days, and whilst I’ve seen a few videos on how to set up your own home router, they’re usually quite expensive and overkill for my needs.
I’m looking to update my home network, specifically moving away from a standard home router and onto a DIY firewall that ticks the following boxes:
2.5Gbit LAN/WAN support
Customizable firewall rules (above that of a consumer router)
VLAN support (primarily to segregate IoT devices)
IDS/IPS whilst maintaining full throughput at 2.5Gbit
WireGuard VPN support whilst maintaining full throughput at 2.5Gbit
Cannot be rack mount equipment
I am looking for recommendations for:
1x Firewall Appliance - Need Suggestions for hardware and software
2x Wi-Fi 6E Access Points (PoE) - Need Suggestions
I’ve looked at going all UniFi but the only appropriate firewall is the Cloud Gateway Ultra which doesn’t do 2.5Gbit (it has a 2.5Gbit WAN port but doesn’t actually support that speed).
I’m thinking pfSense or OPNsense on some kind of NUC that has dual NICs, like the Beelink EQ12 for example.
I do not know if the particular unit I am suggesting fits all your needs; you must do some research to see. If you will use any Ubiquiti (UniFi) products, do yourself a favor and stay within all UniFi product lines. While having a UniFi AP and UniFi switch without a UniFi gateway is possible, you will save yourself a lot of trouble. I used to run pfSense as my gateway using the UniFi switch and their UniFi AP. When I was running pfSense instead of a Dream Machine SE as my gateway, every few days I would have issues with either my UniFi switch or my UniFi AP. When I added my Dream Machine SE, all issues went away. Protectli Vault FW6A - 6 Port, Firewall Micro Appliance/Mini PC - Intel Dual Core, AES-NI, Barebone
When it comes to software to run as a firewall/gateway, you have a lot of choices. Personally, for home use (not business), I recommend the open-source project OpenWRT. For businesses or someone who wants more features out of the box, I recommend pfSense. In my opinion, there isn’t anything wrong or bad about OPNsense; I just prefer the pfSense layout.
Whatever gateway/firewall software you go with, I don’t recommend virtualizing the environment.
You aren’t going to get all that in any single device. What you are describing is a full network stack in one box, and even building that yourself you won’t get that in a single device. To get everything you are asking for you would need custom-built PCBs and form factors. So here is my suggestion:
Buy a switch and APs
Build an OPNsense router
Get all those functions in a form factor you don’t want
2.5 Gb/s with IDS is probably going to be easiest with an x86 router - OPNsense/pfSense
PoE switches and APs → Whatever brands you feel comfortable setting up / can afford (if you’re asking here then probably UniFi, as it is easiest to set up and competitively priced.)
If you don’t rack-mount all that it’s going to be a total mess.
Exactly, that is the cheapest way to do it. It’s not all-in-one SOHO consumer router cheap, but they are trash for a reason.
A purpose-built OPNsense appliance will last pretty much indefinitely, functionality and raw power wise. So the relatively puny difference in cost will pay itself back soon over a much longer effective lifespan.
The limit there is what you can set up, not what the hardware and crippled, locked-down firmware can do.
Pair that up with UniFi WAPs, and you are golden. You do not need the full UniFi stack for the APs themselves, and OPNsense is more practical than UniFi if you want to be homelabbing.
Now that makes more sense and our task much easier. Now to understand your requirements a bit more. Why no rack-mounted equipment? Also, the 2.5Gbps is going to be tough as almost no network gear is configured like that (computers are, network gear not so much). Regardless, here is my suggestion then. Build the OPNsense/pfSense router in whatever form factor fits (mine is rack mount as is everything else). Then go look at the TP-Link TL-SX3016F switch. It will give you 10 SFP+ ports that will let you run up to 10Gbps speeds on a managed switch. Then look at the TP-Link APs too, as it will give you everything in a single ecosystem that can be centrally managed. Ubiquiti gear is good too, so don’t overlook them. I recommend TP-Link’s Omada series as it is my preference, but everyone has their own views on this.
Yeah, I’m leaning towards some kind of x86 appliance with pfSense/OPNsense, but which appliance will do the job is the question. I’ve updated my post to be more specific, and removed some extra bits about equipment I already own.
I have no issue selecting PoE switches; however, in regards to APs, there are a lot on the market. I’m less concerned with ease of setup, and more concerned about reliability, cost and performance, so I’m looking for input from those who would recommend specific brands/APs.
Due to the nature of the home, this equipment will be spread throughout and mounted in various hidden areas; however, I cannot have rack mount equipment as there is no appropriate place for a rack.
For example, the firewall appliance is located with the ONT in the attic space. The appliance uplinks to a switch in an under-staircase storage area, with devices including a NAS, a NUC and 1x PoE AP on this switch. The under-stairs switch uplinks to an office switch with more devices, 1x AP and PoE cameras. CAT6 ethernet is being used.
This is just an example, please don’t over think the topology. In this scenario, I just cannot use rack mount equipment.
I wouldn’t put any such device in a non-climate-controlled space, as the temperature extremes can and will cause problems. Beyond that, I get the space constraints, and we all deal with that in different ways, but in general a small 6U rack will more than hold all that gear and be more size and space efficient, as it could be shoved in the corner of a closet without consuming much space. Regardless, it is your house and network, so you do you.
I would have to disagree with @greatnull’s above remark. Running UniFi switches and UniFi APs without a UniFi gateway is asking for trouble. I had issues using pfSense with UniFi second-layer switches and their APs. The main issue I had every three weeks or so was that the connection between pfSense and my UniFi switch would somehow get corrupted, meaning the internet traffic would not go to my clients.
Believe me, in an ideal world I’d have a lovely rack-mounted setup and I’d be using at least 10gig fibre uplinks! I’d also live in a bigger house.
Theoretically, I could have a small rack in this house; however, the other half isn’t really on board with that idea, haha. I appreciate that you want to recommend the best possible setup, however it’s just not feasible here, so I’m looking to make the best out of a situation which has limited physical space and budget.
In regards to climate control, I live in the UK and we really don’t get many extremes of weather, and I don’t anticipate any issues, but again, I don’t really have a choice. But I appreciate the advice nonetheless.
I agree with @StrY that a MikroTik router has a steep learning curve, and I am trying to learn how to configure MikroTik routers properly. I have a GNS3 appliance of their routers, and their switches are much easier to deal with.
The space constraints don’t change my gear recommendations, as what I recommended can be rack mounted but it doesn’t have to be. And regardless of the climate, you would be better off putting your router on a shelf or even on the floor of a closet than in the attic. Attics are quite literally the worst possible place for any computer gear, as that environment has every environmental hazard that is detrimental to a computer (humidity, wide variations in temperature with extremes, etc.). Computer hardware simply isn’t designed for such environments (at least in most cases).
WireGuard VPN support while maintaining full throughput at 2.5Gbit.
This requirement is going to be hard to find. I don’t think WireGuard can sustain one 2.5Gbit tunnel, but multiple tunnels might be possible. I don’t know a lot about WireGuard.
I’d recommend running FreeBSD 14(.1) with pf and installing what you need. If you want to do source builds relatively painlessly, go for 16GB of RAM. Most other software will work fine too. As others have said, forget about IDS if you want it “budget-friendly”, or at least be realistic about it.
For a home setup I would highly recommend you NOT lock into some silly vendor software such as UniFi, because it’s more work (and money) than it’s worth for a small home network. Just grab two routers that support OpenWrt (preferably ones based on MediaTek Filogic) and set them up as “dumb APs” and you’re done. There’s no need to overengineer a home network setup just because, and since you’re asking, it’s likely not going to be utilized “properly” either way. You’ll also have better (aftermarket) software support further down the road than what any vendor will provide, at least within a reasonable price range.
There is no official reason why it should be problematic for APs only, and I have run that kind of setup in a SOHO for ~5 years continuously without any observed issues. I am expecting this to still be the case.
I have since moved on to a full UniFi network, but APs + the software UniFi controller, which was started once every few months for updates, was sufficient.
Hence my recommendation. It worked flawlessly in the past, and I don’t think I was alone in running this kind of setup.
The only potential issue is that not every UniFi AP has integrated Bluetooth for a controllerless setup. They are only a few so far, though.