Build or buy a router


New here and this is my first post. I apologize in advance if it is not in the right spot. I have built a couple of computers before so I am comfortable doing that. I was wondering if it would be better/easier, in the long run, to buy or build a pc as a router.

I would buy a Kingdel NC1037U 8GB ram 128 GB SSD.

If I built, it would be all of these; I might get some fans as well for airflow.
CPU/Motherboard ASRock J5040-ITX
Crucial Ram 8GB 2400 MHz
Kingspec 64GB SSD
TP-Link 10/100/1000 PCI Express network Card
Silverstone ML05
FSP 350W Mini ITX 80 plus bronze

I want to be under $350-ish. I want it small, but it doesn’t have to be tiny like the Kingdel.

Related to this, I also want to do wifi. I have the Google mesh wifi. Would I be able to use those as wireless access points? I have a switch and would be able to connect them all directly to the router. Would I be better off buying a wifi card for my router? I know I might have to change some of my options if I go that way.

I will use either pfSense or OPNsense, I think. If you would recommend something else, please let me know.

I know I have a lot of information here so I apologize. Let me know if I am missing something or if you have any questions. Thank you!

What about one like this Protectli FW4B?

I saw that it’s what @PhaseLockedLoop was getting and it looks pretty nice I think, and cheaper than that Kingdel one.


If you are going to buy, definitely suggest the Protectlis with coreboot over the Kingdels or Netgates.

If you are going to build, well, you can build something infinitely better any time. If you are building, shoot for raw IOPS performance. This will help you with IDS/IPS and OpenVPN and such.


I’m sorry to ask but what do you mean by raw IOPS performance and what should I focus on for that?


Thanks for the input!! I’ll take a look.


I should have said OPS… oops… What I mean is you want a powerful CPU. The more powerful the CPU and the faster the RAM, the more OPS …

The issue with running these firewalls on tiny processors… like mine, if you check out “Phaselockedloopable- PLL's continued exploration of networking, self-hosting and decoupling from big tech” (Table of Contents, skip to Suricata Section):

It will absolutely destroy your throughput. I have 600 symmetric from Comcast. It went down to about 349 sym. The faster the CPU, the less this occurs. The faster the RAM, the less this happens. Does that make sense?

AES-NI is a must

So if you are building and have budget room, save on the motherboard as much as possible. Just get a gold power supply (you don’t need much), save on the SSD as much as you can… and toss the best RAM and CPU you can afford in.

@Buffy feel free to link any section of the blog. I like to branch it out like this to help direct people on the forum to existing information

The format to do so is simple


Thank you for clarifying. I kinda understand what you are saying. I was going to go with an embedded cpu/mobo cause of the tiny case I found. Now I might just do separate board and cpu. In your tiny one it’s DDR3, so going to DDR4 should make a big difference there right?

Any knowledge or input on the google mesh wifi pucks? Would I be better off trying to use those or get a wifi adaptor that goes into the pcie?


In order to answer you properly: what are your goals? They weren’t clear in the OP.

Goals are to have a better internet system. Not sure past that since I don’t know what’s possible still. Kinda why I want to build one so I can upgrade if necessary. I have a network switch so have a couple of rooms that are hard wired. The goals with the Google wifi pucks are: 1. I already have them, so less money I have to spend. 2. I’ve noticed a better connection and speeds with the wifi pucks. I also have home security stuff so it is hard to have them all connected to one regular router. Does that answer your question?

Sort of. Okay, here is my diagram.

Mind telling me how your current setup is running?

I’m guessing it is sort of like this:

                                          |Wi|Fi Puck 1+-------------------+
                                          +----+-------+                   |
                                               |                           |
                                               |                           |
                                           +---+--+                        |
     +-------------------------------------+SWITCH|                        |?
     |                                     ++-----+                        |
     |                                      |                              |
     |                                      |                              |
     |                                      |                              |
+--------+--------+                +------------+-+               +------------+----------------------------+
|Hardwired Devices|                |Aux Wifi Pucks+---------------+Devices I dont know about or Wifi Devices|
+-----------------+                +--------------+       ?       +-----------------------------------------+

You want to place an OPNsense ahead of the puck 1, between it and the internet. In order to help you buy I need to know, because to my knowledge… the OPNsense ahead of the puck will cause a double NAT, which is a no-no.

The issue with your pucks is they would need to operate in dumb AP/switch or a bridged mode, and to my knowledge there is no way. Maybe @Kat or @Novasty has an AP suggestion here.

If you are going to build or buy a system, we need to make sure we can actually do what you want with the hardware, and the Google wifi system to my knowledge doesn’t act as a bridge, which throws a monkey wrench in your operation :wink: I’m all for building this but you may have to give up the pucks.

So what I know now is

Cable from ISP —> Google mesh main puck. That’s the only wire. I’m not using the switch right now to make things simple. The other pucks aren’t hard wired in.

New system would be (theoretically)

Cable from ISP —> built router/firewall/vpn (not sure if what I build can do all that so still some work there) —> switch —> puck 1,2,3 each individually wired.

I’ve been trying to figure out if I can make them an access point by hard wiring all of them and still have the mesh capabilities. That is my question.

Let’s say I can’t do that though. What should my next option be? The reason for the mesh was to get a good signal in all parts of the house and outside for Ring doorbell and security cameras. I had a Netgear AC-1750 before and it wouldn’t work. Tried the outlet plugin extender things and wasn’t a fan. So what would my option be here?

The rig will probably be a new AMD or Intel (is it better for single or multi core performance?) with 8gb of DDR4. That shouldn’t be the bottleneck right?

After looking around, that does not seem to be the case:

I use Linksys Velop at home for my bridged mesh APs. They are pricey though.

I would recommend the protectli boxes as they are the “just works” out of the box solutions for pf(OPN)Sense.

It cannot to my knowledge.

If you want AP recommendations, I’m sure there are many depending on what you want.

If I buy the router I make/buy into bridge mode does that defeat the purpose of it?

The Linksys is basically the same thing, just doing it right, ha.

With the protectli boxes will I get to a point where I’ll need to upgrade it or wish I had a more powerful rig?

Thank you guys so much for the help!

So the deal here is your OPNsense Protectli would become your network’s router. It doesn’t defeat the purpose of it. It disables the functionality no longer used and needed that would conflict with the Protectli.

Ehh, yes and no, depends on what you want. Do you want open firmware and a system that is entirely open? (I’ve done this; it’s a challenge, but after it’s set up you’re golden.)

I mean it depends. Are you going to upgrade your internet speed? Is it symmetric? Will you be running a lot of services outside your home? These are the questions and “goals” @Novasty and I want to know before recommending a purchase.

If you don’t care about compact, build a low end Ryzen system using whatever $50 Ryzen CPU you can get. That CPU is so much better than the 1037U or the other 6W Pentiums / Celerons…

As a bonus you might be able to use the machine to do things alongside routing … because of all the motherboard expansion and cpu overkill you’ll get from using a full fat platform.


build or buy a router

Depends what you want / need. If you just need a router for networking and nothing else, or maybe at most a VPN, buying a router is always easier (and cheaper) and maybe flash OpenWRT / dd-wrt / Asuswrt-Merlin on it. If you have a hardon for pfSense / OPNsense (as the tags would suggest), then it depends on what your needs are. As I see you mentioned, you don’t necessarily want a USFF router, so building is the way to go if you go with a full-fat appliance OS.

As for what CPU to go for, I always suggest ASRock motherboards with soldered Celeron / Pentiums with Atom cores. I skimmed through the comments and I saw one where virtualization is mentioned. I’m against virtualized routers, at least for small scales, because you are definitely going to reboot the hypervisor from time to time, while the router will stay up. You really don’t want to have your whole network go down just because of a reboot (and even worse, your hypervisor going berserk and taking your router with it).

If you just want to learn pfSense / OPNSense, then virtualizing it is not a bad choice, but it is understandable that not having it run on a hardware is not so attractive.

I got an ASRock J3455M, 4 GB of RAM and a quad 1 Gbps HP (Intel) NIC. I’m doing some firewall blocking (nothing fancy) and run OpenVPN on it (got AES-NI enabled). Got separate LANs (LAN, WLAN and untrusted), each going to either my managed switch (separate VLANs) or to my wireless AP (an old router in bridge mode). And it’s completely overkill, I’d probably get away with 1 GB of RAM and a dual-core (as long as it has AES-NI for OpenVPN). If I didn’t need the firewall part, I would probably get away with one of my dd-wrt flashed TP-Links. From my testing, WireGuard is better than OpenVPN anyway (running on a Pi 4 2 GB, a Windows laptop, a Linux PC and a Linux off-site backup VM).


The OPNsense would conflict with the Protectli? My thought was instead of putting the Google wifi into AP mode or something I would bridge the OPNsense Protectli to the Google wifi. From what I read the Google wifi can bridge.

Speed won’t get above 1Gig. I apologize I cannot answer more of your question. I am still learning what is possible. I won’t be running a server or trying to access stuff from outside of my house if that helps. Still learning what I can do inside. From what I’ve read (sorry if this sounds ignorant) there are add-ons with pfSense. Not sure what would be beneficial. Maybe this is a better way to ask. You know what I won’t be using it for. So inside the house what would you guys recommend it be used for or what is possible?

I don’t have a hardon for pfSense/OPNSense just the first thing I found about having your own router and improving your home internet. As you mention later if you didn’t need the firewall you would do a flashed router. I would like a firewall. I am thinking Protectli (is that a USFF?) for ease of use and the fact that it will still be overkill maybe.

Let’s say I did build. You said that you have AES-NI enabled. Sorry to sound dumb, but where/what program are you using to enable it or is it in the hardware itself?

Protectli and Mintbox Mini 2 / Mintbox Mini 2 Pro (with 2 NICs), I would consider USFF (ultra-small form factor).

No worries. AES-NI is disabled by default in pfSense (not sure about OPNSense). You have to enable it manually in system -> advanced -> misc -> Cryptographic Hardware. Pretty much all Intel CPUs >=BayTrail have AES-NI. I think pretty much all AMD CPUs have AES-NI. AES-NI is an instruction to use hardware acceleration for cryptography. You only need AES-NI for OpenVPN and for pfSense 2.5 onwards it will be mandatory (not sure about OPNSense).

If you want a network wide firewall, then yes, go for pfSense / OPNSense.

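For the "is it in the hardware itself?" part of the AES-NI question above, here is an added example (not posted by anyone in the thread) that reads the CPU feature list on an x86 box and reports whether AES-NI is advertised. It assumes the Linux `/proc/cpuinfo` and FreeBSD `/var/run/dmesg.boot` text formats; the function names are hypothetical and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: does this x86 CPU advertise AES-NI?
# Reads Linux /proc/cpuinfo text or FreeBSD boot-log (dmesg.boot) text.

# has_aesni FILE -> exit status 0 if the feature list in FILE includes AES-NI.
# Compares whole tokens, so a longer flag that merely contains "aes" is ignored.
has_aesni() {
    awk '
        /^flags[ \t]*:/ {               # Linux: space-separated, lower case
            line = $0; sub(/^[^:]*:/, "", line)
            n = split(line, f, /[ \t]+/)
            for (i = 1; i <= n; i++) if (f[i] == "aes") found = 1
        }
        /Features2=/ {                  # FreeBSD: <A,B,C> list, upper case
            line = $0; sub(/^[^<]*</, "", line); sub(/>.*/, "", line)
            n = split(line, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "AESNI") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed sample inputs (not captured from real machines).
sample_linux_ok()   { printf 'model name\t: Example CPU\nflags\t\t: fpu sse4_2 popcnt aes rdrand\n'; }
sample_linux_none() { printf 'model name\t: Example CPU\nflags\t\t: fpu sse4_2 popcnt\n'; }
sample_bsd_ok()     { printf 'CPU: Example CPU\n  Features2=0x1<SSE3,SSE4.2,POPCNT,AESNI,RDRAND>\n'; }
sample_bsd_none()   { printf 'CPU: Example CPU\n  Features2=0x1<SSE3,SSSE3,CX16>\n'; }

# check_sample NAME -> prints "yes" or "no" for one of the samples above.
check_sample() {
    tmp=$(mktemp) || return 2
    "$1" > "$tmp"
    if has_aesni "$tmp"; then echo yes; else echo no; fi
    rm -f "$tmp"
}

# On a real box, check the first live source that is readable.
for src in /proc/cpuinfo /var/run/dmesg.boot; do
    [ -r "$src" ] || continue
    if has_aesni "$src"; then echo "$src: AES-NI present"; else echo "$src: AES-NI absent"; fi
    break
done
```

This only confirms what the CPU reports; the pfSense setting mentioned in the post is a separate step.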