pfSense is generally the go-to OS for this purpose, though there are a few alternatives and forks out there.
It performs well on older x86 hardware, so an old spare PC might be a good option if you have one around. I used an old Core 2 Duo system for years until I built my recent one based on a Ryzen 1200, which admittedly was a bit overkill, but such a system can handle multiple VPN connections at gigabit speeds without issue.
If building new, I would look for CPUs which have AES hardware encryption support. pfSense has been looking to make it a requirement for a while now (though they’ve moved it out indefinitely at the moment). I believe all Ryzen processors have this, but until recently only the more expensive Intel CPUs had it. Check Intel’s ARK website to find out which ones support the instruction set.
For ports, I would advise getting a couple of dual-port or a quad-port Gbit Intel NIC; they aren’t that expensive these days.
Such a system will probably run about 60-80 watts at idle… a bit more than your typical consumer router solution but this will be a prosumer grade router you are building with very powerful features. Still something to consider. Older hardware may eat up considerably more power at idle.
One final thought: is there a specific reason you are looking at needing 4+ Ethernet ports? Typically all you really need are 2 NIC ports, one for the WAN side and one for the LAN side. You could then plug a multi-port network switch into the LAN side and have as many (or few) ports as you like available for your network. If you want to segregate your network, get a smart managed switch and tag the various ports for VLANs, which pfSense supports.
Usually when people configure their router with more than 2 NIC ports, they are setting up fail over or link aggregation.
I went and picked up an old ThinkStation small form factor, dropped in a cheap quad-port Intel NIC, added pfSense and an access point (my old router is now my Wi-Fi access point) and have never been happier. I can definitely recommend the ThinkStations, as they are generally fairly cheap used, have full BSD support, and have Intel NICs onboard (which is great for BSD and networking in general).
Yes, generally it’s not the best to use built-in Wi-Fi cards with pfSense, as driver support is often an issue on BSD. That said, there are many Wi-Fi access points which work very well. I also purchased a UniFi AP Pro setup because my house is long, and the easy mesh networking setup for multiple APs was a huge selling point to get complete coverage with multiple wired PoE APs.
+1 for avoiding a “router” distro. A vanilla install has a lot fewer moving parts to it. You don’t have to fret about a GUI making indirect changes to the config files. You set the configs yourself. And if all you are doing is routing, handing out IPs, resolving DNS queries and firewalling, there isn’t much to configure.
The price of that simplicity and control is that there is no hand-holding. That’s no problem if you are already familiar with Linux (or BSD if you go that way). If you do want fancy graphs or a GUI, it would be easier to go with a “router” distro rather than configuring all those packages yourself.
Alpine will certainly result in a lean system, but I think an LTS version of Ubuntu Server is a better pick. With Ubuntu Server you get Debian package management. And with an LTS release you get 5 years of support. So with 18.04, you know that unattended-upgrades is going to install security fixes within hours after release by Canonical until April 2023. Basically, you know today how long you are supported and what your upgrade paths will be.
I don’t think there is another choice that offers that kind of stability. And with the simpler system, I think you have something that is more secure and more easily maintained.
I’m personally running a pfSense box with an ASRock J3455M and 8 GB of RAM (the RAM is overkill, but I first intended to use this PC as an HTPC - bad decision). The box uses at most 20 W (if even that). I have a quad-port 1 Gbps HP NIC with an Intel chipset, but I just suggest you get a separate 1-port, or at most 2-port, NIC, buy a managed switch, configure VLANs and use an old Wi-Fi router in bridge mode as an AP.
To be honest, having a custom router/firewall at home is overkill. You’re better off starting with a Raspberry Pi, installing Pi-hole, enabling DHCP, using your old router in bridge mode as a switch and AP, and, if you feel a little courageous and you like the smell of burning money, buying a domain and a static IP or DynDNS and installing an OpenVPN server on it as well.
Very much disagree with avoiding a well tested router distribution personally.
Why? Because to get the same level of features you’re just reinventing the wheel. I have other things I’d rather spend my time on.
The open-source-router problem is solved. There are plenty of established router/firewall distributions, take your pick.
Rolling your own, you’ll be screwing around setting up bandwidth monitoring, alerting, graphing, IDS, UPnP/NAT-PMP if you want it, etc. via the command line, for what? It is a waste of time doing stuff that has already been done for you out of the box. Can I do this? Sure. I did it back in the 90s/early 2000s as my day job. Would I do it again today? Fuck no!
And if you aren’t putting on bandwidth monitoring/IDS/etc., then you’re going to be pretty blind if/when something happens, either to your internal network (host compromise via malware or whatever) or when you’re dealing with someone hogging your bandwidth.
No NAT-PMP/UPnP = setting up port forwards for games, etc. will be a pain in the ass.
Eventually you find yourself wanting the things that a router distro has on it already, and you just end up hacking something together yourself.
At work, the IT staff before me used Ubuntu as the main router with iptables on it as the firewall and now I’m cursing my life for having to administer all those old rules, ipsets and routes (we also have a separate Ubuntu running Quagga serving as a BGP router, but I don’t mind Quagga), which is why I want to eventually migrate the router / firewall to pfSense. We don’t have money to spend on FortiGate. Once you start having lots of subnets and VPNs, it gets pretty hard to manage.
As far as stability goes, pfSense is stable. Here’s a photo from April last year of my pfSense box:
That’s great, this is for a home router. I don’t disagree that if you have a complicated setup, need “fancy” features or are in an enterprise environment, configuring it all yourself is not the way to go. That’s probably why I wrote almost exactly that in my original suggestion.
But most home use gets along fine without those things. I certainly do.
And it’s disingenuous to suggest that Ubuntu Server/bind/isc-dhcp-server/iptables are “rolling your own”, “custom” or not “well tested”, or that the simplicity of those programs is somehow going to result in lots of maintenance.
If you have a simple setup, pfSense is easier (and far, far less time consuming).
If you have a complex setup, pfSense is easier.
If you’re in an enterprise (or even as a home user), you can buy pfSense support aimed at firewall use.
Ubuntu isn’t so much rolling your own, but you are having to configure each and every package you install manually, and leaving yourself far more open to fucking things up in all manner of ways due to misconfiguration.
Generally, a dedicated router platform abstracts a lot of the shooting yourself in the foot away from you. The defaults are sane (in the context of being a firewall - they are purpose-built) outside of the site-specific configuration you need for your own environment.
Displaying firewall rules in sections with the GUI makes things clearer and easier to read, so you can identify errors in your firewall rules much more easily.
Replace “pfSense” above with whatever mainstream firewall distribution of your choice…
Sure, a minimal install of Ubuntu (or better, Debian) can do the job if you configure everything manually and install the required packages manually, but you’re going to be spending a lot of time reading man pages, figuring out the different configuration directives across all the different packages, etc.
i.e., wasting time and brain power on the implementation side (the grunt work) of securing your network rather than having that time available for doing other things like, say, implementing an IDS or fine-tuning your IDS so it is useful…
Work smarter, not harder.
Perhaps you feel like you have more control doing everything manually with Ubuntu? Sure, maybe you do. But it’s not really required, and the cost of that control is a lot more time investment wasted doing wheel re-invention rather than doing something more productive (or more fun).
The point of the uptime wasn’t a “game” - the point was to show its stability. And while 352 days > 103 days, after 2 months it really doesn’t matter which person has the higher uptime, the fact of the matter is that they are both stable OSes, which was a counter-argument to:
pfSense and a DIY router using Ubuntu, Alpine or OpenBSD are all stable and simple, even if pfSense comes with a GUI. A GUI is not necessarily more complex. The advantage of a GUI is ease of administration. More “complex” than a GUI-less server? Sure, a little more. But complex in the real meaning? No, the GUIs provided by pfSense or OPNsense are simple and don’t introduce a lot of complexity. Can a GUI be complex and introduce instability? Absolutely! But it’s absolutely not the case when it comes to most router/firewall distributions. Even OpenVPN server has a simple GUI if you want one.
Based on my home router experience, you are exaggerating the complexity of a simple setup.
Each and every package? There are only two necessary, non-default packages: isc-dhcp-server and bind (or their moral equivalents). Admittedly you do have to do a little typing to configure them. Once. And you can’t shoot yourself in the foot. They are on the LAN side.
Sane defaults like the iptables default policy to block everything? The only holes in my firewall are the ones I specifically typed in. I don’t have to worry about a misclick or the GUI altering the configuration in the manner I anticipated.
To me that is worth more than being able to click on things or see my few firewall rules rendered in a website instead of a text editor.
The complexity you are referring to doesn’t exist on my setup, which simply routes, hands out IP addresses, resolves DNS queries and firewalls.
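The default-deny iptables setup described in the post above (a default DROP policy, DHCP and DNS offered on the LAN side only, and no holes other than the ones typed in), as an added example that is not any poster's actual configuration: a POSIX shell script that renders a complete iptables-restore ruleset for a two-NIC router. The interface names eth0/eth1, the LAN prefix 192.168.1.0/24 and the FW-*-DROP log prefixes are assumptions passed in as arguments. It also includes a check that no rule accepts unsolicited traffic arriving on the WAN interface, so "the only holes are the ones I typed in" is verified rather than assumed, and a rate-limited LOG rule before each chain's policy kicks in so that drops leave a trace.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny iptables ruleset for a two-NIC
# home router. Interface names and the LAN prefix are assumptions given as arguments.
set -e

# gen_ruleset WAN_IF LAN_IF LAN_NET -> prints the ruleset in iptables-restore format
gen_ruleset() {
    wan=$1; lan=$2; net=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Hide LAN addresses behind the WAN address
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
*filter
# Default policy: anything not explicitly accepted below is dropped
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Services offered to the LAN side only. DHCP has no -s match because a
# DISCOVER arrives from 0.0.0.0; DNS (bind) and SSH are limited to the LAN prefix.
-A INPUT -i $lan -p udp --dport 67 -j ACCEPT
-A INPUT -i $lan -s $net -p udp --dport 53 -j ACCEPT
-A INPUT -i $lan -s $net -p tcp --dport 53 -j ACCEPT
-A INPUT -i $lan -s $net -p tcp --dport 22 -j ACCEPT
-A INPUT -i $lan -s $net -p icmp -j ACCEPT
# Log what falls through (rate limited) before the DROP policy applies
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "FW-INPUT-DROP: "
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Only the LAN may originate connections towards the WAN
-A FORWARD -i $lan -o $wan -s $net -j ACCEPT
-A FORWARD -m limit --limit 10/min -j LOG --log-prefix "FW-FORWARD-DROP: "
COMMIT
EOF
}

# check_wan_exposure WAN_IF  (ruleset on stdin)
# Returns 1 if any rule accepts traffic arriving on the WAN interface; with a
# default-deny policy the only WAN ingress should be conntrack replies.
check_wan_exposure() {
    if grep -E -- "-i $1 .*-j ACCEPT" >/dev/null; then
        echo "WARNING: a rule accepts unsolicited traffic on $1" >&2
        return 1
    fi
    return 0
}

# apply_ruleset WAN_IF LAN_IF LAN_NET  (root; iptables-restore replaces atomically)
apply_ruleset() {
    gen_ruleset "$@" | check_wan_exposure "$1"
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_ruleset "$@" | iptables-restore
}

case "${1:-}" in
    --show)  gen_ruleset "$2" "$3" "$4" ;;
    --apply) apply_ruleset "$2" "$3" "$4" ;;
esac
```

`sh router-fw.sh --show eth0 eth1 192.168.1.0/24` prints the ruleset for review; `--apply` as root loads it in one step, so a typo never leaves the box half-configured. On Debian/Ubuntu the iptables-persistent package restores a saved ruleset at boot.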
How are you planning to do DNS resolution for your LAN? You can certainly shoot yourself in the foot with bind (for example).
You’re not comparing apples to apples. If that’s all your box does, you have no real way of detecting compromise or monitoring your network.
Which is kinda the point of running a router distro or your own firewall. Not monitoring for anything is just basically rolling the dice and hoping (most compromises of internal hosts these days are via malicious website, malicious email, etc.). A firewall that just does ACLs (and no monitoring, scanning, content inspection, etc.) is next to worthless vs. just turning on host based firewalls on your end devices these days.
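The monitoring gap raised in the last two posts, as an added example that is not the thread's own tooling: a few constructed kernel log lines in the shape the iptables LOG target produces (the FW-INPUT-DROP / FW-FORWARD-DROP prefixes, interface names and addresses are all assumptions), with two POSIX shell functions that summarise dropped packets per chain, source and destination port and list internal hosts whose traffic hit a drop rule. Repeated drops from one external source are normal background noise; a LAN address turning up in the drops is the kind of signal an ACL-only firewall without logging never surfaces.

```shell
#!/bin/sh
# Added example (not from the thread): summarise iptables LOG drop lines.
# SAMPLE_LOG is constructed test data in the LOG target's format, not real traffic.
set -e

SAMPLE_LOG='Apr 14 10:02:11 router kernel: [120.1] FW-INPUT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=60 TTL=52 PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
Apr 14 10:02:12 router kernel: [121.3] FW-INPUT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=60 TTL=52 PROTO=TCP SPT=40002 DPT=23 SYN URGP=0
Apr 14 10:02:13 router kernel: [122.0] FW-INPUT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=60 TTL=52 PROTO=TCP SPT=40003 DPT=22 SYN URGP=0
Apr 14 10:02:15 router kernel: [124.7] FW-INPUT-DROP: IN=eth0 OUT= SRC=203.0.113.50 DST=203.0.113.2 LEN=60 TTL=48 PROTO=TCP SPT=51000 DPT=3389 SYN URGP=0
Apr 14 10:02:17 router kernel: [126.2] FW-FORWARD-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.40 LEN=60 TTL=63 PROTO=TCP SPT=51514 DPT=25 SYN URGP=0
Apr 14 10:02:18 router kernel: [127.5] FW-FORWARD-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.41 LEN=60 TTL=63 PROTO=TCP SPT=51515 DPT=25 SYN URGP=0
Apr 14 10:02:20 router kernel: [128.0] eth0: link is up, 1000 Mbps full duplex'

# summarize_drops  (log on stdin) -> "COUNT CHAIN SRC DPT", most frequent first
summarize_drops() {
    awk '
        /FW-[A-Z]+-DROP:/ {
            match($0, /FW-[A-Z]+-DROP/); chain = substr($0, RSTART, RLENGTH)
            src = "?"; dpt = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            count[chain " " src " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# lan_sources LAN_IF  (log on stdin) -> distinct internal sources that hit a drop rule
lan_sources() {
    awk -v lan="$1" '
        /FW-[A-Z]+-DROP:/ {
            src = ""; inif = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^IN=/) inif = substr($i, 4)
                if ($i ~ /^SRC=/) src = substr($i, 5)
            }
            if (inif == lan && src != "") seen[src] = 1
        }
        END { for (s in seen) print s }
    ' | sort
}

# report LAN_IF  (log on stdin) -> both views, for a daily cron mail or a terminal
report() {
    tmp=$(mktemp)
    cat > "$tmp"
    echo "== dropped packets by chain / source / destination port =="
    summarize_drops < "$tmp"
    echo "== internal hosts (IN=$1) hitting drop rules =="
    lan_sources "$1" < "$tmp"
    rm -f "$tmp"
}

case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_LOG" | report eth1 ;;
    --file) report "${3:-eth1}" < "$2" ;;
esac
```

`sh fw-drops.sh --demo` runs it over the constructed sample; `sh fw-drops.sh --file /var/log/kern.log eth1` runs it over a real kernel log, where the second section is the one worth alerting on.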