Looking for a Router/Firewall

I’ve been using EdgeRouter X since 2016. It does have a sophisticated firewall when configured as an Internet gateway.

1 Like

Shouldn’t my switch basically handle inter-VLAN routing?

Currently, the J4125 looks very promising to be honest…

It’s also a more or less dead-end platform, being MT7621 (MIPS); not like their Octeon platforms are any better in that regard, but the EdgeRouter X is quite cheap at least…

2 Likes

Be aware that FriendlyElec hardware in general has quite poor support overall despite using popular SoCs etc.

2 Likes

Not only them, many SBCs have a similar situation, so I always advise choosing an SBC that has good support somewhere and by someone. From FriendlyElec I have the ZeroPi and Armbian supports it without any problem. For an SBC it’s a good idea to choose one that has Armbian or DietPi support… or very specific ones like IPFire. :wink:

1 Like

MT7621 inside ERX is still suitable for SOHO use. It manages my Internet connection starting from 100M to now 1000M. No problem.

I run 100+ firewall rules, one of them a blacklist of over 50k malicious IP addresses/networks. I run an SSH forwarded connection to the cloud across continents, peak speed ~50Mbps. I run an IKEv2 VPN for my smartphone when I’m out and about, peak speed ~150Mbps. I also run an HTTP load balancer for a couple of Internet servers behind the router. All these are in addition to the usual router tasks.

However, the EdgeMax line is long overdue for a refresh in both hardware and firmware. I wouldn’t recommend people buy the ERX or other EdgeMax routers. In fact, I don’t recommend people buy any Ubiquiti products. They have had a big problem in managing the company for the last five years or so.

Many EdgeMax corporate users have quit. My ERX is on its last legs. I’ve planned to move to VyOS on a tiny x86_64 PC. Since the ERX is still doing very well, I can’t find a reason to pull the trigger yet.

1 Like

You’re likely better off getting one that’s supported by mainline Linux and/or BSD distro(s), as Armbian seems to rarely upstream patches etc. Never looked into DietPi, but looking at their website it appears they’re mostly about packaging and not so much about platform development?

2 Likes

MIPS still works; however, “everyone” is moving away from it at this point. The MT7621 can service quite fast connections if you don’t task it with too much stuff, compared to, let’s say, Atheros MIPS SoCs, but it’s not something I would recommend buying “new” unless it’s dirt cheap.

1 Like

In that case, the number of SBCs will probably decrease even more? :wink:

2 Likes

Yes, but you’ll get something that works with little to no issues at all in the long run.

2 Likes

I know 2 people on the forum that are very happy with the Protectli FW4B.

Those things can even be flashed with coreboot if you want a FOSS router, but they are on the expensive side at almost $400 for the barebone. But for the price and size, it is pretty hard to beat: it is a block of aluminum (so completely silent), has 4x gigabit ports and WiFi, and includes a VESA mount. But you already bought a Unifi 6 LR, so the WiFi is kinda redundant, unless you have a use for it (multiple APs).

The Netgate 1100 is pretty neat, but hasn’t been updated in years, so it has lackluster specs, although it is a novel pfSense running on aarch64 and you get the full support of Netgate (and you support them by buying from them). Not as upgradable as the Protectli, but doable.

Like diizzy mentioned, the RockPro64 can be a good setup. I’m running one as a router myself (well, soon, need to fix some kinks; you can find more in my biky in armland thread towards the bottom, just use the search function in the thread for “rockpro64” or “rkpr64”) and it’s cheaper than both options WITH a case and a 4-port NIC. You can run FreeBSD on it no problem (or OpenBSD if you make it work, I’m too much of a brainlet to make it, even though it is officially supported), just don’t try to glue stuff onto the USB ports, like WiFi or Ethernet like I did, or you’ll end up running Linux on it.
:man_shrugging:

3 Likes

If it is an L3 switch, maybe?

It’s probably more than enough for home use.

2 Likes

It’s a layer 2 switch. Nowhere on the website is VLAN even mentioned. Looking at the spec sheet, it does seem to have VLAN support, but it’s not a layer 3, it can’t be for that price, lmao.

@Azulath take note that you want a router that has good throughput for inter-VLAN routing if you plan on using VLANs on your switch. Which you should; segregation (of your subnets, lol) is good. So you need something a bit beefier than the meager dual-core Cortex A53 cores. The RockPro64 and the J4125 will be more than plenty though.

I’m going to be a shill for the RockPro64 again: if you get a dual-port Intel Gigabit PCI-E NIC, you can set up 1 or more VLANs on each port and use the Realtek built-in one as the WAN (pretty much more or less what I did in my old homelab 5 years ago with a Celeron J3455 / Asrock J3455M and pfSense, but with a 4-port Intel NIC instead of 2). That should give you close to Gigabit throughput on multiple subnets between VLANs, i.e. instead of getting 480 Mbps from VLAN 2 to 3 and 480 Mbps from VLAN 4 to 5 when using a single Gigabit port, you can get 960 Mbps from VLAN 2 to VLAN 4 and 960 Mbps from VLAN 3 to VLAN 5 (assuming VLANs 2 and 4 are on one port and 3 and 5 on another).

If you don’t plan on having VLANs, which then doesn’t justify why you bought that Unifi in the first place, then you can just go with the Netgate 1100.

1 Like
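One way to lay out the VLAN-per-port scheme from the post above on FreeBSD, as an added example that is not from the post or from any project. It assumes the dual-port Intel NIC shows up as igb0/igb1, the onboard Realtek as re0, and uses constructed 10.0.N.0/24 addressing; pf enforces the segregation by default-denying traffic between VLANs and letting only the management VLAN initiate connections into the others.

```conf
# ---- /etc/rc.conf (constructed example) ----
# igb0/igb1: dual-port Intel NIC (assumed names); re0: onboard Realtek used as WAN
ifconfig_re0="DHCP"
ifconfig_igb0="up"
ifconfig_igb1="up"
# VLANs 2 and 4 on one port, 3 and 5 on the other, as in the post
vlans_igb0="2 4"
vlans_igb1="3 5"
ifconfig_igb0_2="inet 10.0.2.1/24"   # management VLAN
ifconfig_igb0_4="inet 10.0.4.1/24"
ifconfig_igb1_3="inet 10.0.3.1/24"
ifconfig_igb1_5="inet 10.0.5.1/24"
gateway_enable="YES"                  # IPv4 forwarding between the VLANs
pf_enable="YES"
pflog_enable="YES"

# ---- /etc/pf.conf (constructed example) ----
wan      = "re0"
mgmt     = "igb0.2"
vlan_ifs = "{ igb0.2 igb0.4 igb1.3 igb1.5 }"
vlan_net = "{ 10.0.2.0/24 10.0.3.0/24 10.0.4.0/24 10.0.5.0/24 }"

set skip on lo0
scrub in all

# NAT every VLAN out of the single WAN address
nat on $wan inet from $vlan_net to any -> ($wan)

# default deny, logged: anything not listed below, including traffic
# between VLANs, is dropped and shows up on pflog0
block log all

# the router itself may talk out
pass out quick on $wan inet keep state

# every VLAN gets DHCP and DNS from the router, plus Internet access;
# "to ! $vlan_net" stops the last rule doubling as an inter-VLAN allow
pass in on $vlan_ifs inet proto udp from any port 68 to any port 67
pass in on $vlan_ifs inet proto { tcp udp } from $vlan_net to self port 53 keep state
pass in on $vlan_ifs inet from $vlan_net to ! $vlan_net keep state

# only the management VLAN may initiate connections into the other VLANs
pass in on $mgmt inet from 10.0.2.0/24 to $vlan_net keep state
```

With a single Gigabit port the 2-to-4 and 3-to-5 flows would share one link; here each pair crosses a different igb port, which is what gives the throughput the post describes.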

$ :scream:

1 Like

@ThatGuyB, I am going to disagree respectfully with your advice to @Azulath. Let me start by mentioning my background and the equipment I am running. I now work in entry-level hardware support for the company I work at. The type of calls I get at work are fundamental hardware problems; anything I can’t handle or can’t solve in 10 minutes gets transferred to the more senior hardware specialist. An example of the type of calls I get is the computer isn’t getting power; I then have 10 minutes to figure out by asking questions what the problem is. Then, if the person has tried every idea I come up with and his problem isn’t solved in 10 minutes, I have to create a ticket, and the matter gets deferred to the senior hardware specialist. A better example of what I do for work would be when a person calls their ISP; I would be the person they would first talk to. Now that I have established my credentials, let me share the network equipment I use at home.

I have two separate networks. The home uses an ASUS RT-AX88U; in my office, I have a Netgate 5100, a Unifi USW 16 PoE layer two switch and a Unifi 6 Short-Range AP. Having established my work experience and the equipment I use in my home, I will get to the point of this post.

While I agree with Biky that the RockPro64 and the J4125 would work for @Azulath, when you start adding apps like IDS and IPS, your throughput goes down; that is my experience, at least. I am afraid that if @Azulath wants to start playing with enterprise-level router apps, he has to raise his budget. My advice to @Azulath is to make sure any device he purchases is upgradeable. Good luck. :grin:

1 Like

I will also politely disagree.

When you start adding IDS/IPS software to the mix, you probably don’t ask people for opinions on what hardware you need. Suricata or Snort will require that you get a very beefy, high clock speed, at least quad-core CPU, preferably with lots of cache, unless you want your network performance to tank.

Besides, he asked for a budget of <$300; he can maybe get an old i5 6500 Dell Optiplex machine for that money if he’s lucky, but it won’t be sipping power like a home router should.

Playing around with it doesn’t mean that it will run 24/7, or run on all interfaces or subnets. So I believe what I recommended will work just fine and be plenty powerful, except the Netgate 1100; running too much stuff on it will not make it happy. Seriously, Netgate needs to update their hardware. Dual-core can be fine, but they need something beefier; a Cortex A75 at 2.6 GHz and 2GB of RAM would go a long way (although 4GB would be nice, but not really necessary). If they can make it a quad-core, even better, but again, not really necessary; for a router, it’s more important to up the clock speed.

I should probably use summaries more often, I tend to rant a lot, I kindly suggest you do as well.

I do get where you are coming from. Although credentials are fine, I don’t think they mean much on this forum. I used to manage a small data room with 5 racks with just me and 2 other colleagues, we were all involved in the process of upgrading the storage, hypervisors and network, for about 70 employees. I managed HP and Cisco switches, CentOS / OEL (storage) and Proxmox servers, old Ubuntu servers acting as routers, UPSes, and all kinds of software running on top of them.

I do not think people should listen to me just because of my experience; in fact, I would highly prefer that everyone doesn’t just blindly listen to what I say and researches a bit of what I say to confirm if I’m right (some form of peer review or general consensus).

For example in this situation, the RockPro64 doesn’t run pfSense, so no fancy GUIs to configure the router, but it will give you a better experience in routing and firewalls and IMO it just looks way better on a resume when you mention that you run a FreeBSD firewall on ARM, rather than pfSense.

But not everyone just wants homelab experience for getting hired, sometimes people just like tinkering at home with expensive toys. So I try my best to approach any question I receive with whatever I believe would fit the bill the most. At times when I remember to ask more questions, I also add to my responses and change what would be a pretty generic answer to something more catered to someone’s needs. I didn’t remember to do that here, but I thought OP had everything pretty well laid out.

Besides, the J4125 was something that he found and I can confirm that pfSense runs really well on the older, but still very decent J3455. I used to have 2 of these, one as my router, one as my main PC and it was great.

Anyway, rant over, it’s getting too long.

1 Like

I often get the impression that tech forums that don’t just scratch the surface tend to overengineer things quite a bit, simply because people have a very strong opinion of something for whatever reason without looking at the requirements and what’s actually suitable for the task. For example, if you need a car for commuting you’re not likely to get a Dodge RAM 3500; instead you’d go for a much lighter vehicle with better fuel economy/efficiency, unless “just because” is a very strong argument.

So let’s rewind this a bit…

It’s a “home/residential” network, it’s not your Fortune 100 company network. Sure, you want things to work, but the workload or feature set required won’t be anything near what you have at work in 99.9% of all cases.

There’s also nothing that necessarily requires you to shoehorn everything like Suricata or Snort onto your firewall device itself. You can mirror WAN-port traffic on your switch to another port and have another box/device/VM/* process network traffic later on if that’s of interest and so on.

3 Likes

I was trying to share my experience with @Azulath; we have the same switch and almost the same Unifi AP. He has a Unifi 6 Long Range; I have a Short Range. I was going to purchase the same unit as @Azulath, but it was out of stock when I made my purchase. So my opinion is different than Biky’s and diizzy’s. This is all right. As long as we remember, it is alright to disagree as long as we are respectful of other people’s opinions, which I feel Biky and diizzy are.

2 Likes

I fail to see how that’s relevant to the firewall / gateway and what unit are you referring to?

A Unifi Gateway or Gateway pro would allow all your devices to be managed by Ubiquiti’s Unifi controller software. Would be worth considering. EdgeRouters don’t work with Unifi controller.

1 Like