Low power router for basic home lab (Netgate?). Also, switch and AP

Tl;dr: Looking for a low power router (under 15W–I don’t like that a router approaches my server’s level of power consumption), need VLANs. Less than 50 devices total (including IoT devices). VLANs used to separate between guests, personal, and IoT stuff. Also a managed switch, and wireless AP (also with VLAN capabilities). Budget for everything is ~$800 but I imagine that is a massive overkill. Current 100 Mbps plan is satisfactory, may want to “futureproof” for 1GbE if worth the price despite my usage. My situation at bottom of the post.


Is Netgate 2100 (or even Netgate 1100) still among the best options for low power router? Seems hard to believe there are no good alternatives (lower power and/or better hardware for the price) given the 1100 was apparently well-regarded 5+ years ago. Besides that, there’s Protectli which is similar but x86 instead (consumes more power, not sure if the additional performance is applicable for me). Thin clients and above seem unnecessary for my case.

Mikrotik RB2100 and variants have been suggested, but I’ve also seen warnings that configuring their stuff is very daunting, hence I think looking at something that can run pfSense (I don’t intend to get certifications or learn more than what I need to know to set up a reasonably secure and efficient network) is a good idea.

Besides the router, I suppose I need a managed switch and a WAP that can also support VLAN. For the switch, I’m not sure if layer 3 routing support is useful for my purposes, though if it doesn’t demand a hefty premium I’ll require it. I think people regard Ubiquiti’s WAPs as industry standard, though I’m not sure if that’s just the opinion of people who can’t be bothered to deal with a little tech and want to find an ecosystem that can do everything (i.e. the Apple of network hardware).

Any advice, recommendations, or just name drops are much appreciated–there are way too many products out there and these are hardware that I think should last 10+ years considering I’m only managing a network for mostly myself and my desktop system is nearly that old.


My situation:

A basic home lab involving an i3-12100 server and plan to use Proxmox, running typical NAS stuff like TrueNAS, Syncthing, Jellyfin, Home Assistant, backup server, and maybe something like Pihole or similar. Currently, I have a garbage mesh wifi system that is connected to the modem, acting as a router. It lacks even basic settings like DHCP reservation, but unfortunately must be kept for roommates. I don’t think I need VPN (it certainly doesn’t need to be performant), though I’m not sure whether running it on my server instead has any drawbacks to consider.

The new router will sit between the modem and the existing mesh wifi.

I would avoid official Netgate hardware in a home use situation in most cases. You are 100% paying more for the validation. That being said you have implied that you would prefer ARM for power savings and currently the only way to use pfSense on ARM is the official Netgate ARM devices. If you don’t particularly care about the open sourceness of the product you might look into Ubiquiti’s EdgeRouter lineup. Less configuration options without using the command line, but fits the bill for what you are wanting. As far as specifically the SG-1100 or 2100 go, there are a few things to bear in mind. 1100 basically can’t do gigabit in real world use cases, although the 100 megabit you mentioned should be fine. Also, going up to the 3100 or better is recommended if you wish to use Snort or something similar. (You did not mention wanting this, but I thought you should be aware.)

As for the switch, I have been unable to get VLAN tagging to work with pfSense with the TP-Link smart managed switches. Which is unfortunate because they are basically unbeatable for the price to performance. It is possible that this is an issue with something I did, not actually something that is impossible as I have seen people do it on YouTube. That being said people seem to have more luck with the Ubiquiti switches.

As for the WAP, Ubiquiti really is the best option if you want enterprise grade solutions imho. It all just kind of works, and works really well. The fact of the matter is that Ubiquiti is considered an actual competitor to Cisco in the enterprise space when it comes to WAPs, and there is a reason for it. They offer basically the same feature set, a competitive initial price, and no hidden licensing costs. All that and the setup is easy enough that most consumers can easily set them up, but there is always more advanced stuff too if you want it.

2 Likes

When I upgraded from an Optiplex router, I went with the Protectli VP2410 and have been very satisfied with the experience. It’s drawing only ~5 watts on average and that’s with a SATA m.2 and a SATA 2.5" drive running a ZFS mirror on OPNsense. I got mine barebones and filled in the rest of the components with spare parts and a few eBay scores. I also opted for coreboot and have not had any problems with it.

As for switches, I used to like Cisco gear but everything they make except for their highest-end enterprise gear is incredibly expensive crap anymore. You can make a case that even the highest-end enterprise gear isn’t that great either compared to the competition, but I digress. I migrated my homelab over to TP-Link JetStream switches last year and found the experience to be mostly painless. The Web UI and the CLI are both plenty good enough for a homelab. I am not using Omada because I don’t make changes all that often to my switches, it would just add unnecessary complication.

I don’t have much of an opinion on WAPs, I am using an old ASUS router in AP mode and it is sufficient for my needs.

1 Like

This.

TP-Link is not the only play, but seems to currently offer the best compromise of features, performance, cost, power consumption.

I have a mix of network gear, but use the Omada capable TP-Link ER605 router and TP-Link EAP660HD AP as standalone devices (w/o Omada controller) along with several of their cheap 8-port smart switches (TL-SG108E, TL-SG108PE).

1 Like

Can you explain why? If you hadn’t written that you don’t want them, I would have recommended one. Even if an x86 thin client uses a little more power than an ARM-based router, they still don’t use that much power (less than 10 W), and compatibility and extensibility are better.

Anyway, have you thought about some basic OpenWRT-compatible “plastic” router/AP combo? Even if you don’t need the AP? They certainly can handle 100MBit ethernet. Maybe something like this or this? (Found after only 2m of googling, you have been warned! :P )

A RockPro64 + dual port Intel NIC will go a very long way unless you have very specific requirements but pfSense doesn’t support anything else besides x86 for now. You can also save a few instances like PiHole and just run for example blocky instead on the router itself.

Just get a decent model from Zyxel GS1900-series (or so), they’re not crazy expensive and have good aftersales support overall.

While you certainly can dive deep into the CLI custom configurations on RouterOS (which runs MikroTik devices), the basics are really quite ok.
I dove into using one earlier this year (the hAP AX²) to replace my ISP router/AP at home. Yes, I did have to fiddle with settings a bit to set up the things I wanted. But I don’t think it is that much more difficult than another advanced networking device when you’re unfamiliar with the interface of it.

Especially if you’re already ok with diving into Proxmox, TrueNAS and all the other things you’re listing.
Yes, it has a learning curve, but all the other things you’re mentioning to try have as well.

And for the sake of future proofing, then I’d go for an RB5009 variant; it gives you 7x 1G, 1x 2,5G and a 10G SFP+ cage if you want later expansion. Then you could plug in a faster connection to your server and have room to spare for your other connections. Only downside with this model is needing a separate AP like a wAP (XL) ac, but you can still manage them through CAPsMAN.
Or if you want wifi6 out of the box, then maybe a hAP AX³; fewer ports (1x 2,5G, 4x 1G), but faster wireless and for the rest the same configuration options.

Massive overkill, similar to Protectli series.


Not sure if you considered running a router (OpenWrt) inside a Proxmox managed VM on your i3-12100 machine - would be the cheapest option.

Just get a switch for your other stuff, maybe it doesn’t even need to be VLAN capable if you’re only segmenting off your wifi stuff.

edit: what wireless do you have?

I’m real happy with my Netgate 2100. Yeah you’re paying more than roll your own but you’re getting support if needed and the commercial pfSense product has some additional features (e.g. root on ZFS with full rollback etc).

Also it’s the only real supported way to run it on ARM and I consider that a security win because anyone writing shellcode for FreeBSD or pfSense exploits is likely targeting x86.

The appliance is also GF friendly with idiot lights on the front and 100% silent. There’s no power switch so power loss isn’t a case of forgetting to set the BIOS to restore power on AC power on etc.

I’ve run pfSense for years. Still run VMs of it for internal router/firewalls. But edge/internet device I definitely rate their hardware.

1 Like

You could also run pfSense inside of Proxmox too. That may even be more power efficient than running it on one of the Netgate ARM devices. Definitely would have a lower cost of entry.

For low throughput/bandwidth requirements, you might even be able to get away with using a USB Ethernet NIC.

It’d put the probably otherwise unused USB port and that spare dongle sitting in a drawer to good use, without exposing to the ISP something that might decide to PXE boot, or something that might offer some type of debug interface.

Pretty much this. My wife is technical, but lazy at this point, she gave up Comp. Sci. for Nursing after all so she just wants her appliances to work. If you are not the only one using it or if you will be in situations where you may not be present, then you will want to have something easy for the other person to troubleshoot. I also have the Netgate 2100 and it is truly set it and forget it.

If this is truly just a lab, then you have a lot of options out there but those Intel and Ryzen Embedded solutions are going to be your best bet.