New PC-based home router: which router OS to pick?

I’m looking to set up a new PC-based home router. Currently I’m using Windows Server, but since I updated from 2012R2 to 2022 the routing has issues when addressing the server itself through a VPN connection: data rates to other LAN clients are fine, but trying to talk to the server itself gives me only a few kB/s, which is unacceptable. I tried reinstalling, but the result was the same. So I’m thinking I’ll just put some Unix-based router OS in a VM to do the job.
Which brings me to the question: which one, pfSense, RouterOS, VyOS, or something else?
So which one would you recommend?

1 Like

I’m running VyOS, OpenWRT, OPNsense and a Linux router based on RHEL at home. If you’re a fan of the command line I can totally recommend VyOS; it’s a great product, but you just won’t have a WebUI.

I personally really dig the zone based firewall and the BGP configuration. You can also run basic containers and do all kinds of routing. The OS is basically stateless and only the config has to be backed up.

What I don’t like is that you don’t have a “stable” version. (Haven’t had any bugs, but I’m always a little nervous updating that thing.) It’s also unfortunate that you can’t use FQDNs for WireGuard endpoints; the CLI needs a static IP. (The IP can of course change while the tunnel is up, but you can’t configure a domain name that has DDNS.) Also the VRF has a catch with the zone-based firewall.

OPNsense on the other hand can also do pretty much anything and works very well. But if you like the command line and are familiar with Linux commands, you’re in for a wild ride, as most tools have similar but different command-line options. Other than that I can’t say many bad things about it.

OpenWRT is good if you need something very simple that can do anything and doesn’t consume any resources at all, but IMHO it’s not a very good firewall.

Vanilla Linux can do anything, does anything pretty good, but you have to do it. No safeguards, no single file backup to get back up and running, but all da options!

FreeBSD works very well, but it’s largely a matter of preference, as I doubt you need extreme performance. pf syntax is sane too :wink:

OPNsense has been rock solid for me for about 2 years for modest home networking (5 physical gigabit interfaces, a few VLANs for homelabbing etc.), all running on hardware that is a step above e-waste (a 10-year-old OptiPlex).

1 Like

+1 for OPNsense, been using it for years now and it just works. I used to use pfSense, but I got annoyed with feeling like I was walking on eggshells every single time I updated it, after having issues after updates many times, especially with x.0 versions. OPNsense updates more regularly, but every update has worked flawlessly.

I switched over before the closed-source spin-off of pfSense, but I am glad that I did, because I prefer FOSS whenever possible. Between Netgate (pfSense’s parent company) acting in bad faith towards Deciso (OPNsense’s parent company), the pfSense WireGuard debacle, and now pfSense being split into a closed-source version with a license agreement that makes you dependent upon Netgate acting in good faith and an open-source version that hasn’t been updated in just a few weeks short of a full year, it feels like OPNsense is the obvious choice between the two unless you are already very heavily invested in pfSense.

1 Like

If you’re new to Linux, pfSense or OpenWRT are built to work as router appliances.

Either will work fine in either Proxmox or Hyper-V, which will allow you to easily utilize the same hardware for other stuff.

Personally I have used all the things you mentioned above for prolonged periods; these days at home I run Debian (with a very small selection of packages) on bare metal for routing, and a small selection of services in containers: dnsmasq, AdGuard and ZNC.

As modzilla said, I’d also not recommend OpenWrt unless you’re on dinky hardware.

Although most people don’t really use anything other than basic firewalling. Blocklists are about as far as most go.

Do you still use iptables or are you using nftables now? I gotta say the nftables syntax is just so much better than iptables. I copied the zone-based firewall idea of VyOS and that’s a lot nicer and cleaner to configure!

Still iptables. I’ve actually been thinking about what would make me switch and I just can’t think of a reason. I’m unlikely to have to build a new router from scratch. (1000/50 is what my ISP offers and nearly everything in my house is fine with just gigabit internally.) I’m unlikely to get proper IPv6 (I’m not giving up my publicly routable IPv4 for some DS-Lite CGNAT just so I’d hop onto IPv6). Not sure, maybe if Debian removes the iptables frontend I’ll hop over to nft.

It’s being deprecated quite aggressively by distros, so you probably want to make that change sooner rather than later.

1 Like

Your provider doesn’t delegate a v6 prefix to you? Oh my… Have you requested a prefix or tried DHCPv6-PD?

But nftables is really nice, especially for v6, as you can just use the inet family and filter v4 and v6 with one ruleset.
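To make the two points above concrete (a VyOS-style zone-based layout, and a single inet table covering IPv4 and IPv6), here is an added example ruleset; it is not part of any post in this thread and not VyOS's generated configuration. The interface names wan0, lan0 and wg0, the WireGuard port 51820 and the permitted service ports are assumptions; substitute your own. Load it with `nft -f zones.nft` after checking it with `nft -c -f zones.nft`.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): zone-based firewall in nftables.
# One table of family inet filters IPv4 and IPv6 together, so there is no
# separate ip6tables-style ruleset to keep in sync.
# Interface names, ports and the "only these services" policy are assumptions.
flush ruleset

table inet filter {
    # A zone is just a named set of interfaces. Moving an interface between
    # zones is a one-line change; the policy chains below stay untouched.
    set zone_wan { type ifname; elements = { "wan0" } }
    set zone_lan { type ifname; elements = { "lan0" } }
    set zone_vpn { type ifname; elements = { "wg0" } }

    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # ICMP and ICMPv6 must pass: PMTUD, NDP, router advertisements.
        meta l4proto { icmp, ipv6-icmp } accept
        # Dispatch on the ingress zone; anything unmatched hits policy drop.
        iifname @zone_wan jump wan_to_local
        iifname @zone_lan jump lan_to_local
        iifname @zone_vpn jump vpn_to_local
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept
        # Zone pairs: only the listed directions may open new connections.
        iifname @zone_lan oifname @zone_wan accept
        iifname @zone_vpn oifname @zone_wan accept
        iifname @zone_lan oifname @zone_vpn accept
        iifname @zone_vpn oifname @zone_lan jump vpn_to_lan
        # wan -> anything falls through to drop; add port forwards here.
    }

    # wan -> router: only the WireGuard listener (port is an assumption).
    chain wan_to_local {
        udp dport 51820 accept
    }

    # lan -> router: DNS, DHCPv4/DHCPv6 server, SSH. Everything else drops.
    chain lan_to_local {
        udp dport { 53, 67, 547 } accept
        tcp dport { 53, 22 } accept
    }

    # vpn -> router: DNS and SSH only.
    chain vpn_to_local {
        udp dport 53 accept
        tcp dport { 53, 22 } accept
    }

    # vpn -> lan: expose a few services, not the whole LAN, and log the rest.
    chain vpn_to_lan {
        tcp dport { 22, 443 } accept
        log prefix "vpn_to_lan drop: " drop
    }
}

# Source NAT is IPv4 only: IPv6 is routed natively from the delegated prefix,
# so the nat table uses family ip rather than inet.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

Two things worth checking after loading: `nft list ruleset` should show a single `table inet filter`, and a ping6 from a LAN host to the router should succeed because the `ipv6-icmp` rule sits before the zone dispatch; if you drop that rule, neighbor discovery breaks and IPv6 silently stops working even though every other rule looks right.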

My choices are

  • v4 only and no v6, or
  • DS-Lite, i.e. v4 CGNAT without port forwarding plus a bunch of public /64s I’d have to ensure I route/relay properly (no /56 and no /48)

Interestingly, the v4 is mostly static-ish; it doesn’t change for months at a time (let’s call it stable, since it’s not strictly static). But the /64s change every once in a while.

This is a residential service plan and for most normies this works well: the ISP supplies you with a modem, you don’t need your own, you get internet on your phone and Netflix/Prime on your TV, and it’s all good.

But I like to self-host, so I’d rather not have v6 than not have a routed v4.

1 Like

Sure, I would do the same if I were you. No chance I’d go DS-Lite…