Hacker News new | comments | show | ask | jobs | submit login
Ask HN: Which wireless router do you use at home?
39 points by Perceptes 128 days ago | hide | past | web | 83 comments | favorite
I've been using an Airport Extreme for many years, but recently I started having trouble with wi-fi quality. I'd been thinking about getting a new router anyway, because I'd like one that can run a DNS server I can use to add a few records only visible to my local network. Which hardware do you use? If its software is customizable, what do you run on it (e.g. OpenWrt)?

Ubiquiti EdgeRouter X [1] with a Unifi AP Pro [2]

Extremely happy with the performance and quality. I don't know of any router for $180 that can rival this combination overall.

[1] https://www.ubnt.com/edgemax/edgerouter-x [2] https://www.ubnt.com/unifi/unifi-ap

+1 for this, I use it at home and I've never had any problems.

Runs arm Linux so I also have a VPN server running on it as well. Very convenient to not need a separate device for things like that.

Same setup for me. Two things to look out for with the EdgeRouter X:

1, IPv6 is not trivial to setup. In my case I struggled to find documentation on configuring it on a PPoE connection.

2, It can't reach 1 GB/s on WAN.

+1 for this. I used to use tomato. I also use a pihole for network wide as blocking.

This is my stack as well. I haven't touched it in a year.

I use the same combo

This might seem weird, but I use an old PC with a wireless card in it (get one with a good antenna, and connect wireless APs via ethernet if you want more coverage). I've put Ubuntu server on it, and it has quite a few advantages over my old router which had OpenWrt

1. Persistent DNS cache using pdnsd (even after reboot because it is on-disk) with a long minimum global TTL. You would imagine this would be a problem, but surprisingly I haven't had any. I've only had to get in once to correct something. You can manually purge a specific domain, and all of them if you think something is wrong.

2. Powerful enough for good OpenVPN settings. Automatically routes through a VPN, and can be disabled for a specific client if needed. The AES instructions (which are on any Intel chip after 2008) help out immensely compared to using just a generic router.

3. Smoother LAN transfers. A cheap gigabit PCIe card (Intel EXPI9402PT - on ebay for about $20) which takes away local transfer rate problems, especially if you have an NAS.

4. Use it as an NAS. It isn't a good idea to mix devices which need good security with non-critical systems, like NAS so be sure about your settings and know what you are doing.

Another cool thing is port forwarding to the remote VPN instance so you can login remotely and check out your network or access any files/media you have on your NAS.

There are more things people can do which give more control and/or better experience, like setting up rate limiting on clients, custom settings for clients with unknown MAC addresses, etc. Traffic shaping is a good one (prioritize specific type of connections over another - example VoIP > Netflix > torrent).

The extra power really opens up the possibilities of what a router can do.

If anyone has any questions, I'd be glad to help out.

Something to keep in mind is that even at idle, a PC will probably run at 50W or so. This would cost $80-100/year to run where I live, which isnt insignificant. Unless you are using it as a NAS, need very high speed OpenVPN (>100MBit/s), or other things that a PC can do best, you're much better off with something like an ER-X, which has a max power draw of 5W, and has no problem doing gigabit line-speed routing/NAT/etc.

True, power consumption should be considered. I guess doing this would be a good choice if someone has a NAS already running.

>you're much better off with something like an ER-X I pretty much recommend a plain jane router which can run DD-WRT for anyone. All this is clearly overkill, and more importantly useless for most people.

Another choice is getting a cheap NUC like x86 device and get AP-only devices for good coverage.

>The AES instructions (which are on any Intel chip after 2008) help out immensely compared to using just a generic router.

Be careful, this isn't true... most low end Intel chips (Celeron, Pentium, i3) don't support AES-NI. Starting with Skylake chips (2015/2016-era), the whole processor line supports AES-NI. See https://en.wikipedia.org/wiki/AES_instruction_set

That's good to know, thanks for the correction

How did you set it up specifically, what ubuntu packages are needed on the pc? Can you point to a resource where I can go from, I have a pc with two network cards an incoming line and a switch. To working DHCP, port forwarding and a firewall for the things connected to the switch?

For setting it up as a router first, I recommend this[1] guide

I usually build the software from source so I don't know if every thing will work fine for you. Nevertheless here are the package names I remember from when I first set it up.

pdnsd - for DNS caching read the manual so you can write a good config, and don't forget to change the bind IP to an interface so that it is accessible to the local network

openvpn, easy-rsa - Initial setup[2] there is a bug which for which there is a temporary fix[3]. Might be fixed by now.

Port forwarding: I currently use iptables, but I've been trying to move to nftables, which I recommend. Here's how I do it for now (this must be done on the OpenVPN server):

tun0 is the openvpn interface

eno1 is the public ethernet interface of your VPN

Say the IP addr of openvpn CLIENT (router in this case) is - eno1 port you want to forward to is 1234

say the client port (the router port to be forwarded) is 6789

#iptables -t nat -A PREROUTING -p tcp -i eno1 --dport 1234 -j DNAT --to-destination

#iptables -A FORWARD -p tcp -d --dport 6789 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

The above commands are not persistent so save them to /etc/iptables.conf

I always choose very conservative settings for firewall. Only a single port is forwarded to the VPN. Rest are closed, spoof open ports, and have a honeypot if you want.

There are many guides on iptables, but I would again recommend nftables. You're going to have to dig deep sometimes since it is still new.

If you have questions about anything, just google. Chances are, it has already been covered several times.

[1]: https://arstechnica.com/gadgets/2016/04/the-ars-guide-to-bui...

[2]: https://www.digitalocean.com/community/tutorials/how-to-set-...

[3]: https://bugs.launchpad.net/serverguide/+bug/1504676

> 1. Persistent DNS cache using pdnsd (even after reboot because it is on-disk) with a long minimum global TTL.

What problem does this solve? Is it a bid to improve privacy?

Performance. Most routers also have DNS caches for the same thing. It is often recommended to use OpenDNS servers for privacy, but it is slower than your ISP's DNS or Google's.

This is especially useful when you have an application which doesn't cache DNS requests and issues a new one for every connection. Torrenting gets a big boost for example.

Privacy is just a side effect.

I would be surprised to learn that most routers DNS implementations enforce "a long minimum global TTL". What do you define as long by the way?

EDIT: Also, "Torrenting gets a big boost for example." sounds strange, don't trackers give out IP addresses? Why would BitTorrent be DNS bound?

Most routers just have a DNS cache, not a global TTL, sorry about the misunderstanding.

I have it set up to be 1 day. Most websites have been setting up low TTLs like 1 hour or less because they don't want to take a chance in case of a problem, and DNS is cheap or free these days.

About your statement - 'don't trackers give out IP addresses?', what do you mean?

Often trackers are addressed by their domain (I've never actually seen a tracker without one). So each torrent has its own specific set of trackers. So all those trackers are frequently resolved and contacted for peer exchange.

Well, trackers give out the addresses of peers. If those addresses were given out as hostnames, there'd be a lot of DNS work involved, but they don't (as far as I'm aware).

So then the DNS curb would be looking up the hostnames of the trackers, which I'd guess would be under a dozen or so hosts (I don't know, I'm just guessing) per torrent. That seems unlikely to be a hot-spot to the degree that enforcing a long cache would provide a "big boost" to overall performance.

When you have 1000+ torrents seeding 24/7, even the tracker lookups add up. Usually you aren't downloading. Most of the time, torrents stay idle which will make DNS requests a significant portion of the total traffic. Sure, this might seem overkill, but when the VPN is already slowing down things for you, you do whatever needed to shave those seconds.

OpenDNS look up for Google just now took me 500ms, even without the VPN. I use tunnel mode for DNS on the NAS, which can easily double it.

I have an Asus RT-AC66U w/ merlin firmware. I've been running it for years now without a single crash. It's only been rebooted once to update the firmware as it's on a UPS. I have a 2 TB HDD that turns it into our house's media server.

Similar: RT-N66U, with stock firmware. In Wireless Access Point mode, attached to my ISP-provided modem/router, whose WiFi is turned off. Very happy with it.

Same except I am using Advanced Tomato firmware.


RT-AC88U with a 4tb HDD to it and stock firmware. Extremely happy with it.

Same router. Very happy with it after 1y of usage

Very similar, with RT-AC68U.

RT-AC5300 here with Merlin

Mikrotik wAP ac [1] positioned in center of home with a Mikrotik Hex POE [2] as the main router and DHCP server. There is TP-Link HomePlug [3,4] between router and WiFi base station.

The wAP ac has a stronger and more reliable signal than any other WiFI unit I've tried (various Linksys, Asus, and BT units).

The Mikrotik gear is rock solid, but not exactly what I'd call consumer friendly. Great if you know or want to know something about real routers. I got fed up with buggy consumer routers and decided to go with either Mikrotik or Ubiquity rather than struggle to get the right hardware and firmware combo for Tomato et al. Nothing wrong with these, but none of my existing hardware had an image on the various options.

[1] https://mikrotik.com/product/RBwAPG-5HacT2HnD, $89

[2] https://mikrotik.com/product/RB960PGS, $79

[3] http://uk.tp-link.com/products/details/cat-18_TL-PA4010KIT.h...

[4] Always, always change the HomePlug network name and password :-)

For OpenWRT - at the moment the current code is at the fork called LEDE - here is a ToH: https://lede-project.org/toh/start - both projects want to reunite but it seems progress is slow - use the 17.01.2 release for LEDE at the moment - it's the most stable current version.

As for the hardware - If you want to use OpenWRT/LEDE you have to be selective about supported WiFi chips. ath9k is battle tested but no ac wifi. ath10k should work reasonable well if you only want to have an access point. Broadcom / Mediatek and others can have issues - stability or signal strength depending on the driver.

Check out kmod-sched-cake and sqm-scripts for the latest in research regarding bufferbloat - https://www.bufferbloat.net/projects/codel/wiki/Cake/ together with airtime fairness - https://linuxplumbersconf.org/2016/ocw/system/presentations/... you can archive some crazy results in good wifi (only on ath9k / mt76 partly on ath10k).

If you want something off the shelf - Mikrotik and Ubiquity and to a degree TP-Link and Asus models get good reviews. In terms of hardware and antennas Mikrotik and Ubiquity are usally better.

You probably want 802.11ac and 5GHz - at the moment 802.11ac Wave2 is probably not worth the money because you need support on the client side and that is rare.

TP-Link Archer C50 would be my budget pick (30€) and runs LEDE - no Gigabit through. Archer C7 for Gigabit.

If you don't mind soldering a serial console and flashing LEDE using the bootloader get a used Cisco Meraki MR18 / MR24 without licence and wall mount kit for a few $ from ebay - top notch hardware and antennas (but ath9k not ath10k) and lot's of CPU / memory.

+1 For LEDE/OpenWRT, I'm running 17.01.02 (uname -a=Linux LEDE 4.4.71 #0) I am using a TP-Link TL-WDR4300 v1 and am very happy with it so far.

I would probably be more happy with ubiquiti unifi

PFsense on a Dell Optiplex FX160 running a router-on-a-stick configuration with a Cisco switch (router-on-a-stick refers to pulling the external and internal interfaces over a single ethernet cable on separate VLANs)

Currently 1 Unifi AP with Long Range, with a RPi 3 as controller (docker image). Setup was done in 30 minutes, and I'm just amazed how well it all works. I'll soon buy another 1-2 APs for the other floors in the house, and expect perfect wifi signal everywhere. If I need to, I can let the RPi run things like dnsmasq, printer server or whatnot.

Apart from the Unifi centric hardware, I have an Asus router that currently handles all the routing (also DHCP), and a cable modem.

Google WiFi (mesh of 3 units). Really love it so far. Very easy to configure and manage. No more clunky webpages to navigate, no more worrying about firmware upgrades. Switched recently from Linksys WRT610N after using it for about 8 years without any issues except for lack of firmware updates.

Same here, but with 5 units, and I'm supremely pleased by its overall performance.

For some odd reason, after moving to a new house, the Powerline networking in my office degraded from the consistent 300-400Mbps in the old house to < 10Mbps in my new office.

The new house is old, with thick walls, and I wasn't getting good throughput with the old pair of OnHubs I was using, but I figured that enough mesh points would overcome that, and as one of the mesh points is in my office, I've found plugging the desktop ethernet output directly into the ethernet input on the Mesh unit to be extremely performant.

I did the same thing on one of the mesh units as well as it was in one of the rooms diametrically opposite from the main unit and on the second floor. The mesh shows great signal strength now.

Before paying for a Ubiquiti product, take a look at how they treat the GPL:


They also run PHP 2.0 (sic!) on all routers - https://www.theregister.co.uk/2017/03/16/ubiquiti_networking...

"A command injection vulnerability was found in 'pingtest_action.cgi.' This script is vulnerable since it is possible to inject a value of a variable. One of the reasons for this behavior is the used PHP version (PHP/FI 2.0.1 from 1997),"

The first time I heard someone is using a pre PHP 3 version. Must be perl/cgi based and really old stuff. Why do they even ship with an inbuilt web server with cgi enabled - it's so outdated and screams 1995 tech. (even back in 2002 cgi, and Perl and PHP3 were considered outdated, and we had already PHP 4)

EdgeOS is dumping PHP for Python in the next release, due any day now (already publicly in beta). Not sure the exact stack, but probably based on Python 2.7.

What's even more impressive is this:

"In 2015, Ubiquiti revealed that it lost $46.7 million when its finance department was tricked into sending money to someone posing as an employee."

How does that even happen?

a ubiquiti AC-lite with pfsense on an APU2

I'd rather have my wifi be a black box that just works and my router be a little more just raw hardware with openbsd or linux or pfsense.

Same here: APU2C4 running vanilla OpenBSD for routing, DHCP, DNS, attached to a Unifi AC configured in pure bridge mode. I was not too pleased with Ubiquiti's firmware though and flashed LEDE, for which you can find ready-to-use firmware images. No more need to install and run a java-based controller instance on another PC for just a wireless bridge. For guest WiFi, I got a GL-AR150 for 20€ and also run LEDE, this time in isolation mode -- guests are NAT'd on their own network and cannot see each other.

Cool didn't know about LEDE, I use the iPhone app to manage the ubiquiti. But I don't really need to manage much. Just upgraded the firmware once...

Have bought this gear myself and just waiting for it to arrive

Here's how our home router is set up at our code school:

I bought a cheap gigabit router (from craigslist for around $30) and then bought a wireless range extender ($60) for the far end of the house. The router is not connected to the modem (so obviously no internet). We built our own server to host all the code, exercises, videos, as well as a DNS server. Our gitlab repository is resolved to google.com, so they usually get a kick out of pushing their code to 'google'. We have our own internal q/a site that resolves to facebook.com. Everybody gets to pick their own domain name to host their own projects.

We experience 0 downtime (unless there is a power outage), pushes to our repository is almost instantaneous, and tests run blazing fast on our speedy i7 desktop with 62GB Ram (that I got for $600 on craigslist). Also, students are not limited to their machines, they can code on whichever device they want (as long as it runs chrome or ssh) because code is hosted on the server. This way, we don't have to deal with people's installation problems.

I didn't touch the router's firmware at all. Our server acts as a dns server. However, everybody would have to modify their dns records on their wifi settings to add our server's ipaddress.

> However, everybody would have to modify their dns records on their wifi settings to add our server's ipaddress.

Why can't you just push it over dhcp? (This is what I've always done for this use case...)

Thanks for the insight! Its my first time I've setup up something like this (coming from a front end dev background), so I didn't know about dhcp.

Where did you learn to set something up like this?

I learned from http://tldp.org/HOWTO/DHCP/x369.html#DHCPSERVER when I got tired of auto-managing IP addresses -- the basic setup is not terrible. If you're using something else for DHCP assignment (e.g. PfSense) you can usually just provide the extra DNS server in the config there and it propagates out.

as you get more experienced it becomes less of "where can I learn x" and more of "how can I do x". You should be able to take a high level concept and look for ways/tools to implement it. For starters, web devs should know about dns. The first step would be, 'install a dns server' and then figuring out as you go. I think the deeper into the rabbit hole you go, the less quality tutorials there are and you have to rely on your problem solving abilities to figure things out.

Netgear R7000 [1] with AdvancedTomato [2], which is Tomato but with a pretty UI. It runs DNS, nginx as a reverse proxy, SSH gateway and some other bits & pieces with minimal fuss. Pretty sure I've never had to reboot it outside of testing configuration changes. I even managed to upgrade to a significantly newer firmware version without blowing away the NVRAM/other settings and having to redo everything from near scratch as is IME so common with custom router FW builds (note: YMMV).

It has USB 3, GigE, wireless speed has been fine etc... certainly one of the best home tech purchases I've made in the last couple years.

[1] http://www.netgear.com.au/home/products/networking/wifi-rout... [2] https://advancedtomato.com

I had a quite pricey $120 Asus n66u as primary router and a cheap, TP link router, as backup, lying in the closet.

At one point, the Asus started to become unreliable and unstable so I disabled it and put the $40 TP Link instead.

Now, about 3 years later, I completely forgot about my router setup and this TP link is rocking it every day. I'm really impressed by the brand. I only had to pull the powercord to quickly reset it once, during several years. I can not say this of most other brands I've worked with in the past.

You can run OpenWRT etc on it. It's quite similar to the legendary WRT54G.

I also bought a Wifi 4G portable router from TP Link later, and this is also high quality hardware at affordable prices.


Ubiquiti Edgerouter + two Unifi UAP-AC-Pro

I've been using ASUS routers with the Asus Merlin[1] firmware for a very long time -- they're just fantastic if you want customizability.

Current router: ASUS AC3100

[1] https://asuswrt.lostrealm.ca/

PfSense on passively cooled j1200 celeron [1] running to a netgear PoE switch hooked to 3 ubiquiti unifi pro ac.

[1] https://www.amazon.com/dp/B01AJEJG1A/

I'm still using an old WNDR-3700 (gigabit ports, dial band, agn) with OpenWRT, though the 2.4 wifi has gotten pretty spotty lately and I now have it set to do nightly reboots.

I'll likely replace it with one of the newer Mikrotik routers soon, mostly because we've started using them at work and for clients and it'd be good to have another spot to get and stay familiar with them. That said, while RouterOS is powerful it has a not insignificant learning curve. I've also seen firmware images and wiki entries indicating that you can run OpenWRT on some models, but I'm not sure how well supported that is.

The ASUS Google OnHub. I used to face a router that reach DD-WRT and customised all the options... then I got sick of it all. The OnHub just works, and updates itself. It's not glamorous, but neither are my requirements.

Mikrotik hEX RB750Gr3 5-port Gigabit Router feeding an AmpliFi Mesh Wi-Fi System (router plus two meshpoints). Performance, configurability, and reliability have been excellent. ~$350 total cost.

Located in Germany where the company AVM has a very high market share. As a result, I use a Fritz!Box 6360 for Cable Internet (400 down, 25 up) with a Fritz!Repeater 1750E on every floor connected via gigabit ethernet. Manually set up 2.4 and 5 Ghz SSIDs to segregate devices like printer an other ancient stuff to the 2.4 SSID while using the 5 GHz SSID for my modern devices. I cannot imagine a better setup.

I'm from Germany too and am using a Fritz!Box 7490 behind a cable modem (200 down/12 up). The router let's you set up one wireless network with both 2.4GHz and 5GHz so devices automatically get switched onto the band with higher Tx rate. Currently pretty happy with the setup.

I have an (awesome) ASUS RT-AC5300 router but I use my Synology DiskStation to run a DNS server.

Everything worked out of the box. No custom software installation, no messing around. I love them both, they're very powerful.

It's easy to install dnsmasq on Synology but now you don't have to do that manually anymore, they have their own package system now which includes a DNS Server built upon dnsmasq.

I'm using TP-Link WR802N [1] and installed OpenWRT on it. Its small form factor is quite useful for me since sometimes I took it when I traveled back to my hometown (to easily have my local wifi network).

[1] http://uk.tp-link.com/products/details/cat-9_TL-WR802N.html

WR802N is excellent out of the box.

Unlike newer models it allows created your own WiFi access point that is routed to the Internet via another WiFI network. Very useful when travelling with multiple iPads and such - no need to connect them all one by one to a hotel WiFi (no need to configure them at all as a matter of fact) and you get your own isolated subnet with working broadcast and multicast.

We're using Google WiFi. Not super (or at all) customizable as you'd like to do, but it does work very well. It's stable and offers really good performance throughout our 1000 sq ft apartment (even given all the numerous networks around us). In the new home we're buying, I plan to use the mesh network (buy more Google WiFi units) capabilities to blanket the whole home.

I'm using eero (1st gen) and with the latest update I've became less happy, as I now have to reboot it once every two weeks to get performance back. And speeds became slower as well. Disappointed, but hope it's a bug, not a way to force me to gen2 model.

Didn't have the patience to sort through who knows how many options, so I just read The Wirecutter's comparison [1] and bought the one they recommended: TP-Link Archer C7 (v2).

[1] http://thewirecutter.com/reviews/best-wi-fi-router/

Router is a PC Engines APU2 (apu2c4) running OpenBSD, wireless APs are Buffalo and run OpenWRT in plain bridging mode.

I use a couple TP-Link Archer C7 v2 (dual band ath9k and ath10k) running OpenWRT. 1 of them acts as the router and the others are just bridge over Ethernet to extend wireless coverage and provide local switch ports. Works pretty well for me.

I would also suggest Ubiquiti and/or pfsense if you want an out-of-box experience.

A rackmount pfSense router built from an old Core i3 desktop from circa 2010 and a Intel 4-port NIC. I have 150/150 FTTH at home. Might have 250/250 or 1000/250 by the end of the year (the router can handle 800mbps WAN->LAN with about 50-75% CPU usage)

UAP-AC-LR for the wireless.

There was a black friday deal for the following router:


Which was easy to upgrade the firmware and then override so I could install Tomato.

At home, 3 Netgear WNDAP360s to cover 2 floors and a detached garage. I've needed to reboot a few times in 2 years.

At work, a Ubiquiti EdgeRouter. Fast and trouble-free so far, and easier to set up than the Netgears.

I've got Comcast Business Class, so I have one of their routers (Cisco/Technicolor) as the actual router - but I run my own DHCP and DNS - I use an Apple Airport as the access point itself.

AirPort Extreme with a couple of peripheral units acting as a Wireless Distribution System (WDS). I'm heartbroken that Apple won't be developing any new units.

Nice try NSA!

Omnia Turris, open hardware, OWRT by default, top tier hardware, HAC encryption, 2.4GHz and 5GHz.

Is it really worth the €330?

It depends.

Is the hardware worth 330€? Probably not. But IIRC everything is open source, including the hardware design, which you'd never get from a commercial router.

Is it worth 330€ as a router? CZ.NIC has put a lot of effort into the OS and updates. The router has 8GB of NAND and they are using btrfs to handle updates (snapshot, update, rollback if there are issues).

This kind of update feature doesn't exist in OpenWrt and LEDE, though mainly because most routers ship with 16MB of NOR flash and there simply isn't room to take a snapshot while upgrading. Some routers like the Xiaomi Mi 3 have 128MB of NAND and it would be possible if there was upstream support in LEDE (although that router has other issues with MediaTek WiFi).

So if you're looking for a reasonably secure router that auto-updates, I think it's worth it. Set it and forget it mentality.

If you have the technical skills and time to manage the router yourself, then just buy a low power PC (e.g. PCEngines APU, Solidrun ClearFrog, Marvell MACCHIATTObin) and install Linux/PfSense/OPNSense.

I don't own the Turis myself, I just saw some conference presentations of theirs about how they implemented the Turis.

PF-Sense on a SuperMicro server in a VM. Ubiquiti Unifi AP Pro HD

What access point/repeater with 2+ antennas (visible) can you recommend?

Often people go about doing this the wrong way.

It is better to get two cheap routers and use one as an AP only. The AP only can be placed where ever you want so it'll have better coverage than a multi-antenna router any day.

Have a peplink and typically like peplink or tp-link devices

Amplifi HD mesh, base station plus 2 APs

Unifi ER-X-SFP from Ubiquiti Networks.

Netgear WNDR3700 running OpenWRT.


Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact