table of hardware: https://openwrt.org/toh/start
- current master runs kernel 4.14 / 4.9 for most targets, flow offloading, performance fixes, wireguard in base, lua-based ui called uci.
- security fixes land after a few hours/days in master, a few days/weeks for a new stable release
- pretty much only non-commercial and volunteer effort, so be kind and friendly and help - check the wiki and the forum first.
The latest stable release seems to be ~8 months old, though, unless I'm looking in the wrong place: https://downloads.openwrt.org/releases/
Similar to installing say, Debian 6.1 and then running apt-get to update packages
How about instead of this, use open source software on your router? It will keep being updated, and with the manufacturer's proprietary software on the device you can't really trust it anyway.
I use Google Wifi and it updates itself. In the future I might put in a PFSense, but wifi solutions like Google Wifi/Eero/etc are the way to go if you're not a computer person.
I work on a product that gets connected to people's home wifi. In the last year we've had several with routers running WEP security.
WEP was superseded in 2003 by WPA, and deprecated in 2004!
I'm annoyed they discontinued support for x86-32. My Soekris could run with a VPN board and saturate its 100 mbit ports.
Good news there as well is that OPNSense supports x86-32 just fine though.
I wanted to make sure you saw this.
Updates are easy to manage, I use Pfblocker which is similar functionality to PiHole, and have cloudflares DNS (184.108.40.206) set up.
As for wireless I attach a Ubiquiti AP through a switch.
I've done this at a couple different sites for relatives and it's comforting to know there's some semblence of security and privacy for them.
Mine is active and working (I use it with OpenVPN right now).
Also the nic.cz people have a neat new product. It’s really cool, but I think still too pricey.
There are options for much lower power hardware. I may do an experiment to see. Be kinda interesting but also hard to duplicate traffic effect and CPU loads.
However the reliable updates, advanced firewall, physical multi LAN, and durable VPN can't be understated for my use.
If you're looking for a router that's never had a documented security flaw, you're probably going to buy a no-name brand that's full of them (because no one's looked yet, so it has a "clean" record).
The factors that you really need to look for are 1) good engineering practices for security, and 2) prompt and effective response to flaws. 1) can hard to verify completely, but you can get a sense of 2) based on patch cycles.
I have a Mikrotik router at home, and I chose it because their products are inexpensive and aimed at professionals, which means the software support is much better than consumer routers. Mine is quite old, but it still gets patches.
- Ubiquiti has a track record of GPL violations (e.g. u-boot which dovetails nicely with a security vuln)
- The Unifi AP is tolerable for a simple home env but not much else.
- Ubiquiti support is non-existent. They basically slapped a slick GUI on Vyatta and resold it. It's nice, but they don't have much in the way of developers. So, for instance, they still haven't fixed the hardware acceleration bugs in the ER-X or the WPA2 enterprise issues in the Unifi AP.
- Ubiquiti hardware itself is hit and miss. The ER-L, for instance, is known to overheat and cook itself to death. There was a mixup with some of the PoE stuff (UBNT historically used non-standard PoE) meaning you're not entirely sure what's in the box.
UBNT hardware cheap and you can hack on it, so that's nice. But, being aimed at professionals and actually suitable for professionals are two separate issues.
I don't have much going on with my router, a few open ports, blocked domains and its running a L2TP over IPsec VPN for when I want to access my home IP cams.
I bought the older RB2011UiAS-RM years ago for work to replace their two crappy BT business hubs and setup dual DSL failover with a 3G dongle as a backup. I've never had to reboot any of them due to a malfunction or crash, they just keep going and the performance is top notch for the medium size business they're servicing.
I have a dell optiplex 780. I paid $15 for a second nic. It's great.
unless you pay for your own power. An edge router lite uses <10w.
How much does it cost to run the pfsense box over the course of 2 years?
So 36 bucks a year versus 8 bucks per year for the ERL.
It will? No, that implies it is inevitably going to happen with every device which is not the case. A better wording is it might, depending on (unclear) circumstances.
At those temperatures (40C exterior temp at idle) cooking to death is pretty certain. Look at the complaints of glitchy ERLs as a proxy for impending death. Meanwhile it's pretty clear that the Octeon runs hot and UBNT didn't provide sufficient cooling.
I don't know how flexible they are though, RouterOS might be a bit of a pig to use but it can do pretty much anything you want, the Ubiquiti gear is very user friendly and that usually means less flexible.
If you want to, you can SSH into the machines. The disabled bash completion will bring you back to the 80s and reevaluate how "user friendly" it is (it does work as root, but then you gotta be root all the time...). I call this part of user-friendliness, and not in a positive way.
Regardless, I'm happy with the Ubiquity gear I got. The entry level hardware is cheap yet good quality. If you want the more advanced stuff, that's expensive though. 16 port managed switch with PoE costs nearly 300 EUR while 8 port costs 100 EUR.
Also note that $200 in “value” is mostly covering the massive marketing budget of Eero and Google. You do not need to pay $200 for a secure WiFi solution.
My time is valuable and I've been known to make mistakes. So rather set up and maintain my own router, I bought a Google Wifi unit, and now I'm reasonably certain that my wifi is not the weakest link in my home electronics security profile.
Isn't that a real value proposition for anyone who can afford one and unable to continuously update their DIY router?
I'd still say the point stands that 99% of the routers out there have awful security and it's just a matter of time (often months) because your router is overtaken by a botnet, especially if you don't update to the latest firmware (whenever/if that may arrive).
Open source software helps, but if the firmware for your particular router is updated less often than every 12 months, I think you'll also become just as exposed.
With most conflicts you won't know the whole truth, but it's a data point.
The Wirecutter also doesn't give the 'best' in everything. They do have implict budgets.
For example, they won't recommend $5000 stereo speaker pairs, even though they would be better than the KEF Q150s they recommend currently. They don't recommend full frame / medium format cameras either, since they are probably too high end and expensive for their target markets.
I don't really fault them although for having some cost limits although. They would probably make the valid argument that if your buying the full frame cameras and $2500 loudspeakers that you probably know what your doing and don't need the wirecutter. I do wish they pointed it out a bit more in some of their guides although.