Did this earlier in the year with an rpi4 and a netgear managed switch. It can route 780mbit down/up (nftables)! Can probably get closer to 900mbit with some overclocking, and reduce latency slightly by pinning the rpi's clock but haven't really cared to.
The hard part was finding a cheap managed switch which does _not_ expose the management interface on every vlan. This is a specific product feature (wtf?) and often the only difference between two product lines.
Ended up with a netgear GS308T - the internet is full of rage at the device requiring you to log into netgear and register it, but I can confirm that I didn't have to do anything. I set it up with it connected directly to a laptop and have never signed up for a netgear account, though they may lock this down in the future. I was even able to upgrade the firmware. Would've preferred a model with ssh access but tp-link wasn't selling them at the time?
Wanted to be able to mix multiple ISPs together (but ended up only having one for now), which would've been 2+ USB NICs and not great for perf.
The other reason why I ended up here is because OpenWRT/etc support for wifi6 routers wasn't/isn't coming, and I want to be able to place my WAP in a different location than the router and main switch... so the WAP is a wifi6 thing running stock firmware but in "WAP mode" which turns everything off.
Anyway, works fine. Image your SD card when you're done configuring it. I need to go back and put it in read-only mode but haven't cared.
Indeed, the TL-SG105E/TL-SG108E is cheap because it's trash.
* The proprietary management interface listens to all VLANs no matter what.
* The VLAN separation is fake, multicast leaks freely across segments.
* The proprietary management protocol is obfuscated by a hard coded XOR string.
* Administrating the switch sends the admin password, "encrypted" only by the very same obfuscation.
* This most bizarre proprietary management protocol uses only broadcast for all communications, even though the switch has an IP assigned.
You do the math putting the above together... it's a mess bordering on genius, but there's more.
The switch will spew out various arcane, undocumented, non-IP protocols (probably providing more backdoors), including some Realtek proprietary protocol (0x8899), something used for HomePlug (0x893a) and TIPC (0x88ca), which sounds like the last thing you'd want a device of this caliber to use searching for more friends to talk to.
God knows what this monstrosity of a firmware hides and its reasons. It's just what I remember by heart, I have not had it powered up for some time. Still, this is just the surface and it's already a tire fire, it must be chock full of vulnerabilities, bugs and design flaws. It's the managed Ethernet switch which doesn't fulfill correct management nor implements actual Ethernet switching.
I have no idea, for all I know this could be better than other cheap switches, though I really hope not. The quality of home networking equipment and IoT in general is extremely low.
Regarding the management interface being exposed on every interface: I think this might be true for the TP-LINK device I linked in my article.
However, in this particular setup/context, I think the risk of this is minimal, as the actual interface should be using a private-IP address on your home network.
Hope that works :) I have this set up to an AT&T fiber gateway trashcan in pass-thru mode, so technically the RPI's vlan port has a public IP address. Otherwise I couldn't get upnp/etc to work when I wanted to.
I also want to be able to set up a DMZ'ed VLAN to hook up an old NUC to host something like a valheim/minecraft/whatever server if I wanted. So having the VLAN be safe was a goal for me.
Frankly, the more I think about it, the more I fail to see an actual way to attack the management interface.
Because the interface listens on a private IP address on your home network. And if you want to be able to talk to that IP address, you need some device that you control (as an attacker) connected to the switch, and be able to add an IP address in the same range as your home network and then attack the management interface?
The most likely scenario would indeed be the DMZ machine as a stepping-stone.
It's not really realistic, you're right. For my own goals it's "defense in depth" - just because I can't think of a scenario now doesn't mean it's impossible to do. Access also makes it easier to accidentally configure it in a way that is in fact easy to blow up.
From a practical standpoint, I just don't want any not-me traffic hitting the management interface for any reason (intentional or not), as I assume they're poorly written and can easily be crashed or even bricked. I've locked myself out of very expensive enterprise switches in past lives by ssh'ing to them too many times.
So if, i.e., someone can poke my management VLAN by sending an ICMP packet with a spoofed return address and my RPI doesn't filter that right because I did something wrong... I'm happier if that can't tickle the management interface at all.
The only way I could see is if there is a malicious device on the WAN side (as in, actually on the same network as the WAN interface) that is configured on the same subnet as the internal network and it communicates with the management interface over the WAN VLAN - but very unlikely (and probably have to be an untrustworthy ISP, which sounds like a problem in itself :) ).
I did this as well on a small laptop. I had trouble reaching gigE speeds (with cake qos). Took a bit of learning and careful configuration of the managed switch beforehand, otherwise it worked fine.
fwiw when I bought it, it was on sale for ~$50 too. couldn't find a 2.5g switch that I liked in my price range, so went cheap as possible and will swap it when a 2.5g hits all my requirements :)
I was tempted to do this but am concerned that VLANs are not a security boundary, this might expose the switch’s control plane to WAN, and the Pi has a failure prone micro SD card. The Pi 4 CPU is faster than most consumer routers and can shape a gigabit!
VLANs absolutely can be considered a security boundary. Sure, you can misconfigure a switch and expose something unintentionally. But as a technology VLANs are pretty battle-hardened. Random reddit discussion on the topic https://www.reddit.com/r/networking/comments/opmjol/vlan_seg...
That BH presentation is 20 years old now, and almost completely Cisco specific. I would not make security decisions on such data alone.
Author here, I think the security of using VLANs isn't much of an issue in this context. The old layer-2 attacks you linked to are absolute risks, but not in this setting, I believe.
This depends on the type and quality of the SD card, does it not? Also you can set up the Pi's OS to be read-only, so no writes to the SD card. This should extend the life of the SD card by quite a lot.
The Raspberry Pi is a device I always see many capabilities for that are better served by other hardware devices that people usually already own, or there is a cheaper device that can do what it does, as well as many that do it much better for the same price. I don't get the usage of the Pi anymore since it's no longer fanless, it is trying to be a desktop replacement with outdated hardware, and doesn't have anything specialized for it that is exceptional; in fact it is a jack of all trades, master of none, while many more have better raw specs and much stronger performance. I don't know the audience for the Pi4 anymore, except maybe people who had a Pi3 and just wanted to port their config easily and switch the hardware they had into it.
In regards to the suggestions for the better hardware, would you use an old laptop or desktop with a network card for the same purpose? It could act as a server as well, no need to get this hardware if you are going to just use it on a server you need anyway, unless you are using the hardware as a server.
Edit: I am posting too fast, but to the person under me, there are much stronger SBCs that are the same size, and with the fan requirements on the Pi4, it isn't as small as it was, nor is it as power efficient as other SBCs that would be much better. If using a server at home, having a router with custom FW would save much more space (the pi hole project could be easily served with a hosts blocker and custom firmware), having a blade server with virtualization would save even more space in terms of computation if you are comfortable with virtualized computing, an old laptop isn't going to make a significant size difference, but if it does the Pi 4 still isn't the best hardware for the job.
The reason everyone uses rpi's is because everyone uses rpi's. At this point there aren't any SBCs that are truly faster (some do have better connectivity re SATA/PCIe/etc, but 4 A72s and 8G of RAM which, given a reasonable heatsink, run at 2Ghz are faster than nearly every single other SBC less than $100). But overwhelmingly those boards are trash. The rpi is trash too, but it's trash that everyone and their brother uses so it tends to work. Unless you're good at reverse engineering GPUs or random SoC bugs, you stick to the rpi because someone else has already done the heavy lifting.
That, and at least in the USA, it's really the only SBC most people can buy locally because best buy, microcenter, and various other stores actually stock them.
>At this point there aren't any SBC's that are truly faster
Which Pi 4 model are you comparing it to? What defines "trash"? You can easily use an older laptop since everyone actually uses x86 and likely has spare hardware.
>you stick to the rpi because someone else has already done the heavy lifting.
I wouldn't buy hardware with no support, and x86 has the most support.
Why do local stores matter for SBCs? People don't really buy hardware at stores since newegg, arrow/digikey/mouser and amazon exist. Online retail killed radioshack, and is currently decimating local buying. Cyber monday deals aren't excluding anyone when most people have amazon prime.
Well, depends on what you mean by "support", but I tend to agree most people would be better served spending a bit more (or repurposing older hw) and getting a recent atom/low end x86. They are surprisingly power efficient these days, and idle as low or lower than the rpi4's, and finding one with multiple NICs shouldn't be too hard. And most are probably much faster than the A72's on the pi.
But you wouldn't see people posting about their successes doing this with an atomicPi, chuwi herobox, or the dozens of other inexpensive x86 machines that might be considered competitors because it's assumed one can install $RANDOM_OS and configure vlan+routing with them.
OTOH, while the rpi's support is weak they guarantee supplies for a fairly long time. Which actually makes them a reasonable choice for this kind of thing if you plan on designing it once, sticking it on box somewhere and expect to be able to buy another in 5-8 years when it dies. Chuwi like random android vendors churns their product lines every couple months with upgrades.
>Which actually makes them a reasonable choice for this kind of thing if you plan on designing it once, sticking it on box somewhere and expect to be able to buy another in 5-8 years when it dies.
I think of the Pi as mostly a dust collector for many people who will find a use for it doing some mundane task like pihole or as a desktop replacement for a monitor they don't use, setting it up but never using it. A practical use can be that you temporarily use it for capabilities: it is never stable, still can collect dust most of the time, but it will be used for a specialized task you don't have the hardware for temporarily, like flashing chips, or running some linux distro you want to try. I don't think that is a bad usage of it since it uses its strengths, which is its flexibility, while it can be purposefully used semi-permanently unless you have a reason to upgrade.
Without a purpose before an impulse purchase, its usually stuck in the limbo of the paradox of choice.
Don't feel bad, I was also lured by their slick marketing. Wow it can play Quake 3 with its "swanky graphics" and is like a pentium 2 and can do 1080p playback on the first gen one!
What scenario is that a huge factor? Most people have old x86 hardware laying around that isn't being used. If it is a huge factor, wouldn't you at that point just get a good router for less and have more space, or run virtualized computers on a server?
Can you name a scenario you think of for this purpose? I only see trying out hardware you may want, or just having it be good enough to stay as a temp semi-permanent solution to an issue you have.
As an example, I have a Dell R620 sitting behind me (among lots of other stuff,) it has 20 cores and 128GB of RAM. It's loud. It's hot. It's powerful and awesome. I bought it for $400 refurbished. It's sitting in a nice rack. I use it for VMs.
I have a stack of 10 RPI4's in a case on my left, a lot smaller. Deadly quiet. That's 40 cores and 80GB of RAM. Not loud at all. Bought them for $75 each. I use them as physical hosts for a number of things.
I treat them the same. General compute. One cluster is more convenient than the other.
Article touches on but doesn't clearly explain the bandwidth impact of a 1-armed router: Every routed packet is traversing the same link twice (in+out), so usable aggregate bandwidth is halved.
If you're fortunate enough to have a symmetrical Internet connection > 500Mb/s that means you can't upload and download at the maximum rate simultaneously. If you run multiple VLANs that also means the cross-VLAN traffic is competing with Internet traffic for bandwidth on the router's interface.
A while back I made some potato-quality charts to illustrate because this comes up all the time when discussing Ubiquiti's MediaTek-based routers that are architected as a switch with an internal router-on-a-stick.
It is actually possible to do it without a managed switch (and therefore vlans). You just assign a separate subnet between your router and modem than what you use internally and put both router addresses on the same interface.
With a single port? How exactly are you planning on preventing one of your end-hosts from pulling the external IP by accident anytime the modem or pi gets rebooted? Are you going to make every host on the LAN a static IP? Ignoring the security implications.
> How exactly are you planning on preventing one of your end-hosts from pulling the external IP by accident anytime the modem or pi gets rebooted?
Depends on the modem, but since many of them are also routers you just set them up to do single-nat to a static IP corresponding to the "WAN" address of your pi and otherwise not act as a DHCP server at all. Otherwise you could also get a static IP from your ISP so nothing ever changes.
> Are you going to make every host on the LAN a static IP?
No, they get DHCP addresses from the pi.
> Ignoring the security implications.
I said it was possible, not that it was a good idea.
>Depends on the modem, but since many of them are also routers you just set them up to do single-nat to a static IP corresponding to the "WAN" address of your pi and otherwise not act as a DHCP server at all. Otherwise you could also get a static IP from your ISP so nothing ever changes.
If your modem is doing NAT there's literally no reason for this setup. And it would cause even more issues because you'd have two DHCP servers on the same subnet offering up more than one IP. Even if you set the LAN side of the modem to disable DHCP and only offer a static address, you've still got both the "public" NAT address and "private" in the arp table of all of your hosts. You will absolutely run into issues.
>No, they get DHCP addresses from the pi.
If you have the modem spitting out DHCP addresses and the PI spitting out DHCP addresses you cannot force your end hosts to grab them from one or the other, they get whichever responds first.
> If your modem is doing NAT there's literally no reason for this setup.
Unless you wanted more options than your crappy router/modem gives you.
> And it would cause even more issues because you'd have two DHCP servers on the same subnet offering up more than one IP.
No, I specifically said the modem would have to not act as a DHCP server at all, just turn it off.
> Even if you set the LAN side of the modem to disable DHCP and only offer a static address, you've still got both the "public" NAT address and "private" in the arp table of all of your hosts.
Incorrect on two counts. 1) ARP tables only store address translations for your subnet precisely because all addresses not on your subnet must be reached through a gateway. 2) there are only two addresses in the modem<->pi subnet because the pi is performing NAT/PAT for your "LAN" subnet.
> You will absolutely run into issues.
Maybe, it has been a while since I've done anything this silly, but as I recall from doing stuff like this in a lab I had no issues shoving as many subnets as I wanted to on the same network without VLANs.
> If you have the modem spitting out DHCP addresses and the PI spitting out DHCP addresses [...]
If your connection requires authentication, like PPPoE, you can just disable the DHCP on the modem and use static addresses between the modem and the pi.
Then the actual connection will be established by the pi via PPPoE and the only DHCP would be the pi when it is up.
As for the security implications, I agree. It surely is a crappy design for the network, but it can be done.
pcengines is as good as it gets for DIY whitebox router. Their prices are really good too, $100-150 USD for very capable high efficiency x64. https://www.pcengines.ch/newshop.php?c=4
They look mostly OOS; wouldn't a nice old x64 laptop be just as capable for cheaper? I see this in the same category as the smart clocks, it's just a rebranded withered technology (nintendo term). Love the simple site though!
Old x64 laptops are great, and I've certainly used one as a router before, however they do have drawbacks (cooling profile is usually shitty for 24/7 use, and they often don't love to be stripped from their shell, lose their display and etc). A laptop generally does not have all the peripheral chipsets and connectors you want and usually has extra stuff you don't want.
For $120ish I'm not sure you could beat the value prop of one of these boards with a used laptop. Supply is certainly an issue and was even before COVID. Waiting until 2022 sucks, but I'd argue they are by far the best overall option for a DIY whitebox router I've personally seen.
I don't think there is a problem with stripping it from the display (I don't think it's necessary or even desirable most of the time for negligible space differences; it comes with a free UPS and is usually "free"), the idle power consumption is rather low (x240 with screen on is 4w on idle http://forum.notebookreview.com/threads/which-lenovo-laptop-...), my requirements for a device are way lower than those devices listed. I sometimes think of devices such as whiteboxes as marketed tools, like the smart clocks that just look like stripped phones to me, or VR that are just dual phone screens.
I'm not an expert but I would say it's probably pretty hard to find a laptop with 2 Ethernet ports, and 2.5Gb Ethernet with that. Also the H2 is passively cooled which is not going to be the case for most laptop. And it's also tiny and energy efficient. It's really an amazing deal. Too bad the semiconductor crisis seems to have killed it for now :(
I've been lately drooling for Solid-Run ClearFog CX LX2. 4x10Gbe + 1x100Gbe should be enough for anyone, and pretty hefty ARM CPU is an additional bonus.
Yes, it's absolute overkill for any sort of hobbyist use, and it's not cheap. But it certainly has potential to be a networking powerhouse.
Yes, there are a bunch of good rk3328-based boards with 2 Gb eth ports. If you need something beefier there are the rk3399-based boards (pine64's rockpro64 has only a single Ethernet port, but there is for example the nanopi r4s which has 2).
I'm not sure what the heat is like if you do gigabit NAT with them though :)
This RK3568 board looks interesting, but I have no idea if "firefly" is any decent vendor; that is generally the problem with these random chinese boards.
RK3568 has 2xGbe built-in, and the board has additionally a Wifi 6 chip (broadcom), seems like pretty ideal router platform to me. There are even some hints that it might have half-decent mainline support, but who knows really though..
https://pine64.com/product-category/single-board-computers/ Try pine64 if you must, they release hardware for the software community to add features. You can just use a spare laptop with less cost, more performance, and negligible energy cost differences unless your electric bills are very high rates.
Probably an unpopular opinion, but if you don't already know about VLANs, then you probably shouldn't be connecting devices "straight to the internet" or configuring a firewall.
I disagree. You can easily configure and manage your own failover-capable, multi-gateway home firewall without ever learning about VLANs if all you have is a cheap motherboard, a USB ethernet dongle and a cheap switch because your networking needs are quite complex before you ever even need VLANs. Maybe a home network admin might need to enter a "VLAN number" to get their traffic routed to their ISP, but that's it, and that's usually just a number you copy from some guide online.
Gatekeeping people because they never learned about or worked with the VLANs found in more expensive hardware is stupid. If you know your way around VLANs but don't know how to properly configure a firewall, you're much more of a danger to the outside world than the other way around.
I agree that there is some minimum skill level people should have before they hook stuff up to the public web (how to prevent being part of a botnet/DDoS amplification, how to block insecure/IoT management interfaces from the outside world, that stuff), but VLANs are an arbitrary and irrelevant thing to require people to know about.
> Gatekeeping people because they never learned about or worked with the VLANs found in more expensive hardware is stupid.
I'm not sure I agree with VLANs being limited to more expensive hardware. Like in the comments, there are some very cheap switches (£40 netgear) that support it and tonnes of older managed switches on ebay for £10. I don't necessarily think that a price-point is the gateway and didn't really mean to 'gatekeep' people.
> I agree that there is some minimum skill level people should have...
This was the point I was meaning, though maybe VLAN is not globally perceived this way. I had thought it was a fairly core concept that I'd considered would be part of this, but maybe it's due to personal experience. I'm absolutely sure there are tonnes of protocols that I don't know that others would feel the same way about, the other way around. But hey, without the comment and this discussion being had, I wouldn't know if others felt the same way :) And I appreciate you writing the final paragraph, even if you overall disagree :)
I could see that, but when first learning about firewalls and such, start in an isolated environment.. test with VMs, old machines, whatever.
Putting machines on the internet misconfigured can both put you at risk, but can also mean another device ends up in the hands of a botnet - thinking the internet outside of a firewall is any friendlier than the "real world" in the matrix is just fantasy.
If someone is interested in weapons or guns, you wouldn't want them to try out their skills by putting them straight into a war zone.
If someone put a tutorial on a forum for gas engineers about how great and easy redoing the pipes in their house is because they bought a blow torch, there'd be concerns for the safety of them and the people/houses around them, surely.
> I think that even people who do have some interest in running their own firewall, may not be familiar with VLANs.
Even the all-in-one appliances/distros provide a lot of documentation on the topic.
That's a very neat trick. Thank you. I think I will use just that. I don't have much space for proper networking gear, so this will be perfect for me. Maybe with something more buff (an Intel NUC ?)
You're welcome. You can use any compute you want. Any x86 device from the last 15 years can handle gigabit internet including firewalling with iptables.
I bought a usb 3.1 gigabit Ethernet dongle for 15$ which seemed cheaper than trying to do a managed switch. On the rpi4 I can manage unencrypted traffic with a load average of near 0.
One that could be served similarly with an older computer you already own, or a router that supports custom firmware like Merlin, tomato or ddwrt. You will not really have a requirement for it, the hardware for Pi is not exceptional, it has decent software support, poor hardware interfaces, higher cost to comparable SBCs. Check this out. https://advancedtomato.com/ I have hosts blocking, VPN, prioritization, and used it with USB3.0 as NAS and it was $40 (Asus AC68U I think its called 1900 as well).
The kind of home routing that involves running your own Linux distro and firewall configuration.
That may not be for everyone, it's more for tinkering. You can also run other things like VPN services, DNS, DHCP and all that shit, fully configured to your liking / needs.
Someone mentioned above, and so I ask: have you given banana-pi r1 with openwrt a try? Would that setup be simpler than the current one with VLAN and netplan?
Speaking of netplan: I didn't quite catch head or tail of it.
What does it do and why is it required (in the context of the setup).
For ex:
    ethernets:
      enp2s0f0:
        dhcp4: no           # only dhcp6 allowed?
                            # or, is dhcp now handled by wifi-ap?
    vlans:                  # netplan defines VLAN sub-interfaces under 'vlans:' (not 'ethernets:')
      enp2s0f0.10:
        id: 10
        link: enp2s0f0      # down-link?
        addresses:
          - 68.69.70.71/24  # is this modem's public-ip subnet?
                            # or, could be anything?
        gateway4: 68.69.70.1  # modem's public-ip?
      enp2s0f0.20:
        id: 20
        link: enp2s0f0      # up-link?
        addresses:
          - 192.168.0.1/24  # subnet for the internal network?
                            # what does dhcp for this one?
> So all the routing and NAT that needs to happen, just happens on those two virtual interfaces instead.
The managed-switch NATs traffic? Or, you mean to say that rpi4 does? Or, am I misunderstanding how all of this actually works?
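To make the "routing and NAT happen on the two virtual interfaces" concrete: the switch only tags frames, and the Pi does the routing, firewalling and NAT between its two VLAN sub-interfaces. The nftables ruleset below is an added example, not the article's or the thread's own config; it assumes the interface names and LAN subnet from the netplan snippet quoted above, and a constructed management subnet (192.168.99.0/24) for the switch, so that nothing arriving on the WAN VLAN can reach the switch's management interface even if addressing elsewhere is wrong.

```nft
#!/usr/sbin/nft -f
# Added example ruleset for a router-on-a-stick Raspberry Pi.
# Assumptions (taken from the quoted netplan snippet, plus one constructed value):
#   enp2s0f0.10 = WAN VLAN (address handed out by the modem)
#   enp2s0f0.20 = LAN VLAN (192.168.0.1/24 on the Pi)
#   192.168.99.0/24 = switch management subnet (constructed placeholder)
# Requires net.ipv4.ip_forward=1 on the Pi.

define wan      = "enp2s0f0.10"
define lan      = "enp2s0f0.20"
define lan_net  = 192.168.0.0/24
define mgmt_net = 192.168.99.0/24

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and return traffic for flows the Pi started are always fine.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may reach the Pi's own services: DHCP, DNS and SSH.
        iifname $lan udp dport { 67, 53 } accept
        iifname $lan tcp dport { 53, 22 } accept

        # Echo requests: unrestricted from the LAN, rate-limited from the WAN.
        iifname $lan icmp type echo-request accept
        iifname $wan icmp type echo-request limit rate 5/second accept
        # Anything else arriving on the WAN VLAN (SSH, UPnP, ...) hits policy drop.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Defence in depth: frames that entered on the WAN VLAN are never
        # forwarded toward the switch's management subnet.
        iifname $wan ip daddr $mgmt_net drop

        # Anti-spoofing: a packet from the WAN VLAN must not claim a LAN source.
        iifname $wan ip saddr $lan_net drop

        # LAN -> Internet is allowed; replies return via the conntrack rule above.
        iifname $lan oifname $wan accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Source NAT: LAN hosts leave the WAN VLAN with the Pi's WAN address.
        oifname $wan masquerade
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`; a LAN host should reach the Internet, while a scan from the WAN side sees only the rate-limited ICMP echo.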
Nowadays, with OpenWrt and DD-WRT firmwares for many routers, there is not much point in using RPis and switches unless they are just laying around in your junk drawer.
It might be a useful part of a RPi LAMP server setup, I suppose.
> Now a days with open wrt and dd-wrt firmwares for many routers, there is not much point in using RPis and switches unless they are just laying around in your junk drawer.
I feel like it's the other way around. A Pi 4 is cheaper and more performant than many (Most?) consumer grade routers. They'll do cake at gig if you set the clock speed to 2 GHz.
I must clarify my wording on my original comment. When I said "junk drawer" it was not meant to disparage RPIs; I own a couple 3s myself and they are not junk. In fact most of the stuff in my junk drawer(s) is not junk, it is just a colloquial term for the drawer where random objects of some value end up being placed rather than in their proper spot, out of convenience or due to lack of organization.
Why not use an old laptop at that point? Pi4 isn't fanless anymore, and there is not a good reason to use one when there are better spec SBC, lower price ones, fanless ones, not even sure who the audience for it is.
Edit: can't reply but show the specs to the Pi4 model that you want me to compare, and I didn't know about the new fanless Pi4, but they are still not stronger than many other SBCs that exist, and don't have fast interfaces in comparison to other SBCs, the Pine rockchip SBC comes to mind as one that has great performance for cheaper prices.
The Pi 4 has just been re-released with the newer and cooler chip revision from the Pi 400. This should make passive cooling (w/ a heatsink) viable for most workloads. Though the Pi 400 heatsink design still adds a lot of heat capacity which helps performance there.
There is often a good increase in performance of a consumer grade router once one of the wrt flavours is installed, so in my mind it would be simpler to just flash it rather than set up a Pi4 like this. Anyways, as was said earlier, if you have a Pi4 in a drawer and you have a need and a managed switch, this is a good use.
You have very few consumer routers with a CPU capable of routing a gigabit with a firewall (using the Linux network stack). All (consumer) routers implement parts of this in hardware, most of which OpenWRT doesn't support.
(For this reason, OpenWRT implements software offloading which skips a lot of the Linux network stack, but is partially broken in the latest release)
I was getting at what options there might be with what is at hand, which a previous commenter mentioned, but your points are probably showstoppers for anyone comparing the Pi4 vs consumer router solutions as a starting point.
This is laughably wrong actually, as most consumer grade routers will not provide adequate network throughput to a standard home setup without eventually choking.
A quick perusal of /r/openwrt will show that most power users suggest fanless X86 boxes instead of consumer gear to handle modern GB fiber connections at full use.
Response feels a little harsh.. in terms of features he may be right (haven't used, but heard enough about openWRT).
But in terms of power (or ability to provide throughput), you're right... just "laughably wrong" feels harsh :D
You may be right, I am not yet fortunate to have a fiber connection to the net. In fact I am currently limited to about 3Mbs up and my downspeed is throttled at 8Mbs on my LTE connection.
I don't stream anything on my LAN side at 4K (or even own a 4K capable TV).
So I suppose yes, a family of 5 with an influencer Mom and 3 hard gaming kids and a sports addicted dad on a Sunday afternoon might overload a cheap router, but I bet anyone with hardware capable of capping out a WRT would probably already have a far more expensive top of the line router and would literally "Laugh" at a RPI and Switch based non wireless setup.
But yes I could see a few good reasons for setting up one of these, if for just a learning experiment.
Ouch. As much as I love OpenWRT, the upgrade process for x86 is a bit convoluted[0]. Especially since people are being directed to use it for performance reasons, that's a sorry situation.