I need a new router

My Asus Merlin-WRT-flashed router is going EOL at the end of the year, so no more security updates, I guess.

I can obviously buy a still-supported, later-model Asus and continue with the familiar interface, but I’ll take this opportunity to ask forum members for their recommendations for other open-source-compatible brands/models.

(Please. :slight_smile: )

I just need to integrate my existing Raspberry Pi/Pi-hole setup, and not have to replace the router again any time soon. I have no special fancy power or speed requirements, nor do I need to physically connect dozens of devices. I don’t want to spend US$hundreds for it, either.

Also, is there anything an out-of-support router can be used for, safely, on the home network?

2 Likes

If your local network is complex enough to warrant multiple subnets and your home internet gateway router can route ethernet-to-ethernet then yes.

Also, your typical home internet gateway router is really a combination of switch, wireless access point and router (from home network to internet i.e. internet gateway). Assuming that you no longer wish to use the routing function because it is too risky to have an out-of-support router directly on the internet (i.e. internet facing) then the switch and wireless access point functions should still be usable.

3 Likes

I guess you are aware of openwrt, an open-source OS for routers.

Open source (software) routers I know are:
OpenWrt One - A just released basic low-cost router.
Turris (Omnia) - A more feature-rich router. I have it and like it. Still receives updates, even if they are a bit behind OpenWrt releases. (Well… small company.) And they still support even older routers, so I don’t expect its EOL anytime soon. Turris also has a modular router called “Mox”. But I can’t say much about that one. Also, Turris is working on an Omnia predecessor and an enterprise router. But no idea when those are to be released.

If I had to buy a new router, I would buy the Turris Omnia again, without even looking for an alternative. I am using it as a server and NAS, but it has many more capabilities.

No idea how open the hardware of those routers is.

8 Likes

See also:

Open Router for Home & Small Business - General / Round Table - Purism community

Depends on your threat model. See also your previous similarly asked question and subsequent community replies:

1 Like

I interpreted that earlier topic’s question as literally two routers one behind the other.

I interpreted the above question more generally.

Some of the considerations are the same though. There is always some risk in using abandonware. It does, as Frankly says, depend on your threat model.

For me specifically, I only keep an old router as a spare. It would only get used if the router in use died and then only for as long as it takes to get a replacement. So there is a very low probability that the situation would arise that I am prioritising availability over security - but that is OK for my threat model. As it happens, right now I have a non-abandonware spare. So the actual old spare should probably be ewasted.

2 Likes

This popped up in my feed a few years back and I built something very similar to this. My old router is now just the Wifi access point. Very happy with the results and I don’t expect to need to change this any time soon.
I forget how much I spent on everything but it was less than $150 USD.

3 Likes

My threat model is that I don’t want malefactors to gain access to my network, of course. (I realize that I’m replying to a reply from the earlier thread, but just want to reiterate it.)

Ha! I had forgotten about that. Thanks.

1 Like

I do that, too.

1 Like

Then I would suggest using physical Ethernet/MoCA connections, up-to-date hardware/firmware/software, MAC address filtering, and turning off your network infrastructure when not in use.

1 Like

I have the Turris (Omnia) as well and would buy it again.

2 Likes

The Turris Omnia looks interesting. I was aware of its existence, but had never looked very closely at it. Wikipedia entry: Turris Omnia - Wikipedia

The fact that it gets long-term updates is attractive.

At least one reviewer wasn’t very complimentary of it in 2018.

Not currently available at Amazon US, but can be ordered from here: Turris Omnia Wi-Fi 6, silver | Discomp (VAT is removed in the cart, for orders to the U.S.)

2 Likes

I thought it was above your price limit. (But it does add all kinds of value beyond typical consumer routers, including much more RAM and much larger eMMC.)

One very nice feature is that you can (reduce clutter and) run Pi-hole in an LXC container on the Omnia itself. (To do this, you need to add a miniPCI or USB SSD to prevent wearing out the eMMC.)

It’s also a nice toy. I have mine set up to flash one of the spare front panel LEDs red whenever pihole blocks a connection and to adjust the brightness of all the LEDs based on time of day.

2 Likes

I wouldn’t normally pay so much, but if it does receive updates way past the lifespan of other consumer routers, then it would probably cost less in the long run.

I also like the monitoring and notification functions (attempted intrusions, etc.), as well as its open source/Linux chops.

1 Like

They still support their kickstarter model.

They not only update, they announce updates in their forum with details regarding what the changes are. Rollbacks are also pretty easy and pre-update there are multiple release candidates which the bleeding edge customers download and test.

2 Likes

What’s your experience with the “phoning home” that the review I linked mentioned? I suspect it’s just something innocuous, checking for updates, etc. Turris’ privacy policy seems legit.

1 Like

I think that review is an honest reporting of experience by someone who is not an expert in networking in general, or routing in particular (neither am I). He also does not seem to have much Linux knowledge or CLI inclination. I think some of his negative impressions reflect personal preferences.

As near as I can tell, there are 2 sorts of “phoning home”: checking for updates (enabled by default) and (optional) data collection for product improvement. When automatic updates are disabled, data collection is as well, but it can be separately disabled. IMHO they genuinely try to be privacy respecting.

I think the company is part of a Czech Republic (government?) ISP and is under-resourced and also has had some layoffs, but seems to be in better shape than Purism.

From my POV there are some “what were they thinking” and “why hasn’t this been fixed yet?” things. They tout the ability to add mSATA storage, but the new user encounters multiple stumbling blocks. There are 3 miniPCI slots, 1 occupied by a full-length 5 GHz wifi card and 1 by a half-length 2.5GHz wifi card. But only 1 slot supports mSATA, and not the empty one. When the cards are swapped around, some of the cables between the antennas and the cards don’t reach. (Cables and the tool to gently remove them are readily available online. The tool is probably handy for use with the Librem 5.) I also had to disconnect the motherboard from the case to move some of the standoffs around because of the mix of half-length and full-length cards.

I got one of the dozen in stock at Amazon earlier this year and it came with TurrisOS 3.x; they were at 6.x then and are at 7.x now. I’m guessing that the wifi6 model has whatever initial version supports the wifi6 hardware. Web searches turn up very old documentation, which hasn’t been updated to point to the new tree. Navigating from the company home page didn’t always get me to where I needed to be. Usually roaming the forum turns up a link to a new page.

The OpenWrt version on the Omnia is a major version behind the current OpenWrt version. Some customers are able to get the current OpenWrt running, but I doubt it is easy.
The LuCI OpenWrt web admin GUI is available, but the Turris-written reForis web GUI is as well. Both can be used simultaneously (as I do). reForis is probably easier (and safer) for most people. A few times, it has been easier for me to do something by ssh to the router.

I would recommend that a new owner browse the forum a bit, play with reForis a bit, then (or maybe before doing anything else) download the latest stable “medkit” (flashable image) and flash it when ready. I don’t recommend a newbie trying to do a web update across major versions. Doing the firmware flash from a thumb drive is pretty easy. So don’t do a lot of customization that will be lost in a reflash. There are utilities to back up configurations, but restoring across versions might (probably, IMHO) not work well or at all.

One thing I’m glad I did was move the cards and add the mSATA before ever turning the Omnia on because doing the moving and adding later would cause device renaming without automatically changing the relevant config files. Maybe that is trivial to do, but I wasn’t looking for yet another required task that I might screw up.

4 Likes

True for most of us(!) but … specifying your threat model includes an assessment of who your threat actors are, what their level of sophistication is, what their level of desperation is, what their motivation is, what they might be after / what you are protecting, what they might already have access to - and, related to all that, whether it is a targeted attack or an untargeted attack.

I review my logs. I see hundreds of attacks every day. It is my judgement that they are untargeted. There would be a wide range of actors, with a wide range of sophistication. Anything from a script kiddie to someone informally acting on behalf of a foreign nation state, to someone literally acting on behalf of a foreign nation state.

It is my judgement that their desperation level is low (i.e. probe and if unsuccessful, move on - because there’s always an easier target on the next IP address) and my security practices encourage that (e.g. temporary source IP address block against some unsuccessful attacks and e.g. correlate similar unsuccessful attacks that aren’t blocked by IP address).

Could I be doing more? Of course. But right now my threat level is not so severe.


Let’s say that you retain your old router and actually use it, and disable routing by not connecting the WAN side and disable switching by only connecting one LAN port and use it only as an extra, live wireless access point. Let’s say that there is a security flaw in the WAP functionality that is being exploited in the wild but which will never be fixed.

You can be attacked by anyone within WiFi signal range (which for most people would be a non-empty set) and it may not require a great deal of sophistication or desperation. The opportunistic wardriver could pick it up.

Now compare that with an alternative config where the old router has routing and WAP disabled and is being used solely as a switch i.e. to get a few more ethernet ports, and there is an unpatched known vulnerability in the switch functionality.

Realistically that is more difficult to exploit, requiring greater sophistication, because it probably requires a blended attack (one attack, a different attack, to get access to the local network and then the specified attack against the switch) or it requires physical access to the premises - and the vulnerability at your house is not readily detectable in the first place.

3 Likes
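The two log-review practices the post above describes (a temporary block once one source IP racks up several failures, and a separate correlation of the sparse failures that never trip the per-IP rule) are easy to reproduce against a log file. The following is an added example, not code from anyone in this thread; it runs over a few constructed sshd-style lines (RFC 5737 documentation addresses), and the thresholds, window and ban duration are assumptions chosen for the demonstration rather than anything the poster stated.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines; not taken from the poster's router.
SAMPLE_LOG = """\
Jan 10 03:14:01 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Jan 10 03:14:03 gw sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
Jan 10 03:14:05 gw sshd[1203]: Failed password for root from 203.0.113.5 port 51004 ssh2
Jan 10 03:14:06 gw sshd[1204]: Failed password for invalid user admin from 203.0.113.5 port 51006 ssh2
Jan 10 03:14:08 gw sshd[1205]: Failed password for invalid user admin from 203.0.113.5 port 51008 ssh2
Jan 10 03:20:10 gw sshd[1210]: Failed password for invalid user pi from 198.51.100.7 port 40000 ssh2
Jan 10 03:25:44 gw sshd[1211]: Failed password for invalid user pi from 198.51.100.9 port 40002 ssh2
Jan 10 03:31:02 gw sshd[1212]: Failed password for invalid user pi from 198.51.100.12 port 40004 ssh2
Jan 10 03:33:19 gw sshd[1213]: Accepted publickey for alice from 192.0.2.10 port 50010 ssh2
"""

# Matches the common sshd "Failed password for [invalid user] X from IP" and
# "Accepted <method> for X from IP" lines; anything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_log(text):
    """Return (timestamp, result, user, ip) tuples for the lines that match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Classic syslog timestamps carry no year; strptime defaults to 1900,
        # which is fine for the relative comparisons done here.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def temporary_blocks(events, threshold=5, window=timedelta(minutes=10),
                     ban=timedelta(hours=1)):
    """Per-IP rule (assumed parameters): `threshold` failures from one source
    inside `window` earn a block that expires `ban` after the triggering failure.
    Returns {ip: expiry}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    blocked = {}
    for ts, result, _user, ip in sorted(events):
        if result != "Failed":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in blocked:
            blocked[ip] = ts + ban
    return blocked


def correlate_unblocked(events, blocked, min_sources=3):
    """Second signal: failures too sparse to trip the per-IP rule but sharing a
    target username across several source addresses. Returns {user: [ips]}."""
    sources = defaultdict(set)
    for _ts, result, user, ip in events:
        if result == "Failed" and ip not in blocked:
            sources[user].add(ip)
    return {u: sorted(ips) for u, ips in sources.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    blocks = temporary_blocks(ev)
    for ip, until in blocks.items():
        print(f"block {ip} until {until:%H:%M:%S}")
    for user, ips in correlate_unblocked(ev, blocks).items():
        print(f"user {user!r} tried from {len(ips)} unblocked sources: {', '.join(ips)}")
```

On the sample, the first source hits the per-IP threshold within seconds and is blocked for the ban period, while the three single attempts against `pi` are individually below any threshold and only show up through the username correlation; feeding the block list to a firewall rule with an expiry is the part left to the router's own tooling.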

All that sounds quite complicated. :thinking:

1 Like

If you want to simplify your pool of product candidates, focus on listing your necessities and dealbreakers.

Indeed. For starters, is the requirement for a pure router or is the requirement for an omnibus router + switch + WAP?

2 Likes