this post was submitted on 11 Aug 2023
7 points (100.0% liked)

networking

2779 readers
1 users here now

Community for discussing enterprise networks and the ensuing chaos that comes after inheriting or building one.

founded 1 year ago
MODERATORS
 

For a while I have been planning to switch from an all-in-one wifi router to having separate devices because that way they can be upgraded piece by piece instead of having to replace the whole thing.

I am confused about the role of the firewall.

If I have a router running OpenWRT, does it have a firewall included? Either by default or by installing certain packages?

Or is it required to have a separate firewall running opnsense/pfsense?

If not required, what would be the benefits that would lean in favour of separate firewall?

use case: small home network 2-3 users. some internal self hosting and maybe one day external self hosting.

ETA: The best internet I could subscribe to where I’m at is 1024 Mbps down, 50 Mbps up. So don’t worry about wasting fibre speeds. :(

My assembled components so far are: router, WAPs, switches, ethernet cable and cable modem.

Thanks for any advice.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 2 points 1 year ago (1 children)

Openwrt includes a firewall, but most wifi routers aren’t fast enough to run complicated firewall rules, VPNs, etc. at full speed.

Not my experience. Right now I'm running 2 Wireguard VPNs and a moderately complex firewall on a single core 775Mhz Atheros TP-Link router and it's not even breaking a sweat. More than 60% of memory is available, and even when transferring a huge file the utilization doesn't exceed 50%.

[–] [email protected] 2 points 1 year ago (1 children)

Memory normally isn't the bottleneck. When you say "moderately complex firewall" does that include policy-based routing? What speeds do you get between a wireguard client and a wireless client?

[–] [email protected] 2 points 1 year ago (1 children)

PBR is in use and different LAN clients use different Wireguard VPNs or bypass the VPNs entirely. Download speeds are limited by remote server uplink speeds to about 100Mbps. Just ran a test and at full VPN utilization the router's loafing along at 22% CPU. No matter how complex I've made the config this cheap router has been able to easily handle it.

What VPN speeds were you running that maxed out your router CPU? Were you running Wireguard or OpenVPN?

[–] [email protected] 1 points 1 year ago (1 children)

I'm talking about 1gbps between multiple clients on LAN and VPN. I don't think there are any 802.11ax routers with a support that can handle gigabit speeds without any performance loss when you get the cpu involved in routing.

But I'm also saying most people will be fine with just an openwrt router. The features you get are usually worth the slight performance loss, and buying a separate firewall to squeeze an extra 100mbps out of your connection when you're already getting >850mbps doesn't always make sense.

[–] [email protected] 1 points 1 year ago (1 children)

In your response to the OP's question where you said "most wifi routers aren’t fast enough to run complicated firewall rules, VPNs, etc. at full speed" were you also "talking about 1gbps between multiple clients on LAN and VPN"?

OP: "use case: small home network 2-3 users. some internal self hosting and maybe one day external self hosting."

From their comments they don't even have a gigabit Internet connection, much less anything that would stress even a moderately priced router.

Openwrt isn't capable of providing enterprise level performance either but that's not what's being discussed. A high end router running Openwrt (and likely even cheaper hardware) should be able to handle OP's stated use case without breaking a sweat.

[–] [email protected] 1 points 1 year ago

Yes, that's what I was talking about. And yes, OP has said in other comments that they have gigabit upstream. OP's original question was about why some people use openwrt as just an AP and use a separate machine for a firewall. I gave a common reason.

Personally, I'm building a NAS with 8 SAS drives controlled with an enterprise RAID controller and 2.5gbps ethernet. Total cost is under $300 (including drives) since it's all used hardware. Enterprises have moved past 1g/2.5g ethernet and SAS 2 a while ago, so lightly used hardware is cheap.