For a while I have been planning to switch from an all-in-one wifi router to having separate devices because that way they can be upgraded piece by piece instead of having to replace the whole thing.
I am confused about the role of the firewall.
If I have a router running OpenWRT, does it have a firewall included? Either by default or by installing certain packages?
Or is it required to have a separate firewall running opnsense/pfsense?
If not required, what would be the benefits that would lean in favour of separate firewall?
use case: small home network 2-3 users. some internal self hosting and maybe one day external self hosting.
ETA: The best internet I could subscribe to where I’m at is 1024 Mbps down, 50 Mbps up. So don’t worry about wasting fibre speeds. :(
My assembled components so far are: router, WAPs, switches, ethernet cable and cable modem.
Thanks for any advice.
Openwrt includes a firewall, but most wifi routers aren’t fast enough to run complicated firewall rules, VPNs, etc. at full speed. If you want to set up complicated firewall rules or run a VPN server on the same machine as your firewall (you can always use a different server), AND you have a fast internet connection (like 1gbps) and want full speed then it’s a good idea to use a faster x86 machine for the firewall. Lots of people just use openwrt and live with the performance penalty, though.
The best internet I could subscribe to where I’m at is 1024 Mbps down, 50 Mbps up. :(
Sounds like I can just use the router then.
1024Mbps = 1gbps
That’s fast enough to hit the limit of most hardware people put openwrt on, but if you stick with standard firewall rules and don’t install anything else on the router you should be ok. The router might limit your download speed slightly, but you should still easily get 800+ mbps.
ok, ok, I don’t know how numbers work oops
I doubt the WAN would provide the advertised top theoretical speed most of the time; I just don’t want to be running at like 10% of potential or something like that. If I were to do that I should at least get a cheaper plan.
Openwrt includes a firewall, but most wifi routers aren’t fast enough to run complicated firewall rules, VPNs, etc. at full speed.
Not my experience. Right now I’m running 2 Wireguard VPNs and a moderately complex firewall on a single core 775Mhz Atheros TP-Link router and it’s not even breaking a sweat. More than 60% of memory is available, and even when transferring a huge file the utilization doesn’t exceed 50%.
Memory normally isn’t the bottleneck. When you say “moderately complex firewall” does that include policy-based routing? What speeds do you get between a wireguard client and a wireless client?
PBR is in use and different LAN clients use different Wireguard VPNs or bypass the VPNs entirely. Download speeds are limited by remote server uplink speeds to about 100Mbps. Just ran a test and at full VPN utilization the router’s loafing along at 22% CPU. No matter how complex I’ve made the config this cheap router has been able to easily handle it.
What VPN speeds were you running that maxed out your router CPU? Were you running Wireguard or OpenVPN?