For a while I have been planning to switch from an all-in-one wifi router to having separate devices because that way they can be upgraded piece by piece instead of having to replace the whole thing.

I am confused about the role of the firewall.

If I have a router running OpenWRT, does it have a firewall included? Either by default or by installing certain packages?

Or is it required to have a separate firewall running opnsense/pfsense?

If not required, what would be the benefits that would lean in favour of separate firewall?

use case: small home network 2-3 users. some internal self hosting and maybe one day external self hosting.

ETA: The best internet I could subscribe to where I’m at is 1024 Mbps down, 50 Mbps up. So don’t worry about wasting fibre speeds. :(

My assembled components so far are: router, WAPs, switches, ethernet cable and cable modem.

Thanks for any advice.

You are viewing a single thread.
View all comments
3 points
*

Openwrt includes a firewall, but most wifi routers aren’t fast enough to run complicated firewall rules, VPNs, etc. at full speed. If you want to set up complicated firewall rules or run a VPN server on the same machine as your firewall (you can always use a different server), AND you have a fast internet connection (like 1gbps) and want full speed then it’s a good idea to use a faster x86 machine for the firewall. Lots of people just use openwrt and live with the performance penalty, though.

permalink
report
reply
1 point

The best internet I could subscribe to where I’m at is 1024 Mbps down, 50 Mbps up. :(

Sounds like I can just use the router then.

permalink
report
parent
reply
3 points

1024Mbps = 1gbps

That’s fast enough to hit the limit of most hardware people put openwrt on, but if you stick with standard firewall rules and don’t install anything else on the router you should be ok. The router might limit your download speed slightly, but you should still easily get 800+ mbps.

permalink
report
parent
reply
1 point

ok, ok, I don’t know how numbers work oops

I doubt the WAN would provide the advertised top theoretical speed most of the time; I just don’t want to be running at like 10% of potential or something like that. If I were to do that I should at least get a cheaper plan.

permalink
report
parent
reply
2 points

Isn’t 1024 Mbps the same as 1 Gbps?

permalink
report
parent
reply
1 point

aaahh yes… you are right. I got the place values mixed up. ty :)

permalink
report
parent
reply
2 points

Openwrt includes a firewall, but most wifi routers aren’t fast enough to run complicated firewall rules, VPNs, etc. at full speed.

Not my experience. Right now I’m running 2 Wireguard VPNs and a moderately complex firewall on a single core 775Mhz Atheros TP-Link router and it’s not even breaking a sweat. More than 60% of memory is available, and even when transferring a huge file the utilization doesn’t exceed 50%.

permalink
report
parent
reply
2 points

Memory normally isn’t the bottleneck. When you say “moderately complex firewall” does that include policy-based routing? What speeds do you get between a wireguard client and a wireless client?

permalink
report
parent
reply
2 points

PBR is in use and different LAN clients use different Wireguard VPNs or bypass the VPNs entirely. Download speeds are limited by remote server uplink speeds to about 100Mbps. Just ran a test and at full VPN utilization the router’s loafing along at 22% CPU. No matter how complex I’ve made the config this cheap router has been able to easily handle it.

What VPN speeds were you running that maxed out your router CPU? Were you running Wireguard or OpenVPN?

permalink
report
parent
reply

networking

!networking@sh.itjust.works

Create post

Community for discussing enterprise networks and the ensuing chaos that comes after inheriting or building one.

Community stats

  • 56

    Monthly active users

  • 126

    Posts

  • 659

    Comments

Community moderators