Avoid Consumer Routers

OK, so this argues that consumer routers are bad.<p>However, no evidence is presented that &quot;business class&quot; routers, as the author calls them, are any better.<p>And the &quot;Consumer Router Alternatives&quot; section [1] of the site is <i>entirely</i> non-helpful. Just 20 random bullets of different brands with unhelpful notes like &quot;I have no experience with them&quot;, &quot;I have heard good things&quot;, and &quot;build your own router&quot;. The first bullet that recommends the &quot;Peplink&quot; router justifies it solely with... Peplink&#x27;s <i>own product page</i>. Which is the <i>furthest you can get</i> from an unbiased third-party evaluation.<p>Don&#x27;t the same companies make enterprise routers and consumer routers? Don&#x27;t they presumably employ the same engineers to write software across them?<p><i>All</i> of the arguments against consumer routers seems like they could apply against enterprise routers too, unless there&#x27;s real evidence otherwise. But this post, unfortunately, seems to be quite evidence-free. :(<p>[1] <a href="https:&#x2F;&#x2F;routersecurity.org&#x2F;resources.php" rel="nofollow">https:&#x2F;&#x2F;routersecurity.org&#x2F;resources.php</a>

Actually, consumer router running openWRT is quite good[1] or Asus WIFI router using Merlin firmware[1].<p>[1]<a href="https:&#x2F;&#x2F;openwrt.org&#x2F;supported_devices" rel="nofollow">https:&#x2F;&#x2F;openwrt.org&#x2F;supported_devices</a> [2]<a href="https:&#x2F;&#x2F;www.asuswrt-merlin.net&#x2F;download" rel="nofollow">https:&#x2F;&#x2F;www.asuswrt-merlin.net&#x2F;download</a>

As someone who has worked on firmware for network devices, including the UI&#x2F;presentation aspect, I feel obliged to point out that there <i>are</i> people working in that part of the industry who take security seriously, and likewise there <i>are</i> people working in that part of the industry who take the presentation of both hardware and UIs seriously.<p>At the same time, I can’t really disagree with the general sentiment that a lot of firmware in embedded devices, router or otherwise, is very poor. The thing I’d add is that it’s not just consumer-grade products with this problem, there are plenty of supposedly professional-grade devices where the firmware is junk too. The worst products I have ever had in my typical small-office work environments were the Cisco-branded “small business” range, which in specs and appearance did look like they were being pitched at that market, yet which never performed accordingly and mostly failed after an unreasonably short amount of time for equipment in this class.<p>To be blunt, a big part of the problem is money. Think about the kind of developer who has gained a few years of experience and has the skills and interest to do a good job solving challenging technical problems. Look at what that person can earn working for a FAANG or a financial services firm, or the potential upside for them at a startup if they get in early and there is a big exit. Look at the work environments they have in those roles. Now look at what <i>a whole team</i> of those people would earn <i>collectively</i> for writing router firmware and tell me which number is bigger, and look at their work environment and tell me where you’d rather be spending a significant fraction of your waking hours. In short, the people you find working in this area with real ability tend to be those who enjoy this kind of work enough to give up a lot of other benefits to do it. Obviously that restricts your talent pool and then manufacturers have to fill the gaps with whoever else they can find.<p>It comes down to the age-old reality that many customers prefer to buy junk as long as it’s cheap. Sadly, I doubt this will change any time soon, whether we’re talking about consumer routers or TVs or whatever IoT device someone decided would make their home smarter this week. Maybe if something really bad happens, the market will shift and&#x2F;or governments will step in and regulate to try to force better standards for things like security and updates. In those cases, I would expect to see both significant consolidation in the consumer devices market and significant price increases follow quickly afterwards.

I have a rule of thumb, which didn&#x27;t fail me yet - don&#x27;t buy fancy looking networking gear. Buy the ones which look like ugly military tech (not fancy military tech) or something you could see in a factory. I have two failed fancy wifi routers, two failed good-looking switches, but one wrt54-gl still working and two metal-cased 5&#x2F;8 port switches which are older but still working. With fancy looking gear, while it worked, there were always stability problems.

Personally, I would never buy SoHo networking hardware that does not have decent OpenWrt support - the platform is supremely flexible, hackable, and secure.<p>If you&#x27;re in the market for a new device, look at <a href="https:&#x2F;&#x2F;openwrt.org&#x2F;toh&#x2F;views&#x2F;toh_available_16128" rel="nofollow">https:&#x2F;&#x2F;openwrt.org&#x2F;toh&#x2F;views&#x2F;toh_available_16128</a> as a first step (and avoid devices with Broadcom&#x27;s involvement).

I&#x27;m using a 7 years old TP-Link router wifi, the last official firmware available is from 2018. I disabled features like remote administration and file-sharing. I also setup WPA2, disabled WPS and have a strong password on the admin. What is the real risk for me? I get that it is always preferable to have an up to date device for security but I also wish to not create more electronic waste (and I unfortunately have stability issues with OpenWRT). From my understanding cracking a WPA2 passphrase isn&#x27;t as easy as it used to be with WPA1 or WEP, and not having the admin interface exposed to the outside world limit the risk of someone breaking in. So realistically, assuming I&#x27;m not targeted by some APT group, would breaking into my router be that easy?

Simple question:<p>What if my space at home doesn&#x27;t allow for a half rack of equipment and required cabling?<p>OpenWRT is no panacea. It generally doesn&#x27;t support higher throughput modes in wireless radios in said routers and I <i>need</i> these features (thick walls, wifi first devices, etc.).

Mikrotik is doing better at offering home router solutions. They now have a quick-setup page and an Android application that makes it much easier to configure.<p>Just got a new Mikrotik RBwAPG-5HacD2HnD that has a quad core ARM CPU, dual chain, dual band wifi. Highly recommended.

is the Fritzbox available in the us?<p>it&#x27;s an excellent security maintained choice in europe, for combined cable or dsl modem, router, wifi access point, nas device, phone switch and voice mail box.

The majority of the points tend to be based on the facts that the firmware is shit, isn&#x27;t updated for long, and visibility into the firmware and it&#x27;s releases is murky and opaque.<p>So what if you wipe out the firmware and go for openwrt? how does balancing for compatibility with openwrt and consumer router hardware rank on this scale?

It surprises me how many otherwise experienced system administrators consider a home router something you have to buy and get a completly unsuitable plastic throwaway gadget. It’s an internet-connected device, therefore you have to treat like any other server¹. Get a computer, stick a wifi card in it, install your favorite Linux distro, configure the networking (including DNS resolver, DHCP daemon, hostapd, firewall rules, etc.). Keep it updated in whatever way you keep all your other servers updated. <i>Done.</i><p>Normal consumer routers are bad for the same reason that just about all IoT devices are bad. This will not change unless the incentives involved change; i.e. don’t hold your breath.<p>1) <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=18019343" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=18019343</a>

What are people’s thoughts about the Turris Omnia[0]?<p>Does it hold up to their claims and is it playing nice with American ISPs like charter?<p>[0]: <a href="https:&#x2F;&#x2F;www.turris.com&#x2F;en&#x2F;omnia&#x2F;overview&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.turris.com&#x2F;en&#x2F;omnia&#x2F;overview&#x2F;</a>

My stock Debian x86 mini-ITX firewall is now 7 years old. It has been upgraded across three stable releases and will go to bullseye sometime this year. It handles stateful firewalling, IPv6 routing, failover DHCP, DNS caching, NTP... and it has lots of available capacity in CPU and RAM.<p>It was expensive for a home firewall but not horribly so, and I fully expect it to have a ten or twelve year lifespan with full support. If the NIC fails, I can replace it -- it&#x27;s a PCIe card. If the storage fails, I can replace it -- SATA SSD. Neither of those have happened yet, but I might replace a fan sometime soon.<p>These days I would probably buy a tiny NUC-like object with enough gig-e ports.

MikroTik hAP ac2 (RBD52G-5HacD2HnD-TC) - all you need and then some for fair price.

I am loving my Edgerouter 4 + Unifi APs. Home network is rock solid. If only I could figure out why my ISP is dropping 20% of packets to Cloudflare DNS.

Anyone consider the Odroid H2+? It&#x27;s a relatively fast CPU (for a router) the Intel J4115, relatively low power (10 watt TDP), max ram 32GB (plenty for a router), has two 2.5 Gbit ports, with an option to add 4x2.5 Gbit for $47. Also has a eMMC and M.2 slot for reliable storage, to avoid any ugly USB connected storage for boot.<p>Seems like it would make a quiet and fast 6 port x 2.5 Gbit router and run well with Linux based OS, unsure of the state of drivers for *bsd.<p>I did see a thread about getting it to work well with OpenWRT.

Ok I get it.... any recommendations for acceptable routers?

You can also use this as plausible deniability when you get raided by the police and they discover your collection of pirated music.

Another postive note here for Mikrotik - $50 USD buys you the hAP ac lite - enough for a &quot;home&quot; router but with all the features of top end enterprise routers.<p>Other comments have addressed security concerns - there&#x27;s lots of CVE&#x27;s out there because there&#x27;s lots of Mikrotiks out there. As far as I&#x27;m aware, all or nearly all CVE&#x27;s are patched before they are public; there&#x27;s always the risk of zerodays but everything has the risk of zerodays.

The state of all network firewalls&#x2F;routers is appalling. Even high end Cisco, Fortinet, or even Palo Alto gear is riddled with security issues, critically outdated packages, and general poor maintenance.<p>IMO, the only way to have a reasonably secure device is to build it yourself. That&#x27;s not going to be a popular opinion where the prevailing motto is &quot;nobody gets fired for buying Cisco&quot;, but I don&#x27;t really see any alternative. OpenWRT&#x2F;Tomato are decent, but they still expose a web UI which is potentially a greater attack surface than ssh w&#x2F; public keys.<p>I&#x27;ve seen some people have good results with OpenBSD or FreeBSD, others with skinny versions of Debian or CentOS. I took a crack at it last year on Debian (shameless plug: <a href="https:&#x2F;&#x2F;nbailey.ca&#x2F;post&#x2F;linux-firewall-ids&#x2F;" rel="nofollow">https:&#x2F;&#x2F;nbailey.ca&#x2F;post&#x2F;linux-firewall-ids&#x2F;</a>), and I&#x27;ve been happy with it so far. It is more expensive to build, but I expect this device to last more than a decade, or until I need greater than 1gbps per port.

About a year ago I decided no more crappy plastic boxes as my main home router, and now use a headless Linux PC instead. No regrets and have plenty of resources to run things like ntopng and anything I need right at the edge of my home network; and QoS is something I can control as well.<p>I don&#x27;t care about the small increase in cost of electricity where I&#x27;m at.<p>Now I do also have an Asus RT-AC56U but configured for an access point only. Which had pretty decent firmware IMHO with it&#x27;s OpenWRT variant &quot;AsusWRT&quot;--decent because it&#x27;s easy to get root without flashing it and really do what you want. With all the cloud service stuff disabled, it goes into a 2nd NIC into my PC-as-a-router and is appropriately firewalled.<p>At least one other comment talks about getting business class hardware for Wifi and that might be a plan in the near future, but for now it&#x27;s working OK for me.

Agree as OpenWrt user.<p>&gt; &quot;Linksys is by no means alone in using its customers as beta testers<p>No sure, but my Linksys router starts painfully <i>slow</i> and kinda 10x faster on OpenWrt. Crazy slow for dual-core machine. Maybe it&#x27;s the part of their plans to force clients for buying new routers?

If I disable wifi on the shitty router my ISP gave me, and assuming the physical device is secure, am I safe from having my home network hacked into?<p>I assume the ISP could still backdoor their way in (is this likely?) but that is a separate concern.

Yes some are really atrocious, dlink come to mind. Some are better, the high end gaming routers by Asus actually have good support but just like phones they have a limited shelf life...<p>One thing I tried to find but couldn&#x27;t is stand alone modems, most routers today don&#x27;t come with a modem and you have to use the shitty one given to you by your ISP in bridge mode, I&#x27;m not sure about the risk of compromised bridge mode router to infect down to the router given it&#x27;s &quot;secured&quot; but it&#x27;s still can be a bot in a botnet.

Okay cool but....<p>I&#x27;m still just plugging these supposedly awesome routers into bargain bin, un-updated, garbage quality, broken, insecure, spying cable modems provided by or &quot;compatible with&#x2F;verified for&quot; my internet service.<p>So what if my router is secured? My connection is still beholden to whatever garbage software written in 2008 my damn DOCSIS 3.0 compliant box has, with all the unfixed bugs and performance issues that entails.<p>Are there any cable modem&#x2F;routers that can be customized? Have openWRT or similar installed? Or are otherwise pretty good?

Assume the physical network is insecure. The only exceptions might be secure backplane networks carefully configured and isolated, but these are basically data busses for clustered computing.

I was in the market for a home router a couple of months ago and I was astonished that 200-300 euro is now considered &quot;mid-range&quot; for a wireless router.

My favorite solution is a thin-client class computer with opnSense, and a Ubiquiti Wifi Access Point.<p>I have used a Ubiquiti router, but find opnSense easier to use.

I got an Arris SURFboard SBG7600AC2 a couple of months before the pandemic hit. Don&#x27;t know about the security but the device itself has been rock-solid. Here I am 14 months later without any complaints. Four people are working remotely on it, numerous mobile devices are connected and some are streaming - it&#x27;s never broken a sweat.<p>If anyone knows of a security issue I&#x27;d love to hear about it.

I like the Juniper SRX series, BSD-based and find the configuration syntax (mostly) very logical. But, no WiFi (I use Ubiquiti for that).

I have recently bought a Mikrotik RB4011 for my home. It was a bit pricey, but I love the feeling of control I got when I set it up. The model with built-in WiFi had very poor coverage, so I exchanged with it for a model without wifi as that one can he mounted into a rack, and now I will se my old consumer router in bridge mode as an access point.

the recommended pepwave surf soho has mult-wan support, including wifi and cellular, which is one of the reasons i went with it (along with robust vlan support). i&#x27;ve yet to find a way to bridge&#x2F;route everything i want from my main vlan to my iot vlan while isolating everything else appropriately.<p>unfortunately, mine has intermittent radio timeout issues (or something more obscure that i can&#x27;t diagnose, like frequency-hopping induced congestion), where i have to log into the router and force a rescan of the airwaves for it to reestablish connection to the upstream wan wifi. it&#x27;s also lately having issues with the 2.4Ghz network dropping out (i may eventually dig up my old wrt54-gl with tomato on it to run the 2.4Ghz separately).

I have a NanoPi R2S with OpenWrt for almost one year. It&#x27;s a ARM device so uses very litter power. One of its two gigabits ports is converted from USB3. Works well with 500Mbps downlink. There is a newer mode (R4S) with a PCIe converted gigabits port.

Consumer electronics are pretty much all bad. Usually the software devices are shipped with is poorly designed at best (it needs to look nice to sell, ergonomics don&#x27;t matter) and pathologically user hostile at worst (smartphones and PCs.)

Does the AmpliFi fit into this category? I got an Instant a while back and while it&#x27;s not super tweakable, it&#x27;s been incredibly stable and easy to use.

How exactly would I go about avoiding consumer routers when every provider in my area forces me to get some kind of modem with built in router and wifi?

OpenBSD on a PC Engines APU2 is a good choice for those that would like to enjoy setting up a firewall with PF on low power consuming hardware.

Used to be easier in the DSL days. Hardware was easy to find. Then my ISP switched to VDSL and it became almost impossible to find better routers. Now I have a fiber link and the ISP&#x27;s router is so bad but I don&#x27;t really know if I can just buy a better one and connect the fiber to it. I&#x27;ve been told ISPs have remote access to the router and can update it remotely and deny access if it&#x27;s been tampered with.<p>It&#x27;s probably a wise decision to avoid consumer products in general but it&#x27;s becoming harder every year.

I wish there were cable modems available as PCIe expansion cards with OSS drivers so I could roll all my own home networking gear.

Every critique in this list could be levelled at networking equipment that costs thousands or tens of thousands of dollars.

Curious why nobody mentioned Turris series - they provide consumer routers with OpenWRT, and with upgrades.

Apple, you are missed in this space.

Avoid consumer laptops too

He&#x27;s gonna have to pry my Fritz!Box from my cold dead hands.

What&#x27;s the tl;dr?<p>Buy any router, but replace its software with dd-wrt or openwrt?

I like this little thing: <a href="https:&#x2F;&#x2F;shop.netgate.com&#x2F;products&#x2F;1100-pfsense" rel="nofollow">https:&#x2F;&#x2F;shop.netgate.com&#x2F;products&#x2F;1100-pfsense</a><p>Nice little pfsense box.