Más Networking

For a long time, the home network has been running on Ubiquiti gear – Unifi APs plus Ubiquiti EdgeRouters. But late last year I started looking at alternatives to the EdgeRouter 4 that was running our home network. The EdgeRouter 4 is a fantastic piece of hardware for all the basics. Outside of the basics though, it either doesn’t have the functionality or it meant adding external hardware – for example, to replicate some (but not all) of the pfBlockerNG functionality, I would need to set up a Pi-Hole server. There are also strange quirks in EdgeOS (based on VyOS): when hardware offloading is turned on for VLANs, all SNMP reporting for VLANs gets merged into the untagged VLAN – making it impossible to see a breakdown of traffic on different VLANs.

I also look at what Ubiquiti is doing and I question if they are really invested in the EdgeMax lineup anymore. Their focus seems to be on the Unifi side of the house, which is clearly shown by the new hardware that they are releasing (like the Unifi Dream Machine and the Unifi Dream Machine Pro).

Also, after a year of releasing the 2.x line of firmware for the EdgeRouter line, it is finally stable enough for Ubiquiti to call it quits on the 1.x line of firmware. But the 2.x line still has issues, like a traffic speed performance degradation of between 5-10% and a packet reordering bug that won’t go away.

Qotom

I originally set up an old Jetway box with IPFire as an alternative to the EdgeRouter 4. But I wanted more functionality and started looking at OPNsense and pfSense. Because the Jetway that I was using for IPFire didn’t quite get the performance I wanted with pfSense or OPNsense, I picked up a Qotom Q330G4 box on Amazon to try out OPNsense. The whole exercise was frustrating, starting with the hardware. The Qotom box had an issue where getting into the BIOS was nearly impossible no matter how fast I hit DEL or F1.

Then, after less than 24 hours of running, the SSD that was in the box died. If you buy a Qotom (or other mini PC), do yourself a favor: buy it barebones and add your own components. I swapped in a spare 2.5" SSD and reinstalled OPNsense, and it ran for a week before I discovered it was dropping connections to different CDNs (Akamai, Google and Edgecast) for some reason. I wanted to reinstall, but I couldn’t get into the BIOS to switch boot devices. I gave up at that point and sent the box back to Amazon.

While OPNsense was running, one of the things I did was set up VLANs (finally) for the home network. Outside of the main network where trusted machines live, there is a VLAN for IoT devices (Google Homes, Google Chromecast, Nest devices, Ring devices, Kasa camera and Roku TVs) and another VLAN for gaming devices. One thing that I needed to get working was Casting, and that wasn’t as bad as I thought it would be with an mDNS reflector.

After sending the Qotom back, I put the EdgeRouter 4 back into rotation and found that on EdgeOS the VLAN setup was much easier than setting it up in OPNsense (and pfSense). I tried to figure out how to do VLANs with IPFire, but their fixed Green, Red, Blue and Orange networks did not work for me.

Protectli Vault 4-Port

I ordered a Protectli Vault - 4 Port box to set up with pfSense. The machine works great. I ordered it barebones and installed 8GB of RAM and a 256GB SSD for storage – overkill by any standards. The box has been routing a 1Gbps AT&T Fiber connection for almost a month now – and it has been doing great and routes traffic without breaking a sweat. The Protectli system has 4 Intel Gigabit i210-AT Ethernet NIC ports and an Intel J3160 quad-core processor with AES-NI support.

pfSense

A lot of what I learned when setting up OPNsense translated straight over to pfSense. The YouTube videos on the channel Lawrence Systems are a gold mine of information about pfSense. I don’t have many packages installed:

  • Avahi for mDNS repeating
  • Status_Traffic_Totals so that I can have a quick view of traffic in the UI
  • The killer feature of pfSense, pfBlockerNG – and to be specific the -devel version as it has a better interface and is stable for production use.

OPNsense has something that gets some of the functionality of pfBlockerNG (Aliases), but it is mainly replicating the functionality and has none of the tooling or monitoring – like the ability to get stats about what is being blocked and by which lists. There are quite a few lists that I have added to pfBlockerNG, and I have been watching and tweaking as it continues to run. So far, there haven’t been any crazy incidents with it. So, I am pretty happy with pfBlockerNG.

Last week, when pfSense 2.4.5-p1 was released, I was a bit apprehensive about installing it. But, the installation went without a hitch using the functionality in the web UI.

Two Weeks of Traffic

With shelter-in-place still a thing, the pfSense router/firewall has been getting lots of traffic because the whole family is at home and using the internet constantly. It has been functioning great, is fast and is blocking 20% of requests to ad servers and trackers. There’s not much more I can ask of a router/firewall – especially from software that is free to use.