I am going to intentionally exclude Unifi and Mikrotik along with the vendors like Cisco, Juniper, Aruba etc from this discussion as I don’t think they are relevant (especially since you can’t run them on your hardware).

  1. OPNsense: Considered the superior alternative to PFSense. Great firewall, routing capabilities, IDS and certificate authority, advanced features, can be a DNS server etc. Best option all around for x86, but BSD based - take note of available drivers. Don’t even think about running random WiFi antennas unless you confirm good support for them (use a distinct WAP).
  2. OpenWRT: built for consumer router + switch + WAP boxes on embedded hardware. Great OS and uses very little resources with many features, but doesn’t compete in features with OPNsense if you have x86.
  3. VyOS: Debian based router + firewall. Linux makes it easier for people to pick up the CLI but I’ve heard complaints about it being difficult to follow. Currently CLI only, at least without third-party solutions, but is powerful and competes directly with OPNsense for features for the most part. Edit: I made a mistake - LTS versions also have their source available for free, you’d just need to compile it with the instructions on their website. Seems to be stable.
  4. Debian + FRRouting + nftables + heavy SELinux for the paranoid/analogous alternatives on OpenBSD (the latter is considered more secure but YMMV, configuration plays a big part here).
  5. Freemium: Sophos free version for home use.

Which one of these do you run, and why? What have been your issues with one or the other, and what have you settled on? Any niche customisations that you might have made? I’m very interested to know!

Cheers


Edit: it would seem that OPNsense is a big winner in this space for stability. OpenWRT comes next because of its very light nature and ability to run on consumer routers.

  • h3ndrik@feddit.de · 9 months ago (edited)

    Ah. Thanks for explaining :-)

    Yeah, the …keeping the mess somewhere else and not doing it on the important firewall… makes sense.

    I also like to keep it clean so everything is a bit more modular and better to maintain. (I made the mistake of introducing circular dependencies and overly complicated setups often enough.)

    I think the double-NAT is a bad idea. Such things just cause pain and break in unexpected ways. I’d rather focus on getting the firewall right. And the NAT doesn’t add anything here. A firewall is the correct tool to filter packets between two network segments. A NAT is a crude thing that happens to drop incoming connections from the other side. But you could as well instruct your firewall to drop those packets. It’d be the same result just without the added pain.

    And I have some IoT devices as well. Half of them use Zigbee, the other half is connected to my main wifi, I never got around to separate them. But they’re all running open source software and talking to my Home Assistant via MQTT or Esphome. (I don’t own any smart dishwashers or coffee machines.)

    I don’t have too much info on Intel ME. I suppose it doesn’t do stupid things, or someone would have found out already. And it’s really difficult to protect from. Especially in a setup that isn’t completely locked down. I hope they someday learn and replace that with an open solution.
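The point made above about NAT versus a firewall between two segments can be shown concretely. The following nftables ruleset is an added example, not something posted in this thread, and not the configuration of any commenter or of the Debian/FRRouting stack from the list above. It assumes a Debian router with three interfaces, `lan0`, `iot0` and `wan0`; those interface names are assumptions. Unsolicited connections from the IoT segment into the LAN are dropped by the forward chain's policy, LAN-initiated connections and their replies pass via connection tracking, and address translation is left to the WAN-facing nat table only, so no second NAT layer is needed to get the "drop incoming from the other side" behaviour.

```nftables
# Added example (not from the thread): stateful filtering between a LAN and an
# IoT segment on a Debian router, replacing what double NAT is sometimes used for.
# Interface names lan0 / iot0 / wan0 are assumptions for this example.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # Replies to connections the router itself opened (DNS, updates, ...).
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept

        # Management only from the LAN side; IoT devices only get DNS/DHCP here.
        iifname "lan0" tcp dport 22 accept
        iifname "iot0" udp dport { 53, 67 } accept

        # Keep ICMP working (path MTU discovery, neighbour discovery on v6).
        meta l4proto { icmp, icmpv6 } accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to already-allowed connections, in either direction.
        ct state established,related accept
        ct state invalid drop

        # LAN may open connections into the IoT segment and out to the WAN.
        iifname "lan0" oifname { "iot0", "wan0" } accept

        # IoT devices may reach the Internet. There is deliberately no rule for
        # iot0 -> lan0, so the chain policy drops those unsolicited packets.
        iifname "iot0" oifname "wan0" accept

        # Log what the policy drops, rate limited, so it can feed monitoring.
        limit rate 5/minute log prefix "fwd-drop: "
    }
}

# Address translation is a separate concern and only happens towards the WAN.
table inet nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

Load it with `nft -f` after checking it with `nft -c -f`, and confirm the behaviour with `nft list ruleset` plus a connection attempt from an IoT device to a LAN host, which should appear with the `fwd-drop:` prefix in the kernel log. The filtering lives entirely in the `forward` chain's drop policy plus conntrack state, which is the same result the commenter describes a second NAT providing, without a second translation layer to forward ports through.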

    • MigratingtoLemmy@lemmy.world (OP) · 9 months ago

      You’re right, I should have thought a bit more before I answered. Thinking about it, double NAT doesn’t achieve anything. With that said, the main way in which this is a problem is if one were to forward ports, in which case they’d need to forward ports from both firewalls.

      Yes, I will be dealing with firewalls on both appliances.

      I too will be investing more into Zigbee in the future, but having a central controller with MQTT can help. I haven’t decided if I want to go completely without WiFi. There’s certainly security considerations to going to Zigbee. Like you, I do not plan to utilise many proprietary IoT solutions and buy into the massive appliances being controlled with outdated software. I’ll stick to dumb appliances as much as I can.

      I don’t think it’s particularly malicious either, but the problem I have is that it is essentially at ring 0. As such, my OS can’t do anything about it, which means I’m going to have to find alternatives to deal with it. I would have loved to have every device have a FOSS bootloader but I suppose that’s a long way away.

      Thanks for your comment.

      • h3ndrik@feddit.de · 9 months ago (edited)

        > Zigbee

        Sure. I think Zigbee/Matter are proprietary standards. And you don’t have too much control over how it is implemented in the individual devices and any possible security vulnerabilities. It is a separate network though and easy to use. I bought a small Gateway to connect it to Home Assistant after the USB stick I was initially using showed some compatibility issues.

        What I really like are those cheap Chinese devices that have ESP8266 or ESP32 microcontrollers in them. I can flash Tasmota or Esphome on them, take control and have them run free software. No manufacturer’s cloud needed and updates indefinitely.

        Yeah, and we recently talked about smart/dumb appliances. In this household there are lots of older appliances anyways. And we moved a few years ago so they’re just old enough that none of them have wifi. I think that has changed since. Nowadays it’s not an extra 150€ for wifi anymore, but part of most appliances. And you get an App along with your new dishwasher per default. I like “smart” with lighting. And having the washing machine turn on 2h before I get home is a huge convenience. Apart from that, I’d like the heating unit to be smart, but it isn’t. I think we could save some energy if the gas heating stopped after everyone left. There is no steady weekly schedule I could program into the central unit, so it’s just some radiators I can turn down. Apart from that, I don’t think I have a good use-case for a smart dishwasher, fridge or a bugging device that can play music.

        > [Intel ME] it is essentially at ring 0

        I don’t like it either. It’s just a very stupid design choice to have some uncontrollable extra chips run god knows what with highest privileges. And in the past people already discovered several security vulnerabilities. And there is no alternative to it. I think AMD does the same. And coreboot is a bit niche. I’d have to put quite some effort in and make some trade-offs. And it doesn’t have to be this way. I don’t think the embedded controller firmware is a super valuable trade-secret anyways. They probably keep it a secret and locked down for shady reasons or because they don’t want people to see the amount of vulnerabilities in it. I don’t think it would do Intel or AMD any harm to just open up that part of the system.

        • MigratingtoLemmy@lemmy.world (OP) · 9 months ago (edited)

          I don’t think Zigbee is proprietary, but I might have missed something. Like you, I also really like the ESP controllers that I can get and run my own code/mature projects on them (this is for both Zigbee and WiFi versions).

          If you can replace your thermostat, that would make your heating reasonably smart. With that said, I’m now used to manually turning it down when I leave.

          • h3ndrik@feddit.de · 9 months ago

            You’re right. Both standards are open. I got confused by the German Wikipedia article about Matter which is very misleading.

            I have 2 thermostats but that’s not enough for the rooms. And I’m not entirely happy with them. Maybe I need to find a good model and buy some more.