OpenWRT is amazing. It's a great distribution that's incredibly well tailored for routers/APs. Not having to deal with whatever the manufacturer slapped together is amazing.
For those that have never tried it, it's also worth it just to understand more deeply how amazing these cheap devices are. For ~100$/€ you get a single board computer, plus a managed switch, plus 1 or 2 wifi cards. The managed switch in particular is very interesting. The computer is just another connection to the managed switch and you can configure it in any way you want. Traffic can go directly from one port to another without going through the CPU.
These capabilities together make a network of OpenWRT devices really flexible. I use it to replace the included router from our Internet/TV/Phone provider. The VLANs are needed to access the different IP networks for the different services. That you could do with a normal network card but then I also use VLANs inside the house wiring to take the IPTV network to the TV box. I then use a separate SSID to carry that VLAN in a point-to-point connection to another OpenWRT AP as a client so I don't have to run wire to that place and so the broadcast traffic doesn't swamp other normal Wifi clients. All this can be done with these very cheap devices that already have all the needed hardware. For all the deserved fame RaspberryPI gets these routers are equally amazing hardware for a lot of things.
This is a pretty significant release - it marks the end of iptables in the main distribution; the OpenWrt-specific translation layer (previously firewall3, now firewall4) for netfilter-related configuration now targets nftables. Also, yet more devices have made the switch from swconfig to DSA for configuring Ethernet switches.
I've been using 22.03 release candidates on all my networking gear (router, switch, access point) for several weeks without problems, and can only recommend giving OpenWrt a chance :)
Such as adblocking (pi-hole like experience without additional gear)
ssh access, printserver, dynamic DNS, VPNs, different routing protocols, vlan support, tunneling protocols, monitoring, home Automation, wireguard, wpa3, OWE (encrypted open wifi), lots of goodies known from other linux distros, etc
I can do over 270Mbps down and 80Mbps up (may be limited by my upload, download is a CPU limitation) on a RBM33G as a client-router.
I'm not 100%, but it may actually be 370Mbps down, but I don't want to advertise that number without being sure. I replaced it with a RPi4 as a router-on-a-stick WG gateway. The RPi4 has no problem keeping up with my 500/100 fiber connection.
The RBM33G has a pretty weak MTK7621a dual core 800MHz MIPS CPU.
I should set up two of them and run some proper benchmarks at some point.
You'd be surprised; I'm pulling 150Mbps on a years-old $40 Edgerouter X (it was on sale when I bought it; it's normally $60) over Wireguard to Mullvad.
You get frequent software updates with meaningful changelogs and detailed lists of bugs/vulnerabilities fixed.
Also, you can be quite sure that there are no software components active that serve the interests of the device's manufacturer more than those of its owner and users.
I have two cheap WiFi Access Points. They worked fine when I got them. After a few weeks one of them stopped working and I had to restart it. A few days later the other one had the same problem. This repeated every few weeks. Once I got tired of restarting the APs every now and then, I looked into it and figured it was a memory leak in the firmware. Then I installed OpenWRT and I didn't touch the APs since. It just works. Pretty amazing if you ask me.
This is a serious pet peeve of mine with other routers. I don't need a heavy frontend just to configure my router, I want to open port forwarding quickly. Fading effects and fake loading swirls are utterly unnecessary. There's none of it in OpenWRT.
Better security in general. The firmware on consumer-grade routers is an afterthought. They are routinely running 10-year-old versions of services which are sometimes exposed to the internet, and all insist on rolling their own shitty web UIs which often include command injection vulnerabilities.
Integrating wireguard routes into your local network and overriding DNS with trusted endpoints. These are common enough needs these days to be considered ordinary.
Default router firmware is often a security nightmare the vendor barely bothers to patch. OpenWrt firmware receives regular security updates. I'd rather my router not become a botnet participant.
Massively decreased chances of run-by attacks exploiting known vulnerabilities in mass produced mainstream routers. Having a "more exotic" setup already avoids a lot of (non-targeted) attack vectors.
Looks like the OpenWrt `/etc/banner` no longer includes a bartender recipe (which I think they had since before alliteration, including for White Russian).
I once included one of the OpenWrt login banners in a "screenshot" for the Racket community, and neglected to explain why alcohol was involved: https://www.neilvandyke.org/racket-openwrt/
Tangential but on the topic of IP routers - recently my EdgeRouter X died. During autopsy, heat deformations were found on its Flash right next to an inductor for input DC-DC circuit.
So, naturally I hopped onto a train and bought a used NEC UNIVERGE IX2105 to replace it with; a compact, fan-less, half A4 sized sheet metal pizza box with blue accent on matte white. Functionally a Cisco ISR 892J or 1941, physically smaller. Current models in its siblings range from ~$750 to $2.5k, however this Model 2105 is no longer officially supported, and is sold cheap on the used market ($30-50). It still has one GbE and one integral 4-port L3 switch, with up to 440Mbps advertised VPN throughput, an Apr/2022 built firmware, and full support for IPv6, OSPF, BGP, etc. (that shamefully I had failed to understand).
I suspect it runs BSD in some shape or form as `show copyright` command shows licensing terms for FreeBSD and BSD library among others, but it won't let me drop into shell, nor does the typical *nix daemon parade on boot. The CLI is basically a Cisco, or like VyOS/Ubiquiti, except there are no obvious telltales of dancing bash contraptions and required facade massaging, unlike with many Linux-based routers. Firmware files for its lineage are also extremely small by modern standards (~8MB), RAM sizes are small too (16~128MB).
It does its things, and does well. A downside is it's proprietary. I used to run OpenWRT in 11b/g days but I suspect that was before it incorporated a unified config file. I was obviously on VyOS/EdgeOS until last week, and while it had served me good, it did trip over stones once in 2-3 years. I've also heard RouterOS is great but stable as Stable build bricking itself. I've used OpenWRT but that was before iPhone and perhaps before it even had a unified CLI configuration. Is OpenWRT better in stability/footprint/simplicity these days?
I run Openwrt on an Edgerouter-X nowadays and it's rock solid. Has same/better routing perf + stability as the original ubnt firmware, but with native wireguard, full package management, a much better UI, much better configuration and backup system and no phone home stuff.
Just did the upgrade today and it was flawless. Which is much better than I can say for the stock firmware upgrade process!
It's incredible that the openwrt team can produce such a better product in pretty much every way than the original manufacturer can.
That's a known issue on Edgerouter X and Edgerouter Lite. I use an Edgerouter Lite and am on my third flash drive. The flash drives are just cheap USB drives, in contrast to X where they're soldered on. An industrial grade USB drive would cost almost the same as the device itself. I bought a 2 GB one but it refuses to install EdgeOS on less than 4 GB. However the device itself works well, and has three ethernet. As switch I use an EdgeSwitch 16 port, which provides PoE for the Unifi WLAN AP (UAP Pro or whatever). It all runs Linux, and I got root on the devices. Wouldn't want it any other way. Except perhaps a Turris Mox modular router or running the firewall/router on the same server as my NAS (as VM in Proxmox). But it allows less flexibility IMO. Then I would use OPNsense, Turris runs on OpenWrt. I don't want to use a proprietary OS like RouterOS or an out of date OS which is no longer supported.
It is worth noting that this release currently breaks the banIP package [1], which relies on the old fw3. So for those relying on it, it might be worth waiting for a short while.
I do love OpenWrt but the upgrade experience is still a pain because user-installed packages need to be reinstalled manually. More so if your WAN connection relies on these packages (USB modems), then you have to either pre-download them or build a custom image.
It does exactly as much as using `sysupgrade` with any other suitable image will or would do :) So yes, limitations apply - but for most users with a bunch of custom installed packages, this is enough of a game changer regardless.
> I do love OpenWrt but the upgrade experience is still a pain because user-installed packages need to be reinstalled manually.
Just use image-builder. Or better, create a script which uses image-builder for you.
For me, upgrading to newer releases for my 7 OpenWRT devices is mostly just updating a version number and waiting for the build to complete (a few minutes, tops).
It's not really hard.
I may have gone in a bit over-the-top, with makefile and dependencies at all[1], but at the core of things, it's not really hard.
You could also make the OpenWRT router connect through your phone’s hotspot feature temporarily, while you set up your primary connection. Three clicks in the GUI is all that’s needed to join a wireless network for WAN connectivity.
One question I have is: I would like my wifi router to be 100% "invisible", as in: I want the router to behave exactly as if it was an ethernet switch, where devices connected to the router via wifi would behave exactly as if they were connected to an ethernet switch.
In other words configure my router such that the only difference between it and a switch is the fact that connected devices are not connected via an ethernet cable but via a wifi connection.
I specifically don't want any kind of NAT, firewalling, filtering or any other kind of "smart" features. Just a dumb switch that uses wifi instead of ethernet physical connections.
Yes. If you’ve bought a consumer router, and not an “access point”, it will likely have an Ethernet port labeled WAN. Due to this label, the OpenWRT profile for this model will most likely also set up this port as a WAN port for you by default (where it requests DHCP from somewhere and applies NAT and some basic firewall rules). Just delete this interface, and make the LAN network also span the WAN port. Then disable DHCP and IPv6 RA on the LAN interface. Your router is now a dumb “access point”.
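The three steps described above (delete the WAN interface, bridge the WAN port into the LAN, turn off DHCP and IPv6 RA), as an added example that is not part of the original comment: a Python check run over the text of `/etc/config/network` and `/etc/config/dhcp`. The sample configs are constructed, and the section names `wan`/`wan6`/`lan` and the DSA port name `wan` are assumptions that vary by device.

```python
import shlex

def parse_uci(text):
    """Parse UCI config text into a list of {'type', 'name', 'opts'} sections."""
    sections = []
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)  # handles quotes and '#' comments
        if len(tok) >= 2 and tok[0] == "config":
            name = tok[2] if len(tok) > 2 else None
            sections.append({"type": tok[1], "name": name, "opts": {}})
        elif len(tok) >= 3 and sections and tok[0] == "option":
            sections[-1]["opts"][tok[1]] = tok[2]
        elif len(tok) >= 3 and sections and tok[0] == "list":
            sections[-1]["opts"].setdefault(tok[1], []).append(tok[2])
    return sections

def audit_dumb_ap(network_text, dhcp_text, wan_port="wan", lan="lan"):
    """Return a list of findings; an empty list means all three steps are done.
    wan_port and lan are assumed names (device-specific)."""
    net, dhcp = parse_uci(network_text), parse_uci(dhcp_text)
    findings = []
    # Step 1: the WAN interface (DHCP client, NAT side) must be gone.
    for s in net:
        if s["type"] == "interface" and s["name"] in ("wan", "wan6"):
            findings.append(f"network: interface '{s['name']}' still exists")
    # Step 2: the LAN bridge must also span the physical WAN port.
    lan_if = next((s for s in net
                   if s["type"] == "interface" and s["name"] == lan), None)
    lan_dev = lan_if["opts"].get("device") if lan_if else None
    bridge = next((s for s in net
                   if s["type"] == "device" and s["opts"].get("name") == lan_dev), None)
    ports = bridge["opts"].get("ports", []) if bridge else []
    if wan_port not in ports:
        findings.append(f"network: port '{wan_port}' is not in the {lan} bridge")
    # Step 3: nothing may hand out addresses or router advertisements on LAN.
    pool = next((s for s in dhcp
                 if s["type"] == "dhcp" and s["opts"].get("interface") == lan), None)
    if pool:
        if pool["opts"].get("ignore") != "1":
            findings.append(f"dhcp: DHCP server still enabled on {lan}")
        for key in ("ra", "dhcpv6"):
            if pool["opts"].get(key, "disabled") != "disabled":
                findings.append(f"dhcp: '{key}' still active on {lan}")
    return findings

# Constructed sample: a typical router layout before the change.
STOCK_NETWORK = """
config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.1.1'
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
config interface 'wan'
    option device 'wan'
    option proto 'dhcp'
config interface 'wan6'
    option device 'wan'
    option proto 'dhcpv6'
"""
STOCK_DHCP = """
config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option ra 'server'
    option dhcpv6 'server'
"""
# Constructed sample: the same device after the three steps.
DUMB_NETWORK = """
config interface 'lan'
    option device 'br-lan'
    option proto 'dhcp'
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'wan'
"""
DUMB_DHCP = """
config dhcp 'lan'
    option interface 'lan'
    option ignore '1'
    option ra 'disabled'
    option dhcpv6 'disabled'
"""

if __name__ == "__main__":
    for label, n, d in (("stock", STOCK_NETWORK, STOCK_DHCP),
                        ("dumb AP", DUMB_NETWORK, DUMB_DHCP)):
        print(label, audit_dumb_ap(n, d) or "OK")
```

A DHCP server or RA source left running on a bridged access point competes with the main router, which is why the check treats either as a finding.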
I think you're looking for a secondary router set as a "Wireless Access Point" or "Dumb Access Point".
I have the same issue, I have 2 wifi routers, with 2 subnets, and it's a pain for some devices, if I'm connected to wifi on subnet A with my phone, I can't cast Youtube to the TV if the TV is on subnet B, I have to switch networks.
https://openwrt.org/docs/guide-user/network/wifi/dumbap
They are connected, and default gw is set so you can have internet without problem, but maybe I'm just missing additional routes to specific devices, didn't spend much time looking into it since I usually am connected to the right network when close to my TV.
Either way, it's a use case for dumb access points so I should set this up.
- nice simple GUI for your typical stuff
- advanced GUI (that runs in parallel) for advanced stuff
- auto-updates with timely patches
- open source (inc. their additions) -- based on openwrt
- developed by a reputable non-profit that's been around since the 90s (CZ.NIC)
Cons:
- a little pricey
- current model is a few years old, so it's not the fastest option out there
- the current model doesn't support 802.11ax
To turn off the firewall, you just uncheck a box. I think all the other advanced stuff was opt-in.
"Router" is a bit of a misnomer, because most products are package deals with routing features and access point features built into a single unit, but there is no recognized word for a "Happy Meal" and the equivalent to "hamburger" is used. The word for "fries" is access point.
Thank you! I love openwrt and have been using it as a workrouter for years now with vpn integrations, wifi repeater function and some routing magic, I was able to create the perfect business network for my needs.
Thank you OpenWRT. Wifi 6 support is gonna be awesome!
With 80MHz channels configured (160MHz are possible, but I do not need/want that) on the 5GHz band, I can get about 480Mbps TCP bandwidth over the air using iperf3. Client is a laptop with Intel Wireless 8260 running GNU/Linux.
Reports on the OpenWrt forums I've seen range up to ~800Mbps.
I use one on my full-duplex gigabit connection and it generally sits in the 800-900 Mbps range. This will vary depending on things like if you decide to enable smart queue management (SQM) or other features.
More important to me, how stable is it? My WRT3200ACM has good peak bandwidth, but it can't deal with interference of other routers and needs to be rebooted frequently.
The WRTx series has a broken driver that got nixed after NXP bought out Marvell
My WRT32x will randomly have its 5GHz AP just seize up once every week or two and require a reboot. I'm slowly working up the willpower to replace the thing
Yeah, I have found x86 openwrt wired router + AP (currently, Ruckus R710), to be a good combination. Don't mind getting an openwrt AP if it beats Ruckus, but I find that to be a high bar.
OpenWRT is amazing, it's a regular Linux on consumer-level routing hardware. It kinda feels a bit like a BSD in some design decisions.
A pain point in upgrading the OS is that packages that were previously installed need to be reinstalled. In my case, this includes `dnsmasq-full`, which is dnsmasq with DNSSEC support and a few other features that are enabled in the regular `dnsmasq` package that comes by default. So after an update, there's not even DNS/DHCP in my local network. I need to configure static IPs, SSH into the device, and start reconfiguring it.
I keep very tidy notes on how to reconfigure from scratch, so it's not a big deal, but I really shouldn't need to do this on every OS update. Having to do this leads me to just sticking to a very close-to-default configuration, because any customisation will result in more issues upgrading next time.
It's improving though, this upgrade was smoother. Or maybe I just keep better notes?
> A pain point in upgrading the OS is that packages that were previously installed need to be reinstalled.
Which when you start having lots of OpenWRT based devices kinda gets a pain. And we hackers we solve pains, don't we? ;)
So when a new OpenWRT release hits the market, I usually just have to update the OpenWRT release-number at the top of my makefile, and Github builds all the images for all my devices, with all the packages and customizations I already have in place.
On the firmware download page, there’s a link you can expand to “customize image”. You can add more packages there and get a single image with everything included. You’ll still want to backup your config beforehand, as sometimes new releases need more space so the config partition is wiped out. But that’s still much easier to restore afterwards.
Or you might also use the “attended sysupgrade” process which takes care of the firmware update directly from the device.
I hoped this would fix the squashfs corruption[1][2][3] on the mt7621, but it doesn't seem so. It looks like I'll have to keep playing Russian roulette on every boot for another two years, at least.
Unfortunately the issues are not with just the reboot: as files are (re)read from the flash storage the kernel pages become corrupted and files unreadable.
Eventually the programs start crashing as config, shared libraries, etc. are being pulled from under their feet.
If you got cash to burn, Protectli devices are nice. Random Chinese Celeron boxes with 2.5g PHYs will do the job just as well, just without Coreboot. APs should always be separate, imho.
Really enjoy OpenWrt. One complaint/suggestion is they really need official Ansible support or some better way at automating deployments. I was able to create something myself for the time being but having official support would make things so much better.
Setting up a router involves more than starting or stopping services, and again I am looking for something officially supported. I was able to use the UBUS API to do this but unfortunately the unofficial modules or roles appeared to use more convoluted methods.
No you don't and even if you did the amount of RAM is not really an issue for more modern devices, but I agree Python isn't ideal. However, OpenWrt already has a capable API but no one has built the integration yet.
OpenWISP is for creating configuration packages and they still have to be deployed somehow, also it was lacking last time I checked. It also is not a single lightweight package but recommended to be deployed as a separate server. Hardly the same if you ask me. What I have now uses SSH and the UBUS API and I don't need to setup an entirely separate server or infrastructure to configure a single network device.
Much wider hardware support with OpenWRT. If the hardware is accessible and supports Linux, there is an OpenWRT target for it.
There’s even a x86 and a raspberry target.
If you’re happy with DD-WRT, no pressing need to change it.
But if you want more features or specific packages, OpenWRT is the thing to look at.
openwrt is the more serious/upstream friendly distribution that is maintained and updated like traditional linux distributions. DD-WRT may support some abandonware like broadcom wifi devices.
I've been using FreshTomato, which I got pre-installed from a seller on ebay, but IIRC DD-WRT has better support for some Broadcom chips because they allow binary blobs which have better hardware support.
glinet ship their own builds of a forked openwrt (most based on 19.x) containing proprietary patches and binaries. I got a handful of their most recent devices as of last year and all of those are officially still stuck on an ancient 19.x with several security issues that are fixed in upstream but don't make it down.
Got the GL-MT1300 working with a self-built open-source OpenWrt 21.something pretty straightforward but the E750 has been nothing but trouble, weird bugs and unreliability as soon as I try anything except light tweaks of the out-of-box experience. The last thing on the E750 is that my self-built firmware will initially work fine but at some point (and all subsequent boots after), there is no way to get network access either via wired or wifi, despite the OLED indicating everything's as it should. It's in the drawer waiting for me to figure out how to get serial working to debug it as a full factory reset is the only way to recover otherwise and I replicated the issue a few times already.
This is all after several hours of trying to dig apart their convoluted github org to figure out how the builds are made and where the code comes from in the first place.
I'd be really surprised if there will ever be anything 22.03-compatible for any of their current devices given all the iptables voodoo in their custom scripts...
Given the combination of poorly maintained official images, inconsistent compatibility with open source upstream, and no way to reproduce their builds, I'd say these can be fun little toys if your use-case perfectly matches the out-of-box provided features but sadly enough you should seriously consider and test each model individually before relying on it for production use even just personally. At least until public progress is made on some of that.
They list[1] which device supports an official OpenWRT, but the E750 you mention is in this list for version ">21.02" without any remarks. So this list is not accurate?
IME yes, inaccurate. I have previously compiled OpenWRT for a wide range of devices from manufacturers with no official support and spotty community coverage so it's not like I'm not used to things like this. There's some talk about the issues with the E750 drivers/firmware on the openwrt forums or mailing list IIRC.
This should give an idea of how much attention they pay to security updates and the response one can expect when opening issues or PRs on their repos:
I had the same experience with a AR-750s. The GL-iNet OpenWRT image with its fancy web UI had a lot of small bugs and required some reboot from time to time to be working properly.
I completely resolved the issue by flashing the mainline OpenWRT image from openwrt.org. It has been working pretty well ever since.
> glinet ship their own builds of a forked openwrt
Imma let you finish, but you've always been able to install vanilla OpenWrt on GL.iNet devices. I've been doing this for years across most models. Actually there are only a couple of recent GL.iNet routers that I don't own.
Have you been able to produce a working 21.02 image (or 19.x with critical security patches, for that matter) for the E750? I'd seriously love to pool resources on this.
My rant above comes from multiple days of struggling to get a working build that doesn't have stability issues not present in the official image.
Like I mentioned, I don't recall any surprises with the MT1300 that couldn't be worked around.
I don't own one of them so I haven't looked into it sorry. However there is usually an owrt forum thread for a device or a platform which goes into details. If you haven't asked on there, I encourage you to. They're usually pretty friendly and helpful, especially to people who try themselves and ask good detailed questions.
I know you're probably trying to be helpful (and still might be helpful for others) but if it wasn't obvious from my original thread I've already read every single comment mentioning this device several times.
That community repo is a fork of the GL.iNet build infrastructure repo, just with less definitions that allow compilation to succeed.
My understanding is that infrastructure fetches the official owrt sources and applies the patches listed in the yaml files, but I didn't audit the entire build system in 15 minutes :P
Thanks for the info. I've had one old GL.Inet router sitting around, occasionally using it as a backup / test AP. Never realized their OpenWRT isn't stock...
Is there an alternative HW you'd recommend for OpenWRT?
I'd give it a shot with vanilla OpenWRT first. As noted, it's very device-specific how open, supported, and accessible they are. Maybe you're lucky.
Other than that I'm yet to find anything that beats taking a generic x86 or aarch64 that happens to have a miniPCIe slot, put in appropriate wireless modules and treat it more like you would a normal linux installation. Separating AP/router duties between two separate devices will help a lot to simplify things whichever route you go (makes little sense for the "pocket travel router/ap" scenario obv).
OpenWRT has some great extensions and luci modules, some of which integrate very well. If you don't need them and want to do anything more than a standard home network setup, I'd consider if the trouble with OpenWRT is even worth it and set things up from a base debian/rocky/freebsd/openbsd/whatever base instead. Things that can be super time-consuming to get right in OpenWRT can actually be surprisingly straightforward once you remove their abstractions. Especially with nftables, if you're on Linux.
To handle bufferbloat (too large buffers without queue management causing long latencies) pick a router based on ath9k, ath10k, or mt76 wifi chips. Those are not the most common ones, and might take a slight amount of effort to match what's available in your local gear store, the above chips, and the openwrt table of supported hardware at https://openwrt.org/toh/views/toh_extended_all
(Personally I have an ath10k based ZyXEL NBG6817 (product name is "Armor Z2") which I'm happy with. But it was a few years ago I bought it, don't know if it's still on the market. Also still running the previous openwrt 21.02, haven't yet upgraded.)
if you want to solder and be on the cutting edge - mt7622 is really fast (based on arm-cortex so it's magnitudes faster than other wifi routers - wireguard is also a lot faster, reaching gigabit speeds) - xiaomi ax3200 for example is near sub <50$ https://openwrt.org/toh/xiaomi/ax3200 - how to flash via serial console: https://github.com/mikeeq/xiaomi_ax3200_openwrt
one caveat at the moment: 802.11ax is? was unstable.
I got two for 48€ each, Euro now is cheaper than dollar so it's sub 50$ for sure.
Flashed and using it, it's a great/cheap router for home. Really speedy, using it with Wireguard on the entire network, perfect really
Since you specify US$, I'm assuming you are based in the US. Walmart had special offers of the at the moment probably best-suited OpenWrt device there is only a few days ago, where they sold the Belkin RT3200/Linksys E8450 for 60US$. If you can get that, it's definitely worth the 10US$ premium. Check https://forum.openwrt.org/t/belkin-rt3200-currently-60-at-wa... for pointers.
I did not know that one can flash openwrt on top of mikrotik. I have nothing against mikrotik, just not a big fan of learning yet another command line interface for doing same stuff I do for living on linux - manage firewalls and stuff.
Besides their very dubious product strategy which consists of shipping the org chart, which with the apparently high turnover results in multiple competing but basically abandoned product lines..
There's the security issues. If their AWS infra for their cloud services is that shit (as was revealed by a hack by an internal person), I doubt security is taken seriously in the org in general. Not to mention them suing security reporters.
Unlike their sometimes dubious hardware QA, it doesn't impact you that much if you plan on flashing your own firmware on their hardware, but still, those are kind of turnoffs. Hardware quality seems to vary somewhat, but is mostly decent.
but they're determined to run their company into a wall chasing people who want dumb guis instead of their basically abandoned uniquely awesome edgerouter series that isn't really matched in terms of consumer performance.
What does it matter what they do with their OS ? That's their OS to ruin. Making a crap OS is the rite of passage for every hardware vendor. The whole reason for running openwrt is to replace the vendor's OS. As long as they don't lock bootloaders, hardware is judged based on upstream support, and ER-X is perfectly fine.
For that budget, the wifi is likely going to be subpar. Get a wired router and manage your AP separately. Ubiquiti ER-X and ER-X SFP are decent wired routers in the sub $50 bracket, covid price gouging notwithstanding.
So today I installed openwrt on my Asus AC-3100, configured it to behave as a "dumb access point" and finally managed to get wireguard to run.
It does work well, but it wasn't straightforward to configure all of these things properly through the UI.
In particular, I had to figure out the hard way that one needs to add `option route_allowed_ips '1'` to the wireguard config in file `/etc/config/network` (this option doesn't seem accessible via the UI).
There also seems to be a couple of very wonky things around static route management and also the 5GHz radio band that stubbornly refuses to move where I want it to be, but otherwise it works really well.
I'm going to play with it for a month and drop dd-wrt altogether if I don't encounter major problems.
Are there any suitable alternatives for OpenWRT? My Huawei 4g router that I use over sim connection does not support OpenWRT or Tomato unfortunately...
Easy, get yourself a OpenWRT router, Xiaomi AX3200 is perfect, you need to flash it but there are many howtos.
Then, use Huawei as Modem, connected to LAN port.
If the Huawei has Bridge, great, if not, Double NAT but you get to control everything on OpenWRT.