After some consideration, I’ve decided to replace my consumer router at home with an OpnSense box I control, and use the consumer router as just an access point. The model I have doesn’t seem to support OpenWrt but the default firmware supports access point mode complete with mesh functionality, otherwise I would have just installed OpenWrt on it. I still like the consumer router’s mesh Wi-Fi capabilities, especially the wireless range extender, but don’t trust it enough to let it be the actual root device separating my home network from the open internet. My reasoning is that by having it behind the OpnSense router, I can monitor and detect if it’s exfiltrating any “analytics” data and block them. Worst case scenario I realize it’s too noisy with the analytics and buy a proper business grade access point, or an M.2 Wi-Fi 6 card with some beefy antennas.

Now I’m trying to decide if I should use one of my old mini PCs or if I should get a brand new one with an up to date processor and microcode. The biggest reason I don’t want the consumer router to be the root device anymore is because I don’t know how well they patch their firmware against attackers constantly scanning the internet for vulnerable devices. I imagine an open source router OS with tons of eyes on it and used by actual professionals would inherently be more secure than whatever proprietary cost cut consumer firmware my current router has. I’ve already picked out a suitable mini PC I’m not using and the reason I even started down this rabbit hole is because I have it, but after thinking more about it, I’m worried that whatever security I gain might be undermined by the underlying hardware being old and outdated, especially since the processor is definitely pre Spectre/Meltdown and I doubt it’s still getting microcode or firmware updates.

Again, the reason I ask is because the internet really wants me to think old disused computers are perfect for converting into routers, and I really don’t want to buy a new computer if I don’t have to. How important is the hardware for a router? Can I expect OpnSense to have sufficient security on pretty much any hardware or will a sufficiently old computer completely defeat the purpose of even switching away from the consumer router?

Alternatively, I also have another mini PC with a Ryzen 5 from 2020, and I can reposition it from its current job to router duty, though it would definitely be overkill and wasting the hardware capabilities. Would that be substantially more secure than an older Intel processor?

I also have a Raspberry Pi 4 I can put OpenWrt on, would that somehow be more secure than an x64 computer?

  • doodoo_wizard@lemmy.ml

    You’re getting bad advice.

    If you don’t expect to actually be shuffling packets back and forth or doing any kind of quality of service or vpn or really anything then the pi will be the better choice just barely because of its super low power consumption at idle. In that situation you would be at idle enough to actually justify using the pi. It would suck in the same way that using a pi for stuff usually sucks but you could justify it maybe.

    If you plan to have a bunch of hosted stuff, a seedbox, qos, manage vpn connections and especially upgrade your lan to 1gb + later on down the line, the mini pc will actually be more efficient per cycle. In that circumstance you’d be at idle less, and the mini pc’s more powerful processor, wider bus and expandability would make it less of a bottleneck presently and down the road.

    Risc CPUs like the arm in the raspberry pi are really good at not doing anything, or doing a really small subset of things (it’s in the name!), but x86 is great at doing some stuff and being able to do a wide variety of stuff with its big instruction set. If you raise an eyebrow at my claim, consider that before gpus were the main way to do math in a data center it was x86. If the people who literally count every fraction of a watt of power consumption as billable time think it’s most efficient it probably is!

    With ~08+ CPUs’ ability to turn cores and functions off at the clock tree and communicate back and forth with the os to orchestrate and coordinate it, there’s not as much daylight between the power usage of a pi and a mini pc as some of these comments might make you think.

    The long and the short of it is that you’ll most likely have a better time using the mini pc than the pi and claims that it’ll bankrupt you with power bills are greatly exaggerated.

    In terms of privacy, I’d go for the mini pc. All your packages are most likely going to be open source, but the x86 stuff gets more scrutiny and isn’t as “magic blobby” as the arm world is.

    Source: I have used over twenty different pi variants including knockoffs, wrote for microcontrollers before they were called sbcs, host a bunch of services on x86 which are monitored for their power usage using a power distribution controller by my lovely wife who keeps an eagle eye on the bills and I literally registered an account because people were telling you the wrong thing on the internet.

    If you wanna verify that for yourself, get a cheap plug em in power meter and try both units running the package you choose under some artificial load like managing qos between a device streaming 4k and one torrenting 50 different Linux isos.

  • NarrativeBear@lemmy.world

    I’ve been running a virtualized pfsense on a PC using Proxmox. It’s been serving me well for the last 2-3 years.

    https://imgur.com/a/zUD0jx2

    The benefit of running it on proxmox is that it gives me the option to virtualize a few more servers on the same hardware.

    And as a few people have pointed out in the comments, it’s not the hardware that’s providing the security per se, it’s the software you are running.

    A PC running OpenWRT vs a modem running OpenWRT are more or less the same.

  • irmadlad@lemmy.world

    I don’t think you have to worry about security with old(er) computers that have been reassigned to be a server. You’re going to most likely be running an up-to-date Linux OS, and as long as you keep everything updated, you shouldn’t have any issues. Couple that with security deployments, and I think you will be good.

    The problem is that very old computers are not as efficient when it comes to electricity to run them. Will it run your power bill up an extra $100+/month? Probably not. I would stay clear of old enterprise equipment because they definitely are power hogs. It really depends on how expensive electricity is in your locale. For me, it’s relatively cheap. I think I saw an increase of about $25 which is probably a nominal amount that most people would spend on a hobby.

    • DFX4509B@lemmy.wtf

      Wouldn’t that efficiency thing largely depend on what silicon you’re using though? Like, for example, if you have an old AM1 board sitting around, those are 25W APUs and shouldn’t use anywhere near that if used as the base for a router.

      Meanwhile if you’re using, say, an AM3+ board and an FX-4300 for your router, the FX-4300 is a 95W part and more likely to cost more to run by contrast to, say, the Athlon 5350’s 25W on AM1.

      • irmadlad@lemmy.world

        Wouldn’t that efficiency thing largely depend on what silicon you’re using though?

        I would think so, but anecdotally, I didn’t see a horrific rise in electrical costs. Most of my equipment is 5 to 10 years old. Some people spend way more on their hobbies so I figured my costs were in-bounds. If you are in a locale where electricity is at a premium, yeah, I’d probably want equipment more modern that has less power consumption. If OP did a little digging around on ebay, they could probably pick up a dual nic, small form factor, fanless for pretty cheap.

    • Pearl@lemmy.ml

      I noticed this watching a solar powered gaming build. Better to run faster hardware slower than slower hardware faster for power conservation. The base minimum will be higher but the increase in requirements will rise slower.

  • CameronDev@programming.dev

    It’s a bad idea from a power consumption POV, your old PC will be very inefficient, and running it 24/7 as a router will rapidly add up.

    Security wise, you’ll be running a fairly up to date Linux or BSD based OS, so it’s perfectly safe.

      • cynar@lemmy.world

        I have a smart home setup. I originally used a Pi. Unfortunately, it started to become unreliable after about 12-18 months. Apparently it’s quite a common issue with long term Pi systems.

        I eventually changed to a small NUC. A bit less power efficient, but it’s been bomb proof for a few years now.

      • CameronDev@programming.dev

        Probably, but raspi only has one interface, and USB network cards can be flaky. You’ll also not get outstandingly fast speeds, so if you’re on a fast fibre connection you’ll struggle to hit the full speed.

  • eleitl@lemmy.zip

    Protectli sells opnsense routers with openboot, or you can roll your own on similar embedded like systems.

  • h3ron@lemmy.zip

    You should be fine. Linux and BSD systems have the ability to load microcode updates at boot even if you don’t update your BIOS.

    I’d be more concerned about the noise and power consumption.

    Also the number and the max speed of your NIC is a factor if you have a fast internet connection. If you run OPNSense make sure your NIC is well supported (I had problems with realtek and paravirtualized cards). Otherwise you can always add more NICs with pcie cards.
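
One way to check the microcode point above on a Linux-based router such as OpenWrt (an added example, not part of any comment in this thread): the kernel reports per-issue mitigation status under /sys/devices/system/cpu/vulnerabilities and says so when a mitigation is held back by missing microcode. The function names and the sample directory contents are constructed for illustration; OPNsense is FreeBSD-based and does not expose this sysfs tree.

```shell
#!/bin/sh
# Added example: summarise the Linux kernel's own report of CPU
# speculative-execution issues and their mitigation state.

# audit_cpu_vulns [DIR]: print "STATUS name: detail" for each entry.
# Exit status: 0 = nothing reported vulnerable, 1 = at least one, 2 = DIR missing.
audit_cpu_vulns() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        detail=$(cat "$f")
        case $detail in
            "Not affected"*) status=OK ;;
            Mitigation*)     status=MITIGATED ;;
            Vulnerable*)     status=VULNERABLE; bad=1 ;;
            *)               status=UNKNOWN ;;
        esac
        # The kernel states it explicitly when a mitigation needs newer microcode.
        case $detail in *"no microcode"*) status="$status+NEEDS-MICROCODE" ;; esac
        printf '%s %s: %s\n' "$status" "${f##*/}" "$detail"
    done
    return "$bad"
}

# make_sample_dir: constructed sample mimicking an older Intel CPU whose
# microcode was never updated. Prints the path of the temporary directory.
make_sample_dir() {
    d=$(mktemp -d)
    echo 'Mitigation: PTI' > "$d/meltdown"
    echo 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization' > "$d/spectre_v1"
    echo 'Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable' > "$d/mds"
    echo 'Not affected' > "$d/tsx_async_abort"
    echo "$d"
}

# Demo: audit the constructed sample, then the live system if it is Linux.
sample=$(make_sample_dir)
audit_cpu_vulns "$sample" || echo "=> sample has unmitigated entries"
rm -rf "$sample"
if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    audit_cpu_vulns || true
fi
```

A NEEDS-MICROCODE entry that persists after the OS has loaded its microcode package at boot means no newer microcode is available for that CPU through that route.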

  • Mikina@programming.dev

    Unless I’m mistaken, this mostly depends on software/os you install.

    A RPI with OpenWRT will be secured in exactly the same way as a router with OpenWRT and a laptop with OpenWRT. (At least I think so, I vaguely remember hearing about some Intel CPU vulnerabilities, but I don’t think there’s anything remote).

    Power draw will be the main problem, along with more limited range because of the strength of the WiFi card.

  • Jayb151@lemmy.world

    I got a friendly elec nanopi r3 that I use as a router. It routes all my Ethernet connected devices, and my consumer mesh network does all WiFi connections.

    It’s basically a raspberry pi, but they do use their own flavor of os, so I just run it using a fresh image on an SD card. Works no problem and power consumption is minimal.