I’ve had no end of trouble with routers and ones you should choose to be sure of.
The ones where you can flash OpenWRT seems the only choice if you want some semblance of security. But even my current Xiaomi router with stock firmware creates hash mismatches using apt to download things, and I don’t 100% know with confidence that using OpenWRT on it instead is keeping me right.
As opposed to, TP-Link, Cisco(Linksys) and other off the shelf routers it seems some will only go for brands with their own proprietary firmware?
I grabbed that Xiaomi router on the premise it has OpenWRT, but I’d like to see Ubi / Unifi routers put under the same scrutiny instead of just lumping a brand name as a no-go.
Mine was a half-joke, but it’s not the first time chinese hardware was caught sending data around. Now I can’t recommend anything specific since the last time I bought a router was ages ago, and even though having one running OpenWRT is good I’d avoid it to be on the safer side.
Mikrotik is great for features, but their UI definitely feels ancient and you will sometimes question why something takes this many steps.
However, I’ve never had an plan I couldn’t replicate with their routers.
Mikrotik is pretty decent but their configuration method drives me up a wall. Ansible helps mitigate the annoyance, at least (in that I only have to figure out/remember the arcane incantation for configuring VLANs once, and then subsequently just have the machine do it).
They are frequently targeted because they offer enterprise grade configurations at consumer prices.
Which means, there’s a lot that can be misconfigured, and a lot of short staffed and under budgeted IT departments that deploy them, which means they are a good payoff when exploited.
That’s the bad part, and the good part.
You really cannot beat their price point to value for professional grade networking equipment. Just take the time to understand what you’re doing when doing your configurations, and keep them updated.
Very little is changing over time… I have a proliant salvage server running proxmox with some hosts and the router only port forwards to an NGINX proxy manager instance for the web interfaces on those hosts. I run a synology NAS separate from the proliant hardware that runs through the proxy.
I know I don’t understand it all, and i’m open to suggestions.
Yes, I attribute security significant misconfigurations to a lag between new service deployments and a relevant review by network security (in a business environment. At home it’s just me.)
So I’m running Milestone VMS, Synology NAS and maybe in a day a minecraft server for the kids, which should all be available outside my home. I’m using the mikrotik HexPOE which is my main router/firewall.
Fairly popular in my neck of the woods and rock solid.
I literally had a bad sparky put 230V through one of them. It killed the RJ45, it killed two client hosts on the same bridge, it killed the port, but the Switch itself continued to work.
(Still replaced it, though)
The only thing I find them really bad and ironically replaced them with TP-Link (Omada )is Wifi.
(and the fact that they let the promising “The Dude” die).
Security wise they seem to do their homework so far.
Fun fact I made my sales team standardize on Omada for all network hardware we are providing (highrise security systems, so SDN is usually out of scope) I was considering replacing my ubiquiti AC Pro soon, but I didn’t settle on a new model of access point yet. What are the mikrotik wifi APs bad at? if it’s meshing I will only have one.
I didn’t look at The Dude before, but it doesn’t seem depreciated?
Their solution to central management (Capsman) is a burning mess, when WiFi6 came out for a long time(I think 2 years) you were unable to keep older and newer APs on the same controller, so you needed two Capsman instances.
Roaming between them is very unreliable and generally their hardware is underwhelming in terms of antenna quality, etc.
For one AP it is not as bad, but still annoying, if you want to centrally manage more APs it is a nightmare.
I replaced my MK APs with Omada with the software controller on a LXC and couldn’t be happier - they play along nicely with my MT infrastructure and are way more reliable.
Years ago, another trade worker on a construction site was using their wifi stuff, and mentioned using it at home. I went and picked up the hexPOE router and i’m pretty happy with it, but all i’m doing is port forwarding and I set up a rule to capture all DNS requests and shunt them into my pihole.
No doubt, and I would really love someone with more knowledge than me to poke into why that was going on (*edit: for clarity, this behaviour stopped after installing OpenWRT and is the stock Mi firmware that causes this)
I’ve had no end of trouble with routers and ones you should choose to be sure of.
The ones where you can flash OpenWRT seems the only choice if you want some semblance of security. But even my current Xiaomi router with stock firmware creates hash mismatches using
aptto download things, and I don’t 100% know with confidence that using OpenWRT on it instead is keeping me right.Ah I see the problem right there…
As opposed to, TP-Link, Cisco(Linksys) and other off the shelf routers it seems some will only go for brands with their own proprietary firmware?
I grabbed that Xiaomi router on the premise it has OpenWRT, but I’d like to see Ubi / Unifi routers put under the same scrutiny instead of just lumping a brand name as a no-go.
What’s your recommendation?
Mine was a half-joke, but it’s not the first time chinese hardware was caught sending data around. Now I can’t recommend anything specific since the last time I bought a router was ages ago, and even though having one running OpenWRT is good I’d avoid it to be on the safer side.
Any opinion on Mikrotik?
Mikrotik is great for features, but their UI definitely feels ancient and you will sometimes question why something takes this many steps.
However, I’ve never had an plan I couldn’t replicate with their routers.
Mikrotik is pretty decent but their configuration method drives me up a wall. Ansible helps mitigate the annoyance, at least (in that I only have to figure out/remember the arcane incantation for configuring VLANs once, and then subsequently just have the machine do it).
They are frequently targeted because they offer enterprise grade configurations at consumer prices.
Which means, there’s a lot that can be misconfigured, and a lot of short staffed and under budgeted IT departments that deploy them, which means they are a good payoff when exploited.
That’s the bad part, and the good part.
You really cannot beat their price point to value for professional grade networking equipment. Just take the time to understand what you’re doing when doing your configurations, and keep them updated.
Very little is changing over time… I have a proliant salvage server running proxmox with some hosts and the router only port forwards to an NGINX proxy manager instance for the web interfaces on those hosts. I run a synology NAS separate from the proliant hardware that runs through the proxy.
I know I don’t understand it all, and i’m open to suggestions.
Did you mean to send that reply to me?
I ask because I’m not quite sure what specific suggestions you’re looking for.
But in general, I would suggest not exposing port forwarding.
What services are running behind NGINX? What router/firewall are you using?
Yes, I attribute security significant misconfigurations to a lag between new service deployments and a relevant review by network security (in a business environment. At home it’s just me.)
So I’m running Milestone VMS, Synology NAS and maybe in a day a minecraft server for the kids, which should all be available outside my home. I’m using the mikrotik HexPOE which is my main router/firewall.
I love their switches but for routing/firewall I stick to PFSense.
Personally I use OpenWRT for access points.
OPNsense is better, because it’s the same thing but doesn’t require registering an account to download the image.
Its been a couple of months but I don’t remember that requirement…
You need a Netgate account because they gated the download in some kind of online shop. Try it yourself.
I have setup plenty of MikroTik routers, never had any issues myself.
Fairly popular in my neck of the woods and rock solid. I literally had a bad sparky put 230V through one of them. It killed the RJ45, it killed two client hosts on the same bridge, it killed the port, but the Switch itself continued to work. (Still replaced it, though)
The only thing I find them really bad and ironically replaced them with TP-Link (Omada )is Wifi. (and the fact that they let the promising “The Dude” die).
Security wise they seem to do their homework so far.
Fun fact I made my sales team standardize on Omada for all network hardware we are providing (highrise security systems, so SDN is usually out of scope) I was considering replacing my ubiquiti AC Pro soon, but I didn’t settle on a new model of access point yet. What are the mikrotik wifi APs bad at? if it’s meshing I will only have one.
I didn’t look at The Dude before, but it doesn’t seem depreciated?
Their solution to central management (Capsman) is a burning mess, when WiFi6 came out for a long time(I think 2 years) you were unable to keep older and newer APs on the same controller, so you needed two Capsman instances. Roaming between them is very unreliable and generally their hardware is underwhelming in terms of antenna quality, etc.
For one AP it is not as bad, but still annoying, if you want to centrally manage more APs it is a nightmare.
I replaced my MK APs with Omada with the software controller on a LXC and couldn’t be happier - they play along nicely with my MT infrastructure and are way more reliable.
I really love MT,but not their WiFi.
Run them in a lot of places, love them.
They’re good at being configured and forgotten about.
My main rack, that’s more complicated, I have proper gear, but mikrotik is great for everything else.
that’s why that guy seemed so unburdened! I understand him better now
Never used them pal, but seen them used in Enterprise environments?
Something I’ve found on a SOHO environment though and what I bought a family member?
Gli-Net mini routers. They come with OpenWRT as a base and then lipstick it with a nice interface. But as always, YMMV
Years ago, another trade worker on a construction site was using their wifi stuff, and mentioned using it at home. I went and picked up the hexPOE router and i’m pretty happy with it, but all i’m doing is port forwarding and I set up a rule to capture all DNS requests and shunt them into my pihole.
The documentation is pretty spiffy and public.
I’m not really sure if this seems good because I don’t know any better, or it’s good because it’s good.
edit Gli-net seems nice, but i’m a stickler of using a WAP separate from the router. I know I pay more.
It’s exactly why I bought her two of them. One their main router and the other in AP mode ;)
That’s a huge fucking red flag and I would yeet any network equipment responsible for fudging such a thing.
No doubt, and I would really love someone with more knowledge than me to poke into why that was going on (*edit: for clarity, this behaviour stopped after installing OpenWRT and is the stock Mi firmware that causes this)
https://files.catbox.moe/2i5ekl.jpg
I remember finding this thread where someone said they replaced their entire networking equipment
https://stackoverflow.com/questions/72022569/cannot-find-fixes-to-apt-error-hash-sum-mismatch
My router is this model for anyone wanting to nosey
https://openwrt.org/toh/xiaomi/ax3600