After some consideration, I’ve decided to replace my consumer router at home with an OpnSense box I control, and use the consumer router as just an access point. The model I have doesn’t seem to support OpenWrt but the default firmware supports access point mode complete with mesh functionality, otherwise I would have just installed OpenWrt on it. I still like the consumer router’s mesh Wi-Fi capabilities, especially the wireless range extender, but don’t trust it enough to let it be the actual root device separating my home network from the open internet. My reasoning is that by having it behind the OpnSense router, I can monitor and detect if it’s exfiltrating any “analytics” data and block them. Worst case scenario I realize it’s too noisy with the analytics and buy a proper business grade access point, or an M.2 Wi-Fi 6 card with some beefy antennas.
Now I’m trying to decide if I should use one of my old mini PCs or if I should get a brand new one with an up to date processor and microcode. The biggest reason I don’t want the consumer router to be the root device anymore is because I don’t know how well they patch their firmware against attackers constantly scanning the internet for vulnerable devices. I imagine an open source router OS with tons of eyes on it and used by actual professionals would inherently be more secure than whatever proprietary cost cut consumer firmware my current router has. I’ve already picked out a suitable mini PC I’m not using and the reason I even started down this rabbit hole is because I have it, but after thinking more about it, I’m worried that whatever security I gain might be undermined by the underlying hardware being old and outdated, especially since the processor is definitely pre Spectre/Meltdown and I doubt it’s still getting microcode or firmware updates.
Again, the reason I ask is because the internet really wants me to think old disused computers are perfect for converting into routers, and I really don’t want to buy a new computer if I don’t have to. How important is the hardware for a router? Can I expect OpnSense to have sufficient security on pretty much any hardware or will a sufficiently old computer completely defeat the purpose of even switching away from the consumer router?
Alternatively, I also have another mini PC with a Ryzen 5 from 2020, and I can reposition it from its current job to router duty, though it would definitely be overkill and wasting the hardware capabilities. Would that be substantially more secure than an older Intel processor?
I also have a Raspberry Pi 4 I can put OpenWrt on, would that somehow be more secure than an x64 computer?
I been running a virtualized pfsense on a PC using Proxmox. It’s been serving me well for the last 2-3 years.
The benefits of running it on proxmox gives me the option to virtualize a few more servers on the same hardware.
And as a few people have pointed out in the comments, it’s not the hardware that’s providing the security per say, it’s the software you are running.
A PC running OpenWRT vs a modem running OpenWRT are more or less the same.
I don’t think you have to worry about security with old(er) computers that have been reassigned to be a server. You’re going to most likely be running an up-to-date Linux OS, and as long as you keep everything updated, you shouldn’t have any issues. Couple that with security deployments, and I think you will be good.
The problem is that very old computers are not as efficient when it comes to electricity to run them. Will it run your power bill up an extra $100+/month. Probably not. I would stay clear of old enterprise equipment because they definitely are power hogs. It really depends on how expensive electricity is in your local. For me, it’s relatively cheap. I think I saw an increase of about $25 which is probably a nominal amount that most people would spend on a hobby.
Wouldn’t that efficiency thing largely depend on what silicon you’re using though? Like, for example, if you have an old AM1 board sitting around, those are 25W APUs and shouldn’t use anywhere near that if used as the base for a router.
Meanwhile if you’re using, say, an AM3+ board and an FX-4300 for your router, the FX-4300 is a 95W part and more likely to cost more to run by contrast to, say, the Athlon 5350’s 25W on AM1.
Wouldn’t that efficiency thing largely depend on what silicon you’re using though?
I would think so, but anecdotally, I didn’t see a horrific rise in electrical costs. Most of my equipment is 5 to 10 years old. Some people spend way more on their hobbies so I figured my costs were in-bounds. If you are in a locale where electricity is at a premium, yeah, I’d probably want equipment more modern that has less power consumption. If OP did a little diffing around on ebay, they could probably pick up a dual nic, small form factor, fanless for pretty cheap.
I noticed this watching a solar powered gaming build. Better to run faster hardware slower than slower hardware faster for power conservation. The base minimum will be higher but the increase in requirements will rise slower.
Its a bad idea from a power consumption POV, your old PC will be very inefficient, and running it 24/7 as a router will rapidly add up.
Security wise, you’ll be running a fairly up to date Linux or BSD based OS, so its perfectly safe.
So the Raspberry Pi would be better in this regard?
I have a smart home setup. I originally used a Pi. Unfortunately, it started to become unreliable after about 12-18 months. Apparently it quite a common issue with long term Pi systems.
I eventually changed to a small NUC. A bit less power efficient, but it’s been bomb proof for a few years now.
Probably, but raspi only has one interface, and USB network cards can be flakey. You’ll also not get outstandingly fast speeds, so ifnyour on a fast fibre connection you’ll struggle to hit the full speed.
https://cameroncros.github.io/wifi-condom.html
This is my travel router setup, might be useful for you to start from.
Protectli sells opnsense routers with openboot, or you can roll your own on similar embedded like systems.
I second this. I run opnsense on a protectli
You should be fine. Linux and BSD systems have te ability to load microcode updates at boot even if you don’t update your BIOS.
I’d be more concerned about the noise and power consumption.
Also the number and the max speed of your NIC is a factor if you have a fast internet connection If you run OPNSense make sure your NIC is well supported (I had problems with realtek and paravirtualized cards). Otherwise you can always add more NICs with pcie cards.
I got a friendly elec nanopi r3 that I use as a router. It routes all my Ethernet connected devices, and my consumer mesh network does all WiFi connections.
It’s basically a raspberry pi, but they do use their own flavor of os, so I just run it using a fresh image on an SD card. Works no problem and power consumption is minimal.
Unless I’m mistaken, this mostly depends on software/os you install.
A RPI with OpenWRT will be secured in exactly the same way as a router with OpenWRT and a laptop with OpenWRT. (At least I think so, I vaguely remember hearing about some Intel CPU vulnerabilities, but I don’t think there’s anything remote).
Power draw will be the main problem, along with more limited range because of the strength of the WiFi card.
