Greymeister.net

2021 Router Replacement

I decided to finally replace the ERLite-3 router that I purchased in 2017.

I purchased the Edgerouter to replace my old D-Link DIR-655 WiFi/Ethernet router that I had used for years. The router firmware was no longer receiving updates and I was a little perturbed trying to do some uncommon configurations with it. I looked around, and although I don’t have the research material I used back then, I was trying to find something that allowed the configuration options I wanted without having to buy something big and expensive from Cisco. The ERLite-3 worked really well, and provided the network separation I wanted between my WAN connection, my lab/server network, and the network with Wi-Fi access.

Eventually, there were a few things I started to dislike about the ERLite-3. First, firmware updates were less frequent, and eventually they bifurcated into a 1.x and a 2.x version. I had read about stability and performance issues in 2.x and had remained on 1.x, even though I felt the updates were falling behind the issues I was noticing on security sites. The NAT slipstreaming attack and DNS Redirect were just some of the issues I wanted to solve. Additionally, Ubiquiti or UniFi or whatever they call themselves now were pushing more and more towards management via “apps” on iOS or Android. To me this is a terrible idea, introducing the requirement of these ecosystems into managing my home network. I don’t trust these devices and I don’t know how you’re supposed to trust your network infrastructure management to something running on one. A web-based configuration was a dependency I was reluctantly dealing with, but fuck having to depend on a proprietary device to remotely control my router. It’s the same reason I hated Apple’s Airport devices. Finally, I thought it might be a good idea to get off of the Edgerouter and replace it, but what to replace it with? A long time ago I remember using Freesco, but figured there were probably better options today.

Luckily I’m not the only one looking to replace this device. That blog had a well-reasoned explanation for what they chose, which in the end was a Netgate SG-1100 running pfSense. I have seen pfSense discussed quite a bit on different subreddits and blogs, so it seems like a reasonable choice. However, those choices didn’t feel right for me, as it would still be coupled to one vendor’s choices, like with Ubiquiti. I was glad they mentioned PC Engines, as it seems like a great choice for this type of hardware project. I also came across this site that someone assembled describing a router using OpenBSD and its pf capabilities. After my experience with Ubiquiti, this was more appealing, as I should be able to use generic hardware and pick my software stack. If I found OpenBSD lacking I could always switch to a different OS.

I ordered an apu2e4 system from PC Engines as it provides the same 3 NIC configuration that the ERLite-3 had. I decided to go ahead and use OpenBSD and found this page which gave a nice overview for booting a similar system with OpenBSD. Setting up the OS was pretty easy (although it had been a long time since I used a serial TTY) and I was ready to dig into setting up a replacement for my existing network. This meant I’d need to configure the 3 networks, DHCP, and a pf.conf that was at least as good as my current router setup.

Setting up pf.conf the way you want is a little tricky. For one thing, you see in a lot of configurations that they rightly block access out on the WAN interface to any RFC1918 addresses. However, while testing locally, my external network will itself be a private network, as I’m testing it within my existing NAT’d network. Not only that, but to access my cable modem, I have to allow access to at least one specific class C network. Things like this made getting a final configuration hairy. I was able to test my firewall rules by plugging 2 machines into the 2 internal networks and doing basic port and NAT testing within my existing network. Finally, it was doing everything I figured it should, and I made the switch. I had to shut down the ERLite-3 and then boot up the new box. Of course, a few last-minute fixes were required before everything “worked”, but those were mostly things I realized I had to fix about the WAN DHCP client configuration.
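To show the rule-ordering problem described above, here is an added pf.conf fragment (not the author’s own file) that keeps the general anti-RFC1918 rules on the WAN interface while carving out the modem’s subnet first; the interface names (em0/em1/em2) and the 192.168.100.0/24 modem subnet are assumptions.

```pf
# Added example pf.conf (not the author's own file); assumed interface
# names: em0 = WAN, em1 = lab/server network, em2 = Wi-Fi network.
ext_if  = "em0"
lab_if  = "em1"
wifi_if = "em2"

# Private address space that must never leave via WAN (RFC 1918).
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Private destinations that ARE allowed across WAN: the cable modem's
# management subnet (constructed placeholder). While testing behind an
# existing NAT'd network, add that upstream subnet here as well.
table <wan_private_ok> { 192.168.100.0/24 }

set skip on lo0
set block-policy drop

# Hide both internal networks behind the WAN address.
match out on $ext_if inet from { $lab_if:network, $wifi_if:network } to any nat-to ($ext_if)

# Default deny, logged so mistakes show up on pflog0.
block log all

# WAN DHCP client exchange, stated explicitly so an upstream RFC1918
# DHCP server (as in the test setup) is not caught by the block below.
pass quick on $ext_if inet proto udp from port 68 to port 67
pass in quick on $ext_if inet proto udp from port 67 to port 68

# Carve-out first, then the generic anti-RFC1918 rules; "quick" stops
# evaluation so the later pass rules cannot override these.
pass out quick on $ext_if inet to <wan_private_ok>
block out quick on $ext_if inet to <rfc1918>
block in  quick on $ext_if inet from <rfc1918>

# Keep the lab and Wi-Fi networks separated from each other.
block in quick on $lab_if  inet to $wifi_if:network
block in quick on $wifi_if inet to $lab_if:network

# Let DHCP requests from still-unconfigured clients reach dhcpd.
pass in on { $lab_if, $wifi_if } inet proto udp from port 68 to port 67

# Internal hosts may reach anything else; state handles the replies.
pass in on { $lab_if, $wifi_if } inet
pass out on $ext_if inet
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` while testing to see which rule is dropping traffic.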

I’m very happy with how things are working. I occasionally need to fix a few things, but I keep my pf.conf and dhcpd.conf files in version control so it’s easy to get back to a last known working configuration if something breaks. I don’t have any WebUI or dependency on some proprietary vending machine to manage my router; everything can be done via restricted SSH connections to the router. It’s a return to simpler times in a lot of ways. I also find updates more frequent than I did with either D-Link or Ubiquiti, and there is a wealth of information online for mitigations and advisories. I don’t think OpenBSD is necessarily better at everything, but I appreciate the focus being on security and simplicity, which is exactly the sort of thing you want on a box that’s just routing packets.

Coda

It felt a bit sad to remove the last MIPS system I still have running. I know it’s possible to flash it and install a different OS, but I read about some pretty ugly problems people doing this have run into with the storage the ERLite-3 uses. I decided to just factory reset and put it back in the box, hopeful that one day I can sell it to someone who wants it.