I have been tinkering with my home network for a while now. Over time I have settled on some requirements:
- Low power usage
- Almost zero noise
- Three or more gigabit (or higher) network interfaces
- Support for multiple operating systems (OS)
- Optional but highly desired: supported by FreeBSD, OpenBSD, or NetBSD
Ubiquiti EdgeRouter Lite (ERL for short) is a small and lightweight device that fits all these requirements.
Before I talk about my experience with ERL I want to mention some other devices I have investigated or trialed in my pursuit of a "perfect" device for my home network's gateway and firewall needs.
I have run TP-Link AC1200 Archer C5 v1.20 flashed with OpenWRT for a good period of time. It runs admirably on a less-than-50 Mbps WAN with multiple HD or better video streams. It has limited flash storage and not many OSes support it. Big thumbs up to the OpenWRT and LEDE teams for their awesome work in supporting such a variety of devices. More recently I have delegated it to wireless access point (WAP) services only. It has great range and covers about 1900 square feet of indoors space very well when placed strategically.
I have also run Mikrotik RB750GL. The box is tiny, light, and has five gigabit network interfaces: one for WAN and the rest up to your imagination. It runs RouterOS, whose configuration is initially daunting and documentation is not easily digestible. However, if you persist with it, it becomes easy to understand and configure. It has very powerful features which I did not have a chance to check out but the wider community has great things to say (among some consistent complaints) about it. Not-so-surprisingly OpenWRT also supports this model so if you like or understand it better then that options is also available. I would recommend the box and stock OS to anyone who wants advanced networking features.
I have been keeping an eye on Netgate for a while. They have a good variety of systems that support pfSense. However, none of them are in the sub-$100 range like ERL, Archer C5, or RB750GL. I can't afford to spend $299+ on an Intel-based firewall at this time. They do have a new ARM-based micro firewall, SG-1000, at $149 which seems reasonsable. I'm hoping for some chatter from the community on how well it performs before I invest in one. That said, I have used pfSense in production in a high traffic high availability voice over IP (VoIP) system and found it to be an excellent OS.
Another Intel-based firewall box that has piqued my interest is Compulab's fitlet-X. It has four gigabit ports and comes in barebones models starting at $262. The price is sure to increase after adding the missing RAM and storage. Once again the price point is prohibitive in my current situation. If I ever get something like this I'd be sure to try pfSense, OPNsense, VyOS, Untangle, Sophos UTM Essential Firewall, and BSD Router Project on it. Of course, FreeBSD, OpenBSD, and many Linux distributions are also good candidates for this hardware.
Some more devices to keep on your radar are UniFi Security Gateway and other EdgeRouter and Mikrotik models.
The thing I absolutely love about ERL is that its storage can be easily replaced: it's a single USB drive that easily disconnects. In my tinkering I must have already broken all kinds of warranties but it's a cheap enough device that I don't care as long as I learn something from it.
Since I can replace storage, I can invest in more disk space. This allows me to install a server OS (say OpenBSD) -- versus a network OS (say EdgeOS) -- to run other applications. For example, I can run Python scripts if needed, or a tiny web server or something. It doesn't matter right now what I actually run; what matters more is that I have the ability to do so.
It gets warm to the touch after a while but never too hot to be of concern. Many OSes support ERL, such as EdgeOS, LEDE/OpenWRT, FreeBSD, OpenBSD, and NetBSD. That provides significant opportunity to tinker and find the right solution for you.
Since it has three network interfaces it is more flexible than a device with just two interfaces. I can bridge two interfaces for LAN (as I did in OpenBSD below) or create two separate LAN networks (as I did in FreeBSD below).
I am also a big fan of the console port. I needed it to install OpenBSD but it proved invaluable when I was running FreeBSD and LEDE as well. I don't think I can go back to a device that doesn't either have console access or an HDMI output. I need that low level access since it opens new doors, like replacing the stock OS with another open source OS.
The opportunities provided by ERL are not available in many other competitor products at the same price point. It's a truly remarkable product and I am fully satisfied with it. Needless to say, I recommend it to every person who wants to take control of their home network gateway/router.
ERL comes with EdgeOS (PDF user guide) installed. I have watched a few videos introducing it but have not used it myself. After the excellent design decisions that went into making ERL I'm sure Ubiquiti's software is also top notch. I will give it a try one of these days, especially since it's apparently built on VyOS.
I started by installing FreeBSD on ERL. It took a lot of research into how to replace EdgeOS with another OS but it turned out to be fairly easy. Getting a FreeBSD 12.0-CURRENT image to install was also doable thanks to Colin Percival.
After I got it running -- with more help from community documentation -- the device worked very well. It handled my home's network load easily. Then tragedy struck: network on ERL would hang after irregular intervals. I researched a lot and came across a similar issue: (Workaround) FreeBSD 10.1, sudden network down. I suspect it is a driver issue. I should help the community by filing a bug report but I was burnt out enough with all the research that went into making this all work that I decided to drop the idea of running FreeBSD.
Since I have some experience with OpenWRT I decided to give it a try. LEDE project had a newer build than OpenWRT so I went with that. It installed easily -- although I needed to use my Raspberry Pi 2 running Ubuntu MATE to create the disk -- and ran flawlessly. Configuring it was simple as well.
It did have a quirk out of the box that eth1 was WAN and eth0 was LAN. Most other OSes do it the other way around as that's what most people probably expect. But it's no big deal and I didn't change the config back because it still worked.
A thing that kept nagging me while LEDE was running flawlessly was that it was a Linux distribution and not a BSD. It's a silly thing but I have consumed the kool aid that BSDs are better engineered than Linux. I have absolutely no solid proof for this. Neither do I have anecdotal evidence to support it since I have had nothing but great experiences using Linux and FreeBSD.
A second thing I wanted was to learn PF. I already use PF on my FreeBSD box running on Digital Ocean. I have learned quite a bit setting up that box but I wanted to learn more techniques. I have to admit Peter N. M. Hansteen and Ted Unangst have played a significant role in making PF something I must learn. Their marketing message -- that OpenBSD and PF are much better compared to other solutions -- has worked on me.
This is my first OpenBSD install and I leveraged a lot of experience I gained by running FreeBSD and LEDE on ERL. That made it easier for me to install OpenBSD on ERL. I must note that the apprehension I had of moving to OpenBSD because of the reputation it carries -- serious people use it for its focus on security and simplicity -- melted away. OpenBSD has excellent manual pages and community documentation. Everything that I needed to do was explained in some easily discoverable place. Moving to OpenBSD is not as hard as it initially looks.
As I write this post OpenBSD is running and my home network is "protected" by PF (as best as I could write its rulesets). Speed tests -- although not the most reliable metrics -- are showing no slow downs. I have both IPv4 and IPv6 connectivity. All the features I wanted are already implemented in this setup. I have not yet encountered mysterious network hangs either.
I am grateful for the work that went into making ERL as well as all the OSes that support it. We all stand on the shoulders of giants and everyone involved in making this an excellent solution deserves a huge round of applause.
Go ahead and tinker to your heart's content.