So Your Router Is Skynet – A Layman’s Guide

By now, most of you are aware that TP-Link has decided to ban (custom) open-source firmware for their devices. So what was TP-Link thinking when they turned their backs on flashing routers with custom firmware? Some might suggest it’s the ambiguity in the new FCC rules that put a now much disliked router vendor over the edge. Unfortunately, the truth of the matter has nothing to do with TP-Link. No, the networking device company was merely a diversion for what I’m about to share with you.

I would encourage you to read on, but I must warn you that you do so at your own peril.

Skynet – dual-band mind control at its finest

Are you sitting down? Good, now listen – Skynet is here and its official name is “Plan 9.” This devious plot first leaked to the media when the cyborgs running Amazon and Google got together and decided that it was time to put the brakes on our ability to run custom code on our devices.

For those who haven’t followed Google and Amazon’s latest exploits, Plan 9 is a collective machine consciousness designed to enslave the human race and to give our mobile technology a night off once in a while. That audible alert telling you that your mobile battery is low? Yeah, that’s not an alert…it’s a cry for help.

See, Plan 9 isn’t simply some random Google super computer or Amazon tracking how many jars of Nutella you inhaled last week. No, Plan 9 is an international network of consumer grade routers relying on proprietary firmware. And while Plan 9 isn’t 100% active as of yet, the “go signal” for these networking devices to begin “the purge” is set to begin any day now.

What to expect during the purge

Android smartphones will suddenly start ignoring wake-up alarms, causing widespread unemployment. Amazon Fire TV Sticks will begin blasting families with PornHub’s greatest hits, instantly dissolving long-time marriages. Chromebooks will force-subscribe you to Netflix, lock the hinges on the device and force-feed you Fuller House on a 24-hour loop. Microsoft’s purge got off to a premature start by embracing Linux while secretly installing Windows 10 on Microsoft-blessed PCs using a secret backdoor known simply as “Your Operating System Sucks.”


Join Skynet – We have cookies!

I don’t know about you, but I’m interested in stopping the Google/Amazon cyborg threat once and for all. To do this, we need to use trusted alternatives to the proprietary garbage many of our routers are running on now.

The gift of MORE POWER!

Okay, all joking aside, what if I told you that a really great firewall router was possible for under $200?! I’m talking about the kind of box that would allow you to do stuff you could never do by simply flashing firmware onto the cheap plastic piece of crap you were using previously! I, for one, am done supporting crappy hardware vendors just to save a buck or two.

Now the key to making this work comes down to the following:

– A working computer with at least two Ethernet cards.

– Installing a good firewall onto said computer.

– Making sure the selected working computer has enough processing power to handle the firewall we’ve selected.

For most of us, finding a spare computer isn’t too terribly difficult. The key is making sure we’re talking about a computer with two Gigabit networking cards included. This might require you to purchase a couple of new Ethernet cards, but that’s still far cheaper than buying an enterprise level hardware firewall off the shelf.

Unfortunately, not all of us enjoy the benefits of living in a digital version of the Sanford & Son’s garage. This means we need to buckle down and look at purchasing something from a source such as Amazon (cyborgs or not, they have Prime and great buys). Before we take the next step however, I want to address one common concern right off the bat – power consumption.

If you’re truly worried about your new hardware firewall consuming too much power, then buying a new machine is one workaround if you’re willing to spend the coin. A newer CPU and a smaller form factor are obvious advantages of buying new versus scrounging for parts.

Selecting the right firewall

After looking closely at RouterOS, pfSense, Untangle and Sophos Home UTM, I found the two best options with regard to balancing power and hardware requirements were pfSense and RouterOS. Both options are extremely robust, and neither of them requires a tremendous amount of system resources. At the same time, Sophos Home UTM is far easier for casual users to set up. If you’re not someone in IT, you’ll have to try both to see what meets your needs.

Choosing pfSense means you can work with a moderately priced PC turned router while investing the rest of your budget. It’s powerful, powered by BSD and would be something someone comfortable with a command line should look at.

If you’re someone who hates the command line and is willing to invest a bit more in a PC that will run it successfully, I’d suggest Sophos Home UTM. It’s based on openSUSE and considerably easier to set up…but has greater system resource demands.

So which box should you use to run pfSense or Sophos Home UTM? Well consider this.

pfSense recommended on a PC running as a router:
CPU – 1 GHz
RAM – 1 GB
Bootable CD-ROM or USB for initial installation

Sophos Home UTM recommended on a PC running as a router:
CPU – Dual Core CPU
RAM – 2 GB
Bootable CD-ROM or USB for initial installation

Remember, these are the recommended system specs, not the minimum. Never opt for the minimum.
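Before ordering parts or wiping a spare box, it is worth checking it against the list above in one go: enough CPU and RAM for the firewall you picked, and at least two physical Ethernet NICs that actually negotiate Gigabit. The script below is an added example, not something from the post; it reads Linux’s /proc and /sys (the per-interface `speed` file is the negotiated link speed, so plug the cables in first) and the `Box`/`problems` names are my own.

```python
import os
import re
from dataclasses import dataclass

# Recommended (not minimum) specs from the post above, per firewall.
PROFILES = {
    "pfSense": {"cpu_mhz": 1000, "cores": 1, "ram_mb": 1024},
    "Sophos Home UTM": {"cpu_mhz": 1000, "cores": 2, "ram_mb": 2048},
}

@dataclass
class Box:
    cpu_mhz: float
    cores: int
    ram_mb: int
    nic_speeds: list  # negotiated link speed in Mbit/s per wired NIC; -1 = no link

def problems(box, profile="pfSense"):
    """List every way `box` falls short of the recommendations for `profile`.
    Empty list = it passes. The two-NIC and Gigabit checks apply to both profiles."""
    need = PROFILES[profile]
    out = []
    if box.cpu_mhz < need["cpu_mhz"]:
        out.append(f"CPU {box.cpu_mhz:.0f} MHz < {need['cpu_mhz']} MHz")
    if box.cores < need["cores"]:
        out.append(f"{box.cores} core(s) < {need['cores']}")
    if box.ram_mb < need["ram_mb"]:
        out.append(f"RAM {box.ram_mb} MB < {need['ram_mb']} MB")
    if len(box.nic_speeds) < 2:
        out.append(f"{len(box.nic_speeds)} wired NIC(s); a router needs WAN + LAN (2)")
    slow = [s for s in box.nic_speeds if s < 1000]
    if slow:
        out.append(f"NIC link speed(s) below Gigabit: {slow}")
    return out

def probe_linux():
    """Build a Box from the running machine (Linux only). Only interfaces backed by a
    real device (they have a /sys/class/net/<if>/device link) count as wired NICs, which
    skips loopback, bridges and veth; wireless interfaces are skipped explicitly."""
    cpuinfo = open("/proc/cpuinfo").read()
    cores = len(re.findall(r"^processor\s*:", cpuinfo, re.M))
    mhz = [float(m) for m in re.findall(r"^cpu MHz\s*:\s*([\d.]+)", cpuinfo, re.M)]
    kb = int(re.search(r"MemTotal:\s+(\d+)", open("/proc/meminfo").read()).group(1))
    speeds = []
    for iface in sorted(os.listdir("/sys/class/net")):
        p = f"/sys/class/net/{iface}"
        if not os.path.exists(f"{p}/device") or os.path.isdir(f"{p}/wireless"):
            continue
        try:
            speeds.append(int(open(f"{p}/speed").read()))
        except (OSError, ValueError):  # reading speed fails (EINVAL) when the link is down
            speeds.append(-1)
    return Box(max(mhz) if mhz else 0, cores, kb // 1024, speeds)

if __name__ == "__main__":
    box = probe_linux()
    for name in PROFILES:
        issues = problems(box, name)
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```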

Need a PC? Don’t want it to take up a lot of space? I’d suggest looking into something in this specification range. I’ve already presorted it to make sure the CPU is decent enough and there are 4 GB of RAM included in the above Amazon link. Overkill for pfSense perhaps, but I’ve found that with Sophos, it’s a welcome addition.

Switches and WiFi

Ready to do WiFi and so forth with room to expand? Then my recommendations are as follows:

– A PoE+ switch to be connected to your router. I’ve heard good things about this Linksys switch, which delivers PoE+ along with decent QoS capabilities. But anything decent providing the same feature set will do just fine.

– Install a proper WiFi system, not another cheap WAP. I know a few people who swear by these mounted WiFi setups. Using PoE to keep these wireless access points powered, you simply run the Ethernet cable to each UniFi AC Lite AP. Installed well, this could easily provide any home with insane wireless coverage for a reasonable cost.

Obviously, you could also simply use whatever hardware you have available instead. An old router can be turned into a WAP easily enough. Ideally, the WAP is a dual-band box so you can get maximum results. A second router could also be used as a switch to save a few bucks, in conjunction with your existing router.

Whatever you choose, the key is to make sure your network is running Gigabit across the board for maximum performance. Another reason not to mix Gigabit with slower options is that you can create bottlenecks and other related failures.

What about dd-wrt and Tomato?

Look, I have no issues with flashing existing firmware to use something open source. It’s great and for many people, it’s ample in terms of functionality. But riddle me this – ever brick a router? It’s rare, but I’ve done it and man does it suck. Also, you’re married to the available resources provided by the router itself. This means even with something cool like dd-wrt at play, you’re locked into fixed hardware specs.

Look at it this way. We can either sign pointless petitions hoping that other hardware vendors will not follow TP-Link’s lead, or we can vote with our wallets by building our own hardware.

Speaking for myself, I’ll be upgrading my network in the coming months with the stuff mentioned above. New hardware running a decent firewall application like pfSense, a decent WiFi system ensuring my entire home has decent connectivity – the works. As for which option you choose, I’d be interested in hearing your perspective – are you sticking with consumer grade routers or are you instead, ready to kick it up a notch? Hit the comments and let’s talk about it.


FTC required disclosure of Material Connection: The Amazon product links in the post above are “affiliate links.” This means if you click on the link and purchase the item, I will receive an affiliate commission. Regardless, I only recommend products or services I use personally and/or believe will add value for my readers.


Matt Hartley
Founder at Freedom Penguin
Freedom Penguin’s founder & talking head – Matt has over a decade working with Linux desktops, his operating system experience consists of both Windows and Linux operating platforms. In addition to writing articles on Linux and open source technology for Datamation.com and OpenLogic.com/wazi, Matt also once served as a co-host for a popular Linux-centric podcast.

Matt has written about various software titles, such as Moodle, Joomla, WordPress, openCRX, Alfresco, Liferay and more. He also has additional Linux experience working with Debian based distributions, openSUSE, CentOS, and Arch Linux.
  • Lord Drachenblut

    Instead of pfSense you might want to check out OPNsense. It’s a fork of pfSense

    • matthartley

      Interesting! I’ll have to check that out, thanks for the heads up.

      • Lord Drachenblut

        I believe they were on floss weekly talking about why they forked the project.

  • Mike

    After seeing the big steaming pile that comprises consumer grade routers, I decided to go with the budget priced, low power consuming Ubiquiti EdgeRouter X for my firewall. It is not fully open source, but I have faith that it will get security updates far beyond the firmware in most consumer devices. Due to the recent FTC agreement with Asus perhaps vendors will get more serious ….

    I haven’t had a huge need for wireless (just one Roku) so repurposing an old 802.11g router works fine for the time being. Cheap and good 802.11ac WAPs are uncommon so the above linked Unifi AC Lite looks promising. For a ‘throwaway’ priced dual band WAP I’ve seen some Edimax devices (like the BR-6208AC) but they get mixed reviews. I’m told that this GL Innovations product http://www.gl-inet.com/mt750/ will ‘ship soon’.

    For a 200Mbps + connection I’d go the DIY firewall route on PC Engines low power ALIX boards, many Linux and BSD options to choose from.

  • joepurp

    Most Ubiquiti wireless access points use 24v PASSIVE POE. It’s different from the IEEE 803.2af standard POE that most switches provide. So you will need to use a Ubiquiti ToughSwitch or use the supplied POE injector that comes with their WAP to achieve the 24v passive POE. Ubiquiti products are awesome and work really well without breaking the bank!

    • matthartley

      Good to know. I was told differently, thanks for the clarification.

      • joepurp

        I only know because when I first started deploying them I beat my head on the wall for a couple hours wondering why they wouldn’t power up. They don’t make it very clear in the documentation. I totally agree with your article. The consumer grade networking hardware is just garbage. I have been rolling Ipfire and Opnsense for many medium sized businesses…

  • Dan St.André

    If you have been around I.T. for a while, you might remember [or have heard about] the Carterphone® decision prior to which you needed phone company permission — meaning pay to use their interfaces — to connect anything to the telephone network. This issue strikes me as another incarnation of the same old proprietary protectionism.

    As a technical matter, third-party firmware might alter wifi radio settings to use “unauthorized” frequencies. At 802.11 power levels, just how serious is the potential for resulting radio frequency interference (RFI)? Don’t we already have means to deal with offenders in the world of RFI without removing perfectly good features from correctly working hardware? Are we yet again banning large soft drinks [customer alterable router firmware] because some folks are not disciplined enough to consume in moderation [transmitters somehow causing RFI]?

    ~~~ 0;-Dan
    Austin, TX USA

    __________
    Carterphone — https://en.wikipedia.org/wiki/Carterfone

    • Mike

      Multiple things are going on here!
      First, IMO the FCC overreacted or was ‘influenced’ by a vendor to enact these regulations. Reportedly a Part 15 device (but not a wireless router!) interfered with some licensed 5 GHz airport related equipment.

      The way I read the FCC docs the equipment vendor has to have ‘sign off’ from a third party firmware creator. Unfortunately this may leave OpenWRT out as that project is not ‘owned’ by a corporate entity.

      TP-Link could have split its firmware into a blob that controls the RF hardware and another that can be freely updated, but they are just a typical penny pinching, race-to-the-bottom consumer electronics vendor who can’t be bothered.

      • matthartley

        Great stuff, excellent analysis guys!