
Looking for a new router

Hi,

 

I'm currently looking forward to buying a new router for my / my parents' house.

 

At the moment we are using an ISP-provided (Telekom - Speedport W724V) Router which has limited functionality but it was fine for what it did and so I never thought about changing it.

 

The main reason I want to switch to a new router is that I installed a NAS and played around with webservers on my Raspberry Pi. My domain is pointing at my router which is redirecting the request to the devices. This works with no problems with requests from outside my home network. But from the inside my router blocks the connection to itself to protect me from NAT loopback. Since I am not able to disable this "security feature" in the settings I can't connect to my devices with the specified domains.
I read that other devices are able to disable NAT loopback protection for certain domains, but since the data (from what I read on the internet) is going through the router twice in this case the router can become a bottleneck pretty quickly if I try to move larger files between devices.

Now I've set up a DNS server on my Raspberry Pi which works without problems. It redirects my (sub-)domains to the internal IPs where I want them.
When I went into the settings of my router I noticed that I would have to switch from "Telekom" -> "other ISPs" to even access the DNS settings, which blocks some sort of "Telekom support features" I don't really need, but if not necessary I would like to not touch this.
Even if I try to change this though, I am only able to change the IPv4 DNS server and since basically any device in my home is IPv6 ready I don't want to change back to IPv4, which I would have to since the IPv6 DNS is the primary DNS.

 

So I started looking around for other devices.

What I found (I am from Germany so I don't really know if prices and products are identical in Great Britain or the US)
 

I only know of two brands of whom I would say that their products are stable and offer much functionality but if you have additional products please tell me.

 

I don't really know if I am allowed to change the router at this moment (I don't know if my ISP will get angry at me if I change it and I think my parents actually pay for this thing monthly)

and idk if the telephones which are kind of connected to the router with some old adapters and stuff because they are like 20 years old and my parents don't want to switch so I don't want to risk the telephones (and the ISP provided "Entertain" TV satellite receiver with internet functionality)

Sorry if this sounds confusing.

So my current idea was to make double NAT with the ISP router connected to the Internet and the new router connected to the ISP router

 

1. FritzBox 4040

    Looks like it is great performance/dollar 

 

2. Ubiquiti

   I already have a UniFi access point and it would be neat if everything was integrated with the UniFi controller. So I'm looking at something like the UniFi Security Gateway.

   The USG has no WiFi on board and I'm not sure if my one and only AP is able to supply the whole house.


I think I would have to disable WiFi on my ISP router because devices in this WiFi would not be able to use the DNS server? Or is it possible to spread the WiFi of the USG with the ISP-provided router again? Like this: Internet > ISP router > New Router > ISP router's WiFi > devices? I don't think that's possible so I'd like to add another AP to the setup but that's not the main question of this thread.

 

My requirements for a new router:

- Many Options in Software

- Performance

- Compatibility with Unifi controller would be very nice

- Money (This is just a normal home with some smart home gadgets and wifi devices no office or enterprise thing, so it shouldn't be totally overkill)

- Simplicity

- Stability

- ? Looks

- Easy to maintain

 

I also looked at the AmpliFi gear because the router looks interesting but I don't think it's compatible with UniFi and I don't want to change the access point once more.

I hope this thread isn't too confusing and I might get some suggestions for what I can do.
Thanks for helping me.

 

Jojomatik

 

CPU: Ryzen 5 1600, Motherboard: MSI B350 Gaming PRO CARBON, RAM: 16GB DDR4 TRIDENT Z RGB 3000 MHz CL15, GPU: GTX 1060 6 GB, Storage: SAMSUNG SSD 500GB, 1TB HDD,  Display(s): LG 2560 * 1080 + LG 1920*1080 + SAMPO 1024*768, Operating System: Windows 10

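A way to check from a client whether the DNS override described in the post above is actually being used for both IPv4 and IPv6 answers (an added example, not part of the thread; the hostname, the sample addresses and the function names are assumptions):

```python
import ipaddress
import socket

# Ranges treated as "inside the home network": RFC 1918, IPv6 ULA, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]


def is_internal(text):
    """True if the address lies in one of the internal ranges above."""
    ip = ipaddress.ip_address(text.split("%")[0])  # drop an IPv6 zone id
    return any(ip in net for net in INTERNAL_NETS)


def resolve(hostname):
    """Return the A and AAAA answers the system resolver gives this client."""
    try:
        infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_split_dns(hostname, addresses=None):
    """Classify the answers per record type: internal, public, mixed or none."""
    if addresses is None:
        addresses = resolve(hostname)
    views = {"A": set(), "AAAA": set()}
    for text in addresses:
        family = "AAAA" if ":" in text else "A"
        views[family].add("internal" if is_internal(text) else "public")
    return {family: ("none" if not kinds else
                     kinds.pop() if len(kinds) == 1 else "mixed")
            for family, kinds in views.items()}


# Constructed sample: the A record is overridden, the AAAA record is not.
SAMPLE = ["192.168.2.10", "2001:db8::10"]

if __name__ == "__main__":
    print(check_split_dns("nas.example.com", SAMPLE))
```

A result of "public" or "mixed" for either record type means some lookups still return the outside address, so those connections would go to the router's external side instead of straight to the device.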

Since you seem sufficiently network competent, pfsense running on an old desktop sounds like an option here. It has pretty much every bit of configuration you could ever want, aside from real time deep packet inspection (but come on, that requires crazy large ASICs), and is free assuming you already have an old computer laying around and a spare NIC. You can use the money you saved to buy another Ubiquiti AP, then set up your network as Internet>ISP Modem/Router (with wifi disabled, I'm not sure whether NAT could be disabled without impacting the satellite receiver/telephones)>Pfsense>switch>Ubiquiti AP, and everyone's happy.

 

Only downside is additional configuration time, and no unifi compatibility.

Current LTT F@H Rank: 90    Score: 2,503,680,659    Stats

Yes, I have 9 monitors.

My main PC (Hybrid Windows 10/Arch Linux):

OS: Arch Linux w/ XFCE DE (VFIO-Patched Kernel) as host OS, windows 10 as guest

CPU: Ryzen 9 3900X w/PBO on (6c 12t for host, 6c 12t for guest)

Cooler: Noctua NH-D15

Mobo: Asus X470-F Gaming

RAM: 32GB G-Skill Ripjaws V @ 3200MHz (12GB for host, 20GB for guest)

GPU: Guest: EVGA RTX 3070 FTW3 ULTRA Host: 2x Radeon HD 8470

PSU: EVGA G2 650W

SSDs: Guest: Samsung 850 evo 120 GB, Samsung 860 evo 1TB Host: Samsung 970 evo 500GB NVME

HDD: Guest: WD Caviar Blue 1 TB

Case: Fractal Design Define R5 Black w/ Tempered Glass Side Panel Upgrade

Other: White LED strip to illuminate the interior. Extra fractal intake fan for positive pressure.

 

unRAID server (Plex, Windows 10 VM, NAS, Duplicati, game servers):

OS: unRAID 6.11.2

CPU: Ryzen R7 2700x @ Stock

Cooler: Noctua NH-U9S

Mobo: Asus Prime X470-Pro

RAM: 16GB G-Skill Ripjaws V + 16GB Hyperx Fury Black @ stock

GPU: EVGA GTX 1080 FTW2

PSU: EVGA G3 850W

SSD: Samsung 970 evo NVME 250GB, Samsung 860 evo SATA 1TB 

HDDs: 4x HGST Dekstar NAS 4TB @ 7200RPM (3 data, 1 parity)

Case: Sillverstone GD08B

Other: Added 3x Noctua NF-F12 intake, 2x Noctua NF-A8 exhaust, Inatek 5 port USB 3.0 expansion card with usb 3.0 front panel header

Details: 12GB ram, GTX 1080, USB card passed through to windows 10 VM. VM's OS drive is the SATA SSD. Rest of resources are for Plex, Duplicati, Spaghettidetective, Nextcloud, and game servers.


I completely agree with sazrocks. I run pfsense at home and at work. At home I have it on an older dual core system with a couple gigs of ram and a second gig network card. At work, we use a small appliance from netgate. Both have been crazy stable, and pfsense also supports awesome plugins such as bandwidthD and squid.


15 minutes ago, sazrocks said:

Since you seem sufficiently network competent, pfsense running on an old desktop sounds like an option here. It has pretty much every bit of configuration you could ever want, aside from real time deep packet inspection (but come on, that requires crazy large ASICs), and is free assuming you already have an old computer laying around and a spare NIC. You can use the money you saved to buy another Ubiquiti AP, then set up your network as Internet>ISP Modem/Router (with wifi disabled, I'm not sure whether NAT could be disabled without impacting the satellite receiver/telephones)>Pfsense>switch>Ubiquiti AP, and everyone's happy.

 

Only downside is additional configuration time, and no unifi compatibility.

 

4 minutes ago, Kered124 said:

I completely agree with sazrocks. I run pfsense at home and at work. At home I have it on an older dual core system with a couple gigs of ram and a second gig network card. At work, we use a small appliance from netgate. Both have been crazy stable, and pfsense also supports awesome plugins such as bandwidthD and squid.

 

Well actually I do have a spare computer. The problem with this option is that this machine is kind of power hungry, loud and big so it would be very inconvenient to have it enabled all the time.

Even though I like self-made solutions normally, in cases like this where my mistakes actually affect "important infrastructure" (my internet :D) and since I am not at home that frequently I don't want to risk anything.

 

This might sound kind of evil to you but I'd prefer a "proper" solution in this case.
Any further suggestions in this case?


If you want a more proper solution for this, have a look at the Pfsense appliances. Pfsense will run on lots of hardware, being Linux based. If you take a look at Amazon, there are many barebones security appliances you could put PFsense onto that take very little power.


I took a screenshot of the dashboard of the PFsense appliance we have so you can have a look. It is a clean interface with tons of options.

pfsense appliance.JPG


2 hours ago, Jojomatik said:

 

 

Well actually I do have a spare computer. The problem with this option is that this machine is kind of power hungry, loud and big so it would be very inconvenient to have it enabled all the time.

Even though I like self-made solutions normally, in cases like this where my mistakes actually affect "important infrastructure" (my internet :D) and since I am not at home that frequently I don't want to risk anything.

 

This might sound kind of evil to you but I'd prefer a "proper" solution in this case.
Any further suggestions in this case?

There are many barebones systems that run pfsense and even systems sold with pfsense already installed. Aside from that, Ubiquiti's EdgeRouters seem to be your other option, with (AFAIK) support for UniFi, though at cost, and with no AP included.

I am of course deliberately avoiding all consumer routers, as these are complete and utter garbage on the routing side, not to mention numerous security vulnerabilities (for example for a time you could add "/cgi-bin/;" to the end of the router URL and then any Linux command, which would then be run as root, for many Netgear routers.).

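One way to look for the request shape mentioned in the post above in a web server access log, such as the one on an internet-facing Raspberry Pi (an added example, not part of the thread; the common log format, the sample lines and the function names are assumptions):

```python
import re
from urllib.parse import unquote

# Common/combined log format: client ... "METHOD target PROTOCOL" status size
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')


def is_suspicious(target):
    """True if the request target contains '/cgi-bin/;' after normalisation."""
    path = target
    for _ in range(2):  # undo percent-encoding, including one nested layer
        path = unquote(path)
    return "/cgi-bin/;" in path.lower()


def scan(lines):
    """Return (line number, client address) for every matching request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.match(line)
        if match and is_suspicious(match.group("target")):
            hits.append((number, match.group("client")))
    return hits


# Constructed sample log lines; PLACEHOLDER stands in for whatever follows.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/;PLACEHOLDER HTTP/1.1" 404 0',
    '203.0.113.9 - - [01/Jan/2024:10:00:06 +0000] "GET /cgi-bin/%3BPLACEHOLDER HTTP/1.1" 404 0',
    '192.168.2.20 - - [01/Jan/2024:10:01:00 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for number, client in scan(SAMPLE_LOG):
        print(f"line {number}: request with '/cgi-bin/;' from {client}")
```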

I would get an OpenWrt compatible router and flash it. Much less power hungry than an old computer running pfsense and still very capable, since it's Linux. You wouldn't be able to run anything too demanding with this hardware, but everything should be configurable (at least with command line).

My boring Github   /人◕ ‿‿ ◕人\
