Hacker News | petiepooo's comments

We implemented a very similar solution more than five years ago. The NanoPi R3S was not available then, so we used the GL.iNet GL-MT300N-v2 (aka Mango) running OpenWRT as our edge gateways. It's slow and only has two 100Mb ports, but that was never the bottleneck. At that time, I was able to assemble a batch of 10 including cables and power supplies for only $300, which was ridiculously cheap for such a flexible solution. If you need a polished, turnkey solution, by all means check netrinos out. If you have a strong Linux/nftables/wireguard background, this solution is easy to roll on your own.

People still use UPnP? That's the first thing I disable on a new router.


I use UPnP. My Fritz!Box router disables it by default, controls UPnP access with per-device controls, and permits using it to open IPv6 ports on the WAN side as well.

None of the IoT crap can open ports but I don't need to use a web UI to temporarily open a port on my computer.

I know plenty of shitty routers have terrible security on it and should have it disabled by default, but the protocol itself is pretty useful.


Aren't those Fritz!Box routers (common in Europe) precisely examples of "shitty routers with terrible security?"

The first thing I would do with a typical residential Internet connection is to ask the ISP to give me an ONT so that I can use my own router, a commodity x86 PC running Linux. Their underpowered plastic boxes simply won't cut it when it comes to complex firewall rules and high VPN throughput. I also don't want to deal with their shitty web UIs and would rather script the setup I want.


I have yet to find a security issue with it. I know German ISPs misconfigured their management network at some point, letting the Fritz!Boxes access each other, but that would've happened with any managed modem that was misconfigured like that.

I bought my Fritz!Box. My ISP has no control over it. TR-069 and other upstream management protocols have been disabled completely.

So far, I'm easily getting gigabit+ speeds across both IPv4 and IPv6. VPN is too much to ask (beyond emergency LAN access, I suppose) but that's what the home server is for.

The web UI is kind of nice, actually. Maybe not to everyone's taste, but the firewall management is a lot less of a clusterfuck than trying to properly configure simple port redirects over the command line. Heaps better than OpenWRT in my opinion. I've run my own Debian router box for a few years and I can say I'm doing just fine without.


I'd say a Fritz!Box is a good router for normal users. Easy interface. Good enough hardware. Stable modems. Some nice software features. Absolutely not a device for prosumers.


No, Fritzboxes have distinguished themselves by being about the best device you can hope to get from an ISP.


If this is the best you can get, you are better off not renting their stuff and buying an OpenWrt One for a one-time $100 investment, give or take.


No really, they are pretty decent. I stopped running an old PC for router and firewall after I got a Fritzbox. It can traffic-shape, forward ports, configure fixed IP addresses and DNS names, provide limited guest access to the WiFi, analyze the WiFi spectrum (and show a graph) to choose uncongested channels, and do a whole bunch of things that I don't use but which are conceivably useful like VPN server, file server and such.


> Aren't those Fritz!Box routers (common in Europe) precisely examples of "shitty routers with terrible security?"

Not at all. They had security bugs, sure, but not constantly. Each device has a randomized admin password from the factory. Some changes require physical hardware access because one needs to press a button to confirm. They support the hardware for ages. Their 7490 model just got a feature firmware update. The model is 13 years old!

In Germany, if you ask someone where his router is, he might not know what you are talking about. But he would understand if you asked about "your fritzbox". (Even in cases where they have something else.)

But enough of the glazing. In 2024 they got sold to private equity. Let's see how the enshittification will treat them.


I do not use UPnP myself but I agree with the notion, hate the bad implementations not the protocol itself. When limited to specific ports by specific devices it does have its uses.


Isn't fritz a derogatory term for Germans? That's a weird choice of a name for a router. Or is it like a joke? Or maybe Germans aren't familiar with that slur?


Fritz is a normal German first name.


Just like "dick" is.


What are the other options, if I want to open a port and don't want to (or can't) go to the router config?


If you have the ability to disable UPnP on the router, then you presumably have the ability to set up port forwards manually. "Don't want" doesn't come into play; if you disable UPnP, that's the trade off you're making.


I mean, I don't want to disable UPnP. The whole point of it is to not have to do forwarding manually. So my question is: if I want automatic port forwarding, and given that apparently UPnP is bad for some reasons that I don't know, then what are the other automatic options?


It's hard to take this rant seriously when the author chose to clutter his rant with snowflakes. If he's looking for more readers he's lucky I run uMatrix and chose to disable javascript instead of just closing the tab and moving on.


A viral commit


I pay taxes. Do I get a seat on the board?

No?

Then don’t use my taxes on that!


Well, duh!


Shareware has been around since at least the 1980s, kids. The value proposition is that you get to evaluate an app's quality first before committing a payment.

If an app is unusable without an IAP, then that tells you about the developer's ethos and what kind of support you can expect. Cancel and delete.


In Win98SE days, I set up a PC for my parents to use. It was their first computer, and I personalized it the way I set up mine: enable view extensions and path bar in Explorer, remove the Go button in IE, and so on.

Then I got a call from my Mom: "I typed in the web address, now what do I do?"

To me, it was obvious: hit Enter. But MS had done their A/B testing, and that Go button was for the beginning user.

For the OP to assume that everyone is as adept as they are is folly. As another user lamented, sometimes you have to rub the user's nose in it for them to know they can click something.


Looks like the transformation of RHEL into a Windows clone is nearly complete. I'm all for it, as I expect a modern fork without systemd will coalesce for those of us that prefer Linux over Windows.


Repost... There was a link to this back in 2016.

