Home router recommendations
48 points by strongoose
Hi lobsters - I'm interested in your thoughts on home routers. I have used the crummy ones provided by my ISPs for years (currently I have something called a FritzBox), but I'm increasingly considering getting something a bit more customisable.
My requirements are minimal. My flat is small so coverage is not a problem. I would like to do some DNS filtering so if I can run pihole or similar on the router itself that's a plus. I would love better logs in the event of network issues. Tell me about your setups/experiences? :)
I've been using a few GL-iNet ones since they are intuitive for the average user and also support OpenWRT for good enough use cases like AdguardHome for one.
I personally have a few of these for home as well as travel purposes + an x86 box with SFP+ ports that runs a firewall like OPNSense for more granular control over the network.
I'll give a strong recommendation for GL-iNet. I've been using their Flint router for a couple of years now, and it's been an absolutely amazing router.
I recently got myself the GL iNet Flint 2 and installed plain OpenWRT on it right away.
It's been running with multiple VLANs to separate IOT and guest devices from my LAN, is acting as a WireGuard endpoint and does DNS based ad blocking without any issues so far.
I don't know about the quality of other GL iNet devices, but wholeheartedly recommend the Flint 2.
I opened this thread just to also suggest GL-iNet. The MT6000 was highly recommended when I needed to upgrade my router, and it's awesome and solid and feature rich, and the OpenWRT support is great.
+1 for GL-iNet, specifically also for their travel routers. Their built-in support for Mullvad VPN is great
Anything from Ubiquiti is also quite good, but for a small flat, the Ubiquiti Lite would probably be a good option
I can highly recommend Mikrotik devices. They are very powerful for how inexpensive they are. They can be configured via web interfaces as most brands, but also offer CLI and even a dedicated GUI app. The interface is not the best UX-wise to be honest, as it simply exposes to you all of its features with minimal abstractions. I see that as a good way to learn though. Most importantly, you can easily back up your configuration and they have a "checkpoint" system where it resets to the last committed config if you lock yourself out by accident. Also made in EU if this matters to you.
I only have a quite old Mikrotik switch with SwitchOS that is gathering dust, but we are reducing US tech reliance and the Unifi devices everywhere in the household are becoming a bit of a concern. Does Mikrotik provide something similar to Unifi's controller where you can admin all the Mikrotik devices in your network from a single interface? I have found that this is especially useful for configuring VLANs.
I’m pretty sure their desktop WinBox app allows for this. The biggest downside when I used it was that it was Windows only (though it worked fine in Wine). But apparently there are Mac and Linux editions of the latest version.
Can vouch that Winbox has a native Mac app and works well. There is no central config à la Unifi Controller however for managing multiple switches in the same place (you’ll need to go in and out of each switch through the winbox UI)
I thought I remembered it having central management capabilities but on further research I was thinking of CAPsMAN which is only for central administration of WLAN AP settings.
Mikrotik routers do offer a lot of possibilities, and do just work out of the box. But for a lot of more advanced functionality, their documentation is atrocious.
I'll third this recommendation. Especially if the flat is small enough, you could just put one RB4011 somewhere central and use that for firewall, router, and WAP.
In theory, you might be able to get Pi-hole running on Docker on the right Mikrotik product, mine are older so that wasn't an option for me and I just run it separately.
I've been decently happy with logging and have a bunch of stuff (netflow, logins, DHCP, DNS, interface status, some other stuff) all kicking out syslog messages over to my centralized logging for the network, as well as dropping to disk. There are a few networks I admin which I'm able to aggregate nicely using built-in VPN functionality over to a cloud host. They now support things like wireguard out of the box, so it is pretty plug and play (if you're plugging and playing a sharp knife that'll happily cut you if you click the wrong button in the GUI).
Agreed. I really like routerOS: it has both a web gui and a CLI. The CLI is particularly useful when asking an LLM questions. It can just spit out commands and you can run them. I managed to get ipv6 working just through CLI commands provided by an LLM.
One thing I wish I understood earlier is that what most people call a "home router" is actually four different devices bundled together:
If you use separate devices for each function, you have more control over your networking setup and you can optimize for the features you care about.
For example, I used to shop for all-in-one routers based on how many Ethernet jacks they had, but that's ridiculous because you can buy a $20 switch to add more jacks with minimal impact on performance. Or, I'd want the latest WiFi standard and have to buy a whole new router, but if you unbundle, you can just replace the WiFi access point.
If you're just getting started and don't care about open-source, I recommend just getting Unifi gear. Their stuff is pretty user-friendly and customizable, but then it's sort of like Apple products where the main value is how well different Unifi products integrate with each other.
If you're more interested in software freedom, I've had mostly good experience with OPNsense, though at this point, I'm ready to simplify to FreeBSD and write scripts to configure it how I want.
I have a Ruckus R310 WiFi AP (not open-source), and I've been happy with it. It's meant more for businesses, but the R310 is super cheap used. It lets you do things like define multiple WiFi networks with different networking rules (VLAN IDs).
Edit: Forgot to add "modem" to my bundle list.
My problem with buying a separate modem is that they're an almost business-only product, so they tend to be expensive, to the point where a comparable home router is almost the same price.
I like Ruckus too. The 'unleashed' ones have the controller on board so it's relatively easy to set up a bunch of APs if needed.
I have a couple R650s from aftermarket and they're amazing but my goodness they're expensive, lol
Yeah strictly eBay for me too lol. There are good deals out there but I wonder sometimes if it's employees stealing company stock...
you could even separate "firewall" and "gateway" - two very different functions that happen to be often bundled together even in professional gear
As a note, be sure not to confuse Unifi for Ubiquiti’s consumer AmpliFi line too, which has drastically pared back configurability in an effort to be more “appliance like”.
My goto is: https://toh.openwrt.org/
After some filters applied, the list gets short really fast, and decision gets easy.
Ensure you've read the actual device's support page before purchase.
Is it just me or the table does not allow filtering or sorting by number and speed of Ethernet ports? the "Normal" view hides them. Clicking "All" or "Network" shows them.
Neat!
This is a tough question to answer, and it depends on a lot of factors:
Based on these factors there are these major choices:
(But as said, the actual solution is far more nuanced, and depends on many more factors than what you have briefly described.)
My own recommendation:
"I strongly suggest staying away from hyper-converged brands like Unifi!"
Could you elaborate on why?
The main reason is that all of these hyper-converged solutions like Unifi are closed source and proprietary. Not only that, but you can't just install an alternative firmware on their devices.
Thus, depending on their whims or quarterly sales quotas, you might get (or not) your updates or security fixes. Or, in the case they push for a truly cloud-only management approach, you'll not even have the opportunity to run obsolete and unsupported hardware, instead your hardware will become a brick...
Besides these fears and suppositions, these offerings are many times more expensive and (needlessly) complex than the alternative. For example with Unifi, if you just need an AP or router, you can't manage it without a VM (or another device) to run the management software on.
Question for commenters:
Wouldn't it be more educational to use a bare OpenBSD, FreeBSD, or Linux installation, and learn how to make it do effective routing?
Like why not a little tiny computer with two ethernet ports, and a default OpenBSD installation as a fully-customizable learning experience instead of OpenWrt?
Wouldn't it be more educational to use a bare OpenBSD, FreeBSD, or Linux installation, and learn how to make it do effective routing?
Indeed, I’ve done this: I took a bare Linux kernel and wrote software until it was an effective router: https://router7.org/ ;-)
(I know you meant to set up existing software, but just in case folks are curious how a typical stack works…)
Gokrazy ran my unifi controller on an rPi until I finally got a unifi router. Now it runs adguard.
This is what I do with NetBSD. Rather than try to learn what a router OS offers me, I run what I want on NetBSD and customize it to my liking. This includes BIND, dhcpd, IPv6 forwarding over a Hurricane Electric tunnel, ntpd, tinc and more.
I'm not a fan of the lack of control we have when we're waiting for others to build and update containers, and I don't like being tied to a specific architecture, so this works well for me. Others may have different priorities, but if you want to fully and properly control what goes on in your networks, it's an excellent way to go.
My home router for awhile was a Raspberry Pi running NixOS and a usb ethernet dongle. It mostly worked, and having proper declarative configuration was quite nice, but depending on the specific hardware you can expect to hit both throughput limitations and wifi AP driver bugs. In my case, the raspi wasn't able to route more than about 400Mbit from usb to onboard ethernet. I also hit several wifi driver bugs in AP mode specifically, both with the onboard chip and an external usb wifi dongle. I think that's just par for the course for hardware and drivers not intended as APs: the support might be advertised, but if not a lot of people are using it as one, those code paths are probably not very thoroughly tested. In my case both pieces of hardware manifested different varieties of "the AP's interface became unresponsive/disappeared after awhile, and required a reboot to restore."
All that to say: you can certainly home-roll yourself a router, which has some nice operational advantages over a consumer thing, but don't assume you'll necessarily get performance parity, and there's a good chance you'll find bugs that would've been found and fixed by Someone Else on a consumer router. It was still a fun experience, but I've since switched to a pre-built router, largely because I wanted my wifi to stop crashing :).
Incidentally, those driver issues do often get fixed by kernel updates eventually, but only if your hardware actually gets kernel updates. If you're using, for example, a Raspberry Pi 5, and you're stuck using the vendor kernel because they don't much care to upstream their patches, you might be SOL on actually receiving those updates.
I ran OpenBSD on Raspberry Pi 4 as my travel router until I realized what the performance cost of the RPi hardware was. Believe it or not, a MacMini running MacOS and OpenBSD under VMware fusion will outperform an RPi at this job easily. It also has the added advantage that it uses modern WiFi without big issues so I stopped looking for live ethernet jacks on the customer VLAN in hotels.
If you're using, for example, a Raspberry Pi 5, and you're stuck using the vendor kernel because they don't much care to upstream their patches ...
I ran git bisect on a Raspberry Pi 4 to pin down an SMB issue, with a mainline kernel, and usually, everything worked. What wasn't getting upstreamed?
Mainline on the Pi 4 worked pretty well for me. The issues on the 5 are largely around their RP1 I/O controller, is my understanding, which among other things the board's USB and ethernet is connected to. Last March, when I was using that board last, there was ~zero upstream RP1 support, though it sounds like there's been some progress since.
Lots: https://forums.raspberrypi.com/viewtopic.php?t=360653
6.18 is closer: https://forums.raspberrypi.com/viewtopic.php?t=394580
Ah, the notes on Pi 4 updates were informative. I only started the kernel testing about a year ago, so it was well incorporated by then.
depends if you need your router functional until you learn how to set everything up..
I don't recommend this because usually people have work, family or generally prefer to have some kind of life outside of endless software configuration.
but if you want to make it a hobby project, why not
I do this and I'd actually say: "yes it's more educational" but "most people wouldn't benefit from this as the first step". OpnSense is a wrapper around FreeBSD and their ages ago fork of OpenBSD's PF packet filtering software. For someone who's brand new to networking, OpnSense is a really good first step that makes the learning curve a lot more shallow without imposing big performance or capability costs. I run OpenBSD for my gateway / packet filter. If people ask, and I know that they don't know much about networking, I tell them to start with OpnSense or OpenWRT.
I do this with Debian. The first one was a mini-ITX system which handled things nicely for 14 years, then I replaced it before it could die with a fanless "miniPC" with 4x 2.5Gb ethernet ports.
I love having mainline security support, the ability to run any Debian package I please, and never having to worry if my router is a network bottleneck. (Home service is symmetrical not-quite-a-gigabit.)
I set up a Debian system like this a few weeks ago. N100 board with 4x2.5G and 6 SATA means it’s both serving as router/gateway/firewall and my local NAS. systemd-networkd configures the lan bridge and forwarding for the needed devices. systemd-networkd is also used as DHCP client towards my ISP and as DHCP server for my lan. DHCPv6 towards my ISP for PD and RA on the lan is also handled with systemd-networkd. Systemd-resolved is acting as a caching NTP server for the lan. Simple nftables script for firewall.
I've used a few different options:
Given that list, my personal setup right now is:
edit: as for DNS filtering, my honest opinion on this is that it breaks more things than it fixes, and is very annoying to work around when it does. I tried pihole for a while and ended up going back to just using things like uBlock Origin instead.
The moment you were outside of what the hardware acceleration could handle, the performance was basically unusably slow.
can you expand on where hardware acceleration would not work?
On the ERL it was this one from the docs that tripped me:
It is currently not possible to enable IPv6 offloading for PPPoE and VLANs simultaneously.
Most Openreach based internet connections in the UK use PPPoE, and I have a complex home network (hence buying something like an EdgeRouter Lite to start with!) :)
edit: the other case was any kind of QoL on upload took that traffic out of h/w accel too.
I have good experiences with gl-inet, and turris omnia, and openwrt on wrt54g :)
My recommendations for home
I'm looking forward to trying out
Given that they mentioned Fritz!Box, which is normally sold only in European markets, they probably aren't concerned about the US tariffs that are increasing the US price of the OpenWrt One, which is shipped directly from China. So I suspect the One will actually be a good recommendation here. :)
crummy ones provided by my ISPs for years (currently I have something called a FritzBox)
I don't know if they somehow cut down on features or anything on ISP-provided ones, but in my (limited) experience normal store-bought FritzBoxes are absolutely not that bad. I'm not saying you'll be happy if you're used to OpenWRT, but I find them far from crummy (like the usual ISP-provided ones).
I agree, Fritz!Box are pretty high-quality consumer routers. ISPs sometimes send very old models that have a slow web interface, but the newer ones are pretty snappy and great as consumer routers. My current ISP even has Fritz!Box as the upgrade option (pay a few Euro more per month to lease a Fritz!Box in place of their own somewhat crappy router). I also installed a Fritz!Box at my parent's place - it has been rock solid (which the default ISP router isn't).
That said, Fritz!Box is profoundly a consumer router, you cannot set up VLANs or anything like that.
Yep, no disagreement here. I had to replace my old one in 2025 after the old one died after 12y of 24/7 service.
I've been quite happy with my OpenWRT One, the project's first-party hardware. The web UI's about as simple as most consumer routers, and unlike most consumer routers it's pretty extensible. wrt pihole, I haven't used it but it looks like there's an ad blocker that works pretty similarly.
What I've seen is that any computer -- an old laptop, a single board computer, anything -- is miles more powerful than even expensive consumer routers. OpenWRT and pfSense run on almost all commodity hardware and give a nice, much more powerful admin UI without having to futz with anything.
My own home routing is taken care of by a NanoPi R6C running OpenWRT. It's wildly overkill, if I were to buy something specifically for this task I'd have bought a cheaper SBC, but we happened to have a few laying around and it has two ethernet NICs.
The lack of two ethernet NICs is probably going to be the biggest obstacle for most commodity hardware. You may have to use USB dongles if you repurpose an old laptop, and that might not be the most reliable.
I used to have a fanless Ubuntu PC with Intel Wi-Fi as the home Wi-Fi access point. After the third Intel Wi-Fi card started to malfunction, I gave up and bought Ubiquiti APs.
The PC is still the router, but now I have three Ubiquiti “Lite” APs configured to 5 GHz only. So much better. (Why three? The apartment is smaller than many houses served by a single AP, but the interior walls are rather opaque to 5 GHz. I’ve thought about getting a fourth AP.)
The single most useful thing I learned and have applied to the setups of extended family is to turn off 2.4 GHz Wi-Fi. It’s slow but goes through walls better than 5 GHz, so if you have both, client devices end up choosing the slow option.
The lack of two ethernet NICs is probably going to be the biggest obstacle
Hehe, I had already typed up a reply quoting your first paragraph, but yes. That's basically the reason why I don't like that.
Mikrotik if you don't want to configure anything
OpenWRT: GL-iNet if you got a few bucks or any cheap chinese router (like cudy) that's listed here: https://openwrt.org/supported_devices
Literally any other routers that you feel like you want to experiment with or don't care about security and want something like tplink to plug and play
My setup is an ISP-provided modem (a FritzBox, too) and an Access Point that provides Ethernet and WiFi connection (that's what I'd call the "router" in this case, I'm not sure that's correct). I found it educational to get the router for cheap, say 50 € from Kleinanzeigen (the local Craigslist clone), and install OpenWRT on it. That usually means you're a couple of years behind the latest networking gear, but the way you describe it you might not really need it? For me personally it's also a nice opportunity to keep old hardware out of the ditch, and OpenWRT means you'll continue to receive software updates. The OpenWRT forums have recommendations for different price ranges.
I also find FritzBoxes to be just fine. I also have a small NAS and run a nice ad blocking DNS there, and it's all fire and forget.
Unfortunately these are now out of production, but I have an apu2 running stock Debian and am very happy with it. On the software side, the actual home router part is pretty boring (systemd-networkd, dnsmasq as a DHCP server, Unbound as a DNS forwarder+cache), but I also run various VPN tunnels to remote servers and friend/family networks which are handled with WireGuard (actual tunnels) and bird (routing).
For wireless connectivity I have a separate old UniFi AP which only does up to 802.11ac but otherwise works reasonably well.
I used a TP Link for a while then used a GLiNet Flint. My house is small but tall and the router is in the basement. The GLiNet Flint does a bit better than the TP Link Archer.
The GLiNet uses OpenWRT which is open source firmware.
I find it fun that even my router is a Linux machine I can log into and run iperf3 on.
One day I’ll figure out VLANs properly.
I have had a lot of fun recently upgrading my home networking to 10Gbps, VLANs etc. Part of the process was to replace my ISP-provided router with a custom build. I bought a refurbished Dell Optiplex SFF machine from a couple of years ago, installed a 2-port 10Gbps NIC and installed OPNsense on bare metal. It’s so much better than an ISP router I can’t believe I went so long without it… full control over DNS, DHCP, firewalls, VLANs, proper monitoring. Can’t recommend it enough. Working on a proper writeup of my setup that I hope to share soon.
I have my gotos that I always recommend when people ask for help on the Internet without providing super much context. As you progress down the list you go from "consumer" to "prosumer" to "wannabe network technician".
1. Whatever TP-Link or Netgear has with many antennas. You won't be able to do many advanced things, but basic QoS, maybe VLANs, maybe VPN. If you're really lucky, maybe even syslog!
2. All in Ubiquiti. In your case you'll probably be content with a UDR7.
2,5. All in Ubiquiti 2.0. Buy a firewall/router that only does that (e.g. UCG-Ultra), a PoE switch, an access point and off you go!
3. Roll your own! I have been running pfSense for the past 10 years. I also know OPNSense has increased in popularity as Netgate has been dropping the ball again, and again... PC Engines are unfortunately not around anymore, but anything similar to their APU 2 with at least two NICs and you're good to go! (In addition to your own-rolled router/firewall you will also need a switch and access point(s), similar to bullet 2,5.)
i use opnsense. it's pretty amazing. you can get one from aliexpress (minipc, 2.5gbe,...) goes for ~$200 i think
Responding to a few questions since there are some common themes in the comments: I'm mostly looking for an all in one device which I can use as a WiFi access point and gateway.
I would technically be able to repurpose some old hardware rather than buying a dedicated device. But it would definitely be a learning experience, and both my partner and I work from home. I would worry a bit about the reliability of my hacked together learning project during work hours 😅
I appreciate all the comments about using old devices as a router, and the clarifications around switching vs. routing vs. WiFi access points - they have been useful to me to reinforce my understanding, and hopefully other lobsters may also find them helpful!
For learning I would suggest the following.
I assume your FritzBox is good enough for the basic bits (routing, WiFi access point and modem). If not, it's relatively cheap to find a newer one on the used market. It's not doing everything you want, but the things it does do, it does them well and reliably.
You said you have two people working from home, so just keep those essential bits simple and working. So reliable is good.
If you need more network ports, many switches will be fine, that's almost never something you'd manage at home. I personally even use a couple of those ethernet over power things to extend my wired network - for my kids computers it's just fine, no trouble at all. You rarely manage hardware bits and pieces, you usually want configurable stuff.
Now that I left for the last thing. You can build a small silent low power but powerful box. I have one that I built to be my NAS, but I run a pihole on it and a few other things and that acts as both a learning tool as well as the place to run experiments. I chose it so it's silent, but powerful, not some weak arm board. It's low power due to that Pico power supply. So it's not killing my electricity bill. And I can run all my experiments on it.
If I break something, I can always just fall back to the good old Fritz, and none's the wiser.
I got an OpenWRT One which I wrote a terraform provider for. OpenWRT is fun to play around with and work fine for my home and home infra use.
They are coming with an OpenWRT Two, made by GL-Inet, soon? Might be worth looking at. The production specs have not been released, but the voting results are here.
I love the software stack on MikroTik devices. I currently run a CCR2116-12G-4S+ and feel like I have full freedom over my home network. I'm super happy I was able to support split brain DNS (not NAT hairpinning) with incredible insights into all of my devices over the network. I'm extra surprised by the developer friendliness, but also the native client application WinBox.
Netgate 1100 with pfSense. I have it as a second NAT'd router behind my ISP box and it routes all my WLAN/LAN traffic via an external VPS over OpenVPN. So I get a static egress IP and can do incoming stuff via the VPS easily too. There are newer VPN alternatives but OpenVPN works well and is pretty quick. It has its own DNS server with custom options but you might want a bit more than that. The UI is really good and it's been extremely reliable for 3+ years.
I have an older Turris Omnia that I use on my LAN. I actually turned off the WiFi on it because the WiFi from my current ISP's router (a FritzBox 7530AX) is faster, but at the time I bought it the WiFi on it was a lot better than my previous ISP's router (Virgin Media SuperHub3?)
My main use case is that I can create a guest network on the LAN that is completely isolated from my home LAN, and I use that to connect my corporate laptop to when I work from home (it has various network scanners on it, and I don't want it probing my home network).
I have automatic updates enabled on it, and you can choose whether you want to be on the stable or more bleeding edge channel. I am on the stable channel, and I can't remember a situation where an upgrade would've broken something.
They have a newer version with better WiFi hardware now: https://www.turris.com/en/
I use Ubiquiti equipment and NextDNS for filtering (which has the benefit of working on mobile devices to get the filtering while on the go).
I have a Synology NAS which can receive syslog logs, and I have the Ubiquiti equipment sending logs there, which can be viewed with Synology's log viewer.
I've run a Ubiquiti Dream Machine at home for 5.5 years now, and really like it. Coverage is pretty decent despite me placing it very suboptimally (basement), performance has been excellent (though we are not very demanding), and I can set it up with a monthly update schedule and forget about it entirely.
I might add an AP to the mid-level to improve coverage but it remains firmly in the nice-to-have camp.
If you feel like saving money, hit a thrift store and pick up something that supports OpenWrt. Many American thrift stores have a technology section where home routers are common. For the last few years, I've been using an old Linksys EA6300v1 that I picked up at a Goodwill for $10, and it works great. Every so often I ssh in to update OpenWrt; takes about 5 minutes.
I highly recommend the x86 + vanilla OS route. It will be very performant, it will run forever, you're not tied to getting software updates from some closed-source vendor, and can upgrade/swap out components as needed.
Personally I run OpenBSD on an old HP Microserver. Typically any NUC-style mini PC will work. Some are more specialized, such as the Protectli products. You can also find similar unbranded ones on Ali Express or Ebay.
OpenBSD is well documented and everything you need is part of the base OS: DHCP server, DNS server, providing IPv6 to the local network using radvd, DHCP client, DHCP v6 client (my ISP uses this to assign prefixes), and of course PF - the best packet filter/firewall. The benefit of going x86 is that you can simply add the hardware you need. I wanted to terminate the fiber directly in my router, so I simply added an Intel NIC with an SFP port.
To connect devices to the network I use a Ubiquiti switch and access point.
I've been running an EdgeRouter X, reflashed to OpenWRT for the last few years. They are cheapish (at $50), power efficient but powerful enough for a gigabit FTTH connection while also running Adguard Home and various other services. My ISP's router is boxed up, ready to be shipped back to them eventually. Wifi is done via separate/dedicated access points, connected via wired ports (which in my case are 3 sets of ASUS RT-AC85P's, also running OpenWRT, and supporting roaming between the APs)
My current setup is openwrt on an x86 minipc from qtom (any with 2 or more NICs is fine as you can just add a switch). Foss and modern wifi doesn't really go hand in hand, so the only real solution is a self contained access point. Ubiquiti is fine, tplink omada should also work (never buy general consumer stuff from tplink, it's internet dependent)
I have an old EdgeRouter-X and an even older UAP AC Lite. The ER-X has been completely fine. I have to factory reset the AP every time I want to change anything on it, which is admittedly like once every five years, since they switched from the http 192.168.1.blah configurator to some trash Unifi app but other than that it has been basically fine.
As far as I can tell all the new UBNT stuff needs the app now and their product lineup is confusing (I think "cloud gateway" is the new EdgeRouter?), so when my current gear dies I will probably replace it with something else.
I've heard eero stuff is alright but have no experience with it.
I’m using HALNy router + Milk-V Vega switch (with NanoBSD), serves me perfectly well. Traffic is wired through the remote Firezone gateways.
I'm quite happy with one of those from protectli. Has coreboot preinstalled and you can boot stuff with UEFI.
It runs a customized image of frood
Most protectli boxes also have a built-in USB to serial adapter, which is really handy if you need to debug something with a laptop when the box is in a less convenient space. Hook up a USB cable, run minicom, and you are game.
Unifi's Cloud Gateway series with a Unifi AP 7 Pro has worked amazingly well for me. Super fast, can handle plenty of clients, has a super easy app.
I've used OpnSense/PfSense and all that in the past but I've found Unifi to be nice and simple and stable. I don't want to fix my custom router when I really just want to watch movies at night.