Wireless Router vs. Separate Firewall/Router & AP

Hello. I feel that I’ve outgrown the capabilities of my Netgear Nighthawk R8000 on my home network and I’m trying to identify the best route to take.

Questions I have, as yet, been unable to answer:

  1. How do the security features of Bitdefender on Netgear routers and Trend Micro on Asus routers differ from/compare to the likes of pfSense and Untangle?
  2. How does the speed/throughput of something like Asus’ RT-AX89X compare w/ Netgate’s 3100, 5100 or 6100? (Can one compare them?)
  3. If I go the separate firewall/router path, can I use my old router as an AP? How can I make sure the Bitdefender software doesn’t interfere if I do?

Regarding devices, I have a Roon server and Plex server both installed on my QNAP TVS-672N NAS. On my network I also have an iMac, HDHomeRun Flex 4K, Apple TV 4K, NVIDIA Shield TV, Oppo UHD player, and Philips Hue. Since most devices are connected via RJ45, I have two 5-port unmanaged switches as well. For wireless devices, I have a Harmony Hub, 2 iPhones, an iPad, and a MacBook Pro.

Because Roon isn’t natively accessible outside one’s home network, using a VPN-enabled router seems best (ZeroTier hasn’t worked for me, but enabling OpenVPN on my R8000 has sort of worked). Also, since my NAS has port trunking, two 1 Gbps ports, and one 5 Gbps port, it’d be nice to take advantage of that as well.

I appreciate any feedback you can provide. Thank you so much for your time!

Well, you haven’t said what it is you have actually outgrown :slight_smile:

The main security feature is that you get updates of pfSense; once Netgear decide their router is end of life, then no more updates. Speed is a bit tricky, as there are a few variables that need to be accounted for on the network. Your old routers can be used as an access point for a single LAN; if you set up VLANs you’ll probably need to install OpenWRT.

My thoughts are that if you are prepared to get dirty with pfSense then you will be rewarded; however, it’s a fair effort that you need to apply, including time. It’s also a good idea to just buy a managed switch, and if you do that you may as well buy a proper access point, so also consider a PoE switch.

You can use LACP with QNAP, though your switch needs to support it.

I came from an array of Asus routers; Trend Micro wants your data if you use any of the security features.

My recommendation is to buy a device to run pfSense on, a decent managed switch (I use Netgear and they are fine for my needs), and an access point with PoE that you can place anywhere. Price that up, then decide if you want to spend the money. Donate your old kit to any passer-by.

Cool. Thank you so much @neogrid! I sincerely appreciate your input. My apologies for not being specific about what capabilities of my router I feel I outgrew. I rewrote my initial submission so many times to keep it short, it got lost in the shuffle. My Netgear router has been freezing once or twice a month for a while now, and when I’m using Roon while away from home, it often cuts out. Granted, the cause could be anything between my router and my cellphone; however, it could also be issues w/ data transfer within my home network and router, and I want to ensure that’s not the case.

Working w/ pfSense does sound like a cool project, and working on it while my current router still works most of the time would be the best time to do it. For pricing it up, are there APs that don’t need a cloud key or other device to go in between the AP and the router?

When you mentioned buying a device to run pfSense on, could it be one of the Netgate devices (like the 3100 or the new 6100)? Or do they also fall under devices that would stop receiving updates once they receive end of life status? Would that be “cheating?” :grin:

I figured the speed thing would be tricky. I’m not sure what this says about my current network setup, but below are ping results between my iMac and my NAS via ethernet, followed by my iMac and MacBook via WiFi. Lastly, I pinged my cell phone from my iMac after turning off my iPhone’s WiFi and activating OpenVPN (these devices are all in one room):

Wired: 50 packets transmitted, 50 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.276/0.370/0.468/0.046 ms

Wireless: 50 packets transmitted, 50 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 2.549/28.816/215.941/46.399 ms

OpenVPN to cell: 50 packets transmitted, 50 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 31.586/129.686/357.548/94.644 ms

Again, thank you so much for your prompt reply and honest feedback. I look forward to hearing back on my question regarding needing a cloud key and if using a Netgate device could become tagged as, “end of life.”

Well, for the time being you can download pfSense and load it onto virtually anything; before spending any money, you can set it up on a VM and decide for yourself.

I have always liked the look of Protectli devices, but they’re just a bit costly for me.

I suspect if you get a Netgate device it will get updates for a long time, though for me the devices are a bit costly too.

The beauty of these devices is that you can buy them barebones and add your own RAM and HDD. The CPU is soldered on, so decide accordingly. Additionally, pfSense is easy to back up: if you totally balls it up, zap the HDD, install pfSense and restore the backup, with no fear of bricking your investment (I’ve got three bricked routers from dealing with DD-WRT / OpenWRT!!).

The other thing with pfSense is that it has a great implementation of OpenVPN; you can tweak it to balance security and speed, though honestly I ramped up the security and haven’t noticed any drop in speed.

I use Netgear switches; as said, they are good value, though the GUI is outdated. Just read the manual to ensure it has LACP for link aggregation with the QNAP.

I use a TP-Link AP

https://www.amazon.co.uk/TP-Link-Gigabit-Controller-Software-EAP245/dp/B01M7WS3IF/ref=sr_1_2?dchild=1&keywords=tp-link+eap245&qid=1627893094&s=computers&sr=1-2

It has a PoE injector in the box (so you can plug it into a non-PoE switch), a reasonable price, and multiple SSIDs for VLANs. It can run without a controller, but if you want two APs it will need a controller, which can run in a VM.

I think because you can place that AP better, the WiFi performance immediately improves over what you have currently; this was the case for me.

The other tip is to buy more ports on your switch than you need, at least 24 if not 48; you’ll be surprised how quickly they get filled. Also consider a PoE switch: while you can just buy an 8-port PoE switch and plug it into your main switch, it could be cheaper to just buy a 24-port PoE main switch. These may well have a fan, which may or may not make too much noise.

I will comment on a borked pfSense… I’ve done this and thankfully had my backup config saved locally. I try to always keep a CD or flash drive with the version of pfSense that I’m running handy, just in case I mess things up again. You cannot get old versions of the OS from Netgate; they do not keep them!

And for the record, the pfSense OS did not fail, I failed it. Didn’t want anyone getting the impression that it was unstable. Just don’t do stupid things to it, or if you think you are going to do something stupid, grab a backup config before you start the stupid things.

Also, I moved my install from one type of computer to another using the backup config file. This was an old dual-core Intel with a single NIC and a USB NIC, to a quad-core AMD with a 4-port Intel NIC installed. All I had to do was edit the NIC connections and I was back up and running very quickly! Tom made a video and probably more than a few posts about this, so it would be good to read up on it.
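The NIC-renaming step described in the post above, as an added example that is neither the poster's code nor pfSense's own tooling: a small script that rewrites the physical device names in an XML backup before restoring it on new hardware, and refuses to produce a half-migrated file if any device is left unmapped. It assumes (an assumption about the backup layout, not something stated in the thread) that the backup is XML with a top-level `<pfsense>` element, that each entry under `<interfaces>` names its device in an `<if>` element, and that VLANs under `<vlans>` carry the parent in `<if>` and the derived name in `<vlanif>`. The sample backup, the interface names (em0, ue0, igb0, igb1) and the VLAN tag are all constructed.

```python
"""Remap NIC device names in a pfSense-style config.xml backup.

Added example, not from the forum post or from pfSense. The element layout
below is an assumption; check it against a real backup before relying on it.
"""
import xml.etree.ElementTree as ET

# Constructed sample backup: old box with em0 (WAN), a USB NIC ue0 (LAN)
# and a VLAN 10 sub-interface on em0 used for an OPT interface.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><enable></enable><if>em0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><enable></enable><if>ue0</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><enable></enable><if>em0.10</if><descr>IOT</descr><ipaddr>10.0.10.1</ipaddr><subnet>24</subnet></opt1>
  </interfaces>
  <vlans>
    <vlan><if>em0</if><tag>10</tag><descr>IOT</descr><vlanif>em0.10</vlanif></vlan>
  </vlans>
</pfsense>
"""

# Sections that (under the assumed layout) reference physical devices.
# Other sections that name physical NICs (laggs, bridges, ...) would need adding.
SECTIONS = ("interfaces", "vlans")
DEVICE_TAGS = ("if", "vlanif")


def _split(name):
    """Split 'em0.10' into ('em0', '.', '10'); plain 'em0' -> ('em0', '', '')."""
    return name.partition(".")


def referenced_nics(config_xml):
    """Return the set of physical device names the backup references.
    Useful as a pre-flight check: every one of these needs an entry in the map."""
    root = ET.fromstring(config_xml)
    found = set()
    for section in SECTIONS:
        node = root.find(section)
        if node is None:
            continue
        for elem in node.iter():
            if elem.tag in DEVICE_TAGS and elem.text and elem.text.strip():
                found.add(_split(elem.text.strip())[0])
    return found


def remap_interfaces(config_xml, nic_map):
    """Rewrite device names using nic_map (old physical name -> new name).

    VLAN sub-interface names (parent.tag) follow their parent's mapping.
    Raises ValueError if any referenced device has no mapping, so a partial
    rewrite is never handed back for restoring. Returns (new_xml, changes),
    where changes is a list of (tag, old, new) tuples.
    """
    missing = referenced_nics(config_xml) - set(nic_map)
    if missing:
        raise ValueError(f"no mapping for NIC(s): {sorted(missing)}")

    root = ET.fromstring(config_xml)
    changes = []
    for section in SECTIONS:
        node = root.find(section)
        if node is None:
            continue
        for elem in node.iter():
            if elem.tag not in DEVICE_TAGS or not elem.text or not elem.text.strip():
                continue
            old = elem.text.strip()
            base, sep, tag = _split(old)
            new = nic_map[base] + sep + tag
            if new != old:
                changes.append((elem.tag, old, new))
                elem.text = new
    return ET.tostring(root, encoding="unicode"), changes


if __name__ == "__main__":
    # Constructed mapping: new box has igb0 (WAN) and igb1 (LAN).
    new_xml, changes = remap_interfaces(SAMPLE_CONFIG, {"em0": "igb0", "ue0": "igb1"})
    for tag, old, new in changes:
        print(f"{tag}: {old} -> {new}")
    print(new_xml)
```

Run it on the real backup only after confirming the element names match, and keep the untouched original alongside the rewritten file so a restore can fall back to it.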

Regarding installing pfSense on anything, @neogrid, I don’t think I have anything to install it on. I do have an old Dell E1705 from 2005-ish w/ a Core Duo, but it only has one Ethernet port and the HDD’s shot. I’m more of a home theater/amateur audiophile than an IT guy, so I do have a ton of AV gear, but not much IT stuff.

I really like your idea of getting one of the “bare bones” products so I can save some $$$ and add my own memory & HDD. I do have the memory that came w/ my NAS that’s never been used and an old-ish HDD that came out of my wife’s old laptop. It’d be nice to put those to use if I can. Do you happen to know, is pfSense heavy on multi-thread/core usage of the CPU, or is it more of a single-thread/core type program? In other words, would I be better off w/ dual core or quad core?

I’m glad to hear about the OpenVPN implementation because that’s what has allowed me to access Roon when away from home. I did try ZeroTier, but it hasn’t worked and I’m not sure if it’s my router or what. Plus, the version of ZT for QNAP is hard to play w/, mostly because QNAP’s version of Linux seems to use different commands than what I’ve been learning in Ubuntu (i.e. commands like “snap” and “apt” aren’t recognized).

Thank you for the AP recommendation. The person running hometechhacker.com recommended a similar TP-Link AP that I read about last night as well. I seem to be on a good track here.

@neogrid and @Greg_E, I appreciate your reminders about backing this stuff up. Having a backup cannot be stressed enough. I know I’ve been saved by them and it’s part of the reason I got a NAS.

The CPU in my box is

CPU Type Intel(R) Celeron(R) CPU 3865U @ 1.80GHz
2 CPUs: 1 package(s) x 2 core(s)
AES-NI CPU Crypto: Yes (active)
QAT Crypto: No

It does OK, no issues. The Netgate devices use ARM processors, so it doesn’t have to be very powerful for a home user with a moderate internet connection. Mine is a dual core; not so sure I would gain much benefit from a quad core.

If you end up using old kit, it’s likely you’ll spend more money on electricity.

The OpenVPN is rock solid on pfSense, you won’t have any issues.

Separate Firewall/Router & AP is the way to go. You can get a plain router, enable hardware offload to get gigabit WAN speed and use other features, like VPN and proxy, on your NAS.

Not an expert by any means, but I found breaking the firewall/router from the AP function was worth the effort. Additionally, separating network loads (Home & Entertainment, Remote Office, Wireless Social Guest, Wireless Business Guest) is something a standard consumer router does not do well, if at all. I had started long ago using a Linksys combo, then over the years migrated to a Linksys Biz VPN & several APs. I’m now in the process of my next upgrade for a much more complex set of requirements (two sites, with multiple locations and wireless access needed). What I have in process is a pfSense router with another in plan, one L3 switch, several L2 switches, TP-Link WAPs, Omada Controller, and, to be ordered, a TP-Link long-range CPE to reach a workshop 300’+ away.

With just separating the home & entertainment load from the business loads, I found a great performance improvement, plus the added security.

Thank you for the additional feedback. @Spectre, do you happen to know if the Protectli products offer the ability to offload hardware? Is it something pfSense can program? I’ve been looking at them, as well as Qotom and some other generic ones on Amazon. So far, Protectli sounds like the most value, unless I get one of the Netgate routers.

Reading about hardware offloading, it sounds like a nice feature, but I’m not sure if Protectli products come w/ “Smart NICs,” which is what I read are the ones best to offload hardware to when it comes to network throughput.