
Some things I realised after going through my OpenWRT and later OPNsense phases:

- complexity is fun to play with during the initial setup, but it sucks long term

- VLANs and inter-VLAN firewalling are needlessly complex, bring endless frustration*, and you shouldn't trust the network to do your auth anyway

- letting a vendor do something is Actually Good

- dashboards are useless, I can't recall ever using them for anything

So I sold most of my networking gear and replaced it with

- Aruba Instant On fanless PoE switch and a bunch of their APs

- a £100 Topton fanless PC box with VyOS on it, powered with a PoE splitter

- a UPS

No VLANs, simple flat network. Everything internal is either on Tailscale or behind auth. Everything is PoE; things that aren't are on PoE splitters, so there are no power bricks and everything is UPSed. Arubas require zero configuration and are managed through a cloud portal. The router needed to be configured once and required zero intervention for close to two years. It's ridiculously performant, perfectly balances load, and just works.

*: I really have better things to do at a party than debugging the firewalling of an obscure protocol AirPlay uses when my guest can't AirPlay from their phone



Is there something that puts VyOS in a separate class than openwrt/*sense? I really liked VyOS when I tried it out, but OpenWRT seems like _mostly_ the same thing. A bit less polished, but more likely to run on different vendor's hardware and let me unify the software without shelling out for a bunch of brand name gear.

I tend to agree on the VLAN stuff. I don't feel like I've found a good reason to do that on my home network (yet, at least). Fanless gear is also great.


For me it was the stability. I haven’t tried OpenWRT, but OPNsense was quite troublesome. I don’t do anything exotic, just standard dualstack and some firewalling, but OPNsense at some point stopped being able to get the ipv6 interface up, with no config changes. I also noticed pings regularly spiking for no discernible reason. I tried to debug both for a few days and just gave up.

VyOS is Debian with effectively a single file config, so it’s both simple and rock solid. As a bonus, pings got a couple ms lower on the same hardware.


Huh, I considered BSD to have a good reputation for stability and I believe network stack performance as well. Too bad.

I did very much like the Debian base of VyOS. I've had pretty good experiences with OpenWRT. But its command line configuration isn't quite as polished as VyOS imo. Interesting note about the pings.


IMO the biggest reason why you'd run OpenWRT rather than anything else is the hardware support. OpenWRT has very broad hardware support for a huge number of commercial devices. VyOS and (pf|opn)sense basically only run on x86_64.


That sounds like a really nice, simple setup. I have an unfortunate mix of gear from different vendors, but my setup is broadly similar. VyOS on an old SFF box, PoE whenever possible, etc. My physical topology means I need more layers of switches, though, and I do have a single vlan for my work machine. There's no inter-vlan routing there, just internet.


Amen to this. I've followed pretty much the exact same path as you (pfSense instead of OPN though) and reached the exact same conclusion.

I have a sizeable networking background, but still absolutely hated having to keep up with this many moving parts. I very much didn't enjoy troubleshooting this setup.

Dumb is good.
