| ▲ | CursedSilicon 3 days ago |
| I'm a staunch defender of OpenWRT. Having used just about every "router distro" folks care to name (remember SmoothWall?) for the last ~20 years, OpenWRT is built like a tank and just keeps trundling along. I hope their experiments with the "OpenWRT One" keep going. I'd love to see OpenWRT take a (deserved) bite out of the "SMB firewall vendors" like Netgate or OPNsense. Or just undercutting Wi-Fi vendors like Ubiquiti who base their work on OpenWRT anyway. Something I'm excited to try myself in future is running "OpenWISP" [1] to manage a small fleet of (three) OpenWRT devices in parallel for a deployment in a shared workshop. This seems to also be something that OpenWRT could be better at integrating, but it's nice to see "a vendor" tackling it. [1] https://openwisp.org/ |
|
| ▲ | pseudosavant 3 days ago | parent | next [-] |
| Ease of managing multiple OpenWRT devices is still its weakest link. OpenWRT is device centric, but I don't want to manage devices, I want to manage a network. Modern mesh WiFi systems I've seen do that so well. I know in theory that I could create a VLAN + SSID on my OpenWRT router and APs just for IoT devices to only access the internet. But setting that up on a TP-Link mesh was a couple of taps in their app. Doing it on my OpenWRT devices would be quite a bit more hassle. |
| |
| ▲ | pseudosavant 3 days ago | parent | next [-] | | Thinking about this more, I doubt I'll set up any OpenWRT APs on my network going forward. Most of the things I like about OpenWRT, and need it for, are related to being my router. My OpenWRT APs are just "dumb" APs. Wifi is off on the router. For the APs, I could use a mesh kit like the TP-Link Deco unit I installed for a friend recently. Super easy setup, reasonable price (cheaper than equivalent OpenWRT hardware I'd buy), wired backhaul up to 2.5Gbps. | |
| ▲ | m463 2 days ago | parent | prev | next [-] | | There might be a workaround for some people - get a big openwrt switch. Openwrt supports the zyxel gs1900 switch, which goes up to 48 ports. | |
| ▲ | 3 days ago | parent | prev [-] | | [deleted] |
|
|
| ▲ | neilv 3 days ago | parent | prev | next [-] |
| At home, I built an OPNsense box to evaluate (using Sophos XG135 Rev 3 hardware, along with a nice OpenWrt Netgear WiFi AP on PoE), but then went back to a plastic OpenWrt all-in-one box. OPNsense (and pfSense) are neat, but I personally don't need an IDS/IPS right now, and I like to be able to run the router fanless. One thing that OpenWrt could use immediately, for basic home WiFi router functionality, is easier ways to add guest-like VLANs from the LuCI Web-based admin UI. (I currently have a guest VLAN config that I partly cargo-culted with numerous steps in LuCI years ago, largely based on a blog post, and that would be a pain to reconstruct on a new install.) For techies whose households include non-techies, a little IDS/IPS could help keep some nasty traffic off your home Internet pipe, and I suppose that could now run alongside OpenWrt on some of the more powerful plastic boxes, or on a PC with the right WiFi devices/APs. (In addition to use of VLANs and routing to minimize damage from all the malware-infested devices, and also thinking "zero trust" for the techie stuff you run.) |
| |
| ▲ | tw04 3 days ago | parent | next [-] | | >I like to be able to run the router fanless. You don't need a fan for OPNsense or pfSense? Plenty of folks running protectli boxes without a fan, they're one of the most popular platforms for both OS' | | |
| ▲ | gonzopancho 3 days ago | parent [-] | | the entire desktop line from Netgate is fanless. | | |
| ▲ | brirec 3 days ago | parent [-] | | Netgate are _terrible_ at open source, though — they’re shit at accepting contributions, they’re shit at providing attribution, and they’re shit at providing any support whatsoever to anyone who prefers other hardware (even with their paid software). So I really can’t say I recommend their hardware… | | |
| ▲ | gonzopancho 3 days ago | parent [-] | | I ask that you provide evidence of your assertions: - they’re shit at accepting contributions - they’re shit at providing attribution - they’re shit at providing any support whatsoever to anyone who prefers other hardware (even with their paid software). In addition to pfSense (which is what I think you're criticizing) and all of its open source, we're upstreaming things to FreeBSD and fd.io VPP. Try this on a fresh copy of FreeBSD 'src': % git log --first-parent --since="1 year" | sed -E 's/^.*Sponsored.[Bb]y:[[:space:]]*//p' | grep -i Sponsored | sed -E 's/.*[Ss]ponsored [Bb]y://' | awk '{$1=$1};1' | sort | uniq -c | sort -rn | head, or for VPP, look here: https://www.stackalytics.io/unaffiliated?module=github.com/f... | | |
| ▲ | CursedSilicon 3 days ago | parent [-] | | Well there was that time you guys paid that absolute nutjob to write a 60,000-line-of-code disaster of a WireGuard client. Which you then shipped to customers and tried to force-commit to the FreeBSD project because you wanted a marketing advantage https://arstechnica.com/gadgets/2021/03/buffer-overruns-lice... | | |
| ▲ | gonzopancho 3 days ago | parent [-] | | [flagged] | | |
| ▲ | justinrubek 2 days ago | parent | next [-] | | Your behavior in this thread and this comment especially reflect poorly on you and your company. You've come swinging with something irrelevant to the conversation at hand. I'd never heard of this company, but I'll keep this in mind for the future, and I will perform similar espionage to what you've done. | |
| ▲ | CursedSilicon 3 days ago | parent | prev [-] | | Weird flex of a comment after y'all got dragged (deservedly) for hiring Matthew Macy. But I guess we'll just have to agree to disagree | | |
| ▲ | gonzopancho 3 days ago | parent [-] | | yes, I contracted with Matt Macy, and I'd do it again, but he's well-employed now. Funny how you didn't complain about his current employment at AWS, or his previous work at iXsystems (TrueNAS, primarily responsible for the port of ZFS on Linux to FreeBSD) or the fact that the whole epoch based reclamation in the FreeBSD kernel is based on his work. | | |
| ▲ | CursedSilicon 3 days ago | parent [-] | | I'm sure the LKML will enjoy his commits just as much as FreeBSD did | | |
| ▲ | gonzopancho 3 days ago | parent [-] | | yes, I'm sure that FreeBSD actually does enjoy all of his work on OpenZFS and epoch-based reclamation. | | |
| ▲ | CursedSilicon 3 days ago | parent [-] | | No wonder y'all are pivoting to Linux I suppose :) Also you should stop editing your comments after they're replied to. It makes it awfully confusing | | |
| ▲ | gonzopancho 3 days ago | parent [-] | | We already have a linux-based product (TNSR). Bringing that tech stack to a firewall is a logical move. |
|
| |
| ▲ | akaitea 3 days ago | parent | prev [-] | | > a little IDS/IPS could help keep some nasty traffic off your home Internet pipe the adblock package does a great job of blocking ads and other nasty stuff, it doesn't have fancy statistics or an interface like Pi-hole but it does its job without complaining |
|
|
| ▲ | fidotron 3 days ago | parent | prev | next [-] |
| I definitely believe people underestimate the potential of OpenWRT as an app platform. Before getting sidelined with work I did some proof of concept WebRTC SFU on it https://github.com/atomirex/umbrella which worked surprisingly well. Was also surprised, then not surprised, to learn it's used as the front end on many of the new generation of 3D printers. |
| |
|
| ▲ | hungmung 3 days ago | parent | prev | next [-] |
| > I hope their experiments with the "OpenWRT One" keep going. OpenWRT Two is scheduled for late 2025 from GL.iNet and should go for ~$250. https://news.ycombinator.com/item?id=43512495 |
| |
| ▲ | trelane 3 days ago | parent [-] | | I read about this on lwn and am pretty excited for it. | | |
| ▲ | hungmung 3 days ago | parent [-] | | I've been happy with the One, but two Ethernet ports is definitely not ideal for even casual home use. |
|
|
|
| ▲ | foepys 3 days ago | parent | prev | next [-] |
| OpenWISP states in its docs that you should be running at least 20 devices to make it worth it. [1] So it's not supposed to be an easy way to manage a few devices for home users. > However, OpenWISP may not be the best fit for very small networks (fewer than 20 devices), organizations lacking IT expertise, or enterprises seeking open-source alternatives solely for cost-saving purposes. 1: https://openwisp.org/faq/#suitable |
| |
| ▲ | rubenbe 3 days ago | parent | next [-] | | It's for exactly that reason I started with OpenSOHO. It is targeted towards the typical home and small office network with fewer than 20 OpenWRT devices (although there is no hard limit). https://github.com/rubenbe/opensoho It is still a work in progress, but it is easy to deploy (one golang binary based on pocketbase) | | |
| ▲ | pseudosavant 3 days ago | parent | next [-] | | Very interesting project! I was thinking of something that would fill this gap. Based on your experience, as OpenSOHO seems to use OpenWISP, what do you wish you knew about OpenWISP before you started this? | | |
| ▲ | rubenbe 3 days ago | parent [-] | | Initially I fiddled a bit with the full OpenWISP stack to try to make a smaller edition. But I quickly stopped that. But I know their two daemons well. The config one is a neat little piece of software. It will merge UCI configs and check the connectivity. You can adjust virtually any file with it (although not always with merging). My main issue with it is that it can't be easily temporarily disabled from the central controller (I currently implement it by not sending the config, but that triggers retries on the AP end). The monitoring one spits out an amazing amount of data, although it needs some post-processing to make it actually useful. Unfortunately that one can't be extended to add custom entries. I'm currently missing an easy way to see which MAC address is connected to which LAN port since OpenWRT DSA puts everyone on the "br-lan". The whole thing is polling based. So it is quite chatty on the network since I use lower polling rates to make the updates fast. (I suspect on a setup with 100+ you will have longer polling times). All in all the existence of these daemons saved me a ton of time handling networking corner cases. Kudos to the OpenWISP team. | | |
| ▲ | pseudosavant 2 days ago | parent [-] | | I had a GPT-5 agent help me think through a pull-only controller/agent model for OpenWRT. The controller keeps desired configs in git and serves the current version as a tiny tar/zip over HTTP(S), using the last commit ID as the ETag. Agents poll every ~5s with If-None-Match, so it’s usually a 304 and near-zero overhead; when the version changes they fetch the archive and apply it. The controller location is advertised via DHCP; no long-lived sockets or SSH push. On the device side, the agent only activates if there’s no WAN (so the main router isn’t a client). A new AP gets a LAN IP via DHCP, discovers the controller, pulls its config, and if none exists the controller can hand back a default Wi-Fi setup to come online immediately. Start with Wi-Fi-only changes (reload instead of reboot), aim for a “plug into LAN + power and it just joins” UX, and avoid OpenWISP complexity. It’s built from boring, reliable primitives: DHCP, HTTPS, git, tar, Lua. I think I'm going to have an agent start coding this up today and see where it gets. | | |
| ▲ | rubenbe 2 days ago | parent [-] | | Nice idea! I do notice quite some people focus on the autodiscovery part, where for me that's less of an issue (I do agree it would be VERY nice). The OpenWISP configuration on each AP is limited to: set IP address of controller & shared secret and click OK. The rest is all magically done for you by the controller. I do like the 304 idea, in practice it uses the same conceptual idea as the OpenWISP system: check if the MD5 (instead of SHA1) for the current config and the controller config are still identical and download and apply if not. An important reason why I chose the OpenWISP is that they "just work", are well tested and included in the OpenWRT package list. My main goal is to keep the OpenSOHO project as small as possible ;) | | |
| ▲ | pseudosavant 2 days ago | parent [-] | | I've been weighing the pros/cons of using OpenWISP. I considered using DHCP to distribute the controller IP and shared secret. For now, I like reasoning about /etc config files. I'm more familiar with those than OpenWISP. Adopting an abstraction like that offers some portability and possibly future proofing. But that is just the config format and how it is applied though really. I think once the router is set up, most SOHO users only ever have to add/replace (provision) APs and manage the WiFi settings. I want to make that kind of provisioning and management automatic. Making the APs as stateless as possible - kind of like a Chromebook. The agent will only have basic dependencies (lua, curl, tar). For this to really work it'll probably have to grow to support VLAN-backed SSIDs and wireless backhaul links. Wireless links would probably need to be wired for their first time setup. But I'd be happy even if it just solved managing my own APs and SSIDs. | | |
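The pull-only controller/agent model sketched in the last three comments (ETag taken from the commit id, If-None-Match polling that is usually a 304, a default Wi-Fi config handed to an unknown AP, the agent staying inactive on a device with a WAN, and the content-digest comparison OpenWISP uses), worked through as an added example that is not code from the thread, OpenSOHO or OpenWISP. HTTP is modelled as a method call and the git commit id as a hash chain; Controller, Agent and the file paths are hypothetical, and unpack() refuses tar members that would write outside the config tree.

```python
"""Pull-only config distribution for OpenWrt APs, modelled in-process (added example;
not code from the thread, OpenSOHO or OpenWISP). The git commit id used as the ETag is
stood in for by a hash chain, and HTTP by a method call; all names are hypothetical."""
import hashlib, io, tarfile

DEFAULT_FILES = {"etc/config/wireless": "config wifi-iface 'setup'\n\toption ssid 'setup'\n"}  # constructed fallback

def make_archive(files):
    """Pack {relative path: text} into a tar: the 'tiny tar over HTTP(S)' body."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, text in sorted(files.items()):
            data = text.encode()
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def unpack(archive):
    """Unpack to {path: text}, refusing members that would escape the config tree."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        for m in tar.getmembers():
            if m.name.startswith("/") or ".." in m.name.split("/") or not m.isfile():
                raise ValueError("rejected archive member: " + m.name)
            files[m.name] = tar.extractfile(m).read().decode()
    return files

def digest(files):
    """Content digest of a config set (the MD5-style comparison OpenWISP does)."""
    h = hashlib.md5()
    for path, text in sorted(files.items()):
        h.update(path.encode() + b"\0" + text.encode() + b"\0")
    return h.hexdigest()

class Controller:
    """Holds the desired config per device; commit() plays the role of a git commit."""
    def __init__(self):
        self.head = ""
        self.devices = {}  # device_id -> (commit_id, files)
    def commit(self, device_id, files):
        self.head = hashlib.sha1(self.head.encode() + make_archive(files)).hexdigest()  # chained: same files, new id
        self.devices[device_id] = (self.head, files)
        return self.head
    def get(self, device_id, if_none_match=None):
        """Model GET /config/<device_id>: returns (status, etag, body)."""
        commit_id, files = self.devices.get(device_id, ("default", DEFAULT_FILES))
        etag = '"%s"' % commit_id
        if if_none_match == etag:
            return 304, etag, b""
        return 200, etag, make_archive(files)

class Agent:
    """Runs on the AP; only active when there is no WAN, so the router is never a client."""
    def __init__(self, device_id, has_wan=False):
        self.device_id, self.has_wan = device_id, has_wan
        self.etag, self.applied, self.reloads = None, {}, 0
    def poll(self, controller):
        if self.has_wan:
            return "inactive"
        status, etag, body = controller.get(self.device_id, self.etag)
        if status == 304:
            return "unchanged"          # the common case: near-zero cost
        files = unpack(body)
        self.etag = etag                # remember the version even if the content is identical
        if digest(files) == digest(self.applied):
            return "same-content"       # new commit, nothing relevant changed: skip the reload
        self.applied, self.reloads = files, self.reloads + 1
        return "applied"                # a real agent would write the files and `wifi reload` here
```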
| ▲ | rubenbe 2 days ago | parent [-] | | OpenSOHO and OpenWISP do both send parts of /etc/config files to the AP. While we're discussing: someone did an attempt in the OpenSOHO discussions to have a freshly flashed AP register automatically with OpenSOHO: https://github.com/rubenbe/opensoho/discussions/1#discussion... The OpenWISP agents running on the AP are surprisingly lightweight (they do use Lua, tar, curl and a bit of shell scripting). VLAN-backed SSIDs are one of the main reasons I started OpenSOHO (although support is not there yet); I don't want to log into each AP to set it up manually. I do have a wired backhaul, but support for wireless backhaul will probably arrive, since quite some people have one set up. In case you would find an easy method of bootstrapping the setup via DHCP, certainly let me know! (Maybe that's easier to be discussed on GitHub) |
|
| |
| ▲ | CursedSilicon 3 days ago | parent | prev [-] | | This looks a lot closer to what I'm after. Bookmarked the git repo :) |
| |
| ▲ | CursedSilicon 3 days ago | parent | prev [-] | | I saw that. Admittedly I'm only interested in a few of its functions. Namely roaming and guest hotspots. I could wire up all of that manually. But I'm excited for the chance to learn something new |
|
|
| ▲ | 1vuio0pswjnm7 3 days ago | parent | prev | next [-] |
| "Or just undercutting Wi-Fi vendors like Ubiquiti who base their work on OpenWRT anyway." Not sure about today, but this company used to sell hardware whose capabilities were IIRC only "fully enabled" if the buyer used the company's closed source OS. An open source OS might work with the hardware but the buyer would not get the same performance. At the time, the HN comments continuously supported this company. It appeared that for these commenters, this was a worthwhile sacrifice. They would just keep recommending Ubiquiti. (Unsolicited recommendations) |
| |
|
| ▲ | nottorp 3 days ago | parent | prev | next [-] |
| We once delivered a totally not router box running openwrt, just because it was very simple and bastardising openwrt was easier than yocto. |
|
| ▲ | whalesalad 3 days ago | parent | prev | next [-] |
| Related, I used to love going to the monowall website gallery to see all the labgore. It's still there like a time capsule: https://m0n0.ch/wall/gallery.php |
|
| ▲ | oso2k 3 days ago | parent | prev | next [-] |
| I went smallwall after m0n0wall was shut down. I recall the smallwall & smoothwall maintainers briefly considered joining forces. |
|
| ▲ | tw04 3 days ago | parent | prev | next [-] |
| >I'd love to see OpenWRT take a (deserved) bite out of the "SMB firewall vendors" like Netgate or OPNsense. Or just undercutting Wi-Fi vendors like Ubiquiti who base their work on OpenWRT anyway Why? You don't want competition in the space? >Or just undercutting Wi-Fi vendors like Ubiquiti who base their work on OpenWRT anyway Huh? The older edgerouters were based on vyatta. The newer ones on a custom linux distro, neither of which are OpenWRT. They hired the original author of pfsense to build them a firewall based on Debian from scratch when they realized vyatta wasn't going to meet their needs. The UDM kernel is very much not OpenWRT https://github.com/fabianishere/udm-kernel Being excited about OpenWRT is great but spreading bad information and for reasons I can't fathom hoping for the downfall of other players in the market, not so much. |
| |
| ▲ | gonzopancho 3 days ago | parent [-] | | > They hired the original author of pfsense to build them a firewall based on Debian from scratch when they realized vyatta wasn't going to meet their needs. The UDM kernel is very much not OpenWRT You're (perhaps unintentionally) also spreading bad information here. The original 'author' of pfSense was Scott Ullrich, not Chris Buechler. While they were partners in the project, Scott was technical, and Chris did a lot of work back then on documentation, but by his own admission back then, "I am not a developer", and this, even though he was CTO. http://freesoftwaremagazine.com/articles/interview_with_jeff... Ubiquiti originally hired two of the devs out of Vyatta to maintain their fork of the Vyatta codebase. These two were known on the Ubiquiti forum as 'stig' and 'An Chen'. Both left in the first half of 2016, and then (and only then) did Ubiquiti hire Chris Buechler, in an attempt to maintain and extend the Ubiquiti firmware. Chris has since left Ubiquiti and is now at Alta Labs. |
|
|
| ▲ | brirec 3 days ago | parent | prev | next [-] |
| > vendors like Ubiquiti who base their work on OpenWRT anyway I thought Ubiquiti’s firmwares were all based on Debian. Is this no longer the case? |
| |
| ▲ | bigstrat2003 3 days ago | parent [-] | | I don't know about newer devices, but the older ones (the Edge* devices) had software based on Vyatta. Not sure if that was in turn based on Debian, though. | | |
|
|
| ▲ | gonzopancho 3 days ago | parent | prev | next [-] |
| > I'd love to see OpenWRT take a (deserved) bite out of the "SMB firewall vendors" like Netgate I'll just leave this here: https://www.netgate.com/blog/pfsense-software-embraces-chang... OPNsense are unlikely to be able to make this transition, as they can't even reliably work on the FreeBSD kernel. |
| |
| ▲ | CursedSilicon 3 days ago | parent [-] | | Oh, was that before or after you spent however long spreading FUD by stealing their domain? The one that OPNsense had to go to the WIPO to fix? https://web.archive.org/web/20160314132836/http://www.opnsen... | | |
| ▲ | gonzopancho 3 days ago | parent [-] | | nobody stole anything. | | |
| ▲ | CursedSilicon 3 days ago | parent [-] | | Why do you lie about things that are so easily provable? https://www.wipo.int/amc/en/domains/decisions/text/2017/d201... | | |
| ▲ | gonzopancho 3 days ago | parent [-] | | I'm not lying. From the URL --- The Complainant is the owner of the European Union trademark registration Nos. 012771457 for OPNSENSE (figurative mark), filed on April 8, 2014 and registered on August 20, 2014, for goods in class 9, and 016287716 for OPNSENSE (word mark), filed on January 26, 2017 and registered on May 9, 2017, for goods in class 9. The Complainant also owns the domain name <opnsense.org>, registered on September 4, 2014, at which it promotes and enables users to download its open-source OPNSENSE firewall. The disputed domain name <opnsense.com> was registered on April 8, 2014, and is not pointed to an active website. --- I want you to look closely at the date April 8, 2014, and then I want you to look for anything that occurred before that date, vs. all that occurred after. | | |
| ▲ | CursedSilicon 3 days ago | parent [-] | | The Complainant further points out that the Respondent registered and used the disputed domain name in bad faith because the Respondent has no business activity at the disputed domain name and the only purpose of the registration and use of the disputed domain name is to bring discredit on the OPNSENSE products of the Complainant, by using degrading words and publishing a video, showing an actor interpreting Hitler, with the following phrase above it: “From deep within the OPNSENSE development bunker”. | | |
| ▲ | gonzopancho 3 days ago | parent [-] | | You seem to not understand the difference between a fact "The disputed domain name <opnsense.com> was registered on April 8, 2014, and is not pointed to an active website." and an assertion or claim, "The Complainant further points out that the Respondent registered..." How does bad faith exist when the domain "opnsense.com" was registered a full 8 months prior to the January 2, 2015 OPNsense announcement? Point in fact, we published nothing. That website was not ours. We pointed the domain at it. you also are ignoring this bit: --- However, in contesting the Complainant’s supplemental submissions made by the Complainant to substantiate the asserted use of the trademark before the registration date of the disputed domain name, the Respondent introduces new elements which, in the Panel’s view, are relevant for the assessment of the Respondent’s position in this case and will thus be taken into consideration. Indeed, in its Supplemental Filing, the Respondent states that a document submitted by the Complainant in its Supplemental Filing (as Annex 17) does not demonstrate the Complainant’s use of the trademark OPNSENSE but provides, instead, evidence of use of a trademark PFSENSE in which the Respondent has rights. The Respondent also informs the Panel that it is the manager of Electric Sheep Fencing LLC, a United States company which owns the United States trademark registration No. 3571276 for the trademark PFSENSE, registered on February 10, 2009 claiming first use as of February 19, 2005, for services in International class 42 relating to technical support services, maintenance and development of computer software; and of the International trademark registration No. 1176766 for the trademark PFSENSE, registered on August 28, 2013, for goods in class 9, including computer security software. The Respondent also states that its company Electric Sheep Fencing LLC has rights in a book referenced on the document submitted by the Complainant entitled “pfsense.org The Definitive Guide to the Open Source Firewall and Router Distribution”. --- OPNsense were using the pfSense mark, and we were taking legal action to stop them. |
|
| ▲ | zokier 3 days ago | parent | prev [-] |
| I hope OpenWrt doesn't turn too commercial (like Netgate or opnsense) because that leads just to subscriptions, enshittification, feature gates, and drama. It is now in a good place as a solid platform to build upon, I hope it stays that way. |
| |
| ▲ | nicce 3 days ago | parent [-] | | If they had their money from hardware only, would that be the perfect route? | | |
|