I’m refactoring our home network, and splitting out the router/firewall/dhcp/etc from Wifi/Switch. The Mikrotik units we’ve had have worked well for the past several years, but our network has grown as our children have, and the management interface for both has gotten more complex.

Hardware Selection

My ideal device would be compact, silent, inexpensive, and supported by OpenBSD. There seems to be a growing number of Intel J-something Celeron systems that look fine, but they’re a bit … something. EdgeRouter has several models that are supported by the OpenBSD Octeon port, and they have been well regarded in the past. They’re not high performance, but they check all the other boxes.

Installation Process

The INSTALL.octeon document is a bit light on some of the specifics for the EdgeRouter 4, but it all made sense as I worked through it. The only thing that wasn’t documented was that you could start with the full install73.img file dd’d to a USB stick and not just the ramdisk image. I didn’t have the device hooked up to a network, but since I started with the install73 image, I was able to use ‘disk’ for the location of the sets. Everything else was exactly as documented.

Configuration

In order to ease maintenance and upgrades, I’m trying to stick with just the base system: no packages or ports. I think there are some scripts that will help with this.

Functional Goals

  • Mediate endpoint device access to intra- and inter-net content
  • Log network traffic
  • VPN Concentrator
  • NAT64
  • Web Filtering
  • “high-speed” wifi (802.11ac)

Project Plan

My network closet is already a bit of a mess, and I need to refactor my mounting solution before adding any additional hardware. I’ve designated a space in the stud wall, and I am working on some sort of semi-protected mounting system. I think I’ll be able to have “mounting modules” of a uniform size, and mount each device to its own module. Pictures to follow, hopefully. All the devices will be connected to a UPS, with wires running behind the panels.

I plan to install and mount the hardware before any software or network reconfiguration.

Results

OpenBSD

The OpenBSD and EdgeRouter systems performed flawlessly. I have one port connected to the modem, one port configured with a bunch of VLANs, and one port configured as a basic DHCP-configured network.

MikroTik

The MikroTik hardware is performing great. I haven’t had to tweak or poke at it since the Layer 2 and 3 networks were configured. L2/L3 configuration was not intuitive. I ended up with one port configured for VLAN trunking, one port configured for the “IoT” VLAN, and one port for “Services” passthrough.

Core Services

The core network services are working great. Details to follow, but the summary is:

  • Split networks for hosted services, wifi devices, guest, IoT
  • Static DHCP leases, with each device in a designated group
  • Per-group DNS filtering
  • Per-group network downtime (overnight blocking)
  • Network bandwidth utilization with MRTG
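One way to wire the first four of those together from the OpenBSD base system alone, as an added example and not the author’s own configuration (details of which are promised in a later post): a single device roster drives dhcpd(8) static leases, per-group pf(4) tables, per-group unbound(8) views, and cron-driven curfew entries. The MAC addresses, IPs, hostnames, group names, the `vlan20` interface name and the `blocked.<group>.example.` zone names are all constructed placeholders; the script only generates configuration text, so it runs anywhere with a POSIX sh and awk.

```shell
#!/bin/sh
# Constructed device roster (example data, not real devices):
# MAC  IPv4  hostname  policy-group
ROSTER='
00:11:22:33:44:01 192.168.10.11 nas        services
00:11:22:33:44:02 192.168.20.21 kid-laptop kids
00:11:22:33:44:03 192.168.20.22 kid-tablet kids
00:11:22:33:44:04 192.168.30.31 thermostat iot
'

# dhcpd.conf: one host block per device, so each device always gets the
# same address and the group tables below stay accurate.
dhcp_hosts() {
    printf '%s\n' "$ROSTER" | awk 'NF == 4 {
        printf "host %s {\n\thardware ethernet %s;\n\tfixed-address %s;\n}\n", $3, $1, $2
    }'
}

# Addresses of one group, one per line: the contents of /etc/pf/<group>.hosts.
pf_table() {
    printf '%s\n' "$ROSTER" | awk -v g="$1" 'NF == 4 && $4 == g { print $2 }'
}

# pf.conf fragment: a persistent table per group loaded from its file, plus a
# <curfew> table that cron fills and empties (see curfew_crontab below).
pf_conf() {
    printf 'lan = "vlan20"\n'
    printf '%s\n' "$ROSTER" | awk 'NF == 4 { seen[$4] = 1 }
        END { for (g in seen) printf "table <%s> persist file \"/etc/pf/%s.hosts\"\n", g, g }'
    cat <<'EOF'
table <curfew> persist
# Anything currently in <curfew> is cut off before any other rule applies.
block in quick on $lan from <curfew>
EOF
}

# unbound.conf fragment: one view per group carrying that group's blocked
# zones, and access-control-view lines binding each device to its view.
# The local-zone names are placeholders for a real blocklist.
unbound_views() {
    printf '%s\n' "$ROSTER" | awk 'NF == 4 {
            acl[$4] = acl[$4] "\n\taccess-control-view: " $2 "/32 " $4
        }
        END {
            for (g in acl)
                printf "view:\n\tname: \"%s\"\n\tlocal-zone: \"blocked.%s.example.\" always_nxdomain\n", g, g
            printf "server:"
            for (g in acl) printf "%s", acl[g]
            printf "\n"
        }'
}

# crontab(5) lines for overnight blocking of one group:
# $1 group, $2 hour the block starts, $3 hour it ends (24h clock).
# pfctl -T add/delete -f reads the addresses from the group's table file.
curfew_crontab() {
    cat <<EOF
0 $2 * * * pfctl -t curfew -T add -f /etc/pf/$1.hosts
0 $3 * * * pfctl -t curfew -T delete -f /etc/pf/$1.hosts
EOF
}

# Stand-alone usage: print every generated fragment.
dhcp_hosts
pf_conf
pf_table kids
unbound_views
curfew_crontab kids 21 7
```

Because every fragment is derived from the same roster, moving a device between groups is a one-line edit followed by regenerating the files; the pf tables and unbound views cannot drift apart from the DHCP reservations, which is the failure mode that usually makes per-device policy unreliable.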

Things I didn’t get done

  • VPN Concentrator (WireGuard in process)
  • Network traffic logging
  • NAT64

I attempted to get all the goals met with just the base installation, but it was a bit more convoluted than I expected. A writeup of the results to follow in a separate post.