I need a new WiFi router, and thought I had zeroed in on the Ubiquiti Dream Machine, until I discovered that you apparently have to create an account with UI.com in order to use the device, and that is a deal-breaker for me. Can someone recommend a similar device that is completely 100% LOCAL ONLY?
I am willing to spend up to $300 USD for such a device.
I have used OPNsense, open source and free, for nearly a year on an old x86 box with a 1Gb NIC and won’t go back to a proprietary router. You will need a separate access point but that is no big deal.
OPNsense is state of the art and regularly updated for both bugs (not many) & new features.
No accounts required.
I use pfSense, which has a common lineage with OPNsense. The router is followed with a managed switch (D-Link DGS-1510), which may not be necessary if the router/firewall host has enough NIC ports for your application.
For the Wi-Fi, I use an access point made by TP-Link (EAP 245). You don’t necessarily need a controller (in the Cloud for UniFi) unless two or more access points are meshed. The controller can be hosted locally on Linux or Windows. Mine is hosted on my desktop PC.
Any of these functions can be mixed and matched with heterogeneous hardware, but the downside is the learning curve of a unique user interface for each function. Moreover, configuration can be arcane at first unless you have a background in networking. FWIW, I’m still learning.
Here’s a company providing off-the-shelf network appliances for the router/firewall software. The site has resources for selecting an appliance and configuring certain software-defined routers. Moreover, there’s plenty of information on YouTube to help you with initial installation and configuration. Of course, you can assemble your own using an x86 single-board computer or PC parts (as @Tromperie has done).
Thanks for the information. My Protectli hardware will be here in a couple of days. I know very little, but am learning! I stumbled across all of this by listening to a podcast, Privacy, Security & OSINT with Michael Bazzell. I went with his recommended WiFi access point, a GL.inet Beryl, which so far is suiting my needs.
I just looked up the Beryl. It looks like a cool (little) router. Potentially, you could load OpenWRT on the Protectli and have a common software platform for both boxes.
The Beryl is designed to be a travel router, but works well as an access point too, because it’s open source, and because it’s not broadcasting your SSID to Timbuktu. What advantages would there be with both the access point and the Protectli running OpenWRT? I am pretty well sold on pfSense. I am not sure there’s anything better.
The only benefit might be a reduced learning curve.
pfSense has been my preference and there are loads of online resources. I have a tiny single-board computer and it’s been loafing along (2–4% CPU) for nearly three years.
I have been testing pfSense with an old desktop computer, and think I’ve figured out the basics. Correct me if I’m wrong though … I assume, due to pfSense’s security, Home Assistant won’t talk to it, correct?
HA still needs external 'net resources for software updates, add-ons, DNS, NTP, and any integration with a network API. In my case, I use Nabu Casa for external access (requires no port forwarding) and I access a home thermostat via an API server in Canada (where there is the PIPEDA and the Privacy Act). I tolerate these and a couple other integrations. DNS and (I think) NTP have some hard-coded IP addresses requiring 'net access.
When you first install pfSense, it has no inbound forwarding configured and no UPnP or NAT-PMP enabled. All LAN connections will be initially allowed outbound access using the default “Automatic Outbound NAT” mode, and that includes your HA host. You’ll find no open ports from the outside looking in. From this default configuration, you can add firewall rules to restrict local hosts to access the 'net, or allow forwarded outside connections to traverse the router to the LAN (which requires great care). Ultimately, you’ll isolate and restrict internal LAN traffic and determine what’s allowed to connect to external resources. There are multiple strategies and methods for doing this, as I’m learning.
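As an added example (not from this thread or from the pfSense project), here is a small script that checks an exported pfSense config.xml for the default posture described in the reply above: no port forwards, no WAN pass rules, no UPnP/NAT-PMP, and automatic outbound NAT. The XML element paths are my assumptions about the backup format, so compare them with a real export before trusting the result; the sample config is constructed and deliberately violates every one of those defaults.

```python
import xml.etree.ElementTree as ET

# Constructed sample config (not a real export): one port forward to a
# Home Assistant host, a matching WAN pass rule, and UPnP/NAT-PMP turned on.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <nat>
    <outbound><mode>automatic</mode></outbound>
    <rule>
      <interface>wan</interface><protocol>tcp</protocol>
      <destination><port>8123</port></destination>
      <target>192.168.1.50</target><local-port>8123</local-port>
      <descr>HA forward</descr>
    </rule>
  </nat>
  <filter>
    <rule><type>pass</type><interface>lan</interface><descr>Default allow LAN</descr></rule>
    <rule><type>pass</type><interface>wan</interface><descr>NAT HA forward</descr></rule>
  </filter>
  <installedpackages>
    <miniupnpd><config><enable>on</enable><natpmp_enable>on</natpmp_enable></config></miniupnpd>
  </installedpackages>
</pfsense>
"""


def audit_pfsense_config(xml_text):
    """Return a list of findings; an empty list means the config matches the defaults.

    Element paths (nat/rule, filter/rule, installedpackages/miniupnpd/config,
    nat/outbound/mode) are assumptions about the pfSense config.xml layout.
    """
    root = ET.fromstring(xml_text)
    findings = []
    # Any <nat><rule> is an inbound port forward, which a fresh install lacks.
    for rule in root.findall("./nat/rule"):
        findings.append(f"port forward: {rule.findtext('descr', '?')} -> {rule.findtext('target', '?')}")
    # A pass rule bound to WAN opens a listening port from the outside looking in.
    for rule in root.findall("./filter/rule"):
        if rule.findtext("interface") == "wan" and rule.findtext("type") == "pass":
            findings.append(f"WAN pass rule: {rule.findtext('descr', '?')}")
    # UPnP / NAT-PMP let LAN hosts punch holes on their own; both default to off.
    upnp = root.find("./installedpackages/miniupnpd/config")
    if upnp is not None:
        if upnp.findtext("enable") == "on":
            findings.append("UPnP enabled")
        if upnp.findtext("natpmp_enable") == "on":
            findings.append("NAT-PMP enabled")
    # Outbound NAT should still be in the default automatic mode.
    mode = root.findtext("./nat/outbound/mode")
    if mode not in (None, "automatic"):
        findings.append(f"outbound NAT mode is {mode}, not automatic")
    return findings
```

Run it against `/conf/config.xml` (or a backup download) and treat every finding as something you chose deliberately, or as something to remove.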
My apologies for being ambiguous. What I meant is: are there no HA integrations for pfSense? There was an integration available for my old router that allowed me to better monitor the presence of my phones on the network, and I think I’ve read there isn’t one for pfSense, and I assume it’s due to security concerns.
Just go with Ubiquiti, not necessarily the Dream Machine. I have the Ubiquiti EdgeRouter and it’s brilliant, with two APs connected, but you could use the Security Gateway instead (the EdgeRouter cannot be managed from the UniFi Controller). No need for an internet connection / cloud, and the UniFi Controller is managed via HA, which is where I manage the whole thing other than the EdgeRouter hardware itself.
For the first initialization, you need a UI account indeed. Once done, you can create a local admin one & stop the link to the cloud to have it fully managed locally.