Building My Own Home Router (nickpegg.com)
176 points by akerl_ on Sept 3, 2014 | 117 comments



These are the best SBC routers on the market. It used to be between Soekris and pcengines, but Soekris dropped the ball.

and the enclosures are also very nice too

http://pcengines.ch/apu.htm http://pcengines.ch/case1d2u.htm

It uses coreboot, which you can recompile from source to be reasonably sure there are no BIOS backdoors, and it also has a hard firmware flash write jumper (thanks to me)... to make sure your recompiled BIOS doesn't get overwritten remotely when a vulnerability is found in your OS (easy with coreboot if you leave the .config in the firmware image, which is the default). I suggest you run the latest OpenBSD, and add the NEUG USB RNG. This is a dream machine. 64-bit 1 GHz dual core, up to 4 GB of RAM, low power, great, great design, two PCIe card slots, gig eth. The best. And I have tried everything.

Building your own PC tower as a firewall, well, been there. It's not the way. Fun project, sure, but wasteful and inefficient.

There are a few really good cheap routers that can run OpenWRT amazingly fast, e.g.

http://www.amazon.com/TP-LINK-TL-WR841N-Wireless-Router-300M...

If you

1. add the packet shaping module and fill in your modem's speed

2. replace the router's /etc/hosts file to block all internet advertising, inc. YouTube ads, with this:

http://winhelp2002.mvps.org/hosts.htm

and 3. change the DNS to Google's 8.8.8.8 and 8.8.4.4

Then you have the ultimate home router setup. But if you want secure / VPN / Tor bridge etc. then you need to go to the above-mentioned with OpenBSD and be careful to buy a compatible wifi PCIe card.
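Step 2 above (dropping a big hosts-format blocklist into the router's /etc/hosts) is where people usually bite themselves: the downloaded file carries its own localhost lines, mixed case, trailing comments and duplicates, and re-running it appends a second copy. Here is an added example, not part of the original post or of the mvps.org list, of doing the merge idempotently and only admitting well-formed 0.0.0.0/127.0.0.1 entries. The sample hosts file and blocklist are constructed for the demo and live in a temp dir; the marker strings are my own choice.

```shell
#!/bin/sh
# Merge a hosts-format ad blocklist into a hosts file, idempotently.
# Everything outside the marker block is kept; the marker block is rebuilt on each run.

BEGIN_MARK='# BEGIN adblock'
END_MARK='# END adblock'

# filter_blocklist: hosts-format lines on stdin -> normalized, deduplicated "0.0.0.0 host" lines.
# Rejects comments, loopback names, non-blackhole addresses and hostnames with illegal characters.
filter_blocklist() {
  awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    {
      sub(/#.*/, "")                      # strip a trailing comment, re-splits fields
      if (NF < 2) next
      ip = $1; host = tolower($2)
      if (ip != "0.0.0.0" && ip != "127.0.0.1") next
      if (host == "localhost" || host == "localhost.localdomain" || host == "broadcasthost") next
      if (host !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/) next
      if (!(host in seen)) { seen[host] = 1; print "0.0.0.0 " host }
    }'
}

# merge_hosts HOSTS_FILE BLOCKLIST_FILE: rewrite HOSTS_FILE in place with a fresh marker block
merge_hosts() {
  hosts="$1"; blocklist="$2"
  tmp="$hosts.tmp.$$"
  {
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
      $0 == b { skip = 1; next }
      $0 == e { skip = 0; next }
      !skip { print }' "$hosts"
    echo "$BEGIN_MARK"
    filter_blocklist < "$blocklist"
    echo "$END_MARK"
  } > "$tmp" && mv "$tmp" "$hosts"
}

# count_blocked HOSTS_FILE: number of entries currently inside the marker block
count_blocked() {
  awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
    $0 == b { inb = 1; next }
    $0 == e { inb = 0; next }
    inb { n++ } END { print n + 0 }' "$1"
}

# --- constructed demo data; this never touches the real /etc/hosts ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '127.0.0.1 localhost\n192.168.1.1 router.lan\n' > "$demo_dir/hosts"
cat > "$demo_dir/blocklist" <<'EOF'
# sample blocklist (constructed, not a real list)
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.NET   # trailing comment
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 bad_host.example
0.0.0.0 metrics.example.org
EOF
merge_hosts "$demo_dir/hosts" "$demo_dir/blocklist"
merge_hosts "$demo_dir/hosts" "$demo_dir/blocklist"   # second run must not duplicate anything
echo "blocked entries: $(count_blocked "$demo_dir/hosts")"
```

On a real router you would run merge_hosts against /etc/hosts and then restart dnsmasq so it re-reads the file; the hostname regex is deliberately strict, because a line that dnsmasq rejects can stop it loading the whole file.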


Why do you say Soekris dropped the ball? I've been running Gentoo on a net5501 for years now (since 2009) and never had any problems except with the USB (which I'm using to read out my SMA inverter).

Are their newer designs flawed in some way?


They promised new designs that just never appeared, or came too late to be competitive. I remember being very happy with my 4801 units. I could run OpenBSD with OpenVPN and Asterisk. Neato back then. I had a crypto phone system in 2007 complete with IAXYs (remember those?)

But running Atom on a router is a big turn off and Coreboot is a major win for PCengines in the new climate.

The PCengines design is a lot slicker. It's lightweight and appropriate for the demographic. IMO the current Soekris product line shows that they don't really have a strong concept of who their customer is. My impression is oversized, underpowered, with too many ethernet ports and a 10 year old case design. Not on my desk. And if we are talking about the server room, well, for that kind of money I will buy a Sun CoolThreads server and drop OpenBSD on that. A T1000 goes for what, $80 now? Atom is just so bland. It's McDonald's.


This is a good example of the marketplace being so huge and varied that one guys requirements make no sense to someone else.

My Soekris box is my home PBX Asterisk server, and its killer feature is being connected "directly" to a 12 volt deep cycle battery: it can run the entire system (cable modem, the Soekris box (also acting as firewall) and a couple of the phones and LAN switches). The battery capacity is around 100 Ah and it could run the phones for at least two days, although I've never had to run more than 24 hours. One of those "if I'm going to work at home, it's going to be reliable" things.

The electrical wiring is exactly what ham radio guys would use, it is exactly what I do use for my own ham radio gear, including power pole distribution/fuse panels and automatic chargers although instead of powering a 2M rig its running my networking gear.

Some of the networking gear is powered by DC-DC converters, "around 12 in" and 5 volts out.

The aesthetics of the case was not a major design decision. I almost used those "useless" extra ethernet ports to plug my phones in directly, eliminating the need for powering an ethernet hub, but I have too many phones.

I don't really use my landline much anymore, which begins to make the whole topic irrelevant.


If you're speaking to the original Atom, yes, it was bland.

If you're speaking about the C2000 SoC (Avoton or Rangely), then you're dead nuts wrong. These things are 2-8 cores (6-20W) of 2008-era Xeon fun. EPT runs, AES-NI runs, etc.

The PC Engines APU (we sell a TON) is significantly underpowered compared to the C2K series SoCs.


Soekris does not have C2000 series models available yet. Their top-of-the-line router seems to be currently an E6xx based board, i.e. using 4 year old Atoms.


Soekris is not the only game in town.


The main problem I have with the PCEngines APU is that it has Realtek 8111/8169 NICs, while the Soekris net6501 has e1000 Intels... Realtek NICs tend, from my experience, to behave erratically under high load on Linux, and sometimes simply not work on FreeBSD and OpenBSD

The full-sized PCIe slot is also a nice touch.

(disclaimer: possible bias, am running an OpenBSD/net6501 as an edge router for a hackerspace)


I tracked down the r8169 problem to a problem when multiple descriptors are fetched in one IRQ. Kernel 3.12 includes a fix that only fetches one at a time. Have you tried a kernel with that fix in it?


Not yet - I'm really more interested in getting FreeBSD working with it :).


Meh, Soekris was so 2006. Their designs are IMO a bit tacky. And since they use Atom and Intel network chipsets, the question needs to be asked... do we trust Intel hardware anymore? I agree Intel NICs are a bit more reliable.


There is no reason to trust Intel less than any other silicon provider.


I don't agree. The biggest American semiconductor company. Backdoor guaranteed.


Which is why you trust AMD, a company that's headquartered a whopping 600 second drive away from Intel [0]. How is Intel's stuff backdoored, but AMD's stuff not?

[0] http://goo.gl/maps/EB1LA


I never said AMD silicon wasn't backdoored. It's a solid bet that it is. I don't trust either, but having an Intel chipset and processor together on an edge router sounds like a bad idea to me.


So you don't run ANY intel products? That's quite an accomplishment.


That doesn't follow.


What would be the total hardware cost for a single PC engines router?


  Qty  Item                                   Unit price  Line total  HS code    Origin  Weight
  1    APU.1D4 system board 4GB               USD 155.00  USD 155.00  8471.5000  TW      235g
  1    Enclosure 3 LAN, alu, USB              USD 8.70    USD 8.70    8473.3000  CN      241g
  1    SSD M-Sata 16GB MLC Phison             USD 22.00   USD 22.00   8523.5100  TW      10g
  1    Compex WLE200NX miniPCI express card   USD 18.70   USD 18.70   8517.7000  CN      10g
       Shipping + handling                                USD 42.40
       Total                                              USD 246.80                     496g

Assuming 4GB RAM, SSD, Wifi N, enclosure... oops add $5 for the AC adapter.


Thanks, I confused the "availability > 500" value with "minimum order size", as the USD 8.70 price for case seemed very low.


About $150 I think from the shop page:

apu1c - $136

case1d2u - $8.7

ac18vus - $4.5


The only problem with Soekris is that they are expensive, but from what I can see they're still there and also announcing new products.


we sell the APU, but it's not "the best".

There is no AES-NI, so no VPN acceleration. The Realtek Ethernet devices are slow. You can't actually pass 1Gbps across them.

There are no PCIe slots. There are miniPCIe slots (3, one can be m-SATA).


Highly recommend Mikrotik for those interested in something beyond your average household router. Their Tilera-based CCR series routers are quite nice and affordable. More L2-L7 features than you could wish to nerd out with for your home network.

Also agree with the statement that rolling your own is generally a bad idea.


Yeah, Mikrotik routers are insanely feature-rich. I got RB2011UiAS-2HnD-IN (Level5 licence). I would recommend RB951G-2HnD (Level4) actually, because I have no use for SFP optical cage or 5 extra 100mbit ports (both have 1+4 gigabit ports). Both run on Atheros AR9344 600MHz CPU.


Rolling your own firewall is almost always a bad idea. Hardening a full blown distro is a terrible place to start, and no place for a novice to "guess" that they have it locked down "enough".

There are numerous open source firewall distros that have the advantage of being authored by people well practiced in security coding, pen testing, etc., and are continually crowd tested for loopholes and shortcomings.

It's your edge device for security - not exactly a place you want to take risks with.


Given that you get a stateful firewall as a facet of NAT, the main risk would be if your edge device was listening on the external interface with vulnerable services.

I appreciate the level of specific engineering that goes into purpose-built firewall distros, but "locking down" a device whose sole function is to perform NATing for a network is not terribly complicated.
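The "is anything listening on the external interface" question above is the one check worth scripting on a home-built edge box, because services like sshd, dnsmasq and cupsd bind to 0.0.0.0 by default and quietly become WAN-reachable the moment the INPUT chain is too permissive. Here is an added example (not from the original post or any commenter) that classifies `ss -tulnH` output: anything bound to a wildcard address or to the WAN address is reported. The sample socket table and the WAN address 203.0.113.5 are constructed; on a live box you would feed it the real `ss -tulnH` output.

```shell
#!/bin/sh
# Report listening sockets reachable from the WAN: wildcard binds and binds to the WAN address.
# Input format is `ss -tulnH` (no header): Netid State Recv-Q Send-Q Local:Port Peer:Port

# exposed_sockets WAN_IP: reads ss output on stdin, prints "proto addr:port" per exposed listener
exposed_sockets() {
  awk -v wan="$1" '
    {
      proto = $1; local = $5
      # split on the last ":" so IPv6 forms like "[::]:22" keep their address intact
      n = match(local, /:[0-9*]+$/)
      if (n == 0) next
      addr = substr(local, 1, n - 1)
      port = substr(local, n + 1)
      if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::" || addr == wan)
        print proto, addr ":" port
    }'
}

# Constructed sample of what `ss -tulnH` prints on a router with a few careless defaults.
# LAN is 192.168.1.1, WAN is 203.0.113.5 (documentation range, not a real host).
SAMPLE_SS='tcp   LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0 128  192.168.1.1:53    0.0.0.0:*
udp   UNCONN 0 0    0.0.0.0:67        0.0.0.0:*
tcp   LISTEN 0 128  203.0.113.5:1194  0.0.0.0:*
tcp   LISTEN 0 128  127.0.0.1:631     0.0.0.0:*
tcp   LISTEN 0 128  [::]:22           [::]:*'

# exposed_count WAN_IP: number of exposed listeners in the constructed sample
exposed_count() {
  printf '%s\n' "$SAMPLE_SS" | exposed_sockets "$1" | wc -l | tr -d ' '
}

# Demo run on the sample. Live usage (as root, interface name is an assumption):
#   ss -tulnH | exposed_sockets "$(ip -4 -o addr show dev ethwan | awk '{print $4}' | cut -d/ -f1)"
printf '%s\n' "$SAMPLE_SS" | exposed_sockets 203.0.113.5
```

Expect sshd on both address families, the DHCP server and the OpenVPN listener to be reported, while the LAN-bound resolver and the loopback-only CUPS socket are not. Each reported line is either intentional (then the WAN INPUT rule for it is explicit) or a bind address to fix in that daemon's config.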


While I sympathise with the sentiment, there's a couple of things to point out here.

Firstly, none of the firewall distros I've seen have really prioritised security all that much - they tend to prioritise fancy interfaces and rolling lots (often far too many) features into one box. I'm not aware of a single one of the commonly used firewall distros that enables selinux, for example (although I've not looked at all of them - I could have missed one).

Secondly, this is clearly a home product - not a device that's likely to be the focus of a large amount of determined attacks. As long as you don't allow password-based logins, and regularly apply security patches, the likelihood of being compromised is very small. Modern mainstream Linux distributions aren't as horrendously insecure by default as you imply - the job of locking them down isn't a massively complex black art.


"I'm not aware of a single one of the commonly used firewall distros that enables selinux"

The commonly used "for firewalls" distro is Debian, and selinux "works" on vanilla Debian. It's a labor hog, making it less efficient to enable selinux than to look for / fix other problems, but it can be done if you insist and are willing to spend less time securing more important areas (pretty much everything, unfortunately).

On the other hand I am also unable to find a "firewall distro" solely for FW work that does selinux as of the last time I looked. Hard to prove a negative, but it is possible to prove that if it exists, it's well hidden. The marketplace for FW distros is focused on ease of use, security theater, and authoritarianism and credentialism, so actual security related features are going to be a pretty low priority in the market, which is humorous / ironic.


Ah selinux, the NSAs contribution to the linux kernel.


"continually crowd tested"

They are absolutely not. Not compared to general purpose distros.

Just look historically at semi-relevant security holes and how long it took Debian to patch OpenSSL (hours? minutes?) vs "one dude's spare time project" maybe weeks, or worse, never.

"have the advantage of being authored by people well practiced"

You'd like to think so, but other than hopes there seems to be no evidence...

"locked down enough."

It has a stateful firewall probably as part of the NAT function? Good enough. The rest of it is mostly security theater.


As far as I know, generally speaking, doing things yourself is what makes you learn how to do them.

So if you don't play with firewall rules, block yourself a couple of times, do something stupid you'll never learn.

I could argue that doing copy-paste firewall rules from the internet might not be a good thing. Will give you the idea of security while there might be none.


What risk? You don't need to harden your distro if you're only using it for NAT. There's basically nothing to attack, save maybe the netfilter conntrack module's state machine. Here's all you need for your edge NAT device:

  # Inbound to the router itself: only replies to flows the router initiated
  iptables -A INPUT -i ethwan -m conntrack --ctstate ESTABLISHED -j ACCEPT
  iptables -A INPUT -i ethwan -j DROP
  # Outbound from the router: it may start new flows
  iptables -A OUTPUT -o ethwan -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -o ethwan -j DROP
  # Forwarding: the LAN (eth0) may initiate towards the WAN, the WAN only gets replies
  iptables -A FORWARD -i ethwan -o eth0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
  iptables -A FORWARD -i ethwan -o eth0 -j DROP
  iptables -A FORWARD -i eth0 -o ethwan -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -i eth0 -o ethwan -j DROP
  # Source NAT everything leaving the WAN interface
  iptables -t nat -A POSTROUTING -o ethwan -j MASQUERADE


One (usually) doesn't roll their own firewall. One's provided with a robust solution and merely needs to configure it - that is, provide a description of their network. Because no matter how smart and well practiced software authors and distro builders are, they still don't know about your network and your needs. They could only provide tooling and examples to make some common concepts easily achievable.

And configuring your own firewall isn't rocket science that should be left to pros. Especially - as every sane guide out there suggests - if (for iptables) you start with DROP on INPUT and FORWARD chains and gradually open what's necessary.
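The "start with DROP on INPUT and FORWARD and open what's necessary" approach, written out as an added example (mine, not from any commenter or from the linked post). It emits an iptables-restore ruleset rather than a series of iptables calls, so the whole policy lands atomically and a typo halfway through cannot leave the box half-open. Interface names ethwan/eth0 and the LAN range 192.168.1.0/24 are assumptions; the anti-spoofing rule, RELATED state, INVALID drop and the LAN-only management ports are the bits the bare minimum rule sets in this thread leave out.

```shell
#!/bin/sh
# Default-deny NAT edge ruleset in iptables-restore format.
# ruleset WAN_IF LAN_IF LAN_CIDR: print the ruleset; pipe into iptables-restore as root to apply.
ruleset() {
  wan="$1"; lan="$2"; lan_net="$3"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is always fine
-A INPUT -i lo -j ACCEPT
# anti-spoofing: our own LAN range can never legitimately arrive on the WAN side
-A INPUT -i $wan -s $lan_net -j DROP
-A FORWARD -i $wan -s $lan_net -j DROP
# replies and related traffic (ICMP errors, FTP data) for flows we or the LAN started
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# rate-limited ping from outside; everything else from the WAN falls through to DROP
-A INPUT -i $wan -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# management and local services are reachable from the LAN only
-A INPUT -i $lan -p tcp --dport 22 -j ACCEPT
-A INPUT -i $lan -p udp --dport 53 -j ACCEPT
-A INPUT -i $lan -p tcp --dport 53 -j ACCEPT
-A INPUT -i $lan -p udp --dport 67:68 -j ACCEPT
-A INPUT -i $lan -p icmp -j ACCEPT
# forwarding: LAN may initiate towards the WAN, the WAN only ever gets replies
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
COMMIT
EOF
}

# Print by default; apply only when explicitly asked (APPLY=1, run as root).
# WAN/LAN/LAN_NET defaults are assumptions for the demo.
if [ "${APPLY:-0}" = 1 ]; then
  ruleset "${WAN:-ethwan}" "${LAN:-eth0}" "${LAN_NET:-192.168.1.0/24}" | iptables-restore
else
  ruleset "${WAN:-ethwan}" "${LAN:-eth0}" "${LAN_NET:-192.168.1.0/24}"
fi
```

Two things to notice when you open ports later: a new service added on the LAN side still gets no WAN rule unless you write one, because the chain policy is DROP rather than a trailing DROP rule you might append after; and the ESTABLISHED,RELATED rule sits before any per-port rule, so adding a port never changes how existing flows are handled.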


I agree with this to an extent, a complete novice probably shouldn't take this sort of leap without understanding the configuration involved in securing down a Linux box. I wouldn't say it's out of the reach of most people familiar enough with Linux, though.

Regarding security programming, etc., I expose as little as possible to the world. Of the services that I do expose, I'm relying on pre-packaged software and the maintainers of Debian to keep it patched for me. I trust that those people mostly know what they're doing, and any code I write will mostly just be for internal automation.


Well, if you really care about security you should run OpenBSD, not Linux. And it installs secure by default. Just grab The Book of PF and write out your firewall rules.


What's my other practical alternative? Some $80 box at Best Buy riddled with security holes? While I agree that using something like pfSense is probably superior, it's also fair to say that if you understand basic Linux administration, you can roll out a firewall that's a lot more secure than the never-updated boxes everyone else uses, and enjoy features like ssh forwarding, OpenVPN, etc.


If there was HN Gold, I'd send you some.


> There are numerous open source firewall distro's that have the advantage of being authored by people well practiced in security coding, pen testing, etc, and are continually crowd tested for loopholes and shortcomings.

That's what I did at first, but what if there is none that does everything you need? Hacking it would be even worse than rolling your own.


Back in the mid-to-late 90s there were no home routers as they exist today. Just threw OpenBSD on a machine with multiple interfaces and it worked just fine.


Does anyone know of anything a bit larger? There are a lot of great little devices for running WRT for your home, but are there any open distributions for, say, a 50-person startup? At that level, things like maximum connection count and QoS play more of a role. Is it possible to just scale up the hardware and run openWRT, or are there other concerns?


Ubiquiti has a $100 device that will route 1 million packets/sec, distro is Vyatta based on FreeBSD, http://www.ubnt.com/edgemax/edgerouter-lite/


I was intrigued at first especially after reading the comparison with Cisco and Juniper gear and seeing that the Ubiquiti was out performing them. But when I read up on the forums I noticed that as soon as you enable any interesting advanced features the performance will drop because hardware offloading is disabled. A couple of examples: a modify firewall rule, load-balancing, netflow, QoS and probably many more.

For a couple of end user benchmarks: http://community.ubnt.com/t5/EdgeMAX/kernel-compilation/td-p...


"as soon as you enable any interesting advanced features the performance will drop"

This is highly insightful for OPs original question:

"Is it possible to just scale up the hardware"

In 1999 I was doing NAT and simple stateful firewall and some stereotypical appliance functions (DHCP, DNS, NTP) on a 25 MHz 486 desktop repurposed into my firewall and when maxing out the 1 meg dsl line I was running around 20% CPU, so I estimated the hardware wouldn't be limiting until 5 megs or so. I've upgraded a couple times since then.

Then again if you enable enough logging and packet inspection you can probably kill a brand new top of the line server on a 56K SLIP connection with one user.

There are certain pitfalls... at a glance comparing my 486 first firewall to a modern rasp pi, the pi should win, but the pi connects ethernet over its usb with pretty icky limits and latency. So my old 25 MHz 486 would probably crush a rasp pi acting in that role despite the orders of magnitude disparity in CPU speed.

In summary based on lots of experience, the variation in what you're trying to do, influences the "power" required, by several orders of magnitude more than the speed of the connection or number of users.

There is an interesting analogy in supercomputing: no matter how big the machine, it's not much of a challenge to submit an algo that scales poorly such that a modest appearing increase can crush it, see traveling salesman problem etc. In a similar way you could probably run a firewall on an embedded 486 appliance, although it would be trivial to configure a FW to absolutely crush a top of the line modern server no matter how much money was spent on it.


This thread claims that additional offload support is planned, but there are no recent progress reports, http://community.ubnt.com/t5/forums/forumtopicprintpage/boar...

Is this a limitation of VyOS or the closed-source offload/acceleration driver?

For Intel hardware, DPDK improves performance even in virtualized environments, http://rishidot.com/blog/cloudcomputing/intel-dpdk-and-cloud... & http://events.linuxfoundation.org/sites/events/files/slides/...


it's a limitation of the offload that the (closed source) driver enables.


I have one and highly recommend it. The distro is actually Debian-based and is mostly an open source fork of Vyatta but has some proprietary bits for the Cavium offload.


Don't believe the hype (or at least: understand it)

Also, EdgeOS is based on linux (originally Vyatta), not FreeBSD. but we're about to release pfSense 2.2 (FreeBSD 10) for the Edge Router.


Any alternative hardware recommendations, other than PCEngines @ $250?


There are a number of boards coming out based on Intel's Avoton/Rangeley SoC.



As mentioned elsewhere in this thread: https://www.pfsense.org/ works when you provide enough horsepower.


it is shockingly hungry (compared to something like BSDRP), and sadly out of date (tracking 8? que?!)


Nope, it's tracking FreeBSD-10

pfSense 2.1(.x) -> FreeBSD 8.3

pfSense 2.2 -> FreeBSD 10 (-CURRENT)

and it's really no more hungry than BSDRP.


For a company, I would look at a pair of small Juniper SRXes (e.g. SRX240), optionally with clustering enabled.


The second post (http://nickpegg.com/2014/8/building_my_own_home_router,_part...) mentions issues with getting the 7260-ac to do 5GHz.

Does anybody have suggestions for another card that would allow that without having to do kernel-level hijinks?


Have a look at TP-Link cards with an Atheros chipset. They're cheap and work quite well out of the box.


I imagine it's just ac drivers not being mature yet. You'll probably be fine if you stick to 802.11n stuff for now.


QCA stuff tends to be the best bet for Linux wireless.


An older laptop with two xircom realports[1][2] is a great platform for a router.

First, you never, ever have to futz around with monitors, monitor cables, serial cables, terminals, etc., because the kvm is built in. I don't care how slick your tools are, when things aren't working, you don't want to spend the first 15 minutes dicking around with tip and ring and your null modem cable, etc.

Second, with two xircom realports, you have a laptop with up to three full size rj45 ports, which is very handy. No dongles.

Bonus: it has a built in UPS!

[1] xircom realports were these really slick full-height pcmcia cards that were modular and you could mix and match them ... and they had real, full size rj11 or rj45 ports in them.

[2] xircom realports work in FreeBSD 8.3-RELEASE, but neither 8.2 nor 8.4. So you need to choose a pfsense build based on 8.3 ...


I used to say the same stuff about the built in ups in my laptop server.

Until I almost burned down my house. Apparently laptop battery charge controllers do not work as intended when plugged in for long periods.

Otherwise laptops are perfect as cheap low power servers.


Sounds like you had a duff charger circuit.

However, yes, a LiIon battery is not meant to be left continuously on charge. A lead-acid battery (typically used in UPSes) is meant to be left continuously on charge.


Shouldn't the charging controller in the laptop stop charging the battery once the battery is at full charge?

It seems to me that a great many folks leave their laptops plugged in for weeks or months at a time, and that this would be something that a laptop designer would account for.

(Anecdata: The six-ish year old battery in my primary laptop still holds ~60% of its original maximum charge. This laptop spends the vast majority of its time on, with the battery installed, and plugged in to an AC outlet.)


It definitely SHOULD turn off when full. No doubt about it.


I agree with mnw21cam's assessment of your charging circuit.

I have a Toughbook and a Thinkpad that have been continuously plugged in for many, many, many years.


Which is every pfSense release for the last 2 years.

(everything version 2.1(.x))

but, comes now FreeBSD-10, in the form of pfSense 2.2


I undertook a similar project last year to replace my outdated Soekris router:

http://output.chrissnell.com/post/39550480075/the-jack-of-al...

I built a mid-tier server-grade machine with Intel NICs and I run ESXi on it. My firewall (pfSense/FreeBSD) runs virtualized in an instance. It's very flexible, stable, and the performance is outstanding. I used VMware's vSwitches to connect the pfSense VM with dedicated NIC ports for each network segment.


Beyond the coreboot argument I don't see a whole lot of value in the SBC router arena anymore. I used to be "that guy" as well, but since purpose-built hardware exists that does routing better there's no point.

AMD and Intel CPUs are pointless in this space - you can get far more packet performance, accelerated in hardware, with CPUs like Cavium (MIPS). I happen to work for a company that uses a lot of Cavium processors in its products and they are the de facto standard in networking gear that is accelerated today. There is a little company called Ubiquiti (not who I'm employed by) that has one of the best values in this space for the money. You can buy a $99 router that has a dual-core 500MHz Cavium which will do 1M PPS, oh - and I forgot to mention it runs Vyatta, so hack away.

http://www.ubnt.com/edgemax/edgerouter-lite/

I get it - there are people who want to run soup-to-nuts on a SBC, and there are legitimate use cases. The reality is that Wifi in those platforms is flat out: horrible (again, go buy Ubiquiti UniFi for $80 and get real RF performance - http://www.ubnt.com/unifi/unifi-ap/) Putting an underpowered mPCI card that's sitting around all kinds of other RF noise and likely deployed in the wrong location compared to where your users are anyway isn't ever ideal.

But if you have a hypervisor lying around your house (and 9 times out of 10 on HN that's probably the case) throw your voice at a small instance - or a Raspberry Pi if you're worried about your carbon footprint / electrical bill. There's no shame in that - and at the end of the day you're going to have a far better network in terms of performance and reliability. SBCs are at that weird middle ground of being not worth the money when there's much better hardware targeted at what you're trying to accomplish. They feel, still, very 2005ish to me as they haven't really changed or added value - but the cost is still outrageous for what you get.

At the end of the day don't get caught up in MHz at your router - it's about accelerated packet performance. The Ciscos and Junipers of the world have known this for, well, ever. I have no relation to Ubiquiti whatsoever other than having purchased a lot of their products over the years for personal use - and the brand is nothing short of undervalued IMO. I'm enthralled that they've branched out from a great line of cheap and reliable RF products to switching, routing, voice, video and even a small nugget of security (although - the L3/L4 firewall of days gone by is nothing more than useless in today's landscape).


"AMD and Intel CPUs are pointless in this space"

You could not be more wrong. Citing the Ubiquiti ER-lite 'Tolly' results just shows that you don't understand what they did to get their cited "performance".

Disclosure: We sell a ton of Ubiquiti. Hell, I nearly bought the company in its formative days, when Robert's original two partners quit to get "real jobs".


> Citing the Ubiquiti ER-lite 'Tolly' results just shows that you don't understand what they did to get their cited "performance".

What did they do?


Please share.

I work for a company that uses Cavium in almost all of our products. To accomplish the performance per watt on Intel or AMD would be 1) ridiculously expensive 2) still not scale to what we can do with Cavium. We do ~20Gb of DPI in Cavium today in a construct of roughly 24 processors on a dataplane.

Intel can't touch that - and I've seen a lot of attempts. I don't agree with Miercom / Tolly or, hell, even NSS - they're all paid for results. But the Cavium truly can do the offload and it does in a $99 device, some of what people have said around QoS and other aspects is true, it's writing your software to take advantage of that.

Not to be a detractor but your sentiment seems bitter - but I'd be interested in real perspective if you have one.


And, just to clarify. I've done extensive testing for large organizations using most test tools under the sun testing a lot of 10-100Gb platforms. Ixia BreakingPoint, Spirent, etc. I can also say that I've tested the EdgeRouter Lite and know that, in terms of pure packet processing, it will beat an APU1C in packets per dollar every day of the week.

I also understand your perspective now - coming from Netgate. I'm sure I'd be kicking myself as well, but - then again Ubiquiti probably wouldn't be what they are today.


This mirrors my experience pretty closely and I think is really good advice, especially the comment regarding RF performance. Dedicated APs (especially the Ubiquiti devices) seem to have far superior performance than anything I've ever built myself.

I ended up buying an APU1C to play with, but in the end that's all I'm doing with it.


Thanks for the vote of confidence on Ubiquiti. I am looking to get internet out to an off grid cabin about 250 ft from my main dwelling. I was thinking of running cat5 out to a PoE device, but just running a weather proof AP up a pole on my roof will be a lot easier.


I have a pair of their devices doing just this. I'm using a NanoStation M and a Rocket M with a sector. I get a nice 300Mb link between the two buildings (roughly 300 ft apart) and I spray wireless over a dock within range where I run an IP camera. Both units have survived, now, 3 brutal midwestern winters and I've remotely upgraded them well over 20 times over that time period. They have been nothing short of impressive for the price. Skip the hardline, unless you need more bandwidth than a few hundred megs!


>There is a little company called Ubiquiti (not who I'm employed by) has one of the best values in this space for the money.

I've gotten out of working with this kind of thing regularly, but Ubiquiti has always offered incredible value for the money for really solid, hackable hardware.

I remember rolling out a mesh wifi network with cloud-based management (before cloud-based management was even a thing) for a customer using UBNT gear the better part of a decade ago. The cost per node was as cheap/cheaper than COTS consumer grade gear at the time, I seem to recall something in the range of $70-80/node.


I was about to replace my home router, and I looked at a Ubiquiti AP. Unfortunately I did not see on their web site that any of their products will act as a "broadband router", i.e. switching + routing + NAT + SPF. It seemed the idea is you would pair some of these with a separate firewall (e.g. Juniper SRX). I bought a Mikrotik instead. Did I miss something?


The EdgeRouter Lite can do everything you're asking for with the exception of switching - but buy a switch for that. Again, you get what you pay for and managed L2 switches between 16-48 ports @ 1Gb are dirt cheap today. In fact Ubiquiti has some managed L3 switches coming to market very soon - 24 ports with full PoE for $400, can't beat that. The 48 port version has 10Gb SFP+ ports for $800, try that with Cisco/Juniper.

There's also a newer platform that is often overlooked in their lineup, see here:

http://www.ubnt.com/unifi-switching-routing/usg/

I don't own one and haven't tested one - so I can't comment beyond having looked at it. Seems to be an expanded EdgeRouter Lite (same proc specs) but with additional software to run the UniFi gear (which is a nice addon - otherwise you need to run UniFi software on something else if you want to be able to manage and log from your controllers).


I'm not sure what you mean by "throw your voice at a small instance". Are you saying to set up a VM with a dedicated network card and use that as your router?


I meant something along the lines of PBXIAF in a VM. Or on a RPi. Running it on your gateway is only advantageous if you're forced to IMO.


Would an EdgeRouter Lite be appropriate for home use with cable/DSL service? The specs are amazing for the price: 2GB flash, 512MB RAM, dual-core 500MHz CPU, 3x GbE.

I'd love to use something like this as my router/DHCP server and use my old routers and just AP access points in the house.


Yes - very much so.

And if you're running an SOHO all-in-one today what most people don't realize is that all of those devices are underpowered for the features they run and the packet processing is the piece that takes the hit. You'll likely improve on latency numbers and just general performance from a network perspective. Splitting out good RF and a decent router are two things that people never seem to understand can make as big of a difference as it does until they do it.

6 months ago I would have told you the EdgeRouter needed some hard edges ironed out in software, but now it's rather functional. I use it for a lot of interop testing of OSPF and BGP with our product in my home lab.


When you mentioned a hypervisor, did you mean to run the router/firewall on the hypervisor?


e.g. Brocade virtual router based on Intel server, DPDK + KVM hypervisor, 25 million frames/sec on dual Xeon E5-2667v2, http://events.linuxfoundation.org/sites/events/files/slides/...


Frames are a completely different performance aspect than packets and corollary performance compared to sizing.


Instead of reinventing (and unexpectedly exposing your whole network) you should use something like shorewall to setup your firewall. http://shorewall.net/


Now if only there were a PCI ADSL2+ modem that was a real network interface and not another crappy, exploitable, buffer bloat infested, traffic intercepting cesspool (but embedded on a PCI card)...


Any DSL modem is going to be a proprietary cesspool of who knows what - putting that on a trusted PCI bus seems like the exact wrong thing to do.

I was just looking into ADSL2+ routers supported by OpenWRT and concluded it wasn't worth the bother. Just get any old proprietary ADSL2+ modem, set it to bridge mode, and treat its ethernet as the actual demarc point. Better galvanic isolation, too.


One problem there is that you lose all queue management and it seems they all do awful things. Many of them also randomly intercept and tamper with tcp connections even while not natting.


Yes, it's less than ideal. But I don't think you're ever going to find a nice, proper, trustable device. Communications gear is basically just complex software (DSP and the like). The parts count will be minimized to keep costs down, so the necessarily-proprietary parts get mingled with the needlessly-proprietary ones. Redeveloping those blobs as free software is certainly possible, but it will always lag behind the proprietary version. IMHO, that effort is better spent on working around the brokenness of such devices - maintain your own txqueue at a slightly slower rate than the modem, etc.

(My thinking on the "ideal cellphone" is the same - physically separate the baseband from the personal computer, with an IP-only interface (eg Wifi) between them.)

FWIW, I haven't noticed any packet mangling from my ADSL2+ modem in bridge mode, but I haven't looked very hard either.


> physically separate the baseband from the personal computer, with an IP-only interface (eg Wifi) between them

Are there any options on the market besides iPod Touch and Samsung Galaxy S WiFi?


Eh? Any laptop or wifi-only tablet would do, so I don't see why you're implying there's a shortage?

I've been meaning to enumerate the possibilities of things with long battery life that will ideally run normal GNU/Linux with a chorded keyboard for input. If that works out successfully, then a smart watch for notifications would be the logical next step.


Since you mentioned "ideal cellphone", I was thinking of pocketable devices (< 5"), not many of those around which are baseband-free.


Ah sorry, good point. I had other requirements in mind that made me think I would end up with a larger device (battery life, un-tablety to hopefully run GNU as a base), and forgot about those when writing my comment.

Not that I really want something that won't fit in my pocket, so thanks for your suggestions of things to look into :>

Although a device with a baseband (but antenna removed) could even be a decent starting point. Lacking a network channel, it would be basically equivalent security to a desktop CPU (that's an uncomfortable truth).


Thanks for pointer on antenna removal, will search for teardown examples of successful removal. Could be added to a future version of guides similar to https://blog.torproject.org/blog/mission-impossible-hardenin...


Well, I'll add a disclaimer that my comment was from a rough theoretical perspective. To successfully "remove the antenna", you're going to have to make sure communications don't continue to function on any remaining parasitic antenna - I wouldn't be surprised if removing just the obvious antenna still left you with a phone that worked in 80% of places. I don't know enough about cellphone chipsets to know if the mixer/external amp are integrated, or are still discrete things that can be removed. But you'd have to investigate these details on a specific model of phone and then measure its actual emissions before you could have something even approaching a "guide".



Nope, that's actually an ADSL router with its own operating system which just presents an ethernet interface to the host.

Maybe it's better than typical consumer routers. But I'd bet it still does awful queuing stuff that you cannot control.


Hm, are you sure? It has a jumper to change it to "PCI" instead of "LAN", which I guess would directly expose a PPP interface, but I can't seem to find any documentation on that feature.

Edit: well, you were right. It seems to be a full blown Linux-based router, just with a weird form factor: http://tjworld.net/wiki/Linux/Embedded/Infineon/Danube/ADSL2...


Agreed. For now you can use bridge mode and rate limit on your router (to counter the ridiculous buffer on the modem).
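As an added example (not from this comment or the thread), a POSIX shell helper that does what this comment suggests on a Linux router: shape WAN egress a few percent below the modem's upstream sync rate with HTB, with fq_codel underneath, so the queue builds on the router instead of in the modem's oversized buffer. The interface name and rate are placeholders; it assumes iproute2's tc with the htb and fq_codel qdiscs available.

```shell
#!/bin/sh
# Added example: egress shaping below the modem's sync rate so the
# router, not the modem buffer, is the bottleneck (needs root to apply).

# Shaping rate: $1 = modem upstream sync rate in kbit/s,
# $2 = headroom percent (default 5) to keep the modem queue empty.
shape_rate_kbit() {
    echo $(( $1 * (100 - ${2:-5}) / 100 ))
}

# Print the tc commands for interface $1, modem rate $2 (kbit/s),
# optional headroom $3. Printed rather than run so they can be reviewed.
shape_cmds() {
    dev=$1
    rate=$(shape_rate_kbit "$2" "${3:-5}")
    cat <<EOF
tc qdisc del dev $dev root 2>/dev/null || true
tc qdisc add dev $dev root handle 1: htb default 10
tc class add dev $dev parent 1: classid 1:1 htb rate ${rate}kbit ceil ${rate}kbit
tc class add dev $dev parent 1:1 classid 1:10 htb rate ${rate}kbit ceil ${rate}kbit
tc qdisc add dev $dev parent 1:10 handle 10: fq_codel
EOF
}

# Apply the commands, stopping at the first failure.
apply_shaping() {
    shape_cmds "$@" | sh -e
}

# Usage (placeholder values): WAN_IF=eth0 MODEM_UP_KBIT=1024 sh shape.sh
if [ -n "${WAN_IF:-}" ] && [ -n "${MODEM_UP_KBIT:-}" ]; then
    apply_shaping "$WAN_IF" "$MODEM_UP_KBIT"
fi
```

Check the result with `tc -s qdisc show dev <wan>`: under load the fq_codel counters should show drops or ECN marks while the modem stays responsive.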


This thread has been pretty good.

Disclaimer: I run the cerowrt project as part of bufferbloat.net's efforts to reduce latency across the internet. The hardware it runs on is getting long in the tooth (netgear wndr3800), and we've been trying to find new hardware as a base for a while.

I LIKE ubnt's gear, however their default firmware for their APs did not do ipv6 when last I looked, which makes it a non-starter. Most of their gear takes a load of openwrt barrier breaker quite well (or dd-wrt), and that's what I do to most of it.

Openwrt has excellent features, gui, firewalling and security, and runs on a huge variety of platforms, so if you can find an off-the-shelf platform you like that it runs on, go for it.

The edgerouter lite (vyatta based) is ok (does do ipv6), but the hardware forwarding engine is not featureful enough on the edge gateway side to do everything I need it to do, and when disabled to use software rate limiting, we are only getting forwarding rates in the 70-90Mbit range. The edgerouter pro is better...

Work is in progress on that front, see the ubnt edgerouter beta forums for more details. I keep hoping cavium will put more effort into their forwarding engine firmware...

Nearly no platform out there today is terribly good at doing forwarding rates > 100mbits with QoS/AQM/packet scheduling enabled, certainly nothing in the below 150 dollar range that I know of.

The APU box mentioned here barely forwards at greater than 500mbit without qos. You CAN do pretty well with e1000e based boxes today, but the ivy bridge/rangeley stuff is WAY better than the atom is for packet processing. In either case you are getting well above the 200 dollar range and into potential heat and cooling issues.

Lastly, most of the first and second generations of 802.11ac gear are pretty terrible at getting anywhere close to the peak rates of the medium, partially due to hardware limitations, and partially due to terrible queue management.

Obviously I'm pretty focused on delivering a low latency network experience using the algorithms developed by the bufferbloat.net project... YMMV.

At the moment what I'm leaning towards at the > 100mbit level is dedicated hardware for each of the gateway and wifi functions, and that steers towards rangeley gateway (running openwrt) and ubiquiti (or at least atheros based) wifi (also running openwrt).


I don't like this that much. It's expensive.

My netgear router takes 11W.

I have a mini-itx amd c60, takes 25W without wifi.


Still trying to find a great home router that I can slap something like pfSense on.


Here's what I built: (Copied and pasted from one of my gists)

Motherboard: http://www.gigabyte.com/products/product-page.aspx?pid=4918#...

RAM: http://www.amazon.com/Crucial-PC3-12800-204-Pin-Notebook-CT2...

Hard drive: http://www.amazon.com/gp/product/B008U3038I/ref=oh_aui_detai...

Case: http://www.amazon.com/gp/product/B00HWYRYMY/ref=oh_aui_detai...

OS: Debian Wheezy

Software: iptables, isc-dhcpd, bind9, openvpn

edit: formatting


I use these little guys. A bit overpriced and only 100Mbit but they work well, run pfsense, openWRT etc and generally do what I want for years in a closet with no further intervention.

http://www.pcengines.ch/


That, and the ~6 watt current draw at full tilt (at least that's what it was when I was load testing a couple of 2d3 boards) is very nice on the utility bill. Their newly-released APU boards are very nice, with GigE interfaces, increased RAM, and much faster CPUs.


Yeah, fanless/low power draw is a must for me. I'm willing to pay a bit more for it too. But since I also want to run a transparent proxy it needs a bit of beef.


I've been running PFSense on an old Acer Aspire (now called veriton) and it's worked decently well for home use (100 Mbit downstream internet). Its only real downside was a single gigabit NIC, so I had to use VLANs and a router-on-a-stick configuration on a managed switch.

Since the hardware is aging (and I want more NICs for no good reason) I recently found the edgerouter from Ubiquiti. It's running a modified version of Vyatta/VyOS and shares its powerful CLI. It's also dirt cheap at <$100 and has been said (I haven't tried to max it out yet) to handle 500Mbit throughput.

So far I haven't found anything that it can't do. It will also POE a few Ubiquiti access points, if you are into those. Makes a really nice home setup for the home network engineer for <$200.


A little pcengines apu4[0][1] or a lanner[2][3] - both work very well with pfsense.

  [0]: http://store.netgate.com/APU1C4.aspx
  [1]: kit http://store.netgate.com/APU4.aspx
  [2]: http://www.lannerinc.com/products/x86-network-appliances/desktop/fw-7541
  [3]: kit http://store.netgate.com/Netgate-FW-7541-BTO-P1893.aspx


Thanks! (co-owner of both Netgate & pfSense)


Wait...you co-own pfSense...


the company behind it, yeah.


yeah, ok... that makes more sense ;)

BTW, thank you for your contribution to pfSense - it's the best darned firewall I can find.


If you want to switch the device that gets assigned an IP address by Comcast's DHCP servers, all you need to do is reset the cable modem. At least that is how it always was for me.

I have a gigabit ethernet connection now, so I quit using a router. All the ones that I have couldn't manage more than 500 megabits/sec through the WAN port, even though they were supposedly gigabit.

I did some research at www.smallnetbuilder.com and I found that generally speaking, "gigabit router" actually means "router with a gigabit switch" unless you are buying something that isn't marketed to consumers.


Totally want to build an NSA-proof WiFi router. The problem is the wireless cards themselves are a big gaping threat.


PFsense and some old hardware with 2 nics... instant DIY home router.


Or even pfSense with new hardware.
