OpenWRT compatible Router for 2024 in India

This is the exact reason why I shifted to x86 router.
Those consumer grade routers can't do SQM beyond 100-150Mbps. The CPU power ain't enough.
And SQM is helpful in load scenarios where your ping shoots up and causes bufferbloat.
Yeah, even the ARM chip on the RPi4 is enough for 1 gbps, I guess. But I already get an A grade on the waveform bufferbloat test, with only 14ms of additional latency. So since I'm not playing any competitive fps games *while* fully saturating my connection with downloads, I don't think it matters. And even then 14ms is not that bad.
 
I want to put my ISP's existing ont+router in bridge mode because their firmware is most probably dogshit in terms of security and use this as my router instead.
Putting ONT in bridge mode comes with its own set of issues unique to each service provider. Tbh, almost all such routers have poor security but it doesn't matter to a typical home connection as nobody is going to DDoS a home connection & nobody would do network intrusion either when there are equally less unsecure but much more financially rewarding small business networks out there. Tplink itself is known to stop providing firmware updates after 3-4 versions/2-3 years depending on the model's popularity/selling targets. Of course the ISP ONT router is typically poor performing so just connect your good router to ONT via ethernet & place it in DMZ zone of ONT & then turn off wifi of ISP ONT & connect all your devices to your own router wifi & use its features like NAT/port forwarding etc.
 
That risk calculation is not at all that simple. I've been hacked before and I work in a field where it can be very lucrative to target me. I had it happen that my Google accounts were compromised, despite using a 32 character password. Still not sure how that happened. I was travelling internationally, staying in hotels. So maybe I made a mistake while there. Though it seems unlikely I would fall for a MIM fake web portal attack, since I was using https and even a vpn most of the time. But I later found out that my dad's laptop was infected, and it was just there on my home network. So that seems the most likely cause.

Either way, I've ditched Google and now keep everything important either self-hosted or on pen and paper. As a result of that, I need to harden my home network too. Openwrt also lets me do things like isolate my wifi devices from devices on my ethernet LAN, or create a separate VLAN etc. All of this is very important from my perspective of preventing another attack.

I did have to do the DMZ thing because the bridge mode wasn't working with my ISP. But I'm going to give it another try here soon.
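
The wifi/LAN isolation mentioned in the post above can be checked mechanically. The following is an added example, not part of the original post or of OpenWrt itself: it parses firewall configuration text in the `/etc/config/firewall` syntax and reports anything that lets an untrusted zone reach the trusted one. The zone names `wifi` and `lan` and both sample configurations are constructed assumptions.

```python
import shlex

# Constructed sample in /etc/config/firewall syntax; the zone names are assumptions.
HARDENED = """
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wifi'
    list network 'wifi'
    option input 'REJECT'
    option forward 'REJECT'

config forwarding
    option src 'wifi'
    option dest 'wan'
"""
# Same file plus the one section that defeats the isolation.
WEAK = HARDENED + "\nconfig forwarding\n    option src 'wifi'\n    option dest 'lan'\n"

def parse_uci(text):
    """Return [(section_type, {option: value})] from UCI config text."""
    sections = []
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if len(parts) >= 2 and parts[0] == "config":
            sections.append((parts[1], {}))
        elif len(parts) >= 3 and parts[0] == "option" and sections:
            sections[-1][1][parts[1]] = parts[2]
    return sections

def isolation_findings(text, untrusted="wifi", trusted="lan"):
    """List the settings that let the untrusted zone reach the trusted one."""
    sections = parse_uci(text)
    zones = {o.get("name"): o for kind, o in sections if kind == "zone"}
    if untrusted not in zones:
        return [f"zone '{untrusted}' is not defined"]
    findings = []
    if zones[untrusted].get("input", "").upper() == "ACCEPT":
        findings.append(f"zone '{untrusted}' accepts input to the router itself")
    for kind, o in sections:
        if o.get("src") != untrusted or o.get("dest") != trusted:
            continue
        if kind == "forwarding":
            findings.append(f"forwarding {untrusted} -> {trusted}")
        elif kind == "rule" and o.get("target", "").upper() == "ACCEPT":
            findings.append(f"rule '{o.get('name', '?')}' accepts {untrusted} -> {trusted}")
    return findings
```

A working setup also needs rules admitting DHCP and DNS from the wifi zone to the router; they are left out of the sample to keep it short.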
 
I've been hacked before and I work in a field where it can be very lucrative to target me.
That already excludes you from the definition of "typical home user". :)

I had it happen that my Google accounts were compromised, despite using a 32 character password.
More than password length, what matters is which 2FA you used because without that even a 64 character password might not help.

Though it seems unlikely I would fall for a MIM fake web portal attack, since I was using https and even a vpn most of the time. But I later found out that my dad's laptop was infected, and it was just there on my home network. So that seems the most likely cause.
I hope it wasn't some free/Chinese vpn. Also, nowadays win 10/11 default security updates are quite good enough & assuming you follow the standard security guidelines on your pc in the network then someone who could bypass those from your father's laptop would also be very likely capable enough to bypass whatever router security you use in any typical consumer grade hardware available.
 
I had 2FA with Google Auth turned on for all of my accounts. Password length matters in the context of how long someone running hashcat on a GPU cluster will take to crack it, but that obviously wasn't the vector they used to get me.

As for vpn, no, it was mullvad. Believing Windows Defender was 'good enough' is what got me into that mess. His laptop was fully updated and it still got infected. I later learned that he had possibly clicked on a spam email attachment. Obviously someone on this forum is unlikely to do that but for the average person who can make a mistake like that once in a while, you need more aggressive heuristic based detection and monitoring of network traffic, which defender doesn't do. I have Bitdefender installed on my dad's laptop now because that was the AV that finally detected it.

And no, it doesn't follow that just because someone was able to infect my dad's PC, they would therefore also be able to compromise my router. Look into the Swiss Cheese Model Of Security. Someone having access to an exploit that compromises one part of your network does not mean they have exploits for the others. Also, Openwrt has thousands of eyes looking over its source code, which in turn uses the Linux kernel, which possibly has tens of thousands of eyes on it. That is why it is *secure* for all the intents and purposes I care about.
2FA is good to have but that's not fool-proof.
You don't even need to crack passwords or 2FA when you can just steal authentication/access tokens by some malicious browser extension.

That is probably how @variablevector's google accounts were compromised.
This is a very good point, damn. I had probably logged into my gmail account on his laptop weeks ago and never logged out. It also explains how they were able to circumvent the 2FA.
 
This thread started as a query about the MT7621 Netgear R6850 router and then evolved into several branches.
Frankly speaking, given the pace of development of OpenWrt, it would be strongly recommended to get a Mini PC or a Pi with 2GB or 4GB RAM. Storage can be increased by using bigger Micro SD cards. This is because OpenWrt is fast becoming a large OS. And routers with hardware that can support the OS cost a LOT.
Be ready to invest more than $100 for a router with OpenWrt, or Build your own.
Moreover, manufacturers keep making minor revisions, making their devices incompatible with OpenWrt. This makes commercially available routers a risky investment for OpenWrt installation.
*************************************
Returning to the OP, the Netgear R6850 router is a decent router + Wi-Fi AC Access Point (AP).
It is a fairly old router but made by the American company Netgear.
It has a dual core 880mhz CPU with 128MB RAM and 128MB Storage Memory.
As an off-the-shelf router with Netgear's OS, it works reliably well. Netgear has ensured reliability and performance. However, one of the BIGGEST annoyances is Netgear essentially forces users to create a Netgear Account to access the local Admin panel of the router.
Coming to the OpenWrt OS for Netgear, there are Mixed reviews. OpenWrt, especially above v23.05, can struggle with 128MB RAM devices. But this is true for any and all MT7621 routers.
Secondly, for the asking price, the Netgear R6850 is a little expensive for such an old device. There are better routers in terms of performance, but OpenWrt support remains uncertain.
The reliability, performance, and Wi-Fi range of the R6850, however, are quite good, especially if you plan to set it up and forget about the router. It won't bother you or need attention, especially when using sub 200mbps plans.
However, if using OpenWrt with apps and services on a router with a high-speed plan is a priority, then skip this router. Invest a little more and get a better product with at least 256MB/512MB RAM.
 
What is the size of flash storage for x23 v1.2 Indian variant? I read in reddit it's only 8mb?
v1 was 16mb & v2 is not officially supported by openwrt so what's the point. As the post mentioned above, if planning on installing openwrt then better get a used mini pc/nuc from here (check dealer's paradise section) which will leave any router far behind in dust.
 
What is the size of flash storage for x23 v1.2 Indian variant? I read in reddit it's only 8mb?
Yep. It's 8 mb on the AX23 v1.2.

Still works great for me. Probably because I don't run any other services on my router. If you have a homelab server, I don't particularly see the point of having storage on your router.
 
Then what's the point of running openwrt in the first place. Also, I have seen comments regarding routers struggling with openwrt on a 300mbps or higher speeds because of typical low powered dual core processors.
The usual obvious reasons. Open source software. Much better security. More customization/features. No possibility of calling home to China as a typical Chinese router might do.

To me, it is the people running their adblock, wireguard etc on the router that seem a bit weird. Because during an update, you have to backup your configs and reinstall all your previously installed packages. I guess you can script that, but why even bother with all that when you can have them all running separately in VMs/LXCs in proxmox?

I get around 800 mb/s on lan. Software/Hardware offloading turned on. A bit lower than gigabit but I bet the 10m+ of cat6 in my walls doesn't help that. My wan maxes out at 200 mb/s so I can't really test past that. I have my nas connected directly to my pc via a 2.5 gbe card, so the lan speeds don't matter that much to me either. The 300 mbps limit is likely only if you use SQM.

 
How is the wifi signal on ax23 running openwrt?
Wifi 6 @ 2.4ghz gives good signal from 1st floor to 3rd floor at stock firmware. Wifi 5 at 2.4ghz gives 1 bar of signal strength.
 
I didn't notice any major degradation between openwrt and the stock firmware regarding signal quality. But I doubt it would be much better with openwrt, simply because it doesn't use the proprietary drivers. Perhaps it would be a bit more stable.

If you have multiple floors, I recommend using a router as AP for each floor. You can get a cheap used one from the classifieds section. I use an AC68U on my second floor. You'll have to either get ethernet to them, or just use them as a wireless extender.
 