Review: 6 slick open source routers

DD-WRT, Tomato, OpenWrt, OPNsense, pfSense, and VyOS suit a wide range of devices and networking needs.

Hackers of the world, unite! You have nothing to lose but the lousy stock firmware your routers shipped with.

Apart from smartphones, routers and wireless base stations are undoubtedly the most widely hacked and user-modded consumer devices. In many cases the benefits are major and concrete: a broader palette of features, better routing functions, tighter security, and the ability to configure details not normally allowed by the stock firmware (such as antenna output power).

The hard part is figuring out where to start. If you want to buy a router specifically to be modded, you might be best served by working backward. Start by looking at the available offerings, picking one of them based on the feature set, and selecting a suitable device from the hardware compatibility list for that offering.

In this piece we've rounded up six of the most common varieties of third-party network operating systems, with the emphasis on what they give you and who they're best suited for. Some of them are designed for embedded hardware or specific models of router only, some as more hardware-agnostic solutions, and some to serve as the backbone for x86-based appliances. To that end, we've presented them with the more embedded-oriented solutions first and the more PC-oriented solutions last.


DD-WRT

DD-WRT has proved to be a popular router firmware choice not only with hobbyists and hackers, but router manufacturers as well. Buffalo, for instance, has used DD-WRT as the basis for many of its home and prosumer router offerings. The original product was created in 2005 for the Linksys WRT54G router, a device designed to accept Linux-based firmware, and the core software is available as a GPL offering. Note that there may be fairly major differences in implementation or presentation between the core version of DD-WRT and third-party, router-specific editions such as Buffalo's.

Supported hardware: DD-WRT supports Broadcom, ADM, Atheros, or Ralink chip sets, but be aware that not all devices using these chip sets are automatically compatible. Some may require unit-specific hackery to work; some may not work at all, period. Also note that a newer router does not automatically mean a more compatible one, as it can take time to produce a version compatible with a newer router. The DD-WRT maintainers keep a database of supported devices, along with a list in their wiki of both devices and features, so it isn’t hard to tell if a given model is supported or to what degree.

Features: DD-WRT provides a breadth of powerful features not normally found in consumer-grade routers, such as ChilliSpot (for creating commercial-grade Wi-Fi hotspots), the AnchorFree VPN system, and support for the NoCat wireless community network system. It also comes in a range of different-sized builds, from the 2MB "micro" build that supports only the most essential functions to the 8MB "mega" build that has, well, everything. This allows the firmware to be placed on devices of widely varying storage capacity.

Limitations: The core version of DD-WRT is updated very infrequently. If you want more frequent updates, you either must go with an interim beta or pick a manufacturer-supplied version with regular revisions.

Recommendation: DD-WRT is the best choice for most users. The fact that DD-WRT comes as a stock preload (albeit with mods) in many routers makes it easy to get your hands on a router with it installed and tuned specifically to work with your hardware, as well as to keep it updated.

A commercial version of DD-WRT ships with many routers from Buffalo and other hardware makers. The unbranded version may vary in terms of presentation and feature set.


Tomato

Originally devised as a replacement firmware for Broadcom-based routers, Tomato drew attention for its GUI, bandwidth-monitoring tools, and other nifty professional-level and tweakable features. Development has ceased on the original Tomato project, but other developers have picked up where the original project left off, intermittently releasing incremental upgrades.

Supported hardware: Hardware support is much the same as with DD-WRT, although you should pay close attention to exactly which builds are compatible with the particular hardware you're using.

Features: Many functions found in Tomato are also found in DD-WRT, such as sophisticated QoS controls, CLI access via telnet or SSH, Dnsmasq, and so on. That said, Tomato has been designed such that few configuration changes require rebooting. There's also been a wealth of custom scripting developed by the Tomato community, such as redirecting the router's syslog to disk or another computer, backing up router settings, and much more.

Tomato itself is no longer actively developed, but it has seeded a vast crop -- pun intended -- of spin-offs and offshoots. One regularly and recently updated Tomato build is offered by Shibby, which compiles many changes by other Tomato developers into a single bundle. Some of those additions included support for routers that have USB ports, thus allowing the mounting of removable media, improved QoS modules and IP traffic client-monitoring tools, support for SDHC (Secure Digital High Capacity)/MMC media storage, 802.1Q VLAN tagging, and the experimental MultiSSID web interface. Shibby has in turn added support for NFS servers, the HFS/HFS+ file system, USB 3G modems, and many other improvements across the board.

Another build, AdvancedTomato, adds an attractive web management GUI, although it’s available for only a small selection of routers.

Limitations: Tomato and its derivatives are limited to routers that use a selection of Broadcom chip sets, such as the “classic” Linksys WRT54G.

Another big drawback to using Tomato is that there’s no guarantee any particular edition will continue to receive updates or that it will pass into capable hands if the current developer decides to throw in the towel. Also be sure to pick the right edition for your router firmware, which has become a little more difficult now that each fork of Tomato follows its own path.

Recommendation: Tomato is best for moderately advanced users. Working with Tomato is on a par with dealing with DD-WRT: You need to make sure you have the right hardware and follow the flashing instructions to the letter. Tomato isn't used as a commercial preload, though, so don't expect to see it in any off-the-shelf routers à la DD-WRT.

Image courtesy AdvancedTomato

After development ceased on the original version of Tomato, others picked up the torch. AdvancedTomato is an add-on skin for one of the many Tomato variants out there.


OpenWrt

OpenWrt is a router firmware project that's like a full-blown Linux distribution for embedded systems. You can download the packages for a specific hardware configuration and build the code for the hardware using a supplied tool chain. This complicates the deployment process, but provides enormous flexibility.

To save time, various prebuilt versions of OpenWrt are available for common hardware types and router platforms. This includes everything from generic x86-based systems to the Broadcom and Atheros chip sets used to power many open-firmware routers. The makers of OpenWrt recommend starting with an off-the-shelf version, then learning how to roll your own once you've found your footing.

Supported hardware: Lots -- more than 50 hardware platforms and 10 CPU architectures are supported, from ARM miniboards to full-blown x86-64 systems. The project also provides a buyer's guide to help you choose the proper hardware for your particular needs, in the event you're shopping for a specifically OpenWrt-compatible product.

Features: In addition to broad hardware and platform support, OpenWrt includes support for the OLSR mesh networking protocol, which allows you to create mobile ad hoc networks out of multiple OpenWrt devices. Conveniently, OpenWrt, once deployed, can be modified without reflashing the firmware. Packages can be added or removed as needed through a built-in package management system.

Various spin-offs of OpenWrt are available, some with highly specific usage scenarios. The Cerowrt build, for instance, was created as part of the Bufferbloat project to address network bottlenecking issues in LANs and WANs. Gargoyle offers as one of its big features the ability to monitor bandwidth and set per-host caps. A now-dead project, FreeWRT, was even more developer-focused than the core OpenWrt builds and had a handy Web-based image builder for those who want to create a FreeWRT firmware with a little guidance.

Limitations: The biggest strengths of OpenWrt are also its biggest limitations. It's best suited for people who really, really know what they're doing. If you simply want to replace your stock router firmware with an option that's a little more current, steer clear.

Recommendation: OpenWrt is for experts. This is the firmware for people who want as few limitations as possible on what they can do, who are ambitious about implementing unusual hardware, and who feel comfortable with the kind of tinkering that would normally go into rolling one's own Linux distro.


Gargoyle is one of many breeds of OpenWrt, specifically offering special bandwidth-capping features. Like a miniature Linux distro, OpenWrt lends itself easily to this sort of respinning.

OPNsense and pfSense

In an earlier version of this review, we examined the m0n0wall and pfSense projects, which are FreeBSD-based firewall and routing platforms -- closer to a full-blown OS installation than a mere firmware layer. M0n0wall is no longer being developed, but pfSense has continued development under the aegis of Electric Sheep Fencing LLC. A project named OPNsense, developed by hardware maker Decisio B.V., is a fork of pfSense with its own road map.

Supported hardware: OPNsense runs on 32- and 64-bit x86-based hardware, with at least 512MB of RAM and 4GB of flash storage. A high degree of compatibility with common PC components is provided through the BSD driver library. As little as 256MB of RAM and 1GB of storage is needed for pfSense, although 1GB of RAM is recommended.

Features: Because both products are derived from a common base, OPNsense and pfSense share many features. Both support all common router features, including traffic-shaping and QoS, as well as features useful on high-end networks such as VLAN tagging and polling.

The OPNsense documentation contains details for getting the software running on local hardware, in virtualization, and on cloud providers like Amazon. OPNsense features a sophisticated web interface for configuring and managing the product.

Touted features in OPNsense include the ability to choose either LibreSSL or OpenSSL as the SSL library used in the product; an importer that allows you to recycle configurations from some versions of pfSense; and a plug-in system that allows for extension of the GUI. Recent releases of pfSense feature a redesigned web UI, which replaces one that was a constant target of criticism; an implementation of the netmap-fwd project to allow much faster packet processing; and other performance improvements by way of FreeBSD.

Limitations: OPNsense supports x86/64 chip sets only; pfSense supports x86/64 chip sets and Netgate ADI embedded device hardware.

Recommendation: Those repurposing old PC hardware as a firewall or router should check out either OPNsense or pfSense. Of the two, pfSense has slightly more modest hardware needs.


OPNsense (above) and pfSense (below) have common roots but radically different UIs and development paths.



VyOS

In an earlier edition of this article, we looked at Vyatta, a Linux-based network operating system available in both a core open source implementation and a commercial edition. The open source edition was phased out after Brocade acquired Vyatta, but a fork of the open source version continues to live on as VyOS.

VyOS can work as a small-office or branch-office gateway, as a VPN concentrator, and as a bridge between datacenters or between datacenters and clouds.

Supported hardware: Like OpenWrt, VyOS comes in incarnations that run on stock 32- and 64-bit x86 PC hardware, so any such system can be transformed into a high-efficiency router, firewall, and network services box. What’s not available (yet) is an edition of VyOS for ARM/MIPS hardware, such as the Linksys routers that served as the original targets for open firmware.

Features: You name it, Vyatta probably has it. VyOS ported the features found in version 6.6 of the Vyatta open source project and from late 2013 onward began adding new features. Additions include a task scheduler, a command scripting system, an event-handling system (it fires scripts when a matching string is found in a log file), dummy interfaces for testing, and much more. Earlier editions of Vyatta had added RFC-compliant VRRP, a connection tracking and logging subsystem, and a stateful inspection firewall. VyOS also continues Vyatta’s support for many virtualization environments, including VMware vSphere and Microsoft Hyper-V.

Limitations: The single biggest limitation of VyOS, vis-à-vis the other products in this roundup, is that it's designed strictly for x86 devices. And not any old x86 devices, either, but hardware with a fairly large amount of storage (1GB minimum) by embedded-device standards. In short, VyOS is best suited for PC-class hardware, at least for now.

A number of key features available only in the commercial edition of Vyatta, such as the web interface, have not been re-created in VyOS. A web GUI is one of the proposed enhancements, but it hasn’t been implemented yet.

Recommendation: VyOS is a professional-level product with routing and security features beyond the needs of most small offices and home offices. That said, those building a network appliance using full-fledged x86-based PC hardware -- especially for larger environments -- will find everything they need in VyOS. Be prepared to do a lot of command-line configuration to get VyOS up and running.

Image courtesy VyOS

Powerful as VyOS is, its out-of-the-box experience is a good deal less friendly than you'll find with many of the other projects described here.

This story, "Review: 6 slick open source routers" was originally published by InfoWorld.

Copyright © 2016 IDG Communications, Inc.