Ok fuck this I've worked around enough misfeatures on this thing. I need a router that:
* Has no wifi. No, I don't want to just turn it off. No wifi.
* Runs off PoE.
* Gigabit copper, no SFP, I do not need 2.5GBps.
* Handles ipsec and GRE tunneling. I need no other VPN support.
* Ideally at least 4 ethernet ports, otherwise I'm going to need to buy another switch.
* Can sustain bidirectional gigabit either without relying on hardware offload or with offload that works in all the above cases

* Small. If it's rack-mountable it's way too big.
* No fan.
* An actual product, I do not want to have to build it myself.
* I'm sure I'll find arbitrary ways to decide that whatever you suggest doesn't fit my arbitrary criteria but please suggest anyway

@mjg59 https://mikrotik.com/product/RB750r2 ?

@mjg59 Wait, no, this isn't going to meet your performance requirements. But, something on the mikrotik list probably will: https://mikrotik.com/products/group/ethernet-routers

(I think you probably need 2.5GbE hardware if you want wire-speed 1GbE all the time regardless of hardware offload though)

@mjg59 hang on you want a _router_ (not a switch) that does ipsec and GRE and itself runs entirely off PoE with no external power? Not PoE+? Not one that provides *downstream* PoE?

@mjg59 if it wasn't for the ethernet ports, a MinnowBoard wouldn't be too far off, and I've got one in a drawer I could send you...

@glyph Yeah, right now I'm using an Edgerouter X which is absolutely perfect except for the ways in which it sucks

@mjg59 nothing says "ubiquiti" like "I can't find the precise combination of features I actually need unless I spend $1000, in which case actually I still can't" (and I say this as a very happy ubiquiti user)

Oh wait hang on Ubiquiti released their first firmware update for this in two years last week let me try that first

@mjg59 anyway I'm not sure I fully understand the nature of your requirements but if https://mikrotik.com/products/group/ethernet-routers?filter&s=c&f=[%22poe_in%22,%22gigabit%22,%22ipsec%22]#! can't satisfy it then it probably doesn't exist anywhere

@glyph Yeah the hEX s looks promising

@mjg59 Mikrotik hEX routers are pretty close, except their PoE-in is only passive, not 802.3af.

@kevin so was the Edgerouter X, so that's fine

Nope echo 1 >/proc/mt7621/hw_nat and immediately anything going via the IPv6 tunnel ends up with missing fragments. Hmm. Maybe I can try something awful.

Sigh nope clamping the ethernet interfaces to 1480 doesn't help

…oh wait there's no actual reason my IPv6 gateway has to be the same as my IPv4 one, is there? Something else on my network can terminate the tunnel and RA

@mjg59 No good reason at all, you can terminate the endpoints wherever. Might mean some duplication of firewall rules but that's about it

@mjg59 Yeah, that should work perfectly fine. That's exactly what I did for my hurricane electric "lab-net" until I set up a netbook-in-a-tin that could properly do both.

@becomethewaifu @mjg59 you also don't need the same gateway for every device on the network in some cases. I've done unholy things during switchovers between old and new routers (there's a reason my default gateay is .252 on a lot of my current lab subnets lol)

@mjg59 How do you feel about Mikrotik? There are several models that will cover this nicely.

@uep @mjg59 yeah, that's the other direction, some hAP Lite or similar. they're good products, but it depends if you want to run your own thing or are fine with RouterOS

@wohali @mjg59 anything from the hEX S (2025) up. Happy to help further with model selection if it's a vendor you're interested in rather than one you object to.

@uep @mjg59

I too would be looking at Mikrotik for those requirements. The hEX might be a little small if there is actually a line rate gigabit IPsec tunnel requirement. It looks like measured IPsec on the hEX S is around 350Mbps (1400 octet frames, so probably PPS limited on crypto).

But there’s a bunch of faster CPU models that are still passively cooled and/or have more crypto offload.

(Even the older hEX will do gigabit routing without a problem, and GRE at a very decent speed.)

@ewenmcneill @uep I'm good with ipsec being below gigabit, that's only required for an especially weird setup

@warthog9
@kevin

I wish I could recommend a vendor that meets @mjg59's requirements and does not violate #GPL but I don't know one.

As a sneak peak, #OpenWrt Two, which is in the works, will likely meet almost all of the specs except that it does have Wifi.

Cc: @becomethewaifu

For anyone invested in the outcome of this: after failing to find anything that met these criteria and was a reasonable price, I swapped my Edgerouter X with another Edgerouter X, just with OpenWRT on it instead

@mjg59 OpenWRT supports hardware upload on that? Neat! I have one languishing in a drawer somewhere.

@zrail Ah, I was somewhat unclear in my requirements there - I need gigabit line speed on the internal switch, the uplink is between 300-500Mbit so less of an issue

@zrail But looking into it, apparently it is supported?

@mjg59 I've been procrastinating about pulling the trigger on openwrt on mine, as I watch the software on it get older and older. You been generally happy with it?

@atrus I've been running it for an hour, but I'd say better than stock as long as you're ok with openwrt's random bullshit

@mjg59 I've been running OpenWRT on an Edgerouter X for years now. I hadn't suggested it because last time I looked the hardware wasn't available. (Woops.)

@jbaggs yeah I ebayed

@mjg59 I've been using Turris Omnia for a number of years: https://www.turris.com/en/

Switched from "blue-black-box" LinkSys router when it finally died.

@mjg59 oops, right, does not address "no wifi" requirement