upvote
Because of lax security in commercial routers, this backdoor being a prime example of what I'm concerned about, I'd have my own shitty box as a firewall between them and my other kit anyway, so there isn't an efficiency saving either way. It is just a choice of where the walls are, and therefor where my shitty box(es) is/are, not whether my shitty box exists or not.

Currently my primary shitty box router does everything wrt external connectivity and a bought AP/router sits inside offering WiFi. I'd like to remove that AP completely with a WiFi adaptor controlled by my shitty box, but I've not got around to that as it would mean learning to configure a mesh (and so at least one more of my own shitty boxes!) to get good coverage everywhere (I only have a small place, but there are still a couple of blind-ish spots depending on where I put the primary AP). Not trusting a bought router/AP to not have back doors like this raises the question: if they are going to add backdoors for direct outside connections, what is to stop the firmware instead/also trying to tunnel out and letting unwanted connections in that way? (other than this having less “plausible deniability” once discovered)

reply
Pfsense or OPNsense can handle ~5 gbps routing/firewall on a low power AMD or Intel embedded chip. My now old Pfsense box I got off Aliexpress can comfortably handle 2.5 gbps on an ancient Celeron J4125 running around 10W total. 10+ gbps is feasible on a reasonable power budget with higher end hardware, though it starts to get more expensive.
reply
> do you ever go over 1gbit

No. None of the local ISPs offer speeds above 1 Gbps.

However, I use FriendlyElec NanoPi R5C as the main entrypoint router. It has two 2.5G ethernet ports. It costs less than 100 euros. And it runs OpenWRT.

It is not a multiport, multi-gigabit device though. And I have not tested it above 1 Gbps so I am unsure about its real world performance.

reply