The FCC ruling yesterday got me thinking about my router. It's probably due for a replacement by the time the theoretical end of firmware updates baked into that (natural EOL is likely around the same time) takes effect. I'm having trouble finding good options, particularly in regards to OpenWrt at least.
We currently use two Asus RT-AX3000 routers in mesh mode. One is attached to the modem because it's in a really shitty location, and one is attached to our home server. I have 3 items that need 2.4GHz for smart home automation and everything else runs 5GHz: 2 laptops, phones, etc.
Everything I can get in local stores isn't supported by OpenWrt (neither are the current routers). Looking at using older hardware we have spare (a MacBook Pro 2012 or RPi4), they seem to have a track record of underperforming. What are the recommendations for upgrades from here?
Follow-up question: am I overthinking it? Would the MacBook Pro or RPi4 with a second Ethernet NIC running a firewall before the routers also fix the issue of not getting security updates?
I bought an old Fujitsu desktop (ESPRIMO D757/E90+), it's ~2017 and has 4 PCIe slots. I bought 3 cheap Ethernet NICs and 1 Wi-Fi card on a marketplace/bazaar and installed OpenWrt. Actually I installed Proxmox and OpenWrt in a VM so that I can use that computer for other networking stuff like AdGuard, Tailscale, etc. Btw, if you do this be careful which Wi-Fi card you buy; not everything is easy to set up on OpenWrt.
I use OPNsense on a mini PC with an N100 processor. I got a decent one from HUNSN and added memory. I installed Proxmox and OPNsense runs in that along with a Pi-hole instance and a few other services, and it is really fast compared to any router I've had in the past.
I also use a RAM disk for OPNsense caching and logs, and anything I want to keep gets copied out to my NAS for permanent storage. That helps a lot with performance and SSD wear, but with memory so expensive from the LLM bubble, it might be more expensive now than a few years ago when I got mine.
This is what I was looking into recently. I just want to replace my shitty Spectrum router.
I was looking at Topton N150s on AliExpress, but $250+ (tax/shipping) is terrible, with no RAM.
I saw people using the Lenovo M720q/M920q with a PCIe 4 port, so I'm leaning towards that.
We're about to get fiber in the next year or two, so I want to get something that can handle 1G up and down.
There’s a lot of options, none perfect, but none terrible.
Some standalone WAPs for WiFi and a PC-based router. Depending on what you are getting, you can get it dirt cheap. WAPs also need firmware upgrades, but it is less of a problem.
I'm overkill and use Ubiquiti, but you can also use their entry-level devices. I'm a fan of hardwiring the WiFi points to a switch or the router itself through PoE so you don't have to use a WiFi band for the mesh.
Same. Got some leftover Fortinet gear from work that I'm using. Could be better, but my FortiGate 101E works miles better than my ISP default router. All I had to do was assign upstream WAN to VLAN 10 and spoof the MAC address.
Only use network gear for wireless. The hardware in client devices is not designed to work well as an AP and will perform poorly.
I would just pick up some used equipment and flash OpenWrt. It is relatively straightforward and should work decently well.
Which hardware is recommended? Trying to search through their list, a ton of it is already on old-stable and seemingly ready to be EOL'd. I'm not really interested in spending on new routers, playing whack-a-mole with security updates every 2 years. I'd rather have poor performance and a longer lifecycle versus an unknown, likely marginal support window.
Would the MacBook Pro or RPi4 with a second Ethernet NIC running a firewall before the routers also fix the issue of not getting security updates?
No. For most routers, this provides no additional protection to the router. Your router should not be accepting connections from the WAN side that would be blocked by the firewall, but consumer routers almost always initiate connections to the WAN side, indistinguishable from normal client traffic to your firewall, and accept connections from the LAN side, invisible to your firewall. If the firewall blocks all incoming requests, it would create problems for UPnP, effectively giving you CGNAT, even if the firewall does not perform address translation.
I like my Flint 2 router from GL.iNet. It uses OpenWrt on the back end but has a more normal interface on the front end, with the back end still accessible if you want it.
And you can install whatever firmware you want.
Right now I'm using a pfSense router. It's been working well, but I'll eventually replace it with hardware to run OPNsense (pfSense fork) when the time comes.
If you're mainly just worried about wireless, I'd just look into something to run OpenWrt or maybe FreshTomato if you're sticking to older hardware. I have an older Linksys wireless router that is compatible with FreshTomato firmware, so it's been running on that and works well for my own usage, nothing fancy.
I use pf as the firewall on my server. What is the difference/reason for the OPNsense fork?
I use a 2012 Mac Mini running OPNsense. I use the Apple Thunderbolt to Ethernet adapter in addition to the built-in Ethernet. You could probably do the same for the MacBook Pro. I have a separate switch and access point. It works really well. And it was cheap.
Make sure to remove the battery if you use the MacBook as a server. The battery blows up like a balloon… I'm assuming because the server install doesn't/can't manage the battery properly. I've had this happen twice.
At least for some laptops, you cannot just remove the battery. If the battery is removed, the performance may be throttled. This is true of very old MacBooks.
I looked into using a laptop as a router a while back and decided against it. From what I read, the chip is designed for bursts of processing and isn't designed to be under constant load like a router would be. That means the fan will always be running and you risk overheating, fan failure, and high power draw.
That’s my non professional recollection so take it with a grain of salt.
100%.
But the $ for CPU+RAM of old MacBooks makes it feasible. They are dirt cheap on eBay, and I don't need the screen.
My Bedrock server runs on a 2012 MBP. I take daily backups and have another MBP lying around for when this one fails completely. The expanding battery warped the shell pretty badly, but it's still functional.
IIRC, battery management is supposed to happen at a firmware level. So hypothetically it shouldn't be affected by what OS you install. I think what you experienced was just a byproduct of keeping it plugged in 24/7.
Apple couldn’t monetize firmware so they got rid of it (probably).
Agreed.
Either way, remove the battery.
Is OPNsense an option for you instead of OpenWrt? I run an old HP with an Intel Ethernet card and connected a UniFi AP to it. Has worked well for years.
Many open source operating systems exist that can turn a computer with multiple NICs into a router or can be used in place of a hardware router OS. https://distrowatch.com/search.php?ostype=All&category=Firewall&origin=All&basedon=All&notbasedon=None&desktop=No+desktop&architecture=All&package=All&rolling=All&isosize=All&netinstall=All&language=All&defaultinit=All&status=Active#simpleresults is a search on distrowatch.com that gives you a pretty good list to get started.
I personally use OPNsense with a Supermicro motherboard, a Xeon E3-1226 v3, and 16GB of RAM. It was all used server equipment bought on eBay. I run Caddy, an ACME client, Intrusion Detection, Chrony, Unbound DNS, WireGuard as a VPN endpoint, and WireGuard as a client for IPv6 connectivity through Route64 because my ISP only has an IPv4 stack. For WiFi access I'm running a couple of TP-Link Omada EAP-650s with the OC200 controller using PoE so I can place them in ideal locations.
Will a firewall prevent issues if the Asus devices have some sort of spyware on them? It can, but not by default. Generally firewalls are configured to stop anything coming in and let anything out. Since the RT-AX3000s are on your internal network, by default they can send data out. Something like Intrusion Detection can watch for bad things running on your network and help, but you would have to set static IPs on each one and null route them. You could also flash them to an open source firmware if you are worried, but it is a personal decision.
I avoid two things in networking, router modem combo devices and really cheap routers or access points. Honestly you should ask, “Why is this so cheap?” Then look at the reviews for those super cheap Chinese android tablets and computers and you should begin to understand my reasoning why.
Also, used commercial-grade hardware on eBay is a great place to get a steal if you are building a homelab. Most of the time this stuff is pulled because it is no longer fast enough for a server farm and functionally obsolete. The firmware will generally be very stable and well tested. I'm running a 10Gbps fiber backbone for my network that connects my router, server, 48-port Ethernet switch (using 2 DAC cables), and desktop computer together.
I have a 1Gbps fiber connection and speedtest at 950Mbps while everything is up and running. The Ethernet connection at 1000Mbps is the limiting factor. A speedtest from my cell phone (S26) over WiFi I test at 680Mbps. My testing internally from my desktop to my server using openspeedtest runs around 8000Mbps.
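The two replies above about a firewall in front of the Asus units (router-initiated traffic looks like ordinary client traffic to an upstream firewall, and "set static IPs on each one and null route them") are the part worth making concrete. This is an added example, not code posted by anyone in the thread: with the units demoted to access points at fixed LAN addresses, a Python audit over constructed iptables-style LOG lines flags every connection the APs themselves start outside a small allowlist, and the same allowlist is turned into nftables default-deny rules for those addresses. The IPs, hostnames, log format and allowlist are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed addressing: both Asus units run as plain APs with static LAN IPs, so the
# upstream firewall can tell what *they* initiate apart from ordinary client traffic.
AP_HOSTS = {"192.168.1.2": "ap-upstairs", "192.168.1.3": "ap-server-room"}
LOCAL_ROUTER = "192.168.1.1"
# Flows an AP legitimately needs, as (proto, dst or None for any, dport): DNS to the
# local resolver and NTP anywhere. Anything else an AP starts gets flagged.
ALLOW = [("udp", LOCAL_ROUTER, 53), ("udp", None, 123)]
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+).*?PROTO=(\S+).*?DPT=(\d+)")

# Constructed iptables-style LOG excerpt: one client flow, two benign AP flows,
# three AP-initiated flows that the allowlist does not cover.
SAMPLE_LOG = """\
Mar  1 03:14:01 fw kernel: LAN-NEW IN=br-lan SRC=192.168.1.50 DST=142.250.72.14 LEN=60 PROTO=TCP SPT=51234 DPT=443
Mar  1 03:14:02 fw kernel: LAN-NEW IN=br-lan SRC=192.168.1.2 DST=192.168.1.1 LEN=72 PROTO=UDP SPT=40000 DPT=53
Mar  1 03:14:05 fw kernel: LAN-NEW IN=br-lan SRC=192.168.1.2 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40001 DPT=443
Mar  1 03:14:09 fw kernel: LAN-NEW IN=br-lan SRC=192.168.1.3 DST=203.0.113.20 LEN=76 PROTO=UDP SPT=123 DPT=123
Mar  1 03:15:00 fw kernel: LAN-NEW IN=br-lan SRC=192.168.1.3 DST=198.51.100.7 LEN=90 PROTO=UDP SPT=40002 DPT=8443
Mar  1 03:15:30 fw kernel: LAN-NEW IN=br-lan SRC=192.168.1.2 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40003 DPT=443
"""

def allowed(proto, dst, dport):
    return any(p == proto and d in (None, dst) and port == dport for p, d, port in ALLOW)

def audit(log_text):
    """Return {ap_name: Counter({(proto, dst, dport): hits})} for AP-initiated flows
    outside ALLOW. Non-AP sources are skipped: the point is what the APs themselves start."""
    findings = {name: Counter() for name in AP_HOSTS.values()}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group(1) not in AP_HOSTS:
            continue
        src, dst, proto, dport = m.group(1), m.group(2), m.group(3).lower(), int(m.group(4))
        if not allowed(proto, dst, dport):
            findings[AP_HOSTS[src]][(proto, dst, dport)] += 1
    return findings

def nft_egress_rules():
    """Default-deny egress for the AP addresses as nftables rules (the 'set static IPs
    on each one and null route them' step, minus the few flows they need)."""
    rules = []
    for ip in AP_HOSTS:
        for proto, dst, port in ALLOW:
            dst_clause = f"ip daddr {dst} " if dst else ""
            rules.append(f"ip saddr {ip} {dst_clause}{proto} dport {port} accept")
        rules.append(f'ip saddr {ip} log prefix "ap-egress-drop " drop')
    return rules
```

Run `audit(SAMPLE_LOG)` on the real log export first to see what the units actually phone home to, then paste `nft_egress_rules()` into the forward chain; whatever the drop rule logs afterwards is the traffic the post-firewall setup alone would have let through unnoticed.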
Many open source operating systems exist that can turn a computer with multiple NICs into a router
Minor nitpick, but if you’re planning on sticking a NIC into a machine to make it a router, it’s probably more cost-effective to get a single NIC with multiple Ethernet ports than multiple NICs.
router modem combo devices and really cheap routers or access points.
I’ve always thought that combo devices are probably good for the average, casual internet user, but not high end, extreme users. I want the best (within reason of course) delivery mechanism that I can get to route the signal from the street to my devices. It’s worth the extra $$ to me.
If I need to buy something off the shelf, I'm looking at UniFi.
I have a GL-AX1800 and I’ve been happy with it; going to get another for my mum.
I bought this one last month when it was on sale for $39: https://www.amazon.com/dp/B0BRK3CYY3
Haven't deployed it yet, but it's fully supported by OpenWrt. I would only be using it as an access point, though. My router is a USFF OptiPlex with an extra NIC and runs OpenWrt.
That was one of the things I was considering: whether running a router before the WiFi and then just using them as access points might be a better choice.
That’s what I’ve done for years. Makes managing things much easier, and I run multiple APs (all with the same SSID/PSK) and you can just roam to the best one. One upstairs, one downstairs, one in the weird dead zone in my office, and one on the back patio (it’s not hardwired and uses the mesh connection for uplink).
These are all old Aruba APs running OpenWrt, but that's the plan for this Cudy model. I may pick up a few more and just replace all of my trusty but very old Arubas.
Looking at using older hardware we have spare (a MacBook Pro 2012 or RPi4), they seem to have a track record of underperforming
In what sense?
I'm having trouble finding good options, particularly in regards to OpenWrt at least.
Everything I can get in local stores isn't supported by OpenWrt (neither are the current routers).
IIRC, OpenWrt tends to support older hardware. I once bought new hardware to run it, so I know that it's been out there, but if you want something to run OpenWrt and aren't too fussed about having the latest hardware, you can probably grab something off eBay or something, especially if what you care about isn't the WiFi side of things, where things have changed over time. Might be possible to run a USB WiFi adapter or something, if you want the latest WiFi protocol.
Would the MacBook Pro or RPi4 with a second Ethernet NIC running a firewall before the routers also fix the issue of not getting security updates?
Pretty much, if you're talking Internet-facing stuff. I mean, you might still want updates for, I dunno, NTP updates or something where the router talks to the Internet. And if it's doing WiFi and there's some vulnerability associated with that, theoretically you could be attacked locally. In general, I wouldn't worry too much. There are probably a ton of unsupported, unupdated Internet of Things devices on LANs all over the place, so *shrugs*. It'd be nice to have maintenance and security updates for everything, but in practice, there's probably a lot of stuff that is always going to be unmaintained on most LANs. Smart TVs, printers, whatever. Maybe we should change that, but as things stand, it's kinda the norm.
OpenWrt does support more recent hardware if you know what you are looking for.
When I got whatever it was that I got new…I think an Asus device…that I used, I think that I had to order it online, and it sounds like OP was shopping brick-and-mortar. I dunno if he’d be able to find it brick-and-mortar.