Build your own router, buy enterprise-level wifi APs.
I needed to replace/upgrade from my dying Asus router a few years ago and couldn't find anything that worked for me. Did some research and went for a pfSense build with a Unifi nanoHD AP. Best decision I've ever made. It's very fast, much more secure, especially with far longer support windows on the hardware (technically, pfSense is forever) and snort/pfBlockerNG packages, and you can tweak to your heart's content plus even more addons to make things better.
Great thing about separate router/AP units is that if your house is appropriately wired (or you're willing), you can put the AP(s) in the best location while the router sits wherever the modem is.
PFSense on the front to handle FW / Security --> used Brocade switch like an ICX6450 to do routing and vlans + Ubiquiti APs = reliable, powerful and handle anything!
I run pfsense at the edge on one of these w/ 8gb ram: https://www.supermicro.com/en/products/system/1U/5018/SYS-5018A-FTN4.cfm that also has cellular failover and battery backup. It runs Suricata/PFblockerNG/DNS Resolver. Added my lists from pi-hole to it.
Have a 24-port HP gbe switch (for now) behind it. Drooling on one of these: https://www.netgear.com/support/product/XS724EM.aspx HP Switch is also on battery backup.
From there, unifi covers wireless and they all support AC, some are outside as well and they can wirelessly connect/mesh to each other. Most of these are also on battery backup.
Internal DNS is handled by Windows Active Directory (both DCs point to the PFBox).
At this time, I've not found an off the shelf router I like due to wanting updates. PFSense is always updated even when your hardware is ancient. Have a few ASUS routers with merlin firmware (openwrt based), one is used as a bridge ATM and never any issues.
Untangle is another router distro I like and had played with from v5-v9, they do have some neat modules and even a home use license which grants access to most packages (low cost). Researched Sophos hard but seems to be CPU hungry and Dev really needs more QA/Code review. SQL injection...not OK. Untangle and Sophos would work on x86 hardware like shared above.
I think it really depends on the specific use case, internet connection speed/type and how many clients are behind it. If you want just raw router the asus units with merlin are hard to beat.
If you want off the shelf/easy then would look at the netgear nighthawk routers.
Total package was about $230 CAD shipped a couple years ago when I got it, low power usage, small and could handle anything! Sold it recently though as I needed to add 10GB SFP+ to my network.
Untangle I ran long time ago and did enjoy the GUI for what it could do, but you def. want decent hardware to run it.
I had looked hard at those PCEngines a few years back but they seemed underpowered? IDK. I was going to do untangle but the home license does not allow IDS and there were some features on PF I wanted to play with.
OPNSense would be another distro to look at.
For PFSense they are more than enough, most people can still run PFSense on an old Core 2 Duo. When it gets slow is if you want to run Snort and other things on your pfsense. I ran pfblocker and had a 600mbps download speed and about 15 devices total on the network and it ran fine.
Can someone recommend a guide to pfsense hardware that calls out what kind of hardware is needed to sustain what kind of throughput with different features in play? My somewhat lay-person's understanding is that I would need one level of hardware for say 1Gbps basic routing; perhaps more if I overlay some QoS and/or filtering; perhaps yet more if I overlay VPN... while expecting to maintain the same bandwidth. If this is correct, what I am looking for is a guide to what kind of throughput can be expected (for a set of commonly used feature-combos) for some different sets of hardware.
I'd like to set something up over the winter holidays and optimize it, but most of the hardware I have is going to be too power hungry and physically large so I'd like to get a better feel for what an optimized setup would be.
(My ideal would be minimal compromise up to 1Gbps up/down to WAN)
Start there. Basically, without VPN, anything will do fine as long as you meet the storage/ram requirements of the add-on packages. VPN is a nonstarter without a CPU that supports AES-NI, and you should check to see if your preferred method is single or multithread (OpenVPN is single). You'll also need to add at least 1GB to your memory requirements for a tmp/var folder ramdisk (avoids wearing out an SSD or lets an HDD stay off longer).
My personal system runs donuts around my 250mb connection (cpu/mb/ram was a $100 combo on fleabay awhile back):
Haswell i3 4370
B85 motherboard
8 GB ram (typically 50% used plus a ram drive)
Not garbage cheap SSD
Intel i350-t4v2 nic
Packages: VPN, Snort, pfBlockerNG, some minor tools