
Can you recommend a good alternative for their APs in a home office environment?


I have really been enjoying the gear that comes from FS (fs.com).

Late last year I kitted out my home with a switch and two wireless access points.

The switch (S3410-10TF-P) does everything that you expect a switch to do. It has a pretty simple web interface, and a pretty comprehensive CLI.

The access points are AP-W6T6817C (6800mbps WiFi 6, 802.11ax). It is rebranded from Ruijie Networks. The access points have a simple web UI for configuring everything, and the range is pretty awesome. Multiple radios can be configured with separate SSIDs that have access to different VLANs.

The usability is less than Ubiquiti, but it seems that they work a little better than my old UniFi setup that this replaced (though, that was purchased more than 8 years ago).

There's WPA3 support.

Getting data via SNMP into Prometheus means that you can see per-client usage history, too.

Edit:

Access Point AP-W6T6817C: https://www.fs.com/products/108707.html

Switch S3410-10TF-P: https://www.fs.com/products/115387.html


mikrotik has some pretty good 802.11ac standalone APs, such as this: https://mikrotik.com/product/cap_ac

for home use at this point I would also recommend mikrotik routers over anything ubiquiti edgeOS based, since they seem to have abandoned development on their fork of vyatta... the $50 edgerouter-x (ER-X) as a standalone wired gigabit router was a good choice in 2017 but not so much anymore.


I like Mikrotik gear but IMHO their wireless stack isn't great.

I moved my four HAP AC devices onto OpenWRT; speed and stability have been much improved, and roaming works much better. If you don't need WiFi 6 then I'd go as far as to say this is a great solution.


How hard was it to set up the roaming?

That has been my (one?) major complaint with my Ubiquiti APs - I have four of them scattered around my house/garage and moving between them always suffers a bit of a delay in handing over (or refusing to hand over at all).

I recently migrated a router (not Ubiquiti) over to OpenWRT and have been happy with the stability. I read a bit about roaming, but thought it looked a little daunting.


Actually pretty simple.

Here's an example: https://parkercs.tech/enabling-802-11r-fast-roaming-transiti...

I did lose the central management interface of Mikrotik (CAPsMAN) but for my home set-up this wasn't a big deal. I used the backup and restore capability in OpenWRT's LuCI interface to clone most of the settings.

Roaming / fast transition now works much better. I do still lose a few packets as I wander around but nowhere near as flaky as on the Mikrotik stack.

I did spend an inordinate amount of time optimising channels, signal strength and placement etc. on the Mikrotik stack before migrating over, and so I kept these settings on OpenWRT. I think a lot of making wifi work well is in this particular black art. All things being equal, though, OpenWRT works better for me.


The ER-X were good until you started to load them a bit too much.


for the majority of use I recommended them for, the speed/pps bottleneck was the last mile DOCSIS3 connection (150-350Mbps down x 16 up); wouldn't try to use one with an actual symmetric gigabit link.


Also natively supporting ZeroTier, which is a must for me


every once in a while this question comes up and i find myself browsing around on amazon at single board computers with built-in wifi and four port switches that are for installing openwrt or linux/freebsd yourself on them that run about $300-$400 and wonder "why not?"

are these any good? has anyone had any luck with going full oss for this stuff?


PC Engines APU2 works well with OpenWrt, but there is no WiFi 6 yet. Also they seem to be out of stock.


Yes, they’re great. Protectli is a solid brand with quality NICs (if a bit overpriced). I have several, running a mix of pfSense and Sophos Home for several years. Zero issues. Their Intel Atom units are plenty powerful for a gigabit cable connection.

You can also search AliExpress for “fanless pfsense” and find lots of options for less $$$.

For APs, you could also check out the Cisco Small Business line. Their 240 is the same hardware as some of their enterprise access points, and pretty trivial to set up.


Check out these systems. They seem the natural upgrade when looking for something more powerful than the already excellent pcengines.ch boards.

https://www.ipu-system.de/

If you are in the US, I'm pretty sure I saw very similar devices sold there as well, but didn't keep the link as buying from there would be too expensive.


I love Synology. They have a great mesh offering that can be had cheaply second-hand. Even supports WPA3.


I've been happy with Ruckus. (No affiliation.)


Seconded. eBay is great for picking up off-lease r610s and similar.


TP-Link EAP225 V3


TP-Link devices have been shown to ship with backdoors baked directly into the firmware.

The TL-WDR4300 and TL-WR743ND have a special unauthenticated URL that causes the device to connect back to your IP, download a file, and execute it as root.

The TL-WA701ND and similar models create a hidden SSID that acts as an unauthenticated bridge into your network.

If you can even manage to report security issues to them, they will only patch models you specifically tell them are vulnerable. So as a researcher you have to buy one of every model to actually get things fixed.


Do those get overwritten if you use OpenWRT, or are they at a lower level?


Indeed, running the latest OpenWrt release is the fix, yes.


Can you send a link to reports of that issue on their standalone access points? Might just be their routers?


There are thousands of issues. I updated my comment with a few examples.

They suffer from extremely poor code quality, a complete lack of understanding of security, and severe code reuse without recording what devices the code ends up in. You can take existing TP-Link exploits, poke around in a new model of device, and often find the same vulnerable endpoint under a new "hidden" URL.

Edit: to address your specific question, CVE-2021-35004 is RCE against both routers and standalone APs.


You are comparing their consumer routers to their business line-up. The management interface for the business line-up can be properly segregated onto separate VLANs to protect it.

Sadly the consumer department doesn't seem to follow the same model as their business department.



