Usually, commercial and enterprise grade network routers (such as Cisco, Juniper, HPE etc) run on their own proprietary operating system (OS) software which runs only on the specific vendor’s hardware devices.
However, the Open Source community has developed some great Router OS software that can power commodity hardware such as x86 computers or regular SOHO WiFi devices and turn them into feature-rich network routers.
Such Open Source firmware/OS for your router allows it to access features not available on most stock routers, or even turn an old PC into a powerful network router or firewall device.
Some features and capabilities offered by open-source router OS might include bandwidth monitoring, VLAN support, advanced wireless setups, VPN integration, advanced security and much more.
In this article I have researched and found 13 great open-source router OS on the market today. These router OS can be used in networks ranging from home networks and small business networks to large corporate environments.
The ranking below is in no particular order.
VyOS is a company that believes that Internet access is as vital as food and water. The company is an open source software company run by engineers who strive to democratize access to networks. Their router OS provides a number of features, including the following:
- High performance routing even for large networks.
- Most popular dynamic routing protocols supported (BGP, OSPF, RIPng, policy-based routing etc).
- Reliable operation with high number of connections.
- Protection from unauthorized access for internal resources using stateful firewall and other security mechanisms.
- Accessibility for remote workers and site-to-site connectivity via VPN (IPSEC, VTI, L2TP over IPsec, OpenVPN etc).
- High availability configuration using VRRP for redundancy.
- Support for important network services such as DHCP, PPPoE access concentrator, Netflow, QoS etc.
VyOS supports many different technologies, and offers an open-source router OS that can meet the requirements of both small businesses and large enterprise networks.
In its most basic usage form, it offers Source NAT to provide Internet access to the entire network, and it uses connection tracking synchronization to make sure that high availability is achieved. However, this is only the most basic functionality.
It also has integrated VPN support and encryption to make sure that remote workers can access intranet resources when away, plus all the regular features of an enterprise router.
It can work on bare-metal commodity x86 (64-bit) servers and also supports a multitude of virtualization platforms such as VMware, KVM, Hyper-V, VirtualBox and many others.
Keep in mind, though, that there is no GUI to manage the device. You need to use the command line interface.
Although the VyOS software is open source and free to download and use, you will need an annual subscription license to get software updates, security fixes, support etc. The Corporate Subscription cost is $4320 /year.
RouterOS is the operating system for MikroTik RouterBOARD hardware and is based on the Linux kernel.
You can also install it on your PC (x86 hardware) and it turns it into a router with the most important features you will need, including routing, firewall, bandwidth management, wireless access point, backhaul link, hotspot gateway, VPN server, and more.
It is easy to install and has a simple user interface which is provided by the management software WinBox (a Windows application).
In fact, RouterOS supports different methods of configuration from local access to SSH access across networks and also WinBox as stated above.
Its firewall can provide security functions, and it can prevent access by unauthorized people.
It also supports static routing as well as several different dynamic routing protocols (BGP, OSPF, RIP, IPv6 routing protocols etc) just like a regular enterprise router device.
It supports virtual routing and forwarding (VRF) and MultiProtocol Label Switching (MPLS), which makes it ideal for high-end enterprise networks.
If you want to make full use of the RouterOS capabilities when installed on PC x86 hardware, you will need to buy a license.
There are 3 license levels ($45, $95, $250) per router device. Licenses never expire and offer unlimited software upgrades.
The OpenWRT Project is designed to target embedded devices using a fully writable filesystem with package management in place of a single static firmware.
Users can replace the router firmware that comes with their stock routers and customize their devices. It is more secure and stable, and it offers more features including the following:
- Extensibility: many routing capabilities only found in high end devices
- Security: secure by default
- Performance and stability
- Strong community support
- Research: teams are constantly improving this platform
- Open source/no cost
OpenWRT is updated constantly, so bugs are discovered and fixed quickly. It is made of standardized modules that are used in all supported devices and you can replicate the same setup on any supported device, even with older routers.
They strive to ensure that everyone has access to router firmware that keeps networks safe, secure, and reliable.
Because OpenWRT is mainly for embedded devices, it is usually used to power SOHO WiFi routers etc.
However, it can also run on x86 hardware (e.g. PCs, servers) to take full advantage of the much more powerful components of such machines (compared to embedded devices).
The pfSense project offers a free open-source network firewall distribution, based on the FreeBSD operating system with a custom kernel. Although many people know pfSense as a network firewall, it has many routing capabilities as well.
It includes third-party free software packages to give you additional functionality. It includes a web interface for the configuration of all the included components so you don’t need to have programming experience to use it and set it up.
You can choose the hardware that you want to use and then use the pfSense software to customize it.
It runs on many hardware flavors such as i386, amd64 processors, powerpc, sparc etc. You can also use one of the ready-made Netgate hardware appliances that come pre-loaded with pfSense on them.
The software is also available in the Azure and AWS marketplaces, and it provides you with full-featured firewall protection on the cloud (in addition, of course, to on-premises network protection if used in your enterprise network).
As stated above, pfSense is mostly a firewall, but it comes with many regular and advanced routing features such as:
- Load balancing
- Traffic Shaping
- VLAN support (802.1q)
- Multi-WAN failover
- Dynamic Routing Protocols (RIP, OSPF, BGP)
- Many more
Although ClearOS is still open-source software (based on CentOS Linux), it is used on HPE (HP Enterprise) servers to create a combined Server, Network, and Gateway IT platform.
It is an affordable solution with an intuitive graphical web-based user interface. It also offers more than 100 different apps via an online marketplace.
You can choose the apps and support levels you need. They make it simple for a small network, home, remote network, or branch office to have a server/router ready to use with no additional cost.
It is simple and secure, and it allows small businesses to customize their servers to their specific needs.
ClearOS teams up to provide a low-cost hybrid IT experience for small businesses and it is free to use, so you only pay for the apps and products you use on the OS.
Many people use ClearOS installed on HPE servers as a network gateway device by using the relevant networking and security apps such as firewall, IDS/IPS, content filtering app etc.
The ClearOS Community edition is free. However, this is not for production use.
For production use, you must get ClearOS Professional, Home or Business editions.
Similar to pfSense, IPFire is another versatile open source firewall that is based on Linux. It is free to use, and it is developed by an open community.
It is a powerful firewall engine and intrusion prevention system that protects your network from DDoS attacks and Internet attacks.
It will split your network into different zones with different security policies to manage risks based on your needs.
It is built specifically as a firewall and it protects itself from attacks while protecting your network. It employs a Stateful Packet Inspection firewall that filters packets quickly.
It supports VPNs that allow you to connect securely to your internal network, and you can turn IPFire into a Wireless Access Point and do more with IPFire’s package management system, Pakfire.
I’m including this option in this article because it can be used as a great border router for business networks. Although it is mainly a firewall solution, it works great as a border router to protect your LAN and provide internet access to users.
DD-WRT is a well-known open-source router firmware that is also based on Linux. It is great for a number of different WLAN routers and embedded systems.
They try to provide a simple solution as well as a number of different features to make the platform functional. The OS is fast and stable, and it provides reliable operation.
There is a large user community that gives support to developers. Flaws are detected quickly and corrected. It supports more than 200 different devices and all current WLAN standards.
It allows for VPN integration, and it supports different Hotspot systems. It allows for bandwidth management, and it allows users to create reliable and powerful WiFi network infrastructures.
Many people buy a stock WiFi SOHO router device and install DD-WRT on it to make it a more powerful and flexible router device.
Just like OpenWRT described before, DD-WRT can also work on x86 PC hardware.
The original “Tomato” router firmware is called “Tomato by Shibby” and, similar to DD-WRT, is mainly used on smaller embedded devices and WiFi SOHO routers.
“Advanced Tomato” is an open-source GUI based router firmware that is a fork of Tomato by Shibby. It works on Broadcom-based routers.
It allows you to use the features of Tomato, but you can also change the GUI to a clean and contemporary design. The features include the following:
- User-friendly GUI
- Bandwidth usage monitor
- Advanced QOS and access restrictions
- Wireless features including WDS and wireless client modes
- Higher P2P maximum connections limit
- Ability to run custom scripts
- Connection through telnet/ssh
- Reprogram SES / AOSS button
- Ability to perform wireless site survey
- Port Forwarding, VPN, QoS, NAS, Security etc.
- And much more
The AdvancedTomato version has all of these features, but it allows users to use a modern intuitive GUI compared to the original Tomato firmware.
Most users configure their routers by the graphical user interface, and this firmware allows you to do it using a clean and flat contemporary design.
EDIT: AdvancedTomato seems abandoned nowadays since it has not been updated for many years.
Fresh Tomato is an alternative open-source firmware for Broadcom-based routers, similar to the Advanced Tomato described above. However, Fresh Tomato is still maintained and updated.
It is based on Linux, dedicated to routers that have a Broadcom chipset, and distributed under the GPL license. It has a friendly interface so anyone can use it easily. It includes the following features:
- Bandwidth monitoring
- Advanced QoS
- Access control
- Enabled ssh/telnet protocols
- Configurable buttons and LEDs
- Support for different wireless modes
- Built-in OpenVPN server/client
- SNMP protocol
- IP/MAC BW limiter
- ARP binding
- VLAN support
- Many Built-in servers such as SAMBA, FTP, print server, Tor, Web server etc.
- And more
This router OS is great if you want to upgrade your home WiFi router into a more flexible and feature-rich device.
Zeroshell is another open-source Linux-based distribution that can be administered via a web interface, for the implementation of router and firewall appliances.
It is available for x86/x86-64 platforms (e.g. you can use it on an old PC) and ARM-based devices such as Raspberry Pi.
Here are some important features:
- Load balancing and failover of multi-WAN connections.
- VPN site to site and VPN for remote access of users.
- Captive portal access for an Internet hotspot.
- Firewall rules using deep packet inspection.
- Quality of services and traffic shaping using deep packet inspection
- Transparent web proxy with antivirus and URL blacklists
- RADIUS authentication and accounting
- VLAN management and bridging
- Wireless access point and multiple SSID support
- Mobile connections
- Ability to track and log network connections
For example, as described on the official website, you can have load balancing of 1 ADSL WAN connection and several Mobile Connections.
With the DPI manager (Deep Packet Inspection) you can perform content filtering and block, for example, social media access (to Facebook etc) for your internal users.
Such functionalities are found only on high-end Layer 7 firewalls.
OPNsense is an open source project that offers a lot of features, from virtual private networking and multi-WAN access to intrusion detection, SD-WAN etc.
It is free and offers everything you need to protect and secure your network. You can find all of the information on GitHub, including contributors and sources.
Here are some important features:
- Stateful firewall with support for IPv4 and IPv6 and live view on blocked or passed traffic.
- Multi-WAN capable including load balancing and failover support
- VPN with integrated support for IPsec and pluggable support for Tinc and WireGuard
- Hardware failover to get highest possible availability
- SD-WAN for easy setup, configuration, and monitoring
- Intrusion detection and prevention
- Support for two-factor authentication
- Routing protocols (OSPF, BGP)
- Web filtering
- Intuitive user interface
- Ability to select multiple languages
- Free online documentation
- And more
Just like some other options in this article (like pfSense, IPFire etc), this is mainly a network firewall OS, but it can double as a modern router as well.
Especially if you place this device on the perimeter/border of your network, it can provide BGP routing load balancing, WAN balancing, firewall security, VPN termination, SD-WAN management etc.
This is an ISDN, DSL, and Ethernet router distribution that is Linux-based, just like almost all other software in this article.
It can be used on hardware that has a 586 CPU with MMX extensions and above. You don’t need knowledge of Linux to use it, but you should be familiar with networks.
It is modular, which allows you to create an individual router that has varying functionality. It has the following features:
- Modular design that allows individual configuration
- Easy remote update
- Ability to avoid obvious misconfigurations
- Network imond server with least-cost routing monitoring and controlling functions
- Execution of commands based on dial-up
- Parallel operation and routing of Mobile, DSL and ISDN circuits.
- Firewalling, DMZ, port forwarding etc
- Suitability for firewall and routing
- And more
This software uses somewhat older technologies (such as ISDN etc), so it is not a very modern option.
Sophos is a well-known and trusted vendor of security antivirus software; however, they also make a home firewall/router. This is the free home-use XG Sophos Firewall.
It offers complete protection for your home network, and it has anti-malware, web security, URL filtering, application control, IPS, traffic shaping, VPN, reporting and monitoring, and more.
It has its own operating system and it will overwrite all of the data on the computer during install, so users should use a dedicated computer for this software. It can then be used as a security appliance or home/business border gateway router.
Here are some features:
- Prioritizes applications and uses traffic shaping to increase Internet bandwidth for critical applications.
- Lets you monitor and control family web surfing with content filtering.
- Offers Web browsing protection
- Lets you access your internal LAN network from anywhere with VPN
- Scans for viruses with double scanning engines
- And more
You can install Sophos XG on a dedicated Intel-based PC with 2 network cards. The CPU and RAM should be a maximum of 4 cores and 6GB.
There are a lot of good choices out there if you are looking for a great open source router operating system.
Take a look at each of those listed above, and investigate them further if you need more details. The open-source community contributes a lot in networking as well.