router lab
A 2017 sub-$30 TP-Link Archer C59 v1 rebuilt on OpenWrt into a hardened, VLAN-segmented gateway — with private DNS-over-HTTPS, SQM/CAKE, adblock and zram memory compression squeezed onto 128 MiB of RAM.
The spark
During my Fixear internship, a coworker pointed out that OpenWrt was a cheaper, simpler path than standing up an OpnSense box from scratch — and the homeserver already needed something the ISP router simply couldn't give it: static DHCP leases. OpnSense was shelved (it still is), and the OpenWrt rabbit hole began.
Rescued hardware
The most open-source, low-budget route was used, working hardware. A 2017 TP-Link Archer C59 v1: a Qualcomm Atheros QCA9561 (MIPS) with 16 MiB of flash and 128 MiB of RAM. Modest by any measure — and exactly the kind of constraint that made it a great teacher for what a lean Linux kernel can really do.
Taking back the network
Static DHCP leases by MAC came first — the whole reason this started. The ISP router was dropped into bridge mode and demoted to a plain access point, while OpenWrt took over routing with internal firewall rules for SYN-flood protection and LAN segmentation. For the first time the network answered to me, not the carrier's box.
Breaking the 16 MiB wall
16 MiB of flash barely fits the OS. extroot relocates the root filesystem onto a standard USB stick, so packages and system parts live there instead — turning almost no space into ~16 GB of headroom. The trade-off is honest: the USB is written to constantly and wears over time.
Segmenting with VLANs
As the homelab grew past a single server, security demanded isolation — servers reachable only by the devices I choose, not everything on the LAN. Working at night (this is the router the whole family shares, so downtime was real), the homeserver moved into a dedicated VLAN. The payoff is asymmetric visibility: I can reach the server, but the server can't see back into the LAN — enforced with LAN→VLAN firewall rules — plus a much quieter wire, with far less broadcast noise.
A cleaner, faster network
Adblock Fast — a high-performance, router-level Pi-hole — filters malicious and noisy domains for every device on the network. SQM with CAKE trades a sliver of raw throughput for fair queueing and near-zero bufferbloat, so latency stays enterprise-flat even under load. A WPA3-SAE (Dragonfly) experiment to defeat handshake capture was later rolled back — some devices weren't compatible, and the encryption overhead wasn't worth it on this silicon.
Private DNS over HTTPS
The router runs its own DNS on port 53, and a DNS-LOCK firewall rule forces every LAN→WAN query through it. Upstream resolution then happens over HTTPS, so the ISP can see which sites I visit but not the contents of the lookups.
zram: the final squeeze
With DoH, SQM, Adblock and a growing homelab all fighting over a consumer MIPS CPU, memory got tight. A custom zram override adds compressed swap — written straight to sysfs, persisted through rc.local, with vm.swappiness tuned to 80 — buying enough headroom to stay semi-LTS and survive future updates. zram override on GitHub
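The sequence described above, as an added example rather than the override published on GitHub: it sizes zram0 from MemTotal, writes the size to sysfs only while the device is still uninitialised, enables swap and sets vm.swappiness to 80. The 50% sizing, the zram0 device name, the function names and the `enable` argument are assumptions; only the swappiness value comes from this page.

```shell
#!/bin/sh
# Added example, not the author's override script.
ZRAM_PCT=50      # assumption: share of RAM offered as compressed swap
SWAPPINESS=80    # value stated on the page

# Bytes for the zram device: MemTotal (kB in meminfo) scaled by a percentage.
zram_size_bytes() {  # $1 = meminfo file, $2 = percent
    kb=$(awk '/^MemTotal:/ { print $2 }' "$1")
    [ -n "$kb" ] || return 1
    echo $(( kb * 1024 * $2 / 100 ))
}

# Write disksize only on an uninitialised device (disksize reads 0). The
# kernel rejects a second write with EBUSY, so a device that is already
# sized is left alone and the script stays safe to run more than once.
zram_set_disksize() {  # $1 = sysfs dir (e.g. /sys/block/zram0), $2 = bytes
    [ -f "$1/disksize" ] || { echo "zram: no device at $1" >&2; return 2; }
    [ "$(cat "$1/disksize")" = "0" ] || return 0
    echo "$2" > "$1/disksize"
}

# Full sequence as it would run at boot on the router (needs root).
zram_enable() {
    modprobe zram 2>/dev/null   # harmless if built in or already loaded
    size=$(zram_size_bytes /proc/meminfo "$ZRAM_PCT") || return 1
    zram_set_disksize /sys/block/zram0 "$size" || return 1
    echo "$SWAPPINESS" > /proc/sys/vm/swappiness
    grep -q '^/dev/zram0 ' /proc/swaps && return 0   # swap already active
    mkswap /dev/zram0 >/dev/null && swapon /dev/zram0
}

# Act only when asked, so sourcing the file has no side effects.
if [ "${1:-}" = "enable" ]; then zram_enable; fi
```

To persist it, call the script with the `enable` argument from /etc/rc.local ahead of the final `exit 0`.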
An enterprise wannabe
A sub-$30 router that looked destined for e-waste now runs static leases, VLAN isolation, adblock, DoH and SQM, all leaning on a genuinely capable firewall — hardened, community-maintained, and far less CVE-exposed than the ISP box it replaced. Secure by design, and proof that with enough time and stubbornness the real limits are the user's, not the hardware's.