
A 2017 sub-$30 TP-Link Archer C59 v1 rebuilt on OpenWrt into a hardened, VLAN-segmented gateway — with private DNS-over-HTTPS, SQM/CAKE, adblock and zram memory compression squeezed onto 128 MiB of RAM.

OpenWrt · VLANs · Firewall · DNS-over-HTTPS · SQM / CAKE · extroot · zram
2025 — present
Skills practiced
OpenWrt & embedded Linux administration
Network segmentation with VLANs
Firewall design (SYN protection, LAN↔VLAN rules)
DNS privacy (DNS-over-HTTPS, DNS-LOCK)
QoS & bufferbloat control (SQM / CAKE)
Working within tight hardware limits (extroot, zram)
Hardening and securing consumer hardware by design
[Figure] My current home network topology, end to end: ISP router bridged to the OpenWrt gateway, VLAN-segmented servers, and the private LAN.
2025

The spark

During my Fixear internship, a coworker pointed out that OpenWrt was a cheaper, simpler path than standing up an OPNsense box from scratch, and the homeserver already needed something the ISP router simply couldn't give it: static DHCP leases. OPNsense was shelved (it still is), and the OpenWrt rabbit hole began.

2025

Rescued hardware

The cheapest and most open route was second-hand hardware that still worked: a 2017 TP-Link Archer C59 v1, built around a Qualcomm Atheros QCA9561 (MIPS) with 16 MiB of flash and 128 MiB of RAM. Modest by any measure, and exactly the kind of constraint that makes a great teacher for what a lean Linux kernel can really do.

The TP-Link Archer C59 v1 — a 2017 budget router turned OpenWrt lab.
2025

Taking back the network

Static DHCP leases by MAC came first — the whole reason this started. The ISP router was dropped into bridge mode and demoted to a plain access point, while OpenWrt took over routing with internal firewall rules for SYN-flood protection and LAN segmentation. For the first time the network answered to me, not the carrier's box.
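The two changes from this step, as an added example and not the page's own configuration: a static lease pinned to the homeserver's MAC and the firewall's SYN-flood limiter, written as a uci batch so both land in one commit. The hostname, MAC address and LAN addressing are made-up values; the rate and burst figures are fw3/fw4's defaults, restated explicitly so they are visible in the config.

```shell
#!/bin/sh
# Added example, not the page's own configuration: one static lease plus the
# firewall's SYN-flood limiter, emitted as uci batch text and applied only when
# run as "./leases.sh apply". Hostname, MAC and addresses are made up.
set -eu

# uci batch lines for one static lease. dnsmasq then always hands this MAC the
# same address, and dns='1' publishes the name in local DNS as well.
static_lease() {
	name=$1 mac=$2 ip=$3
	cat <<EOF
add dhcp host
set dhcp.@host[-1].name='$name'
set dhcp.@host[-1].mac='$mac'
set dhcp.@host[-1].ip='$ip'
set dhcp.@host[-1].dns='1'
EOF
}

# Firewall defaults: rate-limit new SYNs (fw3/fw4's default figures, made
# explicit), drop packets conntrack cannot classify, and keep the
# deny-by-default input and forward policy for every zone.
firewall_defaults() {
	cat <<EOF
set firewall.@defaults[0].synflood_protect='1'
set firewall.@defaults[0].synflood_rate='25/s'
set firewall.@defaults[0].synflood_burst='50'
set firewall.@defaults[0].drop_invalid='1'
set firewall.@defaults[0].input='REJECT'
set firewall.@defaults[0].forward='REJECT'
EOF
}

# Refuse a MAC that is not six colon-separated hex bytes. uci stores any string,
# but dnsmasq rejects the generated dhcp-host line and fails to start, which
# takes DNS down for the whole house.
valid_mac() {
	printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

if [ "${1:-}" = apply ]; then
	mac='aa:bb:cc:dd:ee:01'                    # assumed homeserver MAC
	valid_mac "$mac" || { echo "bad MAC: $mac" >&2; exit 1; }
	{ static_lease homeserver "$mac" 192.168.1.10; firewall_defaults; } | uci batch
	uci commit dhcp
	uci commit firewall
	/etc/init.d/dnsmasq reload
	/etc/init.d/firewall reload
fi
```

Everything goes through `uci batch` and a single `commit` per config file, so a half-applied change is never left behind if the script is interrupted, and `uci changes` shows exactly what will be written before committing.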

2025

Breaking the 16 MiB wall

16 MiB of flash barely fits the OS. extroot relocates the root overlay onto a standard USB stick, so packages and configuration live there instead, turning almost no space into ~16 GB of headroom. The trade-off is honest: the stick is written to constantly (logs, package state) and wears out over time, and if it ever fails to mount, the router falls back to the internal overlay with only the base firmware, so the stick's contents deserve a backup like any other disk.

2025

Segmenting with VLANs

As the homelab grew past a single server, security demanded isolation: servers reachable only from the devices I choose, not from everything on the LAN. Working at night (this is the router the whole family shares, so downtime was real), the homeserver moved into a dedicated VLAN. The payoff is asymmetric visibility: I can reach the server, but the server can't see back into the LAN. The firewall forwards LAN→VLAN and has no rule for the reverse, and connection tracking lets replies to my own connections flow back without opening anything. The wire is also much quieter, with far less broadcast noise reaching the server.
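The VLAN and the one-way trust relationship, as an added example rather than the page's own configuration. The VLAN id, subnet, zone name, LAN device name and switch port numbers are all assumptions for illustration: on swconfig boards (the ath79 target this router uses is one) the port layout must be read from `swconfig dev switch0 show` before anything is applied, and the example refuses to apply if it finds a forwarding back into the LAN.

```shell
#!/bin/sh
# Added example, not the page's own configuration: a server VLAN with a one-way
# trust relationship. LAN may open connections into the VLAN; the VLAN may not
# open any back. VLAN id, subnet, zone name, the LAN device name and the switch
# port numbers are assumptions. Applied only when run as "./srv-vlan.sh apply".
set -eu

# network + dhcp: an 802.1q sub-interface on the LAN trunk with its own /24.
# On swconfig boards the switch must also carry the tag on the CPU port (0t)
# and untag it on the server's port (assumed port 3 here); check
# "swconfig dev switch0 show" for the real layout first.
srv_network() {
	vid=$1 lan_dev=$2 router_ip=$3
	cat <<EOF
add network switch_vlan
set network.@switch_vlan[-1].device='switch0'
set network.@switch_vlan[-1].vlan='$vid'
set network.@switch_vlan[-1].ports='0t 3'
set network.srv=interface
set network.srv.proto='static'
set network.srv.device='$lan_dev.$vid'
set network.srv.ipaddr='$router_ip'
set network.srv.netmask='255.255.255.0'
set dhcp.srv=dhcp
set dhcp.srv.interface='srv'
set dhcp.srv.start='100'
set dhcp.srv.limit='50'
set dhcp.srv.leasetime='12h'
EOF
}

# firewall: a zone that rejects everything by default, forwardings lan->srv
# and srv->wan, and deliberately none for srv->lan. Conntrack still passes
# replies to LAN-initiated flows, so nothing more is needed for the asymmetry.
# The rule lets the server reach DHCP and DNS on the router itself, which
# input='REJECT' would otherwise block.
srv_firewall() {
	cat <<EOF
add firewall zone
set firewall.@zone[-1].name='srv'
add_list firewall.@zone[-1].network='srv'
set firewall.@zone[-1].input='REJECT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
add firewall forwarding
set firewall.@forwarding[-1].src='lan'
set firewall.@forwarding[-1].dest='srv'
add firewall forwarding
set firewall.@forwarding[-1].src='srv'
set firewall.@forwarding[-1].dest='wan'
add firewall rule
set firewall.@rule[-1].name='srv-dhcp-dns'
set firewall.@rule[-1].src='srv'
set firewall.@rule[-1].proto='tcp udp'
set firewall.@rule[-1].dest_port='53 67 68'
set firewall.@rule[-1].target='ACCEPT'
EOF
}

# Guard against the one mistake that silently undoes the segmentation: any
# forwarding or rule whose dest is 'lan'. Returns non-zero if one is present.
no_path_into_lan() {
	! printf '%s\n' "$1" | grep -qF ".dest='lan'"
}

if [ "${1:-}" = apply ]; then
	fw=$(srv_firewall)
	no_path_into_lan "$fw" || { echo "refusing: a path into lan exists" >&2; exit 1; }
	{ srv_network 10 eth0 192.168.10.1; printf '%s\n' "$fw"; } | uci batch
	uci commit network; uci commit dhcp; uci commit firewall
	/etc/init.d/network reload
	/etc/init.d/dnsmasq reload
	/etc/init.d/firewall reload
fi
```

After applying, the quickest end-to-end check is from the server itself: a connection attempt to any LAN address should be refused or time out, while the same attempt from a LAN host to the server succeeds.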

2025

A cleaner, faster network

Adblock Fast, a Pi-hole-style filter running on the router itself, blocks malicious and noisy domains for every device on the network. SQM with CAKE trades a sliver of raw throughput for fair queueing and near-zero bufferbloat, so latency stays flat even when the link is saturated. A WPA3-SAE (Dragonfly) experiment, meant to make captured handshakes useless for offline cracking, was later rolled back: some devices weren't compatible, and the heavier handshake wasn't worth it on this silicon.
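The SQM side of this step as an added example, not the page's own configuration. The WAN device name, the measured line rates and the 44-byte overhead are assumptions (measure your own line and adjust); the important part is that CAKE is handed slightly less than the line delivers, because a rate of 0 disables shaping in that direction and hands the queue back to the ISP's modem, which is the bufferbloat SQM exists to remove.

```shell
#!/bin/sh
# Added example, not the page's own configuration: SQM with CAKE on the WAN
# device. WAN device name, measured rates and overhead are assumptions.
# Applied only when run as "./sqm.sh apply".
set -eu

# Shaping rate in kbit/s as a percentage of the measured rate. CAKE must own
# the bottleneck, so it is told a little less than the line delivers; 90% is a
# common starting point, raised while latency under load stays flat.
shaped_kbit() {
	measured_kbit=$1 percent=$2
	echo $(( measured_kbit * percent / 100 ))
}

# One sqm queue section. download='0' or upload='0' would be the weak
# setting: no shaping at all in that direction. overhead='44' is the
# "if unsure" figure from the SQM documentation; cable and PPPoE links
# have smaller, known values.
sqm_batch() {
	wan=$1 down_kbit=$2 up_kbit=$3
	cat <<EOF
set sqm.$wan=queue
set sqm.$wan.enabled='1'
set sqm.$wan.interface='$wan'
set sqm.$wan.download='$(shaped_kbit "$down_kbit" 90)'
set sqm.$wan.upload='$(shaped_kbit "$up_kbit" 90)'
set sqm.$wan.qdisc='cake'
set sqm.$wan.script='piece_of_cake.qos'
set sqm.$wan.linklayer='ethernet'
set sqm.$wan.overhead='44'
set sqm.$wan.debug_logging='0'
set sqm.$wan.verbosity='5'
EOF
}

if [ "${1:-}" = apply ]; then
	# assumed: measured with the router idle, 100 Mbit/s down and 20 Mbit/s up
	sqm_batch eth1 100000 20000 | uci batch
	uci commit sqm
	/etc/init.d/sqm restart
	# "tc -s qdisc show dev eth1" should now list a cake qdisc on egress and
	# one on the ifb device SQM creates for ingress.
fi
```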

2026

Private DNS over HTTPS

The router runs its own resolver on port 53, and a DNS-LOCK firewall rule redirects every port-53 query leaving the LAN back to it, so a device with hard-coded public DNS still ends up at the router. Upstream resolution then happens over DNS-over-HTTPS, so the ISP no longer sees the lookups themselves. It still sees the IP addresses I connect to and, on most TLS connections, the server name in the ClientHello, so this is privacy for the queries, not for the browsing.
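Both halves of the lock as an added example, not the page's own configuration: the DNAT redirect that pulls stray port-53 traffic back to the router, and dnsmasq restricted to a single upstream. The upstream is assumed to be a local DoH forwarder on 127.0.0.1:5053 (the default listener of the https-dns-proxy package; the page does not say which DoH client it uses), and `noresolv` is what stops dnsmasq from quietly falling back to the ISP resolvers in /etc/resolv.conf. The 853 reject goes beyond the page: DNS-over-TLS clients would otherwise slip past a port-53-only lock, and DoH clients on 443 cannot be caught by port at all.

```shell
#!/bin/sh
# Added example, not the page's own configuration: a DNS lock (DNAT of port 53
# back to the router) plus dnsmasq pinned to a local DoH forwarder assumed to
# listen on 127.0.0.1:5053. Applied only when run as "./dns-lock.sh apply".
set -eu

# A redirect with no dest_ip DNATs to the router itself (the OpenWrt wiki's
# DNS-hijacking recipe). One call per zone, so a server VLAN can get the same
# treatment. The second section rejects DNS-over-TLS (853) toward the WAN.
dns_lock_batch() {
	zone=$1
	cat <<EOF
add firewall redirect
set firewall.@redirect[-1].name='DNS-LOCK-$zone'
set firewall.@redirect[-1].src='$zone'
set firewall.@redirect[-1].src_dport='53'
set firewall.@redirect[-1].proto='tcp udp'
set firewall.@redirect[-1].target='DNAT'
add firewall rule
set firewall.@rule[-1].name='Block-DoT-$zone'
set firewall.@rule[-1].src='$zone'
set firewall.@rule[-1].dest='wan'
set firewall.@rule[-1].proto='tcp udp'
set firewall.@rule[-1].dest_port='853'
set firewall.@rule[-1].target='REJECT'
EOF
}

# dnsmasq: exactly one upstream (the DoH forwarder) and no /etc/resolv.conf.
# Without noresolv='1' the ISP's DHCP-supplied resolvers stay in the mix and
# the "private" part of private DNS leaks on the very first cache miss.
dnsmasq_upstream_batch() {
	proxy=$1                                  # host#port, dnsmasq syntax
	cat <<EOF
set dhcp.@dnsmasq[0].noresolv='1'
add_list dhcp.@dnsmasq[0].server='$proxy'
EOF
}

if [ "${1:-}" = apply ]; then
	uci -q delete dhcp.@dnsmasq[0].server || true   # drop any old upstreams first
	{ dns_lock_batch lan; dnsmasq_upstream_batch '127.0.0.1#5053'; } | uci batch
	uci commit firewall; uci commit dhcp
	/etc/init.d/firewall reload
	/etc/init.d/dnsmasq restart
	# Check from a LAN client: "nslookup <a domain adblock blocks> 8.8.8.8"
	# must return the router's blocked answer, not a real record, proving the
	# query never reached 8.8.8.8.
fi
```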

2026

zram: the final squeeze

With DoH, SQM, Adblock and a growing homelab all fighting over a consumer MIPS CPU and 128 MiB of RAM, memory got tight. A custom zram override adds compressed swap that lives in RAM: the device is configured straight through sysfs, persisted through rc.local, and vm.swappiness is raised to 80 so the kernel pushes cold pages into the compressed device early, buying enough headroom to stay on current stable releases and survive future updates. (zram override on GitHub)
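What such an override looks like, as an added example and not the author's GitHub script: zram brought up through sysfs, as described, and safe to re-run because it resets zram0 first. Sizing the device to half of RAM and preferring lz4 are my choices for this example; the swappiness of 80 is the page's.

```shell
#!/bin/sh
# Added example, not the author's override: compressed swap through sysfs,
# idempotent, meant to be called from /etc/rc.local as "/root/zram.sh apply".
# Half-of-RAM sizing and the lz4 preference are assumptions of this example.
set -eu

# Half of MemTotal in bytes, from the kB figure /proc/meminfo reports.
# disksize is uncompressed capacity: at a typical 2-3x ratio a full device
# costs roughly a quarter to a sixth of RAM.
zram_size_bytes() {
	mem_kb=$1
	echo $(( mem_kb / 2 * 1024 ))
}

# Pick the compressor from the kernel's own list (e.g. "lzo [lzo-rle] lz4";
# the bracketed entry is the current one): lz4 when offered, for cheap
# decompression on a slow MIPS core, otherwise the always-present lzo-rle.
pick_algo() {
	case " $1 " in
		*" lz4 "*|*"[lz4]"*) echo lz4 ;;
		*) echo lzo-rle ;;
	esac
}

zram_apply() {
	mem_kb=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)
	modprobe zram 2>/dev/null || true                 # no-op when built in
	if [ ! -e /sys/block/zram0 ] && [ -e /sys/class/zram-control/hot_add ]; then
		cat /sys/class/zram-control/hot_add >/dev/null   # creates zram0
	fi
	swapoff /dev/zram0 2>/dev/null || true            # allow re-running
	echo 1 > /sys/block/zram0/reset                   # algo/size only settable after reset
	pick_algo "$(cat /sys/block/zram0/comp_algorithm)" > /sys/block/zram0/comp_algorithm
	zram_size_bytes "$mem_kb" > /sys/block/zram0/disksize
	mkswap /dev/zram0 >/dev/null
	swapon -p 100 /dev/zram0                          # outrank any USB-backed swap: RAM, not the stick, takes the churn
	sysctl -w vm.swappiness=80 >/dev/null             # swap cold pages early; zram swap is cheap
	echo "zram0: $(cat /sys/block/zram0/comp_algorithm), $(( $(cat /sys/block/zram0/disksize) / 1048576 )) MiB"
}

if [ "${1:-}" = apply ]; then
	zram_apply
fi
```

`cat /sys/block/zram0/mm_stat` afterwards shows the real compressed footprint (third column, in bytes) against the uncompressed data stored (first column), which is the number to watch when deciding whether half of RAM was too generous.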

2026

An enterprise wannabe

A sub-$30 router that looked destined for e-waste now runs static leases, VLAN isolation, adblock, DoH and SQM, all behind a genuinely capable firewall: hardened, community-maintained and far less exposed to unpatched CVEs than the ISP box it replaced. Secure by design, and proof that with enough time and stubbornness the real limits are the user's, not the hardware's.