Brume 2 - More "Security Gateway" features - Requests

So, as per the title really. I love the Brume 2, it's a great device, however it still feels like a travel router in many respects.

The interface doesn't really have any extra GUI options that set it apart from, say, a standard Beryl AX. Actually the GUI has less, as the guest section is missing. Yes, there's no WiFi antenna to attach to the guest network, but what about people like myself who use access points and want to configure our guest network / DHCP inside the GUI?

Not only that, but the guest network features are actually there if you recreate the interface inside LuCI. By that I mean that if I make br-guest and set a DHCP range etc., then I can see the guest network in the GL.iNet mobile app. When I also re-create the guest interface I can then manage them from the clients page (block, rate limit) and more, so why can't this be included?

I have managed to create a VLAN guest inside LuCI and I can get my guest clients to show in the clients list on the main GUI, which is great, but as I have mentioned in a previous post, there is no way to show different interfaces in the GUI unless GL.iNet have referenced the interfaces to show (from what I can gather).

So here are my suggestions / feature request.
Since this is aimed at a security gateway, and given that you can use it as a standalone router, it's my opinion that it should have a few more "basic" features.

We can see LAN by default; it would be good for GL.iNet to create 3 default networks that come as standard, with the option to enable and assign. For example:

I would love to see two extra pages under Network.
Currently we have Network > Lan - and some settings to configure LAN

The two other pages would be:
Network > Guest
Network > IoT

Or even better yet we could just name them whatever we like.

Inside the Guest or IoT pages we would see a similar settings page to LAN. We should be able to assign DHCP and scope, but we should also be able to enter a VLAN ID for each network; that way we can assign the VLAN ID to a VLAN-aware SSID, for example (Ubiquiti, TP-Link).

Have an option to isolate each VLAN (so it just creates a zone to WAN).

There's potentially more I could think of, but for me the network pages are one of the main features that's lacking.

Just to add: I am using the Brume 2 as my main router, which is connected to a switch and some access points, hence my needs / request. I am not just using it as a VPN tunnel.

1 Like
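The guest VLAN the post describes (br-guest, a DHCP range, a VLAN ID, and a zone that only forwards to WAN), written out as OpenWrt UCI config as an added example; this is not from the post or from GL.iNet. It assumes the LAN port is eth1, VLAN ID 10, and the 192.168.10.0/24 range, and that the stock 'wan' zone exists.

```uci
# Added example, not from the post or GL.iNet: guest VLAN on OpenWrt in UCI syntax.
# Assumptions: LAN port is eth1 (check with `ip link`), VLAN ID 10, 192.168.10.0/24.

# /etc/config/network
# 802.1Q tagged sub-interface of the LAN port, bridged so the GUI/app sees br-guest
config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth1.10'

config interface 'guest'
	option device 'br-guest'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp
# leases 192.168.10.100 to .249, 12 hour lifetime
config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall
# guests cannot reach router services and cannot forward into any other zone
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# the only permitted forwarding: guest -> wan (no path to lan)
config forwarding
	option src 'guest'
	option dest 'wan'

# except DHCP (67) and DNS (53) to the router itself, which guests need
config rule
	option name 'Guest-DHCP-DNS'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'

# Apply:  /etc/init.d/network reload; /etc/init.d/dnsmasq reload; /etc/init.d/firewall reload
# Verify from a guest client: ping 192.168.8.1 (LAN) must fail, internet must work.
```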

Headscale as an alternative to Tailscale would be nice:

Perhaps by calling it a security gateway GL intended to have a smaller attack surface? I see and use this device primarily as a VPN server behind my perimeter router. I port forward the ports I need to use to the Brume2. I keep it fairly isolated, with just firewall rules to allow access as needed. I don't want or need other features to be enabled or, like you said, I would just use another router. Had the Flint 2 been stable when I went down this path, I might have considered using it as my primary router and skipped the Brume2.

As you said, I am not sure you are using the device in the manner it was really intended. I don't think the Brume2 would have the performance I would want as my main router tbh.

I bought the Brume 2 as on paper it's actually pretty adequate, spec-wise, compared to what is actually needed to run OpenWrt.

The device is a security gateway in marketing terms; it has all the features of a router without the WiFi, the same as the Ubiquiti gateways. Let's face it, the Brume 2 is a Beryl AX without the WiFi and actually has more RAM. The Beryl AX can be used as a home router, but the WiFi could potentially let it down, hence the Brume 2 with access points would work better. It might even be better than running a Flint 2 (not spec-wise, but because WiFi wouldn't be needed and it is cheaper / smaller) if you can't get WiFi everywhere due to the building's construction, or you are placing network equipment in a location that doesn't really require WiFi, like I am.

Under the hood there's plenty that can be done with LuCI, but the point is that more of the settings should be ported to the GUI, or GL.iNet should maybe have concentrated on modifying the LuCI side of things as opposed to creating another layer.

Now, I didn't go with the Flint 2 as I didn't need the ports; I have a switch. I didn't need the WiFi; I use access points. I didn't see the cost to return benefit either: the Brume 2 is usually listed at half the price of the Flint 2 (WireGuard speed and OpenVPN; my line doesn't even max out the Brume 2's rated WireGuard speed), and the Flint 2 has the exact same GUI restrictions and features, so the gateway is exactly the device for me. It has some really good features that make it easier to manage quickly.

I have used DD-WRT, Asus Merlin, pfSense and OPNsense, and they all have their pros / cons.

Asus Merlin was running on old hardware with no WireGuard support at the time, and I moved on.

pfSense was running on my thin client, and I migrated after pfSense started to push more for their paid product.

OPNsense was / is great; I had AdGuard running, the cloud controller running on it, VLANs and more. I already had a Beryl MT-1300, so I knew what to expect in terms of GL.iNet products.

What swayed me to get the Brume 2 was mainly curiosity: how could this device even compete with my OPNsense box? Well, it does.

When I was using OPNsense / pfSense I couldn't easily block my LAN clients (no real app or quick GUI block), but because I am running the UniFi controller I could easily block WiFi clients via the UniFi app. On GL.iNet I can use their app and see my LAN and WiFi clients in one place and block / unblock as I see fit. OPNsense would mean I would need to create rules, find the IP, and block and unblock: far more work, so the Brume 2 wins here.

On the Brume 2 I can easily load a WireGuard client profile from paid providers and within seconds route a device, again something that takes much longer on OPNsense. I can also change WireGuard configs on the fly via the GL.iNet app, another win for the Brume 2.

So although you say you wouldn't use it as a main router, I think you would be very surprised as to what it's capable of. Just look at the specs of most consumer routers that you can flash with OpenWrt and they are far worse.

I just did an iperf test and maxed out 1 Gbps down/up, and it was also suggesting that my WireGuard connection was actually maxing out at 450 Mbit/s (which I need to confirm properly), but those are the returns for a box that cost far less than the Flint 2 and is more than capable.

The UniFi Gateway Ultra was tempting for me (and still is), but you can't easily get under the hood unlike OPNsense / OpenWrt. For example, UniFi are still waiting to implement DoT etc., and the whole ecosystem is expensive. I also run self-hosted services and I need to run DDNS scripts to Cloudflare, again something not implemented yet in their GUI (from what I've read).

Granted, you didn't ask for the long-winded response, but I wanted to back up my reasoning for why I'm currently using it as my main router. I might one day fall back to OPNsense, but if I can live with the Brume 2 and get more features then I'll be happy.

1 Like

I just wanted to highlight that I stated I own one. I am aware of the product and its strengths and limitations. The Brume2 does not have the CPU for higher speed WireGuard. Check the specs for the Flint 2 vs the Brume2. Most of the time the WireGuard throughput of the Brume2 is not a big deal if I am just traveling and using cellular or whatever. However, if I am working on a jobsite, I hit the limit a lot and wait. While I am maxing out my WireGuard speed on the router (if it were my only router), what would everyone else still at home be doing? I've got around 110 devices in total at my home, about 80 of those wireless. I can't be hamstrung by an overworked internet gateway. I am not sure a Flint 2 would hold up either, but it would likely fare better than the Brume2.

Use whatever device you feel is best, of course. If the Brume2 works for you, you made the right choice. No need to defend it to me. I just don't feel a "security gateway" needs to have all of the features of a regular consumer router enabled as it will increase the attack surface.

I think it depends how you define "security gateway". If I am comparing to a UniFi "security gateway", then it should have more features baked into the GUI.

And that's kind of my point. It's the exact same as the other GL.iNet devices; all the features are already there, so there isn't going to be an increase in attacks. It is a router without the WiFi, hence they called it their gateway device, I assume.

1 Like

Just because the GUI exists for it doesn't mean the software behind it is actually running, though. Have you explored the processes running to see if they have been started? I have not, so I don't know whether they are or not.

Thanks for the suggestions.

A security gateway should do more on VLAN and DPI. So the next version will surely be more powerful, with more ports and more DPI features.

That is good to hear with regards to more powerful hardware, but can you consider the GUI / feature enhancements that I have requested in my original post for the current development? I can't see why any new hardware would be necessary to implement what I have asked, as it's already there under the hood in LuCI.

1 Like

Next version as in software or hardware, as a Brume 3 is probably being planned?

You do understand that WireGuard is using your upload speed for the download speed? If you have not set up QoS so that local network devices have adequate bandwidth when you are connected over WG, that's something you have caused.

My Brume 2 is my security gateway, aka my router; I then have access points behind it for the rest of my network.
Security gateway does not mean only a VPN server.

Yes. I have symmetric gig, so network speeds are not a problem. QoS will not help an overloaded CPU. Security Gateway, to me, implies a hardened device purpose-built, not a general purpose platform.

I spoke to sales prior to purchasing the Brume 2 to see if a V3 was in development, as it's usually my luck that a new model comes out a few months later. I was told there is currently no development of a V3 as we speak.

@alzhao That is great news. Some form of IDS/IPS would be great as well as some automated response capabilities for blocking malicious traffic/hosts (not just fail2ban). I am sure that will all drive the price up, but it would allow you to keep a cheaper option for folks who don't need the extra features as well.