Asus Router on its own or behind a double NAT?

TikingAlien007

Occasional Visitor
I have been reading many times over the years in the news about multiple vulnerabilities and exploitation of Asus routers in the wild on the internet, and I have been wondering what's the best way to configure the network when it comes to security. I think there are two options here:

A) Use the Asus router itself, which could be found via search engines like Shodan or scanning tools like NMAP, and risk potential exploitation attempts.
B) Use a two-router system: have the first or front router, so to speak, and then behind it a second router that is the ASUS. In theory that would mean the front/first router would need to be compromised first, after which an attacker, malicious scripts or malware would try to pivot into the second router that is the Asus. However, wouldn't this approach make discoverability by search engines like Shodan or tools like NMAP impossible?

What would be the drawbacks of each scenario, and which would be the best configuration of the options mentioned above?

Thanks!
 
Behind two firewalls is safer in theory, but you have to do port forwarding on the ISP device as well, if you need it. Otherwise there are no user-measurable speed or latency issues in Double NAT. Some Asuswrt features require an external IP address, like Instant Guard. It is easily replaceable by an OpenVPN server, though.

If the ISP device has acceptable Wi-Fi, you can use it for Guest Network or IoT devices you don't want on your main network. The extra available LAN ports may work with VoIP ATA or something else wired. You'll have access to ISP router attached devices, but they won't have access to your Asus router main network.
 
However, wouldn't this approach make discoverability by search engines like Shodan or tools like NMAP impossible?
You don't need two routers to do that. Just don't enable any form of remote access (web, SSH, VPN, etc.) and also disable "Respond ICMP Echo (ping) Request from WAN".
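
A way to verify the result of the advice in the reply above, as an added example that is not part of the thread: a TCP self-check to run from outside your network against your own WAN address, reporting whether each management service answers, refuses, or stays silent. The port list and the helper names (`probe`, `audit`, `exposed`) are assumptions made for this sketch; it does not test ICMP echo or UDP services.

```python
import socket
import sys

# Assumed, commonly used TCP ports for the services named in the reply
# (web admin, SSH, VPN). Adjust to the ports your own router is set to use.
MGMT_PORTS = {
    80: "web admin (HTTP)",
    443: "web admin (HTTPS)",
    8443: "web admin (alternate HTTPS)",
    22: "SSH",
    1194: "OpenVPN (TCP only; the UDP variant is not covered here)",
}

def probe(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'.

    open     - handshake completed: the service is reachable from where you run this
    closed   - connection actively refused: nothing listens, but the host answered
    filtered - no answer or unreachable: the firewall silently dropped the attempt
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes timeouts and unreachable-network errors
        return "filtered"

def audit(host, ports=MGMT_PORTS, timeout=2.0):
    """Probe every port and return {port: (label, state)}."""
    return {p: (label, probe(host, p, timeout)) for p, label in ports.items()}

def exposed(results):
    """Ports that accepted a connection, i.e. what a scanner would index."""
    return sorted(p for p, (_, state) in results.items() if state == "open")

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: wan_check.py <your-own-WAN-address>")
    results = audit(sys.argv[1])
    for port, (label, state) in sorted(results.items()):
        print(f"{port:>5}  {state:<8}  {label}")
    if exposed(results):
        print("Reachable from WAN:", exposed(results))
    else:
        print("No management port accepted a connection.")
```

Run it from a connection outside the LAN (a mobile hotspot, for example), because a check from inside reaches the LAN side of the router and says nothing about WAN exposure.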
 
