ASUS RT-AX88U vs Dedicated Firewall (pfSense, OPNsense)


essence

New Around Here
Hi all. I'm aware that there probably are some previous discussions on this topic, but if possible I would really appreciate advice geared for my particular interest and skill level.

I currently have the ASUS RT-AX88U running vanilla Asuswrt-Merlin install. I'm interested in securing my home network up to some "reasonably sufficient" level. I am relatively new to networks, though I am quite good with computers in general. Furthermore, to be perfectly frank, I want to spend as little time as possible on configuring my network. I'm not planning on making network building a "hobby", nor do I want to spend excessive amount of times optimizing security & privacy beyond what could be considered "Pareto efficient".

I have been considering purchasing a dedicated hardware firewall to run pfSense or OPNsense – based on the advice I've read on this forum. However, there are also a number of posts that suggest that the benefits and costs of getting something like pfSense to work well make it not really worth it for the average consumer, and that you're fine as a typical home user running Asuswrt-Merlin, perhaps with some additional scripts. I would love to hear your opinion on what I should do.

Here is basically what I had in mind:
  • Running OpenVPN or Wireguard with a general VPN service provider on the edge device. I get ~90/90 Mbps from my provider when running OpenVPN on a single computer (haven't tried Merlin OpenVPN performance yet onboard RT-AX88U). My ISP connection is 100/100 Mbps. I don't have any plans on increasing ISP speeds currently, so I'm cautious whether it's relevant to have a dedicated hardware firewall, even when connecting multiple devices onto the VPN connection simultaneously. I want to max out 100/100 in total for the devices, which is adequate.

  • IDS/IPS. I'm currently using Trend Micro AiProtection – but as I understand it, it won't work if I'm going to encrypt all data with OpenVPN on the RT-AX88U. I would also prefer something better for privacy over AiProtection – like Snort or Suricata – but I'm not sure how those work with VPN-encrypted data. Plus, apparently they can't scan generally encrypted communications anyway. I am rather apprehensive about spending a huge amount of time on creating good IPS rules. However, I am rather concerned about applications and IoT devices "phoning" elsewhere from within the network.

  • Ad-blocking, various IP blacklisting, etc.

  • Anything else that should be considered "basic security" that is "good enough".

  • I don't intend to do port forwarding or opening anything in the firewall.

So a few posts seem to suggest that you can get by adequately by simply running Asuswrt-Merlin and packages like Skynet, Diversion… if you care to make suggestions?

However, if you really do suggest that I get a pfSense or OPNsense solution, because consumer-grade routers simply aren't secure enough, then I definitely am open to buying a hardware firewall and spending a few days on configuring it. I don't object to the idea or costs incurred per se. I am, however, having difficulties understanding what is really a rational cost-benefit analysis here, especially with regards to IDS/IPS.

I do appreciate that everyone's mileage may vary, and that preferences, skill levels, etc, are different. I would call myself more advanced than the average computer user, but just not so advanced that I'm not concerned I may screw something up in something like pfSense, which apparently has a relatively steep learning curve.

Thank you for your advice!
 

Tech9

Very Senior Member
Do you have any experience with pfSense/OPNSense firewalls? If not, this is an entire router OS and you'll need time to learn how to configure it. Since you already have AX88U, you're familiar with Asuswrt UI and your ISP is 100/100Mbps, I would recommend keeping AX88U. Keep AiProtection enabled, set DNS filtering servers like Quad9/OpenDNS/Cloudflare/Cleanbrowsing with optional DoT, set DNSFilter to Router. You should be safe enough. IDS/IPS can't do anything about encrypted VPN traffic, no matter what software you run. I wouldn't run VPN clients or Ad-blocking on the router.
 

essence

New Around Here
Do you have any experience with pfSense/OPNSense firewalls? If not, this is an entire router OS and you'll need time to learn how to configure it. Since you already have AX88U, you're familiar with Asuswrt UI and your ISP is 100/100Mbps, I would recommend keeping AX88U. Keep AiProtection enabled, set DNS filtering servers like Quad9/OpenDNS/Cloudflare/Cleanbrowsing with optional DoT, set DNSFilter to Router. You should be safe enough. IDS/IPS can't do anything about encrypted VPN traffic, no matter what software you run. I wouldn't run VPN clients or Ad-blocking on the router.
Thank you for your reply.

No experience with pfSense/OPNsense. I could probably learn it over the course of some days, but yes, I question the added benefit of doing so. But if Sense is basically "good to go" out of the box, and doesn't require altering default "bad settings", then it should be quite easy to learn it in chunks? The added risks of misconfiguring something in Sense must also be weighed against the risks of running an ordinary consumer-grade router that may be more easily compromised.

Curious as to why you wouldn't run VPN clients or ad-blocking on the router? Is this in the case of ASUS, or any router including Sense?
 

Tech9

Very Senior Member
I could probably learn it over the run of some days

Plan some months, it's not that easy. Install it on a PC and see if it works for you before you buy dedicated firewall hardware. It comes pre-configured with WAN and LAN interfaces, bare bones. You have to tell them what to do. Keep your network alive using your current router during the learning process.

Curious as to why you wouldn't run VPN clients or ad-blocking on the router?

Experience. Less configuration flexibility with VPN and issues with community supported block lists. I run VPN on devices when I need it and uBlock in browsers, when needed. That gives my family members a choice what they prefer to have. I don't want to enforce anything on my firewall, except security.
 

jeff3820

Regular Contributor
There are MANY step-by-step videos showing setup of pfSense. I watched a 17 min video twice and then set up a pfSense firewall how I wanted it for me. It wasn't hard at all. Over time I explored various advanced features... it was all very straightforward. Again, lots of videos are available.

FYI, it's very hard to set up "wrong". By default, pfSense passes no traffic. You create the rules to make it work, so security is maintained.
 

Tech9

Very Senior Member
Yes, Lawrence Systems have good videos on YouTube explaining how things work. I would start with pfSense, better support and more information available online.
 

coxhaus

Part of the Furniture
Experience. Less configuration flexibility with VPN and issues with community supported block lists. I run VPN on devices when I need it and uBlock in browsers, when needed. That gives my family members a choice what they prefer to have. I don't want to enforce anything on my firewall, except security.
I agree with Tech9. Plus I would trust VPN ISPs less than local big ISPs, plus you get much better performance not using VPN. If you need VPN for work, so be it. You should trust your work.

I used uBlock for a while, back a year ago. Now I like using Quad9 and the Microsoft Store. I set my Windows 10 PC to only load software from the Microsoft Store and I use Quad9 as it blocks bad sites. I think the 2 are good enough together. I don't mind the ads as long as they are not malware sites. If I get hit with bad stuff then I will go back to using uBlock. So far all is good. I have been running about a year this way.
 

coxhaus

Part of the Furniture
No, I did not. I know what uBlock is. I ran uBlock to stop malware sneaking through ads. I don't mind ads. As I said, the 2 together give me the results I need. I don't need uBlock now. I think a lot of web pages look stupid without the ads.
You left off limiting software installs to Microsoft only.

If you don't understand think about it for a while.
 

Tech9

Very Senior Member
I think a lot of web pages look stupid without the ads.

Mmm... uBlock Origin re-arranges the pages and you don't even know there were ads there. You may have to try it again. It uses a stealth technique and doesn't trigger most ad-block detectors. It also successfully blocks most YouTube ads. You can't replace it with Quad9. They do different things. With most modern browsers you don't even need Quad9 as a DNS filtering service. Firefox, Chrome, Microsoft Edge - they all use the Safe Browsing engine.
 

coxhaus

Part of the Furniture
Not all web pages when I ran it. And it is no faster on my laptop than running the ads. Of course, my Intel multi-core CPU is very fast. If you want to read about my laptop there is a thread on it on this site; just look under my username.

I only use Edge for my browser with all the latest Microsoft patches using Windows 10.
 

essence

New Around Here
set DNS filtering servers like Quad9/OpenDNS/Cloudflare/Cleanbrowsing with optional DoT, set DNSFilter to Router. You should be safe enough. IDS/IPS can't do anything about encrypted VPN traffic, no matter what software you run. I wouldn't run VPN clients or Ad-blocking on the router.
Learning about DNS filtering services just now, thanks. Do they interact negatively with VPN privacy in any way if the VPN client is run either on computer or router? I presume not, but best to check.

What are pros and cons of using DoT (DNS over TLS) and what would be the alternative?
 

essence

New Around Here
Additionally, what do you all think about running Skynet on Merlin?

It appears to provide malware lists, and the ability to block (detect?) phoning home, country blocking, etc. Interested in your opinions, also with regards to necessity and maintenance considerations.
 

Tech9

Very Senior Member
Do they interact negatively with VPN privacy in any way if the VPN client is run either on computer or router?

In general - no. Most commercial VPN services use/provide their own DNS. It also depends on how you configure your VPN client.

Additionally, what do you all think about running Skynet on Merlin?

In my opinion, it may add some value if:
- run on outbound traffic only, if no ports are open (to prevent you from accessing blacklisted IPs)
- run on inbound/outbound traffic, if there are open ports (the above + to prevent blacklisted IPs trying to connect to you)
You have to rely on community supported blacklists and there will be false positives - potentially extra maintenance for you. I don't like the fact that custom scripts run off a USB stick. USB sticks are not very reliable storage media. I would get an external USB enclosure with a small SSD inside.
 
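As an added illustration of the two modes Tech9 describes (this is example code, not from the thread or from the Skynet project), the sketch below wires an ipset-backed blocklist into iptables either outbound-only or inbound+outbound, and adds an allowlist set to handle the false positives he mentions. The set names, chain choices, WAN interface name and the sample networks are assumptions; it runs in dry-run mode by default so the generated commands can be read without root.

```shell
#!/bin/sh
# Added example, not Skynet's own code. Dry-run by default: commands are
# printed instead of executed. Set DRY_RUN=0 on a real iptables/ipset box.
DRY_RUN="${DRY_RUN:-1}"
SET_NAME="home_blocklist"          # assumed set name
WAN_IF="${WAN_IF:-eth0}"           # assumed WAN interface name

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Constructed sample list using documentation prefixes (RFC 5737), i.e.
# nothing routable; a real deployment would load a community blacklist here.
load_blocklist() {
    run ipset create "$SET_NAME" hash:net -exist
    for net in 192.0.2.0/24 198.51.100.7 203.0.113.0/24; do
        run ipset add "$SET_NAME" "$net" -exist
    done
}

# Mode 1 (no open ports): only stop LAN hosts from reaching listed IPs.
outbound_rules() {
    run iptables -I FORWARD -o "$WAN_IF" -m set --match-set "$SET_NAME" dst -j DROP
}

# Mode 2 (ports forwarded/open): outbound rule plus drop inbound attempts
# from listed IPs, both to the router itself and to forwarded LAN hosts.
inbound_outbound_rules() {
    outbound_rules
    run iptables -I INPUT   -i "$WAN_IF" -m set --match-set "$SET_NAME" src -j DROP
    run iptables -I FORWARD -i "$WAN_IF" -m set --match-set "$SET_NAME" src -j DROP
}

# False-positive handling: an allowlist set. Because -I inserts at the top,
# a rule added after the DROP rules is evaluated before them.
allow_exception() {
    run ipset create "${SET_NAME}_allow" hash:net -exist
    run ipset add "${SET_NAME}_allow" "$1" -exist
    run iptables -I FORWARD -o "$WAN_IF" -m set --match-set "${SET_NAME}_allow" dst -j ACCEPT
}

# Pick the mode from the number of open/forwarded ports.
apply_for() {
    if [ "$1" -gt 0 ]; then inbound_outbound_rules; else outbound_rules; fi
}

load_blocklist
apply_for "${OPEN_PORTS:-0}"
```

With DRY_RUN=1 the script only prints the iptables/ipset commands it would run, which is also a convenient way to review a rule set before committing it to a live router.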
