Deciding my next home router and security considerations

al2813

Occasional Visitor
For several months now, I have been hesitating on my next move around the home router. I was pretty much decided on the Edgerouter X, when again I am having doubts. There are two key reasons:

1. I am a bit worried about too many things requiring CLI tweaking
2. I am wondering whether I should not take my home network security one step further and move to a router/Firewall/UTM (no it's not WANNACRY - this started before yesterday......)

I always thought that as far as my home network is concerned, hiding your hosts behind the NAT router and protecting each of them individually was sufficient. I am starting to have second thoughts. Especially as my older son is slowly but surely becoming an active gamer with a lot of online activity. So the questions are:

- What would you recommend in light of the above? Don't hesitate to propose actual products (routers, UTMs, whatever). I am open to paying for subscriptions if this increases security. On the other hand I am not too technical and I don't have time to spend on tweaking......

And finally. My internet connection is 200/10, but of course would like to future proof just a bit. GBE cabling inside the house.
 
A huge risk to any system/network is operator error. Clicking on an attachment or other suspect file can destroy your network and all the stored data and take many hours to recover, assuming you have good backups including system restore disks. No hardware can fully prevent the consequences of someone doing something stupid.

If you are worried that your son's online activity is the greatest risk to your network, I would put your son on a different subnet than the one that you use and have your home systems and files on. You can do this by setting up a VLAN for your son and his online activity, but depending on your router this will probably not be something that can be done through the GUI.

Another option to accomplish the same thing is double NATing two routers. It can be accomplished in minutes and the setup is straightforward. If you take this approach, put your son on the first router connected to the Internet and connect the rest of your network to the second router, being sure not to enable any type of access from the WAN to the router's administrative pages.

Also, whatever route you take to protect your subnet/network, never ever let your son connect his devices to the home network or VLAN.
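As an added illustration (not part of the post above), the following Python sketch audits a double-NAT plan like the one described: it checks that the two subnets do not overlap, that the untrusted segment cannot open connections into the trusted one, and that none of the son's devices sit on the trusted segment. The segment names, addresses and device list are constructed assumptions, and the reachability model assumes each router NATs outbound and has no port forwards.

```python
import ipaddress

# Constructed plan (assumed names/addresses, not from the thread). "upstream" is
# the segment a router uses as its WAN side; None means the ISP link.
SEGMENTS = {
    "gaming": {"subnet": "192.168.1.0/24", "upstream": None, "trusted": False},
    "home": {"subnet": "192.168.2.0/24", "upstream": "gaming", "trusted": True},
}
DEVICES = [
    {"name": "son-pc", "ip": "192.168.1.50", "owner": "son"},
    {"name": "nas", "ip": "192.168.2.10", "owner": "parent"},
    {"name": "son-phone", "ip": "192.168.2.77", "owner": "son"},
]

def can_initiate(segments, src, dst):
    """True if src can open a connection to dst, assuming each router NATs
    outbound and drops unsolicited WAN-side traffic (no port forwards)."""
    seg = src
    while seg is not None:  # walk upstream towards the ISP link
        if seg == dst:
            return True
        seg = segments[seg]["upstream"]
    return False

def audit(segments, devices, untrusted_owners=("son",)):
    """Return findings that break the isolation the plan is meant to give."""
    nets = {n: ipaddress.ip_network(s["subnet"]) for n, s in segments.items()}
    names = sorted(nets)
    findings = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):  # one shared subnet is no separation
                findings.append(("overlap", a, b))
            for src, dst in ((a, b), (b, a)):
                risky = segments[dst]["trusted"] and not segments[src]["trusted"]
                if risky and can_initiate(segments, src, dst):
                    findings.append(("untrusted-reaches-trusted", src, dst))
    for dev in devices:
        ip = ipaddress.ip_address(dev["ip"])
        seg = next((n for n in names if ip in nets[n]), None)
        if seg is None:
            findings.append(("no-segment", dev["name"], dev["ip"]))
        elif dev["owner"] in untrusted_owners and segments[seg]["trusted"]:
            findings.append(("untrusted-device-on-trusted", dev["name"], seg))
    return findings

if __name__ == "__main__":
    for finding in audit(SEGMENTS, DEVICES):
        print(finding)
```

In this model the home segment can still open connections to the gaming segment, but not the other way round, which is why the order of the two routers matters.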
 
If you want a UTM you should check out Untangle. I tried a hybrid system, then another UTM and finally settled on Untangle and have been very happy. It has an outstanding interface so you don't have to be particularly technical to use it (in fact you should never need to use the CLI). Anyway for home use it is $50 a year. You can purchase appliances or load untangle on your own hardware.

Website
Appliance
Software Demo
 
Hey abailey do you know how long you have on the demo version before you have to pay? I am thinking about loading it up again. I need to figure out if it can route my networks to my layer 3 switch using a 30 bit mask. I know it is a little slower than pfsense but it is protecting more layers of the OSI model.

Have you ever caught anything on the antivirus? In the past I used the light version which was free and I never caught anything.
 
The download demo works for 14 days before you have to get a license. Also Untangle has made some changes to improve performance (where they can, considering it is a Layer 7 firewall). One change they made recently is as described: UDP layer-7 processing is very expensive. We added a "dynamic bypass" function for UDP such that if all layer-7 applications "release" interest in the session, the data will be passed at layer 3. For example, if you have only Application Control installed, once it has identified with certainty the application of a given UDP session, it will "release" the session. Once all applications release interest no more layer-7 scanning will occur and the data is passed at layer-3 without sending the data to userspace. This provides a massive speedup for UDP processing which will help on big and small sites alike.

Anyway I do see a few catches by the antivirus. I use the Webfilter module which blocks many of the sites where you might find a Virus. When testing, I tried only the Antivirus app and it was catching quite a bit more than it is now after I have many UTM apps running.
 
Sounds like a speed-up for video, which would be good. One of the problems I had back in the day was with iPhones on iOS 6 or 7, can't remember, where there were video issues which I just set up a bypass for.

I will probably try it in the future since pfsense is going to require a hardware upgrade before deciding whether I want to pay for new hardware.

Do you by chance use Untangle as a time source for your network or servers? I can't remember whether it supports it or not. It has been too long since I used it last.

Untangle is the easiest piece of layer 7 firewall software I have ever used. It sure makes it look simple.
 
I was pretty much decided on the Edgerouter X...

1. I am a bit worried about too many things requiring CLI tweaking

For 99.9% of LANs at home, you seldom have to tinker with ERX through GUI or CLI after initial setup (which is handled by GUI wizards). After that, how much CLI you have to deal with really depends on your tinkering need. If you rarely turn knobs on your current router, why would you expect to deal with lots of CLI in ERX? :)

One noticeable omission in the current GUI (v1.9.x) is IPv6 configuration. If you need IPv6 now, you need to drill down to the CLI. v2.0 (to be released in 17H2) will include IPv6 functionality in the GUI.

I'm very happy with my decision of moving to Vyatta^h^h^h Edgerouter. A little device whose software is clean, neat and extraordinarily functional. I do hope VyOS (open-source alternative) could take off. Competition keeps everyone and everything honest! Do be reminded that ERX is best for 500/500 WAN (the MT7621 SoC inside is actually capable of 1000/1000...long story). For its price at $50 it's a no-brainer purchase by any measure.

IMO, additional security from UTM is marginal. One big selling point of UTM is reporting. If you like fancy charts on tonnes of (useful/useless) stuff, attack alerts etc, UTM is a better fit for you.
 
Many thanks for the advice. Indeed it looks like a UTM will add a lot of admin time I do not have. I will stick with the ER X then. Indeed the price is a no-brainer. Also because I pretty much decided to move wireless to a pair of Unifi APs so will have one vendor (but 2 GUIs :-(....
 
Using APs and putting your son's activities on one and yours on another won't provide two different subnets so your protection/ isolation won't be complete.
 
Have you looked at the Ubiquiti Unifi Security Gateways? I don't know a lot about them but they use the Unifi GUI just like the APs so you can manage them all from one interface.
 
I did and even posted about the topic here. I was told the USG is more limited than the ERs, so kind of dropped the idea.
 
They are the same, only the USG has additional software. If you can get to the underlying OS then they are both equal other than the GUI and immediate feature differences. If the OS can be accessed then you can turn them into one another except for USG's licensing/key.
 
