
Is it reasonable to include a hardware router in a home setup?


Deepshark

Hello, I am currently designing my first home network.
My scope is pretty basic: I want to replace my ISP's router, because it is a piece of trash, and put in an ASUS RT-AC86U instead.

I was checking for some nice plug-ins for Asus routers, such as Diversion or Skynet, when I started wondering whether adding a hardware firewall would make any sense. I must say I plan to set up a local-network-based cloud soon, probably with a Raspberry Pi and Nextcloud, though I may end up going with a more straightforward NAS setup.

I am a complete noob, just making my first steps reading and researching, so I am entirely open to consider anything you tell me.
 
Depends on how paranoid you are. I'm of the school that if they're trying to get you (and you know they are!), it's caution, not paranoia. I suggest a firewall.

Step 1: Turn OFF the WiFi on the ISP's router but keep that router. Or replace it with an old, wireless router with the wireless turned off or with the $50 Ubiquiti Edgerouter. The latter is nice because you can use one port for your cloud server and simplify the setup of the pfSense unit.

Step 2: Go to Amazon and get the 2GB/32GB version of the KANSUNG K190G4N. That's a four port, cheap ($200 with the shipping from Hong Kong; you'll need to be home to sign for the DSL delivery) router. Install the pfSense firewall. You then have three wired LAN ports and one wireless (not as powerful as a modern wireless router but plenty for your smart speakers and ChromeCast) LAN port. Figure out the firewall rules and isolate all the ports from each other and from the Kansung. Set the WAN port to block everything.

Step 3: Set one LAN port for your own 'puter and backup. Install firewall rules to let in nothing and to let out only exactly what you need (start with DNS, Internet, and secure Email), plus access to the cloud server and the router itself.

Step 4: Set a second LAN port for your Significant Other's 'puter and backup. (It's not that you don't trust your SO; it's that if one of you gets compromised the compromisee will not be able to infect the other). Install rules to let out only what is needed. Be sure that port (as with the 3rd one and the wireless) can't reach anything local except maybe the cloud server.

Step 5: On the last LAN port, set aside one address for the cloud server. Allow it out for only exactly what is needed. Set aside another for your wireless router. Be sure to set up and isolate an ID for guests and a separate one for your portables and tablets and phones and another for those of your SO.

Step 6: Once you get all that working and debugged (it will take a while; the logs are your friends), think about installing Snort on the firewall, esp. for the benefit of that cloud server.
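
Added example, not part of the post above and not pfSense configuration: a small Python model of the per-port rules from Steps 2 to 5, evaluated first-match with default deny, that checks whether any segment can still reach another. The subnets, the cloud server address and the port list (53, 80, 443, 465, 993) are assumptions, and the model ignores TCP/UDP and access to the router itself.

```python
import ipaddress

# Constructed addressing plan (assumption): one subnet per firewall port.
NETS = {"lan1": "192.168.10.0/24", "lan2": "192.168.20.0/24",
        "lan3": "192.168.30.0/24"}
CLOUD = "192.168.30.10"               # hypothetical cloud server address
LOCAL = "192.168.0.0/16"              # covers every local subnet above
OUT_PORTS = [53, 80, 443, 465, 993]   # DNS, web, secure mail (assumed ports)

def build_rules(block_local=True):
    """Per-interface rule list: (action, destination network, port or None)."""
    rules = {}
    for iface in ("lan1", "lan2"):
        r = [("pass", CLOUD + "/32", 443)]        # reach the cloud server only
        if block_local:
            r.append(("block", LOCAL, None))      # must precede the pass rules
        r += [("pass", "0.0.0.0/0", p) for p in OUT_PORTS]
        rules[iface] = r
    rules["wan"] = []                             # no pass rules: block everything
    return rules

def allowed(rules, iface, dst, port):
    """First matching rule wins; no match means deny."""
    ip = ipaddress.ip_address(dst)
    for action, net, rule_port in rules.get(iface, []):
        if ip in ipaddress.ip_network(net) and rule_port in (None, port):
            return action == "pass"
    return False

def isolation_leaks(rules):
    """List (iface, dst, port) flows that cross between local segments."""
    leaks = []
    for iface in ("lan1", "lan2"):
        for name, net in NETS.items():
            if name == iface:
                continue
            host = str(ipaddress.ip_network(net)[20])  # sample host elsewhere
            for port in OUT_PORTS + [22, 445]:
                if allowed(rules, iface, host, port):
                    leaks.append((iface, host, port))
    return leaks

if __name__ == "__main__":
    print("hardened leaks:", isolation_leaks(build_rules()))
    print("weak leaks:", len(isolation_leaks(build_rules(block_local=False))))
```

Without the block on local destinations ahead of the outbound pass rules, "let out web and mail" also lets each port reach hosts on the other ports' subnets.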
 
Not to discount what @Cosmo Naught says above, but I am of the firm belief that you only get what you need.

The RT-AC86U along with RMerlin + amtm + scripts make for a very formidable 'solution'. Including security, performance, WiFi (possibly best of class) and ease of use. Not to mention the support available here 24/7/365. :)

I would start with the router + RMerlin, add amtm + scripts as needed and proven useful, and if there is anything lacking then, you can always add a hardware firewall at that time while keeping all/most of the benefits of your setup to that point.

If you go looking to complicate things, you'll succeed. Keep it only as complicated as it needs to be, but no more. :)
 
pfSense is a great option, but I find Untangle is a bit more user-friendly. These are more advanced than Asus even with Merlin, but may be overkill.


 
