Opinions on Asus Firewall is it good Enough?

[Magnus33]

We are running a restaurant and have free wifi so as you can imagine we get a lot of crap hitting the firewall.

Was toying with the idea of putting pfsense on a old pc.

Do you think the Asus ac68u firewall is up to the job or should i go for better protection?

Opinions / ideas?

 

[jpclarke]

Hi,

Don’t see any issue with the ASUS firewall but if your running a business setup you may be better to look at enterprise kit e.g. cisco Meraki or Ubiquiti where you can setup guest access via captive portal and they have integrated firewall options.

Both are relatively easy to use and configure but if you don’t need that type of control the ASUS setup should be fine.

 

[RMerlin]

Having a business-oriented router is probably best for this type of use. At the very least if you are sticking to an Asus router, make sure you secure it properly: set up Guest networking with AP client isolation, change the router username and password, disable UPnP, etc...

If going with pfsense, be careful with the idea of using an old PC: old PCs are more likely to die than anything recent. Can your restaurant deal with a hardware failure happening in the middle of the working day? If you do payment transaction over the Internet for instance, you might want to have a backup plan in case of a hardware failure (another PC, or even an entry-level router preconfigured for quickly swapping it in as needed).

 

[Magnus33]

Everything on the router is presently locked down and all quest networking is isolated from the internal network.
Wifi traffic for the customers is on a isolated router running as a ap.

Backup router is already in place running your firmware of course lol
I frankly trust your work over a router that may or may not get updated from some other company.

There is a backup server for the security cameras.
Another for the pos system and everything has its own ups.

I looked into a small business router but these days they don't seem to differ much from the consumer ones as anti-spam, anti-virus and content filtering is built into the Asus consumer ones now.

I do have to find time to port everything over to the new smart switch though.

Just wasn't sure if there was any real benefit to a separate firewall .

 

[RMerlin]

I looked into a small business router but these days they don't seem to differ much from the consumer ones as anti-spam, anti-virus and content filtering is built into the Asus consumer ones now.

One of the biggest differences that might not always be visible is general code quality. Home routers from Asus, Netgear, D-Link etc... are based on very old code, which was often written back when programmers didn't care much about buffer overruns and those type of issues. That's why you see Asus fixing so many reported CVEs these days. Hard to judge Netgear's efforts there, since their changelogs will only tell you that they fixed "some security issues" with no details.

That's not to say that Mikrotik or Ubiquity code is bug-free, just that it was generally written with a security-first mindset (or at least so I would expect from them).

Might be interesting to do a query by vendor on the CVE database, see who had the most fixed issues in the past, say, 12 months. I suspect Mikrotik and Ubiquity had fewer.

Using a smart switch with VLANs is probably a good idea, especially if you use APs. Having customer APs on a VLAN separate from the business VLAN would be ideal.

 

[jpclarke]

I highly recommend Cisco Meraki and ubiquiti kit, Meraki for cloud controlled WiFi or the ubiquiti for on-premise management.

Both are regularly updated but really depends on how much control and security you deem applicable for your use case.

If you are confident you could cope if the home router was compromised and something affected your business network then the ASUS setup would be the cheapest setup, if not the safe bet is enterprise level to ensure continued updates and support when required.

 

[Magnus33]

One of the biggest differences that might not always be visible is general code quality. Home routers from Asus, Netgear, D-Link etc... are based on very old code, which was often written back when programmers didn't care much about buffer overruns and those type of issues. That's why you see Asus fixing so many reported CVEs these days. Hard to judge Netgear's efforts there, since their changelogs will only tell you that they fixed "some security issues" with no details.

That's not to say that Mikrotik or Ubiquity code is bug-free, just that it was generally written with a security-first mindset (or at least so I would expect from them).

Might be interesting to do a query by vendor on the CVE database, see who had the most fixed issues in the past, say, 12 months. I suspect Mikrotik and Ubiquity had fewer.

Using a smart switch with VLANs is probably a good idea, especially if you use APs. Having customer APs on a VLAN separate from the business VLAN would be ideal.

Good point.

The code on consumer routers is less then great on many models


Yeah the smart switch with the vlans was me assuming something was going to hit the fan with either the customers or the staff.
Rather have it in place and not need it then not have it and need it

 

[JonnyB]

If your going to go with pfsense take a look at the sg-3100. It's new hardware (vs old PC) and has support included.

 

[coxhaus]

What about the Cisco RV345P router? They did a review on this site about it. You could add a Cisco WAP581 wireless which probably would support enough connections for a restaurant. If you need more you could add a second one. It has all the VLANs and separate SSIDs which would allow you to separate traffic and build a guest VLAN and SSID. This would be pretty cheap for business hardware.