Is it a bad idea to have an old router in front of a new one in a cascade configuration (the old router for the external network, connected to my ISP, and the new router for the internal subnet)? At this moment I am using a single modem/router (Fritz!Box 7590). But I still have my old router (Fritz!Box 7170, which is not supported anymore by the producer) somewhere. Next month, solar panels will be installed on our roof and the corresponding inverter (SolarEdge) will be connected to the website of the supplier. I assume that I have to regard this inverter as an IoT application, so I am thinking of making a cascade setup for the routers. My thinking is that as long as my internal network is up to date and protected by the 7590, it does not matter if my outer network is not up to date, since any IoT application is already a vulnerability. Is this rationale correct? Also, the 7590 does have a WAN port (the 7170 does not), and its manual explains how to configure it when you install it behind another router. Thanks in advance for your advice.
My understanding is that you are creating a kind of DMZ with 2 boxes, but with the DMZ untrusted. It's a very good idea to want to segregate untrusted devices; there is a significant Trojan horse threat from these things, which have much more power than a minicomputer and have dreadful security and privacy characteristics. But I wouldn't use your suggested configuration for a couple of reasons. First, you have 2 different boxes with different security policies and operating systems and configurations. Errors in configuration are a main source of breach. And you cannot update one of them. The problem with the old router is that, if it's taken over, it has full control over the routes that are taken to the internet for your "real" traffic. This would be the case for many ISP-supplied routers too, but why allow that to happen? My personal approach is to use a 4-port pfSense router with one of the ports dedicated to any IoT rubbish as well as guest devices and mobile phones. They are isolated from the real network by configuration and only get to see the internet, and you can apply whatever filtering you want to them, including sending them out on a VPN, no exceptions (so that they cannot infer your physical location from the IoT phoning home). VLANs are also useful in this context, but you need a VLAN switch and a VLAN-aware WAP. Very powerful and simple-ish, at the expense of (modest) expense. The alternative is to do the same thing but with multiple cheap boxes running something like ddwrt or tomato. I believe @MisterB successfully runs this way.
Thanks for your input, deBoetie. I am not familiar with such a 4-port pfSense router, so I will have a look at that solution. It does sound like it is what I am looking for. You also said: "The alternative is to do the same thing but with multiple cheap boxes running something like ddwrt or tomato." Does this solution use more than 2 routers? My problem is that I don't know much about networking; installing something like ddwrt would require a lot of study first, for me...
Basically, that means any x64 machine (but not Celeron) with maybe 2 GB RAM and the smallest SSD you can find (you only need a few GB). Plus an old Intel four-port gigabit server network card (available used on eBay etc.). And the pfSense OS, which is free. Maybe get a basic support contract, if you want hand-holding.
pfSense routers are available as official hardware from Netgate, although the multiport options are probably designed and priced for businesses. There are also integrated 4-port boards for a DIY build which have fanless processors (often Atoms) on them, but you'd need to check what's applicable as of now (the pfSense forums are a useful starting place). Generally, Intel NICs are better supported. I got a Gold subscription for a year, which helps you with configuring the setup and acknowledges the developers. The advantage of using the single box is clearly eased administration; the multiple-physical-box approach (starting with 3 probably: 1 internet, 1 untrusted, 1 trusted) is more admin. If you want to try seeing what pfSense is like, it's quite possible to run it as a virtual machine (with other VMs behind it on virtual networks). Also, it does many other things apart from basic routing functions - for example, implementing ad-blocking and filtering on the router with pfBlockerNG, or even IDS if you want to go that far. It will also act as a VPN client and server if you wish. There's VLAN support so you can further segregate internal traffic in a reasonably secure way on each physical port, and this also allows you to support multiple wireless SSIDs on different VLANs (so you can have distinct guest wifi, IoT wifi, and internal wifi). You could, if you wanted, just get a 2-port box and use VLANs for internal segregation to minimise cost, although this requires much care in the configuration of the VLAN to retain security.
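The isolation policy deBoetie describes in both replies above (an untrusted IoT port or VLAN that "only gets to see the internet") comes down to an ordered, first-match firewall rule set on that interface. The following is an added illustration, not code from the thread or from pfSense itself; it models that rule order with assumed, constructed addresses and evaluates a few sample flows against it, including a spoofed source and an attempt to reach the firewall's own admin port.

```python
# Added example (not from the thread or the pfSense project): a first-match
# rule set for an untrusted IoT interface, in the spirit of the setup the
# replies describe. All addresses and rule details are assumptions.
from ipaddress import ip_address, ip_network

# Constructed sample addressing (assumed, not from the thread).
IOT_NET = ip_network("192.168.20.0/24")      # IoT port / VLAN
IOT_GATEWAY = ip_address("192.168.20.1")     # firewall address on that port
# Alias covering every private range, so the rule also blocks the trusted
# LAN (e.g. 192.168.10.0/24) and any other internal subnet added later.
PRIVATE_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]

def _in_any(addr, nets):
    return any(addr in n for n in nets)

# Rules on the IoT interface, evaluated top to bottom, first match wins.
# Each entry: (action, reason, matcher(dst, proto, dport)).
IOT_RULES = [
    ("pass", "DHCP and DNS to the IoT gateway only",
     lambda dst, proto, dport: dst == IOT_GATEWAY
                               and (proto, dport) in {("udp", 53), ("udp", 67)}),
    ("block", "no other access to the firewall itself (admin UI, SSH)",
     lambda dst, proto, dport: dst == IOT_GATEWAY),
    ("block", "no access to any private network, trusted LAN included",
     lambda dst, proto, dport: _in_any(dst, PRIVATE_NETS)),
    ("pass", "everything else is the internet (e.g. the inverter vendor site)",
     lambda dst, proto, dport: True),
]

def evaluate(src: str, dst: str, proto: str, dport: int) -> tuple[str, str]:
    """Return (action, reason) for one flow arriving on the IoT interface."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    # Anti-spoofing: only addresses from the IoT subnet belong on this port.
    if src_ip not in IOT_NET:
        return ("block", "source address not in the IoT network")
    for action, reason, match in IOT_RULES:
        if match(dst_ip, proto, dport):
            return (action, reason)
    return ("block", "implicit default deny")

if __name__ == "__main__":
    # Constructed sample flows: inverter to vendor site, inverter to trusted
    # LAN file share, DNS to gateway, admin UI on gateway, spoofed source.
    for flow in [("192.168.20.50", "203.0.113.10", "tcp", 443),
                 ("192.168.20.50", "192.168.10.5", "tcp", 445),
                 ("192.168.20.50", "192.168.20.1", "udp", 53),
                 ("192.168.20.50", "192.168.20.1", "tcp", 443),
                 ("192.168.10.5", "203.0.113.10", "tcp", 443)]:
        print(flow, "->", evaluate(*flow))
```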
Thanks guys, for all your info. pfSense does seem very worthwhile, so it is a big hole in my knowledge. Starting to use it will be a serious project for me, taking several months to accomplish. In the meantime, since I will need something by the end of this month, I think I will just use the guest-access option of my current router. I found out that this Fritz!Box 7590 has some functionality to limit and filter access for whatever is connected to LAN port 4, making sure it can only connect to the internet but has no access to the home network and cannot change any setting. And this access to the internet can be restricted in time and probably also to only certain websites.
Great, take your time, and I think you're realistic about timescales. Although a very simple config is easy enough to achieve, you can make it as complex as you want or time allows.