Hardware Firewall/Router Recommendations for Home Network

Discussion in 'other firewalls' started by TheKid7, Oct 7, 2018.

  1. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,605
    Currently my Internet Speed is ‘adequate’ for what I do. Last week my ISP upgraded my bandwidth to 300 Mbps. My Cable Modem states a maximum speed of 383 Mbps. My UTM Firewall states a maximum speed of around 160 Mbps (However, real world tests for my UTM Firewall show about 60 Mbps which is about what Internet Speed tests show.).

    I would like to replace my UTM Firewall with somewhat faster hardware.

    At one time I was thinking about making my own UTM Firewall with Sophos UTM as the Free OS. However, now I am thinking about just getting something less complicated.

    Some things that I have been considering:

    1. Ubiquiti Router (If you think that this is a good choice, please suggest a model.)

    2. pfSense-powered Firewall (If you think that this is a good choice, please suggest some reasonably priced vendors that sell hardware with pfSense already installed/configured.)

    3. Purchase a ‘Name Brand’ Gaming Router (Turn-off wireless since I don’t need it.)(If you think that this is a good choice, please suggest a good/reliable manufacturer and model number(s).)

    4. Please suggest any other option(s) that you feel may be a good choice.

    Thanks in Advance.
     
  2. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,907
    Location:
    localhost
    For your number 3, the simplest solution, sort of "set and forget" is Asus RT models with AiProtection lifetime license (Trend Micro malicious site blocking, Two-way IPS, IoT protection). A good model would be the ASUS RT-AC86U.
     
  3. entropism

    entropism Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    500
    If he doesn't use wireless, why pay that much? You can get the RT-AC68U for as low as $50.

    I can't believe someone wouldn't have a use for wireless in their home though.
     
  4. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,605
    I have an ASUS Wireless Router that I changed to an Access Point (AP) and only use it maybe once a month for short periods of time. I purchased the AP primarily for a Relative that visited for a couple of weeks earlier this year. I leave the AP turned off when I don't need it. I like 'hard-wired'.
     
  5. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,907
    Location:
    localhost
    Well, RT-AC68U can suffer if under pressure and with AiProtection turned ON. I understood that the operator needs something robust which can cope with the stress. :)

    @TheKid7 Not sure if your model supports AiProtection; in any case it will not work in AP mode (only router mode).
    If you don't use Wi-Fi, then turn it off.
     
  6. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,605
    I leave the AP Powered-Off.
     
  7. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,907
    Location:
    localhost
    Why don't you use it directly attached to your modem and get rid of the firewall UTM?
    Or is it an old, non-supported model?
     
  8. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,605
    This is what I am using for an AP:

    Model: ASUS Wireless-N300 3-in-1 Router/AP/Range Extender
     
  9. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,907
    Location:
    localhost
    I see, that model does not come with AiProtection.
     
  10. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,605
    Do you know of a list of Model Numbers that come with AiProtection and have at least 300 Mbps hardwired speed?
     
  11. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    If you want a real router with a proper firewall, get a RouterOS-based device, a cheap MikroTik router.
    What you get is frequent software updates and, furthermore, a highly customisable firewall.
    Keep in mind the default rules are lax and that you need to enforce block-all rules on all chains (input, forward, output) after you let through what you need.
    Do not block until you allow yourself through, though.
     
  12. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,907
    Location:
    localhost
    Here you have a complete list, sorry you will need to double check for Mbps. Most of those should anyway.

    https://www.asus.com/AiProtection/
     
  13. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    I'm also searching for a hardware firewall because I only have the router from my ISP atm. I don't necessarily trust the software Firewall. Are there different options than those mentioned? Years ago I had an IPCop running in a separate PC, but the OS is end-of-life. I'm particularly after a free or very cheap solution, so "RouterOS" is ruled out.
    I want to put the new Firewall in between my Laptop and the ISP-router. (That I have to use because I have Internet over cable and they identify me via the MAC-Address of the router. There's no login or something.)
    Is something that runs on a Raspberry Pi recommended? Speed is only 100Mbps or 75Mbps.

    Generally speaking I want something that gives me security, privacy and freedom after my laptop. That rules out most manufacturers. And something like IPCop would even be interesting for the OP.
     
  14. RioHN

    RioHN Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    117
    Location:
    Here
    I'm also looking into this. I currently run IPFire in a virtual machine; all inbound and outbound connections to and from my PC have to go via the VM. Although this works, I know it's not recommended to protect a host machine with a guest firewall.

    Regarding the Raspberry Pi I believe it's limited with only 1 ethernet port sharing the USB bus? I'm currently looking at the slightly more expensive Banana Pi as an alternative but I'm not sure it's capable of the speeds I need.
     
    Last edited: Nov 1, 2018
  15. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    Hm... generally speaking: Could I block all ports to WAN except 53 (DNS), 80 (HTTP), 123 (NTP), 443 (HTTPS)?
    Would I need any more? Like, these? https://support.microsoft.com/help/832017#method46
    I've read through that site and it seems Windows 10 doesn't need any special ports for updates and stuff. Why would anything even need a special port these days?
     
  16. RioHN

    RioHN Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    117
    Location:
    Here
    Outgoing connections? For basic web browsing sure, but if you use software like Steam you'll likely run into problems with this approach. In fact I'd be surprised if it didn't cause issues with other Windows services/apps like the store in Windows 10.
     
  17. scorpionv

    scorpionv Registered Member

    Joined:
    Jan 28, 2016
    Posts:
    33
    Lots of programs use other ports, like WhatsApp (voice), games, VPN software, remote support software and so on. Even IoT-related stuff (for example smart lighting, thermostat, and video surveillance) uses other ports.

    Best practice is to start with the ports you mention, and only add an additional port when something does not work without it.
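
The "start with 53, 80, 123 and 443, then add a port only when something breaks" approach discussed in this thread works best when the firewall's drop log is reviewed rather than guessed at. The following is an added example, not part of any forum post: the log lines are constructed in the Linux netfilter LOG style, and the `EGRESS-DROP` prefix, the `min_hits` threshold and the function names are assumptions.

```python
import re
from collections import Counter

# Outbound allowlist proposed in the thread: DNS, HTTP, NTP, HTTPS.
ALLOWED = {("udp", 53), ("tcp", 53), ("tcp", 80), ("udp", 123), ("tcp", 443)}

# Constructed drop-log lines in the Linux netfilter LOG key=value style.
# Addresses are documentation ranges; none of this is real traffic.
SAMPLE_LOG = """\
EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.7 PROTO=UDP SPT=50112 DPT=27015
EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.7 PROTO=UDP SPT=50113 DPT=27015
EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.9 PROTO=UDP SPT=500 DPT=500
EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.9 PROTO=UDP SPT=500 DPT=500
EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.9 PROTO=UDP SPT=500 DPT=500
EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=192.0.2.1 PROTO=ICMP TYPE=8 CODE=0
EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=192.0.2.1 PROTO=ICMP TYPE=8 CODE=0
EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=192.0.2.53 PROTO=UDP SPT=40000 DPT=53
EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.22 DST=203.0.113.99 PROTO=TCP SPT=40222 DPT=6667
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Return (proto, dport) for one drop line, or None if it has no PROTO field."""
    kv = dict(FIELD.findall(line))
    if "PROTO" not in kv:
        return None
    # ICMP has no ports, so its lines carry no DPT and dport stays None.
    dport = int(kv["DPT"]) if kv.get("DPT", "").isdigit() else None
    return kv["PROTO"].lower(), dport

def review(log_text, allowed=ALLOWED, min_hits=2):
    """Return (candidates, misordered) for a block of drop-log text.

    candidates: dropped flows outside the allowlist seen at least min_hits
    times (assumed threshold); each still has to be tied to a known
    application before a rule is added.
    misordered: allowlisted flows that were dropped anyway, which usually
    points at a block rule evaluated before the matching allow rule.
    """
    hits = Counter(filter(None, map(parse, log_text.splitlines())))
    candidates = {k: n for k, n in hits.items() if k not in allowed and n >= min_hits}
    misordered = sorted(k for k in hits if k in allowed)
    return candidates, misordered

if __name__ == "__main__":
    candidates, misordered = review(SAMPLE_LOG)
    for (proto, dport), n in sorted(candidates.items(), key=lambda kv: -kv[1]):
        print(f"candidate: {proto}/{dport if dport is not None else '-'} dropped {n}x")
    print("allowlisted but dropped (check rule order):", misordered)
```

A one-off drop such as the single TCP 6667 line stays below the threshold and is left blocked; repeated drops are listed with their counts so each can be matched to an application before a rule is opened.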
     
  18. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    Thanks! :) So far it works. I left out the VPN ports (IKEv2) in the list I made intentionally because it is not standard.
    I wondered why ping.exe was working until my firewall told me it uses port 53. Weird, I thought it uses Echo: TCP 7, UDP 7 or ICMP. Why does it use the DNS port?

    I also installed my old TP-Link Archer C2 router between my laptop and the cable-router/modem. It has some functions the router/modem doesn't have and it lets me use any MAC I want. Unfortunately OpenWRT is not quite ready for it yet. (I leave it stock as long as they work on it.) And it is not really a firewall ...sigh, I want my IPCop back xD
     
  19. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,264
    Location:
    USA
    Untangle is a pretty powerful UTM. There are a lot of basic features you have access to out of the box. You can pay $50 a year though to get some of the more advanced plugins. Can be installed on a PC with dual NICs. Your ISP connection will come in, connect to the UTM, then go to a switch, router in bridged mode, etc. I used to run this from a spare PC with dual NICs for a few years until I got my Meraki MX appliance. The Meraki appliance is far superior, but for something cheap, if you have a spare PC, Untangle will do the trick.
     
  20. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,605
    Which model of Mikrotik router would you recommend?

    I saw one which looks like overkill (RB3011UiAS-RM).

    Mikrotik RB3011UIAS-RM RouterBOARD 10xGigabit Ethernet, USB 3.0, LCD, RB3011

    https://www.amazon.com/Mikrotik-RB3011UIAS-RM-RouterBOARD-10xGigabit-Ethernet/dp/B01EL7TF9E

    It seems like many of their lower models have Ethernet/FastEthernet Ports.
     
  21. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,605
    I changed my mind again.

    I am near 100% certain that on the way home tonight, I will stop by the Computer Store and purchase a Ubiquiti EdgeRouter 4. The cost with tax is around $200 and is probably 'overkill', but I want to get a new router.
     
  22. longshots

    longshots Registered Member

    Joined:
    Oct 20, 2017
    Posts:
    735
    Location:
    Australia
    I see this word often creeping into posts and reviews of hardware. A lot of hardware is rated at 4 stars instead of 5 because of the price, which of course is a ridiculous way to assess it. If you are financially restrained from paying big bucks then you will have to adjust your choices, but if you have the money and are looking for the best solution, with all the bells and whistles, then put your hand in your pocket and buy it. It will serve you well, and you never know, you may one day require those features that now seem like 'extras'.
     
  23. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    This is true, but we all should keep Apple's behavior in mind: Building electrically inferior devices for the highest prices on the market. At that point the price is a valid point to assess during reviews.
     
  24. longshots

    longshots Registered Member

    Joined:
    Oct 20, 2017
    Posts:
    735
    Location:
    Australia
    And the battle begins.:shifty:
    "electrically inferior devices" should be exposed as such during the review and rated accordingly - eg - "Although this is the highest priced item it is poorly made and does not have the features of many of our other reviewed stuff"
     
  25. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    Yes, and this is essentially the same as
    People just mostly lack the specificity to evaluate such things and go with their guts.
    ... ok, I see, it's not a good point. :D
     
    Last edited: Dec 14, 2018