Question Most Secure Home Routers


PowerEngineer

I just stumbled across this article:

Home router warning: They're riddled with known flaws and run ancient, unpatched Linux

Truthfully, I've pretty much always known that I should be paying more attention to router security. Right now I have a Linksys/Cisco EA8300 as my main router and a Linksys E4200 as a remote access point. I'm sure there are better choices out there.

What are the most secure routers available today? I'd also appreciate your tips on how to properly configure them.

Thanks!
 

mikeford

Last time I was concerned, was a LONG time ago, hint firewall was a Mac IIci with two network cards running some Linux. I recall there were free web sites that would do some kind of security probe of your IP address, and this old IIci rated best claiming my IP was invisible when probed. Anything like this still exist that actually tells you anything as opposed to claiming serious issues their product is needed to fix without details?

Current router is Archer C7.
 

UsandThem

I remember using ShieldsUP! back in the day for scanning ports: https://www.grc.com/x/ne.dll?bh0bkyd2

In fact, the site looks exactly how I remember it from all those years ago. :oops:
 

Freejack2

After reading all this it sounds like I really should flash my router with a more secure firmware.
I have a Netgear R7800. My choices are DD-WRT, OpenWrt, or LEDE.
For people who have flashed their routers with one of these, which of the 3 is the easiest to keep updated?
 

brownstone

Plug for the Synology RT2600AC model. I've had it about a year so far and it's been stable and is regularly updated. My experience with their NAS devices was the same, which is why I gave the routers a shot. So far I've been pleased.
 

ch33zw1z

Anyone try out a Netgate appliance?

I'm slightly curious / considering one for a friend.
 

thecoolnessrune


Yep, my home Firewall is an SG-3100 I got late last year when we were moving, and I was tired of my lab environment having to be treated like Production to keep the internet on. It's been rock solid, and has had no issues keeping up with my 400Mbps connection. You can always build yourself one for cheaper, but I didn't for these reasons:

1. Power consumption. Even the smallest x86 machines, especially the old used ones a lot of people choose, don't hold a candle to the power efficiency of this little ARM box.
2. Supporting Netgate. I'm financially able to do so, and had interest in supporting the ongoing efforts of Netgate in their developments around pfSense.
3. HCL Approved. The few times I've had issues I've been able to skip the whole "well is there a problem with this random NIC card with this Driver, with this firmware." I do that enough at work. I got tired of doing it at home. If there's an issue, the conversation is immediately around configuration and similar things, not the Hardware.
 

sdifox



I am running a server 24/7 anyway, so one more vm is not going to change anything in terms of power consumption.
 

thecoolnessrune

Yep, like I alluded to in my post, I have a rack full of systems to reproduce Hyper Converged infrastructure. My issue was that the pfSense VM was the one "important" VM in a sea of things that needed to be breakable. Because it's a lab. While I could have formed yet another "semi-serious" cluster outside of the lab, the SG-3100 extrapolated well enough from that entire environment, and removed the concern of the VM, Host Upgrades and Maintenance, and all that other stuff. It "just works", and for having Internet in the house, that's the main goal. I actually have yet another pfSense VM that sits in lab that acts as various sub-labs for things like DHCP, DNS, Internal VPN access, etc.
 

sdifox


My setup is nowhere near as complicated as yours, and I control uptime, so it's no issue for me to control restart time.

I just tell my family I need to reboot :p
 

PowerEngineer

Interesting. Thinking pfSense is already a bit of a stretch for a noob like me, going with the appliance might be a wise simplification over trying to configure hardware myself.

I had read somewhere that pfSense had toyed with dropping support for CPUs that didn't support AES-NI. It appears that the SG-3100 (and SG-1100) do not have AES-NI. Do you think this is a worry for future software updates on these lower-end appliances?
 

thecoolnessrune


==

If you are going to use any sort of VPN, you still should consider AES-NI models.

The poorly worded statement was eventually expanded to note that the main requirement for 2.5.0 was going to be a need for Cryptographic offload. While the SG-3100 does not have AES-NI (because that's an x86 instruction set), the CPU in the SG-3100 contains the "Marvell Cryptographic Engine and Security Accelerator", which Netgate fully develops around and supports. Eventually, they completely removed the need for that. But just because it's not needed, doesn't mean you don't want it.

As @mxnerd mentioned, any device you get should have some sort of supported Cryptographic Offload. Really old systems without that capability are going to really be at a disadvantage in the future as we head more and more towards cryptography-on-everything.

The SG-1100 does not have a cryptographic offload. Its driver has been under development for well over a year now, but various difficulties mean it has yet to see the light of day in production use. That said, given the SG-1100's use case (very simple WAN <--> LAN transfer <300Mbit with only a <4 Watt power consumption), it might be forgivable, especially considering that they still plan to (eventually) enable its crypto functions when the stars align.
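
The distinction drawn in the post above, between AES-NI as an x86 CPU instruction set and a separate crypto engine on an ARM board, can be checked on a given machine. The following is an added example, not part of the original post and not Netgate's code: it parses a FreeBSD/pfSense boot log or a Linux /proc/cpuinfo for CPU AES instructions. The sample texts are constructed and the function names are hypothetical.

```python
import re

# Constructed samples for illustration (not captured from real devices).
FREEBSD_X86_DMESG = """\
CPU: Example x86 CPU (2200.00-MHz K8-class CPU)
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,SSE,SSE2>
  Features2=0x43d8e3bf<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,RDRAND>
"""
LINUX_ARMV7_CPUINFO = """\
model name : ARMv7 Processor rev 1 (v7l)
Features   : half thumb fastmult vfp edsp neon vfpv3 tls vfpd32
"""
LINUX_ARMV8_CPUINFO = """\
processor  : 0
Features   : fp asimd evtstrm aes pmull sha1 sha2 crc32
"""
LINUX_X86_NO_AES = """\
model name : Example x86 CPU
flags      : fpu vme de pse tsc msr pae sse sse2 ssse3 sse4_1 sse4_2 popcnt
"""


def aes_instruction_support(text):
    """Return 'aes-ni', 'armv8-aes' or None for the CPU described in text."""
    # FreeBSD (pfSense) boot log: feature names sit inside <...> on Features2.
    for m in re.finditer(r"^\s*Features2=0x[0-9a-fA-F]+<([^>]*)>", text, re.M):
        if "AESNI" in m.group(1).split(","):
            return "aes-ni"
    # Linux /proc/cpuinfo: x86 lists "flags", ARM lists "Features".
    for m in re.finditer(r"^(flags|Features)\s*:\s*(.*)$", text, re.M):
        if "aes" in m.group(2).split():
            return "aes-ni" if m.group(1) == "flags" else "armv8-aes"
    return None


def describe(text):
    """Summarise the result; a miss does not rule out an off-CPU engine."""
    kind = aes_instruction_support(text)
    if kind:
        return f"CPU AES instructions present ({kind})"
    # An accelerator outside the CPU core never shows up as a CPU flag,
    # so it has to be confirmed through its driver instead.
    return "no CPU AES instructions; check for a separate crypto engine and its driver"


if __name__ == "__main__":
    for sample in (FREEBSD_X86_DMESG, LINUX_ARMV7_CPUINFO,
                   LINUX_ARMV8_CPUINFO, LINUX_X86_NO_AES):
        print(describe(sample))
```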
 

mikeford

Here in Calif. anything 24/7 has to have power usage considered; my peak rate is an insane $0.47/kWh, and add to that the fact that you pay twice: once to generate heat, once to run the AC to remove it.
 

ch33zw1z

I'm also considering the Amplifi HD setup for my friend. It's something that would be more manageable for a small office / older person with limited tech XP