Question Most Secure Home Routers

PowerEngineer

I just stumbled across this article:

Home router warning: They're riddled with known flaws and run ancient, unpatched Linux

Truthfully, I've pretty much always known that I should be paying more attention to router security. Right now I have a Linksys/Cisco EA8300 as my main router and a Linksys E4200 as a remote access point. I'm sure there are better choices out there.

What are the most secure routers available today? I'd also appreciate your tips on how to properly configure them.

Thanks!
 

sdifox

> I just stumbled across this article:
>
> Home router warning: They're riddled with known flaws and run ancient, unpatched Linux
>
> Truthfully, I've pretty much always known that I should be paying more attention to router security. Right now I have a Linksys/Cisco EA8300 as my main router and a Linksys E4200 as a remote access point. I'm sure there are better choices out there.
>
> What are the most secure routers available today? I'd also appreciate your tips on how to properly configure them.
>
> Thanks!

Pfsense or Sophos. Turn that Linksys into AP.
 

ch33zw1z

The actual study is from 2018, so even worse 2 years later, because SOHO router makers tend to EOL devices without any notifications, and the list is likely even larger now.

Yea, pfsense is good, ubiquiti ER-X wasn't reviewed in the article, but is still getting at least periodic updates, currently what I'm using.
 

razel

Most secure one is one that gets updated regularly. Even the best have some vulnerabilities, it's how quickly they patch and continue to support that matters. So far, Google and any router in ASUS' AiMesh are top of my list.

Even with them, I believe Google is quietly saying goodbye to the 5 year old onHub, once they drop support, it's time to buy a new router.
 

UsandThem

I bought my current router in late 2016 (TP Link Archer C5400).

It's been 100% rock solid since I first bought it (especially since our kids connect more and more stuff to network). I had the Netgear Nighthawk before that, and when everyone was home and connecting, it became pretty unstable.

That said, TP Link router last had a firmware update in 2017 (and only two updates total in 5 years), and that was it. So that aspect is pretty disappointing.
 

VirtualLarry

> I bought my current router in late 2016 (TP Link Archer C5400).
>
> It's been 100% rock solid since I first bought it (especially since our kids connect more and more stuff to network). I had the Netgear Nighthawk before that, and when everyone was home and connecting, it became pretty unstable.
>
> That said, TP Link router last had a firmware update in 2017 (and only two updates total in 5 years), and that was it. So that aspect is pretty disappointing.

Hate to say it, but it's probably exploitable at this point.
 

UsandThem

> Hate to say it, but it's probably exploitable at this point.

Yeah, I don't doubt that at all unfortunately. Over the years, I've looked for custom firmware from the usual places, and it seems like it just will never happen for this model.

If this was for a business, it would have been replaced yesterday. I don't keep a NAS on it, and I keep it pretty locked down concerning MAC addresses and such. I look at the log periodically, and so far nothing unusual. I'm sure if I had something of value that someone really wanted, with all the various exploits over the last 4-5 years, they could get it.

That said, I've been eyeing new routers over the last 6 months or so, and I will likely be replacing it at some point this year with something that is still being supported / has DD-WRT or OpenWRT support so this doesn't happen again so quickly. The lack of updates/support has really soured me on seriously considering TP Link again, even though hardware-wise it's been really stable.
 

ch33zw1z

> It's a real shame. TP-Link releases new hardware, to great fanfare, and then... abandons it. Very few, if any, updates. :(

It is a shame. However, they operate in a very competitive market with a largely unknowledgeable consumer base. The other vendors operate the same way.

I know two people who have a Linksys AC1900WRT, one operates a small business. Since that router hasn't had updates in 2 years, it's assumed that it's vulnerable. I'm going to have to recommend (and probably do it) a replacement. Want the latest Linux patches? Buy a new model SOHO device, and MAYBE you'll get them... but it's not guaranteed.
 

thecoolnessrune

As others stated, the best defense is a router that's actively updated. And yes, I have my own Netgate PFSense appliance for my home (SG-3100), but I also know the people I help, and most of them aren't going to be fudging around with PFSense. Instead, I usually recommend Unifi's gear. For instance, I gave my grandparents a Unifi USG and set that up, because it's more than performant enough for their connection (~25-50 Mbps cellular), and receives updates very regularly. The main driver, is that if something happens to it, they can set it up from scratch with the backup file, and pressing the physical restore button. That's immensely easier for them to do vs. needing to Console into a PFSense appliance, stare at command line, get a base configuration going, then logging in to restore the backup.
 

Scarpozzi

> Yea, I dunno. For myself or home users probably no worries, but for a small business I'll probably stick with ubiquiti or pfsense

These days, I think it's more important to assume your network is compromised and verify that your systems and workstations are all locked down. If you have a server on your local network, you should have it on a private vlan protected by another layer of NAT that's separate from clients and be using iptables or other similar local firewalling configured to lock its communication to specific ports and/or IPs. I'm a huge fan of using layer 4 switches/load balancers to mask the actual servers and use that to throttle all your traffic through another layer of protection by directing all attacks to a system that's more like a higher-level (talking OSI model here) router than anything.
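
The host-level lockdown described in the post above, sketched as an added example that is not part of the original post or thread: a small shell function that generates an `iptables-restore` ruleset with a default-deny inbound policy and openings only for named ports from named sources. The addresses, ports and the `gen_ruleset` name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Emits an iptables-restore ruleset for a
# LAN server that drops inbound traffic by default and opens only named ports
# to named sources. All addresses and ports below are constructed assumptions.
ADMIN_IP="192.168.50.10"      # assumed: the one workstation allowed to SSH in
CLIENT_NET="192.168.10.0/24"  # assumed: the client VLAN that uses the service
SERVICE_PORTS="443 445"       # assumed: TCP ports the server actually offers

gen_ruleset() {
    admin_ip=$1; client_net=$2; shift 2
    # Validate every port first so a typo never yields a partial ruleset.
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2; return 1
        fi
    done
    # Default-deny inbound and forwarded traffic; the server may still talk out.
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
                  ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections that are already established.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Management (SSH) only from the admin workstation.
    printf '%s\n' "-A INPUT -s $admin_ip -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    # Service ports only from the client network.
    for port in "$@"; do
        printf '%s\n' "-A INPUT -s $client_net -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited log of whatever falls through to the DROP policy.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "srv-drop: "'
    printf '%s\n' 'COMMIT'
}

# Print the ruleset. To syntax-check it without applying, pipe the output
# (as root) into: iptables-restore --test
# shellcheck disable=SC2086  # word splitting of the port list is intended
gen_ruleset "$ADMIN_IP" "$CLIENT_NET" $SERVICE_PORTS
```

Reviewing the `srv-drop:` log entries afterwards shows which hosts on the LAN are probing the server on ports it does not offer.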
 

Makaveli

If you are not going to build your own PFsense or Enterprise grade hardware.

The next best thing is an asus router running Merlin firmware. Both Asus and Merlin update the firmwares on a regular basis and there is an active support community for both firmwares.


> Yeah, I don't doubt that at all unfortunately. Over the years, I've looked for custom firmware from the usual places, and it seems like it just will never happen for this model.
>
> If this was for a business, it would have been replaced yesterday. I don't keep a NAS on it, and I keep it pretty locked down concerning MAC addresses and such. I look at the log periodically, and so far nothing unusual. I'm sure if I had something of value that someone really wanted, with all the various exploits over the last 4-5 years, they could get it.
>
> That said, I've been eyeing new routers over the last 6 months or so, and I will likely be replacing it at some point this year with something that is still being supported / has DD-WRT or OpenWRT support so this doesn't happen again so quickly. The lack of updates/support has really soured me on seriously considering TP Link again, even though hardware-wise it's been really stable.

You aren't going to find really any custom firmware for TP link hardware. I believe it was possible in the past, but it was stopped on their end, so now you are at the mercy of the vendor to update.
 

PowerEngineer

First, I appreciate all your responses. Thank you! 👍👍

Second, I was really hoping for an easy answer. But I can see that (as with most things) doing it right is going to take more effort than I anticipated. Time to start inventorying my retired hardware to see if I have the makings for a PFsense build.

Open to further advice!
 

PowerEngineer

> What is your budget for this?

I had been thinking that a new upscale secure wired/WIFI router would put me in the $250-$350 range, but I haven't really set myself a budget for this yet.

If I can safely use my existing Linksys units as WIFI access points to a PFsense router built using an old desktop or laptop with some new network cards and/or switches, then perhaps I could still be in that ballpark?
 

sdifox

> I had been thinking that a new upscale secure wired/WIFI router would put me in the $250-$350 range, but I haven't really set myself a budget for this yet.
>
> If I can safely use my existing Linksys units as WIFI access points to a PFsense router built using an old desktop or laptop with some new network cards and/or switches, then perhaps I could still be in that ballpark?

How big a place do you have and what type of construction?
I am assuming you already have drops to where your current router/ap are at?

An intel two port gigabit nic, 2 unifi ac pro plus a used pc ought to do.
 

PowerEngineer

> How big a place do you have and what type of construction?
> I am assuming you already have drops to where your current router/ap are at?
>
> An intel two port gigabit nic, 2 unifi ac pro plus a used pc ought to do.

Typical two-story house with around 3500 square feet of living space, and I have drops for the router and access points at opposite ends of the house.

The unifi ac pro plus access point sounds a bit daunting.
 

Scarpozzi

> Typical two-story house with around 3500 square feet of living space, and I have drops for the router and access points at opposite ends of the house.
>
> The unifi ac pro plus access point sounds a bit daunting.

I have 2900 sq ft on my first floor and another 750 upstairs over the garage. I ended up having serious trouble with coverage and grabbed a refurbished Linksys Velop mesh system from woot.

I wired my Internet router up in the kitchen next to my primary node and the others are wireless in a closet and a hallway on the main floor. I may eventually run cat6 between them, but performance is decent enough until everyone starts streaming 4k in the house.