Most Secure Router?

ChrisKC

Junior Member
Jul 21, 2017
6
0
6
I need a new wireless router. I'm mostly concerned with security. There's only a couple of laptops, two or three phones, and maybe one streaming tv. Here's what I was told to look for:

* Automatic firmware updates or at least notifications
* No WPS
* Guest network ability
* Firmware rollback option
* Able to disable remote admin access - ethernet only access
* Can disable (or stealth) PING, Telnet, SSH, UPnP, and HNAP
* OpenDNS
* VPN
* Dual-band would be preferable

Do you prefer particular brands or models in terms of security or their ability to quickly distribute patches?

I've done a lot of looking online and talking to people here locally, but some things on this list aren't "listed on the box".

Thanks for your suggestions.

Chris
 

EXCellR8

Diamond Member
Sep 1, 2010
4,041
887
136
I think a custom Untangle box would be perfect for all that. (or pfSense)

Essentially you assemble a small computer, install the Untangle OS, and then load it up with whatever security features you fancy. Very secure...
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,545
422
126
"I'm mostly concerned with security" and, "Automatic firmware updates or at least notifications"

The above is an oxymoron; many times the connection to the firmware server and the update content is what is compromising security.

What you are looking for is nonexistent in sub-$500 consumer wireless routers.


:cool:
 

ChrisKC

Junior Member
Jul 21, 2017
6
0
6
> "I'm mostly concerned with security" and, "Automatic firmware updates or at least notifications"
>
> The above is an oxymoron; many times the connection to the firmware server and the update content is what is compromising security.
>
> What you are looking for is nonexistent in sub-$500 consumer wireless routers.
>
> :cool:

Okay. That's good to know. So Wireless Router > $500 that doesn't update automatically. What would you suggest that meets the criteria?
 

Red Squirrel

No Lifer
May 24, 2003
70,166
13,572
126
www.anyf.ca
I would go with pfsense + managed switch + Unifi APs. With a managed switch you can do vlans, then split stuff up based on risk. Pfsense will do the inter-vlan routing/filtering. So for example, wifi would be on its own vlan, another guest SSID on another vlan. These vlans should be set up so they only have access to the bare minimum such as the internet, and not each other.

Unifi APs can also support vlans so you set the link to the AP as a trunk port and allow it to access only the vlans you choose then configure a few SSIDs.

Also for overall network security avoid cloud based stuff like IoT home automation stuff. These devices are basically designed to spy on you. Also avoid windows 10. If you have to use windows 10, put it on a separate vlan so it can't access the rest of the network.
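
The isolation goal described in the post above (Wi-Fi and guest VLANs reach the internet but not each other) can be checked against a rule set before it is deployed. This is an added example, not part of the thread and not pfSense's own code: a first-match rule evaluator over a constructed VLAN plan, where the subnets, the rule tuples and the function names are all assumptions.

```python
import ipaddress

# Constructed VLAN plan (assumption): names and subnets are illustrative only.
VLANS = {
    "lan":   ipaddress.ip_network("10.0.10.0/24"),
    "wifi":  ipaddress.ip_network("10.0.20.0/24"),
    "guest": ipaddress.ip_network("10.0.30.0/24"),
}

# Rules per ingress interface, first match wins, no match means block.
# Each rule is (action, destination network, destination port or None = any).
RULES = {
    "wifi": [
        ("pass",  "10.0.20.1/32", 53),    # DNS on the router's address in this VLAN
        ("block", "10.0.0.0/8",   None),  # other VLANs and the router admin UI
        ("pass",  "0.0.0.0/0",    None),  # everything else: the internet
    ],
    "guest": [
        ("pass",  "10.0.30.1/32", 53),
        ("pass",  "0.0.0.0/0",    None),  # ordering mistake: pass-all comes first
        ("block", "10.0.0.0/8",   None),  # never reached
    ],
}

def decide(iface, dst, port):
    """Return 'pass' or 'block' for traffic entering on iface."""
    addr = ipaddress.ip_address(dst)
    for action, net, rule_port in RULES.get(iface, []):
        if addr in ipaddress.ip_network(net) and rule_port in (None, port):
            return action
    return "block"  # default deny

def leaks(iface, probe_ports=(22, 80, 443, 445)):
    """List (vlan, address, port) that iface can reach inside the network."""
    found = []
    for name, net in VLANS.items():
        # Every VLAN's gateway address, plus a sample host on *other* VLANs
        # (traffic between hosts on the same VLAN never crosses the router).
        hosts = [net[1]] if name == iface else [net[1], net[10]]
        for host in hosts:
            for port in probe_ports:
                if decide(iface, str(host), port) == "pass":
                    found.append((name, str(host), port))
    return found

def internet_ok(iface):
    """203.0.113.10 is a documentation address standing in for the internet."""
    return decide(iface, "203.0.113.10", 443) == "pass"
```

Here `leaks("wifi")` comes back empty while `leaks("guest")` lists every internal address, because the guest rule set passes all traffic before its block rule is ever evaluated.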
 

mv2devnull

Golden Member
Apr 13, 2010
1,526
160
106
Sophos UTM 9 home + whatever AP you want imo.
The key point in that is that router and AP are two distinct functions and devices. Each a "best" of its kind. No all-in-one consumer device can get even remotely close.
 

MtnMan

Diamond Member
Jul 27, 2004
9,367
8,711
136
Synology RT2600ac meets all your requirements, plus you can install optional packages such as Intrusion Prevention, which also automatically updates. There is also a VPN Plus Server package you can install, again free.
https://www.synology.com/en-global/products/RT2600ac#specs

If your ISP is supporting IPv6, and you enable it on the router, IPv6 OpenDNS is still in the experimental stage.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,545
422
126
> Synology RT2600ac meets all your requirements, plus you can install optional packages such as Intrusion Prevention, which also automatically updates.

That said, there are numerous reports that once you install and use the intrusion prevention package, the performance of the router goes steeply downhill.


:cool:
 

MtnMan

Diamond Member
Jul 27, 2004
9,367
8,711
136
> That said, there are numerous reports that once you install and use the intrusion prevention package, the performance of the router goes steeply downhill.
>
> :cool:

I heard that was a problem on the 1900 model, but I have not experienced any slowdown or performance issue with the 2600, which has a much beefier dual-core CPU and more RAM.

I have 60/5 plan with charter, and get 65/6 on speed tests, for both wired and wireless devices and router is configured as dual-stack.
 
Feb 25, 2011
16,991
1,620
126
> I need a new wireless router. I'm mostly concerned with security. There's only a couple of laptops, two or three phones, and maybe one streaming tv. Here's what I was told to look for:
>
> * Automatic firmware updates or at least notifications

Most routers have notifications in the webUI now, I think.

> * No WPS

Easy to disable on any router that has it.

> * Guest network ability

Most higher-end consumer routers have this now.

> * Firmware rollback option

Most routers will let you flash an older FW version, but a proper rollback (it keeps around both the current and previous firmware, and falls back to the old one if there's a problem) is pretty enterprise-ey; I wouldn't expect a consumer router to have this. It's standard on rack-mounted Cisco gear and the like.

I suppose you could buy some used enterprise equipment, but then you'd need a separate WAP for wifi.

If you're not a network geek, that's a terrible idea.

> * Able to disable remote admin access - ethernet only access

Remote management is off by default on every router I've ever used.

> * Can disable (or stealth) PING, Telnet, SSH, UPnP, and HNAP

This is configurable on every router I've ever used. If all else fails, the firewall settings can be used to turn these off.

> * OpenDNS

DNS server is configurable on every router I've ever used.

> * VPN

Specifically, you want OpenVPN compatibility.

> * Dual-band would be preferable

Pretty much standard these days.

I'd be looking at an open source router firmware like Tomato or DD-WRT (which have all that stuff), and buy the hardware that is recommended by those communities.

Higher-end ASUS consumer routers have firmware that is based heavily on... umm... Merlin, I think? Maybe. I don't remember. Anyway, they do all that out of the box.

The above solutions and recommendations are not wrong, but they are crazy-overkill.
 

VirtualLarry

No Lifer
Aug 25, 2001
56,571
10,207
126
I'm using an Asus AC68R (same hardware as AC68U), running Tomato firmware. Runs pretty decently. Only have 75/75 and 10/1 connections running through it, so I haven't tested the limits of the router with a gigabit Internet connection.
 
Feb 25, 2011
16,991
1,620
126
> I'm using an Asus AC68R (same hardware as AC68U), running Tomato firmware. Runs pretty decently. Only have 75/75 and 10/1 connections running through it, so I haven't tested the limits of the router with a gigabit Internet connection.

Do you torrent? Because that will test the limits of a router regardless of your connection.
 
Feb 25, 2011
16,991
1,620
126
> What tests the limits of a router more, torrenting or uploading to cloud storage?

Torrenting as part of a big swarm, probably.

Handling a few hundred simultaneous connections, even if none of those individual connections is itself consuming a lot of bandwidth, is a lot more CPU- and RAM-intensive than doing one full-speed upload to a single server.

You could also set up some kind of synthetic benchmark, I suppose.
 

pcslookout

Lifer
Mar 18, 2007
11,959
157
106
> Torrenting as part of a big swarm, probably.
>
> Handling a few hundred simultaneous connections, even if none of those individual connections is itself consuming a lot of bandwidth, is a lot more CPU- and RAM-intensive than doing one full-speed upload to a single server.
>
> You could also set up some kind of synthetic benchmark, I suppose.

How to set up a synthetic benchmark please?

Right now I am testing 3 wireless devices and 1 wired device on my router all doing something at once. 3 devices streaming video (Netflix, Directv Now) and my one wired connection pc downloading on Newsgroups with an upload to dropbox for a test only.

All with no streaming buffering or lag.
 
Feb 25, 2011
16,991
1,620
126
> How to set up a synthetic benchmark please?

Dunno myself - other people do that. I usually just trust smallnetbuilder. They've outlined their methodology here:

https://www.smallnetbuilder.com/lanwan/lanwan-howto/33097-snb-s-router-test-gets-tougher-a-preview

> Right now I am testing 3 wireless devices and 1 wired device on my router all doing something at once. 3 devices streaming video (Netflix, Directv Now) and my one wired connection pc downloading on Newsgroups with an upload to dropbox for a test only.
>
> All with no streaming buffering or lag.

I wouldn't expect load that minimal to be problematic on anything relatively recent.
 

pcslookout

Lifer
Mar 18, 2007
11,959
157
106

Red Squirrel

No Lifer
May 24, 2003
70,166
13,572
126
www.anyf.ca
Yeah, torrents are a pretty good way to test a router. Anything with a lot of small connections.

I wrote a program once that generated millions of connections and transferred bits of data, never occurred to me it could be turned into a benchmarking app as I don't think anything like it exists. I had written it to test a tcp/ip class I wrote and not so much to test the network.
 

ChrisKC

Junior Member
Jul 21, 2017
6
0
6
> I think a custom Untangle box would be perfect for all that. (or pfSense)
>
> Essentially you assemble a small computer, install the Untangle OS, and then load it up with whatever security features you fancy. Very secure...

Pfsense box would be my recommendation as well.

So if I go this route, what specific hardware should I use? I've reviewed the hardware requirements. I know Netgate sells their own boxes and I found several options on FirewallHardware.it among other sites. I do plan on running OpenVPN and TOR, as well as packages.