Author Topic: What router do you use?  (Read 27377 times)

Offline Wuerstchenhund

  • Super Contributor
  • ***
  • Posts: 3088
  • Country: gb
  • Able to drop by occasionally only
Re: What router do you use?
« Reply #50 on: December 05, 2014, 01:42:16 pm »
Quote
What is everyone using?

Currently I use a FortiNet FWF-80CM which is under full support. Not only is the hardware rock-solid, it's fast enough for most high-speed lines, and it gives me much better protection with sophisticated Intrusion Detection, anti-malware scanning and such. It's also a modern NGW firewall which works at the application level and not one of the old stupid SPI firewalls (which is what consumer routers and firewall distros such as pfSense and IPFire are).

Someone said that all consumer routers are more or less shit. I can do nothing but agree. Some of these routers may be better, but at the end of the day they are all very poor. And installing something like OpenWRT/DD-WRT doesn't help much when the low-performance hardware is made for the lowest price point possible. And no matter what you put on top of such a POS it's still a plain old stupid SPI firewall.

Depending on how much comfort you want (i.e. router acting as media server, NAS or other gimmicks) and how important security is for you there are various options:

1. Roll Your Own
Get some decent(!) reliable low-power hardware and install one of the free firewall distros on it for example:
- pfSense: reliable, doesn't need much resources. Negatives are that even in the current 2.2 beta the support for 11n WiFi sucks donkey balls. It's also an SPI Firewall and the IDS and anti-malware options are very basic and pretty poor
- IPFire: simple router distro which does other things as well. No WiFi AP support as far as I know, 32bit only, and like all the other firewall distros a simple SPI firewall.
- Untangle: free version of the commercial UTM firewall variant, bit awkward GUI, and the free UTM apps are overall pretty basic.
- Sophos UTM: former Astaro ASG, this is a professional UTM firewall that is free for home use. One of the best products on the market which provides very good IDS and antimalware protection. If you roll your own then I'd strongly recommend Sophos over the alternatives.

2. Get a real Firewall
These days you can get decent second hand firewalls (i.e. Watchguard XTM2 Series) for little money on ebay. With Watchguard you can create a free account and have the device ownership transferred to that account, and you can download firmware updates even without support contract (although they can only be installed with a little trick). You can get some cheap FortiGate/FortiWifis as well, firmware for those is also available.

Whatever you do however, don't buy anything where you can't get regular firmware updates. "Just works" isn't enough, there's a lot of stuff going on even on consumer routers, and without good firmware support you make yourself vulnerable. If you buy a "real" firewall then make sure that the device is still supported through updates.
« Last Edit: December 05, 2014, 01:44:35 pm by Wuerstchenhund »
 

Offline SteveyG

  • Supporter
  • ****
  • Posts: 993
  • Country: gb
  • Soldering Equipment Guru
Re: What router do you use?
« Reply #51 on: December 05, 2014, 01:59:37 pm »
Quote
1. Roll Your Own
Get some decent(!) reliable low-power hardware and install one of the free firewall distros on it for example:
- pfSense: reliable, doesn't need much resources. Negatives are that even in the current 2.2 beta the support for 11n WiFi sucks donkey balls. It's also an SPI Firewall and the IDS and anti-malware options are very basic and pretty poor
- IPFire: simple router distro which does other things as well. No WiFi AP support as far as I know, 32bit only, and like all the other firewall distros a simple SPI firewall.
- Untangle: free version of the commercial UTM firewall variant, bit awkward GUI, and the free UTM apps are overall pretty basic.
- Sophos UTM: former Astaro ASG, this is a professional UTM firewall that is free for home use. One of the best products on the market which provides very good IDS and antimalware protection. If you roll your own then I'd strongly recommend Sophos over the alternatives.


You missed off ClearOS which is also a great solution.
YouTube Channel: https://www.youtube.com/user/sdgelectronics/
Use code: “SDG5” to get 5% off JBC Equipment at Kaisertech
 

Offline Wuerstchenhund

  • Super Contributor
  • ***
  • Posts: 3088
  • Country: gb
  • Able to drop by occasionally only
Re: What router do you use?
« Reply #52 on: December 05, 2014, 05:19:41 pm »
Quote
You missed off ClearOS which is also a great solution.

ClearOS isn't really a router/firewall distro, it's meant as a server distro. It can do routing and firewalling (as any Linux distro can) but it's a bit oversized for that, and still only offers a plain old SPI firewall and snort IDS.

ClearOS is nice if you need a file/mail/groupware server but none of these servers should really run on the firewall hardware.
« Last Edit: December 05, 2014, 05:22:10 pm by Wuerstchenhund »
 

Offline Red Squirrel

  • Super Contributor
  • ***
  • Posts: 2750
  • Country: ca
Re: What router do you use?
« Reply #53 on: December 06, 2014, 01:49:24 am »
Maybe overkill but I have a 1U server I put pfsense on and use as my router/firewall.  It does vlans too. I have a Unifi AP for the wireless and a few wireless networks that are on different vlans.  Works great and it has tons of configuration options compared to the crappy consumer grade ones.
 

Offline extide

  • Regular Contributor
  • *
  • Posts: 95
  • Country: us
    • Rovitracker - Rental management AND Real-Time data!
Re: What router do you use?
« Reply #54 on: December 06, 2014, 05:09:11 am »
I wouldn't go so far as to say SPI firewalls are old and stupid. Snort is a perfectly good IDS but you need to pay money to get the latest definitions, and for web browsing at least you can set up squid with ClamAV and then you can even use caching which can be nice on some connections.
 

Offline LEDAero

  • Regular Contributor
  • *
  • Posts: 77
  • Country: nz
Re: What router do you use?
« Reply #55 on: December 06, 2014, 06:54:19 am »
Router Name dd-wrt v24
Router Model Linksys E4200

It's got USB, 2.4GHz and 5GHz. 

Get great coverage all over our (large, brick, concrete floor) house.

I paid about $50 for it and it took about 20 minutes to reflash and configure with DD-WRT.
 

Offline SL4P

  • Super Contributor
  • ***
  • Posts: 2318
  • Country: au
  • There's more value if you figure it out yourself!
Re: What router do you use?
« Reply #56 on: December 06, 2014, 11:14:27 am »
Quote
... routers get _really_ expensive at that point (400 EUR and above for example ZyXEL ZyWall 110)

At my old office (last year), I was using Extreme Networks switches, routers and access points... but just the switches were north of $25K each.  Sigh.
Don't ask a question if you aren't willing to listen to the answer.
 

Offline SteveyG

  • Supporter
  • ****
  • Posts: 993
  • Country: gb
  • Soldering Equipment Guru
Re: What router do you use?
« Reply #57 on: December 06, 2014, 04:48:48 pm »
Quote
You missed off ClearOS which is also a great solution.

Quote
ClearOS isn't really a router/firewall distro, it's meant as a server distro. It can do routing and firewalling (as any Linux distro can) but it's a bit oversized for that, and still only offers a plain old SPI firewall and snort IDS.

ClearOS is nice if you need a file/mail/groupware server but none of these servers should really run on the firewall hardware.

Maybe on the old versions, but from 6 onwards it can be set up for whatever you want. File server, web server, mail/printer server, firewall or a router or any combo of the above. The virus and firewall subscriptions make it no worse than any other device on the market.
YouTube Channel: https://www.youtube.com/user/sdgelectronics/
Use code: “SDG5” to get 5% off JBC Equipment at Kaisertech
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7769
  • Country: de
  • A qualified hobbyist ;)
Re: What router do you use?
« Reply #58 on: December 06, 2014, 07:05:48 pm »
Whatever you choose, make sure it has proper IPv6 support. Not just routing and filtering, but also address assignment and prefix delegation.
 

Offline Wuerstchenhund

  • Super Contributor
  • ***
  • Posts: 3088
  • Country: gb
  • Able to drop by occasionally only
Re: What router do you use?
« Reply #59 on: December 08, 2014, 06:08:37 pm »
Quote
ClearOS isn't really a router/firewall distro, it's meant as a server distro. It can do routing and firewalling (as any Linux distro can) but it's a bit oversized for that, and still only offers a plain old SPI firewall and snort IDS.

ClearOS is nice if you need a file/mail/groupware server but none of these servers should really run on the firewall hardware.

Quote
Maybe on the old versions, but from 6 onwards it can be set up for whatever you want. File server, web server, mail/printer server, firewall or a router or any combo of the above.

It's all fine and great that all these functions can be set up on one box, this doesn't mean it's a good idea. Server services should never ever run on the firewall.

Quote
The virus and firewall subscriptions make it no worse than any other device on the market.

Only if you don't know what else is on the market. ClearOS is certainly a great all-in-one package but even the paid-for options are nowhere near the protection you can expect from a NGFW like a WatchGuard, Fortinet, SonicWall or Sophos UTM. The latter also runs on PC hardware and is free for home use.

As a simple SPI firewall it's overladen, something like pfSense is a much better option for such a case, which I would also trust much more to address safety issues promptly than ClearOS.
 

Offline Wuerstchenhund

  • Super Contributor
  • ***
  • Posts: 3088
  • Country: gb
  • Able to drop by occasionally only
Re: What router do you use?
« Reply #60 on: December 08, 2014, 06:17:20 pm »
Quote
I wouldn't go so far as to say SPI firewalls are old and stupid.

They *are* stupid. SPI firewalls are application agnostic, which means they can't see what application is going to communicate. SPI firewalls act by communication states, but that's about it.

Oh, and they are definitely old, SPI firewalls have existed since the 90's.

Quote
Snort is a perfectly good IDS but you need to pay money to get the latest definitions

Exactly, but then the question arises why not invest in something which offers a bit more sophisticated IDS. Or if it's for home use why not use something like Sophos UTM which is free for home use and does a much better job as a firewall?

Quote
and for web browsing at least you can set up squid with ClamAV and then you can even use caching which can be nice on some connections.

Yuck, ClamAV. You know that this is by far the worst and most useless antivirus scanner ever invented? Its effectiveness against malware is roughly the same as Holy Water.
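
Added example (not part of any post in this thread): the SPI versus application-level distinction argued over in Replies #60 to #62, shown as a toy state-tracking filter next to a payload check. The class and function names, the 192.168.1.x inside network, the outbound policy and the sample packets are all assumptions constructed for the illustration.

```python
# Added illustration: a state-only (SPI) filter next to an application-level check.
# Addresses, ports, policy and packets are all constructed for this example.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags payload", defaults=[b""])

LAN_PREFIX = "192.168.1."        # assumed inside network
ALLOWED_OUT_PORTS = {80, 443}    # assumed outbound policy
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

class SpiFirewall:
    """Decides on connection state alone; never reads the payload."""
    def __init__(self):
        self.conns = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, p):
        if p.src.startswith(LAN_PREFIX):              # outbound packet
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == "S":                        # SYN opens a new flow
                if p.dport not in ALLOWED_OUT_PORTS:
                    return False
                self.conns.add(key)
            return key in self.conns                  # must belong to a known flow
        # inbound: accepted only as a reply to a flow opened from inside
        return (p.dst, p.dport, p.src, p.sport) in self.conns

def app_layer_ok(p):
    """Application-level check: data sent to port 80 must look like HTTP."""
    if p.dport != 80 or not p.payload:
        return True   # outside this sketch's scope (replies, bare ACKs, TLS on 443)
    return p.payload.startswith(HTTP_METHODS)

def verdicts(packets):
    """Per packet: (SPI verdict, SPI plus application-level verdict)."""
    fw, out = SpiFirewall(), []
    for p in packets:
        spi = fw.allow(p)
        out.append((spi, spi and app_layer_ok(p)))
    return out

SAMPLE = [  # constructed traffic
    Packet("192.168.1.10", 40000, "203.0.113.5", 80, "S"),
    Packet("203.0.113.5", 80, "192.168.1.10", 40000, "SA"),
    Packet("192.168.1.10", 40000, "203.0.113.5", 80, "PA", b"GET / HTTP/1.1\r\n"),
    Packet("192.168.1.10", 40000, "203.0.113.5", 80, "PA", b"SSH-2.0-example\r\n"),
    Packet("198.51.100.9", 4444, "192.168.1.10", 22, "S"),
]

if __name__ == "__main__":
    for pkt, v in zip(SAMPLE, verdicts(SAMPLE)):
        print(pkt.src, "->", pkt.dst, pkt.dport, v)
```

Both filters drop the unsolicited inbound packet; only the payload check objects to the fourth packet, which is non-HTTP data inside an established port-80 flow.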
 

Offline extide

  • Regular Contributor
  • *
  • Posts: 95
  • Country: us
    • Rovitracker - Rental management AND Real-Time data!
Re: What router do you use?
« Reply #61 on: December 08, 2014, 08:26:21 pm »
Just because SPI firewalls have been around since the 90's doesn't mean they aren't effective. Protocol-inspecting firewalls can have some advantages, but it takes significantly more horsepower to run one of those at high throughput, and not everyone likes to have all of your packets messed with that much. Coming out so blatantly against something that is perfectly fine for 100% of home users, kind of makes you look a bit arrogant, ya know?
 

Offline TSL

  • Regular Contributor
  • *
  • Posts: 243
  • Country: au
Re: What router do you use?
« Reply #62 on: December 09, 2014, 12:15:07 am »
I'm surprised about the barking on about SPI firewalls when, fundamentally, Sophos UTM is an SPI with other things stuck on top.

After all it's just the Astaro Linux distro firewall with commercial support and nicer antivirus like McAfee rather than ClamAV.

Fundamentally the end user needs to ask ...

"Am I happy with the TrendMicro|McAfee|Avast|etc protecting my PC?"

if the answer is yes then an SPI firewall is all that's needed plus whatever additional features you might require like IPv6 support, OpenVPN, logging etc - which 99% of top ten distros provide.

If you're trying to protect a number of desktops, or small business, where you might not have direct control over the configuration of those desktops or end hosts, then yes a UTM firewall is probably what you need.

Any security is a layered approach, how many, what they are, and where you want to implement those layers should be an output of your risk assessment.

regards

Tim


VK2XAX :: QF56if :: BMARC :: WIA :: AMSATVK
 

Offline SteveyG

  • Supporter
  • ****
  • Posts: 993
  • Country: gb
  • Soldering Equipment Guru
Re: What router do you use?
« Reply #63 on: December 09, 2014, 09:00:23 am »
Quote
ClearOS isn't really a router/firewall distro, it's meant as a server distro. It can do routing and firewalling (as any Linux distro can) but it's a bit oversized for that, and still only offers a plain old SPI firewall and snort IDS.

ClearOS is nice if you need a file/mail/groupware server but none of these servers should really run on the firewall hardware.

Quote
Maybe on the old versions, but from 6 onwards it can be set up for whatever you want. File server, web server, mail/printer server, firewall or a router or any combo of the above.

Quote
It's all fine and great that all these functions can be set up on one box, this doesn't mean it's a good idea. Server services should never ever run on the firewall.


You're missing the point. You can use it as a plain firewall, or a firewall and router. Nothing says you have to use the web or file servers :palm:

The firewall subscriptions are as good as any other offering. I had a Watchguard firewall before I turned it into a pfSense box, but the differences are minimal.
« Last Edit: December 09, 2014, 09:02:52 am by SteveyG »
YouTube Channel: https://www.youtube.com/user/sdgelectronics/
Use code: “SDG5” to get 5% off JBC Equipment at Kaisertech
 

Offline Zucca

  • Supporter
  • ****
  • Posts: 4308
  • Country: it
  • EE meid in Itali
Re: What router do you use?
« Reply #64 on: January 26, 2015, 11:06:24 am »
https://blog.pfsense.org/?p=1546

Quote
pfSense 2.2-RELEASE Now Available!
January 23rd, 2015 by Chris Buechler

I’m happy to announce the release of pfSense® software version 2.2! This release brings improvements in performance and hardware support from the FreeBSD 10.1 base, as well as enhancements we’ve added such as AES-GCM with AES-NI acceleration, among a number of other new features and bug fixes. Jim Thompson posted an overview of the significant changes previously.

In the process of reaching release, we’ve closed out 392 total tickets (this number includes 55 features or tasks), fixed 135 bugs affecting 2.1.5 and prior versions, fixed another 202 bugs introduced in 2.2 by advancing the base OS version from FreeBSD 8.3 to 10.1, changing IPsec keying daemons from racoon to strongSwan, upgrading the PHP backend to version 5.5 and switching it from FastCGI to PHP-FPM, and adding the Unbound DNS Resolver, and many smaller changes.
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7769
  • Country: de
  • A qualified hobbyist ;)
Re: What router do you use?
« Reply #65 on: January 26, 2015, 12:52:31 pm »
Quote
I'm surprised about the barking on about SPI firewalls when, fundamentally, Sophos UTM is an SPI with other things stuck on top.

I think he wants an ALG. But that's going to be too expensive for SOHO users.
 

