I'd like explore making a small ecosystem of open security plugins built on top of OpenWrt.
The goal is to make firewalling and controlling network traffic really easy.
The UI should be so easy a parent could perform difficult tasks such as limiting an iot devices traffic to local net or maybe just one ip using just an app.
Or detecting unusual patterns of traffic from a device or IP addresses.
The apis exist I can't think of many barriers to entry.
It seems obvious that this should be developed, but to take it a step further it would be great if consumers could purchase something that gave them access to these plugins without needing to know how to setup OpenWRT. This will be challenging because most ISPs provide the router and firmware for the majority of their customers.
ISPs will have to start requiring the OEMs to offer some form of ongoing software maintenance, rather than just the rare bug fix on a distribution that otherwise dates to when the SoC inside first taped out. I can't imagine the OEMs or the SoC vendors being willing to do that kind of maintenance in-house, but the large ISPs certainly have enough leverage to require upstream support in OpenWRT.
Where the ISP forces use of their modem (like mine does), you can still set it up as a gateway and make it a pure modem, using a second router for your local network.
It's what I've done for years and it works fine. I have a Pi-hole off my ISP modem, and the Pi-hole does DHCP, DNS, VPN, and more for our network at the same time as doing it's normal filtering job.
I'd love a better device where my Pi-hole is though, which I can configure easier, set up for my friends and family then they can manage it themselves, etc. There's definitely a market for this at least from me!
Why did not they add the features to OpenWrt trying to make it better?
Almost all the forks of OpenWrt die in months. Some lasted only few years. I am afraid that it is a wasted effort.
I think mainline openwrt runs on turris hardware now. From what I remember, the main feature of their fork is/was snapshot management through btrfs. Updates are quite lacking in general on openwrt, so I think it's good that they are doing something about it. Ideally, I would like to run a full distro on routers, and manage it through standard distro tools, now that we have reasonably powerful hardware (like the Turris).
The biggest barrier to entry I've found with this stuff is the hardware, I can't walk into a store and buy something with OpenWrt pre installed and for various reasons online isn't a a good option. I've looked at various possibilities and the whole scene is a mess similar to phone ROMs where you have to trawl through random forums, pull down random ROMs, trawl through more forums to find out why x doesn't work in $country with $ISP.
It's impenetrable to anyone that doesn't want to invest months into the scene and develop expertise in it. Much like phones we really need a PC equivalent in this space.
> I've looked at various possibilities and the whole scene is a mess similar to phone ROMs where you have to trawl through random forums, pull down random ROMs, trawl through more forums to find out why x doesn't work in $country with $ISP.
That's describing pretty much all the alternative firmware distributions, except OpenWRT, which is actually well-organized and delivers real stable releases. If you're digging through forums to find forks and builds made by some anonymous individual, it's almost certainly because you got fooled into buying hardware that requires closed-source drivers. (Or else you bought something that is just too new and not yet supported by OpenWRT.)
> it's almost certainly because you got fooled into buying hardware that requires closed-source drivers.
Bingo, that seems to be about all that's available. I'm looking at off the shelf hardware I can purchase locally, hardware I know works with local ISP's, I have no idea if we use the same standards as America for this stuff, what connections and adapters I'll need, etc. Buying locally eliminates these variables.
If there's a happy path by all means share. I only looked into this stuff in the first place so I could get set up a home server and my current modem/router is woefully out of date and has a very suspect definition of DMZ.
Your ISP is irrelevant, unless you're shopping for an integrated modem+router. Rule number 1 is don't do that, and keep your modem separate and just a modem. Then your router only needs the universal standard Ethernet port as its WAN interface, and at worst you might have to configure PPPoE instead of just using DHCP to get your public IP.
> Rule number 1 is don't do that, and keep your modem separate and just a modem
I think I'm going to have to go down this path, I was just hoping to avoid it. It means having another device to configure, another set of blinking lights, another weird shaped plug to try and squeeze into the power board and learning whatever PPPoE is just to transform Ethernet packets into the ADSL equivalent.
It also possibly means a more complicated setup controlling outbound connections so that a compromised server cannot reach the modem.
Most modems do not usually have much to configure if anything at all. Most management pages for these devices will have line quality metrics and other network debugging tools and have zero user configurable settings. PPPoE settings are usually all configured by the router/gateway.
I think the problem is that it already is really easy. I feel like it'd be hard to simplify the interface of something like UniFi's AP series and still keep the number of knobs it gives you. And you almost certainly will never simplify it to the point that people will stop making youtube bandicam free edition tutorials on how to port forward your minecraft server.
The UniFi range is very easy. The Edge series (such as EdgeMAX) is slightly less easy, but also more powerful.
Easy and secure are not always a good match though. Take UPnP for example. Disabled by default on my ER-L, it can be enabled, but its ultimately insecure. And ultimately, HTTP over SSL could download payloads.
We would like to build a captive portal using OpenWRT, to implement social networks running on a LAN. Anyone who is interested in this kind of stuff and has some experience, please contact me at greg+captive @ at @ qbix.com
I agree with Steven Gibson. The biggest defense we can have on this is autoupdating routers. At a minimum, just restart at some fixed time after an update is downloaded. More fancy would be dynamically calculating a low usage day and time to restart.
But this would also involve the router manufacturer keeping it up-to-date as well.
Which gets me thinking... Does a SOHO (or any) device exist that effectively runs two firmware instances at once to allow minimal downtime as it switches over to new firmware? I imagine larger routers do, or at least, two identical physical routers accomplishes as much.
You will probably need more complex hardware to accommodate this and it will be much more complex to implement correctly. For SOHO it is better to simply optimize for quicker boot process. For homes it doesn't even matter, just reboot the thing automatically on schedule during night. My expensive router does this and it is not hard or expensive to implement in all new models, regardless of their price.
With a current kernel and updated userland? the no-password root ssh after flashing is vulnerable to others in your local network yes, keep it offline until pubkey-only auth is configured. To save against dropbear exploits, bind ssh to the internal-ethernet interface and if installed, access uhttpd/LuCI only via this tunnel. Other than that it seems equal to other default distribution installs. Apparmor/selinux steps up ubuntus/fedoras game yes, I don't know how much of this has been a concern yet in OpenWrt, a recent talk touches shortly on it. It seems to be a clean, easy-to-configure distribution that is alive and well after the remerge that just got a recent stable-release. Secondary vectors like package-system are a factor. But despite being reliant on the vendor, it buildable by the end-user. I applaud their efforts.
One thing I hated about ddwrt was how hard it was to get a TLS download and/or hash. Like seriously, if I'm putting this on my router I don't want it coming down by http!
>.. Does a SOHO (or any) device exist that effectively runs two firmware instances at once to allow minimal downtime as it switches over to new firmware? I imagine larger routers do, or at least, two identical physical routers accomplishes as much.
Quite likely that google-wifi (chromeos) does, or at least is capabale of doing that given good enough hardware. All of google's products have moved to this sort of A/B layout.
Unlike with Windows I seriously doubt that. Windows reboot is unpredictable and a) can break your work flow and b) can possible corrupt your unsaved data, calculations etc.
Router reboot is simply a network outage for 2-3 minutes and routers that can do auto-update also always support configuration it. E.g. Reboot at 3am in the night, only on Monday and only if there had been new firmware in the last week. I can assure you that it is neither disrupting nor noticeable at all. Router boots neither break work flows nor corrupt your data (in SOHO segment).
> Does a SOHO (or any) device exist that effectively runs two firmware instances at once to allow minimal downtime as it switches over to new firmware?
There are plenty of routers that have two OS partitions so that a new version can be installed without interrupting the currently-running version, but you still need a full reboot to switch to running the new OS.
The way I do things, is to treat the cable modem as already compromised and connect it to a router 100% under my control (running Linux) that will perform additional firewalling and/or act as a wireless AP. I will never let a border device have any sort of direct access into my internal network.
There is no point in spending lots of time & effort trying to secure half-baked half-open devices that are not under my full control. I will do what I can [or what I'm allowed to do by the usually severely restricted configuration modem panel] but I know the game, there, is already lost. Moreover, the ISP can remotely administer the cable modem and flash anything to it.
A second perimeter that is based on infrastructure I fully configure/control/administer is where I still have a chance.
There's a worrying trend (I'm looking especially at you, UPC), where the ISP insists that the CPE device must be in router mode, and not in bridge mode. The UPC's current excuse is, that their devices come preconfigured for DS-Lite and that most customers would be unable to configure their own routers for that.
Together with the fact, that you are getting a single /64, it means that you cannot place another router behind their router.
(And for IPv4 part of the DS-Lite, no, they don't support PCP).
Telling that the summary advice is “change the default password”, even if some of the other ideas are deployed user involvement is near zero if not completely zero. I wonder how impactful it would be to roll out a totally read-only router, or if the necessity of updates and maintenance would generate too much headache for the user
I think this is one of the awesome things about Google Wifi (aka: OnHub). It's fully managed from a phone app (via "the cloud"), so you get the authentication tied to your gmail account. It's also based on ChromeOs (chromebook OS), and follows a similar auto-update that Chromebooks get. So you are always running the latest firmware.
(There are obviously downsides to Google Wifi, my primary issue being that it doesn't have many of the advanced features that something like UniFi has. But for most people, it works well.).
While your points are valid, it is a bit disconcerting to have the world's largest data monetizer watch all of a home's traffic. Google's promised benevolence may be temporary
Even more than that; I left Google (as a user, never employee) because I was scared of being banned. Seeing stories of users on Amazon / Google getting their account banned due to something related to a business concern, made me realize that if someone flagged a google app I had my whole life could come to a grinding halt. Phone, phone number, email, storage, internet access! All that because maybe I got reports on a phone app I wrote (hypothetical).
I'm doing nothing illegal or unethical, nothing wrong. Nevertheless, I ran from Google asap due to that reason alone. Google represented a massive single point of failure to my digital life.
I now use separate products for just about everything I own. While it's not as convenient as Google, I feel far more secure.
Similar concerns, I recently used Google Express for a purchase, it worked fine, and then I deleted it. My Google account is my main email, and every new Google service is another opportunity for my whole account to get irreversibly banned.
Using Google with their famous lack of customer service to make purchases that I could conceivably need to put a chargeback on felt uncomfortably risky.
Tie my home internet connection to that? How do I know I won't get locked out of the cloud-integrated admin app? Why would I want it connected to anything Google?
The "one account everywhere" thing is convenient and great for their branding, but it's not great for my peace of mind.
Agree on lack of support. I have an account that is blocked. I forgot the password since it was always logged in. When I try to recover the password, it asks me a bunch of questions that I am pretty sure I am answering correctly. At the end it just tells me that the account cannot be recovered... even if I had the second factor authenticator still working and I punched in the right code. I searched high and low online but since they do not have any kind of support I have no way out. It is depressing.
To be honest, if someone doesn’t know my password, doesn’t have my 2-factor code, and can’t answer the security questions, I don’t want them to be able to call up customer service and social engineer an account takeover. I don’t think there’s any amount of proof that I could provide but an adversary targeting me couldnt’t fake to convince a call center employee.
What I’m more worried about is their “You violated the TOS. We can’t tell you how you violated the TOS. We can’t unban your account.” If you don’t know someone at Google, you’re out of luck.
Google also remotely wiped a bunch of its customers' routers, driving them off line and causing all sorts of problems.
Which isn't to say that home customers would have necessarily done better, but most people don't have random maintenance bring them down at random times.
One nice thing with Google WiFi being based on CROS, is that it's mostly open source (about the same level as Android, where there are some binary blob board support packages). With that, there is custom firmware you can load know Google Wifis: https://github.com/marcosscriven/galeforce
I think there is a pretty big distinction wrt routers, in that an end-user cannot build it. That link states as much under the, "Why not just build Chromium OS from source" section. Has anything changed ? With android at least, google distributes the blobs. This probably (?) explains why openwrt hasn't been ported to any of the google routers, although the availability of chromiumOS source would make you think that it would be straightforward.
While it's amusing to consider that someone cares, the fact is that if someone wanted to specifically surveil you the most likely way to do so would be to crack into your computers and network devices. That's the real threat model. You want the device with the best functional security. I don't think you should rule out any candidates based on imaginary privacy issues.
Perhaps it's just because I'm not in the target demographic, but this is exactly the reason that Google Wifi is completely out of consideration if I ever need to buy a new router.
Give me local ssh and WebUI. No cloud, no phone apps.
Wow, really? Am i reading that right, that without an active WAN connection, the internal LAN connections don't work on Google WiFi hardware? That sounds more like an "Internet appliance" than it does a router.
UniFi products also work from the cloud, if you enable that (it is optional) and you're not tied into the system of one of the largest data gatherers in the world.
Microsoft with Windows 10 uses machine learning to figure out when its most convenient for the user to update (latest Insider build has this function). Either way, Windows has come a long way from 9x randomly crashing and every other piece of software requiring a reboot.
It’s useful but not necessary. It’s hard to offer the simplicity described above while keeping the control in your hands, but some folks working on wireless mesh are working on it:
"Simplicity" can be a negative indicator of security. If it's simpler for you, it might also be simpler for an attacker.
Manual steps with the physical hardware, or even requiring a local wifi/ethernet connection, are always going to be more secure than an internet-accessible god mode.
Could you be more specific regarding why it's "hard"? I reject the premise that such a limited feature set can be "hard" to support without "cloud". Seems like some combination of NFC/QR codes, WPS and Android/iOS ought to be able to do the job. Mesh set-ups are known to work just fine on-prem. Moreover, a fully local system will almost certainly be more reliable, and will last longer. Certainly beyond the date when Google inevitably cancels the project on their end.
AT&T and a few others currently deal with this problem by having a random password assigned for the admin user printed on a sticker on the side of their Modem/Router combo boxes. It seems to work pretty well.
Got a new netgear router the other day and it used this. Default admin and default wpa2 key were randomly-generated at the factory and printed on the back of the router. If/when my parents need a new router I'm going to have them get one of these and never have to guide them through the security gui again.
While I do like the idea, att boxes are very low quality and drop wifi connections constantly. I've always installed a ubuqiti router and AP. Apparently it's impossible to disable the firewall on the att box also. I've actually called att and had the conversation: "can you enable some ports". CSR, which ones? Tcp and udp 1-65,535...
For most users, this really isn't a problem. I never had many problems using the ATT stock boxes for routing, but like you have moved on to better solutions. But we also understand how to secure our devices. Even newer consumer routers are following this same strategy of printed admin passwords, so if a consumer is deciding to replace it with a newer device it still works! :)
This is what my ISP does for their router/cable modem combo. There's a sticker that tells you the SSID, the password for the SSID, the URL for the web interface along with the user ID and password. The passwords are both randomly generated.
They will also put it into bridge mode for you where none of that stuff applies.
Yeah, mine as well, until recently they figured out that the passwords weren't so randomly generated as they were derived from the SSID. Great entropy...
I recommend to use a mnemonic password [1] and just print out the WiFi password (without using Google Cloud...) and use some adhesive tape to attach it on the bottom of the router. The downside is that someone who has physical access to the router can see the password within seconds. Someone's who's plumbing your drain or when you are on the toilet.
That they put it into bridge mode when you request is due to EU regulations where EU civilians have free choice of router.
Only reason I would be concerned about using that specific generator in particular would be the fact that it severely limits your passwords to the "kid-friendly" set.
If you have to create pw you want use one time and tell it to someone over the phone or use it for "Guest WiFi" network, I don't see why I got downvoted.
It is not like I am going to use it for my main email account.
The only con I can think to that is the initial influx of support questions. I have no idea why this is not the default now, its simple, user friendly, and way more secure
Cox (Orange County) and Verizon Fios (Los Angeles) delivered routers with good-looking, seemingly randomly generated passwords printed on a label. It's been this way with Cox for at least six years.
Exactly. That’s because FiOS routers allow tech support and their website to acquire information about your network, including your WPA passphrase, devices connected on your local network and more.
For that reason alone it’s best to have your own equipment not tied to the ISP, IMO. The ISP can already see all of my plaintext traffic, DNS requests, and MITM all my sessions if they wish. I’d rather not give them full access to my private network on top of that.
The idea of a completely read-only router is really interesting. I used to buy hardware that would only work with open firmware -- I used to love to constantly update and mess with DD-WRT. But in more recent years I've just started buying high-performing hardware and skipping the customization beyond SSID and passwords. With faster connections, UPNP, and decent default QoS policies I pretty much never have to configure my access points or routers anymore. I'm pretty sure the average consumer has no desire to configure anything.
I don’t know how it’s possible to be read only. It needs to update things like routes and arp tables. That’s exactly the type of stuff that gets poisoned when attacked.
The best advice I can offer for people who know what they are doing (eg: HN readers), for their homes and home offices, is to separate the functions of modem, router and wifi.
Have a DOCSIS3 / DOCSIS3.1 modem that is a dumb L2 bridge. TP-Link makes decent ones that are compatible with Comcast. You can find them and their reviews on Amazon.
Use something like a Ubiquiti ER-X (Edgerouter X) for your WAN-to-LAN interface and NAT. The Ubiquiti EdgeOS is developed by a team of people they hired away from vyattta when vyatta was sold to Brocade. It's a fork of Vyatta with a decent UI on top of it, and full SSH access. Which is of course based on Debian.
Have no wifi functions in your router!!!
And then something like a set of ubiquiti UAP-AC-LITE or UAP-AC-PRO access point(s), as needed. You can set up the ubiquiti unifi controller inside of a debian VM in virtualbox. The controller does not need to run persistently , just once to provision the APs, if you're doing basic WPA2-presharedkey authentication for your home. Bring up the VM again in the future on your laptop if you need to make changes.
This is a pretty low budget but highly effective solution ($65 cablemodem + $48 router + $78 wifi AP).
If you prefer Mikrotik to ubnt, there are a lot of small, similarly sized things you could replace the ER-X with that are in the $45 to $80 price range that will perform similarly.
Separating the ISP-controlled modem from the router is certainly good advice, but I can't see any strong reason to recommend separating the AP from the router. If you know your AP needs to be located far from the router in order to provide decent coverage, then it makes sense. Otherwise, there's no technological or economic justification for putting three exclamation marks on that point. You just make your setup a lot more complicated (a whole extra VM for the admin tools?!)
The Venn diagram overlap of routers that have serious admin features and routers that have wifi built in is not very large. Separating the wifi allows you to replace or change wifi without bringing down services to local hardwired home servers.
What do you mean by "serious admin features" for a router? They run Linux and any third-party firmware will give you ssh access. What's missing? And swapping out WiFi radios is something that you only need to do once every few years, so it's nothing that should weigh on the decision about what to use in the meantime—especially since new APs can be added to the network without requiring you to physically decommission the WiFi capabilities of your primary router.
I'll take this opportunity to ask the community, what is a recommend router?
It's going to be me and my roommate only (with friends and family over) and I would like to get something secure and also reliable (and preferably on the cheaper side)
Any suggestions? I believe we have Cox if that is any factor....
Ubiquiti makes great prosumer stuff, if you're willing to pay ~$120 for the 'router', and then another ~$100 for the wireless access point. That's not 'cheap', but it's about on par what you'd pay for a fancy consumer router that looks like a spaceship.
You'll get a great interface, frequent firmware updates with new features and security fixes, and you'll have a good strong signal at your neighbour's house if you're going for a visit.
You can get the EdgeRouter X for ~$50 and that will scale to symmetric gigabit connections, if your needs are simple (ie. you're just doing basic routing & firewalling, not trying to do traffic shaping, etc). Budget AP option then is a UAP-AC-Lite which you can buy off Amazon for ~$80, bringing your total to $130 all said and done.
That's cheaper than most all-in-one routers, and while you won't get the best single-client bandwidth, you will get much better management/configuration options.
It really isn't. There are plenty of consumer router+AP combos in the $75-90 range that offer equal or better performance to the ER-X + UAP-AC-Lite combination.
I explicitly mentioned that you could beat single stream performance with high end all-in-one routers.
However, no router in that price point gives you the ability to easily expand past one AP, RADIUS VLAN support, the Unifi web interface and so forth.
My last setup was an ASUS N66 dedicated as the router with an Archer C7 as the WAP. Good performance but the configurability and stability (even with ddwrt on the asus) doesn’t compare to the ubiquiti combo I run now.
> However, no router in that price point gives you the ability to easily expand past one AP, RADIUS VLAN support, the Unifi web interface and so forth.
You must be assuming that the user insists on sticking with broken vendor software, instead of switching to OpenWRT. The only software benefit that you don't get just as easily from OpenWRT is centralized management of multiple APs. Adding and configuring APs one at a time is very easy and since home networks never require more than 2-3 APs the lack of centralized management is not a significant issue. RADIUS and VLANs are fully supported by OpenWRT, and the web interface is fine except for the aforementioned limitation that you're only managing one AP at a time.
I suspect your stability issues with the ASUS router were a consequence of you using DD-WRT hobbled by proprietary WiFi drivers, instead of an OpenWRT-supported router. The DD-WRT "project" is a mess compared to OpenWRT, which actually puts out stable releases and operates more like a proper Linux distribution. Third-party firmware distributions aren't all the same.
As far as I can tell, you can’t do dynamically assigned VLANs on wireless via RADIUS on ddwrt, at least not when I looked a few years ago.
I used Merlin ddwrt which was supposed to be dedicated to ASUS hardware. At some point fiddling with wrt takes more time than the nonexistent price difference with the ubiquiti equipment :)
I still can't speak directly to your problems with the ASUS router, because I deliberately avoid devices that require Broadcom's proprietary drivers that often prevent you from using a recent kernel, and I don't use DD-WRT when I have the option of using OpenWRT instead. But from what I can tell, the feature you're looking for has been in OpenWRT for years, though I've never bothered to use it myself: https://wiki.openwrt.org/doc/howto/wireless.security.8021x#x...
I didn’t use the ASUS for WiFi, just routing. My instability had to do with ipv6 issues - it would stop broadcasting RAs if I remember correctly causing intermittent connectivity issues. I would have to cycle power every so often (month or so?)
No such issues with the edgerouter. I’m sure OpenWRT works great for folks, I just found it wasn’t the right fit for me.
Not OP, but I've been very happy with a $60 Buffalo N300, running since 2015 with no issues. I run DD-WRT on it, 200 Mbit symmetric fiber uplink, 3 devices connected via ethernet and the rest via wifi covering the whole (wooden) house, and I have port forwards for ssh and https to the server in the garage. Does everything I need and more.
I've been looking for an excuse to go down the Ubiquiti route, but I really can't find one.
The TP-Link Archer C7 has long been one of the best choices for an 802.11ac-capable wireless router, due to being well-supported by OpenWRT. It's currently $75. The only downside is that the CPU is a bit slower than the EdgeRouter X (though faster than the other EdgeRouters), so I looked on WikiDevi [1] for something with the same CPU as the ER-X. Out of the dozens of options, I picked a recent mid-range D-Link and found it listed for $89.99 on Amazon, though I didn't check for OpenWRT support.
I'm personally using a TP-Link Archer C2600 that was on sale for $70 from Newegg in January.
In the end mucking with open source firmware, while interesting, just wasn’t worth it. I found the ubiquiti solution stable and the UniFi management software (especially their iOS app) are excellent for my needs. Plus mounting my AP in the ceiling means I can cover the entire house from one AP and at the same time keep the rest of my networking equipment stored away in the basement.
I'm ashamed by this Networking 101 question, but what prevents you from connecting the UAP-AC-Lite directly to the ISP's device? (Assuming you don't want a physical ethernet connection at all). Is it for DHCP and assigning IPs to the clients?
Nothing. I do this. I think the AC-Lite even has it's own DHCP, but I'm using the ISP router for that personally.
Usually the ISP router just sucks at wifi, but I have seen ISP routers which have only 100mbit/s uplink ports when the internet connection is higher. In that case you'd want a custom router also. Or if they ship some router with some features you dislike that you can't disable (like public hotspots, unpatchable insecure config interfaces, etc.)
ER-Lite has a really weak CPU, and can only get close to 1Gbps using its hardware offloads, which limit what you can do to the traffic passing through the router. ER-X has a faster CPU and can get reasonably close to 1Gbps with software packet forwarding for simple rules, and can handle traffic shaping at far higher speeds than the ER-Lite (though neither can shape anywhere close to 1Gbps).
Another +1 for Ubiquiti. Had a bunch of high end prosumer stuff, ddwrt/tomato, etc. It really is fantastic stuff at least on part with ddwrt and well matched hardware to boot.
Their cloud management stuff is solid(and free with spare PC!) which is great if you help your family set anything up.
Ars did a great deep-dive a whole back[1], it's a pretty good read.
Can I use Ubiquiti devices with some kind of slave or WDS mode with my ISP's wifi AP/router?
I just want to extend the range without monkeying with the existing router or running cables. Ideally configuring the slaves to use the existing SSID/WPS config if that's possible.
I don't care (much) about the impact to latency or throughput, it seems like there's excess capacity now.
EDIT: downvoters please join the discussion, seems like an innocuous question to me.
I've been very particular about using my own router and/or wifi in the past, installing one of openwrt/dd-wrt/tomato and tweaking to my heart's content. I would create a DMZ for one or more servers, do the dynamic DHCP, the whole bit.
But now, the ISP provides a single device that is where they terminate the DOCSIS connection and originate the Wifi router. And casual investigation leads me to believe that I "can't" replace this device. I don't want/need a DMZ or my own public servers. Also, I have less patience for tracking down my own breakage these days. The ISP's device works and performs spectacularly. I know of no public vulnerabilities for the provided router.
So IMO no I don't "really want to get rid of any kind of ISP provided router and Wifi".
You can purchase a modem as a separate device that you could then use with any router. It could save you some money depending on whether or not your ISP charges you for renting their hardware.
Hmm, no idea for your ISP, but most of the ISPs I've used had the option to switch their equipment to so-called "bridge mode", where it just did the DOCSIS/DSL thing, gave you one unfirewalled external IP and let your router do NAT etc.
In particular, recommendations for consumer routers would be welcome. Last time this came up, the line seemed to be "consumer routers are trash, if you want security you have to use an enterprise router." There might be some truth in this, but it isn't helpful. Surely not all consumer routers are equally bad?
So there are two main issues with consumer routers. The first is that the hardware is garbage. This isn't universally true, but it's a strong general rule, and models get released and discontinued all the time so the short list of models that aren't garbage changes every year.
The main security issue is that the vendors stop issuing security updates after they stop selling the router even though people are still using it, and the software that comes on it is usually crap to begin with. The solution to this is to get one you can install OpenWRT or Debian or whatever you prefer on it, do that as soon as you buy it and then it doesn't matter what the vendor does. But note that not all routers are supported by the software you want to use.
Also remember that a router is just a computer with multiple network ports on it. Adding another network port to your old laptop is a time-honored tradition. The hardware will be faster, the drivers are usually better, it has a built-in battery to survive power bumps, etc.
My first firewall was a Thinkpad 750Cs. ;) I can't recall the distro I was running at the time - likely Debian or Slackware. At one point I returned from vacation to find that the hard drive had failed a couple days earlier. Since the firewalling was in the kernel, all I lost was logging. IIRC the last log message was that it was remounting the root filesystem readonly. It continued operating for a couple more weeks until I could arrange to replace it.
I've always wanted to just use an old junk PC as a router instead of paying for what is basically an overpriced Pi with a 4 jack ethernet card attached. But the problem then is that getting enough ethernet ports in the thing to equal the average router is price prohibitive.
I wish there were $20-$30 PCI-E bridge cards of >2 1Gbit ethernet jacks but they don't exist.
> But the problem then is that getting enough ethernet ports in the thing to equal the average router is price prohibitive.
Unless you actually need the ports to do some kind of network segmentation, one solution is to just plug the inside port into a five port switch (~$15). Which is how a lot of the consumer grade routers are implemented internally anyway.
I've found the ASUS RT-AC series to be pretty good (both 56U and 66U can route my gigabit internet connection and provide about 400Mbit worth of wifi). But for a bit more you can get a Ubiquiti router + AP for an even better experience.
Are Ubiquiti decent? It looks like they have a consumer line (AmpliFi).
Cost is not a primary concern, within reason. Wanting a consumer focused router is more about wanting to minimize set-up time and maintainence. Frankly, I’m not sure I have the time or trust myself to set up OpenWRT correctly/make sure it’s updating regularly/I’m installing the correct version etc.
> Frankly, I’m not sure I have the time or trust myself to set up OpenWRT correctly/make sure it’s updating regularly/I’m installing the correct version etc.
As long as you're not going out of your way to install a nightly build of OpenWRT and you just stick with the stable releases, it's no more difficult than installing new firmware from the manufacturer and configuring it. The web interface for configuring OpenWRT is comparable to what most consumer routers provide, except that OpenWRT's UI is shared across all hardware platforms instead of being laden with vendor-specific branding and snake oil features.
Yes, the AmpliFi line is excellent on the wireless side. I use a MictoTik wired router in conjunction with the AmpliFi to provide add'l features and security. Works well.
Yes, I was surprised that my 1st gen 66U (which is now quite a few years old) is still getting security updates. The fact that it runs ddWRT by default also means that I don't have to flash it at all.
> consumer routers are trash, if you want security you have to use an enterprise router
These are trash too, full of closed code with backdoors. Buying small x86 mini PC and flashing it with OPNsense will take an hour. You get open source with GUI on FreeBSD, bulletproof.
Albeit a bit expensive, Turris Omnia is fully open source down to schematics level. It's also pretty beefy with dual-core ARM CPU at 1.6 GHz and 1 GB DDR3.
Its documentation is however a bit lacking unfortunately.
Been running a home network with over ten devices and a fast internet connection with an Omnia Turris for almost two years now. It gets regular updates automatically, is fast and the UI is nice. Fixing things like bufferbloat was easy with the community instructions.
Oh and it's openwrt under the hood, with lxc containers for things such as grafana.
Careful if you started using lxc like I did before they added warnings not to use them with the internal flash storage. You need to have added additional storage via the mSATA slot, and designate that as your storage location before using lxc. Otherwise according to Turris you will burn through your internal memory very quickly.
I did something slightly different: I was donated various low-power, low-noise PC parts from a friend, one of which was a motherboard with two ethernet ports. Chucked FreeBSD on it, configured one port as WAN and the other LAN, connected LAN to cheap-ish switch and from there also to wifi bridge.
Never had a better setup.
It blows any consumer router I've used out of the water in terms of stability, performance, flexibility, security, and user experience.
Getting emails for potential security issues, custom DNS domain for local network, fail2ban bruteforce prevention, QoS, alerting when WAN goes down, and so on, has all been a breeze to set up.
With this setup, the router only does _routing_, so you also need a Wireless Access Point (WAP). Connect it like so: Modem->Router->Switch->WAP.
Install pfSense on the router, configure the Unifi using Ubiquiti's Java app, and you're done. It's about $250 all together which _is_ more expensive than consumer routers, but IMHO it's worth the superior quality. The APU board is well-documented (PCEngines provides schematics!) and the firmware is based on Coreboot. The processor supports AES acceleration for faster encryption (great if you use VPNs!) PfSense is an enterprise-grade router/firewall with scads of graphs and features. And the Unifi has a great antenna with excellent range. Not to mention this setup leaves you with six spare ethernet ports on the switch.
I have always used consumer routers and they worked great. I finally got persuaded by the "consumer routers are garbage" attitude and bought an Ubiquiti edgerouter and instantly regretted it. Yes I can now do very complex configurations and control lots of things I couldn't before. But I really dont want to do that and I can't notice the difference in performance so it was a bit of a waste.
My guess the if you get a wireless router, wifi signal strength is most important part, aside from that any mainstream router is probably OK.
> and I can't notice the difference in performance so it was a bit of a waste.
That's because Ubiquiti Edgerouters and APs use the same processors and radios as consumer routers. If there's any truth to the memes about hardware quality, then the differences lie in things like the power supplies. Most of the perceived improvement in stability that Ubiquiti Edgerouters offer comes from having software that is actively maintained and not stuck on decade-old software branches. You can get all the same software benefits (more, really) by running OpenWRT on consumer hardware.
I've had my Google OnHub for three years now and it works flawlessly, regularly updating itself without any detectable downtime. It is by far the longest that I've had any wifi access point, and it is the only one I haven't had to personally check and update for security issues.
I used to use Apple routers. They were pricey but reliable and very easy to configure, especially from inside the apple ecosystem. Now? I have no idea what I’ll upgrade to when the time comes.
I'm actually pretty happy with my Netgear Velop mesh system. I had a Netgear Nighthawk X8, but when I moved it was great for the new house. The Velop mesh has been seamless.
I use one is the ASUS ones and like it. But from my understanding is that security wise, all consumer routers are bad. I have nothing to back up that claim with. I keep mine as updated as possible.
I have an Asus router too. (RT-AC68W - W => white) It used to provide my security and as near as I can tell it did a reasonably good job of it. Things that lead me to believe it rates as above average:
- Does not enable management on the WAN port by default.
- Reasonably frequent updates
- Not named as often as some other brands when security problems are publicized.
- I think it made me enter a management password when I first set it up, but it's been a while and I can't be certain about that.
OTOH I just searched "RT-AC68W security problems" and there seems to be no shortage of problems. :(
Some time ago I decided to get a little more serious about security and put a mini-PC running pfsense between my home LAN and the Internet. Hopefully that is more secure though a similar search wouldn't prove that. Perusing some of the critical vulnerabilities at cvedetails.com seems to show that the only critical vulnerability for either of these is for versions of the software older than what I'm running. And I also see the flashing yellow "!" on the Asus management page that indicates an update is available.
That latter part is really a concern. I don't get a notification for an update unless I go look for it. Logging to either is not something I do every day.
I would have said that too based on our RT-AC68U right up until I read this post and thought "time to update that router" and when I did so, for the first time in many updates I was presented with a license agreement allowing ASUS to send basically every bit of data to a 3rd party (Trend Micro) for features I didn't ask for. I should have captured it but the data they described was basically every bit of data you can imagine not wanting to share with a 3rd party. I had to agree to get into the router management portal and at least they had a way to withdraw that agreement (which also turns off those features).
I can't believe ASUS even considered this idea in this era of privacy concerns but I'm definitely going to research that before I buy another router.
Raising the security bar of routers is indeed a priority of many ISPs, organizations and consumers. But IMHO, securing the router isn't enough, because once you close the huge security and privacy hole created by vulnerable and outdated home routers, IoT devices like IP cameras will take the router's place as the weakest link in terms of a home network's security, so the problem of malware targeting embedded devices with no security software is still there. (Also, if any guest who connects to a WiFi network can guess admin:admin or admin:12345678 and infect IoT devices, NAT is not enough to provide a reasonable level of security in many home networks. In addition, having open-source firmware or reputable open-source components is not enough to assert that a certain device is secure by design, because most home routers run outdated and vulnerable versions of Linux/uClibc/whatever, often with network stack patches and proprietary drivers from the SoC manufacturer's BSP that make it impossible to upgrade to recent, stable versions of everything; this also applies to the router manufacturers that fork OpenWRT and don't pull changes. Moreover, completely separate from the question of how to develop security updates, the problem of testing and deploying them in time on customer premises, without user intervention, still remains and detracts from the ISP's motivation to provide security: it's very expensive). A copy-paste-based software development lifecycle, unsafe C code, the cost of built-in security and the risks & costs of deploying updates in scale are here to stay for the foreseeable future. A more radical solution is needed to protect today's devices against today's and future threats: that's why in https://www.securingsam.com, we're putting a security-as-a-service umbrella on the existing, consumer-grade router which hardens and protects the router and all devices connected to it using DPI, traffic anomaly detection, auto-updated (independently of the router firmware) vulnerability mitigation patches and much much more.
PFSense was the bane of my existence for a time, I regret ever installing it in the handful of businesses I put it in. When it'd fall over (usually from the 2nd WAN port disappearing after a reboot), I'd have to drive out and swap in another router while debugging it. Minor, custom changes to prevent PFSense from blocking boot due to a USB ethernet interface disappearing? Overwritten on upgrade without warning.
They also have recently made it a PITA to use PFSense with IPTV, as UDP Multicast forwarding has been deprecated w/o warning. Like everything with PFSense, it just disappeared one update without so much as a warning :P
I have a friend who uses Debian as his core router, its not bad. I've gone to OpenWRT since its got the fit and finish, plus it will boot and be debugable no matter what happens.
The most important thing is to go into your BIOS and boot loaders and turn off any delaying options. The second most important thing is to boot from a SATA SSD.
You should be able to tune it from there to get a reboot under 30 seconds.
I mostly blame cable and docsis for this state of things, on top of the router manufacturers. Which is why I am happy to hear of increasing fiber rollouts.
Docsis gives the ISP the ability to control the router, but they are very bad at it and even if they aren't it's often the manufacturers who are the problem. So I always have bought my own cable modems instead of renting from the ISP. The last time I did this I went with a good Motorola, but come to find out arris has bought them out, I did some scans, notice it's vulnerable and needs and update, so I go to the arris website. Can't find the update anywhere. End up calling them and get told, even though I own the equipment, they only release updates to ISPs or "partners" and no I can't have it! Wtf!?
Docsis, even 3, is a shitty spec that needs to die.
So really the best thing you can do and what I suggest to people is to put the cable modem in bridge/passthrough mode after checking all settings, and then hit your own router.
Except most people, as the article states, just go get some crappy linksys (cisco owned), netgear, Asus, belkin, etc, which have their own set of problems. It's better with openwrt/ddwrt/tomato but there is a better way.
Cynical take on the situation from a consumer POV: Keeping your ISP-provided CPE box but viewing it as the bug-ridden vulnerability christmastree that it is keeps you from lulling yourself into the "secure internal network" fallacy, while maybe keeping the liability on the ISP side.
Just install OPNSense (or its less modern forebear: PFSense). It works great, has a ton of features (e.g. packet filter from FreeBSD, OpenVPN, etc, etc), and it gets security updates. I run mine in a VM, with the WAN adapter passed through to it to make it unavailable to the host.
I don't know why technical people bother with anything else these days, TBH. You don't even need a separate server for it: just use a separate network card in an existing machine. And even if one decides to buy a separate machine, it's still much cheaper than a router with comparable capabilities. And the existing router can often be reused as a dumb access point. It's a no-brainer.
Just do it at the same time you do the router upgrade. Updates are released every couple of weeks. You don't have to install all of them, and not all of them require a reboot, but you could totally do it was I describe. I do have a separate machine for the router (the machine also runs the Kubernetes master), but that's more due to how my house is wired, not because I need it.
The goal is to make firewalling and controlling network traffic really easy.
The UI should be so easy a parent could perform difficult tasks such as limiting an iot devices traffic to local net or maybe just one ip using just an app.
Or detecting unusual patterns of traffic from a device or IP addresses.
The apis exist I can't think of many barriers to entry.