Don't Trust Consumer Routers 3

Posted by JD 09/29/2016 at 15:41

Another example of why you shouldn’t trust consumer routers. d-link

It isn’t just this specific d-link router. We’ve seen the same issues over and over and over with pretty much every non-enterprise vendor.

Plus we don’t want our devices used by crackers to DDoS Brian Krebs anymore, right?

We are Linux people. We CAN do this ourselves.

My recommendations (not that anyone cares):

Get yourself a nice BSD or Linux-based distro and add the routing/firewall stuff you want – Ubuntu minimal is fine. pfSense and OPNsense are good too. Make certain the distro is actively maintained – some of the most famous *WRT distros are not. Do the homework. Be certain.

You’ll probably want/need a low power x86 computer for this. DO NOT USE SHARED/Virtual HW. Routers need to be separate, special-purpose devices. Considering it will be running for the next 10 yrs and supports GigE throughput, is spending $150 asking too much?
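As an added example (not code from the original post), here is a small shell script that generates a default-deny nftables ruleset for the kind of two-NIC Linux box described above: one interface facing the ISP, one facing the LAN where the separate WAP plugs in. The interface names eth0/eth1 and the 192.168.1.0/24 prefix are assumptions; the generator itself runs unprivileged, so you can read the ruleset before loading it.

```shell
#!/bin/sh
# Added example, not from the original post: emit a minimal default-deny
# nftables ruleset for a Linux edge router with two NICs.
# Assumptions: $1 = WAN interface (e.g. eth0), $2 = LAN interface (e.g. eth1),
# $3 = LAN prefix (e.g. 192.168.1.0/24). All three are example values.

gen_ruleset() {
    wan="$1"      # interface facing the ISP
    lan="$2"      # interface facing the LAN (and the separate WAP)
    lan_net="$3"  # addresses allowed to leave through the WAN
    cat <<EOF
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # management and client services only from the LAN side
        iifname "$lan" tcp dport 22 accept
        iifname "$lan" udp dport { 53, 67 } accept
        iifname "$lan" tcp dport 53 accept
        # ping is allowed but rate-limited; IPv6 neighbour discovery must pass
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # only LAN-originated traffic is forwarded out; nothing unsolicited comes in
        iifname "$lan" oifname "$wan" ip saddr $lan_net accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$wan" ip saddr $lan_net masquerade
    }
}
EOF
}

# Sanity check before loading: input and forward must default to drop, and no
# rule may accept traffic simply because it arrived on the WAN interface.
check_ruleset() {
    rules=$(gen_ruleset "$@")
    printf '%s\n' "$rules" | grep -q 'hook input priority 0; policy drop;' || return 1
    printf '%s\n' "$rules" | grep -q 'hook forward priority 0; policy drop;' || return 1
    printf '%s\n' "$rules" | grep -q "iifname \"$1\".*accept" && return 1
    return 0
}

# Usage (as root, after reviewing the output):
#   ./edge-router.sh eth0 eth1 192.168.1.0/24 > /etc/nftables.conf
#   nft -f /etc/nftables.conf
if [ "${1:-}" != "" ]; then
    check_ruleset "$@" || { echo "ruleset failed sanity check" >&2; exit 1; }
    gen_ruleset "$@"
fi
```

The box also needs forwarding switched on (`sysctl -w net.ipv4.ip_forward=1`, made persistent in /etc/sysctl.d) and the ruleset loaded at boot by the distro's nftables service. The point of the `check_ruleset` function is the same one the post makes about patching: treat the firewall as something you verify on every change, not something you set once and forget.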

Stay Patched

Keep patched. I patch weekly. pfSense patches come out approximately quarterly. They have the upgrade method down pat. It is amazing. With normal Linux distros, this is easy: sudo apt update && sudo apt upgrade

WiFi – Keep the wifi AP separate

There are many reasons for this – mainly, does your wifi router actually sit in the best place for wifi coverage of the house? My router is 30+ ft away from where the WAP sits (in the center of the house). PoE is a wonderful thing. Also, wifi standards change faster than routers need to. Are you running G? N300/N600? AC? 1.2-gig AC? If upgrading the wifi were as easy as swapping out one device that isn’t the device on the edge of your network protecting everything, wouldn’t that be easier? It is for me. I’m actually using an old, insecure router as a WAP. Need 2 APs to cover your mansion? That isn’t hard either.

We are Linux people. We CAN do this ourselves and better than cheap vendors.

  1. Eric 12/15/2016 at 21:11

    “You’ll probably want/need a low power x86 computer for this. DO NOT USE SHARED/Virtual HW. Routers need to be separate, special-purpose devices. Considering it will be running for the next 10 yrs and supports GigE throughput, is spending $150 asking too much?”

    Can I ask for more info on why you recommend not using shared or virtual HW?

    If I have a decent vmhost with separate ethernet adapters for the VM is that not good enough?

  2. JD 12/16/2016 at 09:48

    https://superuser.com/questions/727486/is-it-recommended-to-run-a-firewall-router-on-a-virtual-machine

    KISS. Complex setups tend to fail. For interior routing, fine. For the edge router, I don’t want a tiny mis-configuration screwing the security for an entire network. When a HW router fails, it breaks. That is a good thing.

    Hypervisors are complicated. If we (humans) can’t make secure OSes, what makes anyone believe we can make a virtual machine running on an insecure OS inside an insecure VM using complex virtual network drivers in a hypervisor secure?

    I like VMs. Use them a bunch, but not for edge routing. I do use VMs for internal routing, but that is a completely different issue than protecting a perimeter.

  3. Eric 12/16/2016 at 13:45

    Thanks, those are good points.

    “When a HW router fails, it breaks. That is a good thing.”

    I really like this point – I’ve never thought about forcing a service to completely fail if it breaks.