ASUS RT-AX88U vs Dedicated Firewall (pfSense, OPNsense)

[essence]

Hi all. I'm aware that there probably are some previous discussions on this topic, but if possible I would really appreciate advice geared for my particular interest and skill level.

I currently have the ASUS RT-AX88U running vanilla Asuswrt-Merlin install. I'm interested in securing my home network up to some "reasonably sufficient" level. I am relatively new to networks, though I am quite good with computers in general. Furthermore, to be perfectly frank, I want to spend as little time as possible on configuring my network. I'm not planning on making network building a "hobby", nor do I want to spend excessive amount of times optimizing security & privacy beyond what could be considered "Pareto efficient".

I have been considering purchasing a dedicated hardware firewall to run pfSense or OPNSense – based on the advice I've read on this forum. However, there are also a number of posts that suggest that the benefits and costs of getting something like pfSense to work well, make it not really worth it for the average consumer, and that you're fine as a typical home user running Asuswrt-Merlin, perhaps with some additional scripts. I would love to hear your opinion on what I should do.

Here is basically what I had in mind:

• Running OpenVPN or Wireguard with a general VPN service provider on the edge device. I get ~90/90 Mbps from my provider when running OpenVPN on a single computer (haven't tried Merlin OpenVPN performance yet onboard RT-AX88U). My ISP connection is 100/100 Mbps. I don't have any plans on increasing ISP speeds currently, so I'm cautious whether it's relevant to have a dedicated hardware firewall, even when connecting multiple devices onto the VPN connection simultaneously. I want to max out 100/100 in total for the devices, which is adequate.
  
  
• IDS/IPS. I'm currently using Trend Micro AiProtection – but as I understand it, it won't work if I'm going to encrypt all data with OpenVPN on the RT-AX88U. I would also prefer something better for privacy over AiProtection – like Snort or Suricata – but I'm not sure how those work with VPN encrypted data. Plus that apparently, they can't scan generally encrypted communications anyway. I am rather apprehensive about spending a huge amount of time on creating good IPS rules. However, I am rather concerned about applications and IOT devices "phoning" elsewhere from within the network.
  
  
• Ad-blocking, various IP blacklisting, etc.
  
  
• Anything else that should be considered "basic security" that is "good enough".
  
  
• I don't intend to do port forwarding or opening anything in the firewall.

So a few posts seems to suggest that you can get by adequately, by simply running Asuswrt-Merlin and packages like: Skynet, Diversion… if you care to make suggestions?

However, if you really do suggest that I get a pfSense or OPNSense solution, because consumer-grade routers simply aren't secure enough, then I definitely am open to buying a hardware firewall and spending a few days on configuring it. I don't object to the idea or costs incurred per se. I am however having difficulties understanding what is really a rational cost-benefit analysis here, especially with regards to IDS/IPS.

I do appreciate that everyone's mileage may vary, and that preferences, skill levels, etc, are different. I would call myself more advanced than the average computer user, but just not so advanced that I'm not concerned I may screw something up in something like pfSense, which apparently has a relatively steep learning curve.

Thank you for your advice!

 

[Tech9]

Do you have any experience with pfSense/OPNSense firewalls? If not, this is an entire router OS and you'll need time to learn how to configure it. Since you already have AX88U, you're familiar with Asuswrt UI and your ISP is 100/100Mbps, I would recommend keeping AX88U. Keep AiProtection enabled, set DNS filtering servers like Quad9/OpenDNS/Cloudflare/Cleanbrowsing with optional DoT, set DNSFilter to Router. You should be safe enough. IDS/IPS can't do anything about encrypted VPN traffic, no matter what software you run. I wouldn't run VPN clients or Ad-blocking on the router.

 

[essence]

Do you have any experience with pfSense/OPNSense firewalls? If not, this is an entire router OS and you'll need time to learn how to configure it. Since you already have AX88U, you're familiar with Asuswrt UI and your ISP is 100/100Mbps, I would recommend keeping AX88U. Keep AiProtection enabled, set DNS filtering servers like Quad9/OpenDNS/Cloudflare/Cleanbrowsing with optional DoT, set DNSFilter to Router. You should be safe enough. IDS/IPS can't do anything about encrypted VPN traffic, no matter what software you run. I wouldn't run VPN clients or Ad-blocking on the router.

Thank you for your reply.

No experience with pfSense/OPNSense. I could probably learn it over the run of some days, but yes, I question the added benefit of doing so. But if Sense is basically "good to go" out of the box, and doesn't require altering default "bad settings", then it should be quite easy to learn it in chunks? The added risks of misconfiguring something in Sense must also be weighted vs. the risks of running an ordinary consumer-grade router that may be more easily compromised.

Curious as to why you wouldn't run VPN clients or ad-blocking on the router? Is this in the case of ASUS, or any router including Sense?

 

[Tech9]

I could probably learn it over the run of some days

Plan some months, it's not that easy. Install it on a PC and see if it works for you before you buy dedicated firewall hardware. It comes pre-configured with WAN and LAN interfaces, bare bones. You have to tell them what to do. Keep your network alive using your current router during the learning process.

Curious as to why you wouldn't run VPN clients or ad-blocking on the router?

Experience. Less configuration flexibility with VPN and issues with community supported block lists. I run VPN on devices when I need it and uBlock in browsers, when needed. That gives my family members a choice what they prefer to have. I don't want to enforce anything on my firewall, except security.

 

[jeff3820]

There are MANY videos with step-by-step videos showing setup of Pfsense. I watched a 17 min video twice and then setup a Pfsense firewall how I wanted it for me. It wasn't hard at all. Over time I explored various advanced features...it was all very straightforward. Again, lots of videos are available.

FYI, It's very hard to setup "wrong". By default, Pfsense passes no traffic. You create the rules to make it work so security is maintained.

 

[Tech9]

Yes, Lawrence Systems have good videos on YouTube explaining how things work. I would start with pfSense, better support and more information available online.

 

[coxhaus]

Experience. Less configuration flexibility with VPN and issues with community supported block lists. I run VPN on devices when I need it and uBlock in browsers, when needed. That gives my family members a choice what they prefer to have. I don't want to enforce anything on my firewall, except security.

I agree with Tech9. Plus I would trust VPN ISPs less than local big ISPs plus you get much better performance not using VPN. If you need VPN for work so, be it. You should trust your work.

I used ublock for a while back a year ago. Now I like using QUAD9 and Microsoft store. I set my Windows 10 PC to only load software from Microsoft store and I use QUAD9 as it blocks bad sites. I think the 2 are good enough together. I don't mind the ads as long as they are not malware sites. If I get hit with bad stuff then I will go back to using uBlock. So far all is good. I have been running about a year this way.

 

[Tech9]

I used ublock for a while back a year ago. Now I like using QUAD9

You're perhaps confusing uBlock with something else. uBlock Origin as a browser extension ad-blocker.

 

[coxhaus]

No, I did not. I know what uBlock is. I ran uBlock to stop malware sneaking through ads. I don't mind ads. As I said the 2 together give me the results I need. I don't need uBlock now. I think a lot of web pages look stupid without the ads.
You left off limiting software installs to Microsoft only.

If you don't understand think about it for a while.

 

[Tech9]

I think a lot of web pages look stupid without the ads.

Mmm... uBlock Origin re-arranges the pages and you don't even know there were ads there. You may have to try it again. It uses stealth technique and doesn't trigger most of ad-block detectors. It also blocks successfully most of YouTube ads. You can't replace it with Quad9. They do different things. With most modern browsers you don't even need Quad9 as DNS filtering service. Firefox, Chrome, Microsoft Edge - they all use Safe Browsing engine.

 

[coxhaus]

Not all web pages when I ran it. And it is no faster on my laptop than running the ads. Of course, my Intel multi-core CPU is very fast. If you want to read about my laptop there is a thread on it on this site just look under my user's name.

I only use Edge for my browser with all the latest Microsoft patches using Windows 10.

 

[essence]

set DNS filtering servers like Quad9/OpenDNS/Cloudflare/Cleanbrowsing with optional DoT, set DNSFilter to Router. You should be safe enough. IDS/IPS can't do anything about encrypted VPN traffic, no matter what software you run. I wouldn't run VPN clients or Ad-blocking on the router.

Learning about DNS filtering services just now, thanks. Do they interact negatively with VPN privacy in any way if the VPN client is run either on computer or router? I presume not, but best to check.

What are pros and cons of using DoT (DNS over TLS) and what would be the alternative?

 

[essence]

Additionally, what do you all think about running Skynet on Merlin?

It appears to provide Malware Lists, and ability to block (detect?) Phoning Home, Country Blocking, etc. Interested in your opinions, also with regards to necessity and maintenance considerations.

 

[Tech9]

Do they interact negatively with VPN privacy in any way if the VPN client is run either on computer or router?

In general - no. Most commercial VPN services use/provide their own DNS. It also depends on how you configure your VPN client.

Additionally, what do you all think about running Skynet on Merlin?

In my opinion, it may add some value if:
- run on outbound traffic only, if no ports are open (to prevent you from accessing blacklisted IPs)
- run on inbound/outbound traffic, if there are open ports (the above + to prevent blacklisted IPs trying to connect to you)
You have to rely on community supported blacklists and there will be false positives - potentially extra maintenance for you. I don't like the fact custom scripts run off USB stick. USB sticks are not very reliable storage media. I would get an external USB enclosure with a small SSD inside.

 

[esfu]

optional DoT, set DNSFilter to Router. You should be safe enough

I was already using OpenDNS as normal DNS servers and it was working fine.

However, when I used it with DoT as follows (OpenDNS supports DoT as per https://umbrella.cisco.com/blog/enhancing-support-dns-encryption-with-dns-over-https )

We can now handle TLS connections and support DNS over TLS natively in the core resolvers. We’re thrilled to announce that, as of January 28, 2022, support for DoT is live on all Umbrella resolvers globally.

and tested it with https://tenta.com/test/ the TLS enabled shows as false.

If I use https://welcome.opendns.com/ to see if OpenDNS is used, it shows it is still working.

What am I doing wrongly for DoT not working with OpenDNS as stated in their blog ?

Finally, how do I set DNSFilter to Router?

Thanks and Regards,

 

[Crimliar]

Sometimes you need to remember "Don't believe the hype". So when you see the results from DNS leak tests, look at precisely what they are telling you! In many cases, they're going to be telling you that there is the possibility of a leak because you are not running a tunnel (VPN) between your network and the DNS server that you connect to, or that they believe your DNS server collects your queries.
For most of us using DoT isn't strictly necessary, it's a bonus, and you have to consider if the VPN service providers have their own motivations!

As for setting DNS filter to the router, once it's enabled you'll see pretty quickly - though a DNS filter cribsheet would be useful as it does seem to be often misunderstood - and do you actually need it?

 

[Tech9]

What am I doing wrongly for DoT not working with OpenDNS as stated in their blog ?

The test you use above is not working. When OpenDNS is set with DoT my firewall is logging DNS requests on port 853.

Finally, how do I set DNSFilter to Router?

 

[bdub76]

There is a learning curve. I'd start simple and get a dedicated device that you can play with for now. Maybe setup your own unbound DNS cache as a start and then add to it as you learn more. My own local DNS cache has had the biggest impact on my network performance, so I'd start there. I get much faster load times for websites, and for some reason, I get faster starts with HULU.

For me, the most difficult bit starting out was doing all of this over putty. My first device was an old Soekris box.

 

[omninmo]

Good evening, im sorry to piggy back off of your thread but i find myself in a similar predicament while planning my new home network! I have an ax88u and a home built omv NAS (phenom ii x4, 4gb ram, no IOMMU sadly) currently being used for smb, dockered plex, nextcloud and some home media automation *arrs

I intend to expose plex and openvpn server, rest will probably use cloudflare zero trust tunnels to access

Option 1 - just setup skynet/diversion + aiprotection, keep upnp disabled and continue to use ax88u as router

Option 2 - get an extra dual nic intel pcie card for my current nas, and try to virtualize pfsense over kvm passing the extra nics via macvtap and demote the ax88u to ap duty?

I know all in one nas/router is generally frowned upon but atm i have no budget to further invest in a dedicated pfsense machine xD so for now i need to stick mostly to what i already have ^^ thx in advance for any feedback you might have for me!

* Note that im a home user and NAS is mostly for media and family photos, no real sensitive information

 

[Tech9]

and try to virtualize pfsense

If you are after security and reliability - pfSense on dedicated hardware. Running 10x services on a single machine means single hardware failure brings down everything - including your entire network in this case. Your computer is >10 years old already. Do you really want this to happen?

so for now i need to stick mostly to what i already have

Use your Asus RT-AX88U router. It's a good home router and secure enough for home network.