Looking for Router/Gateway with Greater Security than traditional consumer equipment

[silekonn]

I have tried the rest now the best? A few other people had various recommendations and nothing hit home. I currently utilize an off the shelf Netgear router (flashed to DD-WRT). I am hoping to move to something with better security. Higher grade hardware has geo blocking, IDS and IPS among other security features.

I am not a network administrator. I do have technology expertise. I recently set up an Ubiquiti Unified Security Gateway (USG) and it cost less than $110. The streamlined interface made the experience straight-forward. In the future it should be easy to explain how to correct a problem and have a user that is not technically inclined accomplish things, e. g. a firmware update or whitelisting a blocked website/game.

It leads me to believe consumer equipment should and can be bested and without paying for something astronomical (e. g. an $1x00 yearly Meraki subscription, before the price of the hardware). The city's connectivity starts at 200Mbps down and options for 1Gbps exist, meaning Meraki was not an option in any feasible sense if future expansion is planned. Can anyone recommend something that will be a step up?

Some research shows options are numbered: Sophos, Sonicwall, Untangle, pfSense, Fortinet and Watchguard among the up and coming consumer offerings, Norton Core, Cujo (terrible reviews), BitDefender Box, etcetera. My budget is up to $1,000 and if necessary $250 for a yearly subscription. Others have consistently recommended pfSense and my only problem with that is the lack of definitions or any type of regular and automated updates to support the protection.

Thank you in advance.

 

[abailey]

I use Untangle and have been extremely happy with it. For home use it is $50 a year. There are videos to help you set it up and a very active forum to ask questions. Untangle employees are on the forums also and answer questions. Telephone support can be had but it is an additional charge. I have never found it necessary. The big drawback for Untangle is that it really is not IPV6 ready. I have no problem with that as I don't use IPV6 yet but if you do then there are probably better options available.

Here is a demo to look at: http://demo.untangle.com/admin/index.do
It may look complicated but its not bad once you get the hang of it.

 

[System Error Message]

you can set up a linux OS and turn it into a router and security gateway, thats the most flexible and performance option in the cheapest way, otherwise you're looking at more complicated options.

 

[mtganzer]

you can set up a linux OS and turn it into a router and security gateway, thats the most flexible and performance option in the cheapest way, otherwise you're looking at more complicated options.

...or pfSense, OPNsense, etc. BTW I have not set up a BARE Linux box as a router/firewall since...oh...probably 2000! Unless you are (or want to be) a wizard with raw iptables, best to find a distribution that has simple router/firewall front end (anyone remember Mandrake Single Network Firewall?).

pfSense with pfBlockerNG and Snort plugins checks off the items you mentioned. I am really not all that enthralled with other "Unified Threat Management" options anymore now that most traffic runs over SSL/TLS. You can install a "man in the middle" break/inspecton on the UTM boxes, but it is not trivially easy to do (have to create trusted certificates and push them out to all systems on your network). Easier for me at home just to make sure to keep the antivirus and ant-malware updated on the end hosts.

Re: "subscriptions" for updating signatures - pfBlockerNG updates from an extensive number of mostly-free published lists to set up DNS Block Lists and IP Block lists, and also does your GeoIP blocking. The Snort plugin uses standard Snort signature sets. The paid "Emerging Threats" lists is ~$30 year for personal use, or free of you are ok with the VDL list (basically a delayed release of the paid list).

Be advised that if you really want to do IDP and IPS (or VPN) you will need MUCH more CPU power, especially as speeds get up to gigabit range. You said you had set up a Ubiquiti USG - I had an Edgerourer Lite, which was the unmanaged version of that device. For basically NAT firewall, it works quite well (I tested it to 900+ Mbps when I recently installed ATT Gigabit Fiber). And there are add-in scripts in the community to set up DNSBL (DNS Black List). But no GeoIP blocking, and none of the Ubiquiti hardware to date has the CPU horsepower to do IDPS. I am currently running pfSense in a VM on my Xeon Ubuntu server, but $1000 would easily get one of Netgate's pfSense appliances - the SG-5100 at $800 would more than handle what you are likely to throw at it. Nice thing is if you want to "kick the tires", you can easily set up pfSense in a spare PC - just throw in an extra NIC (Intel chipset preferred).

 

[lovan6]

For $600 you can build a decent Pfsense box with Intel server Nic + $600 for Ubiquiti Unifi 8 port POE switch with 3 AC pro access points and cloud key. This combination works well. or you can buy Netgate XG-7100 for $899 and comes with warranty.

Pfblockerng for geo ip block and Suricata inline for IDS/IPS. Pfblockerng can be set to auto update every hour. Suricata use Proofpoint/Emerging threats and gets updated every month. Snort update is free but you can buy a subscription to get the latest updates.

If you were able to flash and tinker with DDWRT and was able to configure a USG, I think you can do that also with Pfsense. I started doing the same thing buying consumer router and flashing with 3rd party firmware but as my devices grew in number and gets complicated I have to look elsewhere.

They have a large community for noobs and no experience with networking. You can also download the PFsense book for free but I would advice to read it first before you decide.

https://www.netgate.com/docs/pfsense/book/

 

[System Error Message]

...or pfSense, OPNsense, etc. BTW I have not set up a BARE Linux box as a router/firewall since...oh...probably 2000! Unless you are (or want to be) a wizard with raw iptables, best to find a distribution that has simple router/firewall front end (anyone remember Mandrake Single Network Firewall?).

pfSense with pfBlockerNG and Snort plugins checks off the items you mentioned. I am really not all that enthralled with other "Unified Threat Management" options anymore now that most traffic runs over SSL/TLS. You can install a "man in the middle" break/inspecton on the UTM boxes, but it is not trivially easy to do (have to create trusted certificates and push them out to all systems on your network). Easier for me at home just to make sure to keep the antivirus and ant-malware updated on the end hosts.

Re: "subscriptions" for updating signatures - pfBlockerNG updates from an extensive number of mostly-free published lists to set up DNS Block Lists and IP Block lists, and also does your GeoIP blocking. The Snort plugin uses standard Snort signature sets. The paid "Emerging Threats" lists is ~$30 year for personal use, or free of you are ok with the VDL list (basically a delayed release of the paid list).

Be advised that if you really want to do IDP and IPS (or VPN) you will need MUCH more CPU power, especially as speeds get up to gigabit range. You said you had set up a Ubiquiti USG - I had an Edgerourer Lite, which was the unmanaged version of that device. For basically NAT firewall, it works quite well (I tested it to 900+ Mbps when I recently installed ATT Gigabit Fiber). And there are add-in scripts in the community to set up DNSBL (DNS Black List). But no GeoIP blocking, and none of the Ubiquiti hardware to date has the CPU horsepower to do IDPS. I am currently running pfSense in a VM on my Xeon Ubuntu server, but $1000 would easily get one of Netgate's pfSense appliances - the SG-5100 at $800 would more than handle what you are likely to throw at it. Nice thing is if you want to "kick the tires", you can easily set up pfSense in a spare PC - just throw in an extra NIC (Intel chipset preferred).

pfsense and other such distributions have limitations. They are simpler to set up (not simple), but they limit what you can do too to some extent as its not a full blown OS that lets you install and use every feature you want. A normal linux OS like debian, BSD, SUSE can become an all in one router which is something pfsense cant (you cant use pfsense as a file server, on the network side, you cant create an applications cache (see steam and OS update cache as example) with pfsense as that requires installing software that these distributions wont allow or work with). Not even pro cisco can do it, and it really depends on what you're looking from a router. The most flexible router is still done by using a regular linux server OS rather than specialised, but if your needs arent as big than going specialised would be the way otherwise if you want everything for cheaper then the only way is to use a linux/unix server OS (not ubuntu) and spending all the effort and having the knowledge. You gotta pay somehow, if its not with money, its with skill.

If you use RMerlin's firmware for asus routers you will be dealing with raw iptables, and you are outdated, in opensuse i can set up iptables and plenty of things via their GUI based networking utility which can even work over TTYL in such a pretty and intuitive way. However if you have the skill to properly configure a configurable router, you will find terminals and editing text files to be just as intuitive if not less restrictive in feel over GUI.

 

[mtganzer]

A couple nits. First, pfSense is built on FreeBSD, and you can install any of the available FreeBSD packages. But yes it's FreeBSD not Linux.
But also if you are advocating running firewall + file server + app cache + whatever on a single OS instance, I have to ask WHY? Management and security-wise it's a nightmare unless you use virtualization to provide some logical separation of the processes. I prefer to keep a single slimmed down OS with VM's and Containers to abstract the apps from the underlying OS. pfSense 2.4 runs fine in a VM on Ubuntu or other Linux OS. Or it could be Untangled, Sophos UTM, OpenWRT as your firewall software of choice.

 

[Testscript]

OpenVPN Client speed:

OK, problem solved.

I have built a pfSense box with a SuperMicro i3-7100U, the NordVPN download speed increased from 30Mb (rt-ac87u) to 900Mb (pfSense), 30 times faster!!!

The download speed without VPN is around 950Mb (I using xfinity giga)

Buy a "Mini PC" for install "pfSense or Untangle or Sophos''

The next level of Router, Access Point and Firmware above ASUS, Netgear, Tomato, Asuswrt-Merlin, DD-WRT and OpenWRT is Ubiquiti.

And the next level of Router and Firmware above Ubiquiti is a pfSense. (OpenVPN 1GB of upload and download)

Intel "7th" Generation:

1. https://www.aliexpress.com/item/QOT...-i7-7500U-6-Gigabit-NICs-COM/32920921042.html
2. https://www.aliexpress.com/item/KAN...-Gigabit-NIC-Router-Firewall/32925996930.html
3. https://www.aliexpress.com/item/MIN...port-AES-NI-PFsense-Firewall/32926430140.html

Intel "6th" Generation:

1. https://www.aliexpress.com/item/QOT...r-pfSense-core-i5-6200U-core/32889249066.html
2. https://www.aliexpress.com/item/Kan...ss-router-firewall-pfsense-6/32922546156.html
3. https://www.aliexpress.com/item/QOT...ewall-industrial-home-router/32888176745.html

Intel "5th" Generation:

1. https://www.aliexpress.com/store/pr...i-Computer-X86-Router/108231_32799048185.html
2. https://www.aliexpress.com/store/pr...Pfsense-Firewall-Mini/108231_32800603727.html
3. https://www.aliexpress.com/item/4-L...ni-Computer-Windows-10-Linux/32924362408.html

 

[joegreat]

I have tried the rest now the best? A few other people had various recommendations and nothing hit home. I currently utilize an off the shelf Netgear router (flashed to DD-WRT). I am hoping to move to something with better security. Higher grade hardware has geo blocking, IDS and IPS among other security features.

I think you should have a look to the 'Omnia' router from Turris: it's open source AND secure - also the new modular router 'MOX' is on the way (also outlined in this forum thread).

On the security side the most important topic is the Distributed Adaptive Firewall (replaces the need for a seperate pfSense box): Distributed adaptive firewall is made out of a set of tools, which together form a protection system capable of reacting to new security threats.

 

[Testscript]

My recommendation:

If you use "VPN" and/or want an "IDPS" (i.e Snort or Suricatta): Buy a "Mini PC" for install "pfSense or Untangle or Sophos'' (Any Mini PC from the previous post)​

........../
Router
..........\

If you will not use any feature above: EdgeRouter 4 or USG Pro 4 (In a few months Ubiquiti will release a new USG router and will use the same or better hardware than the EdgeRouter 4)​

Switch: UniFi PoE+ Switch 150W or higher (Need UniFi SDN Controller)

AP: UniFi nanoHD or UniFi In-Wall HD (Need UniFi SDN Controller)

Cameras: UniFi Video Camera G3 Micro or UniFi Video Camera G3 Dome or UniFi Video Camera G3 or UniFi Video Camera G3 PRO (Need UniFi Video or UniFi Protect)

Other: Raspberry Pi 3 Model B+ (Only if you buy the EdgeRouter 4 or USG Pro 4 to install Pi-hole)


Remote Management and Access:

UniFi SDN Controller: UniFi Cloud Key Gen2 or Gen2 Plus

UniFi Protect: UniFi Cloud Key Gen2 Plus (Link with information)

UniFi Protect is an evolution of UniFi Video. We built UniFi Protect from the ground-up for the best video viewing and reviewing experience possible.

The UniFi Protect product line is designed for users who don't need or want to maintain their own servers. We've had overwhelmingly positive response to the UCK-G2-PLUS already for this reason: It's plug-and-play, self-contained, pre-loaded with Protect and SDN software, and most importantly: You don't need to do any system administration work to make the most of it.

UniFi Protect is designed to be the most robust, plug-and-play surveillance platfrom on the market. The UCK-G2-PLUS allows anyone to quickly set up and use a Ubiquiti camera system. No Linux server administration knowledge is required.

The UCK-G2-PLUS is a performance value at $199, with an 8-core 2.0GHz CPU, 3GB of RAM, a front-panel display for system status, PoE power, user-upgradeable hard drive with a tool-free tray, and built-in battery backup so you don't even need an extra UPS system. For users looking to get started with plug-and-play video surveillance with 1-20 cameras and no monthly fees, you can't beat the UCK-G2-PLUS and UniFi Protect.

The all-new UniFi Protect mobile apps include easy Bluetooth setup so everyone can get up and running straight from their mobile phone without even opening a laptop. Our goal was to make video surveillance accesible to everyone, and the UCK-G2-PLUS is the perfect platform for delivering on that promise. That said, the UCK-G2-PLUS is just the start and we will continue to grow the platform to meet more and more use cases.

At this point, the UCK-G2-PLUS is the hardware to buy. UVC-NVR sales will be discontinued in the coming months and we will only retain UVC-NVR inventory for warranty replacements for existing customers.

Something like this:

Off-topic
- Stories - Ubiquiti Networks Community

Spoiler: Cable Management

Beautiful Cable Management

 

[MichaelCG]

I have been running pfSense for many years...and m0n0wall for many years prior to that. My current box is a $75 off-lease business desktop with an additional 2-port Gig card thrown in. Handles my 1Gbps connection just fine. I run a filtering proxy on the box, but its overall effectiveness is limited since as others have stated, most traffic is TLS now so it cannot be easily scanned.

I have been testing a SophosXG box for the past couple of months. Overall, it probably can do what you are after. It for sure offers way more flexibility and features and can do traffic filtering even on TLS. It cannot easily scan TLS without doing intercept, but even without intercept it can still somewhat classify the type of traffic and FW rules can be applied.

It is unlikely I will move forward with it though for my personal use. The OpenVPN performance seems to be a bit lacking....although it can still seem to get around 100Mbps so it isn't horrible...it just should be higher considering the hardware it is running on. I really like the simple interface of pfSense. The firewall rules are zone based and very clear at what flows are permitted. The FW rules within Sophos can be zone based, but presentation is not zone based and not always clear at what rules are permitting what flows. This is just personal preferences on how the FW rules are presented.

 

[Marica Calma]

Hi, I am also running pfSense for a couple of years and so far I am satisfied in its' features. It was easy to install in a physical computer or in a virtual machine to make a router for a network. See the link below to know more about its' features:
https://www.pfsense.org/about-pfsense/features.html

 

[Testscript]

After buying what you are going to buy, organize the cable in this way, so that it looks good:
- Fixing the dodgy Home Wi-Fi, and going slighty overboard in the process - Ubiquiti Networks Community

Spoiler: Cable Management

Beautiful Cable Management

 

[mtganzer]

My recommendation:

If you use VPN: Buy a "Mini PC" for install "pfSense or Untangle or Sophos'' (Any Mini PC from the previous post)​

........../
Router
..........\

If you do not use VPN: EdgeRouter 4 or USG Pro 4 (In a few months Ubiquiti will release a new USG router and will use the same hardware or better than the EdgeRouter 4)​

Nicely described, though I Would change 1st option to: If you use VPN and/or want an IDPS (i.e Snort or Suricatta)

 

[loveleeyoungae]

My recommendation:

If you use "VPN" and/or want an "IDPS" (i.e Snort or Suricatta): Buy a "Mini PC" for install "pfSense or Untangle or Sophos'' (Any Mini PC from the previous post)​

........../
Router
..........\

If you will not use any feature above: EdgeRouter 4 or USG Pro 4 (In a few months Ubiquiti will release a new USG router and will use the same or better hardware than the EdgeRouter 4)​

Switch: UniFi PoE+ Switch 150W or higher (Need UniFi SDN Controller)

AP: UniFi nanoHD or UniFi In-Wall HD (Need UniFi SDN Controller)

Cameras: UniFi Video Camera G3 Micro or UniFi Video Camera G3 Dome or UniFi Video Camera G3 or UniFi Video Camera G3 PRO (Need UniFi Video or UniFi Protect)

Other: Raspberry Pi 3 Model B+ (Only if you buy the EdgeRouter 4 or USG Pro 4 to install Pi-hole)


Remote Management and Access:

UniFi SDN Controller: UniFi Cloud Key Gen2 or Gen2 Plus

UniFi Protect: UniFi Cloud Key Gen2 Plus (Link with information)



Something like this:

Off-topic
- Stories - Ubiquiti Networks Community

I'm thinking of a setup like this:
Asus AC68U - Router, i.e. do all router functions: dhcp, dns, firewall etc..., but TURN OFF WIRELESS
||
|| (both connecting via LAN ports)
||
some Ubiquiti gear to do only one thing: MESH WIRELESS NETWORK for devices in the house

I mean, in Asus routers, default mode is Router. And if we change the mode to "Access Point", it would disable all router function, and will only broadcast wifi. I don't know if Ubiquiti gears can be set like that?

In summary, I'd like to have devices connecting to wireless radio by Ubiquiti, but everything is routed, belongs to the same subnet 192.168.5.0/24 and is managed by the Asus router.

Thanks.

 

[MichaelCG]

...
some Ubiquiti gear to do only one thing: MESH WIRELESS NETWORK for devices in the house

I mean, in Asus routers, default mode is Router. And if we change the mode to "Access Point", it would disable all router function, and will only broadcast wifi. I don't know if Ubiquiti gears can be set like that?

In summary, I'd like to have devices connecting to wireless radio by Ubiquiti, but everything is routed, belongs to the same subnet 192.168.5.0/24 and is managed by the Asus router.

Thanks.

If the Ubiquiti gear you are talking about is the UniFi APs.....they are just APs, no routing functions built in. If you are talking about the Ubiquiti Amplify gear, they are different and do have routing built in. All depends on what your goals are regarding management, price, and connectivity options.

 

[gattaca]

I've considered Ubiquiti gear ever since Hunt did his write up. At that time, I studied their web site, other write ups and other forums. I almost pulled the trigger but at the last minute I asked some harder questions in these areas:

1. what I already had in hand, and what is available today
2. Merlin's and this forums excellent support for ASUS,
3. Platform stability, integration, reliability, ease of use, market penetration,
4. Platform/unit resale-ability,
5. Platform operations, updates, firmware revs (how frequent), complexity, maintenance,
6. My families use patterns,
7. costs, scale, platform security (layering) as well as the company's attention to patching,
8. "sure it would have been a cool project" factor
9. KISS
10. and probably more things I cannot remember now.

FWIW, here's what I've done which works well for us. I'm in the KISS boat along with trying to follow the repeated conclusions by not only the SNB staff and reports but many of the SMEs in these forums. Always, YMMV.

1. Have multiple ASUS in a combo of AP and Router mode for 5+ years for full coverage in my home. What I learned from several SNB articles is those big routers simply could not keep up between the kids stuff, work stuff and Apple this and that. They also were a SPOF for the wireless workloads.
2. Signals do not penetrate far outside or inside b/c of the wall construction. (That was what was attractive about Ubiquiti's (in wall) APs.
3. My approach is to only buy new ASUS units when the SNB community agrees it's time to do so.
4. I typically install the new unit to the "hottest" point and then waterfall the other ASUS units from there.
5. Today I have 2 x APs - an RT-AC88U (newest) and an RT-AC1900P at opposite ends of the home.
6. The main routers are an RT-AC1900P + N56U in the basement mostly in just router mode. I usually turn the wireless off or do not broadcast so as not to confuse the family.
7. This approach also subdivides the primary wireless workload and provides a backup AP if I'm upgrading the firmware or one of the main AP decides to flake out. I've taught the family to just simply switch to the other AP.
8. The AP/SSID are NOT the same names (see above)
9. I set/lock the units channels, trying not to overlap after seeing the wifi-map I share with the neighbors. I know some of that single vs multiple SSID is controversial but I always want to know what AP I'm actually connecting to.. so I know if there is a problem.
10. My "main" routers (RT-AC1900P/RT-N56U) live the basement as the internet facing units. I use 2 routers b/c I need to layer some of the "IOT" traffic closer to the internet and prefer to keep it off the more "inner" core.
11. I also have Untangle sitting on a old laptop right behind the modem so it takes the brunt of the scans, probes and also has ad-blocking active. Via that laptop, I also get a quick view of the modem's stats b/c I can just open another browser page, hit the modem's IP and see what each channel signals look like. Sometimes they are hot, sometimes they are not so I can adjust the in-line attenuators to keep the signal in the optimal range for the modem to operate. (You would not believe the variances in signals, especially when it rains.) I can also use this to perform the DLS Reports performance tests as there's nothing between this point but the modem..
12. I use Merlin's production code base exclusively and perform firmware updates about ever 1-2 months, rolling thru the ASUS units. I used to have a Netgear in the mix but then decided I did not want to deal with yet another set of firmware updates.
13. I rarely hear complaints from the natives! The setup is screaming fast as as secure as I can make from that POV.
14. At some point, the 1900P units will waterfall out and then I'll sell them on eBay. I've concluded from reading SNB, the next unit I'll buy with the awesome RT-86U but not sure when. Yesterday there were tempting deals but my 1900Ps are barely breaking a sweat and it's rock solid stable.. (very important for family tranquility).
15. I also have a couple of well reviewed (VLANable) Dell commercial switches I got off ebay for like $25 each. These are just acting as normal switches handling all the in-room physical connections. I decided to just use separate switches instead of trying to complicate the setup with multiple VLANs. (KISS again). This also works well with my layering.
16. This seems to be the most cost effective approach I've found to date. It's been 3+ years now since I brought the 88U and I do not remember how old the 1900P's are at this point what 5+? All have been rock solid.
17. BTW, I've tried MANY other router brands and after my last round of crappy failures 5+ years ago, when I spent days trying to decipher and fix, I threw all that crap in a box and decided I'm sticking with ASUS + Merlin....at least until they give me a reason not to!
18. YMMV

Later.

 

[loveleeyoungae]

Thank you @MichaelCG, and @gattaca for your great write up!

@gattaca, could you tell more about the reason you ditched the MANY routers in point 17? I used to have some experience using Linksys routers with DD-WRT, Tomato, and after I got Asus routers I thought they got the best custom firmware by Merlin. But I think my experience is still limited, and wonder if there are other unpopular-but-still-great brands.

That being said, I still feel normal brand routers are somewhat limited, and am thinking of some higher end router like Mikrotik, or even something hardcore like pfsense or untangle. Still don't know if pfsense/untangle are actually greater than for example RouterOS by Mikrotik or they're just popular due to free/open source. Guess there will be a lot of homework for me to do. I also found another thread giving some insights about Mikrotik, Ubiquiti vs enterprise brand. I especially want something that can be easy to setup an ad-blocking system more power than Diversion/pi-hole, can report more detailed traffic of devices in the house.

 

[System Error Message]

A couple nits. First, pfSense is built on FreeBSD, and you can install any of the available FreeBSD packages. But yes it's FreeBSD not Linux.
But also if you are advocating running firewall + file server + app cache + whatever on a single OS instance, I have to ask WHY? Management and security-wise it's a nightmare unless you use virtualization to provide some logical separation of the processes. I prefer to keep a single slimmed down OS with VM's and Containers to abstract the apps from the underlying OS. pfSense 2.4 runs fine in a VM on Ubuntu or other Linux OS. Or it could be Untangled, Sophos UTM, OpenWRT as your firewall software of choice.

There are a couple of reasons why sometimes one would advocate an all in one, not always but first is typically for homes you have 1 person to manage the entire network. To set up a fully redundant setup would require so much effort and money (lots of different devices), that it simply isnt worth it to the home user.

Whenever a device uses a NAT, that connection can be exploited, so it really makes no difference whether or not the device is the router or a server behind a router. To use my router as an example, i only run some services on LAN and not on every interface so if i need to access it remote, i use VPN. In a NAT, some sort of mapping is done and as proof, another server can respond to the original request. Some routers allow you to set how strict the routing is and you can even use a bank like blacklist which would even blacklist google because almost every website or server will back track you nowadays, responding with another server or changing your traffic. Your ISP can actually use routing as a manner of blocking sites, or just filter your traffic based on the domain requests (even if not to them) as one example and redirecting you based on that (or even inject ads). Major services like google have multiple servers that respond do you and also exploit to get more information as no NAT will secure the device behind it making the connection, to say that a NAT is safe that devices behind it arent exposed is a poor excuse to not secure your devices. If this were not true you would not find all in ones as they would be discouraged then. All in one devices do make sense and actually arent different from separate servers and devices in a redundant config (or each one doing a separate thing) but its much easier to secure one server than it is to secure 10 different ones.

Theres a lot to consider. If you were setting up a business network, my recommendation would be very different from a home network because whether a custom built all in one to 10 different servers, are actually the same in security as long as you set it up right. In a business however you will want redundancy and performance a single device cannot provide whereas at home, at most having a spare is fine as you arent hosting a connection for many people to do work or anything critical so a bit of downtime is acceptable. Setting up and maintaining a separate device per service/server is labour intensive as well.

 

[gattaca]

Thank you @MichaelCG, and @gattaca for your great write up!

@gattaca, could you tell more about the reason you ditched the MANY routers in point 17?

Yes, I've used gear from: Dlink, Netgear, Nexland (Brought by Sonicwall I think many, many years ago), Cisco, ASUS, TPLink, Linksys, Norton Core, ...
The main reasons I dropped the last player before ASUS were reliability, reliability, reliability then security (as in patching vulnerabilities promptly with frequent updates), costs, simplicity to setup (KISS), learning curve is not too steep and time-to-maintain is not crazy.. and in general feeling of an active, engaged community around the platform. I've toyed with going hard core like Mikrotik or Sophos XG or UTM... but as I got into that research, one or more of the above reasons always got in the way. Some of the more commercial players are offering "home" licenses with limits on either the number of devices or a limit on the CPU/RAM of the products - Sophos is an example. Untangle offers an attractive $50/yr home-only license as well.

BTW, I just invested a few hours examining OPNSense. Sadly, it does not come with an out-of-box easy-to-configure/use ad-blocking setup - so game over there. I did locate posts where people have "added" it to the platform but I'm not ready to spend hours digging into yet another router with something not supported by the community at-large. My bottom line is I'm not considering anything that does not offer ad-blocking out-of-box now. Hence, back to the original posting. Later.