Need SSH-customizable security-oriented router with strong firmware, drivers, and kernel support

SDF07S

Occasional Visitor
Hi,

I need a security-oriented WiFi 6E/7 router with 1/2.5/10Gbps Ethernet ports for home that meets the following criteria:
- Capable of creating Layer-2-Isolated VLAN's for 4+ LAN clients
- Capable of creating Layer-2-Isolated VLAN's for 4+ WLAN clients
- Allows for SSH-based customizations, such as writing, saving, and applying custom IPTables, EBTables, and/or ARPTables
- Allows for SSH-based customizations to execute on boot via a script with assumption there is some guidance on how to do that
- Allows for disablement of sending any and all telemetry to router maker/manufacturer or whichever 3rd party, which should be easy to accomplish with custom IPTables
- No in-bound traffic is to be allowed onto the router itself from WAN, which should be easy to accomplish with custom IPTables
- Continued strong support from router makers in regards to firmware, hardware drivers, and kernel
- Allow application of router firmware updates and router application updates manually via SSH
- Preferably follows strict secure design where each internal application runs in user mode and in its own container/sandbox
- Preferably can run DNSCrypt-Proxy, and/or OpenVPN, and/or WireGuard for all clients

I don't care for AI features, meshes, throughput-improving traffic schedulers, and intrusion prevention systems because none of the clients host for LAN or WAN and each client exclusively uses OpenVPN and/or WireGuard VPN.

My threat model involves those who are able to get past any SNORT and/or SURICATA based intrusion system and prefer to exploit hardware via drivers and other low level methods, with which I am not familiar. That is why "Continued strong support from router makers in regards to hardware drivers and kernel" is very important to me.
 
Your question is phrased in such a way that it sounds like you're viewing this from an Asus owner's point of view, and you've posted it in the Asus forum. No Asus router will provide you with what you want. You should be looking at Linux/BSD based solutions (e.g. OPNsense, pfSense, etc. ) for the router together with separate access points for Wi-Fi.
 
I need a security-oriented WiFi 6E router

Posting this in ASUS Wireless forum - I'm afraid none from Asus, unless you want to play beta tester with Wi-Fi 7 products.

RT-AXE7800 - weak hardware, weak 2x2 Wi-Fi 6E radio, no Asuswrt 5.0 support, no 3rd party firmware support
GT-AXE11000 - old hardware, no Asuswrt 5.0 support, Asuswrt-Merlin on Asuswrt 4.0 base, will get EOL perhaps first
GT-AXE16000 - expensive with slow firmware support, no Asuswrt 5.0 support yet, Asuswrt-Merlin on Asuswrt 4.0 base
ZenWiFi Pro ET12 - expensive with slow firmware support, no Asuswrt 5.0 support yet, no 3rd party firmware support yet

With such requirements I would look at x86 hardware running pfSense with switching and access point whatever you prefer.
 
My threat model involves those who are able to get past any SNORT and/or SURICATA based intrusion system

It's basically anything encrypted Snort/Suricata can't see. Includes all HTTPS and VPN traffic. If you want to inspect SSL you need a proxy like Squid, but some surprises are waiting along the way. No home router can do it for Gigabit with the processing power and RAM available even in high-end models. It has to be a fast enough x86 CPU or a multicore IPS/IDS on more power-efficient options. It won't be a very user friendly nor a cheap solution.
 
Yes, I thought ASUS could do the trick with some of their newer routers and ASUS Merlin firmware support.

When I look at DD-WRT and OpenWRT, I see poor support in terms of drivers and firmware because router manufacturers are the ones holding keys to all the closed-source hardware components and unless they release firmware, projects like DD-WRT and OpenWRT are still mostly software-oriented. I thought it would be different with ASUS.
 
And hardware still needs to be selected for pfSense and I am at a loss in that regard as well...
 
Asuswrt is also mostly closed source firmware with integrated proprietary components. Quite a few advertised firmware features require a data sharing agreement with Trend Micro as well as Asus themselves for automatic firmware updates and built-in security features. About pfSense/OPNsense - hardware selection is the least problem. If you have no experience with either router OS - it will be a steep learning curve. Your "pro" requirements suggest somewhat "pro" knowledge and experience. If this is not the case - your choices are limited to whatever is available on the consumer market.
 
I need a security-oriented WiFi 6E/7 router with 1/2.5/10Gbps Ethernet ports for home

With updated requirements:
One of Asuswrt-Merlin supported expensive "spider" models and... it is what it is. RT-BE96U or GT-BE98U Pro. There will be bugs, there will be beta testing period. Common for all new consumer products. Whatever is buggy in closed source components will stay this way until fixed by Asus upstream.
 
How interesting - a list of demands ;)

- Capable of creating Layer-2-Isolated VLAN's for 4+ LAN clients
- Capable of creating Layer-2-Isolated VLAN's for 4+ WLAN clients

Reasonable ask - Challenge here is how to make it accessible and user friendly...

Maybe also ask for a dedicated IoT 2.4GHz WiFi radio with its own SSID/VLAN - and there you could add Thread/Matter support along with BLE and LoRa even... heck we could even add 802.11ah (WiFi HaLow) and Z-Wave support and cover everything useful in the IoT space

- Allows for SSH-based customizations, such as writing, saving, and applying custom IPTables, EBTables, and/or ARPTables
- Allows for SSH-based customizations to execute on boot via a script with assumption there is some guidance on how to do that

I would suggest no - there isn't really any reason to have an interactive shell...

- Allows for disablement of sending any and all telemetry to router maker/manufacturer or whichever 3rd party, which should be easy to accomplish with custom IPTables

To be honest, that's an impossible task these days - just being pragmatic here...

- No in-bound traffic is to be allowed onto the router itself from WAN, which should be easy to accomplish with custom IPTables

This one is easy, it's already there by default - and if one doesn't enable miniupnp...

- Continued strong support from router makers in regards to firmware, hardware drivers, and kernel

good luck with that - most of the router vendors either (a) work with their own BSP and port in the vendor SDKs, or (b) wrap a skin around the chipset vendor's SDK/BSP

- Allow application of router firmware updates and router application updates manually via SSH

See comment above about SSH - if the vendor can do this, so can the bad guys...

- Preferably follows strict secure design where each internal application runs in user mode and in its own container/sandbox

This one is easy - enable signed SW - most folks won't like that in certain communities...

- Preferably can run DNSCrypt-Proxy, and/or OpenVPN, and/or WireGuard for all clients

DNSCrypt-Proxy - erm, no... DNSCrypt is non-standard, and proxy configuration is a hot mess there...

WG support is ok, and I would add tailscale here as well...

Zerotier is getting more interesting these days, esp with CGNAT and Filtered IPV6 inbound connections.

OpenVPN - I'm not the biggest fan of OpenVPN due to performance issues, but ok, that's manageable via client config files downloaded...

If wishes were fishes, we'd all cast nets - that being said, it's marketing research for the next round of devices...
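The "no inbound from WAN to the router" point above, together with the OP's ask for a boot-time iptables script that also shuts the door on firmware-side telemetry, as an added example that is not from this thread or from any vendor firmware. It is a plain POSIX sh script for a Linux router with iptables: it drops every new inbound connection arriving on the WAN interface that is addressed to the router itself (forwarded LAN traffic is unaffected, since that goes through FORWARD), and it limits what the router itself may send out of the WAN interface to replies, DNS to one chosen resolver, and NTP. The interface name eth0, the resolver 9.9.9.9 and the chain names WAN_IN and ROUTER_OUT are assumptions for the example; the script only prints an iptables-restore ruleset unless it is run with --apply.

```shell
#!/bin/sh
# Added example, not from the thread or any router vendor. Generates an
# iptables-restore ruleset for a Linux router that:
#   1. drops every new inbound connection from the WAN interface to the
#      router itself (forwarded LAN traffic is untouched: it uses FORWARD);
#   2. limits what the router itself may send out of the WAN interface to
#      replies, DNS to one chosen resolver and NTP, so a firmware "phone home"
#      has no path out unless an ACCEPT for it is added here explicitly.
# Interface name, resolver and chain names are assumptions for the example.

gen_filter_rules() {
    wan_if="$1"        # assumed WAN interface, e.g. eth0
    router_dns="$2"    # assumed resolver the router itself may query
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:WAN_IN - [0:0]
:ROUTER_OUT - [0:0]
# Everything arriving on the WAN interface addressed to the router goes to WAN_IN
-A INPUT -i $wan_if -j WAN_IN
# Replies to connections the router opened (DNS, NTP, a VPN tunnel) come back here
-A WAN_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Unsolicited inbound to the router: keep a rate-limited log line, then drop
-A WAN_IN -m limit --limit 5/min -j LOG --log-prefix "WAN_IN_DROP: "
-A WAN_IN -j DROP
# Router-originated traffic leaving via the WAN interface goes to ROUTER_OUT
-A OUTPUT -o $wan_if -j ROUTER_OUT
-A ROUTER_OUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A ROUTER_OUT -p udp -d $router_dns --dport 53 -j ACCEPT
-A ROUTER_OUT -p tcp -d $router_dns --dport 53 -j ACCEPT
-A ROUTER_OUT -p udp --dport 123 -j ACCEPT
# Anything else the router itself tries to send (update checks, telemetry,
# cloud features) is logged and rejected. Add an ACCEPT above for a VPN
# endpoint if the tunnel terminates on the router rather than on the clients.
-A ROUTER_OUT -m limit --limit 5/min -j LOG --log-prefix "ROUTER_OUT_DROP: "
-A ROUTER_OUT -j REJECT
COMMIT
EOF
}

# Sanity check before applying: count the rules that terminate a packet.
# Both custom chains must end in DROP/REJECT, so a correct ruleset yields 2.
count_terminal_rules() {
    printf '%s\n' "$1" | grep -c -E -- '-j (DROP|REJECT)$'
}

# Dry run by default; "--apply" loads the rules without flushing other chains
# (for example the NAT rules the firmware set up). Needs root and iptables-restore.
WAN_IF="${WAN_IF:-eth0}"
ROUTER_DNS="${ROUTER_DNS:-9.9.9.9}"
RULES="$(gen_filter_rules "$WAN_IF" "$ROUTER_DNS")"
if [ "${1:-}" = "--apply" ]; then
    printf '%s\n' "$RULES" | iptables-restore --noflush
else
    printf '%s\n' "$RULES"
fi
```

Two caveats a practitioner should keep in mind. First, this only covers IPv4; an equivalent ip6tables ruleset is needed if the WAN has IPv6, otherwise the router is still reachable over v6. Second, the ROUTER_OUT chain deliberately cuts off the router's own unsolicited egress, which is exactly what also breaks vendor update checks, DDNS and any cloud feature, as later posts in this thread note; each of those has to be allowed by a specific rule rather than by loosening the default.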
 
When I look at DD-WRT and OpenWRT, I see poor support in terms of drivers and firmware because router manufacturers are the ones holding keys to all the closed-source hardware components and unless they release firmware, projects like DD-WRT and OpenWRT are still mostly software-oriented. I thought it would be different with ASUS.

Well - the router vendors have little say here...

Mediatek and Qualcomm at least base their SDKs on OpenWRT, so doing ports is a lot less work

Broadcom has always been a challenge with how they've implemented the kernel drivers - it's not bad or good, just different, and as such OpenWRT is generally off the table.

AsusWRT has a basis on Tomato, and a distant connection to the ancient WRT54G builds, much like DD-WRT - the distance between OpenWRT and AsusWRT is a long way away, each having gone on their own path...
 
And hardware still needs to be selected for pfSense and I am at a loss in that regard as well...

That's basically a losing cause... There is the existing ARM port for pfSense, which was sponsored by Netgate directly. That port is for Netgate HW only - which is basically a HW fork of two Marvell hardware platforms.

Anyways, at a residential BW scale - OpenWRT can handle this just as well as pfSense...
 
I take it custom ASUS router firmware isn't as open-source as pfSense, OpenWRT, and/or DD-WRT and doesn't allow running custom scripts that disable (preferably remove) telemetry processes and/or services?

I consider hardware a problem because I don't know what hardware to even select to meet my requirements of having consistent firmware, kernel, and driver updates for at least several years. I obviously don't need powerful hardware for a small network I describe, but inexpensive slow hardware doesn't get frequent firmware, kernel, and driver updates.

Another way to summarize is I want router hardware and software that follows principles of GrapheneOS for Android. If anyone is familiar with it, then they'd understand what I mean by it.
 
You can block all ASUS telemetry if you set WAN DNS servers to public black holes, such as 192.175.48.6 and 192.175.48.42.
 
You can block all ASUS telemetry if you set WAN DNS servers to public black holes, such as 192.175.48.6 and 192.175.48.42.
You would then not have any working DNS. Those blackhole servers are solely for reverse DNS lookups of private addresses. They do not provide the usual "forward" DNS lookups. If you don't want Asus telemetry, then don't enable any of those features.
 
You would then not have any working DNS. Those blackhole servers are solely for reverse DNS lookups of private addresses. They do not provide the usual "forward" DNS lookups. If you don't want Asus telemetry, then don't enable any of those features.

Not true. Blackholing global DNS only stops the router itself from resolving domains for itself as a host. It breaks sending telemetry, but of course also breaks DNS lookup, ASUS firmware updating, TrendMicro, etc., but does not prevent clients from resolving domains.

Blackhole servers I suggest are simply the best choices for blackholing domain resolution in cases when the router does not allow setting global DNS to 0.0.0.0 or 127.0.0.1. You can actually use any public IP that is a DNS server, but IANA blackholes make the most sense for such situations.
 
Not true. Blackholing global DNS only stops the router itself from resolving domains for itself as a host. It breaks sending telemetry, but of course also breaks DNS lookup, ASUS firmware updating, TrendMicro, etc., but does not prevent clients from resolving domains.
Sorry, but this was not clear in your initial post. You implied this would only block Asus telemetry. Now you're saying it would block all DNS lookups by the router, which is what I was pointing out.

You say it "does not prevent clients from resolving domain". But this is not true in the most common default router configuration. By default clients will be using the router as their DNS server. In turn that server forwards non-local requests to the DNS servers specified in the WAN settings. If you set these to blackhole servers as you suggest the clients will not be able to resolve non-local requests.
 
Yes, clients must set their own DNS server addresses for such cases or use their own VPN clients with a direct IP connection, but I think normally routers forward requests to the LAN DNS settings, not the global WAN DNS settings. Not sure if ASUS routers do that. I wish ASUS allowed setting global DNS to 0.0.0.0. That way queries aren't made over WAN at all. A public blackhole is a half-baked solution because it doesn't prevent queries from being made over WAN. It only prevents responses from those public holes.
 
but I think normally routers forward requests to LAN DNS settings, not global WAN DNS settings. Not sure if ASUS routers do that.
If you don't specify a DNS server override in the LAN settings then DHCP clients will use the router as their DNS server. This is the default configuration. As I said above, the router's DNS server will then forward clients' non-local requests upstream to the servers specified in the WAN DNS settings.
 
