Good router for security?

MythicFrost

Young grasshopper
Joined
Feb 11, 2021
Messages
58
Reaction score
18
Location
192.168.0.1
Hi,

I'm interested in a home security system.
I've been reading the IPCam cliff notes and it discusses a bit of network/vpn/router/cam security.

I'm currently using a modem-router provided by my ISP. I assume it is probably not the most secure.
Are there any recommendations for well respected brands/models of routers that handle security well?
I'd like to learn more about this as well (potential attacks on a network) so if you know of any good resources, I'd appreciate a link!

Cheers
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,448
Reaction score
47,572
Location
USA
A lot of people here go with the ASUS brand as it has OpenVPN as part of it.

You will want to use OpenVPN to VPN back into your system when wanting to view your system from outside the home.

Do not port forward, UPnP, or P2P and isolate your cameras from the internet.

View the wikis here on how not to get hacked.
 

iwanttosee

Pulling my weight
Joined
Dec 27, 2020
Messages
203
Reaction score
186
Location
US
> I'm currently using a modem-router provided by my ISP. I assume it is probably not the most secure.

You need to set up firewall/website block/ports blocking/etc on whatever router you have.
 

MythicFrost

> A lot of people here go with the ASUS brand as it has OpenVPN as part of it.
>
> You will want to use OpenVPN to VPN back into your system when wanting to view your system from outside the home.
>
> Do not port forward, UPnP, or P2P and isolate your cameras from the internet.
>
> View the wikis here on how not to get hacked.

I see I see. Is it not possible to use another VPN or is OpenVPN specifically needed?

> You need to set up firewall/website block/ports blocking/etc on whatever router you have.

I see I see. Thanks.
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,666
Reaction score
14,006
Location
USA
Plenty of VPN methods exist. OpenVPN isn't specifically needed. It is just commonly supported and doesn't use any uncommon network protocols which makes it a bit more foolproof to get working. Some older standard VPN types like "PPTP" in particular have known vulnerabilities. I would avoid PPTP, even though it is also a commonly available VPN method.

Wireguard is an up-and-coming favorite with an emphasis on speed and simplicity but you may have trouble finding a router with built-in support.
 

wittaj

You need a VPN that VPNs into your system. A paid VPN is routing your internet usage into some unknown place to hide your IP and look at porn or illegal Netflix lol.
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
5,170
Reaction score
5,320
Location
Houston Tx
I use an ASUS router that supports OpenVPN. I have an Xfinity / Comcast modem/router. I set the ISP modem/router to bypass / pass-through / bridge mode so it is only a modem.
========================================
My general VPN post

There are two types of VPN; do not get them confused.
The type depends on where the traffic conversation (traffic) originates.

1) Origination: local home network, destination: the internet.
The purpose of this type of VPN is to hide your activity from the internet. It is outbound, and it normally costs a monthly fee to use. Direction is from your home PC to the internet, going to your bank, Google, porn sites... This is not what you want. This VPN uses a VPN server that is in the middle of your communications.

2) Origination: the internet (world wide web), destination: your home network.
This VPN type is used to provide a secure connection onto your local network, inbound to your local home network, from your office computer, your cell phone in your car, tablet at the coffee shop... This is what you want. It does not have a monthly fee and is normally completely free. OpenVPN is this type of VPN.

If your home internet provider is a cellular network, then DDNS (Dynamic Domain Name System) may not work. DDNS is needed for most inbound VPN services (OpenVPN) to get your home IP address (it is not static), so OpenVPN may not work for you.

A video on the paid VPN.
------------------------------------------------------
Hacked VPNs
-----------------------------------------------------
 

pete_c

Getting comfortable
Joined
Jul 30, 2019
Messages
617
Reaction score
689
Location
Time
Here utilize a PFSense box a la carte with a purchased Arris Surfboard modem.

I run IPSec and OpenVPN servers on PFSense. I use a VPN service for my Kodi boxes.

Suggesting you go with separate hardware you own.

PFSense runs circles around any SOHO router.
 

MythicFrost

What is this rabbit hole that I have delved into? :lmao::lmao:
I foresee a big learning curve ahead!

First of all, thank you all for your responses!

> Plenty of VPN methods exist. OpenVPN isn't specifically needed. It is just commonly supported and doesn't use any uncommon network protocols which makes it a bit more foolproof to get working. Some older standard VPN types like "PPTP" in particular have known vulnerabilities. I would avoid PPTP, even though it is also a commonly available VPN method.
>
> Wireguard is an up-and-coming favorite with an emphasis on speed and simplicity but you may have trouble finding a router with built-in support.

Oh, I see. Interesting!
I have used Wireguard in the PIA VPN but did not know it can be set up on its own.

> You need a VPN that VPNs into your system. A paid VPN is routing your internet usage into some unknown place to hide your IP and look at porn or illegal Netflix lol.

Ahhh roger, that makes sense.

> I use an ASUS router that supports OpenVPN. I have an Xfinity / Comcast modem/router. I set the ISP modem/router to bypass / pass-through / bridge mode so it is only a modem.

I'm looking at getting an ASUS router or a Netgear router that supports OpenVPN but also supports proper VLANs for segmenting the network.

> ========================================
> My general VPN post
>
> There are two types of VPN; do not get them confused.
> The type depends on where the traffic conversation (traffic) originates.
>
> 1) Origination: local home network, destination: the internet.
> The purpose of this type of VPN is to hide your activity from the internet. It is outbound, and it normally costs a monthly fee to use. Direction is from your home PC to the internet, going to your bank, Google, porn sites... This is not what you want. This VPN uses a VPN server that is in the middle of your communications.
>
> 2) Origination: the internet (world wide web), destination: your home network.
> This VPN type is used to provide a secure connection onto your local network, inbound to your local home network, from your office computer, your cell phone in your car, tablet at the coffee shop... This is what you want. It does not have a monthly fee and is normally completely free. OpenVPN is this type of VPN.
>
> If your home internet provider is a cellular network, then DDNS (Dynamic Domain Name System) may not work. DDNS is needed for most inbound VPN services (OpenVPN) to get your home IP address (it is not static), so OpenVPN may not work for you.
>
> A video on the paid VPN.
> ------------------------------------------------------
> Hacked VPNs
> -----------------------------------------------------

Yeah, I've heard many are dodgy and don't do what they say. I've been using PIA, and am pretty happy with them so far.

The explanation between the two different types helped a lot!

The ISP is cable, but it does have backup cellular but I don't think that'll work at the point I'm plugging in another router anyway.

> Here utilize a PFSense box a la carte with a purchased Arris Surfboard modem.
>
> I run IPSec and OpenVPN servers on PFSense. I use a VPN service for my Kodi boxes.
>
> Suggesting you go with separate hardware you own.
>
> PFSense runs circles around any of

I had to Google almost all of those things. So is PFSense physical hardware you purchase or is it software that runs on a computer?
Does it handle routing like a router or...?
 

pete_c

PFSense is a BSD OS that will run on any hardware with 2 or more network interfaces. Today run it on a box with 6 Intel Gb interfaces. 2 WAN and 4 LAN.

I use PIA mostly for Kodi media.

I also have configured a TOR (Onionskin) OpenWRT WAP router for some web surfing.
 

pete_c

Just purchased a new LTE CPE backup router which is plugged in to the PFSense box. It has an RJ11 telephone port. Everything works fine and getting 30-40 Mbps up/downloads on it. Really it is only used as a failover to the XFinity connection.

Upgraded the CPE from an Ericsson W25 CPE that has worked for years now.

I am using the phone line in my Panasonic multiple line stuff at home.

The Amazon Alexa boxes will soon be talking to each other via their own wireless network. It is difficult to keep up with this stuff. No sense in losing sleep over it.

Just got an email from Google thanking me about keeping tracking on my phone and this was accompanied by a map and places I have been to last month. I do keep my cell phones off when in the house and utilize GV to forward calls to my house phones.



Go baby steps with your endeavor a bit at a time.
 
Joined
Dec 6, 2014
Messages
3,554
Reaction score
14,738
Location
South Dakota
OMG--- I literally was going to post about this very thing, and as always the IPC community comes through.

I am one of those who was lucky NOT to get deeply hacked, running a port-forwarding setup for years. I turned all that off and tried to set up OpenVPN on my old Netgear router with DD-WRT on it--- but the setup process stumped me. I needed to copy code into certain boxes on the router setup from the OpenVPN config tool---- and the boxes just did not have the same names-- no way to know exactly what the hell should go where. No updates to that DD-WRT firmware either, so I gave up that effort and have lived without remote access to my cams. Time for that to change....

So--- I am looking at ASUS routers. I do NOT need the latest & greatest wifi speeds or a box with fifteen antennas attached to it. I have two Ubiquiti APs (about 6 years old now) that do what I need them to do. What I DO need is something with a good PROCESSOR and enough RAM and storage to do a good job with processing the OpenVPN connection encrypting and decrypting workload. I have read about some routers just not having the hardware needed to do a good job with this, and crappy connections that fail become the result.

SO---- WHICH Asus router meets the criteria above and will run reliably for a long time?
 

pete_c

The Asus RT-AC86U is a highly rated combo router/firewall and WAP with a fast CPU / good amount of RAM. That said it is a combo SOHO box with antennas priced around $160. The issue with SOHO routers is that the firmware is seldom updated or slow unless you install OpenWRT on the same said box.

OpenWRT has continued development and is always updated (not like DD-WRT). Here using a micro travel router inside of my alarm can with OpenWRT. Expanded the OS on it using a USB stick and running Python 3 and Paho-MQTT scripts on it these days. The micro travel router is powered by the panel and is around 2" X 1" in size (NeXX 3020). I have the WAP off inside of the panel and am using it as a firewall. You can utilize it for an out of band management console plugged in to a USB CPE.

Code:
BusyBox v1.30.1 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
-----------------------------------------------------
OpenWrt 19.07.5, r11257-5090152ae3
-----------------------------------------------------
root@ICS-HAI:~# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                 2.5M      2.5M         0 100% /rom
tmpfs                    29.3M      1.1M     28.2M   4% /tmp
/dev/sda1                28.1G     69.5M     26.6G   0% /overlay
overlayfs:/overlay       28.1G     69.5M     26.6G   0% /
tmpfs                   512.0K         0    512.0K   0% /dev
/dev/mtdblock6            3.9M      1.8M      2.0M  47% /rwm
OpenWRT-OpenVPN.jpg

Here is the PFSense OpenVPN GUI - Easy peasey stuff - plug n play

PFSenseOpenVPN.jpg


You are currently using Ubiquiti APs. You are happy with Ubiquiti.

Get a single function Ubiquiti firewall like their EdgeRouter product (it is similar to PFSense, Sophos, MikroTik, et al).
 
Joined
Dec 6, 2014
Messages
3,554
Reaction score
14,738
Location
South Dakota
On my Netgear, I tried Tomato and DD-WRT. I don't think OpenWRT had a solution for that particular router though.

I have to add..... I am a CHEAP ASS!! :cool: I want to get by with as little money out of pocket as possible needed for a fast and reliable solution. I will look at the 68u on eBay.... let's see what's out there.
 

MythicFrost

So, is PFSense basically turning a small computer into a router? Or do you still have a router as well?

Do you guys run everything on the network through OpenVPN, or just insecure stuff like cams or IoT devices?
 

wittaj

You use OpenVPN when you are away from your home and want to VPN in to your system like you are sitting on your couch and take a look at your cameras.
 

MythicFrost

> You use OpenVPN when you are away from your home and want to VPN in to your system like you are sitting on your couch and take a look at your cameras.

Right, so I should set it up only for the cameras and leave the other devices on the network out of it?

Is the idea to set up a VLAN with OpenVPN on that, and then connect the devices to that VLAN that you want to use OpenVPN with?

----------

I like the look of that ASUS RT-AC86U. Does it support wireless isolation and have support for setting up multiple VLANs?
I would like to have all the cameras connect to the NVR (or PoE switch) and then that into an ethernet port that is separated from the rest of the network.
 

wittaj

Not exactly.

The Asus router does not support VLANs.

Lots of ways to go about it. The goal is to isolate your cameras from having access to the internet and you can only see them when at home on your network. When away from home, you hit the OpenVPN app on your phone, it makes a connection to your home router, and then you have access to whatever app you are using to view your cameras like you are at home.

Look at this thread to get a better understanding of what it is.
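
The layout described in the post above (cameras cut off from the internet, no port forwards, viewing from outside only through an inbound VPN), written as a check over an OpenWrt-style firewall config, since OpenWrt comes up elsewhere in this thread. This is an added example, not part of any poster's message; the zone names `cams` and `vpn`, the `tun0` device, UDP port 1194 and the sample config are constructed assumptions.

```python
# Constructed sample in OpenWrt /etc/config/firewall (UCI) syntax. The zone
# names "cams" and "vpn", device tun0 and UDP port 1194 are assumptions.
SAMPLE = """
config zone
    option name 'cams'
    option forward 'REJECT'
config zone
    option name 'vpn'
    list device 'tun0'
config forwarding
    option src 'lan'
    option dest 'cams'
config forwarding
    option src 'vpn'
    option dest 'cams'
config rule
    option name 'Allow-OpenVPN'
    option src 'wan'
    option proto 'udp'
    option dest_port '1194'
    option target 'ACCEPT'
"""

def parse_uci(text):
    """Return [(section_type, {option: value})]; a repeated key keeps its last value."""
    sections = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "config":
            sections.append((parts[1], {}))
        elif len(parts) >= 3 and parts[0] in ("option", "list") and sections:
            sections[-1][1][parts[1]] = " ".join(parts[2:]).strip("'\"")
    return sections

def audit(text, cam_zone="cams"):
    """List entries that break the isolation goal: cameras can reach wan,
    a port is forwarded from wan, or wan traffic is accepted into the camera zone."""
    findings = []
    for kind, opt in parse_uci(text):
        src, dest, name = opt.get("src"), opt.get("dest"), opt.get("name", "unnamed")
        allows = kind == "forwarding" or (kind == "rule" and opt.get("target") == "ACCEPT")
        if allows and src == cam_zone and dest == "wan":
            findings.append(f"{kind}: camera zone can reach wan")
        elif kind == "redirect" and src == "wan":
            findings.append(f"redirect '{name}': port forward from wan")
        elif allows and src == "wan" and dest == cam_zone:
            findings.append(f"{kind} '{name}': wan traffic accepted into camera zone")
    return findings

if __name__ == "__main__":
    # Constructed bad additions: cameras allowed out, plus a port forward to an NVR.
    bad = SAMPLE + ("config forwarding\n\toption src 'cams'\n\toption dest 'wan'\n"
                    "config redirect\n\toption name 'nvr-web'\n\toption src 'wan'\n"
                    "\toption src_dport '8000'\n\toption dest 'cams'\n\toption dest_port '80'\n")
    print(audit(SAMPLE))  # isolated layout
    print(audit(bad))     # layout with the two problems above
```

In the sample, the only thing accepted from `wan` is the VPN port on the router itself, and the camera zone is reachable only from `lan` and `vpn`.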

 

pete_c

> So, is PFSense basically turning a small computer into a router? Or do you still have a router as well?

Yes.

PFSense is free software that will run on any computer with 2 or more network interfaces.

> Or do you still have a router as well?

Not needed with PFSense.

A typically provided for rent ISP SOHO "router" today is a combination:
1 - modem
2 - router
3 - switch
4 - wireless access point (today mostly with two radios)

#1 Modem piece is typically a separate router by itself. When the modem boots up it does a TFTP to an ISP server which looks up your modem mac address and associates your speed tier to your connection which it saves on your modem. Typically the ISP only lets you view some of the configuration and stats but nothing else.


> Do you guys run everything on the network through OpenVPN, or just insecure stuff like cams or IoT devices?

I only utilize OpenVPN client on my tablet, laptop or phone when I am not at home and want to manage my network, watch my CCTV or play with my automation. I have not had to open ports on my firewall for many many years now.

Relating to IoT devices, many folks separate them from main house networks using autonomous WAPs, VLANs or networks.

Really with this stuff you either accept and use it or not.

IE: I have been tinkering with WiFi switches which I turn into devices not dependent on the cloud by replacing the firmware on these devices with Tasmota or Espurna.

Recently installed a wireless doorbell. First time I have used wireless for a camera. First thing I did with it was disable the cloud app.
 