Good router for security?

MythicFrost

Young grasshopper
Joined
Feb 11, 2021
Messages
58
Reaction score
18
Location
192.168.0.1
Thanks again to everyone for the wealth of information, it is much appreciated!

Not exactly.

The Asus router does not support VLANs.

Lots of ways to go about it. The goal is to isolate your cameras from having access to the internet, and you can only see them when at home on your network. When away from home, you hit the OpenVPN app on your phone, it makes a connection to your home router, and then you have access to whatever app you are using to view your cameras like you are at home.

Look at this thread to get a better understanding of what it is.

I'm going through that post, very helpful!

So, essentially the OpenVPN allows an encrypted tunnel from other devices (say phone) to the router (i.e., home network)?

By setting it up, I can essentially pretend to be on my home network even if I'm not?

Isolating the cameras/NVR from accessing the internet is done with the firewall on the router, correct?

So, is PFSense basically turning a small computer into a router? Or do you still have a router as well?

Yes.

PFSense is free software that will run on any computer with 2 or more network interfaces.

Or do you still have a router as well?

Not needed with PFSense.

A typical ISP-provided rental SOHO "router" today is a combination of:
1 - modem
2 - router
3 - switch
4 - wireless access point (today mostly with two radios)

#1 Modem piece is typically a separate router by itself. When the modem boots up it does a TFTP to an ISP server, which looks up your modem's MAC address and associates your speed tier with your connection, which it saves on your modem. Typically the ISP only lets you view some of the configuration and stats but nothing else.


Do you guys run everything on the network through OpenVPN, or just insecure stuff like cams or IoT devices?

I only utilize OpenVPN client on my tablet, laptop or phone when I am not at home and want to manage my network, watch my CCTV or play with my automation. I have not had to open ports on my firewall for many many years now.

Relating to IoT devices, many folks separate them from main house networks using autonomous WAPs, VLANs or networks.

Really with this stuff you either accept and use it or not.

I.e., I have been tinkering with WiFi switches which I turn into devices not dependent on the cloud by replacing the firmware on these devices with Tasmota or Espurna.

Recently installed a wireless doorbell. First time I have used wireless for a camera. First thing I did with it was disable the cloud app.
Interesting. I feel like the easier solution right now is maybe to go with a router, but I am interested in PFSense but feel it may have a large learning curve -- and perhaps with my lack of knowledge may be insecure the way I set it up?

Is it able to run on a Raspberry Pi 4 out of curiosity? Is that kind of hardware suitable or is it better to use an Intel/AMD system with 4-8 cores with PFSense?

Yeah, I'd ideally like to have a VLAN which isolates the IoT devices and cameras, and then another for my usual devices.
How do wireless devices connect to the VLAN? I sort of get the idea of having a switch with ethernet ports and plugging those in, but not sure how it works with WiFi.

Do you think a guest network is suitable for isolating IoT devices and cams from the main network, or is that not a very secure solution?
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
25,004
Reaction score
48,765
Location
USA
Thanks again to everyone for the wealth of information, it is much appreciated!

So, essentially the OpenVPN allows an encrypted tunnel from other devices (say phone) to the router (i.e., home network)?

By setting it up, I can essentially pretend to be on my home network even if I'm not?

Isolating the cameras/NVR from accessing the internet is done with the firewall on the router, correct?

Do you think a guest network is suitable for isolating IoT devices and cams from the main network, or is that not a very secure solution?

Now you got it figured out! Yes, it is like pretending you are on your home network.

Many of us use the guest network for isolating IoT things. It is somewhat secure as long as you don't allow it access to other stuff (some routers allow that) and a VLAN would be safer but takes some knowledge to set up. Guest network would be better than nothing. But you don't want wifi cams!
 

MythicFrost

Young grasshopper
Joined
Feb 11, 2021
Messages
58
Reaction score
18
Location
192.168.0.1
Now you got it figured out! Yes, it is like pretending you are on your home network.

Many of us use the guest network for isolating IoT things. It is somewhat secure as long as you don't allow it access to other stuff (some routers allow that) and a VLAN would be safer but takes some knowledge to set up. Guest network would be better than nothing. But you don't want wifi cams!
Great! It's a big learning curve but very interesting stuff! So glad I found this forum.

I see. Yeah, I think the guest network is probably the easiest option but I do want to learn how to setup VLANs.

If the router doesn't support VLANs, can you buy a managed switch that does, connect that to the router, and then your cams to the switch?
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
25,004
Reaction score
48,765
Location
USA
That is certainly something that can be done and many do just that and leave the router to being a wifi access point and run only one ethernet to it and connect everything else to a switch.
 

MythicFrost

Young grasshopper
Joined
Feb 11, 2021
Messages
58
Reaction score
18
Location
192.168.0.1
That is certainly something that can be done and many do just that and leave the router to being a wifi access point and run only one ethernet to it and connect everything else to a switch.
Interesting... so essentially all your home devices connect to the router as usual via WiFi or ethernet, but then just plug in the stuff you want to isolate on the switch?
Or does the router act just as a WAP and then the switch manages what goes where for both ethernet and wireless devices?
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
25,004
Reaction score
48,765
Location
USA
Both LOL - lots of different ways to go about it. Or you put the VLAN switch ahead of the wifi router.

This one is a go-to VLAN router and someone was nice enough to detail out directions on how to set it up:

 
Joined
Dec 30, 2016
Messages
808
Reaction score
622
Location
Somewhere in the space/time continuum
Thanks again to everyone for the wealth of information, it is much appreciated!


I'm going through that post, very helpful!

So, essentially the OpenVPN allows an encrypted tunnel from other devices (say phone) to the router (i.e., home network)?

By setting it up, I can essentially pretend to be on my home network even if I'm not?

Isolating the cameras/NVR from accessing the internet is done with the firewall on the router, correct?


Interesting. I feel like the easier solution right now is maybe to go with a router, but I am interested in PFSense but feel it may have a large learning curve -- and perhaps with my lack of knowledge may be insecure the way I set it up?

Is it able to run on a Raspberry Pi 4 out of curiosity? Is that kind of hardware suitable or is it better to use an Intel/AMD system with 4-8 cores with PFSense?

Yeah, I'd ideally like to have a VLAN which isolates the IoT devices and cameras, and then another for my usual devices.
How do wireless devices connect to the VLAN? I sort of get the idea of having a switch with ethernet ports and plugging those in, but not sure how it works with WiFi.

Do you think a guest network is suitable for isolating IoT devices and cams from the main network, or is that not a very secure solution?
PFSense is so robust with what you can do, it puts consumer-grade routers to shame. But yes, it does have a huge learning curve if you are not familiar with firewalls and other router settings. Its graphical user interface is excellent. I am running PFSense on a $100 PC with a Celeron processor with 8GB of RAM and a 128GB SSD. I have added a 4-port NIC, also, to allow for other subnets. If you really want excellent home network security, PFSense or one of the many other Linux firewalls is the way to go. Even with a Celeron processor, it has been able to handle just about anything, including an Intrusion Prevention package and Ad Blocking, without any sort of slowdown. Best of all, the PFSense software is free and open source. Also, OpenVPN was pretty easy to set up.
 

MythicFrost

Young grasshopper
Joined
Feb 11, 2021
Messages
58
Reaction score
18
Location
192.168.0.1
Both LOL - lots of different ways to go about it. Or you put the VLAN switch ahead of the wifi router.

This one is a go-to VLAN router and someone was nice enough to detail out directions on how to set it up:

That looks interesting!
If I understand correctly, that is solely a router (and a switch?). It is not a wireless access point?

So the order would look like this:
Modem -> ISP Router (as the WAP) -> EdgeRouter X.

Can I assign wireless devices to a VLAN as well or can I only assign devices connected via ethernet?

PFSense is so robust with what you can do, it puts consumer-grade routers to shame. But yes, it does have a huge learning curve if you are not familiar with firewalls and other router settings. Its graphical user interface is excellent. I am running PFSense on a $100 PC with a Celeron processor with 8GB of RAM and a 128GB SSD. I have added a 4-port NIC, also, to allow for other subnets. If you really want excellent home network security, PFSense or one of the many other Linux firewalls is the way to go. Even with a Celeron processor, it has been able to handle just about anything, including an Intrusion Prevention package and Ad Blocking, without any sort of slowdown. Best of all, the PFSense software is free and open source. Also, OpenVPN was pretty easy to set up.
So if I go the PFSense route, it goes in this order?
Modem -> ISP Router (WAP) -> PFSense box?

If I built my own, it's looking to cost me around $500 AUD which is a touch pricey. Are there tiny PCs you know of that are made for this sort of thing?
 
Joined
Dec 30, 2016
Messages
808
Reaction score
622
Location
Somewhere in the space/time continuum
That looks interesting!
If I understand correctly, that is solely a router (and a switch?). It is not a wireless access point?

So the order would look like this:
Modem -> ISP Router (as the WAP) -> EdgeRouter X.

Can I assign wireless devices to a VLAN as well or can I only assign devices connected via ethernet?


So if I go the PFSense route, it goes in this order?
Modem -> ISP Router (WAP) -> PFSense box?

If I built my own, it's looking to cost me around $500 AUD which is a touch pricey. Are there tiny PCs you know of that are made for this sort of thing?
You can, but PFSense does everything, so you really should eliminate the ISP router. Or, if you can get into the ISP router to change its settings, you would then use it as a WAP only. The smart thing to do is eliminate any device from your ISP and go with your own gear. The setup then would be Modem > PFSense Box > WAP or something similar. The PFSense box does routing/firewall, eliminating the need for an ISP router.
 

MythicFrost

Young grasshopper
Joined
Feb 11, 2021
Messages
58
Reaction score
18
Location
192.168.0.1
You can, but PFSense does everything, so you really should eliminate the ISP router. Or, if you can get into the ISP router to change its settings, you would then use it as a WAP only. The smart thing to do is eliminate any device from your ISP and go with your own gear. The setup then would be Modem > PFSense Box > WAP or something similar. The PFSense box does routing/firewall, eliminating the need for an ISP router.
Yeah, I was thinking of using it solely as a WAP.

Oh, so if I did Modem > PFSense Box > WAP.
Is this enough equipment to setup two VLANs -- one for home stuff and one for cameras?

Or, do I still need to incorporate a switch (managed, unmanaged?) somewhere in that chain?
 
Joined
Dec 30, 2016
Messages
808
Reaction score
622
Location
Somewhere in the space/time continuum
Yeah, I was thinking of using it solely as a WAP.

Oh, so if I did Modem > PFSense Box > WAP.

Is this enough equipment to setup two VLANs -- one for home stuff and one for cameras?

Or, do I still need to incorporate a switch (managed, unmanaged?) somewhere in that chain?
Yes, it definitely will do VLANs. With a device, either all-in-one or PC, with a 4- or 6-port NIC, you can set up 3 to 5 subnets if you want. Keep in mind, if you do VLANs in the PFSense device, all your network traffic is going through it. If you do VLANs in a separate managed switch, that traffic can be limited to the switch if you want.
 

MythicFrost

Young grasshopper
Joined
Feb 11, 2021
Messages
58
Reaction score
18
Location
192.168.0.1
Yes, it definitely will do VLANs. With a device, either all-in-one or PC, with a 4- or 6-port NIC, you can set up 3 to 5 subnets if you want. Keep in mind, if you do VLANs in the PFSense device, all your network traffic is going through it. If you do VLANs in a separate managed switch, that traffic can be limited to the switch if you want.
Thanks a lot for your help - I am learning!

I do like the idea of the VLANs in a separate managed switch. But how does the managed switch handle devices connected by WiFi?
I.e., in my head, it seems like WiFi devices would go straight to the WAP, into the PFSense box (or router) and then be handled, and only the cams plugged into the switch would be managed? Is that how it would work?

How would you segregate WiFi devices? Do you need two different WAPs hanging off two separate switches?

On another note:
What is your opinion on this for a PFSense Box?
 
Joined
Dec 30, 2016
Messages
808
Reaction score
622
Location
Somewhere in the space/time continuum
Thanks a lot for your help - I am learning!

I do like the idea of the VLANs in a separate managed switch. But how does the managed switch handle devices connected by WiFi?
I.e., in my head, it seems like WiFi devices would go straight to the WAP, into the PFSense box (or router) and then be handled, and only the cams plugged into the switch would be managed? Is that how it would work?

How would you segregate WiFi devices? Do you need two different WAPs hanging off two separate switches?

On another note:
What is your opinion on this for a PFSense Box?
The PFSense box needs to have a minimum of 2 network ports, but 4 is better if you want subnets as well as your WAP connected to it. I have my IoT WiFi devices segregated using a different subnet, so I have 2 different WAPs, both on different networks so to speak. My main WiFi setup for home and guest users is on its own subnet. You will need to delve into basic networking, network masks, etc. to learn how all this works. Like I said, the learning curve with a PFSense router/firewall can be pretty steep. Look at many of the YouTube videos from Lawrence Systems to get a really good intro into PFSense, its setup, and hardware that can be used.

If you want to keep things much simpler, and stick with your existing modem, router and WAP then definitely go with a good quality managed switch. But, you will need to learn about subnets, subnet masks, etc. in order to get everything set up.
 

pete_c

Getting comfortable
Joined
Jul 30, 2019
Messages
617
Reaction score
689
Location
Time
The computer shown would work.

Google "PFSense firewall" on eBay.

I picked up a micro PC J1900 CPU with 2 network ports for house #2 for $70 USD new old stock.

Built a PFSense box using a micro dual NIC i5 computer that I purchased used for $60 on Ebay. Prices do get inflated when PFSense is mentioned.
A used PC is a used PC.

Here I am a time person and have a serially connected GPS with PPS connected to both PFSense firewalls. Way better time than the internet.
Only a serial port will work with a GPS / PPS (not a USB port). Originally had the GPS mounted in the attic with a long cat5e cable with RS-232 baluns on it.


There are modded HP refurbs (SFF) with 6 NICs on Ebay for $88 USD.

Literally any PC with an Intel / AMD CPU with 4 Gb or more will run circles around ANY SOHO router.

Here went from Ubiquiti WAPs to Ruckus WAPs in two homes. Very happy camper.

Both set ups are identical now.

ISP modem (purchased Arris SB6190's) ==> PFSense box ==> managed L2 switches ==> Ruckus WAPs.
 

MythicFrost

Young grasshopper
Joined
Feb 11, 2021
Messages
58
Reaction score
18
Location
192.168.0.1
Thanks guys for all your help!

The PFSense box needs to have a minimum of 2 network ports, but 4 is better if you want subnets as well as your WAP connected to it. I have my IoT WiFi devices segregated using a different subnet, so I have 2 different WAPs, both on different networks so to speak. My main WiFi setup for home and guest users is on its own subnet. You will need to delve into basic networking, network masks, etc. to learn how all this works. Like I said, the learning curve with a PFSense router/firewall can be pretty steep. Look at many of the YouTube videos from Lawrence Systems to get a really good intro into PFSense, its setup, and hardware that can be used.

If you want to keep things much simpler, and stick with your existing modem, router and WAP then definitely go with a good quality managed switch. But, you will need to learn about subnets, subnet masks, etc. in order to get everything set up.
I think I've decided on a good solution.

EdgeRouter X (5-port)
WAN (ETH0) -> Modem
ETH1 -> Netgear Managed Switch 1
-> Home devices (ETH)
-> TP-Link WAP -> Home devices (WiFi)
ETH2 -> Netgear Managed Switch 2 -> NVR/BlueIris Box -> EdgeSwitch 8 port Managed PoE+ (150W) -> 7x Cams

Think that seems all right? I've tried to use that page as a guide.

I think I'll be able to set up the EdgeRouter with the instructions provided in that thread.
This setup is also not too expensive. Maybe one day I'll go for the PFSense Box, but a bit out of my league for now.
Baby steps, I think!


The computer shown would work.

Google PFSense firewall on Ebay.

I picked up a micro PC J1900 CPU with 2 network ports for house #2 for $70 USD new old stock.

Built a PFSense box using a micro dual NIC i5 computer that I purchased used for $60 on Ebay. Prices do get inflated when PFSense is mentioned.
A used PC is a used PC.

Here I am a time person and have a serially connected GPS with PPS connected to both PFSense firewalls. Way better time than the internet.
Only a serial port will work with a GPS / PPS (not a USB port). Originally had the GPS mounted in the attic with a long cat5e cable with RS-232 baluns on it.


There are modded HP refurbs (SFF) with 6 NICs on Ebay for $88 USD.

Literally any PC with an Intel / AMD CPU with 4 Gb or more will run circles around ANY SOHO router.

Here went from Ubiquiti WAPs to Ruckus WAPs in two homes. Very happy camper.

Both set ups are identical now.

ISP modem (purchased Arris SB6190's) ==> PFSense box ==> managed L2 switches ==> Ruckus WAPs.
I had a look around but unfortunately everything seems to be minimum $400-500 AUD.
I think I'll leave PFSense until I'm a bit more experienced. I think the EdgeRouter X + couple managed switches + WAP + EdgeSwitch PoE+ will help me get into it and learn a bit as well.
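An added example, not from this thread or from any of the products named in it: a small Python model of the first-match, stateful firewall policy that the plan above implies (cameras on ETH2 may not start connections to the internet or to the home LAN, while home devices and OpenVPN clients can still reach the NVR). The subnets, the NVR address and the NVR port are assumed for illustration; the thread gives none of them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing (assumed, not from the thread): one subnet per
# EdgeRouter port plus the pool OpenVPN hands to remote phones/laptops.
ZONES = {
    "home": ipaddress.ip_network("192.168.1.0/24"),  # ETH1 -> switch 1 + WAP
    "cams": ipaddress.ip_network("192.168.2.0/24"),  # ETH2 -> switch 2 + NVR
    "vpn": ipaddress.ip_network("10.8.0.0/24"),      # OpenVPN clients
}
NVR = "192.168.2.10"   # assumed NVR address
NVR_PORT = 8080        # assumed NVR web port


def zone_of(ip: str) -> str:
    """Map an address to a zone; anything not local counts as the internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "wan"


@dataclass
class Rule:
    src: str                      # source zone
    dst: str                      # destination zone
    action: str                   # "accept" or "drop"
    dport: Optional[int] = None   # match only this destination port
    dst_ip: Optional[str] = None  # match only this destination host


# Policy from the thread: cameras never initiate towards the internet or the
# house; home users reach the camera subnet; VPN users reach only the NVR
# web port; home and VPN users get out as usual. Anything matching no rule
# is dropped (default deny), as pfSense and EdgeOS rule sets are built.
RULES = [
    Rule("cams", "wan", "drop"),
    Rule("cams", "home", "drop"),
    Rule("cams", "vpn", "drop"),
    Rule("home", "cams", "accept"),
    Rule("vpn", "cams", "accept", dport=NVR_PORT, dst_ip=NVR),
    Rule("home", "wan", "accept"),
    Rule("vpn", "home", "accept"),
]


class Firewall:
    """First-match evaluator with a minimal connection table for replies."""

    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()  # (src, sport, dst, dport) of accepted flows

    def evaluate(self, src, sport, dst, dport):
        # Reply packets of a flow accepted earlier are always allowed (the
        # "established/related" rule every stateful firewall starts with).
        if (dst, dport, src, sport) in self.sessions:
            return "accept"
        s, d = zone_of(src), zone_of(dst)
        for r in self.rules:
            if r.src != s or r.dst != d:
                continue
            if r.dport is not None and r.dport != dport:
                continue
            if r.dst_ip is not None and r.dst_ip != dst:
                continue
            if r.action == "accept":
                self.sessions.add((src, sport, dst, dport))
            return r.action
        return "drop"
```

Because unsolicited traffic from "wan" matches no rule, the model also shows why no port forward is needed once the OpenVPN client lands you in the "vpn" zone.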
 

pete_c

Getting comfortable
Joined
Jul 30, 2019
Messages
617
Reaction score
689
Location
Time
The EdgeRouter is a bit limited...

You might like this one better:

MikroTik hEX S Gigabit Ethernet Router with SFP Port (RB760iGS) for $72.78 (Amazon) would be a bit nicer...

On Ebay I see:

HP T620 Plus 4GB-RAM 16GB-SSD 5x1GbE PSU Rev B Stand pfSense firewall router for some $200 USD or so.

You can purchase an HP T620 these days for $50 USD and just add a 4 port NIC card to it keeping it under $100 for a nice PFSense firewall.

My first PFSense firewall was using a dual-NIC BCM motherboard with an old dual-core Intel chipset.

I built a PFSense box using a refurbished Datto mini NUC-style PC last year for a buddy of mine. The Datto PC has two built-in NICs; it is a Zotac with two NICs.

These were selling for over $400 at one time.

Check this one on Ebay for $50. Last year these were being dumped on Ebay for next to nothing.

Zotac ZBOX NANO DATTO-1000 GX-415 Barebones Mini PC Desktop NO RAM NO Storage $49.99

Here originally went with 3 small footprint TP-Link L2 Easy switches that I paid some $200 each. Today you can purchase TP-Link L2-L3 managed switches for less than $200 each.
I liked these cuz they were fanless and they fit inside of my Leviton 42" media panel.

House #1 has a tad under 128 network devices on it while House #2 has around 20 network devices.

For house #2 I purchased a TP-Link managed PoE switch which is doing fine. I connected the Ring hub via PoE along with the Ruckus WAP on it.
 

MythicFrost

Young grasshopper
Joined
Feb 11, 2021
Messages
58
Reaction score
18
Location
192.168.0.1
Thanks!

The reason I like the EdgeRouter is because there is a guide here + config file to set it all up. That'll make it quite easy for me to get it going.

Unfortunately after shipping to Australia that HP T620 works out at $410 AUD, which is a bit more than I was wanting to spend.
Also the Zotac works out at about $150 AUD after shipping but also has import taxes, and I'd need to get RAM and storage for it.

I think I'll leave PFSense for another time, though I might keep an eye out for a budget rig that may be suitable for it.
 

mikeynags

Known around here
Joined
Mar 14, 2017
Messages
1,035
Reaction score
940
Location
CT
The MikroTik is rated at 470 megabits per second data transfer rate and the EdgeRouter X is rated at 1 gigabit per second - if one were just looking at that, the answer would be easy: go with the ER-X.
 

Fufel

n3wb
Joined
Feb 17, 2021
Messages
3
Reaction score
1
Location
UK
Hi there. I can share my experience in using a home security system. I should mention the brand I use. It is Ajax. Have you heard about it? I've noticed it becomes more and more popular among modern users. This system does not require any Wi-Fi connection. So, you do not need to pick up a good router to provide a qualitative connection. The Ajax system works with the help of a SIM card. So, when I leave for a while, I do not worry about that. Also, it has unique brand batteries that have a six-year working period. It is the best system for those who do not want to think about system maintenance.
 

MythicFrost

Young grasshopper
Joined
Feb 11, 2021
Messages
58
Reaction score
18
Location
192.168.0.1
Thanks everyone for your comments/help!

I ended up going with the EdgeRouter X, 2x Netgear GS305E switches and a Ubiquiti WiFi6 AC Lite WAP.
Probs won't get to me until next week, but going to set it all up then! Then my network is ready for the cams.
 