I would like some advice about what hardware/firmware combination I should consider to strengthen the privacy and security of my home network. I have also posted this question on the Techlore forum, but am keen to get a wide variety of thoughts from here, too.
My threat model is to protect myself and my household from opportunistic attacks (i.e., I don’t expect to be targeted, but I’d like my devices to not end up part of a botnet). I’d also like to protect myself from the router firmware provider knowing behavioural information about me (e.g. browsing metadata).
I am aware that OpenWRT is a good option that is largely hardware agnostic, but that it may be tricky for someone non-technical (like me) to set up and maintain properly. I also have concerns about how to pick out a good piece of hardware for this (what I should look for). Personally, I don’t feel confident I’ll do a good enough job of it to be secure.
I am aware of pfsense and OPNsense, too, but they seem more targeted at power users and I share the same concerns about implementing them poorly as with OpenWRT.
However, I’m also aware of Firewalla, which looks like the macOS to OpenWRT’s Linux, in that it’s an all-in-one purchase that looks very easy to use. I see it was discussed at one point on this forum, but I don’t see it widely recommended by the privacy community. I imagine that’s for a reason, but I’m not sure what the privacy issues of it are.
More specific questions:
Are there other options I have not considered?
Is there other hardware I should consider for OpenWRT?
Does anyone have experience with Firewalla? Pros and cons?
I have a Firewalla Gold, and I’m going to set up a second network location with a Firewalla Purple SE next month.
Pros:
Everything “just works.”
I have had no downtime or other issues related to the box since installing it nearly a year ago.
Everything is dead simple to manage with their app.
It’s fast enough to handle my symmetrical Gigabit connection.
It’s open-source.
You can’t really configure it insecurely. I wasn’t going to lol, but it makes it easy to recommend to non-technical people.
Unlike a lot of new network equipment, you don’t need a “Firewalla account” in the cloud. The app on your phone connects directly to the box with public key cryptography instead of a password, which is very secure.
Cons:
Despite being open-source, it’s not really self-hostable.
You have to use the mobile app. This is the biggest drawback to me.
There is a web interface, but you log into it by scanning a QR code with the mobile app, and it has far less functionality. I’ve never really used it outside of looking at it once.
It does use cloud functionality, and I don’t think you can disable it. The data sent to their servers is almost entirely end-to-end encrypted, and the reason it’s done is to make connecting to the box from the app (and sending notifications from the box to the app) much more reliable, so I get it, but… Definitely worth reading https://help.firewalla.com/hc/en-us/articles/360012760073-Questions-related-to-privacy-and-data-visibility
On another note, having used Open-WRT and OPNsense, I actually suspect OPNsense might be a bit easier to use. The web control panel will definitely look overwhelming at first glance, but the flip side is that you can do everything via the GUI, which is nice. I feel like Open-WRT requires a lot more “Linux experience” with the command line. I like both Open-WRT and OPNsense a lot, but if I were buying new hardware I would probably choose to use OPNsense, and I would use Open-WRT for retrofitting old/existing routers.
An option you perhaps haven’t considered is the Turris Omnia, and maybe @anon30510143 could be interested in chiming in a bit more about that. It’s Open-WRT, but they’ve also built their own web interface that makes management easier, and the company that makes it is a legit networking organization, so I don’t think they’re messing around.
I don’t have much to say about it other than it’s very set-and-forget, and it has a simplified interface and the classic OpenWRT interface, depending on what you want. It has some interesting features, like setting up a honeypot that lets you see what tries to connect to you. I just really like how easy it is; you could give it to your grandma and not have to worry about it.
Thank you both a lot for your commentary! This has really helped narrow down the direction I should go. Really appreciate your work here (and, more broadly, on the excellent PG site).