Privacy and security oriented router?

Hello community,
while I was watching Naomi Brokwells video addressing routers I was introduced to https://eu.protectli.com/. The company producdes a product called the Vault which is a small form factor PC built for use as a firewall / router. The one downside of the product is the pricing tag it carries vs an average user how’s not willing to spend that much. Which router would you recommed for use with the already recommended router firmware ? What kind of network setup would be best depending on each threat model ? What are the features a newbie should be looking for, when purchasing a router?
These questions seem to be unaswered in the privacy guides so why not address them all.
Tnx

We’re evaluating some options regarding this. It’s come up in Securing Home Network - Questions - Privacy Guides previously. I’ve also written about it in Investigate router platforms · Issue #1864 · privacyguides/privacyguides.org · GitHub.

Currently I have an OPNSense appliance.

If I’m being honest, I’m not really a fan of this. I think users should not run persistent services, or store private data on a border firewall device.

I have heard of Protectli before, and we could add it to our evaluation listing.

1 Like

Not sure I follow you on this. Said protectli devices can be used as a general purpose PC, but their use is marketed as being dedicated devices for routing & firewall.

I have the Protectli FW6D, and they are kinda expensive, but I think they are worth the price.

It runs coreboot firmware, you can use then with pfSense, OPNsense, or IPFire. It’s also able to run the ESXi hypervisor out-of-the-box, which give you a lot of options to use it as a firewall+router+server combo.

If you want a cheaper option, then you can get APU2 from PC Engines. It also runs coreboot and can use the same firewall software, but the cheaper price also means less powerful hardware.

I was using the APU2 before I upgraded to the FW6D, when I upgraded my internet connection to 1gbps the APU2 really started to struggle.

1 Like

The point is if they were being responsible they would not market those devices with that featureset.

I do not suggest this for security reasons. Software always has bugs and works unexpectedly.

The idea of a hypervisor, (docker, libvirtd, esxi, etc) all modify iptables to do NATing between VMs/containers. Modifying the rules that manage global external access to your network is a terrible idea.

While I recognize saving money might be something you may wish to do, this isn’t one of the places where you would do that.

Use two distinct devices, a firewall, at your border, and a device (server) behind that is the best model.

It will make networking a lot easier to secure (and comprehend) and a lot less complex, with less risk for mistakes, especially if you start throwing VLANs in there to break up the network and segregate portions of it.

It also means should you have some problems with your server, that won’t bring down your entire network, preventing you from searching for solutions.

That’s not how it works, and you are not running pfSense in a docker container.

Running pfSense in ESXi as the edge firewall is pretty standard, and there is no security issue with doing that.

There is no difference better doing this virtually and doing it bare-metal.

It’s not about it being run in bare metal, it’s about encouraging users to run containers or VMs that do other things in addition to that on a security appliance.

The reason these appliances market running ESXi, or VMs or containers, is not because of security, but rather convenience. There is little benefit to running the firewall in a hypervisor. If you look at any of their docs, its all about running some crappy media center on it too.

Unless the firewall is there is always a risk there may be direct access to one of the guests. You could probably get away with it internally on your network, as a second firewall. I wouldn’t personally do it where you’ve got globally unique addressable space. Mistakes do happen.

Don’t really know what to say, it sounds like you don’t understand the difference between type 1 and type 2 hypervisors.

There is a difference between using docker containers and running virtual server infrastructure.

I know the difference between a type 1 hypervisor, like xen, esxi, kvm and container tech like docker. My point is they don’t belong on a border firewall. The only reason people and these companies encourage it is because they are trying to turn them into some sort of small mini-server as opposed to having distinctly different devices, with different network boundaries.

What I’m saying is there’s basically minimal benefit in running a firewall on bare metal as opposed to virtualizing it. (One could argue there might even be a performance hit). At the end of the day packets go through the host anyway. The Firewalla device specifically using docker on it which is a terrible idea, as things like docker, kvm, etc have a habit of automatically modifying your firewall rulesets.

You may think certain parts of your network are closed, and then they are suddenly not.

It’s only when you throw other services that have no place being on a border security device that you increase the surface area and therefore increase the need for that kind of separation. All in all, it makes the job of the appliance more complex.

I’m specifically saying it’s possible to run ESXi, a type 1 hypervisor.

You keep brining up type 2 hypervisors, talking about the attack surface of services running in the firewall.

I’m talking about multiple isolated hosts running on the same CPU, you are talking about multiple containers running in the same Linux system.

Because that is typically what these “consumer grade” router products tout as a feature (which is what was mentioned in this thread), when OP mentioned the Vault.

Well KVM isn’t a container, the point is those things do modify the host’s rulesets anyway, that’s how guest NATing, is achieved.

Installing something like ESXi on the router also means the processor and RAM requirements need to be needlessly overkill for the bandwidth that is actually being processed, which drives up cost. Still better off having two separate devices, a router, (sized appropriately for the load) and a server (which can be expanded and include appropriate data storage etc).

About the only place that makes sense to virtualize a router, is when you’re building an entire virtual network, or using it remotely in a datacentre or something like that.

Then there’s options like “Forbidden Router”, in the below series. Nobody said that was a good idea in practice.

You clearly have no idea how overkill something like the FW6D, which I specifically mentioned was the model I own, is for most home networks.

I run 2 tor relays, transmission server, plus a lot of other services, the firewall throughput is on average around 500mbps with around 35000 concurrent connections.

The CPU is rarely above 25% and that is with running Suricata on some of my networks.

For around $1000 you can get it with 32 GB memory and 1 TB SSD storage, install ESXi and run pfSense virtually with a couple of servers, and there is zero security risk in doing this.

People do this because it save them money by not having to buy a second server, and it also saves you money on electricity.

It’s not going to replace a homelab server, but it’s more than enough if you just want to run something like a private Nextcloud, etc.

It also costs a fair bit more than it needs to as OP mentioned.

My point was more about human error in configuration. People make mistakes.

If you’re genuinely interested in self hosting things, then you should be interested in doing it in a way where you’re not building a single failure point to your whole network. Any issues are likely to annoy anyone else in your household, in addition to that be an annoyance when you least want them to be.

Self hosting will always be an enthusiast area. From a economics point of view, its always going to be cheaper to pay someone else to do it, and share that cost with other customers. If the product supports E2EE (or an alternative can be found that does) then there’s little to gain from self hosting it, on top of that you’ll get high availability which is quite costly for a non-professional user.

It will certainly cost you more in time when something goes wrong and you have to “fix it”.

You could always use an old computer for your server, (if you have one) which would technically mean you wouldn’t be “buying a server”.

1 Like