Securing Home Network

Is this router also a modem? I.e., does it provide xDSL service? Or do you have a fibre termination device?

If you need the TP-Link for its DSL capabilities, then I would suggest setting it up so that it is in “bridge mode” and getting another router behind that. In this configuration your TP-Link is turned into a “dumb modem”. The routing is done by the router behind that, as is all the firewalling. The external IP address from your ISP is associated with one of the interfaces on your new router.

As for options there, the offering from Turris is often talked about, as is GL.iNet. I have not used either of these as I personally have one of the OPNsense appliances. In this other thread we were talking about Firewalla, which could be okay, as long as you don’t load the device up to be some kind of “mini server”.

There are two ways I can think of doing it. The first and likely easiest is to have AdGuard running on a standalone device, like a Raspberry Pi, or something like that. What would happen then is your router would issue out the IP address of your local DNS resolver to the clients on your network.

Some of the above routers suggested may have packages that help you set this up.

If you’re using ProtonVPN or Mullvad, use their DNS servers. ProtonVPN has their NetShield, which includes many of these lists, as do the Mullvad apps.

As for securing, I’ve changed passwords for admin console and the router, and I give out guest wifi to the other people in the house which I don’t believe have the best privacy setup. What else can I do?

It may be that this “guest” feature automatically segregates the network into separate VLANs but hides that from the operator (in this case you). The older TP-Link devices I have don’t have this option.

VLANs are a common networking feature that allows you to segregate networks by tagging packets as they enter a switch, or exit a computer’s network interface. With these tags you can apply firewall rules that prevent devices on one network from accessing those on another.

Typically we would use a VLAN to segregate wifi guests, IoT devices, and if we’re routing over a VPN maybe certain clients are routed out via a VPN selectively.

I’m planning on writing an OPNsense guide for Setting up PIA VPN on pfSense for your whole network and Configuring Selective Routing - Lawrence Technology Services at some point.

The reason is that we often do not want to use a VPN all the time. On my network, depending on the network switch port, or WiFi network you connect to, the router decides whether to route you over the VPN or not.

It’s all good, we’re always learning, and we welcome new people to our community.

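The VLAN tagging and inter-VLAN filtering described in the post above, sketched in Python as an added example (not part of the original post and not any router's own code). The VLAN IDs, the policy table and all function names are assumptions made for illustration.

```python
import struct

# Constructed VLAN IDs for illustration (assumptions, not from the post).
VLAN_LAN, VLAN_GUEST, VLAN_IOT = 10, 20, 30
TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q-tagged frame

# New connections permitted between segments as (source, destination).
# Anything not listed is dropped (default deny); a stateful firewall
# would still let replies to an allowed connection back through.
ALLOWED = {(VLAN_LAN, VLAN_GUEST), (VLAN_LAN, VLAN_IOT)}

def tag_frame(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the two MAC addresses."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    tci = (priority << 13) | vlan_id  # 3-bit priority, 1-bit DEI, 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def vlan_of(frame: bytes, native_vlan: int = 1) -> int:
    """Return the frame's VLAN ID; untagged frames get the port's native VLAN."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return native_vlan
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits carry the VLAN ID

def may_forward(src_vlan: int, dst_vlan: int) -> bool:
    """Routing decision between segments; same-VLAN traffic never hits the firewall."""
    return src_vlan == dst_vlan or (src_vlan, dst_vlan) in ALLOWED

def sample_frame() -> bytes:
    """Constructed untagged IPv4 frame with locally administered MACs."""
    dst = bytes.fromhex("020000000002")
    src = bytes.fromhex("020000000001")
    return dst + src + struct.pack("!H", 0x0800) + b"\x00" * 46

if __name__ == "__main__":
    guest = tag_frame(sample_frame(), VLAN_GUEST)
    print("frame VLAN:", vlan_of(guest))
    print("guest -> LAN allowed:", may_forward(vlan_of(guest), VLAN_LAN))
    print("LAN -> guest allowed:", may_forward(VLAN_LAN, vlan_of(guest)))
```
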