Full disclosure: I work in the wired and wireless networking industry, mostly focused on technical proof of concept demos of enterprise wired, wireless, and network access security (802.1x, RADIUS, NAC, etc.).
I am seeing an industry problem with home internet. I am looking for any advice and hoping that this thread will be beneficial to other power users out there.
Situation: Home internet is now as fast (or faster) as business internet. I upgraded to gigabit because I needed faster upload speeds for uploading files for work. I really hate that I had to go to gigabit to get something over 10Mbps upload speed.
Problem: There does not appear to be any "home" network security appliances (e.g. NextGen Firewall, aka NGFW, Unified Threat Management, aka UTM, Intrusion Detection System, aka IDS, or Intrusion Protection System, aka IPS) that can handle the speed of home internet.
The only devices that I can find that can support gigabit speeds for UTM/IDS/IPS cost thousands of dollars because they are designed for businesses with hundreds of users connected. I recently downloaded an app called Little Snitch, which does a great job of telling me where all my traffic is going. Let me tell you, it was no fun to see cookie readers connecting into Chrome from China, when I didn't have any websites open!
Am I just being overly paranoid? What are others out there doing? I have way too many IoT devices on my network to rely on software installed on my computers. I currently have about 64 devices on my network (wired and wireless). Over 50% of those are IoT devices (Alexa, security cameras, thermostats, TVs, AppleTVs, and other home automation devices.
Solved! Go to Solution.
I went back to my Apple Airport Extreme 6th Gen, because for some reason this router doesn't seem to be as vulnerable to the more recent series of exploits (especially the DNS rebinding and spoofing ones). I don't have any issues getting gigabit speeds on my Ethernet either.
At some point I might segment my LAN by putting the IoT devices into their own subnet (thereby keeping my more sensitive devices out of reach of my more vulnerable IoT ones) but right now I don't see the need to.
What about customized firmware like DD-WRT or Tomato? I know those boost the capabilities of some consumer grade routers, but I'm not an expert so I can't say for sure.
Unfortunately, Tomato, DD-WRT, nor OpenWRT actually perform UTM/IDS/IPS duties.
<rant>It really grinds my gears that our consumer industry and ISPs have completely confused the public into thinking that router=wifi. Doing searches for Firewall Throughput for home, results in wifi throughput tests. </rant>
That's too bad, I thought maybe one of them would have that option.
Then again, most people can't tell the difference between modem, router, and gateway either.
I think I am just going to have to deal with PFSense. I'm going to put it on an older Intel NUC that I have. I found some USB Ethernet adapters (USB 3.0 gigabit) that reviewers say work with PF and FreeBSD. Grabbed 2 and will LACP them to my switch, using the internal ethernet on the NUC for the connection to the modem. Hopefully that will solve the boot up issues. Management and filtering will still be a pain though.
To be fair to pfSense, if you're not getting the throughput you'd like for a given config (lots of firewall rules, IDS/IPS like Suricata or Snort, proxies, etc.) you're likely not running on sufficient hardware. Running on an old NUC, especially using USB NICs, will certainly not be enough to achieve gigabit throughput. Idk what you're budget is, but Supermicro makes boards that are suitable or just buy a device directly from Netgate.
Just to close out this thread, I went with the Synology RT2600AC. Once you add a fast USB3 thumb drive to the side (not rear) USB3 port, you can format it (EXT4) and enable their Threat Prevention.
I went with the Patriot Supersonic Rage 2 USB3.
This system has no problem with gig speeds even with Threat Prevention turned on. The automatic classification seems to work well, but you can also manually classify the things that it finds.
Year old dead thread now being closed.