Hardware Firewall for secure home network

Marco_63

Aug 4, 2017
Hello everybody

I have the following situation:
- FritzBox 7490 (from my internet provider)
- Old customized firmware from my provider, no upgrade planned
- No option to buy a new router I could use to connect into the internet (provider specific changes)
- Other internet providers in Switzerland also have their own customized routers
- I have configured my home network with several computers, printers and some other devices (all based on FritzBox)
- I also use WLAN from the FritzBox, additionally I have coupled a NetGear router to enhance the WLAN

Because of the (in my opinion) unacceptable situation that I am forced to use old firmware, I am thinking about changing my hardware setup. I am looking for an affordable hardware router which allows me to set up my home network and gets regular updates.
I cannot remove the FritzBox but I can add the firewall between the router and my network. I had a look at Fortinet and Zyxel routers, but it seems they all have yearly costs which are quite expensive for personal use.

Any ideas or recommendations?

Thanks for some help
Best Regards
Marco
 
Why do you need a firewall in the first place? That will determine what type you need and the features.

Simple NAT that is on every consumer router will prevent any attack against your internal machines just because NAT is stupid. Pretty much you only need a firewall if you have a server exposed to the internet that you wish to provide more security for. The only other use is if you needed to somehow restrict the internal machines from accessing the internet. Things like content filter subscriptions are kinda expensive.
 
Let's put it this way: I have seen that FritzBox has meanwhile had several security updates and none of them is installed on my router, because my provider does not support it (updates are blocked). In general I agree that nearly every router should protect you against attacks, but it's also no secret that a lot of them react slowly to security issues and maybe, with some luck, you get the updates 1 year later.
In my situation I cannot even install them. I have contacted my provider and asked if they are aware of the fact that the firmware is that old... they don't care. FritzBox is bringing out regular updates, which would be enough for me. I also asked what happens if I buy my own FritzBox:
Buying other routers is at my own risk; it is possible that I cannot connect to the internet.

That's the story of why I don't want to wait for any updates I get from my provider. That's also the reason why I don't trust the security of common routers.
To answer your question: I don't have a server here in my home network to protect.

I have researched more about suitable hardware. What is the opinion about pfSense?
I have found a list of supported hardware here: https://www.pfsense.org/products/
 
pfSense will work fine but making things overly complex actually decreases the security in some ways. You have many more places to make a mistake in your configuration.

NAT is so simple you are not going to find bugs in it. If you do not port forward any port then all traffic is blocked except traffic that is returning to machines that requested it from inside your network. This is the same as a block-all-IP-traffic rule in a firewall, you can't get much more secure.

But if it makes you feel more secure then I suppose you can put in an actual firewall; just make sure you disable all the extra features you are not using.
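The behaviour described in the reply above, as an added example that is not part of the original thread: a toy model of a NAT session table showing which inbound packets reach the LAN with and without a port forward. The class, the addresses and the address-and-port-dependent filtering are assumptions made for illustration; the model covers only packets passed through to the LAN, not services running on the router itself.

```python
from dataclasses import dataclass, field


@dataclass
class NatRouter:
    """Toy NAT model (constructed; assumes address-and-port-dependent filtering)."""
    next_port: int = 40000
    # (wan_port, remote_ip, remote_port) -> (lan_ip, lan_port), built by outbound traffic
    sessions: dict = field(default_factory=dict)
    # wan_port -> (lan_ip, lan_port), static port forwards set by the admin
    forwards: dict = field(default_factory=dict)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection: allocate a WAN port and record the session."""
        wan_port = self.next_port
        self.next_port += 1
        self.sessions[(wan_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return wan_port

    def inbound(self, remote_ip, remote_port, wan_port):
        """A packet arrives from the internet: return the LAN target, or None to drop."""
        session = self.sessions.get((wan_port, remote_ip, remote_port))
        if session is not None:
            return session                  # reply to a connection started inside
        return self.forwards.get(wan_port)  # None unless this port is forwarded


def demo():
    """Run four constructed inbound packets through the model (documentation IPs)."""
    nat = NatRouter()
    pc = ("192.168.178.20", 51000)
    wan_port = nat.outbound(*pc, "198.51.100.5", 443)
    results = {
        "reply": nat.inbound("198.51.100.5", 443, wan_port),
        "other_host": nat.inbound("198.51.100.99", 443, wan_port),
        "unsolicited": nat.inbound("198.51.100.99", 50000, 22),
    }
    nat.forwards[22] = ("192.168.178.30", 22)  # one port forward changes the outcome
    results["after_forward"] = nat.inbound("198.51.100.99", 50000, 22)
    return results


if __name__ == "__main__":
    for name, target in demo().items():
        print(f"{name:14} -> {target or 'DROP'}")
```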
 
Do you know an alternative to pfSense which is easier to configure? In fact I have an IT background, but I am not a firewall expert, my focus is software. So at least I know the concepts and consequences and if I don't know something, I can learn it quickly and close the gap.

I am open to any solutions, but I prefer a hardware firewall instead of a computer variation. I have also seen some articles about Raspberry Pi and Intel NUC devices, but they didn't convince me.
 
