Question Hardware firewalls? What are the better and affordable options?

sidpost

Commendable
Aug 5, 2020
I am running Internet fiber at home and need to add some protection to my network besides unplugging my NAS when I don't need it, as I am starting to travel more than during COVID. I have reasonable protection on each of my 'main hardware devices' but, with the proliferation of IoT and other stuff, it is time to up my control of inbound and outbound traffic and threats.

I am leery of running old corporate HW firewalls of various types commonly seen on eBay and other places, and I don't want to get into heavy 'service' contracts.

What are my better options?

TIA,
Sid
 
So one of the more common ways to do this in a home network is to just use a second router. The simple NAT function pretty much protects you because it is stupid.

What you would do is put all the stuff you don't care about on the main network that has the internet router. Then take a second router and plug the WAN port into the main router. You would then place everything you want secure behind the second router. You could still, for example, take a PC that is behind the second router and print to a printer on the main network, but a device on the main network cannot talk to your stuff on your second network for the same reason someone on the internet cannot get to your home servers.

The main issue you are going to have with any firewall is the massive amount of CPU power it takes when you have a very fast internet connection. If you read the specs on commercial firewalls, most tell you the maximum data rates based on what you are doing. There is, say, a huge difference between running a VPN and just blocking lists of IP addresses.

Consumer routers had this issue just passing traffic on large internet connections because of the small CPU. Almost all routers now use a hardware NAT function that bypasses the CPU. The downside is that any function that needs the CPU chip to see the data, like a firewall filter, now causes this hardware to be disabled. You will cap speed out on most routers at about 300 Mbps just for turning on the firewall with no rules.

Commercial firewalls also have various forms of hardware accelerators; some, for example, do encryption.

You can look at using a small PC with one of the many Unix-based firewall options.

What I would do first is try to find a way to break your devices into different networks behind different routers. You are going to, in effect, have to do that anyway with a firewall.
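The two-router isolation described in the reply above, modelled as an added example (not code from this thread): the inner router keeps a state table of flows that inner hosts opened, masquerades them behind its WAN address, and drops anything arriving from the main network that does not match a tracked flow. The `SecondRouter` class, the addresses and the one-port-per-flow mapping are constructed for illustration; a real router also handles port collisions and timeouts, which are omitted here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "wan" (main network side) or "lan" (inner side)
    src: str
    sport: int
    dst: str
    dport: int


class SecondRouter:
    """Stateful NAT forwarding of the inner router (simplified model, constructed for this example)."""

    def __init__(self, wan_ip: str):
        self.wan_ip = wan_ip
        # (wan_port, remote_ip, remote_port) -> (inner_ip, inner_port); the conntrack table
        self.table = {}

    def forward(self, pkt: Packet):
        """Return (verdict, translated_packet). Inbound traffic is accepted only when it is
        the reply to a flow an inner host opened; everything else from the main network is dropped."""
        if pkt.iface == "lan":
            # Outbound flow from the inner network: record it and rewrite the source to the WAN address.
            # Simplification: the inner source port is reused as the WAN port (no collision handling).
            self.table[(pkt.sport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            return "accept", Packet("wan", self.wan_ip, pkt.sport, pkt.dst, pkt.dport)

        inner = self.table.get((pkt.dport, pkt.src, pkt.sport))
        if pkt.dst == self.wan_ip and inner is not None:
            # Reply to a tracked flow (ct state established): translate back to the inner host.
            return "accept", Packet("lan", pkt.src, pkt.sport, inner[0], inner[1])

        # New connection attempt from the main network: no state, no forwarding rule, dropped.
        return "drop", None


if __name__ == "__main__":
    router = SecondRouter("192.168.1.50")              # inner router's address on the main network
    # Inner PC prints to a printer on the main network: allowed, and the reply comes back.
    print(router.forward(Packet("lan", "10.0.0.10", 40000, "192.168.1.20", 9100)))
    print(router.forward(Packet("wan", "192.168.1.20", 9100, "192.168.1.50", 40000)))
    # A device on the main network tries to reach the NAS on the inner network: dropped.
    print(router.forward(Packet("wan", "192.168.1.77", 5555, "192.168.1.50", 445)))
```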
 