Question Network upgrade suggestions

jawsthemeswimming428

Distinguished
Jul 26, 2007
10
0
18,510
I'm starting to research a replacement for a D-Link DIR 890L at my home. We have 100Mb cable internet. It's a pretty simple setup. The cable modem is connected to the DLink. The DLink has 3 devices wired to it (QNAP NAS, eufy security hub, and a pi-hole). Then there's probably 20-30 wireless devices including laptops, tablets, smart speakers, smart outlets, phones, etc. My home is just under 2000sqft and has 2 floors. I currently use a TP-Link wireless extender for the 2nd floor and have had no issues. As my children are getting older (6 and 8), I'm looking for something that has decent parental controls and filtering (on top of the pihole). The 2 options I am most interested in so far are:

1. Firewalla Gold with an AP
2. Synology RT6600ax

Some questions/points:

1. Will there be a noticeable difference in data visibility and/or control? I'm not looking to do anything intense but would like decent parental control and configurability. Also would like the ability to easily control/make changes when away from home.
2. I work in IT, so have a little networking knowledge but it is not my strong point. I'd like something solid that once set up just runs and I can make changes as needed.
3. Need advice on a good, non-cloud connected, AP that won't break the bank. Probably sub $150. I realize the Firewalla Gold/AP option is more expensive but am willing to pay it for a solution that better meets my needs (if it does).
4. Is the Firewalla overkill for my needs and I just want it because it looks/sounds great?
5. Would like the ability to boot a device off the network easily both at home and remote.

Appreciate any information/experiences provided!
 
I am unfamiliar with either of those products but both seem like overkill.

An AP is a really simple device; all it does is connect a router to a remote set of wifi antennas via ethernet. You could likely use your current D-Link as the AP if you replace the router.

Most firewalls and parental controls are pretty much useless nowadays. They still talk about stupid stuff like "deep packet inspection". That is impossible now that almost 100% of web traffic is encrypted. They can't "inspect" anything other than the packet headers.

The last way to try to snoop on traffic is what pihole is doing, but that too is almost completely dead. Pihole is mostly a DNS server, but almost all new devices are going to an encrypted DNS solution. As well as keeping other bad actors and the ISP from snooping on the traffic, it also prevents you from seeing the traffic. DNS encryption is not on by default in Windows...yet. It can be set both in the OS as well as in most browsers. Some phones and tablets have it on by default.

This is actually a good thing, but it does make a parent's job harder.

You can still block access by time, and to some small extent you can block by IP address. Even IP addresses mean little lately; everything is cloud based and all the IPs tend to go back to Cloudflare, Google, Amazon, etc. Servers can have many addresses and even share addresses with other sites.

In general you would only need a firewall if you were trying to protect a server from attack. In a home install just the simple NAT function protects your internal devices since the router is too stupid to know which to send the attacking traffic to and just drops it. When you have a server it is intentionally exposed and needs some extra protection.
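
Added example, not part of any post in this thread: a check for LAN clients whose name resolution goes around a Pi-hole, run over a router flow log. The key=value log format, the addresses and the short resolver list are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: a few well-known public resolvers that also answer DoH on 443.
# Illustrative sample only, not a complete list.
DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Hypothetical key=value flow record format (constructed for this example).
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=\w+ dport=(\d+)")

def classify(src, dst, dport, pihole_ip):
    """Return a bypass label for one flow, or None if it looks fine."""
    if src == pihole_ip:
        return None  # the Pi-hole itself must reach its upstream resolver
    if dport == 53 and dst != pihole_ip:
        return "plain DNS to other resolver"
    if dport == 853:
        return "DNS over TLS"
    if dport == 443 and dst in DOH_RESOLVERS:
        return "probable DNS over HTTPS"
    return None

def find_dns_bypass(lines, pihole_ip):
    """Map each LAN client to the ways it resolved names around the Pi-hole."""
    findings = defaultdict(set)
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue  # skip lines that are not flow records
        src, dst, dport = m.groups()
        label = classify(src, dst, int(dport), pihole_ip)
        if label:
            findings[src].add(label)
    return dict(findings)

# Constructed sample flow log; 192.168.1.2 plays the Pi-hole.
SAMPLE = """\
src=192.168.1.10 dst=192.168.1.2 proto=udp dport=53
src=192.168.1.2 dst=9.9.9.9 proto=udp dport=53
src=192.168.1.23 dst=8.8.8.8 proto=udp dport=53
src=192.168.1.31 dst=1.1.1.1 proto=tcp dport=853
src=192.168.1.31 dst=1.1.1.1 proto=tcp dport=443
src=192.168.1.10 dst=93.184.216.34 proto=tcp dport=443
not a flow record
""".splitlines()

if __name__ == "__main__":
    print(find_dns_bypass(SAMPLE, "192.168.1.2"))
```

DNS over HTTPS to a resolver outside the list looks like ordinary HTTPS in this view, so the check finds only the resolvers it has been told about.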
 

jawsthemeswimming428

Appreciate your opinion and advice. I’m a little confused though. If parental controls and filtering using these methods don’t work anymore how are they selling and using them for this?

Any recommendations on alternate solutions?
 

kanewolf

Titan
Moderator
Selling them and actually doing what you want are two VERY different things. Family friendly DNS can help, but kids older than 10 can work around.
 
Pretty much the encryption has put them out of business; they just want to get as much money as possible before the general user figures it out. Most of what they say is lots of technobabble designed for the uneducated consumer that says if it sounds complex and I don't understand it, it must be good :). Encrypted DNS is still not the default option on many devices, unlike HTTPS, so they can pretend the issue does not exist.

Firewalls have become a much narrower use case. Before things were encrypted there was a lot of demand from say a company that wanted to prevent or monitor their employee usage of the internet. That is pretty much impossible. Even things like proxy servers that companies used can no longer be used because of HTTPS end to end encryption. A proxy would be detected as a man in the middle attack. Firewalls are now mostly used to protect against attacks against servers.

All this pretty much came about because Edward Snowden exposed the US government spying on everyone along with the help of the largest ISP. All the encryption is done to prevent the ISP and the governments from doing it again.
If the government can't snoop on your traffic no home router is going to be able to do it.

The only filtering that works yet is apps loaded on the end device that get to the data before it is encrypted. Unless you really lock the device down, it does not take much to uninstall anything you install.

Not sure what to suggest; kids are smart. I have seen kids as young as 9 or 10 talking about bypassing the school's content restrictions with VPN software.
 

kanewolf

Enterprise organizations with firewalls can force their users to encrypt the traffic with a key that their firewalls can decrypt before re-encrypting and forwarding to the internet. Home users can't do that easily.
 

Ralston18

Titan
Moderator
Per @bill001g :

"Not sure what to suggest; kids are smart. I have seen kids as young as 9 or 10 talking about bypassing the school's content restrictions with VPN software."

And I will add that kids also know about and talk about "other things" that they have heard or learned(?) in any number of ways.

All too easy to sometimes hear and figure out, without direct eavesdropping, what all the giggling etc. is about.....

No one wants kids, grandkids exposed to the dark side of the web. Unfortunately if younger ones are curious about "something" they can and will find a way to see what they want online.

Or know someone who can. Maybe the kids ask an AI - think about that....

Many pre-teens and almost all teens already know far, far more than some books, movies, etc. simply intimate. Just watch how kids react to TV commercials, shows, news stories, and "talking head" discussions that once were very taboo. Kids either do not care or they probably already know....

Firewalls and parental controls are helpful - but only to a point. That is the barrier approach and very appropriate and applicable yet still limited in effectiveness.

Movie ratings are a classic example - just a guide but actually not truly blockable any more. Kids can find almost any movie (or more likely a "selected" movie segment) online with little or no effort via some streaming source.

What then becomes necessary is the "communications approach" which means that adults and children can have open and honest conversations. Especially when the kids ask the uncomfortable questions.

Awkward for sure and lots of discretion and forethought is necessary. If time allows for forethought :eek: .

You know your own kids and can adjust as necessary. Some pre-emptive strike when warranted.

Getting through that awkwardness can go a long way in establishing family communications, comfort, and trust.

Rendering what are generally useless and moot technical protections to simply being a limited form of guardrail.