How to secure my router / network as much as possible? (Or do I need to use pfSense?)

I’m trying to setup a homelab to self host, and I keep hearing about people recommending pfSense for security. I thought my AX1800 is a pretty good router already, do I really need to upgrade to a pfSense? What can I do achieve maximum security without having to buy another piece of hardware to run pfSense?

(Side note, I’m building a box using the N5105 board anyway. Could I slap pfSense on there? If so, will the AX1800 become nothing but a WiFi radio?)

What kind of security do you have in mind?

If your home have many devices like children or teens using devices then yes you need pfsense. Image you are making self host like school or library. But your router will be access mode which not control in router.

Hmm well your router should be super secure :+1:

Well sort off, the flint uses either qsdk (qualcom sdk a very old fork of OpenWrt) which uses a very old kernel but with the exception gl-inet also backports security patches, or openwifi sdk which is more updated which is since gl firmware 4.x.x came out.

When it comes down to security you have to wonder what you imply for Security :+1:

The firewall is very secure, like any firewall it only allows traffic from source to destination, this automaticly allows the destination to talk back on the same line.

The firewall does not allow the destination to talk first only if you portforwarded it, this means its very secure.

For wireless i think this is also secure, because OpenWrt also adds also a few cisco stuff into it, and some minor fixes for eapol frames its often more higher standard vs normal routers, please google 802.11W, but wifi is never foolproof in security this means the protocol can still be unsafe.

From my experience alot of these OEM routers run even older aged firmware like qsdk, i’d rather call these insecure. :wink:

A router is a router, not a next-gen firewall.
In my opinion, the router should be “secure” in that it cannot be accessed from outside and SSH has been secured with a key.

All the rest is a gimmick.
Yes, you can protect DNS with various options, yes you can use a VPN. But that’s all just an “add-on”.

If you want to be secure, there’s no getting around a real firewall. (And instead of pfSense, you should use opnSense - at least it doesn’t look like it’s from the 80s) - security comes from good planning, the sensible use of features and, above all, expertise.

Edit: A firewall is only a part of it security. You need hardened systems as well. And antivirus (at least if you use Windows) and and and…

1 Like

This is true, if the appliance was for pure firewalling which a router cannot do like using big systems like snort which require more powerfull hardware, i would recommend pfsense too.

But if OP question was if OpenWrt is secure in just a router setting with a basic firewall, it can be fine aswell.

It really depends the direction the OP wants :wink:

I use pfSense on a Protectli mini pc appliance with a Deco mesh WiFi system for my main location, and a Slate AXT1800 at another location. Both are configured to run an openvpn server and for Adguard DNS over DOH. Both are secure. Neither were straightforward to install dnscrypt for DoH. Slate was easier to configure out of the box especially due to the gl-iNet admin interface. IMO openwrt is optimized for WiFi appliances and pfSense is optimized to run in virtual machines and PCs. Google will show a lot of comparisons. AFAIK pfSense does not support newer WiFi specs so you almost have to use separate WiFi Access Point for decent WiFi.

1 Like

It’s totally fine to run opnSense on VMs or PCs. Did it often, even in business environments.

What in the good Hell are you talking about? pfSense isn’t needed for SOHO.

FYI: OpenWrt hs selinux enabled packages so really I’d think your question is really along the lines of how secure to you want it?

I’d heavily consider flashing ‘pure’/stock OWRT for full access to their feeds/ecosystem. The Slate AX has a near fully stock OWRT image/build by @solidus1983. It’ll save you aggravation in the long run. You can always flash back to GL GUI regardless.

Don’t think of your Slate AX as a mere Wi-Fi enable router; use it for what it is: an embedded Linux system running ARM instead of x86.

GL firmware 4.4.6-r1 vs stock:

root@slateax:~# cat /etc/openwrt_release | head -n 2
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='21.02-SNAPSHOT'
root@slateax:~# uname -a
Linux slateax 4.4.60 #0 SMP PREEMPT Fri Sep 8 06:17:16 2023 armv7l GNU/Linux
root@owrt-23-05-x64-vm:~# cat /etc/openwrt_release | head -n 2
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='23.05.2'
root@owrt-23-05-x64-vm:~# uname -a
Linux owrt-23-05-x64-vm 5.15.137 #0 SMP Tue Nov 14 13:38:11 2023 x86_64 GNU/Linux
root@owrt-23-05-x64-vm:~# opkg list | grep selinux | head -n 5
busybox-selinux - 1.36.1-1 - Core utilities for embedded Linux with SELinux support
f2fs-tools-selinux - 1.16.0-1 - Tools for Flash-Friendly File System (F2FS) with SELinux support
f2fsck-selinux - 1.16.0-1 - Utility for checking/repairing a Flash-Friendly File System (F2FS) with SELinux support
libdevmapper-selinux - 1.02.196 - The device-mapper is a component of the 2.6 linux kernel that supports logical volume management. It is required by LVM2 and EVMS. This variant supports SELinux
libf2fs-selinux6 - 1.16.0-1 - Library for Flash-Friendly File System (F2FS) tools with SELinux support

1 Like

GL’s builds have a dated version in their feeds & their GUI is built around it. I’ve been on their case about DOT, DOH, ODOH needing updating/expanded capabilities. We’ll have to see & wait if we ever get dnscrypt-proxy2 without dropping to SSH.

OWRT devices can support onboard NVME drives & people use it as a bare metal host for Docker.

You can also run OWRT in a VM.

1 Like