Does anyone use multiple GL-iNet routers for layered defense at home? In the example below, anything that has incoming connections hangs off Router 1, so even if one of those items gets compromised it can't easily get access to devices behind Router 2. If you're willing to share your setup/use case, I'd just be interested in seeing where people get creative.
Internet <--> Router 1 (Outer) <--> Router 2 (Inner)
Router 1
Devices that might need to be reached from the outside (such as a game console that needs inbound connection or a server you are running)
Devices at home that don't need to access anything on your "internal" network (for example a smart tv that just needs internet)
Doesn't make sense, since the firewall on the GL isn't anything special - just stateful inspection, which does not provide any special security capabilities.
Going with a guest network or VLAN will do the same thing and save you one router.
Always done that way, professional (data center) setup, and at home or for private spaces.
But avoiding single brand chains.
At home the budget is limited, so one brand will do, but still the first router (ISP router/gateway) splits the DMZ from the home network. The DMZ has only a VPN server as the reachable VPN hub (no access to the home network). The home network has edge routers (failover). That home network is split into multiple VLANs.
All routers do NAT and have a FW set, blocking all WAN-initiated connections except VPN to the VPN hub. A GL-iNet router is only an (untagged) client device in some VLAN of the home network.
Some discussion about how to protect the LAN alone: everything from restrictions on IPs and names to using VLANs.
A large building might be using VLANs where they might have the blue team on VLAN 101 and the red team on 102, for example, using encryption.
If the router gets compromised, then all that work is moot.
If you like the idea of a physical separated DMZ zone I guess.
I wasn't using my old AR750S Slate router for anything, so I am currently using it as an outside border router, since it has gigabit Ethernet ports and needs less than 6 W of power, which almost any USB port can provide instead of using a power brick. My MT6000 Flint 2 is behind it as my inside router.
I just needed one more Ethernet port for an additional home security system since I was out of Ethernet ports on my Flint 2 for my other primary home devices, and the managed mini-switch with its power brick that I had the security system’s Ethernet connected to was costing me too much UPS power during power outages compared to using the AR750S connected to the Flint 2’s USB port for power instead.
The question is: why do you want a layered defense of dual NAT/firewall?
Won't that complicate things more?
You can use VLANs, but this is not supported by the GL UI; you can do it in LuCI, however. Depending on the router and its firmware, the router uses either swconfig or DSA, but it cannot have both. You can check this in LuCI: under Network, is there a Switch tab? And under Network -> Interfaces, is there a Devices tab? If both exist, then it might become problematic.
I took note of a few firmwares having this on the Flint 1, for example; on that one I'm afraid you will get issues, but it might be possible with DSA, as I have done this in the past. Don't bother with swconfig.
One of the benefits of VLANs is:
encapsulation, to be more precise: you could indeed have a complicated setup with multiple NAT firewalls (i.e. routers), but sometimes you want such a device on your main network and that is not possible due to area limitations. VLANs push your device as if it were on your first router, and it can be managed like that; this can also take away a dual-NAT scenario.
In my use case I have one 20-meter wire carrying multiple VLANs, and I use a managed switch to propagate the VLANs further into the areas of my flat. All devices can be managed via this router connected on the 20-meter wire, and I use firewall zones isolated from each other, kind of like small isolated islands per device brand/type. I also use Proxmox on a NUC, which virtualizes VMs on a proxmox VLAN and a proxmox_vpn VLAN as a DHCP client, so these VMs also appear as if they were real physical devices.
Of course one could complain about the single point of failure, but that is what a professional would do; I just didn't want to make more holes in the walls since it is a rented apartment.
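Added example (not from any poster above): what the "isolated islands" VLAN-per-zone setup from the last post, and the "block all WAN-initiated connections except VPN" rule from the DMZ post, look like as OpenWrt UCI config on a DSA-based GL-iNet firmware. Everything concrete here is an assumption for illustration: the port names lan1/lan2/lan3, VLAN IDs 10 and 20, the 192.168.10.0/24 and 192.168.20.0/24 subnets, the zone names, and WireGuard on UDP 51820. As the post says, the GL UI does not manage these VLANs, so this is edited in LuCI or directly in /etc/config/.

```uci
# /etc/config/network (excerpt) -- assumed DSA bridge on lan1..lan3

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

# lan1 is the single long wire to the managed switch: tagged for both VLANs.
# lan2 / lan3 are untagged access ports (u = untagged, * = PVID) per island.
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:t'
	list ports 'lan2:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan1:t'
	list ports 'lan3:u*'

config interface 'iot'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

config interface 'proxmox'
	option device 'br-lan.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

# /etc/config/firewall (excerpt)

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# One zone per island. forward=REJECT means no island-to-island traffic;
# input=REJECT means the router itself only answers what the rules below allow.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'proxmox'
	list network 'proxmox'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Islands may reach the internet, and nothing else.
config forwarding
	option src 'iot'
	option dest 'wan'

config forwarding
	option src 'proxmox'
	option dest 'wan'

# Islands still need DHCP and DNS from the router.
config rule
	option name 'Allow-DHCP-DNS-islands'
	list src 'iot'
	list src 'proxmox'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'

# The only WAN-initiated traffic accepted: the VPN hub itself (assumed WireGuard).
config rule
	option name 'Allow-WireGuard-WAN'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'
```

After editing, `/etc/init.d/network reload` and `/etc/init.d/firewall reload` apply the change; on an fw4-based build, `fw4 print` shows the generated nftables rules, so you can confirm there is no forward chain between the island zones and that the WAN input chain accepts only UDP 51820. A management VLAN that is allowed to forward into the islands (as the post describes doing from the router) would be a third zone with `config forwarding` entries from it to `iot` and `proxmox`, never the other way round.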