user539 A Protectli box with coreboot firmware if you want new stuff and also the possibility to do other things on it. If you do not have any special demands regarding speed and have a tight budget, even an older TP-Link Archer does just fine. Just check around on the OpenWrt table of hardware for any router, check reviews etc. and what fits your needs. Then check if you need special installation methods. Any consumer router with the latest OpenWrt version will be way better than most consumer or ISP-provided boxes. Keep it updated by using Attended Sysupgrade.

I too vouch for OpenWrt. I use it with Protectli with coreboot. I just hope that 2.5 Gbit ports will be enough long term, as it seems like a solid device. This is my only concern with Protectli.

In terms of OpenWrt, it's not that difficult to use. Just allocate a day or two for setup and for reading docs and you are good. I had no problems with it. I managed to set up ad blocking and VPN on the router itself.

  • Use WPA3 and disable everything else if possible
  • Keep the AP (or router) patched
  • Keep connected clients patched (Wi-Fi driver and firmware etc.)
  • Don't connect IoT devices to your network; they let the bad guys in

TheGodfather

Just adding to this: if you are looking on Amazon.com, GL.iNet has a direct website for those of us who prefer not to support Amazon and prefer to buy directly from the manufacturer. The URL for their homepage is:

https://store.gl-inet.com/

task210 Do you guys have some suggestions for better Wifi security?

I just want to take the opportunity to present a possible other perspective, which may or may not make sense to you and your use case.

I treat my home Wifi as being part of the untrusted internet, and take no action to protect it at all. Heck, I have the router I got from my ISP and totally assume they spy on all traffic passing it. My security boundary does not start with my home network, but on my devices. Everything outside my devices is untrusted.

    ryrona I treat my home Wifi as being part of the untrusted internet, and take no action to protect it at all. Heck, I have the router I got from my ISP and totally assume they spy on all traffic passing it. My security boundary does not start with my home network, but on my devices. Everything outside my devices is untrusted.

    This only works for some device types, for example smartphones and laptops, and even then it makes sense to have an additional layer of protection. For example, Fedora Workstation used to have (still has?) a default firewall zone which allowed incoming traffic on all ports above 1024, and that's something users might not realize early enough to change. If you have IoT devices, like smart TVs, robot vacuum cleaners and network printers, these often can't get properly locked down and might not get security updates anymore. In this case it makes a lot of sense to try to keep your home network safe, with different firewall zones to isolate these devices as much as possible.

    Hello,
    I would like to follow the general advice of setting up a specific VLAN for IoT devices, ... but how should I do it? How do you set up that VLAN? I can connect the wireless IoT devices to the guest LAN, and that is fine, but my TV is wired and I want to keep it that way, since I often turn off the Wi-Fi for power saving (Wi-Fi is a huge power consumer).
    I have a consumer ISP router and a server with AdGuardHome acting as DHCP server. How would you guys go about setting up the VLAN? Do you have any tutorial to recommend?

      Eirikr70 Your router has to support it in the first place. You should look through the settings to find out if there is any reference to VLAN; if it's an ISP router, chances are it doesn't offer such functionality.

        splattergames No, it doesn't. I suppose that it is feasible on my Debian server, but I don't know how to. Gonna look if I find a good tutorial.
        EDIT: my router has a DMZ. Is that where I should put the IoT devices?

          Eirikr70 Your router needs to support VLAN; in your case I would suggest using your ISP router as a modem only and getting yourself a capable router, best case something running OpenWrt (or capable of running it). The Debian server can't take over such functionality. The DMZ won't really help with IoT devices; it's really designed for public-facing servers. I suggest you read up on network technology, because I see a looot of questions coming that have already been answered by much more competent people than me 😄

            splattergames I would suggest to use your ISP router as a modem only

            @Eirikr70
            In case it's possible to access the modem's configuration, I strongly suggest not only ignoring the ISP Wi-Fi, but actually disabling it. Even better, if it's possible, set the modem to bridge-only mode.

            For the VLAN, you need a smart or managed switch. Some Wi-Fi devices have integrated switches. OpenWrt even has builds for some standalone switches, but only a limited number of them.
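As an added illustration of what the posts above describe (not configuration from any poster in this thread), here is how the wired-TV-on-its-own-VLAN setup looks on an OpenWrt router with a DSA-style switch (OpenWrt 21.02 or later). Everything below is an assumption for the sake of the example: port names lan1..lan4, VLAN ID 20 for IoT, the TV plugged into lan4, a managed switch hanging off lan3 with VLAN 20 tagged, the 192.168.20.0/24 range, the SSID and the placeholder passphrase. The firewall part implements the "separate firewall zone" idea: IoT devices can reach the internet and the router's DHCP/DNS, nothing else, while trusted LAN clients may still initiate connections to the TV.

```uci
# /etc/config/network  (added alongside the stock 'lan' definition;
# with bridge-vlan in use the 'lan' interface must point at 'br-lan.1')

config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3:t'        # trunk to the managed switch, VLAN 1 tagged

config bridge-vlan
    option device 'br-lan'
    option vlan '20'
    list ports 'lan3:t'        # VLAN 20 also tagged on the trunk
    list ports 'lan4:u*'       # wired TV: untagged, PVID 20

config interface 'iot'
    option device 'br-lan.20'
    option proto 'static'
    option ipaddr '192.168.20.1'
    option netmask '255.255.255.0'

# /etc/config/dhcp  (dnsmasq hands out leases on the IoT VLAN)

config dhcp 'iot'
    option interface 'iot'
    option start '100'
    option limit '150'
    option leasetime '12h'

# /etc/config/firewall

config zone
    option name 'iot'
    list network 'iot'
    option input 'REJECT'      # IoT may not talk to the router except via rules below
    option output 'ACCEPT'
    option forward 'REJECT'    # no IoT-to-IoT forwarding across interfaces

config forwarding            # IoT -> internet only
    option src 'iot'
    option dest 'wan'

config forwarding            # trusted LAN may initiate to IoT; replies
    option src 'lan'         # come back through conntrack, IoT cannot initiate
    option dest 'iot'

config rule                  # let IoT clients get DHCP leases and resolve names
    option name 'iot-dhcp-dns'
    option src 'iot'
    option proto 'tcp udp'
    option dest_port '53 67'
    option target 'ACCEPT'

# /etc/config/wireless  (optional: an IoT SSID that lands on the same VLAN)

config wifi-iface 'iot_radio0'
    option device 'radio0'
    option mode 'ap'
    option network 'iot'
    option ssid 'home-iot'
    option encryption 'sae'    # WPA3 only; use 'sae-mixed' only if a device cannot do WPA3
    option key 'change-me-to-a-long-passphrase'
    option isolate '1'         # clients on this SSID cannot see each other
```

Apply with `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, then verify from the IoT side: a client on 192.168.20.x should get a lease, resolve names and reach the internet, but `ping 192.168.1.1`-style attempts at trusted-LAN hosts must fail. On older swconfig-based routers the VLAN part is written as `config switch_vlan` sections instead of `bridge-vlan`, and the port numbering comes from the device's page in the OpenWrt table of hardware.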

            task210 OpenWrt looks great! Instead of sourcing a mini PC for OPNsense, I'll just buy a router and flash it.

            Networking is already technically hard, and when you include cost considerations it's really difficult to choose.

            In terms of hardware, keep in mind that you get what you pay for. So if you want to have a VPN set up right in the router, for example, you won't achieve great speeds with most Wi-Fi routers out there (GL.iNet has a table on their site for VPN speeds if you want to compare models).

            Also, some routers don't even have enough space/processing power to host AdGuardHome/pihole locally.

            For VLANs most routers don't have a switch, so adding a switch might be still another cost.

            Truthfully? It's hard to decide.
            For just replacing an ISP router, a Wi-Fi router with OpenWrt is definitely the best option.
            But as we go down the rabbit hole, I'm not sure a Protectli with OPNsense is such a bad idea, even though it might seem more expensive at first.

              Hb1hf Also, some routers don't even have enough space/processing power to host AdGuardHome/pihole locally.

              Which might not be the best idea anyway. Keeping your router lean.

              Hb1hf For just replacing an ISP router, a Wi-Fi router with OpenWrt is definitely the best option.

              But as we go down the rabbit hole, I'm not sure a Protectli with OPNsense is such a bad idea, even though it might seem more expensive at first.

              Agreed. And this is all very far from putting GrapheneOS on whichever phone is sitting around and declaring it to be a router. In a sufficiently abstract sense, phone hardware can do that job (likewise a Raspberry Pi). But once you want both lots of packets per second so one client can do well on speed tests and the ability to support 10 clients each getting 1/10 of the ISP's quoted line rate and rich per-device access policies and it should run flat-out eight hours in a row every day, the situation changes. Some people who pay more for router hardware are buying actual value.

              One thing to consider when using OPNsense or OpenWrt is the increased number of devices you need. Depending on your needs you quickly end up with 4 devices (modem, router/firewall, access point (Wi-Fi), SIP telephony). With a bit of luck you can unify the first three with OpenWrt on a suitable device, but with OPNsense you likely end up with all four. All of these cost money, both in terms of buying, but also electricity cost. All need to be kept up to date, understood and debugged in case something breaks. So I would try to keep device numbers low as a beginner and search for a device which offers the first three mentioned functionalities, and that's something you won't succeed with with OPNsense.