Firewall / Router recommendations

Many moons ago my home / lab network was vastly complicated .... all sorts of separate subnets / vlans / proxies and firewalls.

Secure, but became a bit of a nightmare to manage ongoing, for example every time the kids wanted some new app / game on their devices it was hassle trying to figure out why it wouldn't work. So a couple of years ago I simplified it and flattened to one subnet, no vlans, and just the firewall / content filter from a Draytek router.

Been happy with that as everything just works, albeit not as secure as it was before.

Roll forward to today and I want to get some security back in place, primarily just to track (and block if needed) certain devices from internet access when required. I don't need the complexity of subnets and vlans again, not really looking for isolation, etc. DNS based blocking won't cut it, I want to track and block at the protocol level.

For this I'd like to simply add a second firewall / router to the existing setup. I can then point (either by DHCP options or statically) specific devices to use that firewall / router instead of the existing one.

Ideally I'd like some sort of live logging so I can see what device is accessing what IP address externally, what protocol / port and if http / https based the full url being accessed.

The ability to block by default (i.e. nothing out) on a device IP basis would be useful. As would the ability to simply click block / allow as appropriate from that live logging ..... would rather not get back into having to handcraft rules again if possible!

Any recommendations for what to use, prefer a hardware off-the-shelf solution but not opposed to rolling an RPi based thing if needed.

Doesn't need to be some hugely powerful piece of hardware, I'm only looking at maybe a dozen or so devices that will route through it - cameras, Hubitats, other IoT devices, etc.

Any thoughts?

OPNsense Firewall works great for me..

https://opnsense.org/

Interesting, I used to use pfSense ~ 10 years ago .... a complicated headache at the time.

Does OPNsense cover the things I mentioned?

Would be great if I can literally click a button next to a live "event" to just deny / allow i.e. automatically creating the rule(s) as needed.

You know the answer is probably not everything you want. It's always a trade off between ease of use/setup, features, and cost.

OPNsense is a great all around firewall that can do a lot of things and has a bunch of addons.

Ubiquiti hardware is really good for getting a picture of your overall network and managing things. Love the interface. Have to buy the equipment - but do research because there are a lot of different capabilities. I understand TP-Link has something similar.

If you REALLY want to go down the rabbit hole with features then check out PacketFence:

https://packetfence.org

This is a hardcore Network Access Controller - lots of features but maybe not trivial to implement + you need some compatible hardware to run.

edit: There are other firewall appliances/sw that would be good as well but come with licensing fees etc... something that I try to avoid if possible.

PacketFence is NOT a firewall. (I manage a PF cluster as a small part of my pay check.)

Ubiquiti's USG firewall hardware does not have a stellar reputation, but does provide a baseline if you are already in that ecosystem. I personally would not buy one otherwise.....

Thanks, was kinda hoping that in the time since I last dabbled something relatively simple would have come out (either software or hardware).

I did take a look at Ubiquiti but it seems more like you need to go all-in on their kit which would be a bit overkill for me I think. Their USG looked interesting, like it would work standalone, but I couldn't tell if it had the live-logging / click to enable / disable capability.

Not opposed to something that needs a bit of configuration / ongoing management, but I have too many grey hairs already to venture too far in that direction! Getting flashbacks now to SmoothWall, IPCop, etc, etc 🙂

You might want to check the third-party home router firmware options, to see if any of them have click-to-enable as a feature.....

Yep PF is a NAC not a firewall - apologies for not being clear on that point. It seems some of @martyn's requirements do fall under NAC capabilities though which is why I mentioned it. Of course that kind of filtering seems non-trivial without specialized hardware. Especially now that devices like phones randomize their MACs by default these days...

I like and use the non-cloud based Ubiquiti stuff.. just a PoE switch and WiFi APs, decided against UDM/UDM Pros fortunately and kept my OPNsense firewall.

Happy to take a look at any recommendations really, I've been a long time out of this type of thing so not sure what's possible now.

Previously used all sorts of stuff though, pfSense, Smoothwall, IPCop, ZyWall, Microsoft's various solutions (proxy, ISA, TMG, etc). Overall recollection of all of that was that it was a complicated headache!

Hopefully there's something point-and-click out there ......

Yeah I loved IPCop but it could be a pain and became dated rather quickly. Switched to pfSense for a while too but then Netgate said new versions would require AES-NI which my "server" did not have at the time so I switched to OPNsense. The seemingly never ending Netgate drama has kept me with OPNsense.

@martyn, I mentioned TP-Link - check this out:

I have no experience with this though...

I use OPNsense, too. Currently subscribing to Sensei, as well, but may drop that when my 1st year is up due to them only allowing 2 user customizable profiles for rules (I need more than that).

I use a WatchGuard T35 (though for most a T15 would more than suffice). Incredibly granular if you want it to be. For my WiFi I use UniFi AP AC Pros. The interface can either be via web or via console or their own manager.

My trusty WRT-1200AC loaded with DD-WRT has never let me down, and has a plethora of monitoring and security add-ons from which to choose.

That said, even the stock Linksys firmware for the WRT-1200AC had a "parental control" page where devices could be denied any WAN access at all, or individual domains and subdomains could be blocked.

What are the logging / monitoring / management capabilities with all these though?

What I'd like to be able to do for example is:

  1. block a specific device IP from any outbound access by default
  2. view a live log of what that device IP is trying to do - protocol / port / target IP ..... including any domain and url if it's http / https
  3. (ideally) from that live log be able to click a button that automagically creates an allow rule e.g. "allow this IP full outbound access", "allow this IP outbound access using this protocol / port", "allow this IP outbound access to this target IP", etc

I'm sure any / all of them can achieve the end result, but it's the simpler management side in getting to that end result that I'm really looking for.

The Unifi USG looked reasonable, but seems there's like zero UI for logging / reporting of what's going through the device.

Too many hours lost in the past in trawling log files by hand, carefully crafting IP tables rules and / dansguardian / blocklists / whitelists / etc.

Am I asking too much?
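The three requirements above (default-deny per device IP, a live view of what that IP is trying to reach, and a button that turns one log event into an allow rule) are small enough to prototype. The script below is an added example, not code from this thread or from OPNsense/pf: it parses a few constructed pf-style filterlog lines, summarises one device's attempts by protocol/destination/port, and emits the pf rule text that a "click to allow" button would generate for a chosen scope. The CSV field order is modelled on pf's filterlog format as OPNsense/pfSense write it and is an assumption; the interface name `lan`, the device address `192.168.1.50` and all destination addresses are made up.

```python
"""Prototype of the 'default-block a device, watch it, click to allow' workflow.

Added example, not code from the forum thread or from OPNsense/pf.
ASSUMPTION: field order below follows pf's filterlog CSV as used by
OPNsense/pfSense (rulenr, subrulenr, anchor, label, iface, reason, action,
direction, ipver, tos, ecn, ttl, id, offset, flags, protonum, proto, length,
src, dst, sport, dport, ...). Only IPv4 TCP/UDP records are handled.
"""
from collections import Counter

FIELDS = ["rulenr", "subrulenr", "anchor", "label", "iface", "reason", "action",
          "direction", "ipver", "tos", "ecn", "ttl", "id", "offset", "flags",
          "protonum", "proto", "length", "src", "dst", "sport", "dport"]

# Constructed sample log lines (made up, not captured from a real firewall).
# 192.168.1.50 is the "watched" device; the last line is another device,
# and the ICMP line shows a record the parser deliberately skips.
SAMPLE_LOG = """\
100,,,default_block,lan,match,block,in,4,0x0,,64,1234,0,DF,6,tcp,60,192.168.1.50,34.117.65.55,51234,443,0,S,
100,,,default_block,lan,match,block,in,4,0x0,,64,1235,0,DF,6,tcp,60,192.168.1.50,34.117.65.55,51236,443,0,S,
100,,,default_block,lan,match,block,in,4,0x0,,64,1236,0,none,17,udp,76,192.168.1.50,192.168.1.1,40000,123,56
100,,,default_block,lan,match,block,in,4,0x0,,64,1237,0,DF,6,tcp,60,192.168.1.50,52.94.236.248,51240,8883,0,S,
100,,,default_block,lan,match,block,in,4,0x0,,64,1239,0,none,1,icmp,84,192.168.1.50,8.8.8.8,datalength=64
100,,,default_block,lan,match,block,in,4,0x0,,64,1238,0,DF,6,tcp,60,192.168.1.77,142.250.74.46,51300,443,0,S,
"""


def parse_filterlog(line):
    """Return a dict for one IPv4 TCP/UDP filterlog line, or None for anything
    that cannot be attributed to a device/destination/port triple (IPv6, ICMP,
    truncated or junk lines)."""
    parts = line.strip().split(",")
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["ipver"] != "4" or rec["proto"] not in ("tcp", "udp"):
        return None
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def summarize(log_text, device_ip):
    """Count (action, proto, dst, dport) for one device IP: the 'what is this
    thing trying to do' view, with ephemeral source ports collapsed."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec and rec["src"] == device_ip:
            counts[(rec["action"], rec["proto"], rec["dst"], rec["dport"])] += 1
    return counts


def default_block_rule(device_ip, iface="lan"):
    """Per-device default deny, logged so blocked attempts show up in the
    summary above. Filtering 'in' on the LAN side matches how OPNsense applies
    rules on the interface where traffic enters the firewall."""
    return f"block in log on {iface} from {device_ip} to any"


def make_allow_rule(rec, scope, iface="lan"):
    """Emit the pf rule a 'click to allow' button would add for one record.
    scope: 'full' | 'port' | 'dest' | 'dest_port'. Rules are 'quick' so they
    win over the later default-block rule (pf is last-match-wins otherwise)."""
    src, proto, dst, dport = rec["src"], rec["proto"], rec["dst"], rec["dport"]
    if scope == "full":
        return f"pass in quick on {iface} from {src} to any"
    if scope == "port":
        return f"pass in quick on {iface} proto {proto} from {src} to any port {dport}"
    if scope == "dest":
        return f"pass in quick on {iface} from {src} to {dst}"
    if scope == "dest_port":
        return f"pass in quick on {iface} proto {proto} from {src} to {dst} port {dport}"
    raise ValueError(f"unknown scope {scope!r}")


if __name__ == "__main__":
    device = "192.168.1.50"
    print(default_block_rule(device))
    for (action, proto, dst, dport), n in summarize(SAMPLE_LOG, device).most_common():
        print(f"{n:3d}x {action:5s} {proto} {device} -> {dst}:{dport}")
    first = next(r for r in map(parse_filterlog, SAMPLE_LOG.splitlines()) if r)
    print(make_allow_rule(first, "dest_port"))
```

One caveat the sample shows: the per-device `block ... to any` rule also stops the device talking to the firewall itself (the UDP/123 attempt to 192.168.1.1 above), so DNS, DHCP and NTP to the gateway need their own allow rules placed in front of the block, or the device will look broken before any internet traffic is even attempted. Note the URL part of the requirement is out of scope here: a packet filter only sees IP/port, and for HTTPS it cannot see the full URL without a TLS-intercepting proxy; the SNI hostname in the ClientHello is the most a passive logger gets.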

Asus AXE11000 has parental controls that lets you filter web & apps by client name or mac, has infected device prevention and blocking, two-way ips, malicious site blocking, and such. Also has a traffic analyzer per device or app. Web history provides a list of the sites visited by which devices. Most of the setup required 0 brain cells to configure. If you're not looking to overcomplicate things this one has been pretty good for me.

On OPNsense I would use the Firewall Live Logs for that.

If the traffic I want isn't already logging I would put a pass rule for the specific IP, set it to log, and see what it is doing. Can't easily block it from there though - have to back out and go make a rule for it.

If subscribing to the Sensei add-on, could also block it there by IP, category, destination, etc.

Is it all pretty much point-and-click nowadays? I don't have fond memories of pfSense from ~ 10 years ago (which it seems OPNsense is derived from) ....... incredibly powerful but not exactly a dream to manage!

Out of interest what hardware are you running it on? I don't really want to go back into running big-■■■ servers again if I can help it, having spent the last 7 years or so trying to downsize!

Not really. It is still more work than it should be in my opinion if you don't need that level of flexibility.

Untangle is pretty simple, I used that for years. But their current licensing changes didn't work out for me price-wise.

I use a fanless Qotom box for mine. Can get on eBay or Amazon.