Some firewall allow upnp to be enabled for specific devices / IP addresses.
Look, security is something that makes us feel better at night. Like locks on our doors. It's not going to stop someone from breaking in via a window but bricking up the window blocks the view. Is that a builder problem? No.
Enjoy the view, have your hub lock the doors at night and rest easy you are miles ahead of most.
Nash's principle of equilibrium is in full effect. Don't make yourself the weakest target but also don't pretend to be Fort Knox.
In a previous life I had a client that did security testing so they built a fence around an empty piece of property and pointed cameras at the center. You'd be shocked at how many people tried to breach the fence. Just to get in.
Install IDS and get alerts when potentially malicious activity is going on. Even block it.
Or set up a Honeypot subnet that is easy to get in but leaves the real stuff hidden.
It's like leaving amazon boxes on your front porch filled with junk you want to get rid off. Eventually someone will come along and take it. (Seriously, don't do this, they get angry, know where you live)
The fact that there is no truly secure consumer network means it's about your comfort level. Your peace of mind.
Most people add a security system after they have a break in. Yet, security systems are really good at false alarms. The sign in the front yard is far more effective.
I have almost 20 water sensors around the house because I had one massive leak in a spot I didn't plan for. I know I missed some. And it's painful having to replace batteries every year or so. But it's peace of mind when I get a notification of water under my daughter's sink. Granted she was cleaning. But still. Peace of mind.
Again, I could set up flow monitoring, auto valve shut off, leak detection and more and probably will someday. But thanks to a $3 float valve my pool kept filling itself to the tune of $2k+ water bills. Simple fix, fill the pool when it gets low.
I really like Ubiquiti, their UniFi wireless is really good, take a look a this article:
I use 3 UAP-AC-PRO and a UAP-AC-Lite at home for my wireless mesh, with wired uplinks to one of their PoE Gigabit switches, its rock solid and quite fast and their controller is really good, love the level of insight on my network... For what's suggested above you'll need an UniFi Gateway, thats the only thing that's not Ubiquiti in my network but I have a similar solution using a Watchguard XTMv virtual appliance with a dedicated IoT VLAN and SSID...
Sorry, but they should not be configuring AVAHI internally to reflect mDNS packets to the WAN... This is simply BAD security - arguably worse than what they are protecting against in the first place...
Interesting, didn't notice that, fully agree. Why would they mirror into the WAN? That does not make sense... As mentioned I don't use the USG, the Watchguard is a lot more configurable so I have full control over where to send those packets...
Guys my mesh network is Orbi. Not going to buy another mesh system The other half would burn me alive lol
But is really interesting for who owns those systems or thinking in acquiring one.
Granted it's in the box in the closet, it's is a nice system, though. I need to sell it - it isn't typical for me to horde (my excuse is that it's in the closet so I don't see it).
I tried many of these mesh systems including Orbi, Plume, Google WiFi, Linksys Velo, etc. All went back as I could not find one that would give me the level of configurability I wanted, mainly with wired uplinks and my own firewall... Orbi was really nice though but focused on the wireless uplink, great for people who can't use wire but not for me...
The other half would burn me alive lol
