by 9712263 2781 days ago
So, what is the most secure option for the moment? Buy an x86 box and turn it into a router? But it consumes more power than a low-power router, and buying more network adapters is not that cheap.

I am currently using the open source Tomato firmware. However, there is a bug/feature in the router such that I cannot flash an image that is too large, or otherwise it will not work. Also, the configuration is limited to 32 KB; if I configure too much, the configuration file becomes gibberish, some random feature in the router goes missing, and a factory reset is required to fix it. So, I am stuck with an older version of Tomato, which guarantees that some kind of vulnerability is not fixed.

Not sure what I can get in the form factor of a router. A Raspberry Pi may work, but it has too few ports available. I heard that the CPU gets hot under intense network traffic.

7 comments

For something really small the ubiquiti edgerouter devices which run their EdgeOS are a good choice. If there's a serious security vulnerability on the WAN-facing interface it will be patched. They run a fork of Vyatta. Ubiquiti employs most of the old Vyatta development team, who did not go to Brocade when Vyatta was acquired.

Or build a really small low power x86 system with a few Intel gigabit NICs in it and run open source VyOS.

The $48 ER-X is much faster than 99% of people's residential last-mile broadband connections; it's good for up to about 750 Mbps of NAT and default route outbound to a gateway.
I have a gigabit fiber line with no PoE from the fiber box. Between the 2 I think the ERLite-3 should work better.
I have no problems with a gigabit symmetrical line on the ERLite-3. The UniFi Security Gateway is the same hardware with a nicer interface that works with UniFi APs and switches if you want to go that route, but you also have to host a controller. You can also upgrade to an ER-4 for a much faster CPU, but I don't think you need to.
fli4l [1] on an ALIX board [2] (for example) is an option.

ALIX boards are reasonably energy efficient. fli4l can run from read-only media. This is no panacea (see fileless malware) but at least you can be sure that after a reboot your system is clean. Security is a primary goal [3] of the fli4l project and they maintain a public Security Archive.

[1] http://www.fli4l.de/en

[2] https://www.pcengines.ch/alix.htm

[3] http://www.fli4l.de/en/home/security/

Find a not too old Cisco integrated services router, set it up to drop everything coming from outside, and run DHCP network(s) on the inside. Use WiFi routers in bridge/access point mode.

Drawback is they tend to be noisy, but if you have a basement/closet..

I think it's been around 7 years since a public exploit has been dropped for the Apple AirPort Extreme. YMMV though, as Apple has stopped selling them, which means support is likely going to be minimal in the future if something does pop up. A lot of it is likely security through obscurity though, as obviously the code is closed source and it uses a custom management interface vs. web access.

If you want to go the modern (better) route, enterprise equipment such as Ubiquiti or Cisco with strict rules is likely your best bet. The budget option is an OpenWrt install on one of their recommended routers.

> Buy an x86 box and turn it into a router? But it consumes more power than a low-power router, and buying more network adapters is not that cheap.

If you want to go this route, used Intel NICs are cheap. I recently picked up a 4-port gigabit NIC (PCI-E) for £13.99. I'm running on a machine that would be on anyway, so the power usage is negligible.

I highly recommend looking into pfSense. I’ve been running it for years and it’s been solid.
You only need two network adapters, other devices could be connected by a switch.