I've been using BitDefender Box for a while. It works well, but it a little dumbed down for consumers and doesn't give me the granular control to block domains, see traffic, or whatever. I'd like a little more control. I'm planning to use OpenDNS (and/or PiHole) unless someone has more up-to-date recommendations. In short, I want to take total control and responsibility for my network after sleeping for a few years and assuming BitDefender will take good care of me.

Thanks all!

Personally, the only products I've found that offer the kind of full control you note are enterprise or commercial products.

 
Mikrotik makes nice (and inexpensive) routers that so configurable it will make your head spin. The big issue is having to learn their "language" if you are going to use the CLI. Fortunately, there is a GUI that makes configuring a lot easier, but you still need to learn their logic. You can home-roll a firewall to beat the band.
 
I've been using their RB450G model (5 gigabit ports) for a dozen years now. No wi-fi in this model, as I use access points for all of my wi-fi, and still would, even if the router was a combo with wi-fi. Before wi-fi came along, routers were dedicated routers, and did that job well. I am a firm believer in dedicated devices to do one job and do it well. A router for routing, and access point for wi-fi. I used to even run separate DNS and DHCP servers on FreeBSD, but now use those functions on the Mikrotik, (trying to simplify a bit in case something happens to me and my wife has to maintain the network).

I'm no longer much a fan of Ubiquiti, save for one product line: Their EdgeMax line of small routers.

I've been running an Ubiquiti Edgerouter Lite 3 (ERLite-3) for my Internet border router since 2015. I've yet to have seen anything that can beat it for my needs.

Another vote for Mikrotik. I also have separate devices for wired router and wireless AP. My router is an RB750Gr3, commonly called a Hex. It's been absolutely stable and it's more capable than I will ever use. Of course it provides DNS and DHCP for my entire network. (It's also amazingly cheap for what it can do. The value proposition is remarkable.)

Mikrotik has their own way of doing things and there is definitely a learning curve, but if you want control you will *get* control. Note that their management interface has 3 'levels'. There's a wizard-type interface for essentially one click setup for very basic scenarios. Meh. Then there's the full GUI that lets you, and expects you to, access and configure most everything. Then there's a CLI that gives you *everything* - similar to the full GUI but with much much more fine control.

You need to understand the MT way of doing things to get satisfactory results with the full GUI or the CLI but once you do the GUI is easy and the CLI is straightforward just has its own fussy syntax.

For wireless, you get the same stability, control and good value. Problem is their software is several years behind in what wireless standards they support. That bothers me not at all. YMMV. My AP has an excruciating model name but is commonly known as a hAP ac2.

One side note, their software being, honestly, somewhat old means they don't have the latest tools for dealing with buffetbloat built in. But it's not difficult to mitigate using existing functionality that IS built in to their software (called RouterOS, which is built on an older Linux kernel).

Take a look at Sophos. It is a commercial grade firewall / UTM that is free for home use.
Free for 50 IP , all you need to do is run it on an old pc , or atom based server . I used to use this when I needed content management etc.

Now I'm using Synology as my wireless router , with the synology mesh. I also have a synology NAS box and I run Adguard on that in docker container. Point the DNS that the synology router gives out in the DHCP leases to the adguard instance and most bad stuff is blocked.

Perhaps you could elaborate on your existing network structure and how you would like it to be?

The reason I ask I see a lot of answers from my colleagues here for wired firewall perimeter routers and I agree that many of those are good.

I also see in your title you mention "Wi-Fi Router" ~ how does Wi-Fi come into you decision?

How is your Bitdefender installed as it seems as this is not a traditional "Router/Firewall" as most here have been recommending?


I agree on much of the wired-only devices and generally applaud anyone wanting to properly design a network infrastructure albeit home or business but is this the device you desire? You have an additional "router" upstream from the BitDefender- correct?

Sorry just trying to narrow the scope down.

quote:

Originally posted by ensigmatic:
I'm no longer much a fan of Ubiquiti, save for one product line: Their EdgeMax line of small routers.

I've been running an Ubiquiti Edgerouter Lite 3 (ERLite-3) for my Internet border router since 2015. I've yet to have seen anything that can beat it for my needs.

With Ubiquiti they have many products in both wireless and wired ~ all good products.
They have the UniFi products and the Edge Products.

Unifi has the the Unified Controller that benefits someone controlling a lot of devices and a larger environment.

The Edge line ~ switching and routers are more controllable and more configurable but much of it requires CLI to accomplish although there is a GUI on the Edge Products that has developed over the years to be quite usable.
EdgeRouters and EdgeSwitches are what I use too.

The UniFi Wi-Fi while performing quite well the control and configuration was not ideal.

That is why I left UniFi for EnGenius (in WI-Fi) and have been very satisfied with EnGenius WiFi.
At least at the SMB level it works better for me and my clients and I am sure the UniFi lineup would do well in more Enterprise scenarios ~ maybe or maybe not better but the individual requirements would dictate what to use.

Regardless, I love the EdgeRouters except for their VPN setup especially OpenVPN.
For that I like using Untangle on a built mini-computer or device.
Untangle btw is a great firewall too.
To the OP ~ Untangle sends me a detailed report by email daily of all kinds of activity and it is highly configurable.
You can get started for free with Untangle but you need your own hardware and minimum 2 NICs.

Also many have mentioned Mikrotik and Sophos ~ I haven't used them but do know about them (you can only support so much) and they are great contenders in this space the OP is interested in.

Here is a guy I follow on YouTube:

quote:

Originally posted by smschulz:
EdgeRouters and EdgeSwitches are what I use too.

I don't use EdgeSwitches. I'm using EnGenius' switches. So far I'm liking them.

quote:

Originally posted by smschulz:
The UniFi Wi-Fi while performing quite well the control and configuration was not ideal.

That is why I left UniFi for EnGenius (in WI-Fi) and have been very satisfied with EnGenius WiFi.

Same here. Went EnGenius upon your repeated recommendations, here.

quote:

Originally posted by smschulz:
Regardless, I love the EdgeRouters except for their VPN setup especially OpenVPN.

For that I'll be using Wireguard on my ERLite-3. (When I get around to it, someday...)

quote:

Originally posted by smschulz:
Also many have mentioned Mikrotik and Sophos ~ I haven't used them...

I've never used Sophos, but I did use a Mikotik router at work for the guest WiFi network. I found it "just ok." I like EdgeRouters better.

I'm waiting on a 4 port gigabit card to be delivered and then I'm switching to pfsense for my router and firewall.

quote:

Originally posted by ensigmatic:

quote:

Originally posted by smschulz:
EdgeRouters and EdgeSwitches are what I use too.

I don't use EdgeSwitches. I'm using EnGenius' switches. So far I'm liking them.

I'm versatile on switches, depends on the situation.
The only thing I don't like about EnGenius switches is that they are very noisy.

quote:

Originally posted by smschulz:
Perhaps you could elaborate on your existing network structure and how you would like it to be? The reason I ask I see a lot of answers from my colleagues here for wired firewall perimeter routers and I agree that many of those are good.

I also see in your title you mention "Wi-Fi Router" ~ how does Wi-Fi come into you decision?

How is your Bitdefender installed as it seems as this is not a traditional "Router/Firewall" as most here have been recommending?

I agree on much of the wired-only devices and generally applaud anyone wanting to properly design a network infrastructure albeit home or business but is this the device you desire? You have an additional "router" upstream from the BitDefender- correct?

Sorry just trying to narrow the scope down.

Thank you! You're absolutely right, I think I need to provide more detail.

Current State: The entire network is a single internal subnet routed by the BitDefender Box. We are 100% WiFi based inside. The Box is also (supposed to be) a cloud/AI powered physical firewall/IDS. I pay a subscription for this assurance of magic smarts to watch what is going on and prevent bad stuff. It also comes with unlimited copies of their AV for any devices that visits my network. It's supposed to watch all my smart stuff (plugs etc) to make sure they don't get pwned and start doing bad stuff. The problem is I cannot "really" see what is going on, and cannot apply content blocks very effectively, (though OpenDNS is helping with that, albeit blocking URLs is not the most elegant thing anymore with the complex Internet services these days.

What I'd like: I'm really open to hearing what others are doing. I was sort of thinking VLANS inside that keep the smart devices separated from the information/compute network. I'd love a lights-out time limits by device capability. I'd love a web content by device capability. I think I "need" a web content visibility by device. Open DNS shows what is blocked, but not what occurs. I guess if I build their rules well, I can/should assume that what is occurring is ok.

NOTE: I'm also looking at parental control apps for mobile devices (another subject entirely). I'm finding these vary in functionality by platform. So I may end up moving the kids to Android based devices to get the functionality I want. Apple prevents the visibility I feel I need to protect them.

Thanks all!

Rogue, It seems that your BitDefender Box it double-natted that is between your ISP Firewall/Router and you not in a Bridge mode.
How is your Wi-Fi configured?
If so wouldn't your Wi-FI clients be bypassing the device?

It sounds like you need more control of the outbound traffic as it appears you are not forwarding to specific ports, servers, computers or clients?

It also appears what you most want is called a "Content Control Filter" by many which specifies what or what cannot be let through per your policies.


A lot of these devices in routers are called UTM's ( Ultimate Threat Management ) devices and it is built in.
They can get pricey, and sometimes complicated to configure.
Some of those are SonicWall, Barracuda, WatchGuard, Cisco, and just about every business networking hardware company has a version.

Also most of the "routers" mentioned before do not have this function natively built in without complication.

A couple of software driven versions that might serve you better could be Untangle or Sophos.
I haven't used Sophos but have heard some good things but have used Untangle.

They can be purchased on a device they (the mfr) provides or what could let you sample it is to download the software for FREE and install on your own device.
It is a Linux product and (Untangle) it has a lot of FREE components but you can also subscribe a la carte to apps like CONTENT CONTROL, AV and a bunch of other components for a fee.
You can also try these apps FREE for 14 days on Untangle ~ don't know what Sophos offers.
You will need to supply your own hardware ~ jut about any PC will do but must have 2 NICs, no OS required as it will overwrite everything on install.

One other thing, if you have a Windows 10 Pro machine with enough resources and recent you could create a Virtual Machine with Hyper-V and test it out.
A little more complicated and not something I would put on a laptop but there are other Virtual Programs that can also do but I normally do MS Hyper-V so others can chime in on that part if that interests you.

What I'm doing many, or even most, people would not find tolerable.

First of all: Rather than run the most commonly-used and commonly-vulnerable stuff I, for the most part, take the roads less traveled. In particular: I avoid software known to be commonly-exploited. I simply do not use it. (E.g.: Adobe Flash has never been installed on a single device I've ever owned or used. Or, if it was, it was promptly eradicated.)

I use very little in the way of typical consumer-/homeowner-grade hardware. Nearly all network gear is business-/commercial-grade--or at least prosumer-grade.

I never use "all in one" network devices. (This is more a performance and reliability issue than a security one.) Routers to route. Network switches to switch. WiFi access points to supply WiFi.

I never depend upon my ISP's router for my border security. I use my own router, configured as I want it, and over which only I have control.

The Internet border router runs as "that which is not explicitly allowed, is denied." Aka: "Default deny." I don't try to block what is known or thought to be bad, but instead only allow only that which is known or thought to be safe--or relatively safe.

I have extensive ingress and egress rules on the border router. (I.e.: Only devices that should need to make outgoing connections to a given port are allowed to do so.)

The IoT stuff is probably my networks biggest threat. All that stuff is explicitly prohibited from communicating over the Internet. (Exception: Certain devices must, for the purpose of access outside the house. [E.g.: The alarm and surveillance systems.] They are carefully excepted on a case-by-case basis.)

Now that all my LAN switches support it, I'll probably further-isolate IoT stuff by putting it on its own VLANs.

I make extensive use of SSL/TLS even w/in my own, allegedly secure, network.

I run my own mail server. Among other things: It simply rejects incoming email with known, commonly-exploited attachment types. I don't mean tries to threat-check them. It outright rejects them. Period.

Just as I did when I was the network admin at work: I educate my users (which consists of one: My wife) on safe computing in an unfriendly Internet age. Put simply: She doesn't do st00pid stuph. She is at least as cautious as I, if not more so. You see: In the battle between technology and stupidity, stupidity will win every single time. And, just like my end-users at work used to do: If she sees or experiences something she even remotely thinks is not right, she stops and comes to get me to check it out.

That's what I do.