Router recommendation?

Haole Boy

Aloha. A while back I had ethernet cable strung around my house. I'm finally getting around to actually connecting all those ethernet cables to my LAN, and am trying to find a suitable router. I'm looking for an 8 port gigabit device. My internet service is fiber optic and has 500 Mbps down / 300 Mbps up speeds. My ISP provides a "Gateway" which is currently a Pace 5168NV-110 and provides NAT and DHCP services so I don't necessarily "need" to have a router, but I just like the idea of having a newer and (hopefully) updated device between me and the big, bad Internet.

So, a question for all you networking gurus out there: do you have any recommendations on an 8 port router suitable for residential use? I really don't know if I need or want QoS or VPN. Please note: wifi is done with a separate mesh system, so I don't need a wifi router.

Mahalo!

Harry Z
 
Build a Linux-based firewall. Sounds like you want a UTM, perhaps something like Untangle Lite.
If you just get another router off the shelf...you'll end up just creating double NAT, and...there's no added protection from regular home grade routers...NAT is NAT...is NAT. One NAT router isn't providing any more protection than that ISP provided gateway already doing NAT.

A UTM however, something with multiple modules of additional security services.....web filtering, threat blockers, IPS, antivirus scanning engines, they can help add a good layer of protection.

Or..just use a secure DNS filtering service, like...Quad9. It's free too! Can be more effective than a UTM these days, since...UTMs really only help if they're doing SSL/HTTPS inspection....which is hard to set up on every client device.
 
I've seen very few routers with more than 4 LAN ports. A lot of them are now coming with three. Just get a switch. I like the Netgear models that have the blue metal case with LEDs on each port. I'd go ahead and get a 16 port model.
 
8 port routers exist but you need to know that the good ones can configure each to do anything, WAN or LAN. That flexibility comes with a price.

If you want to get your hands dirty, as the saying goes, then you really want to get a router with a separate switch. @YeOldeStonecat mentioned Untangle Lite which is a great way to get into routing. You get 30 days of the full product then it kicks back to the free license which still has plenty of features. It's a Linux distro and you can load it on any Wintel hardware. Use an old desktop, slap in an additional NIC card, small SSD and you're good to go. Check with your ISP but I'm sure you can just turn off DHCP, DNS, etc. and put it into bridge mode.

If you still want to use the ISP's DHCP, DNS, etc. then you don't need or want a second router. The point of having a router is to do those tasks. Doing it a second time means double NATing which is another way of spelling PITA. So if sticking with the ISP for those services then you need a layer 2 or layer 3 switch if you want to do something else fancier.
 
Mahalo for all the replies. It appears that I know even less than what I thought I knew. No idea what UTM, Layer 2, or Layer 3 are. Gotta do some research. :)

If it's this model it looks OK to me, has gigabit WAN/LAN ports and SPI firewall feature:
Just get a gigabit switch.
@fincoder My main concern is that if there is an issue that requires a firmware update to resolve, I don't know if my ISP will update the Gateway in a timely manner. Or if ARRIS (who purchased Pace) will even issue firmware updates for this device.

@Markverhyden Thanks for yet another very complete response.

I'm leaning towards getting a switch. Thanx again for the replies!
 

UTM firewall = Unified Threat Management.....it's a type of firewall that stacks layers of modules that inspect traffic closely. You'll have at least one antivirus scanning engine, a threat blocker engine, a content filtering module, a more robust firewall module, an intrusion detection/prevention module, SSL inspection, often SPAM/Phish protection modules, etc. All of this...on top of the basic NAT...Network Address Translation.

Some examples, Untangle, Sonicwall, Watchguard, Fortinet, Sophos, Juniper, Palo Alto, Checkpoint, etc.

Now...for basic NAT routers.

NAT = Network Address Translation...which is a very basic firewall, prevents unknown/unasked for traffic from coming in, and lets everything out. Basically it just runs on stateful packet inspection. Think of it like a boat scupper. It's a one-way, very basic, dumb firewall. Yeah some may run a minimal IDS/IPS...but...it's not worth much. NAT is used by routers that run in gateway mode, in basic form...taking the single public IP address (or in some cases multiple public IPs), and translating that into multiple internal IP addresses typically on a class C subnet behind the router. aka your home/work network, that 192.168.0.0/24 network, or 10.1.10.0/24 network, etc.

Your ISP provided gateway...is running NAT.

If you go to the store and purchase an off the shelf router....like a Linksys, DLink, Netgear, TPLink, Asus, Eero, Belkin, Google Mesh, whatever....they're still just....NAT. They have zero security advantage over any other NAT router...NAT is NAT.
 
And NAT is effective! But it's certainly not everything.

I'll echo support for Untangle NGFW. The reporting tools it provides grant visibility unlike any other platform. It will teach you what you need to know as you use it. No other UTM can even come close, and you get this for FREE, you don't need a subscription for it.
 
@fincoder My main concern is that if there is an issue that requires a firmware update to resolve, I don't know if my ISP will update the Gateway in a timely manner. Or if ARRIS (who purchased Pace) will even issue firmware updates for this device.
This is actually a very important item. Operationally NAT allows no traffic from the outside unless it's part of an ongoing outbound session. What has happened in the past is black hats have developed attack vectors for these ISP supplied and/or retail modem/routers. Which means all they need is access to the WAN side which is always available.

The point for users is they need to pay attention to their ISP's announcements. If they say you need to upgrade then it's highly probable that updates will no longer be supplied to address security and operational problems.
 
Does a NAT router with SPI firewall (as the OP's has) have any extra security?
Not really.
NAT itself is a basic SPI....SPI is really just examining incoming traffic to see if it was requested from an internal IP....and it (depending on vendor) can have some very primitive/basic blocking of things like DoS prevention and perhaps some very rudimentary network attacks from the 90's. Consumer grade routers will just have the most basic SPI....some might advertise "deep SPI"...but...yeah, they're not a UTM or anything like that.
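To make the NAT/SPI behaviour described in the thread concrete (reply traffic is admitted only when it matches a translation created by an outbound packet; everything unsolicited is dropped; and a second router behind the ISP gateway just translates the same flow twice, i.e. double NAT), here is a small simulation. It is an added example, not code from any poster or from Untangle; the router and host addresses are constructed from documentation ranges.

```python
"""Toy stateful NAT table, to show why NAT behaves as a one-way firewall."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatRouter:
    """A NAT gateway: outbound packets get a public source port and a table
    entry; inbound packets are admitted only if they match such an entry."""
    public_ip: str
    next_port: int = 40000
    # public port -> (internal ip, internal port, remote ip, remote port)
    table: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, entry in self.table.items():  # reuse an existing mapping
            if entry == flow:
                return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[pub_port] = flow  # this is the "state" SPI later checks
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Return the de-translated packet, or None if it is dropped."""
        entry = self.table.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or entry is None:
            return None  # unsolicited: no internal host asked for this
        int_ip, int_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # right port, wrong peer: still not part of the session
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)


def demo_double_nat():
    """ISP gateway in front of a second home router (constructed addresses)."""
    isp_gw = NatRouter("203.0.113.10")  # public side of the ISP gateway
    home = NatRouter("192.168.1.2")     # second router's WAN sits on the gateway LAN
    request = Packet("10.0.0.5", 51000, "198.51.100.7", 443)  # PC behind both
    on_wire = isp_gw.outbound(home.outbound(request))         # translated twice
    reply = Packet("198.51.100.7", 443, on_wire.src_ip, on_wire.src_port)
    delivered = home.inbound(isp_gw.inbound(reply))           # untranslated twice
    probe = Packet("192.0.2.99", 12345, "203.0.113.10", 22)   # nobody asked for this
    return delivered, isp_gw.inbound(probe)
```

The reply reaches 10.0.0.5:51000 only because both tables hold matching entries, while the unsolicited packet is dropped at the first hop; adding the second NAT box changes nothing about which inbound traffic is admitted.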
 