Security Advisories from router vendors
Emulators - kick the tires on a routers web interface top
- Peplink has a demo of the web interface for a Balance 710 router, a high end model with 7 Ethernet WAN ports and an AP controller. Peplink also has a demo of the web interface of the Pepwave MAX HD4, a high end cellular router.
- A pcWRT demo is available at demo.pcwrt.com
- Ubiquiti has a demo of their high end UniFi system
- The simplified administration interface for Turris routers (Omnia and Mox) is called Foris and a demo is available at https://demo.turris.cz
- The Asus RT-AX88U is a newer model, while the
Asus RT-AC66U is older.
- DrayTek has online demos of their entire product line. here and here. For example, you can kick the tires on the Vigor 2926
series and on the Vigor 2133 series.
- Linksys has an index of the routers available to demo. Some examples: the
WRT610N running firmware v2, the
WRT1200AC running firmware 126.96.36.199464 and the
EA8500 running firmware 188.8.131.52984
- Cisco Small Business Online Device Emulators
- MikroTik software, RouterOS, has multiple interfaces. One is Telnet, another is a Windows application, WinBox 3.0. A demo of the web UI is at demo.mt.lv. Its v6.38 as of Jan. 2017. You can also download an ISO for free, burn it to a CD, boot from the CD and run RouterOS for 24 hours.
- D-Link does not have one comprehensive list of their available emulators. To see if one is available for a particular router, search for the model number in tech support
section of the D-Link site. That said, some D-Link emulators are listed here
and others are here. Examples:
DIR 825 rev. B,
DIR 818 LW,
DIR 615 rev. C,
- TRENDnet Product emulators. One example, the
- TP-LINK emulators
- There don't seem to be any Netgear emulators
- This list of Router UI Emulators has links to Asus, Belkin, Cisco, D-Link, DrayTek, Linksys, Mikrotik, Netgear, Peplink, TP-Link, TRENDnet, DD-WRT, Gargoyle, OpenWRT Luci and Tomato.
My blogs about routers top
- A firewall rule can help block ransomware August 29, 2021
- Hiding on a Wi-Fi network August 4, 2021
- A second router can make working from home much more secure Sept 25, 2020
- Two things about Eero routers having nothing to do with Amazon February 18, 2019
- Reporting a UPnP quirk in a Netgear router February 16, 2019
- Debunking the New York Times on Router Security and VPNFilter Lots of errors in an article. June 17, 2018
- VPNFilter router malware - just the bad stuff June 4, 2018
- Routers are constantly being probed - An examination of a firewall log March 19, 2018
- Some routers can force their DNS servers onto all devices and why you should care both at home and while traveling. March 5, 2018
- Using a Ubiquiti AmpliFi Mesh Point to extend a non-AmpliFi Wi-Fi network February 27, 2018
- The Best Security for Wireless Networks October 17, 2017 at eSecurity Planet. A thorough revision of an introductory article that stood the test of time.
- WifiInfoView is a great Wi-Fi utility for Windows Now with extra data. September 18, 2017
- Testing an AmpliFy mesh point as a Wi-Fi extender Initial setup mostly. August 7, 2017
- 7 mistakes Google made updating my Google Wifi router May 8, 2017
- Asus router warnings on privacy and security May 5, 2017
- How seven mesh routers deal with WPS April 28, 2017. Updated Aug 12, 2017 to note that AmpliFi now does WPS and can't turn it off.
- The Netgear router flaw post mortem -- plenty of blame to go around December 24, 2016
- Updates and more on the Netgear router vulnerability December 17, 2016
exploited Netgear router flaw discovered December 10, 2016
- Blame the ISPs rather than the routers December 3, 2016
- Getting started with the Ubiquiti AmpliFi mesh router November 23, 2016
- Another HNAP flaw in D-Link routers November 11, 2016
- What the Ubiquiti AmpliFi mesh router is missing October 1, 2016
- A Defensive Computing term paper on privacy: VPNs, Tor and VPN routers September 18, 2016
- A router security cheat sheet
August 16, 2016
- TP-LINK lost control of two domains used to configure routers and Wi-Fi extenders July 4, 2016
- Router Security done wrong February 29, 2016
- Poor Wi-Fi security - my visit to the dentist
February 3, 2016
- To share or not to share - a look at Guest Wi-Fi networks December 13, 2015
- The D-Link DIR860L router - how secure can it get? November 20, 2015
- How secure can your router get? November 10, 2015
- Wi-Fi at DEF CON -
dealing with the worlds most dangerous network August 23, 2015
- A look at the security of Wi-Fi on a
plane August 6, 2015
- Linksys Smart WiFi makes a stupid Guest
network June 25, 2015. Guest networks are a great security feature, but (at least some) Linksys Smart Wi-Fi routers implement Guest networks poorly. They use a captive portal, for no obvious reason and do not offer over-the-air encryption (WEP, WPA or WPA2).
- In June 2015 I blogged twice about the NetUSB router flaw: What most people don't know about the NetUSB router flaw - Part 1 and The NetUSB router flaw Part 2 - Detection and Mitigation.
- Using a router to block a modem. This was a follow-up to a previous blog about how some modems can be attacked. February 23, 2015
- Wi-Fi security vs. government spies November 3, 2014
- A router firmware update goes bad (and, what to do about it) October 6, 2014
- I blogged, in September 2013, that Google knows nearly
every Wi-Fi password in the world. Soon thereafter, Leo Laporte discussed this on his radio show, The Tech
Guy. I would bet that Apple also knows your WiFi password, just my opinion.
- I spoke on Securing a Home Router
at the HOPE conference back in July 2014. A PDF of the presentation is available
at box.net (last updated Oct. 4, 2014). Audio is available
at x.hope.net (thanks to 2600). An article about my talk appeared in Toms Guide.
- I blogged on how to find the IP address of your home router
- I hope to review some routers ...
Self-updating Routers top
Since many router owners do not update the firmware, a router that self-updates is, almost always, a good thing. Not that it doesn't leave other problems, but one less is one less. This list is, no doubt, incomplete. And, the view that self-updating is always good is overly simplistic. The Security Checklist page has the details on what to look for. The Routers with Self Updating Firmware page has details on how some vendors compare to this checklist.
- Google Wifi and their previous OnHub line. Beware though, Google Wifi likes to reboot itself in the middle of the afternoon.
- The Eero mesh router system
- According to CNET, the Linksys Hydra Pro 6 offers " automatic overnight firmware updates".
- The Verizon FIOS G3100 router. Note: the router is made and programmed by Arcadyan.
- The Turris Omnia is fully open source, both the hardware and software. They maintain a change log so you can verify that the automatic updates are being installed. As of June 2018, it was available all over Europe and is expected to be approved by the FCC for sale in the US by Oct. 2018. I have a page devoted to the Turris Omnia router.
- All three Synology routers are probably king of this hill. I say probably because I have not used them personally, but a demo indicated they update like Synology NAS devices. The first was the RT1900ac. The second, released Dec. 2016, is the RT2600ac. Synology claims "SRM can automatically perform upgrades on a schedule for maximum convenience." Release notes for the RT1900ac and RT2600ac are reasonably detailed. Download manuals for the RT2600ac here.
- The Linksys Velop mesh router system. See SNB review.
- Based on my reading, the Linksys EA7500, EA8500 and EA6900 can update their firmware automatically. So too can the Linksys WRT1900ACS according to page 67 of its manual. In addition, I am told by someone at Linksys that all of their "Smart-Wifi" branded routers can self-update. These devices usually have model numbers starting with EA or WRT.
- The Nokia mesh routers self-update
- On the Plume mesh Wi-Fi router system, software updates are managed automatically for you.
- The Luma mesh router system. See their pledge.
- According to this article the Netgear Orbi mesh router system does self-update. However, the Orbi WiFi System User Manual dated August 2019 says nothing about automatic firmware updates. Someone I know who owns an Orbi said that, by default, it does not auto-update itself but that it can do so.
- The Starry Station
- The Almond3 by Securify
- The F-Secure Sense router "regularly and automatically updates its software in a secure manner."
- FRITZ!Box home routers, popular in Germany and Australia, can not only self-update but they (or the ISP or the manufacturer, its not clear) can send email notification of newly updated firmware.
- Avira Safe Things is router firmware. Its website says: "It will constantly be up to date."
- If you build your own router, as per this article The Ars guide to building a Linux router from scratch by Jim Salter (April 2016), then Ubuntu server can be configured to self-update.
- According to Gryphon their Software and Protection updates occur automatically. Gryphon routers were first shipped in Feb. 2018.
- Untangle, which is high end router software, can self-update
- According to this article the Motorola devices used by AT&T UVERSE automatically update whenever the AT&T management platform rolls out an upgrade.
- As of April 2018, The Mercku M2 mesh router system is on Indiegogo and its expected to ship in July 2018. This article about it says "Updates are made automatically over the air to keep the M2 up to date in both its features and security" but the Indiegogo page says nothing about self-updating.
- According to a Feb. 2018 article, someone from Netgear claimed that from 2017 onward, Netgear routers have had the automatic update function built in. The Netgear R6400 router can self-update. This was a new feature added around May 2018, give or take.
Consumer Router Alternatives top
- My recommended router is the $200 Peplink/Pepwave Surf SOHO. Its a huge step up from consumer routers. See what Peplink has to say about it. My only relationship with Peplink is as a customer.
- Many of the options below can run on generic fairly low end hardware. But, there are many such choices. Jim Salter (an expert) strongly recommends Qotom mini-PCs for these home-built routers. Website. They are cheap, available at Amazon, have a low power draw and lots of ports. He says that a Celeron J1900 or better is fine.
- pfSense is recommended by many, but I have no personal experience with it. On the Oct. 20, 2015 episode of the Security Now podcast Steve Gibson, a pfSense user, described why he
likes it: there are lots of features, very flexible NAT translation including dynamic mapping, great flow control, and it includes both an OpenVPN client and server.
The software, based on FreeBSD, can be downloaded for free and installed on an old computer as long as it has two Ethernet adapters. Gibson initially used a box from SOEKRIS to build his. On a later podcast, he also recommended pcengines.ch for buying hardware that supports pdSense. It is also sold by Netgate as a hardware appliance. The cheapest appliances all have a single LAN port and no Wi-Fi. In the old days, the cheapest model, was the $300 SG-2220. Then for a couple years the cheapest model was the $150 SG-1000. Sometime in 2018, the SG-1000 was discontinued, replaced by the $150 SG-1100 which claims gigabit throughput. On the Feb. 12, 2019 edition of Security Now, Gibson was told by a listener with questions about configuring pfSense
that Netgate charges a minimum of $900 for support. His response: Google is your friend. The Netgate tech support page shows the cheapest support option is $1,044 for 36 months. On this site, I have setup instructions for the Pepwave/Peplink Surf SOHO. See also You should be running a pfSense firewall in InfoWorld Dec. 2014.
- OPNsense is a fork of pfSense based on FreeBSD. In a January 2020 podcast, Jim Salter felt that the user interface for OPNsense was much better than pfSense. He also felt the Netgate appliances were under-powered.
- The Sophos XG Firewall Home Edition is a fully-equipped software version of the Sophos XG firewall, available at no cost for home users. It needs to be installed on your computer, something like the Qotom and PC Engines devices noted above. It offers malware protection, web security and URL filtering, application control, IPS, traffic shaping, VPN, reporting and monitoring, and much more.
- MikroTik routers have been recommended by techies. I have no experience with them. They run a Linux system
called RouterOS which is available for free and runs on many computers. They offer a number of routers for under $100 but the majority of their line is high end. Their hardware is sold at routerboard.com. The $50 MicroTik RB750GR3 hEX Router was reviewed by Doug Reid at SmallNetBuilder September 25, 2017. He found it a very powerful, cheap router that may drive you crazy trying to configure it.
- Ubiquiti Networks normally deals with techies, but in May 2016 they announced a new line, AmpliFi, targeted at consumers. The
first AmpliFi product is a router
sold with two pre-matched Wi-Fi extenders (not a mesh). It is expected to ship in the summer of 2016. There will be three models, priced at $200, $300 and $350. No idea yet about router security but at least the company has a long history making router firmware. It will allow a single guest network with a maximum number of guests, each of which can be time limited. First look.
- I have no personal experience with DrayTek but they seem to be a business class vendor and I have heard good things about them (second hand). Their routers, however, are barely available in the US. As of June 2018, I saw the Vigor-2925n for $260, the Vigor 2926n for $250 (dual WAN, /Wi-Fi only 2.4GHz), the Vigor 2926ac for $300 (Dual-WAN, Wi-Fi ac). Cheaper was the
Vigor 2912 for $115 (no Wi-Fi, Dual WAN, can connect a 4G modem to the USB port as backup net access). See a demo of the web interface for the Vigor 2926 series.
- DNSthingy is a service ($8/month as of July 2017) for controlling everything about DNS for devices on a LAN. Parental control on steroids, if you will, with adblocking thrown in too. For Asus routers, it is customized firmware with the addition of the DNSthingy service. Or, they will sell you a few Asus routers with their firmware pre-installed. For pfSense, it installs as a service. Or, they will sell you a pfSense box with their service pre-installed. clearOS is also supported. For their Asus firmware, my big question would be if they mirror Asus bug fixes into their firmware. Are they trustworthy? I have no experience with it, but their FAQ says "DNSthingy provides all of the security of a VPN connection" which is clearly not true. Their site offers no details about the company offering the service.
- Cradlepoint makes business routers and they have a couple low end models priced around $200 or so. They seem to specialize
in 3G/4G Internet access. The specs of one router say it supports WiFi as WAN but
someone at Amazon said they do not support it.
I have been very successful with WiFi as WAN on my Pepwave Surf SOHO when my wired Internet access failed, so I consider it an important feature.
The cost of tech support is also a concern. I have no first-hand experience with this but people at Amazon have said that you have to pay for tech
support even with a new router (here and
The Cradlepoint website does not show the cost of tech support.
According to 3G Store its about $28/year for their consumer routers.
- Security Router from Halon Security is based on OpenBSD, with the main differentiator being the single, revision-managed, clear-text configuration file with soft re-configuration and documented security architecture. It competes with Cisco IOS and Juniper Junos. Its free and runs from a USB flash drive or as a virtual machine.
- While I suggest stepping up from consumer routers, you can step too high. Examples of this would be either a device or software billed as UTM (Unified
Threat Management) or NGF (Next Generation Firewall). Sophos offers a Next Gen Firewall both as a hardware device and a software download. For their 2015 explanation of
what it does see Firewall for dummies
- or, what do we mean by a next-generation firewall?. CheckPoint, Sonicwall, Fortinet and Watchguard. offer these high end devices. Both UTM and NGF do a lot, require a techie to setup and maintain, are expensive to buy and require ongoing paid software maintenance.
- Darren Kitchen of Hak5 recommends making your own router using a spare PC and Untangle. You can also buy a Firewall Appliance with Untangle pre-installed. As of March 2021, the zSeries Appliances for the Untangle NG Firewall start at $300 without Wi-Fi and $330 with Wi-Fi. The eSeries Appliances for the Untangle SD-WAN Router start at $200 without Wi-Fi and $250 with Wi-Fi.
The is an online demo available for Untangle.
- Smoothwall was used at home by
Lee Hutchinson of Ars Technica (Sept. 2015) and liked by Darren Kitchen.
- Jim Salter, writing for Ars Technica, argued in Jan. 2016 that you should build your own router, assuming you are very familiar with Linux and iptables. In April 2016, he followed this up: The Ars guide to building a Linux
router from scratch. In June 2016, he pointed out the limitations:
"... setting up your own router from a generic server distro isn't a project for everyone. It certainly isn't user-friendly, both during the build process and once it's finished ... it's definitely arcane, with absolutely no hand holding along the way. If you aren't already very experienced with Linux, you'll likely do a lot of puzzled head scratching (and maybe a little cursing). You won't get a super feature-rich build once you're done, either ... you won't have fancy quality of service features, usage graphs, or much of anything else...".
- SmallWall bills itself as a small and lean firewall. It is an outgrowth of m0n0wall, its based on FreeBSD and runs on low end
x86 hardware. You can download it for free (the ISO is only 23MB) or buy it pre-installed in a box for as low as $250. At that price, Wi-Fi is not included, but a supported Wi-Fi card can be
installed into the box.
- IPFire is an Open Source Linux Firewall available both as software only or as a hardware appliance.
IPFire was designed to be modular an flexible. The primary objective of IPFire is security. Updates are digitally signed and encrypted and can be automatically installed by Pakfire. Users are notified by mail of updates. IPFire is not based on any other Linux distribution, it is compiled from the sources of every included package.
- Just for the sake of completeness, I mention the BSD Router Project. BSDRP is only available as software. It is
a free open source router distribution based on FreeBSD with Quagga and Bird. The main goal of BSDRP is not firewalling but routing. If you are looking for
a firewall, or for sharing Internet access, the developers of BSDRP suggest m0n0wall or pfSense instead. BSDRP does not have a Web interface,
it is configured from a command line. BSDRP is not intended for home use.
- Article: Review:
5 open-source alternatives for routers/firewalls By Eric Geier Sept. 2016. A review of ClearOS, DD-WRT, pfSense, Untangle and ZeroShell.
- Another UTM version of Linux is ClearOS. The website says "ClearOS is an operating system for your Server, Network, and Gateway systems. It is designed for homes, small to medium businesses, and distributed environments. ClearOS is commonly known as the Next Generation Small Business Server, while including indispensable Gateway and Networking functionality." There is a free community edition, a rented home edition,
a rented Business edition and a virtual version. It is also available on hardware devices starting at $1,200 without WiFi.
- Slightly off topic are the Xclaim access points from Ruckus Wireless. I say off-topic because they are not
routers, just access points (they have a single Ethernet port). That said, if you need great WiFi, Ruckus should be on the short list. I have owned a Ruckus
router (don't think they make routers any more) and was impressed with its WiFi. Introduced in November 2014, Xclaim is a new product line for Ruckus.
It's their cheapest line. For $90 you get a single band N device, concurrent dual-band N is $200 (see a review).
Stepping up to ac WiFi (see a review)
costs $250. They are configured either via the cloud or a smartphone app, there is no web interface.
Third Party Firmware top
One way to avoid consumer router firmware is to install alternate, third-party firmware.
- The website PrivacyTools.io recommends three Open Source router firmwares: OpenWrt,
pfSense and LibreCMC.
- Best free Linux router and firewall distributions of 2020 at TekLager.se (updated Aug 2020). Author is not a fan of
DD-WRT or Tomato. Recommendations: OPNsense, pfSense and OpenWRT.
- OpenWRT is a Linux distribution for embedded devices such as routers. It offers a writable filesystem with package management. See the
User guide for OpenWrt/LEDE. It is intended for techies. This July 2021 article, A Review of OpenWRT on a Raspberry Pi 3, says the "documentation is fairly comprehensive while still managing to be spectacularly useless to the average consumer. It is written using high-level technical jargon that ... will be extremely frustrating to the average person who just wants to use an OpenWRT router on his home network ... I consider the OpenWRT documentation to be the single largest failure of OpenWRT. While the average Linux user should be able to set up OpenWRT on the Raspberry Pi to serve as a router for accessing the Internet, doing anything more is problematic ... Most Linux users who need anything more complicated than a simple connection to the Internet should avoid OpenWRT."
- DD-WRT is a Linux based alternative OpenSource firmware suitable for a great variety of routers. In March 2021, John Hagensieker wrote "DD-WRT used to work on tons of hardware and it still does but it only actually works great on a few pieces of hardware these days. This is due to manufacturers using proprietary drivers, combining hardware devices and playing around flash memory layout. Makes it hard for the community to keep up ... The two or three darlings of the DD-WRT world right now are Netgear R7000, R7800, and R9000. Again, lots of other routers work but these are the best supported and most stable."
- myopenrouter.com is devoted to open source router firmware on Netgear devices. According to Jim Salter, writing in
Ars Technica in May 2017:
"Netgear directly runs myopenrouter.com, where they actually collaborate with open source developers who are adapting builds of open source firmware for installation on Netgear routers. This is extremely cool, not least because it means that you can install firmware from myopenrouter directly onto a supported Netgear router using the router's own Web-based interface. It's certainly possible to install DD-WRT or OpenWRT on a non-Netgear consumer router, but it's generally a giant pain in the ass and a good way to potentially brick your router. "
- In The Router rumble:
Ars DIY build faces better tests, tougher competition (Sept. 2016) Jim Salter wanted to test the x86 build of DD-WRT, but found that it hasn't had a stable release for 8 years, the last stable version wouldn't boot and the newest beta was mind-blowingly awful, both in terms of performance and
bugs. He also tested DD-WRT on a Netgear Nighthawk X6 where someone named Kong curates the builds. The Kong builds were good, the raw beta
builds were buggy as heck. The Kong builds also install easily and safely and did well in performance tests. But, Salter notes "you're depending on some semi-anonymous person named after a movie gorilla to keep up with vulnerabilities, comb the bugs out of your firmware, and resist the urge to sell you out to the NSA."
- How to Choose the Best Firmware to
Supercharge Your Wi-Fi Router offers an overview of available firmwares. By Alan Henry April 1, 2015. There are two approaches to using alternate firmware: install it yourself or buy a router with it pre-installed. The article notes that Buffalo sells routers with DD-WRT pre-installed. So to, some VPN providers
sell routers with open firmware and client software for their VPN.
- Note however, the title of the article above, it refers to supercharging a router, not making it more secure.
Craig Young of Tripwire, an expert on the subject, said in April 2015:
"... alternative open firmware ... is not necessarily ... any more secure or even more frequently updated than commercial router firmware. Back in 2012 I submitted a report to DD-WRT while testing a D-Link device running DD-WRT v24-sp2. The bug report is still open 2.5 years later. The advantages for an advanced user include the ability to have enterprise style features on consumer hardware as well as to fix bugs for themselves, remove unwanted services, and truly lock down the router. For the non-technical user however the benefits are far more limited and the difficulty to configure the system is far greater."
- In a December 2012 article at SmallNetBuilder, ASUSWRT-Merlin
Reviewed, Scott DeLeeuw wrote: "The dirty little secret of alternative firmware is that the open source drivers it must use aren't always the best. This is particularly true of wireless drivers, where chip manufacturers work closely with their customers to squash bugs and tweak performance ... DD-WRT and Tomato add a wealth of features, they usually introduce problems of their own along with potentially lower performance." For ASUS routers, he much preferred ASUSWRT-Merlin firmware by Eric Sauvageau.
- Someone with a supported Asus router is probably better off using the Asus Merlin firmware. This article offers a good introduction: Merlin Firmware: What It Is and How Select Asus Wi-Fi Routers Get Extra Magic by Dong Ngo (Oct. 2022).
While it adds many features and thus increases the attack surface, software from a single good programmer will always be better than software developed by a group. Some of the security features that the Merlin firmware adds are: secure DNS, TOR support, DNS based filtering and split tunneling for OpenVPN clients. Old school insecure DNS servers can be forced on all users or applied to just selected clients. Cool.
- As of June 2020, Fresh Tomato is actively maintained by pedro. The latest stable version was released in May 2020.
It is open source firmware for Broadcom based routers. It claims to have a friendly interface and that inexperienced users can easily work with it. It supports 106 different routers. See a detailed Change Log.
- Tomato was replacement firmware for the Linksys WRT54G/GL/GS, Buffalo WHR-G54S/WHR-HP-G54 and other Broadcom-based routers. The last release was in June 2010. See WikiPedia.
- Tomato by Shibby is from Michal Rupental
- AdvancedTomato adds a new user interface to Tomato by Shibby. It supports 26 routers as of Feb. 2016.
- In May 2016, the LEDE project formed as a spin-off of OpenWRT. It too, is an embedded Linux distribution that makes it easy to build and customize software for wireless routers. LEDE stands for Linux Embedded Development Environment. See Router hackers reach for the fork: LEDE splits from
OpenWRT. However, as of January 2018, the LEDE project has been amicably merged with OpenWrt under the OpenWrt
TOR and VPN Client Routers top
- Dec 18, 2020: The Beryl (GL-MT1300) from GL.iNet was introduced in December 2020. It is a small travel router that runs OpenWRT and sells for $70. It is in this category because it supports both Tor and VPNs. The company says its an advanced version of their Slate (GL-AR750S). It has great VPN support, offering both OpenVPN and WireGuard. Running WireGuard, it works with Mullvad and Azirevpn. Running OpenVPN it works with around 30 providers including Nord, ProtonVPN and ExpressVPN. On Ethernet, the OpenVPN speed is up to 21Mbps, the WireGuard speed is up to 91Mbps. Wi-Fi is dual band and IPv6 is supported. There is one Ethernet WAN port and two LAN ports. It has a USB port that an be used with a 3G/4G USB modem. There is a memory card slot. GL.iNet claims that it can support up to 40 wireless devices. Wi-Fi supports WPA3 and OpenWRT lets you install applications on the device. A feature I would love to try is support for NextDNS, a great service that does ad blocking and tracker blocking. In addition to being a router, it can function as a repeater, and an AP. More here and here.
- July 15, 2020: The Brume-W GL-MV1000W from GL.iNet is expected to be available in September 2020 for about $140. It runs OpenWrt and replaces the GL-MV1000. Tor is pre-installed along with over 30 VPN providers. It supports AdGuard to remove ads and encrypted DNS from Cloudflare and NextDNS. It is a very small router that can also function as an Access Point or a Wi-Fi repeater. It has one WAN port and two LAN ports. Wi-Fi is only 2.4GHz but it supports external USB antennas. One nifty feature seems to be the ability to flip a hardware switch to enable/disable Tor or a VPN. It is configured both with a web interface and a mobile app.
- InvizBox, based in Dublin, Ireland, offers two routers, the InvizBox 2 and the InvizBox Go. Documentation from the company is very simplistic and, to a techie, useless. They promise all good stuff without any details on what it actually does.
- First generation: called InvizBox has been discontinued. It supported Tor rather than a VPN. It was based on OpenWRT and was first released in March 2015. It used Ethernet for Internet access and had a second Ethernet port. It was reviewed by Daniel Aleksandersen in Feb. 2016: InvizBox review: Tor anonymity in a box (last updated Sept. 2017). It was open source.
In March 2015 it cost $39. In Jan. 2016, it was $49 or $99 with a year of VPN service. On April 19, 2016, it was $139 with 12 months of VPN service from an unknown provider. On Aug. 14, 2016 it was $109 with a year of still-mystery VPN service. In Jan. 2016 it was expected to ship Feb. 2016. On April 19, 2016, it was to ship in April 2016. On May 8, 2016 it was expected to ship in May 2016. On Aug. 14, 2016 it was expected to ship in early July 2016. On Sept 16, 2017 it sold for $49 with just Tor. By March 2018, it was gone.
- Second generation: The InvizBox Go is a portable VPN router that also features ad blocking, can act as a Wi-Fi extender and a power bank. It does not seem to do Ethernet. The website says it also supports Tor. In Sept 2017 and Dec 2020 it cost $139 with one year of VPN service. In March 2018 it cost $160 with one year of VPN service from IP Vanish. It was on Kickstarter.
- There was a Kickstarter for the third generation, called InvizBox 2 that was to end Oct 17, 2017 with estimated delivery of April 2018.
- The Invizbox 2 is a dual-band Wi-Fi router with one Ethernet WAN port and one LAN port. It can act as both a VPN client and a Tor client. Rather than be the only router, it is meant as a secondary router. I agree with the concept, I think the best use for any dedicated VPN device is as a secondary router. Sometimes you want a VPN, sometimes you don't. As of December 2020, it costs $129. The software is open source and based on OpenWRT. The hardware is made in China but the firmware is flashed in their offices in Ireland and the box is sealed before it ships to you. The firmware self updates using a Tor hidden service. You can buy it using their VPN service or you can use it with a number of other VPN providers such as ExpressVPN, NordVPN or IPVanish. Their VPN service is provided by Windscribe (more
here and here). InvizBox also has a partnership with ProtonVPN. It can create multiple Wi-Fi networks (I have seen both 4 and 8) and each SSID can be assigned to a different VPN server. Or, a network can be assigned to use Tor. If you want speed, use a VPN server that is near you. If you want more privacy, use one in a country with good privacy laws. You can assign an SSID to a specific VPN server or let it chose any server in a particular country. Wi-Fi networks can isolate devices connected to them, so that they can not see each other (a great option to have). It does parental controls, blocks some known bad websites, does ad blocking and has a kill switch (no Internet access if the VPN fails). It is administered with a web interface but there is also a mobile app. The Invizbox 2 was reviewed by Ars Technica Sept. 2019 but the review was short.
In his InvizBox 2 Review Christopher Seward of VPN Compare (Aug 2019, revised Dec 2020) points out that a benefit of using the included VPN subscription is that Windscribe does not know who you are. You are an InvizBox 2 customer, rather than a Windscribe customer.
- The original Anonabox was a Tor router. Its security was shown to be an inexcusable disgrace in April 2015. See
Anonabox Recalls 350 'Privacy' Routers for Security Flaws and Anonabox Analysis. According to the Ars article below, it has no user interface at
all, you can never change the password and you can not update the firmware. As of April 2015, it sold for $99.
Anonabox or InvizBox, which Tor router better anonymizes online life? Ars Technica April 8, 2015.
I would rule out the first Anonabox as per the articles linked to above. Take this as a review of InvizBox.
- April 2016: There are now four models of Anonabox. The high end model is the Anonabox Pro and it sells for $100 on Amazon. It uses 2.4GHz Wi-Fi for both input
and output (5GHz is not supported). It also has a WAN Ethernet port and a single LAN Ethernet port. It runs, or is based, on OpenWRT (not clear). It can be
powered from a USB port, its not clear if it has an internal battery. The included VPN service is HideMyAss which has been shown, multiple times, to do logging.
(almost) anonymous on the Internet with Anonabox by Roger A. Grimes April 19, 2016. The initial setup described here is very insecure, which is troubling for a
device selling security. In addition to being a TOR client, you can also set yourself up as a TOR exit node or even run your own .onion website.
Review: Anonabox Pro Tor And VPN Router Review by Josh Norem. April 29, 2016. He tested the top of the line Pro model. "...all of the issues we've seen brought up in other reviews have been fixed or addressed in the most current form of the Anonabox." The VPN service is free for 30 days. Can use it as a secondary router by plugging an ethernet cable into a LAN port on your router and the WAN port on the Anonabox. Then, use the LAN port on Anonabox for a computer. Anonabox also does WiFi N. The instructions may not be completely clear to users with minimal networking experience. Local administration is HTTP. A single click connects to TOR. User interface is for techies. Tech support is good.
- The Tiny Hardware Firewall was endorsed by Leo Laporte,
a.k.a. The Tech Guy. There are three models, sold by the vendor for $30 or $35. The smallest model has no Ethernet ports (its too small), the other two models have an Ethernet WAN port and an Ethernet LAN port. A big limitation is that it works with only one VPN provider, HotSpotVPN. Purchases come with one year of VPN service. Expect to pay about $91 for the second year of service. Laporte warns that it can take 5 minutes to boot up. He also claims that it can engage both the VPN and TOR at the same time. These are low end devices, Ethernet is 100Mbps, WiFi is G and N.
VPN Client Routers top
When many consumers encounter a VPN router, they are dealing with a router that can function as a VPN server. This allow access to your home devices while traveling. It can also be used as a free VPN, in that you can funnel your Internet access through your home router while traveling. More interesting, to me, are routers that can function as VPN clients. That is, the software necessary to connect to a VPN server, is built into the firmware of the router. In the old days, very few routers could function as a VPN client, but that has changed over time.
Note that there are different types of VPNs. For a long time, the most popular type was OpenVPN, but it has a big drawback - it takes a lot of computing horsepower. OpenVPN on a router is likely to be very slow. The newer WireGuard flavor of VPNs requires much less computing horsepower so, it should be faster.
If you need to know more about VPNs, see the VPN page on my DefensiveComputingChecklist.com website.
OLD: An excellent article on the subject (best I have seen) is VPN Router – Ultimate Guide (Setup, Tests, Best VPN Routers) by Sven Taylor of RestorePrivacy.com (Dec. 2017).
- The pcWRT router is as full featured as VPNs get. It supports VPN clients for WireGuard, OpenVPN and IKEv2 (strongSwan IPsec). Each VPN client supports Split Tunneling which lets you decide which traffic uses the VPN and which does not, based on domains or IP addresses. In addition, it also supports VPN servers for all three flavors. As of January 2022, it costs $129 US. See more about pcWRT here on this site.
- On the low end is the GL.iNet GL-AR750 router that comes with OpenWRT and an OpenVPN client. It is sold as a travel router and its pretty small. It is dual band, with three 100Mbps Ethernet ports, a USB 2.0 port and a MicroSD slot. It is powered by Micro USB and can run off the USB port of a computer. An Amazon user felt the hardware was not powerful enough to run a VPN through it with reasonable speed. It has a WISP mode, which seems to be analogous to what Peplink calls Wi-Fi as WAN. Simply put, it can use a Wi-Fi network as its Internet connection and still provide a Wi-Fi network for your devices to use. See the User Guide from June or Nov. 2017.
In April 2018, Amazon was selling it for $45.
- The GL.iNet AR750 was replaced with the AR750s Slate which sells for about $70. It can connect to the Internet FOUR ways: via Ethernet, Wi-Fi, tethering to a smartphone via a USB cable, or a USB based 3G/4G antenna. Its small and light weight, good for traveling with. It can be both an OpenVPN client and server. The client is compatible with 25 commercial VPN providers. Also comes with a Wireguard client pre-installed. It runs OpenWRt. Dual band Wi-Fi N (not ac). Two GB Ethernet LAN ports. File sharing via a MicroSD slot that has a 128GB capacity. If you are not using a VPN, then it does Cloudflare DNS over TLS. There are two 2dBi antennas that can not be detached. No internal battery. Its not clear if it can be powered from the USB port of a laptop. There is no default password for configuring the router, you have to choose your own at first use. This would be great on a public Wi-Fi network. It would connect to the network, offering a firewall in front of your laptop. Then you could connect to it via Ethernet, letting you disable Wi-Fi on your laptop, making it even more secure. Then, when you add a VPN client connection, your laptop is a secure as possible.
- All three Synology routers can function as VPN clients for OpenVPN, L2TP/IPsec and PPTP. That said, I really disliked Synology and found their OpenVPN client to be dreadfully slow.
- Running Asus firmware, many Asus routers can function as a VPN client. Asus supports the three most popular VPN flavors: PPTP, L2TP and OpenVPN.
- FlashRouters.com sells many standard consumer routers that have been flashed to run either DD-WRT or Tomato. You pay a premium for this service. They have documentation on configuring their routers to work with many VPN providers and they offer "3 months of basic Internet and VPN setup support from our knowledgeable staff" for free. They support OpenVPN and L2TP type VPNs. Non-techies can provide their VPN provider username and password and the router should be ready to use out of the box. This review, FlashRouters VPN router review: VPN privacy for the whole home by Gary Sims of Android Authority (June 2019) says nothing about the speed hit, so take it with a grain of salt.
- RouterSource.com is much like FlashRouters in that they offer consumer routers flashed to run DD-WRT. In addition, they offer
their own router firmware called SABAI OS which was derived from Tomato. They claim SABAI is simple enough for non-techies (I have never used it). Both of their firmwares support PPTP and OpenVPN, they do not seem to support L2TP/IPsec. Their free tech support is for one year. They have a working relationship with 15 VPN providers and 11 others are known to be compatible with their routers.
- VPN provider Windscribe partnered with Invizbox to sell a customized edition of Invizbox for $129 (price verified Dec. 2019). It runs IKEv2 which Windscribe claims is faster than OpenVPN.
- ExpressVPN sells their own routers and they offer setup guides for using their service on routers from
10 different companies.
- VPN provider Witopia sells a CloakBox VPN Router that works with their service.
- VPN provider BlackVPN used to sell routers that work with their service, but they no longer do. However, they do still support routers running DD-WRT, OpenWRT, pfSense and anything that supports OpenVPN.
- VPN provider TorGurad also sells DD-WRT routers pre-configured to work with their service.
- VPN provider StrongVPN sells routers that work with their service.
- VPN provider VyperVPN has their own app that can be installed on routers running Tomato.
- Vilfo, from VPN provider OVPN, costs $399 US dollars as of September 2021. It works with any VPN provider that supports OpenVPN, but
25 VPN providers are pre-integrated and can be activated with a single click. It supports a very robust implementation of split-tunneling which allows you to: configure which devices use the VPN and which do not, specify some websites to not go through the VPN, specify websites that must always use the VPN and (this is amazing) connect to multiple VPN servers at the same time. It does network monitoring with push notifications for important events, real-time bandwidth info, an event history and a bandwidth history per device. It offers Parental Controls, 802.11ac Wi-Fi and has 3 LAN ports. More at Indiegogo. In March 2018, it was harshly reviewed by Daniel Aleksandersen. The company responded by making 9 changes. In August 2020 it was reviewed by Heinrich Long.
- ThinkPenguin sells TPE-R1100 Wireless-N Mini VPN Router for $50. The price has been the same from July 2016 to Dec. 2019. It has a single LAN side Ethernet port and the Wi-Fi tops out at N. It runs LibreCMC which is based on the Linux-libre kernel and a stripped down version of OpenWRT without the non-free bits.
TOR Routers top
A word of warning about running Tor on a router from Matt Casperson: "Tor is only as secure as those applications whose data it is transferring, and one of the benefits of the Tor bundle is a browser that has disabled a number of plugins that are known to leak identifiable information."
- Asus routers, running the Merlin firmware can connect to Tor. According to Matt Casperson, they can route some connected devices through Tor while ignoring others.
- Onion Pi is a Raspberry Pi-based TOR router that sells for about $70. You have to install TOR yourself.
- Article: How to Anonymize Your Browsing with a Tor-Powered Raspberry Pi Hotspot by Thorin Klosowski March 2017. First you turn a Raspberry Pi running Raspbian into a Wi-Fi hotspot, then you install Tor on it so all the traffic that goes through the Pi is anonymized.
- Privacy On Top is based on OpenWRT and from a company called Open Netware. It creates two Wi-Fi networks, one of which goes through Tor. It can be purchased pre-installed on a handful of routers.
- The Personal Onion Router To Assure Liberty (PORTAL) is a build it yourself TOR router. It is not a hardware product that you can buy, rather, it is software that needs to be installed on a limited number of supported routers. See A portable router that
conceals your Internet traffic at Ars Technica Aug. 2014. An updated product release was expected at the end of April 2015 but as of
the end of May 2015, there has been no sign of it.
- The PogoPlug Safeplug is also a TOR router. Consumer Reports liked it, but a more trustworthy source (which I have lost track of) said the security it uses stinks.
- The Cloak router was to be a cheap router with two networks: one that is normal and one that sends all traffic through the TOR network. It will run a modified version of OpenWrt. This could be a great solution, but the website (as of May 26, 2015) says nothing about whether it is now available or when it may become available. Update Oct 22, 2015: the website has not been updated in months, it seems the project has been abandoned.
Just Released Routers top
Hot off the router presses.
- The Portal router is hard to classify. Its main claim to fame is improved use of the 5GHz frequency band. By adding new hardware and software, the router will offer additional channels in the 5GHz band, which should come in very handy in areas with many Wi-Fi networks. I mention it here because this new device was also touted as having some interesting security features: intrusion detection (not explained anywhere yet), 2 factor authentication for the web GUI, and a new take on Guest network security. Later documentation on the security is incomprehensible to me:
-- Portal combines the security and privacy capabilities of iOS or Android devices with those of WiFi
-- Portal protects your family’s privacy with things like continual intrusion detection, geo-fencing and ID obfuscation
-- Cloud-based authentication provides Portal users with improved security, including dynamic, adaptive guest virtual access.
-- It creates virtual networks for individual guest users
Too soon to tell if this is miserable documentation or if they are selling snake oil. As of Oct 14, 2016, the page on their website that is supposed to explain how it works is non-existent. The firmware for this router is very new, from their website it seems that the
ability to create a Guest Network was rolled out Oct 1, 2016. The firmware is based on OpenWRT and setup is done via a mobile app and bluetooth. Any early review appears to be a press release in disguise. It says the router is pretty and that it creates a mesh network, despite being a single device. Now thats a trick! Photos show that the LAN ports don't have LED lights, which I take as a bad sign. The antennas are internal (to make it pretty). It was expected to ship in late summer 2016 but actually shipped in early Oct. 2016. As of Oct 14, 2016, it cost $200 at the only available outlet, Amazon.com, which said it usually ships in 1 to 2 months. portalwifi.com
- Most of the press around Luma has to do with its mesh network, but, the company is also touting security. They claim to constantly monitor "for viruses that try to infiltrate your network". Another
security claim is: "Luma alerts on unknown devices that attempt to join your network and can be configured to block them". No details however are provided. It should also have parental control that can monitor network devices in "real time" and set per-user Internet use limits and content level policies. Finally, it claims to: "identify if there are devices onyour network with weak passwords and can alert you if it detects that a computer is infected with malicious software". We'll see. There is no web interface, just a smartphone app (iOS, Android). As of March 13, 2016 it was scheduled to ship in Spring 2016. It actually shipped around July 2016. As of Aug. 2016 a set of three is $350 and a single one is $150. The SNB review at the end of July 2016 said the price for a three-pack was $400. Early reviews say its not fully baked. When doing initial setup from a smartphone app, they require location services to be enabled on the phone. Not good. If the router is off-line
it can not be configured. As of late July 2016 the router does not report its own firmware release number. WPS is not supported. The only supported WiFi encryption is WPA2-AES PSK.
- NetSequre (formerly Genie) is a router from Open Netware focused on security. For example, it creates two WiFi networks, one for adults and one for children. It also offers phishing and malware site protection, Online Child Safety, ad blocking and anti-tracking. And, it self-updates. Initially, it was a single WiFi N router sold in India. Now, the firmware is available for over 200 routers including models from TP-Link, D-Link, Netgear, Linksys, Belkin, Asus and more. There are two versions, one for low end hardware with fewer features and one for faster hardware with more features. Downloading and installing the firmware is free. The yearly cost of ownership is $18/year and $23/year with a free trial of 3 months.
Coming soon. Maybe. top
A number of security devices are planned. Some are routers, others sit between your router and modem and yet others can plug into a router. These upcoming security devices are getting some press attention. See These Devices Are Trying To Secure The Internet of (Hackable) Things by Lorenzo Franceschi-Biccheirai (Jan. 8, 2016 at Motherboard). This list is in no particular sequence.
- The Avira SafeThings is router firmware "which vendors can integrate into their products or that consumers can purchase as a complete offering from us directly." Its chock full of sexy buzzwords, Avira calls it " an ecosystem: a platform as a service solution installed on the router, an AI-driven behavioral threat intelligence cloud platform, together with a user interface that enables users easily know what is going on within their home network ... a disruptive technology in an exceptionally easy-to-use package to secure the smart home." It will automatically discover and profile connected smart home devices and identify normal behavior for each device so that it can flag anomalies. It does cloud too which means it phones home with info about your network. A router with it is scheduled to be released later in 2018 and Avira is trying to get ISPs to pre-install it. We have already seen McAfee and Trend Micro embed security software in routers. See Avira SafeThingsTM WiFi Router will provide comprehensive protection for smart homes against cyber threats by Avira February 22, 2018. As of Jan 2019, the router had not yet been released, but you can pre-register. Pricing: 179€.
- OLD: The Flter router plans on offering Tor, its own VPN service and VPN client software for use with any VPN provider. It is a
Kickstarter project that was launched in February 2017 and is expected to be released in June 2017. It will also block malicious ads. Its VPN client wil support OpenVPN, OpenConnect and L2TP/IPsec. Fltr is a 4-person company founded in 2015. This has been replaced by Beam, see below.
- Beam is a second generation secure router from the Brooklyn, New York company that started with Flter (above). The company is now (June 2018) called Passel and has 5 employees. They also have their own VPN service called Forcefield. Beam is an IndieGoGo project set to expire June 30, 2018. As of a week beforehand, they had raised $256,000. Their goal was only $30,000. Beam is a VPN client router using, by default, their own Forcefield VPN. It should work with other VPN services too. Their VPN service can be used on your devices when traveling. The Beam router supports VLANs, access point isolation, MAC address spoofing and it can force all devices to use its configured DNS servers. You can let some devices bypass the VPN in the router. It will also offer Tor and they say it will self-update. Beam will scan your network for vulnerabilities and alert you on how to fix them. It shares intrusion attempts with other Beam routers. It can block IP addresses and even block entire countries. It also blocks ads and lets you disable IPV6. As of June 2018, estimated delivery is October 2018. See also Beam: An Advanced Home Router with Security and Privacy Features from Encrypt The Planet (June 8, 2018).
- Originally expected to ship in Jan. 2017, the Betterspot router was supposed to support Tor and a single VPN provider. It is from a Canadian VPN provider, Betternet. It is designed to be a second router, that is, to plug into a LAN port on an existing router. It will only work with their VPN as it uses a proprietary protocol. The VPN service is $5/month or $30/year. The box is $100. They claim it will self-update. A prototype was reviewed Sept. 19, 2016 by Simon Hill of Digital Trends. It can only be configured with an iOS app, but Android and web interface are planned. Note that the Betternet VPN service was dinged for miserable security in January 2017. See
here. As of early August 2017, it had moved from KickStarter to IndieGoGo and the expected ship date was August
2017. As of March 2018 it is not available, but judging by Amazon.com comments, it was available.
- German made eBlocker offers ad blocking and tracker blocking. Quoting their website: "eBlocker is a smart device that anonymizes your online behavior. It blocks all ads, stops all trackers, hides your IP - and lets you surf truly anonymously - on ALL your devices.". It is not clear how they hide your public IP address. They mention TOR in their FAQ, but the description makes no sense to me. Initially it only worked with HTTP websites, now it also supports HTTPS, which may be a bad thing, I could not find a detailed explanation of how they intercept TLS. Rather than putting eBlocker in front of your router, you plug it into a LAN port. This means it must be doing ARP spoofing on your LAN to pretend to be your router. There are two versions of the product, Pro and Family. Pro is the simpler version; the Family version supports parental controls and different users, each with their own profile. This requires each person to logon to the eBlocker using a personal PIN. It self-updates its list of bad stuff daily. It started as a Kickstarter project. In Jan. 2016, the product was estimated to ship in the second quarter of 2016. In Aug. 2016 the Pro version without Wi-Fi was available for $179 and the Family version was $199. Wi-Fi enabled versions of each were expected at the end of Aug. 2016. It came to the U.S. in 2017 and may now only protect Wi-Fi devices (not clear). As of July 2017, the Pro is $219, the Family is $249. After a year, updates are $59/year for Pro, $99/year for Family. You can also download the software for free and install it on a Raspberry Pi or Banana Pi. In Oct. 2018, David Strom said the default menus are in German and you need to know some German to change it to English. He also had trouble getting a new public IP address using it.
- ArmorVPN is a Kickstarter project that ends Sept 20, 2017. It is both a VPN and Tor box that sits between a modem and router. There are two Ethernet ports but it is also portable, an internal battery is claimed to last 8 hours. You can buy it without any VPN service, or it has deals with TorGuard and PureVPN. Any OpenVPN VPN provider should be compatible. Some configuration can be done with a touchscreen. It is expected to cost $70 with an estimated ship date of Jan. 2018. The software that runs on this device is planned to be released as open source once a patent is secured on the hardware. See This VPN box makes privacy and security a doddle from Sept 8, 2017.
- Keezel is a portable VPN device. The output is a secure WiFi network that your devices talk to. The input is another WiFi network, perhaps
a public one, perhaps your home WiFi. The device makes a VPN connection over the input WiFi network, giving attached devices access to the VPN. There is no Ethernet port but they claim you can use a USB-to-Ethernet adapter. It is powered either by its internal battery or a USB port. Keezel says they use three different VPN providers but they refuse to identify them. They claim their VPN usage is more secure than normal because their mystery VPN providers don't know the identity of Keezel customers. In turn, since Keezel does not run the VPN, they state that they can't spy on their users. Original design was WiFi G, now it also does WiFi N on the 5 GHz band. For $99 you have to use your own VPN. With one year of VPN service, it costs $129, for two years $169. Shipping was initially scheduled for March 2016. As of April 2016, it had been pushed back to June 2016. As of Sept 1, 2016, an article said October 2016 but their website said Sept. 2016. As of Oct 15, 2016, the
estimated ship date on their website was Sept. 2016. I heard nothing about Keezel for two years, then in June 2018, an advertisement disguised as an article showed up on Mashable written by "Team Commerce". This scam article says the thing regularly sells for $600 but is on sale for $450. It includes a lifetime VPN subscription (always a bad idea) to something called Premium VPN. No thanks.
- On Aug. 1, 2017, Karma Mobility announced a new product, Karma Black, that they say will provide "anonymous browsing through Tor, an integrated VPN, black listing, and ad blocking." The announcement said nothing else; nothing on pricing or which VPNs it will support. Availability is planned for September 2017.
- Fortigis does not exist. It is/was an IndieGoGo project from Yiannis Giokas that did not meet its goal. It is/was an ambitious security device that works alongside an existing router.
It controls and manages who connects to your Wi-Fi network and alerts you when someone is trying to connect. It includes a VPN client, Firewall, Intrusion Prevention System, Antivirus, and Anti-malware. Maybe it has died? There was no activity on their Twitter feed in May and June 2018. For more see Fortigis - Home Network Security Device from April 2018.
- NOTE: Itus Networks is gone. || Another company front-ending your router is ITUS Networks. In August 2014 they were planning on releasing a product called iGuardian by Feb. 2015. As of Nov. 2015, there was no more iGuardian. The idea was to run Snort, an Intrusion Prevention System (IPS) on top of OpenWRT. It too, did every good thing in the world, protecting against: viruses, phishing scams, malicious websites, Java, browser, and file exploits. It would also block drive-by-downloads, watering-hole attacks, botnets, data-theft, remote access Trojans, and key-loggers. And, if a computer on the LAN tried to contact a known bad server, that too would be blocked. The product line had 4 devices, as of Nov. 2015, only the WiFi Shield was shipping. There was no date for when the Shield Pro would ship. The Shield Mobile was said to be coming soon. The ITUS Pro was scheduled for release in early 2016.
Default Router Passwords top
Other Router Security Advice top
This topic was moved on January 1, 2018 to the new Other Router Security Advice page.
Adding a router to a gateway top
Add-on Security Devices top
Many devices are sold that claim to add security to an existing network. Note these issues with this class of device: (1) A VPN running on a device on your LAN should be able to bypass whatever restrictions and/or protections the add-on box offers. (2) These devices play in the sandbox of a single LAN or VLAN. (3) If you are trying to block children from doing stuff, they can use the 4G/LTE Internet connection on their phone to bypass restrictions on your LAN. (4) All these devices will slow down your Internet connection. This slowdown may or may not be noticeable. (5) Most of these devices only protect your Wi-Fi devices, they do not protect Ethernet connected devices. (6) I always wonder what data these devices are sending back to their manufacturers? (7) If a device requires an ongoing subscription, be sure to check if it becomes a paper weight if you don't renew the subscription.
The Fingbox is networking device that you plug into a LAN port on your router. For it to babysit all the devices connected to the router, it is abusing ARP and making itself appear as the default gateway. If you use VLANs, you would need one for each VLAN. It is limited to monitoring a single Wi-Fi SSID. Some routers block some features. It collects data about your network activity and sends it to Fing/Domotz. So, people who want security get more surveillance. Features: block kids from using the Internet during dinner time, notify you of new devices on your network, block new devices by default, notify when a device leaves the network, block any device from accessing the Internet, it detects any nearby WiFi device, even those not on your network (is Billie home yet?), bandwidth analysis, Wi-Fi signal strength analysis, test Wi-Fi and wired speeds, detect evil twin networks and report on WAN side open ports in router. Notifications are by an alert on a mobile device running the Fingbox app and/or by email. No texts. It also has a network vulnerability test. It can detect whether UPnP or NAT-PMP are enabled in the router, and, if so, it reports on the ports that were opened by UPnP and can also close these ports. It was discussed on Episode 745 of the Mac Geek Gab Podcast (Jan. 21, 2019).
See the June 2018 User Guide and the March 2018 User Guide.
History: It first became available in October 2017. It was reviewed in Dec. 2017 by Doug Reid for SmallNetBuilder.com. As of May 2020 it cost $99. In Jan. 2019, it was also $99, in Dec. 2017 it cost $129.
Perhaps the first such home network security appliance was the Bitdender box. David Strom reviewed it in June 2015. At the time it cost $199 to purchase and $99/year to own. In August 2017, it was reviewed by Doug Reid at SmallNetBuilder.com. The box has two 100Mbps Ethernet ports and 2.4GHz Wi-Fi and includes a Bitdefender software subscription. However, it only inspects outbound traffic and is hard to install. It needs to be the DHCP server for the LAN and it sets itself as the default gateway, even when working with an existing router. Outbound connections are checked by the Bitdefender cloud. If a URL is considered malicious, it is blocked and a message appears in the mobile app. It also scans the LAN for devices with security flaws. The box does not detect DoS attacks either incoming or outgoing. At the time, it sold for $130.
Sometime in 2018 they released a second generation, the Bitdefender BOX 2, that sold for $180 to $200 with a 1 year subscription ($99/year afterwards). In Feb. 2020 the price was $130, in October 2020 it was $150. The company offers 24/7 Setup and Tech Support for free at 800-804-4602. You must create a Bitdefender account. It includes their antivirus/security software for an unlimited number of Windows, MacOS, Android and iOS devices. Also includes Bitdefender VPN to use on Windows, Android, macOS and iOS. The free vpn offers 200MB of daily traffic per device. They sell a higher end VPN product for an additional fee. Three configurations are supported: with an ISP-supplied gateway, with a modem and an existing router, or, with just a modem, in which case the Box functions as the only router. They prefer using it with a modem and existing router in which case the Box does DHCP. It works with most routers, not all. It will notify in the mobile app when a new device connects to the LAN and it can control what that device can do. It self-updatess and re-boots in the middle of the night to install new firmware. It offers Parental Controls, blocks bad URLs, scans for network security flaws and alerts about malicious activity. A May 2019 review by Sam Cook gave it an overall rating of Poor. The home page of their website touts reviews with excerpts from the reviews, but, it does not link to the actual review, which is always a bad sign.
Firewalla is from a relatively new company started by former executives at Cisco. There are now five Firewalla devices. The first two (Red and Blue) plug into a router LAN port via Ethernet to offer security, monitoring, ad-blocking (based on ad serving domain names) and parental controls. Then came Blue Plus ($189 as of March 2022), Purple and finally the $478 (as of March 2022) Gold model. Only the Gold model can function as a stand-alone wired (no Wi-Fi) router. See their documentation of the model differences. In March 2022, this documentation said the Purple was in Beta and would start shipping in Jan. 2021, so clearly, documentation is not their thing. There are no monthly fees. It claims to protect your network from viruses and malware, and if so, is a rare product offering that for free. It can notify you when a new device joins the network and the notice lets you block the new device. It can also notify you when an offline device it has seen before comes back on-line, or when a currently on-line devices goes off-line. It does intrusion prevention, both IDS and IPS. It does both internal and external vulnerability scans and self-updates. It runs a full Linux distribution and includes an OpenVPN server. It looks for unusual uploading behavior and has hourly, daily and monthly bandwidth usage reports (for each device?). It can track bandwidth by domain. It can show every single IP connection for a monitored device. It offers outbound firewall rules. You can squeeze some more performance out of it by picking which devices are monitored. There is both an OpenVPN and WireGuard VPN client however the setup instructions are only for OpenVPN (as of March 2022) which strikes me as sloppy. It supports site to site VPN connections. As for privacy, it continuously monitors your network and phones home about what is going on: Quoting: "Firewalla uses deep insight and cloud-based behavior analytics engines to actively detect and automatically block problems as they arise." Parental controls show what kids are doing, lets parents cut off all net access, or block just gaming or social networks. It can block adult websites. It uses either ARP poisoning or DHCP to intercept Traffic and thus is not compatible with all routers. I am reasonably sure that it can only do what it does within a single LAN/VLAN. It is administered with a mobile app. There is a web interface in beta testing. I found that picking a model was just too hard, the documentation on the pros/cons of each is useless.
November 2022: There are already too many Firewalla models for me to keep track of. Now they are planning yet another model, the Purple SE, a cheaper version of the Purple. The big differences between the Purple SE and the Purple are that the SE will be slower (max speed 500Mbps) and not have Wi-Fi. The expected cost will be $230 - $250 US compared to $330 for the Purple. As of January 2023, the Purple SE is $220 US. Note that the Purple has "Short-range and low-power Wi-Fi" so it is not really comparable to other routers. On the upside, the Purple can connect to the Internet by connecting to an existing Wi-Fi network. Peplink calls this feature Wi-Fi as WAN. Combined with its small size, this might make the Purple a good travel router. That said, the Pepwave Surf SOHO has full Wi-Fi and is much cheaper (although bigger). The software functionality of the SE will be the same as the Purple. The SE is expected to ship in early 2023. See announcement info here and here.
Reviews and more:
- Reviewed in July 2019 by Kevin C. Tofel
- Reviewed in Nov. 2019 by Rita El Khoury of Android Police. This shows some very interesting network related reports. Pretty sophisticated stuff for a cheap device.
- Reviewed in March 2019 by Neil J. Rubenking for PC Magazine
- Reviewed in May 2020 by Jason Cipriani for ZDNet. He had initial setup problems when used with a mesh router.
- See the history of firmware releases
- In June 2020 I added a section on the third generation Firewalla, the Gold model, to the Secure Routers page.
- The Firewalla Blue Plus was reviewed in Dec. 2020 by Dong
Ngo. It was $200 then and the price is the same as of June 2021. Speed is up to 500 Mbps. You must have an account with Firewalla. Ugh. It collects quite a bit of information.
- In March 2021, Kevin Tofel wrote: Don't audit your smart home devices with a router. Use this instead. Both Blue and Gold models monitor the devices on your LAN and tell you where data is being sent by server and/or country. You can see which devices are the most chatty.
- In March 2022, Glenn Fleishman reviewed the Gold model for PC World. He felt it best not to use it as a router, but to position it between a modem and a router.
- In April 2022 the Purple was reviewed by Wired magazine. The review was lame as the author did not have the necessary technical background. At the time, it sold for $319 US. It can either be installed between the router and modem, or, it can act as a router, or it can connect to an Ethernet port of the router. It does Wi-Fi but just barely. Using it requires some technical skill.
- Questions related to privacy and data visibility by Firewalla
Syfer was going to compete with Firewalla. It too sat between a modem and a router. The website said in Dec. 2019 that shipping would start in April 2019. It started on Indiegogo. Initially it cost $200 with a one-year subscription, as of April 2020, it was down to $180. Afterwards, it costs $10/month. It does not work with gateway devices, which are a combination modem and router. You must have a separate modem and router to use it. It is configured with a mobile app. It provides a VPN but you must use their VPN service. It offers parental controls and, of course, protects your home from all bad stuff including ads and trackers. It also claims to be a next-Gen Smart Firewall and to offer Smart Home and IoT Protection, whatever that means. The company is near Atlanta, GA but there is no physical address for it. As of April 2020, the last blog on their website was from Nov. 2018. As of October 2021 there is no blog at all and it is no longer sold to consumers, instead it is being sold to ISPs.
They explain the data they collect here.
The Trend Micro Home Network Security box was first introduced laste in 2016. It plugs into your router via its single Ethernet port. In 2019 and April 2020 it cost $110 with a one year subscription. Starting in year two, it costs $60/year. If you don’t purchase renewals the device will simply stop working. Trend says it "provides protection against cyber-attacks for every Internet-connected device in your home" which is not true as it does not protect Ethernet-connected devices. It is configured with a mobile app. Features: Intrusion Prevention (IPS), Dangerous Site and File Blocking, Remote Access Protection, Profile-based Management, Website Filtering, Inappropriate App Used, Time Limits, connected at Home notifications, network dashboard, Smart Protection and ad blocking. It checks for default device passwords. It can disconnect unwanted devices from your Wi-Fi network. It can tell you when the kids are home. As of Jan. 2017 it assumed all HTTPS websites were safe.
You need to have a Trend Micro account to use the thing, so there is a potential privacy issue.
A Dec. 2016 review said it does not scan incoming email attachments for malware, does not filter out spam and does not check for malicious web links in real time. It does not work with all routers. It does not work with Peplink, my preferred router company.
An Oct. 2017 review noted that you can not use port forwarding with it.
A Feb. 2020 review by Dong Ngo said that you can get the same protection for free with an Asus router via the Asus AiProtection feature. He liked the Parental Controls but pointed out that the Ethernet port is the relatively slow 100Mbps rather than the standard Gigabit speed. Read more from Trend: You are In Safe Hands with Trend Micro Home Network Security (Dec. 2019). In a May 2020 review for PC Magazine, Neil J. Rubenking was not impressed at all.
Cujo sits between your router and modem (logically or physically) and offers security protection (but no privacy protection). It is billed as a smart firewall. The original plan was for it to offer firewall, anti-malware, antivirus, deep-packet inspection and machine learning protection. Only some of these features were in the first release. Steve Gibson pointed out in July 2016 that it can run in either Gateway mode or Bridge mode. The new mode lets it plug into a LAN port of your router. So, how does it then intercept LAN traffic? It does an ARP spoofing attack on your LAN. Quoting the company "We send packet header data (but not full packets) to our cloud to analyze device behavior, compare your traffic to commercial threat intelligence feeds, and to make sure that unauthorized IP's do not connect to your network." And, this: "CUJO analyzes your local network traffic data locally and in real time. It then sends statistics on that data to the cloud for further analysis ... we don't send the contents of those packets to the cloud. If a threat or suspicious activity is detected, CUJO will tell the cloud what it has blocked so you can receive a notification on your mobile app to confirm it." The pre-order price was $99 and the first models were expected to ship in March 2016. Then May 2016. The devices actually shipped in July 2016 for $99 with 6 months of service included. Afterwards, service is $9/month. SmallNetBuilder first reviewed it in Sept 2016, then again June 2017. See CUJO Smart Internet Firewall - Second Look by Doug Reid. In the cloud CUJO keeps tracks of bad IP address. It is also aware of normal device behavior. It has been reported that Spectrum will start using Cujo sometime in 2019. In March 2019, Talos found 11 bugs in the device.
Dojo plugs into your router and watches your network for security
issues. There is a companion smartphone app, of course. Dojo is a rock/pebble looking thing that glows different colors to indicate current status. On June 1, 2017, TechCrunch wrote: "All traffic on a home network has to be routed via the Dojo for it to be able to see what's going on ... and perform its anomaly detection function ... You'll also need to be comfortable providing a third party company with data stream visibility of your home network."
History: Pre-orders started Nov. 2015 for $99 with a year of service. The estimated price then was $199 with a year of service. The first devices were expected in March 2016. As of May 8, 2016 there was no expected ship date. In August 2016, Dojo Labs was purchased by BullGuard.
On Oct 15, 2016, Amazon.com said it was unavailable.
In January 2017 it was reported that Dojo would be available in the US in mid-April 2017.
By May 2017, there was a new Amazon page that on Jan 21, 2019 was selling it for $99.
On May 31, 2017 Wired did a puff piece about it saying it went on sale that day for $200 (including the first year of service). The ongoing charge, after the first year, will be $99/year. As of Jan 21, 2019 it was being sold by Bullguard for $200 with a free lifetime subscription service.
Recon Sentinel is a small box that plugs into a router and "automatically finds everything that is connected to your network." Their press release: Cigent Announces Availability of Recon Sentinel, Allowing Small Office and Home Office Users to Fight Back Against Cyber Attacks (June 11, 2018) is all fluff. It begins: it "adds a layer of detection and defense above and beyond traditional antivirus, antimalware, and firewall solutions ... adds endpoint security that keeps users from losing their data once a breach does occur ... detects and block nefarious behavior ... constantly looking for signs of intrusion or other cybercriminal activities ... uses sophisticated deception technology to identify hacking activity." Its costs $150 for the first year and $100/year thereafter. It is only available directly from the company.
Add-on Security via Router Firmware top
In January 2018, Netgear announced a forthcoming security subscription service for their routers called Armor. Basically, it is Bitdefender antivirus running in the router. There is a 90 day free trial, thereafter it will cost $70/year. As of July 31, 2018, it was available for only two Netgear routers, the R7000P and the R6900P. As of Jan. 2019, it was slated to "soon" be available on the Orbi AC3000 model RBK50 and the Orbi Voice AC3000 model RBK50V. The number of features is long, perhaps too long. My favorite feature is that it dings the router administrator when a new device joins the network and lets the admin block the new device. It also claims to block viruses, spyware, spam, phishing and bad websites. Netgear claims it will scan your LAN and report on connected devices with vulnerabilities and weak passwords. We'll see. The subscription lets you install Bitdefender security software on your Android, iOS, Windows, and Mac devices. Your network can be remotely managed at armor.netgear.com. I have not seen a single review of the service. Note that a similar service from Trend Micro and used inside Asus routers had been found to spy on you.
Owners of the Eero mesh router system can pay an extra $10/month for added security called Eero Plus. They have partnered with a few companies to offer assorted security features. From Zscaler they get a database of threats to protect you from malicious websites with viruses, phishing scams, and more.
It claims to block everything bad: ransomware, malware, viruses and ads. It also watches out for unknown or suspicious domains. It lets you download Malwarebytes on up to 3 devices. It can control what your kids can access. They partnered with the 1Password password manager. Paying for the service gets you VIP tech support from Eero. Finally, it lets you install the encrypt.me VPN (formerly known as Cloak) on your devices (it does not run in the router). Eero Plus costs $99/year the same price as the VPN service by itself (assuming unlimited bandwidth).
Press release: D-Link Wi-Fi Router Powered by McAfee Will Automatically Protect Connected Home Devices January 8, 2018. The D-Link AC2600 router is expected to be released in the second half of 2018 at an unknown price. It will feature security by the McAfee Secure Home Platform that will monitor the network for malicious activity, whatever that means. It will also monitors the network activity of individual devices for threats such as visits to malicious sites. It will notify you when a device on your network does not have antivirus software installed. It will have parental controls that can restrict activities by device, including the types of websites visited and times of day that Internet access is allowed. Parents can monitor their kids' online activities.
Some Asus routers include security software from Trend Micro. I wrote Asus router warnings on privacy and security on May 5, 2017. This was based on Review: ASUSWRT router firmware by Daniel Aleksandersen (created in May 2017, last updated: Nov. 2017). It focuses on the data leakage to Trend Micro by their software running in Asus routers.
Likewise, some TP-Link routers also include Trend Micro software, marketed under the name HomeCare. The software adds antivirus and malware protection, and malicious site blocking to the firmware. It was initially released for the Deco M5 mesh system and the Archer C5400, C3150 and C2300. They also claim it will quarantine a previously infected device that joins the network.
Securifi's Almond Routers Get Subscription-based IoT Device Security Service by Ganesh T S at AnandTech Jan 4, 2017. A subscription-based cybersecurity thing for routers that focuses more on traffic rather than viruses. It claims to report on connected devices with ports open to the Internet (nothing new here) and/or weak login credentials. Also claims to analyze the traffic pattern of connected devices to ensure that popular IoT devices are communicating only with their vendors' servers. It should detect devices whose traffic pattern is indicative of being a botnet member. I can also monitor the websites browsed by selected devices (parents watching kids). My favorite feature: notifications when a new device joins your network. An issue with all these systems is data leakage and the article says: "It must be noted that some of the above captured data is stored in Securifi's servers because they need to send push notifications to the user's smartphone even if it is away from the primary network." After a free trial, price will be from $4 to $10/month.
Millions of Routers are about to Get a Lot More Secure a Press Release. May 9, 2018. Many IoT devices lack basic security and privacy protection capabilities. F-Secure is trying to secure them by offering its F-Secure SENSE product directly to router makers and operators as software. They call it their Connected Home Security solution. It is said to integrate network and cloud security, router security and endpoint protection into a single experience for end users.
Minum, in their own words, "is an IoT platform that enables and secures a better connected home." They will offer an add-on to router firmware that they hope to get ISPs and router vendors to incorporate. Quoting again: "Minim’s self-learning platform employs Quantum Fingerprinting and behavioral models to detect threats before they become problems." They are also partnering with IoT device manufacturers.
Dovado, a router manufacturer based in the United Arab Emirates has integrated a SafeDNS filtering module in
one of its routers.
For the most part, I avoid Parental Controls on this site, but what the heck. Netgear has partnered with Circle to include Circle's parental control software in some NETGEAR routers. Specifically, Circle is available in the Orbi line and 7 different Nighthawk routers (see here and here). You create profiles for each family member and then assign devices to each person. For free you can pause the Internet for specific people, filter what is and is not allowed and view a history of visited websites for each profile. Premium features cost $50/year (as of Jan. 2019) or $5/month. This lets you set time limits, create OffTimes when the Internet is blocked and offers more detailed usage statistics. Circle has to be activated first, then it is managed with a mobile app. They claim all data is kept locally, that nothing is sent back to Circle. It is also available as a stand-alone device. Jim Salter reviewed Circle for Ars Technica in July 2019.
Router/Network software top
- NetworkConnectLog repeatedly scans your local area network (Using ARP and Netbios protocols) and adds a new log line every time that a new device connects to your network, and when a device disconnects from your network. By Nir Sofer. It is free and portable. Only for Windows. Be sure to check the scan options.
- RouterPassView can recover a lost password from a router configuration backup file, for a limited number of routers. By Nir Sofer. It is free and portable. Only for Windows. It might be able to recover an ISP user name/password, the login password of the router, and wireless network passwords.
- See all of Sofer's network related software.
Assorted Resources top