Configuring a router for security can only take you so far. You also need to choose the right router initially.
Many people use the device given to them by their Internet Service Provider (ISP), which I think is the least secure option for a number of reasons. Understandably, many non-techies prefer this because they can call their ISP when things go wrong.
Slightly more secure would be a consumer router, but that is not the best option either. To bolster this opinion, see the page on router bugs. It is not an exhaustive list of bugs, but it illustrates the poor state of software on consumer routers.
As for high end routers, such as Fortinet, Sonicwall, Cisco and Aruba, they have had more than their fair share of critical security flaws.
CUT TO THE CHASE: I recommend Peplink routers. In the 12 years I have followed Peplink and routers in general, Peplink has not had one critical security flaw. No headline grabbing bugs. Their software has bugs, of course, but never the critical security flaws that everyone else has. Peplink routers are business/enterprise class, yet still reasonably easy to configure. My only relationship with Peplink is that of a customer.
I used to recommend the $200 US Pepwave Surf SOHO router, which was their cheapest Wi-Fi router, but production of it stopped in October 2022. During 2023, the cheapest Peplink router (with Wi-Fi) was the Balance 20x for $450 US. As of February 2024, the cheapest Peplink model (with Wi-Fi) is the newly introduced
B One for $300. That's what I would suggest. Like the Surf SOHO, it is the cheapest Peplink router.
The Peplink user interface is, in my opinion, simpler than that of other techie oriented routers. You can see for yourself, by kicking the tires of a much higher end Peplink router here. This site also offers a peek at their user interface, see the page on initial configuration of the Surf SOHO.
Quick takes:
Peplink is my first choice
A low end secure option is pcWRT. More below.
pfSense should be secure, but the user interface may be a bit too techie for many people. Also, it is not available in a box with Wi-Fi, so you have to add your own Access Points and that means two user interfaces to deal with. Lots of techies use pfSense but this March 2021 article by Jim Salter for Ars Technica has to make anyone wonder if the company behind it (Netgate) is really trustworthy. I have not used pfSense.
If you want something free and open source, I have heard good things about OPNsense from a trusted source. I have not used it.
It is said to be easier to use than pfSense, but still, the target audience is techies. For example, you can download it and install it on many computers, but just downloading it requires a bit of techie know-how as there are many different editions. I am not aware of an on-line demo of the User Interface, so it is impossible to judge if the user interface is too "techie" for you. In May 2021, Lawrence Systems did a video comparing pfSense and OPNsense.
The cheapest way to get a box with OPNsense pre-installed is to buy a small fan-less Protectli computer. Their marketing could not be worse, as their website hides the fact that they will pre-install OPNsense. They don't say it anywhere. And, when you start to order one of their computers, OPNsense is not shown as an option. But, after you configure a computer with sufficient RAM and hard drive space to run OPNsense, then, magically, the option to have it pre-installed appears. Their cheapest usable model is about $200 (as of March 2024) but that is with a single LAN port and no Wi-Fi. Gotcha: Protectli computers do not support on-board Wi-Fi when OPNsense is installed on them. So, like pfSense, you would need to add your own Access Point(s).
Ubiquiti is not recommended. More on why below.
My distaste for consumer routers means avoiding TP-Link, Netgear, D-Link, Belkin, Buffalo, Linksys and the like. That said, the best of the lot is probably Asus running Merlin firmware. Which Asus model? Eric/Merlin himself likes the RT-AX86U (new) and the RT-AC68U (old). See 2021 State of the router.
Many people rave about Eero for its great Wi-Fi performance. However, Eero is owned by Amazon, and as far as I am concerned, that is a reason to avoid them.
I would also avoid any router from Google for the same basic reason - the company wants to know (and does know) so much about us. Worse, I have used Google Wi-Fi and it stinks as a router, having nothing to do with security. Keep in mind that the router sees the unique MAC address of your devices which enables assorted tracking.
Synology also has many great reviews, but I both hated it and found it not secure at all.
There is every reason to expect the Turris Omnia to be very secure. However, I hated the user interface and found it very hard to use. It seemed like it was from a prior century.
F-Secure used to sell a router called SENSE, that stressed security, but as of October 2020 it has been discontinued. Symantec also used to sell a secure router (called Core) but no more.
Scalys in The Netherlands has a web page devoted to their Trustbox home router which is focused on security. It is not clear if the router is actually for sale. If the routers exist, there is a chance they are not made in China, but it's just not clear from the lone web page. The firmware is based on OpenWRT.
The Wire Cutter reviews everything. Do not take their advice on routers. They focus on speed, speed and speed, completely ignoring security. And, if the router is not sold at Best Buy, they have never heard of it, which means they have not reviewed anything on my short list.
NOTE: Any router can only be made as secure as its included features allow. For a list of router security features see my Security Checklist.
NOTE: Buying a used router from a stranger (think eBay) can be dangerous, as the firmware may have been maliciously modified. To protect against that, download new firmware using a different router. If possible, switch the firmware entirely, that is, if it came with stock firmware, try switching to DD-WRT, OpenWRT or anything else. Asus owners can switch from Asus firmware to that offered by Merlin.
NOTE: Jim Salter is a trusted techie expert and in the September 12, 2024 episode of his 2.5 Admins podcast he recommended some routers. However, his focus IS NOT ON SECURITY. That said, he likes the Netgear Nighthawk line of routers and the professional level TP-Link Omada devices (which sort of requires a controller). He suggested avoiding the consumer level TP-Link Archer and Deco mesh devices.
What makes a router secure?
The lack of software bugs or, more importantly, the lack of major security flaws
The prompt fixing of bugs
Secure defaults
Securely configured (as seen on the home page of this site)
Can the router be used without an account from the hardware vendor? Without the cloud service from the hardware vendor? Privacy is one reason for this, but you also do not want to be dependent on a cloud service that might fail or get hacked.
Privacy - does the router spy on you? Does it send data to the hardware manufacturer?
Tech support that is competent and provided for a long time
Outbound firewall support
By "privacy" I am referring to a router not spying on you. In the old days, no routers spied on the network they governed. Now, this is getting harder and harder to find. It is now the rule, rather than the exception, that customers must have an account with the router manufacturer. If the router is in contact with a cloud service from the manufacturer, there is always the chance that someone from the manufacturer can get into the router. Plume is perhaps the ultimate example of monitoring your network and they are forming partnerships with ISPs.
Then too there is passive spying; many routers phone home with data about the activity on the LAN they control. The last router that I took a serious look at, the Synology RT2600ac, was disgraceful in this respect. It phoned home to Synology all the time, there is no way to stop it and Synology cannot be bothered to document what data is being transferred or why. For details, see the section Spying On The Router in my Synology review.
In March 2020, I confirmed my earlier tests that Peplink routers do not spy on you at all. You also do not need to have an account with Peplink to use their routers.
Cisco is perhaps the poster boy for Point 1, it seems as if new critical security flaws are found in Cisco router software every month. So many that I have given up even including them in the News page. And these are huge flaws, the type that let remote attackers take full control over vulnerable devices.
Initially, I did not include outbound firewall rules in this list. However, with the January 2020 release of the Cable Haunt vulnerability in Broadcom cable modems, it has become much more important. For my take on Cable Haunt see the Bugs page. In short, if a device on your LAN can access a vulnerable cable modem, then it can attack the modem. If the modem is part of a gateway (combination router/modem) that makes the danger even worse. In the US, we can not update the firmware on our cable modems, our ISP must do this. Since most ISPs are virtual monopolies, they have no motivation to bother with something that will cost them time and money and that few customers are aware of. So, this vulnerability is likely to remain with us for decades.
The only defense is blocking LAN side access to the modem (it is usually available at IP address 192.168.100.1). There are two ways to do this. The hard way is defining a custom route in the router, something many routers do not support. The easier way is to block IP address 192.168.100.1 with an outbound firewall rule. Again, many routers do not offer outbound firewall rules. The Pepwave Surf SOHO, that I recommend, does support outbound firewall rules and configuring it to block modem access looks like this. I blogged about this back in 2015: Talk to your modem and Using a router to block a modem.
The need for outbound firewall rules was again illustrated in November 2022 when cameras made by Eufy were found to be phoning home, despite assurances that all data was kept local. See Eufy caught lying about local-only security cameras with footage sent to cloud, accessible in unencrypted streams by Ben Schoon (Nov. 29, 2022). A router with outbound firewall rules can both detect and block devices that try to phone home. Peplink can even schedule firewall rules. My NAS is controlled by a scheduled firewall rule. It can only make outbound connections to the Internet during the half hour that it runs a scheduled task to make off-site backups. The rest of the time, a firewall rule blocks it from the Internet.
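To make the two outbound rules described above concrete (blocking LAN access to the modem at 192.168.100.1, and letting a NAS reach the Internet only during its backup window), here is a small model of how a first-match outbound rule set is evaluated. This is an added example written for this page; it is not Peplink's or any router's code. The LAN subnet, the NAS address 192.168.1.50, the 02:00 to 02:30 backup window and the sample connection attempts are all constructed for the illustration; only the modem address 192.168.100.1 comes from the text.

```python
"""Model of an outbound (LAN-to-WAN) firewall rule set with a scheduled rule.
Added example for illustration; not Peplink or any router vendor's code."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                  # "block" or "allow"
    src: Optional[str] = None                    # source host or CIDR; None = any LAN device
    dst: Optional[str] = None                    # destination host or CIDR; None = anywhere
    window: Optional[Tuple[time, time]] = None   # (start, end) daily active window; None = always

    def active_at(self, now: time) -> bool:
        """A scheduled rule only exists while its window is open."""
        if self.window is None:
            return True
        start, end = self.window
        if start <= end:
            return start <= now < end
        return now >= start or now < end          # window that wraps past midnight

    def matches(self, src_ip: str, dst_ip: str, now: time) -> bool:
        if not self.active_at(now):
            return False
        if self.src and ip_address(src_ip) not in ip_network(self.src, strict=False):
            return False
        if self.dst and ip_address(dst_ip) not in ip_network(self.dst, strict=False):
            return False
        return True


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, now: time,
             default: str = "allow") -> Tuple[str, str]:
    """First matching active rule wins; the default verdict applies when none match."""
    for r in rules:
        if r.matches(src_ip, dst_ip, now):
            return r.action, r.name
    return default, "default"


MODEM_IP = "192.168.100.1"      # usual LAN-side address of a cable modem (from the text)
LAN = "192.168.1.0/24"          # constructed LAN subnet
NAS_IP = "192.168.1.50"         # constructed NAS address

# Rule order matters: the scheduled allow must sit ABOVE the always-on block,
# otherwise the NAS would never get its backup window.
RULES = [
    Rule("block-modem", "block", src=LAN, dst=MODEM_IP),
    Rule("nas-backup-window", "allow", src=NAS_IP, window=(time(2, 0), time(2, 30))),
    Rule("nas-blocked", "block", src=NAS_IP),
]


def blocked_attempts(rules: List[Rule], attempts):
    """Return (src, dst, rule) for every attempt the rule set blocks.
    A router that logs rule hits like this gives you the 'detect' side:
    a device that keeps appearing here is trying to phone home."""
    out = []
    for src, dst, at in attempts:
        verdict, name = evaluate(rules, src, dst, at)
        if verdict == "block":
            out.append((src, dst, name))
    return out


# Constructed sample of outbound connection attempts: (source, destination, time of day)
SAMPLE_ATTEMPTS = [
    ("192.168.1.20", MODEM_IP, time(12, 0)),        # laptop probing the modem: blocked
    (NAS_IP, "203.0.113.10", time(2, 15)),           # NAS during backup window: allowed
    (NAS_IP, "203.0.113.10", time(14, 0)),           # NAS outside the window: blocked
    ("192.168.1.20", "203.0.113.10", time(14, 0)),   # ordinary browsing: allowed by default
]

if __name__ == "__main__":
    for src, dst, at in SAMPLE_ATTEMPTS:
        verdict, name = evaluate(RULES, src, dst, at)
        print(f"{at} {src} -> {dst}: {verdict} ({name})")
    print("blocked:", blocked_attempts(RULES, SAMPLE_ATTEMPTS))
```

The point of the scheduled pair is that the backup window is expressed as an allow rule that only exists for half an hour, followed by a permanent block; swap the two rules and the NAS is cut off around the clock. The blocked list is what an outbound rule set gives you beyond plain blocking: a record of which LAN device tried to reach what, which is how a phoning-home camera or TV shows up.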
Then too, consider the many stories about how apps are spying on us by sending data to a huge number of third party marketing companies. Here is one such report from January 2020. The report lists some of the common tracker domains used by the apps they examined: ads.mopub.com, sdk-android.ad.smaato.net, googleads.g.doubleclick.net, api.pubnative.net, my.mobfox.com and more. The only way to block apps from spying on you, at least at home, is to have a router that can block domains like this. The Pepwave Surf SOHO can block all access to one sub-domain, by setting DNS to an invalid IP address, or block web access to an entire domain (all sub-domains) with its Content Blocking feature. Or, both.
Some people only trust Open Source router firmware. For example, at PrivacyTools.io, they recommend OpenWrt, pfSense and LibreCMC. However, they offer no explanation for why these three systems are more secure than anything else. I do not think that all open source is good and all closed source is bad.
Secure defaults are needed because most routers are owned by people with no understanding of networking and these people should be secure by default. UPnP is an excellent example; it is insecure and enabled by default on every consumer router. WPS should be disabled by default, or better yet, not even available. Wi-Fi encryption should default to WPA2-AES. Etc. etc.
On a related point, if you need to open a port, perhaps to allow for remote control, a router that can limit access to said port by source IP address is almost a necessity.
Three Governments Rate Security
In April 2023, I was made aware of the Cyber Security Agency of Singapore and their Cybersecurity Labelling Scheme (CLS).
CLS rates assorted smart devices according to their levels of cybersecurity provisions. This lets consumers identify products with better cybersecurity. It is also a way for manufacturers to stand out from their competitors and to be incentivised to develop more secure products.
You can research the products they have rated here: Cybersecurity Labelling Scheme Product List. As of April 2023, they have rated 143 Wi-Fi routers, with Level 1 being the worst, and Level 4 being the best. They also show when tech support for the device ends. The only routers that scored the highest were a few from Asus. They have not reviewed any device from Peplink or Pepwave. They have only reviewed three mesh systems (all rated poorly).
Singapore has agreed with the Transport and Communications Agency of Finland (Traficom) to honor a similar system in Finland called the Finnish Cybersecurity Label.
And, Singapore has also agreed with the Federal Office for Information Security of Germany (BSI) to likewise honor Germany’s IT Security Label.
FYI: pcWRT
NOTE: I wrote the below not having used a pcWRT router. As of January 2022, I have started to test a pcWRT router. Far from finished.
The pcWRT router was initially sold for its Parental Controls rather than security (the "pc" in the name is for Parental Control). That said, it has had many security features added since it was first released back in 2015. The system is based on OpenWRT and there is an online demo of the router interface.
Right off the bat, I like the fact that you do not need to have an account with pcWRT to use the router. You also do not need a mobile app, the router is configured with a web interface.
There is currently (January 2022) a single model that sells for $129. An older model with less horsepower has been discontinued. It has dual band Wi-Fi AC (aka Wi-Fi 5) with four Gigabit Ethernet LAN ports. The software is also supported on a handful of other routers such as the TP-Link Archer C7 (v2) and the Linksys WRT1900ACS. A LITE version of the firmware for use on other routers is free; the full featured firmware (referred to as pcWRT Premium) for use on other routers sells for $49 with a 90 day money back guarantee.
Download their firmware at pcwrt.com/downloads.
Privacy is great, no account is needed with the vendor and they say the router does not phone home at all. Support for VPNs is excellent. As per this blog post, A router that talks three VPN protocols, pcWRT supports OpenVPN, IKEv2 and WireGuard, both as a server and a client.
pcWRT comes with 5 pre-configured VLANs. Each VLAN can be assigned to one or more LAN ports and one or two wireless networks. If you assign every VLAN to an SSID that transmits on both radio frequency bands, then it can create 5 SSIDs. If you assign each VLAN to two SSIDs, one on each frequency band, then it can create 10 SSIDs. It can also send different VLANs through different VPN connections (or no VPN). Wow.
There is an option to "Enable WiFi client isolation" which prevents wireless devices on an SSID from communicating with each other. The availability of WiFi networks can be scheduled.
It also does ad blocking using the same technology as Pi-hole. To enable ad-blocking network-wide, just check "Enable Ad Block". You can enable it for some or all profiles. There is a whitelisting feature for the inevitable overrides, such as when a website will not load without ads being displayed.
A number of DNS providers are pre-set; you can easily choose among them or specify anything of your choice. You have a lot of flexibility in controlling traffic: you can allow or block a URL, a subdomain, a domain, a certain port on a domain, a port, or a port for a specific protocol. More here: How to allow or block web sites on the router. Devices using the router can be assigned to profiles and each profile can use different DNS servers and have a custom black or white list of domains. It seems that you could define a profile for a child with a white list that only allows them access to a small number of approved domains. It can even block just a section of one website. The example they give is
http://www.yahoo.com/block/this/path
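The rule types listed above (exact host, whole domain, port, port for a protocol, a path within one site, plus a whitelist override) are the same ones the earlier discussion of tracker domains called for, so here is one matcher that evaluates all of them. This is an added example written for this page, not pcWRT's, Pi-hole's or Peplink's code. It also shows why a DNS-level block (the "invalid IP address" trick mentioned earlier) can only enforce rules that look at the name alone: a path or port rule has to be applied on the data path. The hosts ads.mopub.com, doubleclick.net and the yahoo.com path come from the page; tracker.example and the port rules are constructed.

```python
"""Content-blocking rule matcher: exact host vs whole-domain rules, port and
protocol rules, URL-path rules and whitelist overrides.
Added example for illustration; not pcWRT, Pi-hole or Peplink code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" (whitelist override) or "block"
    host: Optional[str] = None           # None = any host
    subdomains: bool = False             # True: host matches itself and every name under it
    port: Optional[int] = None           # None = any port
    proto: Optional[str] = None          # "tcp", "udp" or None = any protocol
    path_prefix: Optional[str] = None    # URL path prefix; None = the whole host
    note: str = ""


def host_matches(rule_host: str, host: str, subdomains: bool) -> bool:
    """Exact match always; suffix match ('.' + rule_host) only for domain-wide rules."""
    host = host.lower().rstrip(".")
    rule_host = rule_host.lower().rstrip(".")
    if host == rule_host:
        return True
    return subdomains and host.endswith("." + rule_host)


def rule_matches(r: Rule, host: str, port: Optional[int], proto: str, path: str) -> bool:
    if r.host is not None and not host_matches(r.host, host, r.subdomains):
        return False
    if r.port is not None and port != r.port:
        return False
    if r.proto is not None and proto != r.proto:
        return False
    if r.path_prefix is not None and not path.startswith(r.path_prefix):
        return False
    return True


def decide(rules: List[Rule], host: str, port: Optional[int] = None,
           proto: str = "tcp", path: str = "/") -> Tuple[str, str]:
    """Whitelist wins: any matching allow rule overrides every block rule.
    Otherwise the first matching block rule decides; no match means allow."""
    blocked_by = None
    for r in rules:
        if not rule_matches(r, host, port, proto, path):
            continue
        if r.action == "allow":
            return "allow", r.note
        if blocked_by is None:
            blocked_by = r.note
    return ("block", blocked_by) if blocked_by else ("allow", "no matching rule")


def dns_answer(rules: List[Rule], host: str, real_ip: str) -> str:
    """DNS-level sinkhole. Only rules that look at the name alone can be enforced
    here; port, protocol and URL-path rules are invisible to a DNS resolver and
    must be applied by the content filter on the data path instead."""
    name_only = [r for r in rules
                 if r.port is None and r.proto is None and r.path_prefix is None]
    verdict, _ = decide(name_only, host)
    return "0.0.0.0" if verdict == "block" else real_ip


# Constructed rule set mixing the page's examples with a made-up tracker domain.
RULES = [
    Rule("block", host="ads.mopub.com", note="exact host only"),
    Rule("block", host="doubleclick.net", subdomains=True, note="whole domain"),
    Rule("block", host="www.yahoo.com", path_prefix="/block/this/path", note="one section of a site"),
    Rule("allow", host="cdn.tracker.example", note="whitelist override"),      # constructed
    Rule("block", host="tracker.example", subdomains=True, note="constructed tracker domain"),
    Rule("block", port=25, note="outbound SMTP to any host"),                # constructed
    Rule("block", port=443, proto="udp", note="QUIC (UDP/443) to any host"),  # constructed
]

if __name__ == "__main__":
    for args in [("googleads.g.doubleclick.net",), ("sdk.mopub.com",),
                 ("www.yahoo.com", 80, "tcp", "/block/this/path/page.html"),
                 ("cdn.tracker.example",), ("mail.example.org", 25)]:
        print(args, "->", decide(RULES, *args))
    print("DNS for www.yahoo.com:", dns_answer(RULES, "www.yahoo.com", "203.0.113.6"))
```

Two things worth noticing when running it: sdk.mopub.com passes because the mopub rule is an exact-host rule while any name under doubleclick.net is caught by the domain-wide rule, which is the sub-domain versus whole-domain distinction the Surf SOHO draws; and www.yahoo.com still resolves normally at the DNS layer because its rule is a path rule, so blocking one section of a site necessarily means the router inspects the request rather than the name lookup.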
It logs the blocked domains and also has a summary report of blockage.
The router lets you create a backup of the current configuration to a file. You can be emailed when new firmware is available. An interesting blog post from the company, How to use your router to block smart TV snooping, talks about the VLAN feature and watching the domains a smart TV talks to and then limiting the domains it is allowed to communicate with. The routers offer their own, free DDNS service that provides you with a hostname on the pcwrt.net domain.
Like many other routers, it can block Pings from the WAN side. It also has a stealth mode and I am not clear what that is/does.
The website says nothing about who created the router, and there is no Contact Us page either. All communication is via a Forum. Documentation is mostly in the blog on the website. There is also a 5 page pcWRT Parental Control Router User's Guide. One Parental Control feature is the ability to block YouTube videos that are not child-safe. They have good release notes and a history of firmware releases.
Maybe GL.iNet
Another company to consider is GL.iNet. I have not used their products, but they are cheap and the company has a focus on security.
Their routers run OpenWRT and include an OpenVPN client, a WireGuard client, Tor and encrypted DNS from either Cloudflare or NextDNS. The Slate (GL-AR750S-Ext) was released in 2019 and sells for about $55 (as of Feb. 2021). The Beryl (GL-MT1300) is newer and sells for about $70. They have many other models too.
On Android, GL.iNet routers are configured with the GL.iNet app. The app was analyzed by Exodus on Feb 13, 2020 (app version 1.0.17) and found to contain no trackers. Also, it only requested 3 Android permissions. As of March 2021, the latest version of the app is 1.0.23, released January 2021.
At these prices, we can't expect great speeds or for the routers to handle too many attached devices. As for VPN speeds, when running the OpenVPN client, the company says to expect about 20Mbps with each model. When running the WireGuard client, expect roughly 70Mbps with the Slate and 90Mbps with the Beryl. Rather than your main router, they may be a better fit for a secondary router.
Maybe Turris Shield? Maybe?
In September 2020, Turris released a new device, the Turris Shield. As I write this, very little is known about it, there are no reviews of the Shield and even the documentation page on the Turris website is skimpy. It is sold as a firewall rather than a router and is meant to sit between the modem and the router. People who have a single Internet device (a combination modem and router), can place the Shield behind it, rather than in front. This, however, will only protect Ethernet devices as the Shield does not do Wi-Fi. If nothing else, the Shield deserves a look because it is made in the Czech Republic rather than China.
On the upside, the software (TurrisOS based on OpenWRT) is open source and Turris says it self-updates, both the OS itself and updates to defend against new attacks. I am confused about the term "attack". Any router purchased at retail should have a firewall with no open WAN side ports and thus defend the LAN behind it. So the purpose of the Shield firewall is unclear to me. The Shield is described as a "unique firewall" and a "unique security system" but there is no explanation of what makes it unique. Turris says it responds to threats within seconds, but it is not clear to me what types of threats it is responding to or how it is responding.
Turris says that it can be used by non-technical people, that all you need to do is pick a password and the device does everything else on its own. Too good to be true? Time will tell. It is administered via a web interface.
The Shield can be both an OpenVPN server and client. VPN servers in routers serve two purposes. One allows you to log in to the device when you are traveling and use it as a free VPN to avoid paying for a commercial service such as ProtonVPN, Mullvad or TunnelBear. The available documentation does not say it can do this.
The other purpose is to provide access to files and devices on the LAN when you are traveling. I would expect this to be blocked by any router as the router firewall would see this as an unsolicited incoming connection. Using the Shield as a VPN client puts all your eggs in one basket and gives you no flexibility. Individual devices can not be excluded from the VPN tunnel and if there is a problem with the VPN connection, all your devices are knocked off-line. If the VPN is slow, all your devices are slow. My personal preference is for a VPN box that connects to the LAN side of a router rather than the WAN side.
Some missing information: what is its maximum throughput with and without a VPN? Does it support inbound or outbound firewall rules? If it does support rules then not mentioning this is negligent documentation. If it does not support firewall rules, then, again, just what does it do?
As of early September 2020, the Shield was available for purchase in Germany, Great Britain, Spain, France, Italy and the Czech Republic. Alza was selling it for 104 British pounds, which was roughly equal to $138 US dollars.
FYI: Firewalla
As a company, Firewalla seems very much focused on security. However, Wi-Fi is not their thing. Most of their routers do not do Wi-Fi. Their page, How to Choose between Different Firewalla Products, does not even list Wi-Fi as an attribute of any of their current (as of Aug. 2023) devices. The page points out that there is no subscription fee for their routers, but also that the web interface is secondary; their devices are meant to be managed with a mobile app. As of Aug. 2023, the last update about a web interface was July 2020 and it was in beta back then.
The Firewalla Gold router first shipped to customers in November 2020. It costs $485 (as of Aug. 2023) and does not do Wi-Fi. It is listed here as an FYI, I have no experience with it. The first two generations of Firewalla (Gold is their third) were add-on devices that plugged into a LAN port of your router. The Gold model can function that way too, but it is included here because it can also be a stand-alone router. There is more information on their other devices on the Resources page.
Quoting the company: "Unlike a traditional router, Firewalla's focus is ... on the greater ability to control network traffic. This include controlling device access, blocking categories of traffic, and managing what your digital things can do. Rules applied to your system can get complex. " The target audience is techies; I get the impression that Firewalla is a bit much for a non technical audience.
Firewalla Gold is based on Ubuntu Linux and offers full access to the operating system via SSH. If it ships with an open port for SSH, that is a security issue. You can install your own "packages" including Pi Hole for ad/tracker blocking.
Features: It supports VLANs for network segmentation. It can be both a VPN server and client for both OpenVPN and WireGuard. It supports site-to-site VPN connections (as does the Pepwave Surf SOHO). It supports multiple Ethernet WAN connections, though I am not sure if it load balances or only offers fail-over. It supports GEO-IP filtering which lets you block entire countries. It does ad blocking and can notify you of a spike in bandwidth usage. It does encrypted DNS using DNS over HTTPS (DoH). It runs vulnerability scans and automatically blocks malicious web sites. It does Intrusion Prevention and when that fails, it does Intrusion Detection. It is not clear if it offers outbound firewall rules. It does offer Parental Controls. There are no ongoing subscription fees.
My concerns: It is not clear what, if any data, the device sends to the company. Also, you have to have an account with Firewalla to use the thing, which is a privacy risk. And, it is not clear if you are at all dependent on a cloud service of theirs. The device has a console port. Why? They don't say. The speed is a concern. They promote it as having 3Gbps speed which I am sure is not true. I suspect they are adding up the speed from three gigabit Ethernet ports. Fudging the numbers like this does not promote trust. Still, it is likely to support Internet speeds around 900Mbps.
Without Wi-Fi from a router, any Access Point that you add to it has its own user interface. This means that owners of the Firewalla Gold have to learn to deal with both its UI and that of the Access Point. Then too, there is the chance that devices connected to the AP may not be individually governable by Firewalla.
The user manual is a mish-mash of all three Firewalla devices. They do not offer a manual dedicated to the Gold model. There is also a FAQ.
In September 2020, Kevin C. Tofel liked the Gold model. He points out that it can run Docker containers, can block devices from the network at the touch of a button and can block social networking apps. It also notifies you when a new device joins the network. He says it can show minute details of network traffic but does not explain this in detail.
Dong Ngo reviewed the Gold in Jan. 2021 and said " ... it's best used as a souped-up version of the Firewalla Blue Plus ... you should consider it an add-on firewall / online-protection device of an existing network, rather than a router that hosts a network of its own, where it makes things a bit too complicated for home users.". Full review: Firewalla Gold Review: An Expensive but Totally-a-Keeper Add-on Firewall.
FIREWALLA PURPLE:
Firewalla Purple was released in January 2022 for $320. In Aug. 2023 it was $340. In July 2024, it was $360. While it can function as a router, be aware that it has but one LAN port. It can also be installed between a modem and a router, but in that mode, there is nothing it can do about VPN or Tor connections. Finally, it can be plugged into the LAN port of an existing router, but in that mode, it does not work with all routers. As a router, the Wi-Fi is short-range, there are no external Wi-Fi antennas. Many will need to add an Access Point or a normal router for the Wi-Fi. But, this would occupy the lone LAN port, so you would also need a switch. And, while it brags about VLAN support, that requires an external smart switch, one that supports VLANs. So, things get complicated fast. And, while it is marketed as being easy, some users will need to deal with three different devices with three different user interfaces. Not so easy.
FIREWALLA PURPLE SE:
Perhaps realizing that the Purple was somewhat expensive for a device with only one LAN port and poor Wi-Fi, Firewalla released the cheaper Purple SE for $230 (as of July 2024). It does not have Wi-Fi and the maximum wired speed is 500 Mbps.
By way of comparison, a pcWRT router does VLANs all by itself, no external switch needed. pcWRT also does normal Wi-Fi with four external antennas. And it costs $129 and can be used without sending any data to the company. Firewalla requires a mobile app for configuration, so there is no way to know what data is sent to the company. Both do parental controls and ad blocking. Both support a maximum of 5 VLANs. Firewalla can be an OpenVPN client, pcWRT also includes IKEv2 and WireGuard client software. Both can make a site-to-site connection with themselves. However, Firewalla only supports the much slower OpenVPN for site-to-site connections.
Some articles said the Firewalla Purple can be a travel router because it can connect to the Wi-Fi network in a hotel or coffee shop. However, it is not battery powered.
Note: There is more about Firewalla on the Resources page in the section for Add-on Security Devices.
DrayTek
I have no hands-on experience using routers from DrayTek. Their products are business class, not intended for consumer use.
As of October 2024, I am tempted to remove them from this page. A research report from Forescout Research, Vedere Labs (Dray:Break Breaking into DrayTek routers before the threat actors do it again) found 14 new bugs in their routers. Yes, all software has bugs but 14 found by a single company seems extreme. And, these bugs came on the heels of many others. In fairness, DrayTek fixed all the bugs, even those in EoL models, but how many bugs is too many? Anyone considering DrayTek should read the report. Here are some quotes from it:
In 2024, routers are a primary target for cybercriminals and state-sponsored attackers - and are the riskiest device category on networks. With this knowledge, we investigated one vendor with a history of security flaws to help it address its issues and prevent new attacks...
On Sept. 18, 2024, the Federal Bureau of Investigation announced it had taken down a botnet exploiting three CVEs on DrayTek assets (CVE-2023-242290, CVE-2020-15415 and CVE-2020-8515). Note: the bugs exploited by the botnet, are not related to the bugs found by Vedere Labs.
According to the National Vulnerability Database (NVD) the first reported vulnerability for DrayTek routers appeared in 2013 ... there has been a significant increase in critical vulnerabilities affecting these products over the past four years, with at least 18 issues allowing for remote code or command execution. These vulnerabilities were discovered by different researchers suggesting the vendor did not perform variant analysis after receiving individual vulnerability reports and producing patches. Additionally, the presence of similar issues in different parts of the functionality indicates a lack of "post-mortem" analysis by developers.
On the one hand, DrayTek published a 24-page router security best practices paper. On the other hand, it has not been revised since 2017 (last checked October 2024).
See a list of the features on their routers. Not only do they support WPA2 Enterprise, but most DrayTek routers have a built-in RADIUS server which greatly simplifies the implementation of Enterprise level security.
You can judge the user interface for yourself, they have online emulators for all their routers.
DrayTek makes many different router models: single WAN, dual WAN and multi-WAN. There are very few installed in the US, they seem to be popular in the UK.
I do not know how long DrayTek supports the software in their routers or what the deal is with tech support (free or not and for how long).
Not Recommended
Say No to Ubiquiti
October 15, 2024: I maintain an Amplifi mesh router system for a relative. The first time I ran their Android app on a new Android device, it wanted these permissions and the app would not run without all of them enabled.
September 27, 2024. Jim Salter is on the 2.5 Admins podcast. On the September 26, 2024 episode, he warned people away from using Ubiquiti. That said, his opinion is not security-focused. He has much experience with many Ubiquiti devices and said the company used to be better than they are right now. He continues to use their devices that he already has and/or maintains for others, but he would not advise the purchase of any new Ubiquiti devices.
NOTE: March 31, 2021. Another reason(s) not to trust Ubiquiti. Quoting from this Brian Krebs article, Whistleblower: Ubiquiti Breach 'Catastrophic': "On Jan. 11, Ubiquiti Inc. ... disclosed that a breach involving a third-party cloud provider had exposed customer account credentials. Now a source who participated in the response to that breach alleges Ubiquiti massively downplayed a 'catastrophic' incident to minimize the hit to its stock price, and that the third-party cloud provider claim was a fabrication." There is much more about this on the Router News page but, clearly, Ubiquiti showed that they are not a company deserving of your trust, for many reasons.
I have installed two AmpliFi systems and this left me annoyed as heck because I was not sure if the problem affected me or not, which is pretty trivial for the company to convey. Do I need to change the router password? The Wi-Fi password? I bought one router from the Ubiquiti website (store.amplifi.com) and had to create an account there. Is that part of the breach? None of my business. I logged into the site to change my password and there is no change password function. You can't make this stuff up. Heck, even the Copyright year on the bottom of each web page is wrong (still says 2020). Do AmpliFi customers have a Ubiquiti account if they purchased the hardware elsewhere? Dunno. No more Ubiquiti for me.
Ubiquiti has many fans and their UniFi line is a step up from consumer routers. Their AmpliFi and Alien lines are both for consumers, so I would avoid them. I have used AmpliFi and was not impressed.
Getting started with UniFi has always been both too expensive and too complicated. For example, you need to buy their router, their switch, their Access Point(s) and then deal with their server software, yet another headache. You have to run their controller software somewhere, perhaps on one of your computers, perhaps in a virtual machine or perhaps on a small hardware device (UniFi cloud key) they sell just for this purpose.
The UniFi Dream Machine router, introduced in November 2019, made it both cheaper (it is $300 in US) and easier to get started with the UniFi line. Like the Pepwave Surf SOHO, it is a bottom-of-the-line device from a high end company. In March 2021, I learned that the Dream Machine requires the Ubiquiti cloud service which rules it out for me. Worse, Ubiquiti was hacked in January 2021 and we learned in March 2021 that the hack was much worse than they initially reported.
As a business/professional system, the Dream Machine supports firewall rules, VLANs, 2FA, Intrusion Detection, Intrusion Prevention, GeoIP Filtering and has an extensive web interface (in addition to a mobile app). It self-updates and supports 4 SSIDs (the Surf SOHO can create 16 SSIDs). However, it only supports one WAN connection; there is no provision for fail-over. Another problem is that it requires you to have an account with Ubiquiti. Peplink does not require this.
Of some concern is the fact that remote access is enabled by default; no one does that. Also, remote access seems to be through Ubiquiti (unifi.ui.com); I am not sure if it offers direct access to the router. Also worrying is that when the router was released, many features were in Beta or Alpha. Peplink would never do that.
He also wrote that it can guard the LAN against online threats, a feature called Internet Security that is similar to Netgear Armor and Asus AiProtection. There may well be privacy implications with this feature too. The Asus software, from Trend Micro, would send your emails to Trend Micro if it thought they might contain a virus. Not good.
Another concern with Ubiquiti is that sometime in October 2019 they started spying on their customers, did not tell anyone about it and offered no way to opt out.
I first noticed this November 3, 2019, in this Twitter thread by Royce Williams. It links to a Reddit discussion: Ubiquiti adds phone-home to the access point firmware and an official response from the company. Quoting it: "We have started to gather crashes and other critical events strictly for the purpose of improving our products. Any data collected is completely anonymized, GDPR compliant, transmitted using end-to-end encryption and encrypted at rest. There is no on/off switch ... The memory leak that you reference above was a bug specific to release 4.0.60 which was fixed as of 4.0.61."
In other words, they screwed up the AP phoning home and created a memory leak that crashed their devices. Even if their intentions are not bad, their software quality seems poor. The Access Points phone home to trace.svc.ui.com which Ubiquiti says you can block in the router. However, it keeps re-trying, which is where the memory leak came from. That bug has been fixed.
As for trusting Ubiquiti, there is this story (Ubiquiti, go write on the board 100 times, 'I must validate input data before using it'... Update silently breaks IDS/IPS) from July 2020, where they made two mistakes in their Threat Management component. Trusting external input without validating it is as basic a mistake as anyone can make. Granted, it's beta software, but the company got snippy with the guy who reported the problem and failed to award him a bug bounty for finding the problem.
In February 2021, Leo Laporte did a video review of his experience with a large, very expensive UniFi installation in his house. Wi-Fi was his priority, not security. He warned about staying away from the pervasive beta software. The demo he did was of the Ubiquiti portal, which I assume is a web based thing. This means Ubiquiti knows a ton of information about you. Privacy is not a priority. Despite having 75 devices in his home, he had only two subnets, one for IoT and one for everything else. For a techie this is very disappointing; he did not bother to make subnets where suspect (IoT) devices can and can not see each other. He had created no external firewall rules. His main LAN is 192.168.1.x and the router is 192.168.1.1, also disappointing from a security perspective. The only thing that impressed me was that UPnP could be enabled/disabled on a subnet basis. The cost of this multi-device system is increased because the APs only do PoE, which means you need expensive Ubiquiti switches to power them. Ubiquiti has a UniFi demo if you want to kick the tires for yourself.
Ubiquiti also has a line of Edge Routers. They are a step above consumer routers but I have not used one, so I have no opinion on how secure they are. None of the EdgeRouters do Wi-Fi, so you would need to add wired access points.
The user interface may be too difficult for anyone that is not a networking techie. Some have said that the documentation is almost non-existent.
The three cheapest models are $59, $99 and $109 (as of Sept. 2019). The Operating System is called EdgeOS and the User Guide is online. Many have spoken highly of the Ubiquiti EdgeRouter Lite that sells for about $100. It has a console port and three Ethernet ports, none of which are dedicated.
Doug Reid reviewed it in June 2017 for SmallNetBuilder.com and warned that: the GUI is still a work in progress, it is not plug and play, tech support is only available from a community forum and QoS kills the performance. On the upside, it is highly configurable, if you know what you're doing.
Slightly off-topic: AmpliFi is a line of mesh router systems from Ubiquiti. Except, it is not a mesh system which has been an ongoing annoyance for many, myself included. The upside of AmpliFi is that it is a bit more techie oriented compared to other consumer mesh systems and that it did not depend on a cloud service. The downside is the lack of mesh. The system is typically sold as a router and two mesh points (secondary antennas). In a real mesh system you can place the router at the South end of a house, one antenna in the middle and the other at the North end of the house. The antenna in the North should talk to the one in the middle, which in turn, talks to the router. But the AmpliFi system can not do this, most of the time both antennas will only talk to the router. And, you have no control over this. There have been ongoing gripes about this for years on the AmpliFi forum: How do i force one meshpoint to connect to the other?
Gryphon
I have no hands-on experience with Gryphon.
Update March 10, 2021: My opinion of Gryphon has changed thanks to Exodus, a company that evaluates Android apps. Gryphon routers are configured with an Android app called Gryphon Connect. The Exodus examination of the app found 9 trackers. Exodus examined app version 03.0003.06 on March 10, 2021.
Gryphon talks about security, but offers no technical details.
The Gryphon router is a consumer device with many security features. The security features include: parental controls, intrusion detection, an ESET database of dangerous software and a verification of the firmware when first powered on. If the firmware was tampered with, it will not start up. There are three LAN ports in the first generation devices; it does not support WPS; it can run a speed test on its own; the software self-updates; and administration is done with a mobile app (no web interface).
Downsides: you must set up an account with Gryphon and give them an email address. Administration of the router is only via mobile apps; there is no web interface. Documentation is sparse; there is no User Guide. There is no phone-based tech support. When they transitioned from one app to another, there was no notice given to users of the old app. It does not support VLANs. At least initially, it only offered two SSIDs. Their web page about Internet security does not inspire confidence; it's all marketing. It is a consumer device.
Firmware updates are automatic. They say nothing about whether this can be customized, such as only doing it in the middle of the night, only doing it on week-ends, or not doing it until next Thursday.
Parents can see the websites kids visit. Parents can even view browsing history if the child surfs with Incognito Mode. Parents can limit the screen time of children. It claims to prevent users from clicking on websites with malware. The problem with any such system is dealing with exceptions. With much Parental Control software, kids using a VPN can bypass any restrictions in the router. No review that I have seen addressed this.
The app notifies you when a new device connects and you can then assign a profile to it. New devices can be blocked from the Internet by default. You can schedule the Wi-Fi to turn off at night. Whether this applies to one or all Wi-Fi SSIDs, they don't say.
They claim it blocks DDoS attacks and monitors IoT devices for unusual network traffic. It claims to scan network traffic with antivirus tools. The ESET malware and ransomware protection is free for a year. After that, it costs $79 annually.
For mobile devices away from home, they offer Gryphon Homebound for free for three months. It routes data from the mobile device back to the Gryphon router at home, so that it can be "managed".
HISTORY: Gryphon is a startup based in San Diego. They launched in 2014. They have been on IndieGoGo, Kickstarter and Backerkit. Bloomberg wrote about them in Nov. 2016.
Shipping was initially planned for June 2017. In August 2017, shipping was expected in October 2017. In Feb. 2018 they claimed to have "received the first production batch of Gryphons last week and are in the process of shipping them."
PRICING: As of September 2020, a single box cost $210, and it was also sold as a pair for $400. A few Gryphon routers can be combined to form a mesh network. After the first year, owning it costs $99/year. An exception is the parental controls, that feature is free forever. In August 2019 a single Gryphon router was $230 from Amazon.com while their website sold it for $219 new and $189 refurbished. A pair was $400. In Dec. 2018, a single unit was $200 at Amazon and the Gryphon website sold a single unit for $220 and a pair for $420. In Sept. 2018, it cost $240 at Amazon for one unit.
In Feb. 2018 pricing at Backerkit was $250 for a single unit and $450 for a pair while pricing at their website was $200 for a single device and $350 for a pair.
REVIEWS: There have been very few reviews of the Gryphon router. In a Sept. 2018 review at Business Insider the author admitted to not being techie enough to evaluate the security of the router. So, why does the company give him a router to review? Could they be afraid of a technical examination? He found the parental controls to be "tedious" but the router was fast. Installation was a pain. A Dec. 2018 review by Brian Nadel at Toms Guide did not go into much depth. A Jan. 2019 review by John Delaney for PC Magazine said the parental controls were excellent. It is very well reviewed at Amazon.com.
According to a Nov. 2019 review by Brian Walker, Gryphon can block ads and store a browsing history for each device. It does not support VLANs. One way around router controls is to run a VPN and he claims that it can block VPNs. A paid service called Gryphon Homebound (free for 90 days) allows you to block threats and unsafe content from your kids' cellphones even when they are not home. There are no details on how this works.
The second generation Gryphon is called Gryphon Guardian and the first shipments were in early 2020. Like Eero and Synology, Gryphon seems to be scaling back with their latest generation. The new devices are smaller, probably less powerful and cheaper. They include malware filtering from ESET and have only one Ethernet LAN port. The Guardian initially sold for $120. In July 2020 it was $109 for one or $299 for a three-pack. In September 2020, it was $99 for one and $239 for a 3-pack. They offer a 90 day money-back guarantee.
FYI: OKYO is gone
In September 2021, Palo Alto Networks touted their upcoming Okyo secure router, their first product for consumers.
In August 2022, they announced the End-of-Sale for Okyo and they ended service for the thing December 31, 2022. As of May 2023, the www.okyo.com website is gone.
September 10, 2021: Okyo Garde: Enterprise-Grade Cybersecurity With Consumer Simplicity by Palo Alto Networks. They claim their new Okyo product offers unparalleled protection from malware, ransomware, phishing attacks and more, yet with consumer simplicity. You don't pay once, you pay every year, between $350 and $450 for the year. If you stop paying, is the router useless? They don't say. They also say that it is mesh-enabled, but all the pictures show a single device. The cost for extra devices to make a mesh network is none of your business. The router is controlled by a mobile app and is expected to start shipping in Fall 2021.
FYI: F-Secure SENSE is gone
As of October 2020, the SENSE router is no longer available.
I have no hands-on experience with the F-Secure SENSE router.
Like Gryphon, SENSE is marketed on its security. A big difference is that SENSE seems to have been discontinued. As of Jan. 2020, it is no longer available as a stand-alone purchase. It is now part of the F-Secure TOTAL Premium cyber security package, which also includes their Freedome VPN and password manager. When you buy TOTAL, you get the router for free. But, this offer is only valid while supplies last. You pay for TOTAL every year. One year to protect 5 devices is $110, 2 years to protect 1-3 devices is $140. The elephant in the room, however, is how long the SENSE router will be supported. Beats me. Also, it does not support mesh.
As of May 2020: If you buy TOTAL, you can order a SENSE router in Austria, Belgium, Denmark, Finland, France, Germany, Netherlands, Norway, Sweden, and the United Kingdom. The company says "The list of countries is limited due to regulatory compliance reasons."
The explanation of the SENSE router on their website is poor. It does every good thing you could imagine, curing Cancer and world peace included. In fairness, here is their lead: "Secure your smart home with one device, now and in the future. Sense creates a secure network for all of your connected devices to monitor and protect them through one simple interface. With privacy and security both at home and on the go, you have the freedom to unleash your smart lifestyle." Beats me what the product does. Here's more: "Sense creates a secured Wi-Fi network in your home. Traffic in the network is analyzed by Sense with the help of F-Secure security cloud, where threat definitions are updated in real time. The cloud leverages next generation security features such as machine learning and behavior based threat analysis to give you corporate-level security in your own home, and block attacks before they even happen. Sense also blocks unwanted tracking attempts ..."
My concern is that like the Trend Micro software in Asus router, could F-Secure be reading your emails as part of checking things for viruses? Eventually they got clearer: "F-Secure SENSE is the combination of a smart security router, an advanced security app and industry-leading cloud protection." There is no web interface. Sense initially did not include a VPN or Tor but they planned to integrate their VPN service in the future. It is not clear to me (as of Jan. 2020) if their TOTAL package uses software on your devices for its VPN or if the VPN runs out of the router.
HISTORY: As of Nov. 2015 they were taking pre-orders with an estimated ship date of Spring 2016. As of Oct 2016, they were still taking pre-orders for 200 Euros, which included a one-year subscription but there was no estimated ship date. As of May 2017 it was available in Denmark, Finland, France, Germany, Ireland, Netherlands, Norway, Sweden and United Kingdom. As of July 2017, it was available in the US for $199 which included the first year of an ongoing subscription that was to cost $119 after the first year. The router was said to be usable without the subscription. As of Sept. 2018 it was still $199 and there was free shipping. In Jan. 2019 it was $100 at Best Buy in the US with free shipping and a 1 year F-Secure Internet Security subscription for up to 25 PCs or Macs and unlimited Android devices.
REVIEWS: Your Questions On F-Secure SENSE, Answered Videos from F-Secure. No author, undated. Reddit AMA August 2017. F-Secure Sense Review by Brian Nadel of Toms Guide Nov 2017. No WPS but support is planned. This is not a good feature in a secure router. Each Wi-Fi frequency band is required to have a different SSID. Ugh. Does not support static IP addresses. Ugh. No parental controls. Windows software includes a firewall. During initial setup, you "can opt out of having local data about usage sent to F-Secure." F-Secure provides 24/7 phone support.
Tech Support from Asus and Netgear
It is hard to tell how much a router vendor really cares about security, until you submit a bug to them and see how they deal with it. On the October 19, 2019 episode of the Cyberwire podcast (Hoping for SOHO security) someone from ISE was interviewed about their recent report SOHOpelessly Broken 2.0 that found multiple flaws in routers and NAS devices.
When it came to dealing with the problems that ISE reported, Asus and Netgear were drastically different. Simply put: Asus good, Netgear bad.
Quoting ISE: "Netgear exhibited severe communication issues, resulting in our finding being patched long before our reports were even confirmed. This was the longest and most arduous disclosure of this research project. Nearly 5 months were spent waiting for Netgear to respond to the BugCrowd reports, and an additional 3 months were spent attempting to get CVEs from Netgear, and then MITRE. After contacting MITRE, Netgear was removed from the official CVE numbering authority list." In contrast, they said "Asus promptly responded to our vulnerability submission. They worked closely with us to ensure they were mitigating the reported vulnerabilities appropriately."
Below are the bugs that ISE found. Both companies have been making routers for a very long time. This seems like quite a lot of bugs for software that should be mature at this point.
ASUS RT-AC3200
CVE-2018-14710 – Reflected Cross-Site Scripting via appGet.cgi
CVE-2018-14711 – Missing Cross-Site Request Forgery Protection on appGet.cgi
CVE-2018-14714 – Command Injection via load_script Hook in appGet.cgi
CVE-2018-14713 – Uncontrolled Format String via nvram_match Family in appGet.cgi
CVE-2018-14712 – Stack Buffer Overflow via delete_sharedfolder() in appGet.cgi
Netgear Nighthawk X10-R9000
CVE-2019-12510 – Authentication bypass via X-Forwarded-For header
CVE-2019-12511 – System command injection via SOAP API
CVE-2019-12512 – Cross-site scripting via X-Forwarded-For header
CVE-2019-12513 – Cross-site scripting in logs via malicious DHCP request
Tech Support
An experience of mine points out how much tech support cares. If they don't care, then it is impossible to consider the router secure. Peplink cares, AmpliFi does not.
In October 2019 I had a problem that I don't understand: TCP port 53 appeared to be open on the WAN side of an AmpliFi router and on three Peplink routers. The problem itself is not relevant here, just how each company dealt with it.
AmpliFi ignored my first email for a week. A second email was responded to and they said it was needed and pointed me to an irrelevant article about a Linux system needing port 53 open on the LAN side. A couple back/forths made it obvious that the person I was in contact with either didn't know or care. I had given them the public IP address of the AmpliFi router and the nmap output. They did not try to replicate the nmap result. In contrast, Peplink did try to replicate the nmap scan. The first and obvious step from a company that cares.
In addition, AmpliFi has a poor record with WPS. You can appear to disable WPS in the mobile app, but it is not fully disabled. Network scanning software shows that WPS is still enabled. Their tech support told me not to worry about it. But, I do. And, it is not clear to me at all how remote control of an AmpliFi works. So, I can't tell if it's secure. Their remote control system is unlike others I have seen, it requires you to use a Google account.
Also, the AmpliFi mesh points (candlesticks) can be used as Wi-Fi extenders for any network. The bad news is that when used with non-AmpliFi routers they enable WPS with no way to disable it. AmpliFi is a typical consumer product and should be avoided.
CR's router testing includes the companies' privacy policies, because so much sensitive data flows through the devices. Our privacy experts analyzed every router manufacturer’s documentation. We gave better scores to routers—including some models from Eero, Google, and Netgear—that spell out what information their manufacturers might collect from users, such as network speeds, the name of the internet service provider, and how much data you're transmitting to the web.
This is as wrong as wrong gets. For one thing, it assumes all router vendors spy on you, which is NOT true. There are routers that can be used without the router company knowing a damn thing about your network. And, without having to create an account with the router manufacturer. My favorite router company, Peplink/Pepwave is one such company. So too is Ubiquiti which makes the AmpliFi. Each can be used with total privacy.
That said, to use AmpliFi privately means giving up remote access to the system. AmpliFi only allows remote control using a Gmail or Facebook account. Peplink offers two systems for remote access to their routers, one system goes through them (InControl2), the other does not. Specifically, they still offer remote access via an open port. The port can be anything, access can be limited to HTTPS and you get to change the userid too, so it is as secure as this type of system can be.
In contrast, there is no opting out of Eero/Amazon or Google with their routers. Each requires you to have an account. But worse, they are the last two router companies anyone concerned with privacy should use. Yet, Consumer Reports gives them high marks for privacy. Lunacy. Both companies want to spy on you and a router is a perfect place for this spying.
Another indication that Consumer Reports is clueless, comes from the last few words in the quote above. A router offers access to much more than just "the web".
My final indication of their incompetence comes from their approach - reading privacy policies. If a router is phoning home, this can be detected. But, that requires technical competence.
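One way to do that detection, and to confirm that a block on a name such as trace.svc.ui.com (mentioned above for Ubiquiti APs) is actually working, is to watch what the router and access points themselves resolve, as opposed to client devices. This is an added example, not code from the page or from any router vendor; it assumes dnsmasq-style query logging, and the device addresses, allowlist and log lines are made up for the example.

```python
"""Detect network gear phoning home, from DNS query logs.

Added example, not part of the original page. It parses dnsmasq-style
query log lines (constructed sample below) and reports external names
resolved by the router and access points themselves, rather than by
client devices. Device IPs, the allowlist and the log lines are
assumptions made up for this example; trace.svc.ui.com is the name
the page says Ubiquiti APs report to.
"""
import re
from collections import defaultdict

# Hypothetical infrastructure addresses: the router and two APs.
INFRA_DEVICES = {
    "192.168.1.1": "router",
    "192.168.1.2": "ap-upstairs",
    "192.168.1.3": "ap-downstairs",
}

# Names infrastructure devices are expected to resolve (assumed: NTP and
# a made-up firmware-update host). Anything else gets reported.
ALLOWED_SUFFIXES = ("pool.ntp.org", "fw-update.example")

# dnsmasq "log-queries" line shape:
#   Oct 19 22:15:01 dnsmasq[123]: query[A] host.example from 192.168.1.2
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<src>[\d.]+)"
)

# Constructed sample log (not a real capture).
SAMPLE_LOG = """\
Oct 19 22:15:01 dnsmasq[123]: query[A] www.example.org from 192.168.1.50
Oct 19 22:15:03 dnsmasq[123]: query[A] trace.svc.ui.com from 192.168.1.2
Oct 19 22:15:03 dnsmasq[123]: query[AAAA] trace.svc.ui.com from 192.168.1.2
Oct 19 22:15:10 dnsmasq[123]: query[A] 0.pool.ntp.org from 192.168.1.1
Oct 19 22:15:42 dnsmasq[123]: query[A] trace.svc.ui.com from 192.168.1.3
Oct 19 22:16:00 dnsmasq[123]: query[A] telemetry.example.net from 192.168.1.1
Oct 19 22:16:07 dnsmasq[123]: query[A] cdn.example.com from 192.168.1.77
"""


def is_allowed(name: str) -> bool:
    """True when the queried name is, or is under, an allowlisted suffix."""
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in ALLOWED_SUFFIXES)


def find_phone_home(log_text: str) -> dict:
    """Return {device_label: {name: query_count}} for lookups made by
    infrastructure devices that are not on the allowlist.
    Lookups from client devices are ignored."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (replies, config notices, etc.)
        src = m.group("src")
        if src not in INFRA_DEVICES:
            continue  # a client device; out of scope here
        name = m.group("name").rstrip(".").lower()
        if is_allowed(name):
            continue
        findings[INFRA_DEVICES[src]][name] += 1
    return {dev: dict(names) for dev, names in findings.items()}


if __name__ == "__main__":
    # A repeated lookup of the same vendor name from an AP, especially one
    # you believe you have blocked, is exactly the retry behaviour to look for.
    for device, names in sorted(find_phone_home(SAMPLE_LOG).items()):
        for name, count in sorted(names.items()):
            print(f"{device}: resolved {name} {count} time(s)")
```

On a real network the same logic applies to firewall or flow logs keyed on the router's own source address; the DNS log is simply the easiest place to start.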