Security Advisories from router vendors
Emulators - kick the tires on a router's web interface
- Web interface for a Peplink Balance 710, a high end model with 7 Ethernet WAN ports and an AP controller. Peplink also has a live demo of the web interface to their MAX cellular routers.
- The simplified administration interface for Turris routers (Omnia and Mox) is called Foris and a demo is available at https://demo.turris.cz
- The Asus RT-AX88U is a newer model, while the Asus RT-AC66U is older.
- DrayTek has online demos of their entire product line. For example, you can kick the tires on the Vigor 2926 series and on the Vigor 2133 series.
- Linksys has a text-based index of the routers available to demo. Some examples: the WRT610N running firmware v2, the WRT1200AC running firmware 18.104.22.168464 and the EA8500 running firmware 22.214.171.124984
- Cisco Small Business Online Device Emulators
- MikroTik software, RouterOS, has multiple interfaces. One is Telnet, another is a Windows application, WinBox 3.0. A demo of the web UI is at demo.mt.lv. It's v6.38 as of Jan. 2017. You can also download an ISO for free, burn it to a CD, boot from the CD and run RouterOS for 24 hours.
- D-Link does not have one comprehensive list of their available emulators. To see if one is available for a particular router, search for the model number in the tech support section of the D-Link site. That said, some D-Link emulators are listed here and others are here. Examples: DIR 825 rev. B, DIR 818 LW, DIR 615 rev. C,
- TRENDnet Product emulators. One example, the
- TP-LINK emulators
- There don't seem to be any Netgear emulators
- This list of Router UI Emulators has links to Asus, Belkin, Cisco, D-Link, DrayTek, Linksys, Mikrotik, Netgear, Peplink, TP-Link, TRENDnet, DD-WRT, Gargoyle, OpenWRT Luci and Tomato.
My blogs about routers
- Two things about Eero routers having nothing to do with Amazon February 18, 2019
- Reporting a UPnP quirk in a Netgear router February 16, 2019
- Debunking the New York Times on Router Security and VPNFilter Lots of errors in an article. June 17, 2018
- VPNFilter router malware - just the bad stuff June 4, 2018
- Routers are constantly being probed - An examination of a firewall log March 19, 2018
- Some routers can force their DNS servers onto all devices and why you should care both at home and while traveling. March 5, 2018
- Using a Ubiquiti AmpliFi Mesh Point to extend a non-AmpliFi Wi-Fi network February 27, 2018
- The Best Security for Wireless Networks October 17, 2017 at eSecurity Planet. A thorough revision of an introductory article that stood the test of time.
- WifiInfoView is a great Wi-Fi utility for Windows Now with extra data. September 18, 2017
- Testing an AmpliFy mesh point as a Wi-Fi extender Initial setup mostly. August 7, 2017
- 7 mistakes Google made updating my Google Wifi router May 8, 2017
- Asus router warnings on privacy and security May 5, 2017
- How seven mesh routers deal with WPS April 28, 2017. Updated Aug 12, 2017 to note that AmpliFi now does WPS and can't turn it off.
- The Netgear router flaw post mortem -- plenty of blame to go around December 24, 2016
- Updates and more on the Netgear router vulnerability December 17, 2016
- exploited Netgear router flaw discovered December 10, 2016
- Blame the ISPs rather than the routers December 3, 2016
- Getting started with the Ubiquiti AmpliFi mesh router November 23, 2016
- Another HNAP flaw in D-Link routers November 11, 2016
- What the Ubiquiti AmpliFi mesh router is missing October 1, 2016
- A Defensive Computing term paper on privacy: VPNs, Tor and VPN routers September 18, 2016
- A router security cheat sheet August 16, 2016
- TP-LINK lost control of two domains used to configure routers and Wi-Fi extenders July 4, 2016
- Router Security done wrong February 29, 2016
- Poor Wi-Fi security - my visit to the dentist February 3, 2016
- To share or not to share - a look at Guest Wi-Fi networks December 13, 2015
- The D-Link DIR860L router - how secure can it get? November 20, 2015
- How secure can your router get? November 10, 2015
- Wi-Fi at DEF CON - dealing with the world's most dangerous network August 23, 2015
- A look at the security of Wi-Fi on a plane August 6, 2015
- Linksys Smart WiFi makes a stupid Guest network June 25, 2015. Guest networks are a great security feature, but (at least some) Linksys Smart Wi-Fi routers implement Guest networks poorly. They use a captive portal, for no obvious reason, and do not offer over-the-air encryption (WEP, WPA or WPA2).
- In June 2015 I blogged twice about the NetUSB router flaw: What most people don't know about the NetUSB router flaw - Part 1 and The NetUSB router flaw Part 2 - Detection and Mitigation.
- Using a router to block a modem. This was a follow-up to a previous blog about how some modems can be attacked. February 23, 2015
- Wi-Fi security vs. government spies November 3, 2014
- A router firmware update goes bad (and, what to do about it) October 6, 2014
- I blogged, in September 2013, that Google knows nearly every Wi-Fi password in the world. Soon thereafter, Leo Laporte discussed this on his radio show, The Tech Guy. I would bet that Apple also knows your WiFi password, just my opinion.
- I spoke on Securing a Home Router at the HOPE conference back in July 2014. A PDF of the presentation is available at box.net (last updated Oct. 4, 2014). Audio is available at x.hope.net (thanks to 2600). An article about my talk appeared in Tom's Guide.
- I blogged on how to find the IP address of your home router
- I hope to review some routers ...
Self-updating Routers
Since many router owners do not update the firmware, a router that self-updates is, almost always, a good thing. Not that it doesn't leave other problems, but one less is one less. This list is, no doubt, incomplete. And, the view that self-updating is always good is overly simplistic. The Security Checklist page has the details on what to look for. The Routers with Self Updating Firmware page has details on how some vendors compare to this checklist.
- Google Wifi and their previous OnHub line. Beware though, Google Wifi likes to reboot itself in the middle of the afternoon.
- The Eero mesh router system
- The Turris Omnia is fully open source, both the hardware and software. They maintain a change log so you can verify that the automatic updates are being installed. As of June 2018, it was available all over Europe and is expected to be approved by the FCC for sale in the US by Oct. 2018. I have a page devoted to the Turris Omnia router.
- All three Synology routers are probably king of this hill. I say probably because I have not used them personally, but a demo indicated they update like Synology NAS devices. The first was the RT1900ac. The second, released Dec. 2016, is the RT2600ac. Synology claims "SRM can automatically perform upgrades on a schedule for maximum convenience." Release notes for the RT1900ac and RT2600ac are reasonably detailed. Download manuals for the RT2600ac here.
- The Linksys Velop mesh router system. See SNB review.
- Based on my reading, the Linksys EA7500, EA8500 and EA6900 can update their firmware automatically. So too can the Linksys WRT1900ACS according to page 67 of its manual. In addition, I am told by someone at Linksys that all of their "Smart-Wifi" branded routers can self-update. These devices usually have model numbers starting with EA or WRT.
- The Nokia mesh routers self-update
- On the Plume mesh Wi-Fi router system, software updates are managed automatically for you.
- The Luma mesh router system. See their pledge.
- According to this article the Netgear Orbi mesh router system does self-update. However, the Orbi WiFi System User Manual dated August 2019 says nothing about automatic firmware updates. Someone I know who owns an Orbi said that, by default, it does not auto-update itself but that it can do so.
- The Starry Station
- The Almond3 by Securify
- The F-Secure Sense router "regularly and automatically updates its software in a secure manner."
- FRITZ!Box home routers, popular in Germany and Australia, can not only self-update but they (or the ISP or the manufacturer, it's not clear) can send email notification of newly updated firmware.
- Avira Safe Things is router firmware. Its website says: "It will constantly be up to date."
- If you build your own router, as per this article The Ars guide to building a Linux router from scratch by Jim Salter (April 2016), then Ubuntu server can be configured to self-update.
- According to Gryphon their Software and Protection updates occur automatically. Gryphon routers were first shipped in Feb. 2018.
- Untangle, which is high end router software, can self-update
- According to this article the Motorola devices used by AT&T UVERSE automatically update whenever the AT&T management platform rolls out an upgrade.
- As of April 2018, the Mercku M2 mesh router system is on Indiegogo and it's expected to ship in July 2018. This article about it says "Updates are made automatically over the air to keep the M2 up to date in both its features and security" but the Indiegogo page says nothing about self-updating.
- According to a Feb. 2018 article, someone from Netgear claimed that from 2017 onward, Netgear routers have had the automatic update function built in. The Netgear R6400 router can self-update. This was a new feature added around May 2018, give or take.
Consumer Router Alternatives
- My recommended router is the $200 Peplink/Pepwave Surf SOHO. It's a huge step up from consumer routers. See what Peplink has to say about it. My only relationship with Peplink is as a customer.
- Many of the options below can run on generic fairly low end hardware. But, there are many such choices. Jim Salter (an expert) strongly recommends Qotom mini-PCs for these home-built routers. They are cheap, available at Amazon, have a low power draw and lots of ports. He says that a Celeron J1900 or better is fine.
- pfSense is recommended by many, but I have no personal experience with it. On the Oct. 20, 2015 episode of the Security Now podcast Steve Gibson, a pfSense user, described why he likes it: there are lots of features, very flexible NAT translation including dynamic mapping, great flow control, and it includes both an OpenVPN client and server. The software, based on FreeBSD, can be downloaded for free and installed on an old computer as long as it has two Ethernet adapters. Gibson initially used a box from SOEKRIS to build his. On a later podcast, he also recommended pcengines.ch for buying hardware that supports pfSense. It is also sold by Netgate as a hardware appliance. The cheapest appliances all have a single LAN port and no Wi-Fi. In the old days, the cheapest model was the $300 SG-2220. Then for a couple years the cheapest model was the $150 SG-1000. Sometime in 2018, the SG-1000 was discontinued, replaced by the $150 SG-1100 which claims gigabit throughput. On the Feb. 12, 2019 edition of Security Now, Gibson was told by a listener with questions about configuring pfSense that Netgate charges a minimum of $900 for support. His response: Google is your friend. The Netgate tech support page shows the cheapest support option is $1,044 for 36 months. On this site, I have setup instructions for the Pepwave/Peplink Surf SOHO. See also You should be running a pfSense firewall in InfoWorld Dec. 2014.
- The Sophos XG Firewall Home Edition is a fully-equipped software version of the Sophos XG firewall, available at no cost for home users. It needs to be installed on your computer, something like the Qotom and PC Engines devices noted above. It offers malware protection, web security and URL filtering, application control, IPS, traffic shaping, VPN, reporting and monitoring, and much more.
- MikroTik routers have been recommended by techies. I have no experience with them. They run a Linux system called RouterOS which is available for free and runs on many computers. They offer a number of routers for under $100 but the majority of their line is high end. Their hardware is sold at routerboard.com. The $50 MikroTik RB750GR3 hEX Router was reviewed by Doug Reid at SmallNetBuilder September 25, 2017. He found it a very powerful, cheap router that may drive you crazy trying to configure it.
- Ubiquiti Networks normally deals with techies, but in May 2016 they announced a new line, AmpliFi, targeted at consumers. The first AmpliFi product is a router sold with two pre-matched Wi-Fi extenders (not a mesh). It is expected to ship in the summer of 2016. There will be three models, priced at $200, $300 and $350. No idea yet about router security but at least the company has a long history making router firmware. It will allow a single guest network with a maximum number of guests, each of which can be time limited. First look.
- Ubiquiti has a whole line of Edge Routers. The three cheapest models are $59, $99 and $109 (as of Sept. 2019). None do Wi-Fi, so you would need to add wired access points. The OS is called EdgeOS and the User Guide is online. While I have no personal experience with it, many have also spoken highly of the Ubiquiti EdgeRouter Lite that sells for about $100. It has a console port and three Ethernet ports, none of which are dedicated. It does not do WiFi. The user interface may be too difficult for anyone that is not a networking techie. Some have said that the documentation is almost non-existent. Doug Reid reviewed it in June 2017 for SmallNetBuilder.com and warned that: the GUI is still a work in progress, it is not plug and play, tech support is only available from a community forum and QoS kills the performance. On the upside, it is highly configurable, if you know what you're doing.
- I have no personal experience with DrayTek but they seem to be a business class vendor and I have heard good things about them (second hand). Their routers, however, are barely available in the US. As of June 2018, I saw the Vigor-2925n for $260, the Vigor 2926n for $250 (dual WAN, Wi-Fi only 2.4GHz), the Vigor 2926ac for $300 (Dual-WAN, Wi-Fi ac). Cheaper was the Vigor 2912 for $115 (no Wi-Fi, Dual WAN, can connect a 4G modem to the USB port as backup net access). See a demo of the web interface for the Vigor 2926 series.
- DNSthingy is a service ($8/month as of July 2017) for controlling everything about DNS for devices on a LAN. Parental control on steroids, if you will, with adblocking thrown in too. For Asus routers, it is customized firmware with the addition of the DNSthingy service. Or, they will sell you a few Asus routers with their firmware pre-installed. For pfSense, it installs as a service. Or, they will sell you a pfSense box with their service pre-installed. clearOS is also supported. For their Asus firmware, my big question would be if they mirror Asus bug fixes into their firmware. Are they trustworthy? I have no experience with it, but their FAQ says "DNSthingy provides all of the security of a VPN connection" which is clearly not true. Their site offers no details about the company offering the service.
- Cradlepoint makes business routers and they have a couple low end models priced around $200 or so. They seem to specialize in 3G/4G Internet access. The specs of one router say it supports WiFi as WAN but someone at Amazon said they do not support it. I have been very successful with WiFi as WAN on my Pepwave Surf SOHO when my wired Internet access failed, so I consider it an important feature. The cost of tech support is also a concern. I have no first-hand experience with this but people at Amazon have said that you have to pay for tech support even with a new router (here and
The Cradlepoint website does not show the cost of tech support.
According to 3G Store it's about $28/year for their
- OPNsense is a fork of pfSense based on FreeBSD.
- Security Router from Halon Security is based on OpenBSD, with the main differentiator being the single, revision-managed, clear-text configuration file with soft re-configuration and documented security architecture. It competes with Cisco IOS and Juniper Junos. It's free and runs from a USB flash drive or as a virtual machine.
- While I suggest stepping up from consumer routers, you can step too high. Examples of this would be either a device or software billed as UTM (Unified Threat Management) or NGF (Next Generation Firewall). Sophos offers a Next Gen Firewall both as a hardware device and a software download. For their 2015 explanation of what it does see Firewall for dummies - or, what do we mean by a next-generation firewall?. CheckPoint, Sonicwall, Fortinet and Watchguard offer UTM devices. Both UTM and NGF do a lot, require a techie to setup and maintain, are expensive to buy and require ongoing paid software maintenance.
- Darren Kitchen of Hak5 recommends making your own router using a spare PC and Untangle. You can buy a Firewall Appliance with Untangle pre-installed starting at $400. He also recommended Monowall (since discontinued) and Smoothwall. Smoothwall is also used at home by Lee Hutchinson of Ars Technica.
- Jim Salter, writing for Ars Technica, argued in Jan. 2016 that you should build your own router, assuming you are very familiar with Linux and iptables. In April 2016, he followed this up: The Ars guide to building a Linux router from scratch. In June 2016, he pointed out the limitations: "... setting up your own router from a generic server distro isn't a project for everyone. It certainly isn't user-friendly, both during the build process and once it's finished ... it's definitely arcane, with absolutely no hand holding along the way. If you aren't already very experienced with Linux, you'll likely do a lot of puzzled head scratching (and maybe a little cursing). You won't get a super feature-rich build once you're done, either ... you won't have fancy quality of service features, usage graphs, or much of anything else...".
- SmallWall bills itself as a small and lean firewall. It is an outgrowth of m0n0wall, it's based on FreeBSD and runs on low end x86 hardware. You can download it for free (the ISO is only 23MB) or buy it pre-installed in a box for as low as $250. At that price, Wi-Fi is not included, but a supported Wi-Fi card can be installed into the box.
- IPFire is an Open Source Linux Firewall available both as software only or as a hardware appliance. IPFire was designed to be modular and flexible. The primary objective of IPFire is security. Updates are digitally signed and encrypted and can be automatically installed by Pakfire. Users are notified by mail of updates. IPFire is not based on any other Linux distribution, it is compiled from the sources of every included package.
- Just for the sake of completeness, I mention the BSD Router Project. BSDRP is only available as software. It is a free open source router distribution based on FreeBSD with Quagga and Bird. The main goal of BSDRP is not firewalling but routing. If you are looking for a firewall, or for sharing Internet access, the developers of BSDRP suggest m0n0wall or pfSense instead. BSDRP does not have a Web interface, it is configured from a command line. BSDRP is not intended for home use.
- Article: Review: 5 open-source alternatives for routers/firewalls By Eric Geier Sept. 2016. A review of ClearOS, DD-WRT, pfSense, Untangle and ZeroShell.
- Another UTM version of Linux is ClearOS. The website says "ClearOS is an operating system for your Server, Network, and Gateway systems. It is designed for homes, small to medium businesses, and distributed environments. ClearOS is commonly known as the Next Generation Small Business Server, while including indispensable Gateway and Networking functionality." There is a free community edition, a rented home edition, a rented Business edition and a virtual version. It is also available on hardware devices starting at $1,200 without WiFi.
- Slightly off topic are the Xclaim access points from Ruckus Wireless. I say off-topic because they are not routers, just access points (they have a single Ethernet port). That said, if you need great WiFi, Ruckus should be on the short list. I have owned a Ruckus router (don't think they make routers any more) and was impressed with its WiFi. Introduced in November 2014, Xclaim is a new product line for Ruckus. It's their cheapest line. For $90 you get a single band N device, concurrent dual-band N is $200 (see a review). Stepping up to ac WiFi (see a review) costs $250. They are configured either via the cloud or a smartphone app, there is no web interface.
Third Party Firmware
One way to avoid consumer router firmware is to install alternate, third-party firmware.
- The website PrivacyTools.io recommends three Open Source router firmwares: OpenWrt, pfSense and LibreCMC.
- myopenrouter.com is devoted to open source router firmware on Netgear devices. According to Jim Salter, writing in Ars Technica in May 2017: "Netgear directly runs myopenrouter.com, where they actually collaborate with open source developers who are adapting builds of open source firmware for installation on Netgear routers. This is extremely cool, not least because it means that you can install firmware from myopenrouter directly onto a supported Netgear router using the router's own Web-based interface. It's certainly possible to install DD-WRT or OpenWRT on a non-Netgear consumer router, but it's generally a giant pain in the ass and a good way to potentially brick your router."
- In The Router rumble: Ars DIY build faces better tests, tougher competition (Sept. 2016) Jim Salter wanted to test the x86 build of DD-WRT, but found that it hasn't had a stable release for 8 years, the last stable version wouldn't boot and the newest beta was mind-blowingly awful, both in terms of performance and bugs. He also tested DD-WRT on a Netgear Nighthawk X6 where someone named Kong curates the builds. The Kong builds were good, the raw beta builds were buggy as heck. The Kong builds also install easily and safely and did well in performance tests. But, Salter notes "you're depending on some semi-anonymous person named after a movie gorilla to keep up with vulnerabilities, comb the bugs out of your firmware, and resist the urge to sell you out to the NSA."
- How to Choose the Best Firmware to Supercharge Your Wi-Fi Router offers an overview of available firmwares. By Alan Henry April 1, 2015. There are two approaches to using alternate firmware: install it yourself or buy a router with it pre-installed. The article notes that Buffalo sells routers with DD-WRT pre-installed. So too, some VPN providers sell routers with open firmware and client software for their VPN.
- Note, however, that the title of the article above refers to supercharging a router, not making it more secure. Craig Young of Tripwire, an expert on the subject, said in April 2015: "... alternative open firmware ... is not necessarily ... any more secure or even more frequently updated than commercial router firmware. Back in 2012 I submitted a report to DD-WRT while testing a D-Link device running DD-WRT v24-sp2. The bug report is still open 2.5 years later. The advantages for an advanced user include the ability to have enterprise style features on consumer hardware as well as to fix bugs for themselves, remove unwanted services, and truly lock down the router. For the non-technical user however the benefits are far more limited and the difficulty to configure the system is far greater."
- In a December 2012 article at SmallNetBuilder, ASUSWRT-Merlin Reviewed, Scott DeLeeuw wrote: "The dirty little secret of alternative firmware is that the open source drivers it must use aren't always the best. This is particularly true of wireless drivers, where chip manufacturers work closely with their customers to squash bugs and tweak performance ... DD-WRT and Tomato add a wealth of features, they usually introduce problems of their own along with potentially lower performance." For ASUS routers, he much preferred ASUSWRT-Merlin firmware by Eric Sauvageau.
- Tomato was replacement firmware for the Linksys WRT54G/GL/GS, Buffalo WHR-G54S/WHR-HP-G54 and other Broadcom-based routers. The last release was in June 2010. See Wikipedia.
- Tomato by Shibby is from Michal Rupental
- AdvancedTomato adds a new user interface to Tomato by Shibby. It supports 26 routers as of Feb. 2016.
- OpenWRT is a Linux distribution for embedded devices such as routers. It offers a writable filesystem with package management. See What is OpenWrt? by Jack Wallen.
- In May 2016, the LEDE project formed as a spin-off of OpenWRT. It too, is an embedded Linux distribution that makes it easy to build and customize software for wireless routers. LEDE stands for Linux Embedded Development Environment. See Router hackers reach for the fork: LEDE splits from OpenWRT. However, as of January 2018, the LEDE project has been amicably merged with OpenWrt under the OpenWrt
TOR and VPN Client Routers
- InvizBox, based in Dublin, Ireland, offers two routers, the InvizBox 2 and the InvizBox Go. Each comes in two flavors and is sold with a year or two of VPN service from IP Vanish. Documentation from the company is very simplistic and, to a techie, useless. They promise all good stuff without any details on what it actually does. They wrote an undated blog about competitor Keezel.
- First generation: called InvizBox has been discontinued. It supported Tor rather than a VPN. It was based on OpenWRT and was first released in March 2015. It used Ethernet for Internet access and had a second Ethernet port. It was reviewed by Daniel Aleksandersen in Feb. 2016: InvizBox review: Tor anonymity in a box (last updated Sept. 2017). It was open source.
In March 2015 it cost $39. In Jan. 2016, it was $49 or $99 with a year of VPN service. On April 19, 2016, it was $139 with 12 months of VPN service from an unknown provider. On Aug. 14, 2016 it was $109 with a year of still-mystery VPN service. In Jan. 2016 it was expected to ship Feb. 2016. On April 19, 2016, it was to ship in April 2016. On May 8, 2016 it was expected to ship in May 2016. On Aug. 14, 2016 it was expected to ship in early July 2016. On Sept 16, 2017 it sold for $49 with just Tor. By March 2018, it was gone.
- Second generation: The InvizBox Go is a portable VPN router that also features ad blocking, can act as a Wi-Fi extender and a power bank. It does not seem to do Ethernet. The website says it also supports Tor. On Sept 16, 2017 it cost $139 with one year of VPN service. On March 24, 2018 it cost $160 with one year of VPN service from IP Vanish or $200 with two years, or $120 with 2 months. It was on Kickstarter.
- There was a Kickstarter for the third generation, called InvizBox 2 that was to end Oct 17, 2017 with estimated delivery of April 2018. It gets plugged into an existing router via Ethernet. Setup instructions for the InvizBox 2 make no sense: "Connect it to your home router and that’s it. The setup is complete. Simply connect your laptop, phone, smart TV or any other device over WiFi or wired connection. All of your Internet traffic is now encrypted, ensuring your privacy and security." Not sure if it does Tor. On March 23, 2018 the regular model was $150 and the Pro version was $220. The difference was not clear to me. Both prices include 1 year of VPN service.
- Hard to get a feel for the Invizbox 2. It was reviewed by Ars Technica Sept. 2019 but the review was short. Their website is all marketing baloney. Greatest thingie ever made. It's a router, Ethernet in, WiFi and a single LAN port out. It can act as both a VPN client and a Tor client. They have their own VPN or you can use it with ExpressVPN, NordVPN, Windscribe, PIA or IPVanish. Prices vary based on the VPN and the number of months of service. If you already have a VPN, the thing is $130. There is also an Invizbox Go, if you can figure out the difference, let me know. IB2 is open source, based on OpenWRT. Made in China but the firmware is flashed in their offices. Firmware self updates using a Tor hidden service. It can create 8 SSIDs but they seem to be locked down in purpose, not really clear. Each SSID can isolate devices so they can not see each other (great). It seems that it can create multiple concurrent VPN tunnels and assign a different tunnel to different SSIDs. I think. It does parental controls and blocks some known bad websites. Company claims to still update software on their first product from 2014.
- The original Anonabox was a Tor router. Its security was shown to be an inexcusable disgrace in April 2015. See Anonabox Recalls 350 'Privacy' Routers for Security Flaws and Anonabox Analysis. According to the Ars article below, it has no user interface at all, you can never change the password and you can not update the firmware. As of April 2015, it sold for $99.
Anonabox or InvizBox, which Tor router better anonymizes online life? Ars Technica April 8, 2015.
I would rule out the first Anonabox as per the articles linked to above. Take this as a review of InvizBox.
- April 2016: There are now four models of Anonabox. The high end model is the Anonabox Pro and it sells for $100 on Amazon. It uses 2.4GHz Wi-Fi for both input and output (5GHz is not supported). It also has a WAN Ethernet port and a single LAN Ethernet port. It runs, or is based, on OpenWRT (not clear). It can be powered from a USB port, it's not clear if it has an internal battery. The included VPN service is HideMyAss which has been shown, multiple times, to do logging.
(almost) anonymous on the Internet with Anonabox by Roger A. Grimes April 19, 2016. The initial setup described here is very insecure, which is troubling for a device selling security. In addition to being a TOR client, you can also set yourself up as a TOR exit node or even run your own .onion website.
Review: Anonabox Pro Tor And VPN Router Review by Josh Norem. April 29, 2016. He tested the top of the line Pro model. "...all of the issues we've seen brought up in other reviews have been fixed or addressed in the most current form of the Anonabox." The VPN service is free for 30 days. Can use it as a secondary router by plugging an ethernet cable into a LAN port on your router and the WAN port on the Anonabox. Then, use the LAN port on Anonabox for a computer. Anonabox also does WiFi N. The instructions may not be completely clear to users with minimal networking experience. Local administration is HTTP. A single click connects to TOR. User interface is for techies. Tech support is good.
- The Tiny Hardware Firewall was endorsed by Leo Laporte, a.k.a. The Tech Guy. There are three models, sold by the vendor for $30 or $35. The smallest model has no Ethernet ports (it's too small), the other two models have an Ethernet WAN port and an Ethernet LAN port. A big limitation is that it works with only one VPN provider, HotSpotVPN. Purchases come with one year of VPN service. Expect to pay about $91 for the second year of service. Laporte warns that it can take 5 minutes to boot up. He also claims that it can engage both the VPN and TOR at the same time. These are low end devices, Ethernet is 100Mbps, WiFi is G and N.
VPN Client Routers
When most consumers encounter a VPN router, they are dealing with a router that can function as a VPN server. Much more interesting, to me, are the few routers that can function as VPN clients. That is, the software necessary to connect to a VPN server, is built into the firmware of the router. Very few routers, running the software they shipped with, can function as a VPN client. However, alternate firmware, such as DD-WRT and Tomato, do include VPN client software. Complicating things, however, are the multiple types of VPN.
An excellent article on the subject (best I have seen) is VPN Router – Ultimate Guide (Setup, Tests, Best VPN Routers) by Sven Taylor of RestorePrivacy.com (Dec. 2017). HowToGeek wrote about using VPN client software on a router in July 2016. PC magazine has their opinion of the Best VPN Routers of 2018 (last updated Nov. 2018) but they only consider consumer devices from Asus, D-Link, TP-Link, Trendnet, Linksys and Netgear. And security is not a strong point: 9 of the 10 support WEP encryption and only 4 support WPA2 Enterprise. Privacy Australia wrote Best VPN Routers (+ Setup Guide) which was last updated July 2019. Wayne Rash wrote If You Don't Use a Business-Class VPN Router, Here's Why You Should for PC Magazine (November 28, 2018). He argues that while a consumer router may support a VPN, it can not match the capabilities of a business-class router.
- On the low end is the GL.iNet GL-AR750 router that comes with OpenWRT and an OpenVPN client. It is sold as a travel router and it's pretty small. It is dual band, with three 100Mbps Ethernet ports, a USB 2.0 port and a MicroSD slot. It is powered by Micro USB and can run off the USB port of a computer. An Amazon user felt the hardware was not powerful enough to run a VPN through it with reasonable speed. It has a WISP mode, which seems to be analogous to what Peplink calls Wi-Fi as WAN. Simply put, it can use a Wi-Fi network as its Internet connection and still provide a Wi-Fi network for your devices to use. See the User Guide from June or Nov. 2017. In April 2018, Amazon was selling it for $45.
- The GL.iNet AR750 was replaced with the AR750s Slate which sells for about $70. It can connect to the Internet FOUR ways: via Ethernet, Wi-Fi, tethering to a smartphone via a USB cable, or a USB based 3G/4G antenna. It's small and lightweight, good for traveling with. It can be both an OpenVPN client and server. The client is compatible with 25 commercial VPN providers. It also comes with a Wireguard client pre-installed. It runs OpenWRT. Dual band Wi-Fi N (not ac). Two GB Ethernet LAN ports. File sharing via a MicroSD slot that has a 128GB capacity. If you are not using a VPN, then it does Cloudflare DNS over TLS. There are two 2dBi antennas that can not be detached. No internal battery. It's not clear if it can be powered from the USB port of a laptop. There is no default password for configuring the router; you have to choose your own at first use. This would be great on a public Wi-Fi network. It would connect to the network, offering a firewall in front of your laptop. Then you could connect to it via Ethernet, letting you disable Wi-Fi on your laptop, making it even more secure. Then, when you add a VPN client connection, your laptop is as secure as possible.
- All three Synology routers can function as VPN clients for OpenVPN, L2TP/IPsec and PPTP. On a related note, they can also be VPN servers for OpenVPN, L2TP/IPSec, PPTP, WebVPN, SSL VPN, SSTP and they support site to site VPN connections too. A Feb. 2016 review by Lester Chan reported that it worked fine with VyprVPN.
- Running Asus firmware, many Asus routers can function as a VPN client. Asus supports the three most popular VPN flavors: PPTP, L2TP and OpenVPN.
- Vilfo costs $429 as of June 2018. It works with many different VPN providers, but it only supports OpenVPN. You can see more at Indiegogo. In March 2018, it was harshly reviewed by Daniel Aleksandersen. The company responded by making 9 changes.
- FlashRouters.com sells many standard consumer routers that have been flashed to run either DD-WRT or Tomato. You pay a premium for this service. They have documentation on configuring their routers to work with many VPN providers and they offer "3 months of basic Internet and VPN setup support from our knowledgeable staff" for free. They support OpenVPN and L2TP type VPNs. Non-techies can provide their VPN provider username and password and the router should be ready to use out of the box. This review, FlashRouters VPN router review: VPN privacy for the whole home by Gary Sims of Android Authority (June 2019) says nothing about the speed hit, so take it with a grain of salt.
- RouterSource.com is much like FlashRouters in that they offer consumer routers flashed to run DD-WRT. In addition, they offer their own router firmware called SABAI OS which was derived from Tomato. They claim SABAI is simple enough for non-techies (I have never used it). Both of their firmwares support PPTP and OpenVPN; they do not seem to support L2TP/IPsec. Their free tech support is for one year. They have a working relationship with 15 VPN providers and 11 others are known to be compatible with their routers.
- ThinkPenguin sells the TPE-R1100 Wireless-N Mini VPN Router for $49 as of July 2016. It has a single LAN side Ethernet port and the Wi-Fi tops out at N. It runs LibreCMC which is based on the Linux-libre kernel and a stripped down version of OpenWRT without the non-free bits.
- Easy VPN Router sells two TP-Link routers flashed with OpenWRT and configured to work with Private Internet Access. As of April 2017, the TP-Link N300 is $60 and the TP-Link AC1750 is $150. Plans are to support another VPN provider in the future.
- The OVPNbox is a VPN router from VPN provider OVPN.se. It is based on pfSense, runs FreeBSD and has a single LAN port. As of April 2017, they only ship to Europe.
- ExpressVPN offers tutorials on configuring their VPN service to work with many routers such as: Asus OpenVPN, D-Link L2TP, FlashRouters DD-WRT, FlashRouters Tomato, DD-WRT OpenVPN, Tomato OpenVPN, Sabai OpenVPN and more. They also offer their own routers and an app that can be installed on some routers. An Oct. 2016 review of a Linksys router with ExpressVPN pre-installed noted that you can disable the VPN per device but individual devices cannot use different servers.
- VPN provider Witopia sells a CloakBox VPN Router that works with their service.
- VPN provider BlackVPN used to sell routers that work with their service, but they no longer do. However, they do still support routers running DD-WRT, OpenWRT, pfSense and anything that supports OpenVPN.
- VPN provider TorGuard also sells DD-WRT routers pre-configured to work with their service.
- VPN provider StrongVPN sells routers that work with their service.
- VPN provider VyprVPN has their own app that can be installed on routers running Tomato.
TOR Routers
A word of warning about running Tor on a router from Matt Casperson: "Tor is only as secure as those applications whose data it is transferring, and one of the benefits of the Tor bundle is a browser that has disabled a number of plugins that are known to leak identifiable information."
- Asus routers running the Merlin firmware can connect to Tor. According to Matt Casperson, they can route some connected devices through Tor while ignoring others.
- Onion Pi is a Raspberry Pi-based TOR router that sells for about $70. You have to install TOR yourself.
- Article: How to Anonymize Your Browsing with a Tor-Powered Raspberry Pi Hotspot by Thorin Klosowski (March 2017). First you turn a Raspberry Pi running Raspbian into a Wi-Fi hotspot, then you install Tor on it so all the traffic that goes through the Pi is anonymized.
- Privacy On Top is based on OpenWRT and from a company called Open Netware. It creates two Wi-Fi networks, one of which goes through Tor. It can be purchased pre-installed on a handful of routers.
- The Personal Onion Router To Assure Liberty (PORTAL) is a build-it-yourself TOR router. It is not a hardware product that you can buy, rather, it is software that needs to be installed on a limited number of supported routers. See A portable router that conceals your Internet traffic at Ars Technica Aug. 2014. An updated product release was expected at the end of April 2015 but as of the end of May 2015, there has been no sign of it.
- The PogoPlug Safeplug is also a TOR router. Consumer Reports liked it, but a more trustworthy source (which I have lost track of) said the security it uses stinks.
- The Cloak router was to be a cheap router with two networks: one that is normal and one that sends all traffic through the TOR network. It will run a modified version of OpenWrt. This could be a great solution, but the website (as of May 26, 2015) says nothing about whether it is now available or when it may become available. Update Oct 22, 2015: the website has not been updated in months, it seems the project has been abandoned.
Just Released Routers
Hot off the router presses.
- The Portal router is hard to classify. Its main claim to fame is improved use of the 5GHz frequency band. By adding new hardware and software, the router will offer additional channels in the 5GHz band, which should come in very handy in areas with many Wi-Fi networks. I mention it here because this new device was also touted as having some interesting security features: intrusion detection (not explained anywhere yet), 2 factor authentication for the web GUI, and a new take on Guest network security. Later documentation on the security is incomprehensible to me:
-- Portal combines the security and privacy capabilities of iOS or Android devices with those of WiFi
-- Portal protects your family’s privacy with things like continual intrusion detection, geo-fencing and ID obfuscation
-- Cloud-based authentication provides Portal users with improved security, including dynamic, adaptive guest virtual access.
-- It creates virtual networks for individual guest users
Too soon to tell if this is miserable documentation or if they are selling snake oil. As of Oct 14, 2016, the page on their website that is supposed to explain how it works is non-existent. The firmware for this router is very new; from their website it seems that the ability to create a Guest Network was rolled out Oct 1, 2016. The firmware is based on OpenWRT and setup is done via a mobile app and Bluetooth. An early review appears to be a press release in disguise. It says the router is pretty and that it creates a mesh network, despite being a single device. Now that's a trick! Photos show that the LAN ports don't have LED lights, which I take as a bad sign. The antennas are internal (to make it pretty). It was expected to ship in late summer 2016 but actually shipped in early Oct. 2016. As of Oct 14, 2016, it cost $200 at the only available outlet, Amazon.com, which said it usually ships in 1 to 2 months. portalwifi.com
- Most of the press around Luma has to do with its mesh network, but the company is also touting security. They claim to constantly monitor "for viruses that try to infiltrate your network". Another security claim is: "Luma alerts on unknown devices that attempt to join your network and can be configured to block them". No details however are provided. It should also have parental control that can monitor network devices in "real time" and set per-user Internet use limits and content level policies. Finally, it claims to: "identify if there are devices on your network with weak passwords and can alert you if it detects that a computer is infected with malicious software". We'll see. There is no web interface, just a smartphone app (iOS, Android). As of March 13, 2016 it was scheduled to ship in Spring 2016. It actually shipped around July 2016. As of Aug. 2016 a set of three is $350 and a single one is $150. The SNB review at the end of July 2016 said the price for a three-pack was $400. Early reviews say it's not fully baked. When doing initial setup from a smartphone app, they require location services to be enabled on the phone. Not good. If the router is off-line it can not be configured. As of late July 2016 the router does not report its own firmware release number. WPS is not supported. The only supported WiFi encryption is WPA2-AES PSK.
- NetSequre (formerly Genie) is a router from Open Netware focused on security. For example, it creates two WiFi networks, one for adults and one for children. It also offers phishing and malware site protection, Online Child Safety, ad blocking and anti-tracking. And, it self-updates. Initially, it was a single WiFi N router sold in India. Now, the firmware is available for over 200 routers including models from TP-Link, D-Link, Netgear, Linksys, Belkin, Asus and more. There are two versions, one for low end hardware with fewer features and one for faster hardware with more features. Downloading and installing the firmware is free. The yearly cost of ownership is $18/year and $23/year with a free trial of 3 months.
Coming soon. Maybe.
A number of security devices are planned. Some are routers, others sit between your router and modem and yet others can plug into a router. These upcoming security devices are getting some press attention. See These Devices Are Trying To Secure The Internet of (Hackable) Things by Lorenzo Franceschi-Bicchierai (Jan. 8, 2016 at Motherboard). This list is in no particular sequence.
- The Avira SafeThings is router firmware "which vendors can integrate into their products or that consumers can purchase as a complete offering from us directly." It's chock full of sexy buzzwords; Avira calls it "an ecosystem: a platform as a service solution installed on the router, an AI-driven behavioral threat intelligence cloud platform, together with a user interface that enables users easily know what is going on within their home network ... a disruptive technology in an exceptionally easy-to-use package to secure the smart home." It will automatically discover and profile connected smart home devices and identify normal behavior for each device so that it can flag anomalies. It does cloud too which means it phones home with info about your network. A router with it is scheduled to be released later in 2018 and Avira is trying to get ISPs to pre-install it. We have already seen McAfee and Trend Micro embed security software in routers. See Avira SafeThings™ WiFi Router will provide comprehensive protection for smart homes against cyber threats by Avira February 22, 2018. As of Jan 2019, the router had not yet been released, but you can pre-register. Pricing: 179€.
- OLD: The Flter router plans on offering Tor, its own VPN service and VPN client software for use with any VPN provider. It is a Kickstarter project that was launched in February 2017 and is expected to be released in June 2017. It will also block malicious ads. Its VPN client will support OpenVPN, OpenConnect and L2TP/IPsec. Flter is a 4-person company founded in 2015. This has been replaced by Beam, see below.
- Beam is a second generation secure router from the Brooklyn, New York company that started with Flter (above). The company is now (June 2018) called Passel and has 5 employees. They also have their own VPN service called Forcefield. Beam is an IndieGoGo project set to expire June 30, 2018. As of a week beforehand, they had raised $256,000. Their goal was only $30,000. Beam is a VPN client router using, by default, their own Forcefield VPN. It should work with other VPN services too. Their VPN service can be used on your devices when traveling. The Beam router supports VLANs, access point isolation, MAC address spoofing and it can force all devices to use its configured DNS servers. You can let some devices bypass the VPN in the router. It will also offer Tor and they say it will self-update. Beam will scan your network for vulnerabilities and alert you on how to fix them. It shares intrusion attempts with other Beam routers. It can block IP addresses and even block entire countries. It also blocks ads and lets you disable IPv6. As of June 2018, estimated delivery is October 2018. See also Beam: An Advanced Home Router with Security and Privacy Features from Encrypt The Planet (June 8, 2018).
- Originally expected to ship in Jan. 2017, the Betterspot router was supposed to support Tor and a single VPN provider. It is from a Canadian VPN provider, Betternet. It is designed to be a second router, that is, to plug into a LAN port on an existing router. It will only work with their VPN as it uses a proprietary protocol. The VPN service is $5/month or $30/year. The box is $100. They claim it will self-update. A prototype was reviewed Sept. 19, 2016 by Simon Hill of Digital Trends. It can only be configured with an iOS app, but Android and web interface are planned. Note that the Betternet VPN service was dinged for miserable security in January 2017. See here. As of early August 2017, it had moved from KickStarter to IndieGoGo and the expected ship date was August 2017. As of March 2018 it is not available, but judging by Amazon.com comments, it was available.
- German made eBlocker offers ad blocking and tracker blocking. Quoting their website: "eBlocker is a smart device that anonymizes your online behavior. It blocks all ads, stops all trackers, hides your IP - and lets you surf truly anonymously - on ALL your devices." It is not clear how they hide your public IP address. They mention TOR in their FAQ, but the description makes no sense to me. Initially it only worked with HTTP websites, now it also supports HTTPS, which may be a bad thing; I could not find a detailed explanation of how they intercept TLS. Rather than putting eBlocker in front of your router, you plug it into a LAN port. This means it must be doing ARP spoofing on your LAN to pretend to be your router. There are two versions of the product, Pro and Family. Pro is the simpler version; the Family version supports parental controls and different users, each with their own profile. This requires each person to log on to the eBlocker using a personal PIN. It self-updates its list of bad stuff daily. It started as a Kickstarter project. In Jan. 2016, the product was estimated to ship in the second quarter of 2016. In Aug. 2016 the Pro version without Wi-Fi was available for $179 and the Family version was $199. Wi-Fi enabled versions of each were expected at the end of Aug. 2016. It came to the U.S. in 2017 and may now only protect Wi-Fi devices (not clear). As of July 2017, the Pro is $219, the Family is $249. After a year, updates are $59/year for Pro, $99/year for Family. You can also download the software for free and install it on a Raspberry Pi or Banana Pi. In Oct. 2018, David Strom said the default menus are in German and you need to know some German to change it to English. He also had trouble getting a new public IP address using it.
- ArmorVPN is a Kickstarter project that ends Sept 20, 2017. It is both a VPN and Tor box that sits between a modem and router. There are two Ethernet ports but it is also portable; an internal battery is claimed to last 8 hours. You can buy it without any VPN service, or it has deals with TorGuard and PureVPN. Any OpenVPN VPN provider should be compatible. Some configuration can be done with a touchscreen. It is expected to cost $70 with an estimated ship date of Jan. 2018. The software that runs on this device is planned to be released as open source once a patent is secured on the hardware. See This VPN box makes privacy and security a doddle from Sept 8, 2017.
- Keezel is a portable VPN device. The output is a secure WiFi network that your devices talk to. The input is another WiFi network, perhaps a public one, perhaps your home WiFi. The device makes a VPN connection over the input WiFi network, giving attached devices access to the VPN. There is no Ethernet port but they claim you can use a USB-to-Ethernet adapter. It is powered either by its internal battery or a USB port. Keezel says they use three different VPN providers but they refuse to identify them. They claim their VPN usage is more secure than normal because their mystery VPN providers don't know the identity of Keezel customers. In turn, since Keezel does not run the VPN, they state that they can't spy on their users. Original design was WiFi G, now it also does WiFi N on the 5 GHz band. For $99 you have to use your own VPN. With one year of VPN service, it costs $129, for two years $169. Shipping was initially scheduled for March 2016. As of April 2016, it had been pushed back to June 2016. As of Sept 1, 2016, an article said October 2016 but their website said Sept. 2016. As of Oct 15, 2016, the estimated ship date on their website was Sept. 2016. I heard nothing about Keezel for two years, then in June 2018, an advertisement disguised as an article showed up on Mashable written by "Team Commerce". This scam article says the thing regularly sells for $600 but is on sale for $450. It includes a lifetime VPN subscription (always a bad idea) to something called Premium VPN. No thanks.
- On Aug. 1, 2017, Karma Mobility announced a new product, Karma Black, that they say will provide "anonymous browsing through Tor, an integrated VPN, black listing, and ad blocking." The announcement said nothing else; nothing on pricing or which VPNs it will support. Availability is planned for September 2017.
- Fortigis does not exist. It is/was an IndieGoGo project from Yiannis Giokas that did not meet its goal. It is/was an ambitious security device that works alongside an existing router. It controls and manages who connects to your Wi-Fi network and alerts you when someone is trying to connect. It includes a VPN client, Firewall, Intrusion Prevention System, Antivirus, and Anti-malware. Maybe it has died? There was no activity on their Twitter feed in May and June 2018. For more see Fortigis - Home Network Security Device from April 2018.
- NOTE: Itus Networks is gone. || Another company front-ending your router is ITUS Networks. In August 2014 they were planning on releasing a product called iGuardian by Feb. 2015. As of Nov. 2015, there was no more iGuardian. The idea was to run Snort, an Intrusion Prevention System (IPS) on top of OpenWRT. It, too, did every good thing in the world, protecting against: viruses, phishing scams, malicious websites, Java, browser, and file exploits. It would also block drive-by-downloads, watering-hole attacks, botnets, data-theft, remote access Trojans, and key-loggers. And, if a computer on the LAN tried to contact a known bad server, that too would be blocked. The product line had 4 devices; as of Nov. 2015, only the WiFi Shield was shipping. There was no date for when the Shield Pro would ship. The Shield Mobile was said to be coming soon. The ITUS Pro was scheduled for release in early 2016.
Default Router Passwords
Other Router Security Advice
This topic was moved on January 1, 2018 to the new Other Router Security Advice page.
Adding a router to a gateway
Add-on Security Devices
Many devices are sold that claim to add security to an existing network. Note three issues with this class of device: (1) A VPN running on a device on your LAN should be able to bypass whatever restrictions and/or protections the add-on box offers. (2) These devices play in the sandbox of a single VLAN. (3) If you are trying to block children from doing stuff, they can use the 4G/LTE Internet connection on their phone to bypass restrictions on your LAN.
The Fingbox is a networking device that you plug into a LAN port on your router. For it to babysit all the devices connected to the router, it has to be futzing with ARP and making itself the default gateway. If you use VLANs, you need one for each VLAN. Some routers block some features. It collects data about your network activity and sends it to Fing. So, people who want security get more surveillance. Features: block kids from using the Internet during dinner time, notify you of new devices on your network, block new devices by default, notify when a device leaves the network, block any device from accessing the Internet, it detects any nearby WiFi device, even those not on your network (is Billie home yet?), bandwidth analysis, Wi-Fi signal strength analysis, test Wi-Fi and wired speeds, detect evil twin networks and report on WAN side open ports in router. Notifications are by an alert on a mobile device running the Fingbox app and/or by email. No texts. It also has a network vulnerability test. It can detect whether UPnP or NAT-PMP are enabled in the router, and, if so, it reports on the ports that were opened by UPnP and can also close these ports. It was discussed on Episode 745 of the Mac Geek Gab Podcast (Jan. 21, 2019).
See the June 2018 User Guide and the March 2018 User Guide.
History: It first became available in October 2017. It was reviewed in Dec. 2017 by Doug Reid for SmallNetBuilder.com. As of Jan. 2019, it cost $99; in Dec. 2017 it cost $129.
Perhaps the first such home network security appliance was the Bitdefender box. David Strom reviewed it in June 2015. At the time it cost $199 to purchase and $99/year to own. In August 2017, it was reviewed by Doug Reid at SmallNetBuilder.com. The box has two 100Mbps Ethernet ports and 2.4GHz Wi-Fi and includes a Bitdefender software subscription. However, it only inspects outbound traffic and is hard to install. It needs to be the DHCP server for the LAN and it sets itself as the default gateway, even when working with an existing router. Outbound connections are checked by the Bitdefender cloud. If a URL is considered malicious, it is blocked and a message appears in the mobile app. It also scans the LAN for devices with security flaws. The box does not detect DoS attacks either incoming or outgoing. At the time, it sold for $130.
Sometime in 2018 they released a second generation, the Bitdefender BOX 2, that sold for $180 to $200 with a 1 year subscription (still $99/year afterwards). The company offers 24/7 Setup and Tech Support for free at 800-804-4602. You must create a Bitdefender account. It includes their antivirus/security software for an unlimited number of Windows, MacOS, Android and iOS devices. It also includes Bitdefender VPN to use on Windows, Android, macOS and iOS. The free VPN offers 200MB of daily traffic per device. They sell a higher end VPN product for an additional fee. Three configurations are supported: with an ISP-supplied gateway, with a modem and an existing router, or, with just a modem, in which case the Box functions as the only router. They prefer using it with a modem and existing router in which case the Box does DHCP. It works with most routers, not all. It will notify in the mobile app when a new device connects to the LAN and it can control what that device can do. It self-updates and re-boots in the middle of the night to install new firmware. It offers Parental Controls, blocks bad URLs, scans for network security flaws and alerts about malicious activity. See their comparison with Cujo, F-Secure SENSE and the Norton/Symantec Core router. As of Jan. 2019, it was available in the US, Canada, Japan, France, Germany and Romania.
The Trend Micro Home Network Security box plugs into your router via Ethernet. In Jan. 2017 it cost $400 which included a two year subscription. In Sept. 2017 it cost $300 with a two year subscription. In May 2019 it cost $110 with a one year subscription. If you don’t purchase renewals the device will simply stop working. The vendor says it "provides protection against cyber-attacks for every Internet-connected device in your home." An Intrusion Prevention System blocks network attacks. It checks for default device passwords. It prevents downloading of dangerous files. It has assorted Parental Controls. It can disconnect unwanted devices from your Wi-Fi network. Ethernet? None of your business. It can tell you when the kids are home. As of Jan. 2017 it assumed all HTTPS websites were safe. A Dec. 2016 review said it does not scan incoming email attachments for malware, does not filter out spam and does not check for malicious web links in real time. An Oct. 2017 review noted that you can not use port forwarding with the thing.
Firewalla plugs into a router LAN port via Ethernet to offer security, monitoring, ad-blocking (based on ad serving domain names) and parental controls. It is from a new company started by former executives at Cisco. There are two models, $109 for 100 Mbps Ethernet or $179 for faster Ethernet. See the differences. There are no monthly fees. You can squeeze some more performance out of it by picking which devices are monitored. It claims to protect your network from viruses and malware, and if so, is a rare product offering that for free. It can notify you when a new device joins the network and the notice lets you block the new device. It can also notify you when an offline device it has seen before comes back on-line, or when a currently on-line device goes off-line. It does intrusion prevention, both IDS and IPS. It does both internal and external vulnerability scans and self-updates. It runs a full Linux distribution and includes an OpenVPN server which could save the cost of a VPN service. It looks for unusual uploading behavior and has hourly, daily and monthly bandwidth usage reports (for each device?). It can track bandwidth by domain. It can show every single IP connection for a monitored device. It offers outbound firewall rules. As for privacy, it continuously monitors your network and phones home about what is going on. Quoting: "Firewalla uses deep insight and cloud-based behavior analytics engines to actively detect and automatically block problems as they arise." Parental controls show what kids are doing and let parents cut off all net access, or block just gaming or social networks. It can block adult websites. It uses either ARP poisoning or DHCP to intercept traffic and thus is not compatible with all routers. It is administered with a mobile app (no web UI) that can be used anywhere. It was reviewed in July 2019 by Kevin C. Tofel and in March 2019 by Neil J. Rubenking. See its history of firmware releases.
Cujo sits between your router and modem (logically or physically) and offers security protection (but no privacy protection). It is billed as a smart firewall. The original plan was for it to offer firewall, anti-malware, antivirus, deep-packet inspection and machine learning protection. Only some of these features were in the first release. Steve Gibson pointed out in July 2016 that it can run in either Gateway mode or Bridge mode. The new mode lets it plug into a LAN port of your router. So, how does it then intercept LAN traffic? It does an ARP spoofing attack on your LAN. Quoting the company "We send packet header data (but not full packets) to our cloud to analyze device behavior, compare your traffic to commercial threat intelligence feeds, and to make sure that unauthorized IP's do not connect to your network." And, this: "CUJO analyzes your local network traffic data locally and in real time. It then sends statistics on that data to the cloud for further analysis ... we don't send the contents of those packets to the cloud. If a threat or suspicious activity is detected, CUJO will tell the cloud what it has blocked so you can receive a notification on your mobile app to confirm it." The pre-order price was $99 and the first models were expected to ship in March 2016. Then May 2016. The devices actually shipped in July 2016 for $99 with 6 months of service included. Afterwards, service is $9/month. SmallNetBuilder first reviewed it in Sept 2016, then again June 2017. See CUJO Smart Internet Firewall - Second Look by Doug Reid. In the cloud CUJO keeps track of bad IP addresses. It is also aware of normal device behavior. It has been reported that Spectrum will start using Cujo sometime in 2019. In March 2019, Talos found 11 bugs in the device.
Dojo plugs into your router and watches your network for security issues. There is a companion smartphone app, of course. Dojo is a rock/pebble looking thing that glows different colors to indicate current status. On June 1, 2017, TechCrunch wrote: "All traffic on a home network has to be routed via the Dojo for it to be able to see what's going on ... and perform its anomaly detection function ... You'll also need to be comfortable providing a third party company with data stream visibility of your home network."
History: Pre-orders started Nov. 2015 for $99 with a year of service. The estimated price then was $199 with a year of service. The first devices were expected in March 2016. As of May 8, 2016 there was no expected ship date. In August 2016, Dojo Labs was purchased by BullGuard.
On Oct 15, 2016, Amazon.com said it was unavailable.
In January 2017 it was reported that Dojo would be available in the US in mid-April 2017.
By May 2017, there was a new Amazon page that on Jan 21, 2019 was selling it for $99.
On May 31, 2017 Wired did a puff piece about it saying it went on sale that day for $200 (including the first year of service). The ongoing charge, after the first year, will be $99/year. As of Jan 21, 2019 it was being sold by Bullguard for $200 with a free lifetime subscription service.
Recon Sentinel is a small box that plugs into a router and "automatically finds everything that is connected to your network." Their press release: Cigent Announces Availability of Recon Sentinel, Allowing Small Office and Home Office Users to Fight Back Against Cyber Attacks (June 11, 2018) is all fluff. It begins: it "adds a layer of detection and defense above and beyond traditional antivirus, antimalware, and firewall solutions ... adds endpoint security that keeps users from losing their data once a breach does occur ... detects and block nefarious behavior ... constantly looking for signs of intrusion or other cybercriminal activities ... uses sophisticated deception technology to identify hacking activity." Its costs $150 for the first year and $100/year thereafter. It is only available directly from the company.
Add-on Security via Router Firmware
In January 2018, Netgear announced a forthcoming security subscription service for their routers called Armor. Basically, it is Bitdefender antivirus running in the router. There is a 90 day free trial; thereafter it will cost $70/year. As of July 31, 2018, it was available for only two Netgear routers, the R7000P and the R6900P. As of Jan. 2019, it was slated to "soon" be available on the Orbi AC3000 model RBK50 and the Orbi Voice AC3000 model RBK50V. The list of features is long, perhaps too long. My favorite feature is that it dings the router administrator when a new device joins the network and lets the admin block the new device. It also claims to block viruses, spyware, spam, phishing and bad websites. Netgear claims it will scan your LAN and report on connected devices with vulnerabilities and weak passwords. We'll see. The subscription lets you install Bitdefender security software on your Android, iOS, Windows, and Mac devices. Your network can be remotely managed at armor.netgear.com. I have not seen a single review of the service. Note that a similar service from Trend Micro, used inside Asus routers, had been found to spy on you.
Owners of the Eero mesh router system can pay an extra $10/month for added security called Eero Plus. They have partnered with a few companies to offer assorted security features. From Zscaler they get a database of threats to protect you from malicious websites with viruses, phishing scams, and more.
It claims to block everything bad: ransomware, malware, viruses and ads. It also watches out for unknown or suspicious domains. It lets you download Malwarebytes on up to 3 devices. It can control what your kids can access. They partnered with the 1Password password manager. Paying for the service gets you VIP tech support from Eero. Finally, it lets you install the encrypt.me VPN (formerly known as Cloak) on your devices (it does not run in the router). Eero Plus costs $99/year, the same price as the VPN service by itself (assuming unlimited bandwidth).
Press release: D-Link Wi-Fi Router Powered by McAfee Will Automatically Protect Connected Home Devices, January 8, 2018. The D-Link AC2600 router is expected to be released in the second half of 2018 at an unknown price. It will feature security by the McAfee Secure Home Platform that will monitor the network for malicious activity, whatever that means. It will also monitor the network activity of individual devices for threats such as visits to malicious sites. It will notify you when a device on your network does not have antivirus software installed. It will have parental controls that can restrict activities by device, including the types of websites visited and times of day that Internet access is allowed. Parents can monitor their kids' online activities.
Some Asus routers include security software from Trend Micro. I wrote Asus router warnings on privacy and security on May 5, 2017. This was based on Review: ASUSWRT router firmware by Daniel Aleksandersen (created in May 2017, last updated: Nov. 2017). It focuses on the data leakage to Trend Micro by their software running in Asus routers.
Likewise, some TP-Link routers also include Trend Micro software, marketed under the name HomeCare. The software adds antivirus and malware protection, and malicious site blocking to the firmware. It was initially released for the Deco M5 mesh system and the Archer C5400, C3150 and C2300. They also claim it will quarantine a previously infected device that joins the network.
Securifi's Almond Routers Get Subscription-based IoT Device Security Service by Ganesh T S at AnandTech, Jan 4, 2017. A subscription-based cybersecurity thing for routers that focuses more on traffic than on viruses. It claims to report on connected devices with ports open to the Internet (nothing new here) and/or weak login credentials. It also claims to analyze the traffic pattern of connected devices to ensure that popular IoT devices are communicating only with their vendors' servers. It should detect devices whose traffic pattern is indicative of being a botnet member. It can also monitor the websites browsed by selected devices (parents watching kids). My favorite feature: notifications when a new device joins your network. An issue with all these systems is data leakage and the article says: "It must be noted that some of the above captured data is stored in Securifi's servers because they need to send push notifications to the user's smartphone even if it is away from the primary network." After a free trial, the price will be from $4 to $10/month.
Millions of Routers are about to Get a Lot More Secure, a press release, May 9, 2018. Many IoT devices lack basic security and privacy protection capabilities. F-Secure is trying to secure them by offering its F-Secure SENSE product directly to router makers and operators as software. They call it their Connected Home Security solution. It is said to integrate network and cloud security, router security and endpoint protection into a single experience for end users.
Minim, in their own words, "is an IoT platform that enables and secures a better connected home." They will offer an add-on to router firmware that they hope to get ISPs and router vendors to incorporate. Quoting again: "Minim’s self-learning platform employs Quantum Fingerprinting and behavioral models to detect threats before they become problems." They are also partnering with IoT device manufacturers.
Dovado, a router manufacturer based in the United Arab Emirates, has integrated a SafeDNS filtering module in one of its routers.
For the most part, I avoid Parental Controls on this site, but what the heck. Netgear has partnered with Circle to include Circle's parental control software in some NETGEAR routers. Specifically, Circle is available in the Orbi line and 7 different Nighthawk routers (see here and here). You create profiles for each family member and then assign devices to each person. For free you can pause the Internet for specific people, filter what is and is not allowed and view a history of visited websites for each profile. Premium features cost $50/year (as of Jan. 2019) or $5/month. This lets you set time limits, create OffTimes when the Internet is blocked and offers more detailed usage statistics. Circle has to be activated first, then it is managed with a mobile app. They claim all data is kept locally, that nothing is sent back to Circle. It is also available as a stand-alone device. Jim Salter reviewed Circle for Ars Technica in July 2019.
Supposedly Secure Routers
These routers are marketed as being secure. I have not tried any of them (other than Turris).
- The Turris Omnia may have been the first router sold for its security features. It is fully open source, both the hardware and software. The OS is based on OpenWRT. It is from CZ.NIC, a non-profit organization that runs the .CZ top level domain of the Czech Republic. I was lent one in June 2018 and my notes about it are here.
- F-Secure is working on a product called SENSE but their website explanation of what the product does is poor. It does every good thing you could imagine, curing cancer and world peace included. Eventually, they called it a secure router and app. In fairness, here is their lead: "Secure your smart home with one device, now and in the future. Sense creates a secure network for all of your connected devices to monitor and protect them through one simple interface. With privacy and security both at home and on the go, you have the freedom to unleash your smart lifestyle." Beats me what the product does. Here's more: "Sense creates a secured Wi-Fi network in your home. Traffic in the network is analyzed by Sense with the help of F-Secure security cloud, where threat definitions are updated in real time. The cloud leverages next generation security features such as machine learning and behavior based threat analysis to give you corporate-level security in your own home, and block attacks before they even happen. Sense also blocks unwanted tracking attempts ..." My concern: like the Trend Micro software in Asus routers, could F-Secure be reading your emails as part of checking things for viruses? Eventually they got clearer: "F-Secure SENSE is the combination of a smart security router, an advanced security app and industry-leading cloud protection." There is no web interface, and no system that depends on a mobile app can ever be really secure, in my opinion. Sense does not include a VPN or Tor but they plan to integrate their VPN service in the future. As of Aug. 2017 it does not support a Guest network, but that is planned. Considering the security offered by a Guest network, it makes me question their competence. It includes software for Windows and Macs. See the Quick Guide PDF, their Twitter account and their firmware release history.
As of Nov. 2015 they were taking pre-orders with an estimated ship date of Spring 2016.
As of Oct 2016, they were still taking pre-orders for 200 Euros, which includes a one-year subscription but there was no estimated ship date.
As of May 2017 it was available in Denmark, Finland, France, Germany, Ireland, Netherlands, Norway, Sweden and United Kingdom.
As of July 2017, it was available in the US for $199 which includes the first year of an ongoing subscription that will cost $119 after the first year. The router is said to be usable without the subscription.
As of Sept. 2018 it was still $199 and there is free shipping.
In Jan. 2019 it was $100 at Best Buy in the US with free shipping and a 1 year F-Secure Internet Security subscription for up to 25 PCs or Macs and unlimited Android devices.
Your Questions On F-Secure SENSE, Answered: videos from F-Secure. No author, undated.
Reddit AMA August 2017
F-Secure Sense Review by Brian Nadel of Tom's Guide, Nov 1, 2017. No WPS but support is planned. Ugh. Each Wi-Fi frequency band is required to have a different SSID. Ugh. Does not support static IP addresses. Ugh. No parental controls. Windows software includes a firewall. During initial setup, you "can opt out of having local data about usage sent to F-Secure." F-Secure provides 24/7 phone support.
- Gryphon is a 17-employee startup in San Diego working on "Safe, Secured, and Fast WiFi for Whole House". When they say security, they mostly mean parental controls but it also does Intrusion Detection via machine learning and Whole House Malware Protection (?) with integrated software from ESET. Parents can see the websites kids visit. They claim to block DDoS attacks and monitor IoT devices for unusual network traffic. It should prevent users from clicking on websites with malware and claims to scan network traffic with antivirus tools. It's mesh too. You must set up an account with Gryphon, which is never great for privacy. Documentation is sparse. No website interface, just mobile apps. No WPS support. Great feature: new devices can be blocked from the Internet by default. At least initially, it only offered two SSIDs. I have to assume that kids using a VPN bypass any restrictions in the router. Just a guess.
HISTORY: They have been on IndieGoGo, Kickstarter and Backerkit. Bloomberg wrote about them in Nov. 2016.
Shipping was initially planned for June 2017. In August 2017, shipping was expected in October 2017. In Feb. 2018 they claimed to have "received the first production batch of Gryphons last week and are in the process of shipping them."
PRICING: As of Aug. 2019 a single Gryphon router is $230 from Amazon.com while their website sold it for $219 new and $189 refurbished. They also sell a pair for $399.
In Dec. 2018, a single unit was $200 at Amazon and their website sold a single unit for $220 and a pair for $420. In Sept. 2018, it cost $240 at Amazon for one unit.
In Feb. 2018 pricing at Backerkit was $250 for a single unit and $450 for a pair while pricing at their website was $200 for a single device and $350 for a pair.
Parental controls are free forever but network protection is only free for first year. Then, if you want it, it will cost $100/year.
REVIEW: by James Brains of Business Insider sometime in Sept. 2018. The author admitted to not being techie enough to evaluate the security of the router. So, why does the company give him a router to review? Could they be afraid of a technical examination? Company launched in 2014. He found the parental controls to be "tedious". It's fast. Installation was a pain.
REVIEW: by Brian Westover at Tom's Guide, December 2018. It verifies its firmware at startup. Does intrusion detection (how?).
REVIEW: Gryphon Smart WiFi Mesh System by John R. Delaney for PC Magazine (Jan 2019). Excellent parental controls. Built-in anti-malware protection. No wired backhaul.
- The pcWRT router was initially sold for its Parental Controls rather than security. That said, it has had security features added since it was first released. For $129 (last checked Jan. 2019) you get dual band AC Wi-Fi with Gigabit Ethernet. For $99 you get Wi-Fi N on the 2.4GHz band and the Ethernet is only 100Mbps. There is an online demo of the router interface. It can create four Wi-Fi networks. Privacy is great: no account is needed with the vendor and they say the router does not phone home at all. Some security features are: VLANs, Wi-Fi client isolation, an OpenVPN server and an OpenVPN client, the availability of Wi-Fi networks can be scheduled, you can be emailed when new firmware is available or it can automatically update itself. For the OpenVPN client, if there are multiple VLANs or Wi-Fi networks, you can select which of them are sent through the VPN. It also does ad blocking using the same technology as Pi-hole. An interesting article, How to use your router to block smart TV snooping, talks about the VLAN feature and watching the domains a smart TV talks to and then limiting the domains it is allowed to communicate with. The website says nothing about who created the router, and there is no Contact Us page either. All communication is via a Forum. Documentation is mostly in the blog on the website. There is also a 5 page pcWRT Parental Control Router User's Guide. The router has a checkbox for "stealth mode" but I could not figure out what this does. They have good release notes and a history of firmware releases.
- Bitdefender Box 2 - A May 2018 review in Mashable says that it monitors Internet traffic and provides security alerts but that it does not have a Guest network. It introduces a new hassle, router user profiles. Security features cost $99 a year but it comes with one year of service for $200. It has only one Ethernet port and the website uses a DV certificate, which is a bad look for a company selling a security appliance.
- Roqos strikes me as the Donald Trump of routers. It has every feature ever invented, and it's the best at all of them. They publish a list of features that only Roqos has. It is targeted at service providers, home users and businesses. When initially launched in 2016, the router was $19 plus $17/month for the service. Now (May 2019) it sells for $300 which includes a year of service. It does VPN in and out. Took me a minute to realize that means VPN client and server. They have their own VPN service or it can work with a dozen or so other providers. It can make a site-to-site VPN, as can the Pepwave Surf SOHO. It can block new devices. The big selling point seems to be parental controls and security. The service costs $149 or $249/year for different models. If you don't pay, the router works, but security and parental control signatures are not updated. A Feb. 2017 review in PC Magazine said that if you don't pay, you can't make router configuration changes.
- Norton Core. It was originally $200, but as of mid-January 2019, it was $150. However, according to this story the router has been discontinued.
Router/Network software
- NetworkConnectLog repeatedly scans your local area network (using the ARP and NetBIOS protocols) and adds a new log line every time a new device connects to your network, and when a device disconnects from your network. By Nir Sofer. It is free and portable. Only for Windows. Be sure to check the scan options.
- RouterPassView can recover a lost password from a router configuration backup file, for a limited number of routers. By Nir Sofer. It is free and portable. Only for Windows. It might be able to recover an ISP user name/password, the login password of the router, and wireless network passwords.
- See all of Sofer's network related software.
Assorted Resources