network hardware
Igor, 2012-12-27 20:35:28

Recommend a router for a paranoid security guard

In connection with the growth of "wiser" household utensils that can communicate with the Internet (computers, TVs, media players, NAS-storage), the question of controlling this whole disgrace and preventing access to it from the outside arises. Yes, and I want to strangle their excessive chatter according to various protocols. In general, you need to keep an eye on this zoo and allow only what you want.

So the task is like this:

  1. Router for 4 ports (no longer needed in principle).
  2. The inability to control it from outside (only from the local network)
  3. DHCP: Issuance of IP with binding to a specific MAC
  4. Convenient filtering of traffic by protocols, ports, MAC address (this mainly applies to outgoing traffic, but the possibility of convenient processing of incoming traffic is also welcome)
  5. The provision of visual statistics on traffic (volume and for which protocols) is welcomed, both for all traffic in general and with filtering by MAC\IP
  6. Keeping logs to control and identify problems and possible attacks (on one router it was not possible to figure out a similar situation; it did not keep logs).
  7. Wi-Fi is not required. But if it is, the ability to turn it off at any time and filter connected devices by MAC addresses. And certainly set the encryption key and WPA2 support
  8. It would be generally great if it provided the ability to dump the traffic passing through it (in a cap file is best)
  9. Something else that I forgot, but an experienced Khabrovite will advise
  10. I would like to stay within 5,000 rubles, although I am ready to pay more if I deem it necessary


The place where the router will be located is quite small. You cannot put a computer there, so a small box is needed.

9 answer(s)
htaccess, 2012-12-27
@shanker

Mikrotik
RouterBOARD 751G-2HnD

qxfusion, 2012-12-27
@qxfusion

I recommend taking basic models from Cisco if the budget allows

JDima, 2012-12-28
@JDima

General recommendation. Any kind of MAC address filtering is by no means a security measure. Rather, it is a means of causing inconvenience to your loved one. I advise you to waive this requirement.
Traffic analysis and logs - it is better to use netflow and merge it onto a separate machine, which will process the bare data. But are you sure you will watch these logs?
Well, for any hamster router, the principle “everything that is not allowed is closed outside” works out of the box.

Maxim, 2012-12-27
@Bublik

Any device that meets your hardware needs and supports OpenWrt

stan_jeremy, 2012-12-27
@stan_jeremy

What's the problem with buying something like market.yandex.ru/search.xml?text=3Q%20Nettop%20Qoo&mcpriceto=5000 (inexpensive nettop), putting nixes on it and setting everything up yourself?

Andrey Grigoriev, 2012-12-27
@eigrad

Budget self-assembly PC with two network and OpenBSD on board.

4ika, 2012-12-28
@4ika

I have an Upvel router with 4 ports, wi-fi (there is a function for quickly connecting devices like iPads, smart phones, etc. via a pin code), convenient filtering settings both in LAN and WLAN by MAC addresses and IP, protected from DDoS attacks, traffic filtering by protocols is present, but I personally did not configure it, there are graphical traffic statistics, but I will not say that they are detailed. There are also logs ...
The only negative: sometimes my connection to the provider disappears, although everything is written correctly in the settings; it just crashes sometimes and you have to reboot 2-3 times (I do not exclude that it is our provider, but finding out anything from their support is unrealistic). For the price, by the way, they were cheaper than the rest.
PS maybe, of course, I have no idea what kind of routers you are talking about, but according to the requirements, it seems to be suitable.

Vyacheslav, 2012-12-28
@Armann

Asus router with firmware 'from Oleg', for example WL500GP (it is better to look for a list on wl500g.info, you just need to register so that the Russian encoding is not garbled). What is not enough - you can tighten it up, the community is large, many questions have long been sorted out and you just need to find them.

mace-ftl, 2014-12-25
@mace-ftl

file.php?id=165&sid=1088c7be4e5127532d93
