Router Security

119 points by blueridge 7 months ago

11 comments

yjftsjthsd-h 7 months ago
So I think this is mostly reasonable advice, but I do have to question disabling ICMP/ping and IPv6. I'm not aware of any actual attack that ping allows? And IPv6 should be fine if you have a firewall (which I would rather expect any regular COTS consumer router to have). The link on that suggestion describes a very specific problem where your router is also your WiFi AP and uses the old approach of just shoving the entire MAC address into its v6 address, but am I wrong in thinking that it would be weird to see that actually happening in a new router, where new is "still getting security updates"?
neilalexander 7 months ago
Disabling IPv6 in 2024 is bad advice. IPv6 adoption is undeniably on the rise. Better advice would be to ensure that the IPv6 firewall is configured to sane defaults, i.e. allow established/related, drop invalid, reject unexpected, just like you'd expect an IPv4 firewall to be.

Disabling ICMP is also bad advice. If you want Path MTU discovery to work, you need ICMP. If you want to be told about TTL exceeded (which usually shows a routing loop), you need ICMP. If you are uniquely worried about ping for some reason, then block those ICMP type numbers specifically, not the entire protocol.
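
The firewall policy described in the comment above, written out as an nftables ruleset. This is an added example, not part of the original thread; the interface names `wan0` and `lan0` and the table name `router_fw` are assumptions, and IPv4 NAT is left out so that only the filtering is shown.

```nftables
#!/usr/sbin/nft -f
# Added example. Assumed names: wan0 = ISP side, lan0 = home network.
table inet router_fw {
    chain input {
        type filter hook input priority 0; policy drop;

        # Replies, plus ICMP errors conntrack can tie to a known flow.
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        iifname "lan0" accept    # LAN hosts may reach the router itself

        # Block only ping from the WAN, by type, not the whole protocol.
        iifname "wan0" icmp type echo-request drop
        iifname "wan0" icmpv6 type echo-request drop

        # Keep the error types behind Path MTU discovery and TTL exceeded.
        icmp type { destination-unreachable, time-exceeded } accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # IPv6 needs neighbour discovery and router advertisements to work;
        # hop limit 255 proves the packet came from the local link.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } ip6 hoplimit 255 accept

        # DHCPv6 replies to the router's client, from a link-local source.
        iifname "wan0" ip6 saddr fe80::/10 udp dport 546 accept

        # Everything unexpected is rejected rather than silently dropped.
        reject with icmpx type admin-prohibited
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Outbound from the LAN, the same rule for IPv4 and IPv6.
        iifname "lan0" oifname "wan0" accept

        # Unsolicited inbound to LAN hosts: rejected on both address families.
        reject with icmpx type admin-prohibited
    }
}
```

The syntax can be checked without loading anything using `nft -c -f <file>`.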
hi-v-rocknroll 7 months ago
0. Don't use a garbage retail or ISP-provided, closed-source router.

Here's one option:

https://shop.opnsense.com/product/dec740-opnsense-desktop-security-appliance/

1. Suggesting turning off IPv6 is ridiculous security theater. It's a known quantity deployed at scale. Dual stack or turn in your "hacker cred" card now. ;)
commandersaki 7 months ago
So what is the reality with respect to router security?

Looking at https://routersecurity.org/othersgripeonrouters.php some 2019 article headline says "the worst is yet to come."

Virtually all routers do not have an admin interface exposed on the Internet-facing side, more so due to CGNAT. What threats from routers are we seeing in the wild that are actually having an impact?
kkfx 7 months ago
The real main point is: how much control users of commercial routers could have with a reasonable effort (I mean, I know most are GNU/Linux machines, where the OEM sometimes respects the GPL by providing the sources, but there is no easy custom build and ROM flash, with very few exceptions like the little GL.iNet devices).

If the router is just a personal mini-computer with some *nix OS and its config, directly tied to a media converter from the ISP, it's one thing; otherwise it's essentially next to impossible to do most of the reasonable actions, including properly probing the internet side for a small-potatoes audit.

Some countries have mandatory free router choice, like Italy (curiously), where at least the user is allowed by law to run their own router, so ISPs are obliged to give all settings, VoIP included, without making the life of their customers needlessly harder, but that's not true in most countries. Some ISPs (i.e. Orange France) run arbitrary custom solutions to make people's lives harder if they put another router behind the ISP-provided one. People's choice is very limited even for those who would know and want to run their own home/SOHO LAN.
Havoc 7 months ago
I'm much more comfortable using something like opnsense. Router manufacturers seem to just yolo it, judging by backdoors etc. found frequently.

> At some point you will go a year or two, or more, without any updates. That's when it is time for a new router.

Is that good advice? Swapping a mature and patched platform for whatever device with new A.I. enabled half test beta firmware that just got rushed to market?
ajb 7 months ago
I get reducing your attack surface, but to what extent do modern devices still trust the network by default? Laptops and phones have to assume that the WiFi network is not under the control of the user. I guess printers etc assume they are in a trusted network?
janwillemb 7 months ago
Also, use two routers in serial. One is provided by my ISP, the other is my own. The chances of both getting compromised at the same time are lower.
transpute 7 months ago
Wi-Fi router security could be improved by per-device passwords and micro-segmentation, as seen in OSS https://github.com/spr-networks/super.

VLAN for insecure IoT devices is a fallback.
johnklos 7 months ago
It really is difficult to take this seriously when they suggest disabling IPv6. There are already quite a good number of ISPs that use CGNAT for IPv4, which often means that connections die or are intentionally killed in short amounts of time, which can be a huge PITA for certain uses (interactive shells, large downloads, et cetera).

Take Starlink for instance. When on IPv4, you really feel like you're on a janky network that's being rebooted every hour or two. After Starlink enabled IPv6, all sorts of things no longer required babysitting and restarting. The quality difference between IPv4 via CGNAT and native IPv6 is huge and noticeable, even for people who have no idea what's going on behind the scenes.

Perhaps regular people can naively suggest turning off IPv6 because they don't know any better and they believe the FUD they've heard and read about, but if you're putting up a web site claiming to have good advice and you put more weight on FUD over real world experience and solid reasoning, then I'd be suspicious about *everything* they've written.
fulafel 7 months ago
Wow, disabling IPv6? Yeah, turning off your internet may increase security but this is pretty nihilist advice.

Add "disable IPv4" too.