
Network Firewall for $200 or Less

I'm trying to find a good firewall in the $100-200 range that can support a 300 Mbps network with at least 5 users. I've noticed multiple DoS ARP attacks and attempts to remotely access my network from different IPs, definitely over a VPN, as I can't trace a good specific location of the IP, only getting to the middle of local towns, locations that wouldn't make sense. I've even noticed other odd occurrences such as my wireless access point completely disconnecting randomly and things on my phone that I didn't do. Rather than spend money to trace the IP further I'd rather prevent the attacks altogether, plus I'd just like the added security. I appreciate any feedback I can get, and if you can provide some specs of the firewalls or reasoning behind your choice that would also be appreciated. I've attached a picture of a section of the logs from my router. These only show a few of the IP addresses, one of which, 45.37.0.1, I was only able to track to the middle of a town near where I live, not an exact location, and I tried a traceroute and wasn't able to connect; the same goes for most of the other attacks, that one just being the most common IP address, hence my thinking that they are using a VPN. I have a NETGEAR WNDR4300 router, I forget the modem I use but it is provided by Spectrum, a NETGEAR ProSafe GS108 Gigabit Switch, and a NETGEAR WN2500RP access point. Don't like the thought of my packets being stolen.

20190331_031318.jpg


First of all, close all unnecessary access to your network from the outside, and if you need access, set up OpenVPN or similar. That's the best you can do for free to make your network as secure as you can right now without spending money.


Second: I have had problems in the past with someone hijacking a device on my network and trying to hack some random server with my connection, which led to my ISP contacting me about it. Luckily, he was really chill about it and even offered some advice for me, which I will relay to you.


1. Don't look at the logs, you will only get sad :) Computers all over the world constantly ping random IP addresses for potential targets, but as long as you don't have ports open and run decent hardware (as you do), you don't have to worry a lot about it.

2. If you have a public IP and don't need it, get rid of it! That way, the bad guys have to go through your ISP's equipment, and that is way too much of a hassle for most attackers to do. If they can and do it, you have pissed off the wrong guy in Call of Duty :)

3. If you need a public IP, you need some kind of specialized hardware for the job to be relatively safe. Personally, I use UniFi by Ubiquiti, but you could use a custom box with pfSense or something similar (like this: https://store.netgate.com/pfSense/SG-1100.aspx), but there is a caveat: even if you invest in some decent equipment, your ISP is still buying much more powerful and expensive equipment than you, and there is a reason for that. So don't think you can achieve total security (I love using those words, it means nothing lol) by buying equipment meant for a consumer who thinks it is fun to mess around with IT stuff :)


9 hours ago, Fiskelord said:


Thanks for the feedback! I'm aware I can use a VPN, but I honestly just want the added security and peace of mind that my packets are getting where they are supposed to go. The attacks are coming from multiple IPs, definitely using a VPN. My concern, honestly, is I have some ex-girlfriends that would go to the end of the earth to mess up my life, and yes, I admit the ex-girlfriend doesn't seem like the kind of person who would be able to do this, but with as many attacks as there have been there's no telling if they ever actually succeeded, and with no way for me to track their IP past their VPN I won't know who it is either. I personally want the firewall because of the extra layers of security and I can personally control it, not my ISP or anyone else; it's up to me what's going through and the settings I have, and I honestly just want some more cool networking gear. I'm CompTIA certified in a few things from classes I had in high school and I learned quite a bit from them; granted I knew a lot of it beforehand, it was still a good experience. I was looking at some Netgear firewalls that have a built-in VPN on top of some other layers of security. The main thing is that it can support a 300 Mbps connection and at least 5 users. Also I checked out what you linked, but from what I understand many firewalls can only support so much data going through at certain speeds; if you are able to find out what it supports it would be much appreciated.


13 hours ago, Hoodrich Iggy said:


The log entries you uploaded show no signs of anything dangerous; the reason the log entry is there is because your router did its job and blocked the attack. Now, you could go all paranoid and ask "But what about the stuff it doesn't catch?", and I would answer "Don't sweat it." If you go down that rabbit hole, you might as well DC yourself from the internet now :)


Look, I get what you are saying, and if you want a new piece of equipment to play with, go for it! But it is in no way necessary for you to spend that money on your network equipment: you already have a firewall in your router AND on your computer, your router probably already supports a site-wide VPN, and if it doesn't, you can just use one from your computer, no big deal.


I am not sure about the speed, although I think what you are referring to is called deep packet inspection, and yes, that requires some powerful hardware to pull a 300 Mbps connection off. Maybe it says somewhere in a datasheet, I'm not sure; if in doubt, contact them!


34 minutes ago, Fiskelord said:


Thanks a lot, really; most people would just give me a BS answer, tell me something else, or just not know what they are talking about, but I appreciate the time and research you put in to helping out, and again thanks for your input and all your effort. I'll definitely keep looking into my options and do some digging in my router. I totally get what you're saying about "what about what it doesn't get" too, and I agree with what you said; whether my equipment is stopping the attacks or not, either way it's nice just to explore what you can get with all the options out there, from simple security software to business-class server equipment. I mean, ever since I was a kid I was the one who knew the most about it all, and most of the stuff I know I've just learned over the years doing research, watching videos, and reading about it, and just playing with my own equipment; it's a valuable skill to have. Also I appreciate you actually being straightforward and knowledgeable, or at least doing your research before telling me something and not just arguing.


First of all, if you are experiencing ARP poisoning then a device on your network is already compromised. ARP packets are layer 2 and as such cannot be routed (i.e. they cannot be sent over the internet because they are unable to cross network boundaries). Regardless, a firewall in a home setting is very likely not worth the cost or effort; instead I would just double-check your rules for accepting incoming packets and call it a day.

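Two points in this thread lend themselves to a worked example: the advice that logged "DoS attack" entries are mostly blocked background scanning, and the last reply's point that ARP is layer 2, so an ARP-based event can only have come from a device on the local segment. The script below is an added example, not code from the thread or from Netgear; the log lines are constructed and only loosely modelled on consumer-router log style (the 45.37.0.1 address is the one named in the thread, 203.0.113.9 is a documentation address), and the ARP-table snapshots are constructed `ip neigh`-style output. It separates routed scan noise from layer-2 events that point at a LAN device, and it shows the simplest host-side check for ARP spoofing: a gateway whose MAC changes between snapshots, or one MAC claiming several IPs.

```python
"""Triage consumer-router "DoS attack" log lines and ARP-table snapshots.

Routed entries (SYN/ACK scans etc.) are blocked internet noise; ARP entries
cannot cross a router, so their source is always a device on the local LAN.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample, loosely modelled on Netgear-style router logs.
# Not the original poster's log.
SAMPLE_LOG = """\
[DoS Attack: SYN/ACK Scan] from source: 45.37.0.1, port 443, Sunday, March 31, 2019 03:10:02
[DoS Attack: ARP Attack] from source: 192.168.1.23, Sunday, March 31, 2019 03:11:40
[DoS Attack: SYN/ACK Scan] from source: 45.37.0.1, port 443, Sunday, March 31, 2019 03:12:15
[DoS Attack: RST Scan] from source: 203.0.113.9, port 80, Sunday, March 31, 2019 03:13:01
[DoS Attack: ARP Attack] from source: 192.168.1.23, Sunday, March 31, 2019 03:13:18
"""

LINE_RE = re.compile(r"\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<src>[0-9a-fA-F.:]+)")


def parse_log(text):
    """Return one {'kind': ..., 'src': ...} dict per recognised log line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            entries.append({"kind": m.group("kind"), "src": m.group("src")})
    return entries


def source_scope(addr):
    """'local' for private/link-local addresses, 'internet' for routable ones."""
    ip = ipaddress.ip_address(addr)
    return "local" if ip.is_private or ip.is_link_local else "internet"


def triage(entries):
    """Count events per (kind, source) and split layer-2 (ARP) events,
    which originated on the LAN segment, from routed scan noise."""
    counts = Counter((e["kind"], e["src"]) for e in entries)
    arp_sources = sorted({e["src"] for e in entries if "ARP" in e["kind"]})
    routed = sorted({e["src"] for e in entries if "ARP" not in e["kind"]})
    # An ARP event attributed to a public IP is a logging artefact, not a remote attacker.
    inconsistent = [s for s in arp_sources if source_scope(s) == "internet"]
    return {
        "counts": counts,
        "arp_sources": arp_sources,        # LAN devices worth checking
        "routed_sources": routed,          # blocked scans; background noise
        "inconsistent_arp": inconsistent,
    }


# Constructed `ip neigh`-style snapshots; in the second one the gateway's MAC
# has changed to the MAC already used by 192.168.1.23.
SNAPSHOT_BEFORE = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.23 dev eth0 lladdr aa:bb:cc:00:00:23 STALE
"""
SNAPSHOT_AFTER = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:00:00:23 REACHABLE
192.168.1.23 dev eth0 lladdr aa:bb:cc:00:00:23 STALE
"""

NEIGH_RE = re.compile(r"^(?P<ip>\S+) .*lladdr (?P<mac>[0-9a-f:]{17})", re.I)


def parse_neigh(text):
    """Map IP -> lowercase MAC from `ip neigh`-style lines."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def arp_changes(before, after):
    """Report IPs whose MAC changed between snapshots and MACs that now claim
    more than one IP: the usual signs of ARP spoofing on the segment."""
    b, a = parse_neigh(before), parse_neigh(after)
    changed = {ip: (b[ip], a[ip]) for ip in b if ip in a and b[ip] != a[ip]}
    duplicates = sorted(mac for mac, n in Counter(a.values()).items() if n > 1)
    return {"changed": changed, "duplicate_macs": duplicates}


if __name__ == "__main__":
    t = triage(parse_log(SAMPLE_LOG))
    print("blocked scans from:", t["routed_sources"])
    print("ARP events; check these LAN devices:", t["arp_sources"])
    print("ARP table drift:", arp_changes(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```

Run as-is it reports the two scanning sources as routed noise, points at 192.168.1.23 as the only LAN device behind the ARP entries, and flags the gateway's MAC changing to that device's MAC. On a real LAN the snapshots would come from `ip neigh` (Linux) or `arp -a` taken a few minutes apart; the parser above only understands the `ip neigh` layout shown.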
