Network security devices

Are there any security devices that you can put between your router and the rest of your network that don't leave you with double NAT?

A hardware firewall perhaps?

Failing that, there's always some old school security - https://ibb.co/k0Gfyp

It is possible to do transparent layer2 (ethernet) firewalling/packet analysis, etc., but it is uncommon. More usually the device would operate at layer3 (IP) and rather than it doing NAT you would add a static route on your router to direct return traffic to the new "clean" network.

For example, if the WAN router had a LAN address of 192.168.1.1/255.255.255.0 you could set the security device input connection to 192.168.1.250/255.255.255.0, default gateway 192.168.1.1 and output connection to 192.168.2.1/255.255.255.0, then add a static route on the WAN router of 192.168.2.0/24 via 192.168.1.250 - all of your clients would have 192.168.2.x addresses and the single NAT is still carried out on the WAN router.

Note that some of the ISP supplied routers have crippled user interfaces so you can't do this, and if they have inbuilt wireless that traffic wouldn't be handled by the device.

Thank you for the reply. Unfortunately the Gigaclear router, which I have to use, does not support static routes.

What I would like is a box that inspects and checks the packets that I send to and receive from the Internet. The box would be updated with the deails of new threats much like anit virus software on a pc.

You could look for a WatchGuard firewall secondhand and use that in 'drop in mode' which uses the same IP address and range on internal and external interfaces and gives full firewall features. Drop in mode is designed to do exactly what you want.

What speed connection are you on? I ask about the speed because if you want higher than about 500Mbps you'd probably need a model with a fan (to be affordable) and that could be an issue for you.

Up to 540Mbps you could use a secondhand XTM 26 (no fan). They can be found on eBay for about £30-40. The XTM 33 (no fan) is similar (about £40-60) and runs out of steam at 850Mbps. A T50 (no fan) would set you back a lot more secondhand but does cope with full Gigabit throughput.

If a fan is no issue, an old XTM 5 series model would cope or the XTM 330.

Avoid anything called Edge or Core, and anything called Xsomething that isn't XTM.

You can look at comparisons of specs at https://www.watchguard.com/wgrd-products/appliances-...

Untangle or Pfsense in bridge mode should do what you want, there are many free or home license versions of UTM's available.
You would need the hardware to install them on which Amazon sell many multi network mini pc type boxes, some even have pfsense already installed.

I note you have gigaclear, if thats the full fat 1Gb connection, the choice of hardware will be important as with all the feature turned on that 1Gb could end up at a tenth of that after all the inspection has been done. Check out their forums for advice.
I use untangle which costs $50 a year for home license as I found it easier to understand.

Edited by Rolandrat (Wed 10-Oct-18 08:27:47)

Thank you very much for a very useful and interesting post. So it is possible to buy something that would do what I am looking for.

In reply to a post by Michael_Chare:

Thank you very much for a very useful and interesting post. So it is possible to buy something that would do what I am looking for.

Indeed it is. Other enterprise firewalls may offer the same functionality too but I'm most familiar with WatchGuard.

WatchGuard's drop-in mode is not the same as bridge mode, you can see what the differences are here

One word of caution; after placing the firewall between the router and the LAN you will need to reboot the router to clear it's ARP cache otherwise computers on the LAN won't see the internet.

How useful would a Watchguard device be if one does not also subscribe to the security suite software? The software is quite expensive just for home use!

It will come with fully functional firewall software - this never expires. You only need a subscription to be able to update it to the latest firmware or add subscription only features such as virus scanning.