I have been listening to the Security Now podcast with Leo and Steve since episode 1, and it has had a strong influence on my approach to security and technology.
After listening to the Three Dumb Routers episode I decided to replace the single ADSL/Wi-Fi router solution I was using with a more secure architecture. I didn’t just want the segmentation described by Steve, I wanted increased control and security. Steve had mentioned pfSense a few times, so I started studying it.
I wanted to treat my ADSL service provider's router as untrusted (which inherently it is). So I disabled its Wi-Fi and connected only a firewall to it.
I purchased a small but efficient firewall appliance (pfSense SG-1000), which gives business-grade defense and protects all network access. I then connected it to a gigabit switch (which also segments traffic), to which I attached the cabled outlets and my Wi-Fi access point (in my case a Netgear R7800-100PES Nighthawk).
Setting it up was quite simple. In my case I decided to have two networks: one between my firewall and the ADSL router (we could call this a DMZ, DeMilitarized Zone, the usual name for an untrusted network segment), and my safe home network, handled by the firewall's DHCP server giving out leases.
Initially I also had my wireless access point act as a DHCP server for wireless connections, but I found it too complicated to track which devices were doing what in my firewall log. Having a single DHCP server on the firewall lets you see all device details and activity in one dashboard.
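As an added example (not from the original post or from pfSense itself), here is a small Python script that does what a single DHCP server makes possible: build one device inventory from lease records and flag MACs that are not on the owner's allow-list. The lease lines are constructed in a simplified, single-line ISC dhcpd style, and the MAC addresses and allow-list are made up.

```python
import re
from collections import defaultdict

# Constructed sample leases in a simplified, one-block-per-line ISC dhcpd
# style (not a real pfSense export); the third device has no hostname and
# the first device has held two different addresses over time.
SAMPLE_LEASES = """\
lease 192.168.10.21 { hardware ethernet aa:bb:cc:00:00:01; client-hostname "laptop"; }
lease 192.168.10.22 { hardware ethernet aa:bb:cc:00:00:02; client-hostname "phone"; }
lease 192.168.10.23 { hardware ethernet aa:bb:cc:00:00:03; }
lease 192.168.10.24 { hardware ethernet aa:bb:cc:00:00:01; client-hostname "laptop"; }
"""

# Hypothetical allow-list of MACs the owner recognises (constructed).
KNOWN_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}

LEASE_RE = re.compile(
    r'lease (?P<ip>\S+) \{ hardware ethernet (?P<mac>[0-9a-fA-F:]{17});'
    r'(?: client-hostname "(?P<host>[^"]*)";)? \}'
)

def parse_leases(text):
    """Group lease lines by MAC: {mac: {"ips": [...], "hostname": str or None}}."""
    devices = defaultdict(lambda: {"ips": [], "hostname": None})
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a lease record
        dev = devices[m["mac"].lower()]
        dev["ips"].append(m["ip"])
        if m["host"]:
            dev["hostname"] = m["host"]
    return dict(devices)

def unknown_devices(devices, known_macs):
    """MACs currently holding a lease that are not on the owner's allow-list."""
    return sorted(mac for mac in devices if mac not in known_macs)

if __name__ == "__main__":
    devs = parse_leases(SAMPLE_LEASES)
    for mac, info in devs.items():
        print(mac, info["hostname"] or "<no hostname>", ", ".join(info["ips"]))
    print("unknown:", unknown_devices(devs, KNOWN_MACS))
```

Pointing the parser at the firewall's real leases file (whose multi-line format would need a slightly richer regex) gives a quick check that nothing unexpected has joined the home network.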
As for performance, the current setup performs perfectly with no sign of bottlenecks.
There is an excellent alternative to pfSense, also suggested by Steve: the EdgeRouter X, which costs less than $50 and can replace both the firewall and the switch (it has four intranet gigabit ports). It also has one PoE port in and one out, so it could simplify cabling provided that your router and connected devices are PoE compliant.