Ask Slashdot: Which Is the Safest Router?
MindPrison writes: As ashamed as I am to admit it -- a longtime computer user since the Commodore heydays, I've been hacked twice recently and that has seriously made me rethink my options for my safety and well-being. So, I ask you dear Slashdot users, from one fellow longtime Slashdotter to another: which is the best router for optimal safety today?
The unplugged one.
That's optimal safety, and minimal usability.
Your question is ill-defined anyways.
Not trying to be overly pedantic here, but do you mean firewall? Routers aren't necessarily security devices.
"Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
Can get one for $200 or less if you shop around
Number one feature: No UPnP available on the device
Specialization is for insects. -Heinlein
A "secure" router won't help you. What does "hacked twice recently" actually mean?
https://www.ubnt.com/edgemax/e...
Just a happy customer. Firewall, VLANs, scheduling, logging, etc. Can't beat the price either.
http://purplebark.net/maffew/scissors.pdf
It is a time proven solution to network woes.
In my opinion the safest router is one that can continuously be updated with the latest patches. About a year ago I used an Ars Technica guide to building your own router (link below). Ordered a very inexpensive mini PC from China with four 1-gigabit ports and put Ubuntu on it. You can set it up to auto update, but I do it manually. Every week I log in and Ubuntu tells me at login if there are any updates, and if any are related to security.
Besides being a much better performing router with full firewall capability and just about any feature you want to download and install packages for, it is on the bleeding edge of security updates.
https://arstechnica.com/gadgets/2016/04/the-ars-guide-to-building-a-linux-router-from-scratch/
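The weekly "log in and see whether Ubuntu mentions security updates" check from the comment above can be scripted. The following is an added example written for this thread (not from the Ars guide or the commenter). It assumes the output format of `apt-get -s dist-upgrade`, where each pending package appears as `Inst <pkg> [<installed>] (<candidate> <origins> [<arch>])` and security fixes come from an origin whose pocket ends in `-security`; the sample output is constructed.

```python
"""List pending apt upgrades on a Debian/Ubuntu router and flag the security ones.

Added example for this thread. Assumed format of `apt-get -s dist-upgrade`:
  Inst <pkg> [<installed-version>] (<candidate-version> <origins> [<arch>])
Security fixes are recognised by an origin pocket ending in "-security".
"""
import re
import shutil
import subprocess

INST_RE = re.compile(
    r"^Inst (?P<pkg>\S+) (?:\[(?P<installed>\S+)\] )?"
    r"\((?P<candidate>\S+) (?P<origins>.+?) \[(?P<arch>[^\]]+)\]\)"
)

# Constructed sample of what `apt-get -s dist-upgrade` prints on an Ubuntu 20.04 host.
SAMPLE_OUTPUT = """\
NOTE: This is only a simulation!
Reading package lists...
Building dependency tree...
The following packages will be upgraded:
  libssl1.1 openssl tzdata vim-common
4 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst libssl1.1 [1.1.1f-1ubuntu2.16] (1.1.1f-1ubuntu2.17 Ubuntu:20.04/focal-security [amd64])
Inst openssl [1.1.1f-1ubuntu2.16] (1.1.1f-1ubuntu2.17 Ubuntu:20.04/focal-security [amd64])
Inst tzdata [2022a-0ubuntu0.20.04] (2022c-0ubuntu0.20.04.0 Ubuntu:20.04/focal-updates [all])
Inst vim-common [2:8.1.2269-1ubuntu5.7] (2:8.1.2269-1ubuntu5.9 Ubuntu:20.04/focal-updates, Ubuntu:20.04/focal-security [all])
Conf libssl1.1 (1.1.1f-1ubuntu2.17 Ubuntu:20.04/focal-security [amd64])
"""


def parse_pending(output):
    """Return one dict per 'Inst' line; 'Conf' and chatter lines are ignored."""
    pending = []
    for line in output.splitlines():
        m = INST_RE.match(line)
        if not m:
            continue
        origins = [o.strip() for o in m.group("origins").split(",")]
        pending.append({
            "package": m.group("pkg"),
            "installed": m.group("installed"),   # None for a newly pulled-in package
            "candidate": m.group("candidate"),
            "origins": origins,
            # A package is a security fix if any of its origins is a -security pocket.
            "security": any(o.endswith("-security") for o in origins),
        })
    return pending


def security_updates(output):
    """Names of pending packages that come from a security pocket."""
    return [p["package"] for p in parse_pending(output) if p["security"]]


def live_output():
    """Run the real simulation when apt-get exists; None otherwise (no changes are made)."""
    if shutil.which("apt-get") is None:
        return None
    try:
        return subprocess.run(["apt-get", "-s", "dist-upgrade"],
                              capture_output=True, text=True, check=True).stdout
    except (subprocess.CalledProcessError, OSError):
        return None


def report(output):
    lines = []
    for p in parse_pending(output):
        tag = "SECURITY" if p["security"] else "        "
        lines.append(f"{tag} {p['package']:<14} {p['installed'] or '(new)':>26} -> {p['candidate']}")
    return "\n".join(lines)


if __name__ == "__main__":
    out = live_output() or SAMPLE_OUTPUT
    print(report(out))
    sec = security_updates(out)
    print(f"\n{len(sec)} pending security update(s): {', '.join(sec) or 'none'}")
    # Non-zero exit lets a cron job or monitoring check notice outstanding security fixes.
    raise SystemExit(1 if sec else 0)
```

Run it from cron on the router and alert on a non-zero exit; the `-s` flag only simulates, so the script never installs anything itself, which keeps the "I apply updates manually" workflow from the comment intact.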
one to which you have the source code:
https://www.dd-wrt.com/site/index
OPNsense, a fork of pfSense, which is a fork of m0n0wall. It is based on HardenedBSD, with a ton of additional security extensions not available in normal FreeBSD or pfSense.
But really, security isn't just one device. Secure ALL of your shit.
Does safety mean that you can trust the code in the router or does safety mean performance of router to defend against attacks because those are different requirements. If code trust is more important, I would recommend any router that you can replace the firmware with open source firmware like DD-WRT or Tomato. For performance, I don't know of any comparisons published on different models of routers.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Get a PC running Linux/OpenBSD/pfSense/etc. with two NICs, enable any applicable hardening, enable automatic updates.
Bonus points if you can get that running on a mini fanless system with an SSD.
I chose it mainly for security. As a former Google engineer, I feel that Google's security expertise is top notch.
...as long as you put OpenWrt on it.
Slashdot, fix the reply notifications... You won't get away with it...
...plugging directly into the modem is worse than no router.
I am also networking and programming savvy but I always assumed good hacking jobs would go unnoticed. What tipped you off to being hacked and do you allow admin login to your router from the wan side? I'm generally aware that is the most likely attack vector. Thanks for any info.
In this day and age, nothing will help you. Buy a Microsoft phone and wrap a Faraday cage around your bed. Use Microsoft Edge. pfSense is shit, a firewall won't help but disabling your Wi-Fi might.
The truth is, nothing is secure unless you can educate yourself a little bit. However, if time to do so is not a problem, the most secure device to remote hacking is probably something running OpenBSD on some single-core CPU ancient enough to be immune to stuff like the recently discovered spectre/meltdown vulnerabilities.
pfSense running on WANBOX...
pfSense because it's open source and free and "just works". WANBOX, because it's reliable and supports AES-NI crypto onboard.
Mike @ The Geek Pub. Let's Make Stuff!
A Netgate SG-1000 if you want a packaged solution:
https://www.netgate.com/soluti...
Else load up pfSense on an old PC or search eBay for pfSense... You'll also find repurposed appliances from other people loaded with pfSense.
Fast so it can support a quality VPN.
Then have a computer just for "internet" on it as the only computer on the network.
An OS some bookmarks and what apps are needed.
Have all long term data well away from any networked computer.
Find a fast router with a good CPU that can support the best VPN protection.
Make sure the loss of the VPN will not revert to any ISP ip.
Should any malware get into a computer, they get nothing. Some bookmarks, some productivity apps.
Everything can be restored and be back online quickly.
Stay away from wifi, big brand devices with "helpful" always on microphones, webcams.
Domestic spying is now "Benign Information Gathering"
It depends on your needs and your budget. If you're a typical home user that doesn't have people specifically targeting them then your needs are very different than a corporate executive who is regularly hit with espionage attempts.
I'll answer for a typical home user: Turris Omnia. It's a bit pricey ($339 on Amazon), but it runs a modified version of OpenWRT. It's easy-to-use, reasonably powerful in terms of features and capabilities, and is updated frequently.
Help save the critically endangered Blue Iguana
The Cisco/Meraki devices are phenomenal.
They are not cheap by any means, but you can get a short stack of a router (MX series security appliance; an MX64 was given when I took the class), PoE 8-port switch, and wireless access point for free if you attend a Cisco CMNA class.
Routers are guaranteed to be unsafe if either:
1. It has "cloud" in product title or datasheet.
2. It comes in a plastic box.
The absence of either of these things does not imply safety.
Any DDWRT, *Sense or plain old Linux box with some iptables rules if you don't have a life is infinitely better than off the shelf crap by people who don't give a damn.
While firewalls and network security in general are meaningless WRT to security at least having a router that won't be hacked remotely and conscripted into a coin mining DDOS launching botnet is a step in the right direction.
Unless you are talking about your netgear or dlink box getting back doored, I think you are looking in the wrong places.
Any NAT device is sufficient.
Patch all your stuff
Don't download crap
Don't execute the crap you download
Don't play web games
Don't use Internet Explorer
Uninstall Flash
Uninstall Java
If you are really looking for a good firewall, go grab a little pfsense box from netgate. But I think you have many other places to look at first.
I use a cheap Pentium motherboard (also low power), and a quad Intel Ethernet card (a used PRO/1000 for ~$50). It has all the bells and whistles of commercial units (captive portal, easy web UI, etc.), but has the advantage of being based on FreeBSD.
https://www.pfsense.org/
If you were to prefer Linux, it would be possible to use openwrt instead.
I've heard good things about Cisco very recently. They put out lot of fixes.
They constantly update, and then made it skinny. In fact, I wish I had a couple of features back. However, it does a decent security job.
I prefer the "u" in honour as it seems to be missing these days.
One not connected to a network powered off and in an underground fallout shelter, air-gapped from the world by a vacuum chamber inside a Faraday cage. Everything else is hackable.
A self-made/installed Linux box is probably the least secure solution for most people. Unless you really know how to secure and lock down your Linux box AND keep it up to date on a weekly basis, your "router" is far from secure. There are few people who really know what they're doing in this domain.
This is why OpenBSD was created. Out-of-the-box security, time between remote exploits measured in years, and a firewall is part of the default install. Yes, it still needs patches but one is starting from a far far better place than Linux.
If all you need is a router there are plenty and they're mostly safe because they don't do much.
If you need a NAT gateway, Intrusion Protection System, etc. Now you're talking firewalls.
Firewalls are MUCH more difficult to get right.
Even Cisco just got dinged today (2018-05-17) for having a fixed-password backdoor in some enterprise-level hardware.
If your goal is to spend less than $200 then you will not be getting anything worth describing as "secure". Go to your nearest Walmart, Safeway, ACE, or whatever, and buy the feature set you want, knowing you'll need to do regular firmware upgrades and these will always be BEHIND the hacker curve. The companies selling "commodity" or "small business" products don't do research to break their stuff. They just sell as cheaply as possible.
If your budget allows some latitude, check out the Juniper SRX series. They'll do what you want and thus far are considered great.
If your budget is limitless, Palo Alto Networks or FortiGate.
Again - router just moves IP packets and this can be done by a cellphone running Android.
Firewall, however, includes inner/outer networks, NAT, forwarding rules, possibly packet inspection, and a higher layer of security.
Good luck! This is a quest LOTS of people are on!!
Ehud
Tucson AZ
Get a SparcStation IPX. Install a second ethernet card in one of the Sbus slots.
Install OpenBSD/Sparc on it. Set it up as a router.
Everybody has a different set of principles by which they judge a gateway router...but here's an approach I recommend. Insofar as I know, it's damned hard to "beat" this solution, unless the invader is able to modify the router's own firmware:
In a solution I call "Friday's Folly," I use TWO cascaded routers: The first is in my ISP's connection equipment, which has its own configuration. I use that to assign a distinct and unique IP address range (don't use 192.168....; it's too often used for novices, so they don't have to think.). Pick a different range altogether...that's the first point of confusion for the erstwhile hacker. The time delay through both routers is virtually undetectable.
The SECOND cascaded router has, on its input side, an incoming address (as odd-looking as possible within the first router's LAN range). On the other side (multiple outlets for the LAN), I use a completely different IP address range, picked almost at random. It is that range (which is masked down to just a small range) to access the protected LAN resources.
Why would any hacker/cracker want to work so long to get inside the LAN; he (/she) would have to find a way to "probe" for the valid ranges inside the cascaded routers. At that point, I make the choice to install routers for which any signal on the WAN side can't be used to configure the router...therefore, its configuration is withheld from all but qualified parties on the INSIDE of the network, on the LAN.
Anybody figured out how, with a $20 second router in place, that cascaded router scheme can be easily hacked? The goal was to make the solution so cumbersome (from the WAN side), that they'll go try to invade some other, simpler, less well protected target.
The opponent may be able to get past the first router by peeking inside the ISP vendors' equipment...but that's a chimera, reaching only the SECOND router...for which they have no resources inside the first router to leverage to open up the second router. So, now they're constrained to fashion some tool on the first router that will arbitrarily scan the second router, looking for a hit.
A plain PC with two interfaces running a Linux or BSD system will do the job fine. And since it was not cited yet here, NetBSD can run that, as free and as secure as the other ones.
A disadvantage (or advantage, YMMV) is that it requires learning some bits of Unix system administration.
Dual ethernet cards/firewall and SAMBA stood up to all but the inside attack
Maybe someone could update current configuration to today
Please don't advertise NAT as security. NAT just allows allocation of non-routable addresses that has a convenient by-default side-effect of denying all incoming traffic. In IPv6, you want to just use access lists, rather than NAT, and NAT should die in a fire from its being terribly overused. Lots of people have this idea that NAT is "secure", and access lists aren't, and put NAT in places where it really has no business. It's a very bad rumour that causes people to think that public addresses themselves are *insecure* and that we need to break end to end for security. Leads to many issues. NAT has its place, but it isn't fu^%%*ing everywhere.
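The point above, that the protection comes from the filtering policy rather than from address translation, can be checked mechanically. Below is an added example for this thread (not from the commenter) that audits the JSON emitted by `nft -j list ruleset`. It assumes that schema: a top-level `nftables` list of objects keyed `table`, `chain` or `rule`, base chains carrying `hook` and `policy`, and rules carrying an `expr` list of match and verdict objects. The check is deliberately NAT-agnostic: it only asks whether the `input` and `forward` hooks default to drop and whether every accept reachable from the WAN interface is gated by a conntrack state match. The WAN interface name (`wan0`) and the two rulesets are constructed assumptions.

```python
"""Audit an nftables ruleset (nft -j list ruleset) for real ingress filtering.

Added example for this thread. Assumed JSON schema: {"nftables": [{"table":...},
{"chain":...}, {"rule":...}]}; base chains have "hook" and "policy"; rules have an
"expr" list such as [{"match": {"op": "==", "left": {"meta": {"key": "iifname"}},
"right": "wan0"}}, {"accept": None}]. NAT chains are ignored on purpose: they do
not make a gateway safer, the filter hooks do.
"""
import json
import sys

WAN_IFACE = "wan0"  # assumption: name of the upstream interface


# --- helpers to build constructed sample rulesets in the nft JSON shape ---------
def _match(left, right, op="=="):
    return {"match": {"op": op, "left": left, "right": right}}

def iif(name, op="=="):
    return _match({"meta": {"key": "iifname"}}, name, op)

def dport(port):
    return _match({"payload": {"protocol": "tcp", "field": "dport"}}, port)

CT_ESTABLISHED = _match({"ct": {"key": "state"}}, ["established", "related"], "in")
ACCEPT = {"accept": None}

def chain(name, hook, policy, table="filter", family="inet", ctype="filter"):
    return {"chain": {"family": family, "table": table, "name": name, "handle": 1,
                      "type": ctype, "hook": hook, "prio": 0, "policy": policy}}

def rule(chain_name, handle, *expr, table="filter", family="inet"):
    return {"rule": {"family": family, "table": table, "chain": chain_name,
                     "handle": handle, "expr": list(expr)}}

# Constructed: drop by default, accept loopback, LAN, and return traffic only.
GOOD_RULESET = {"nftables": [
    {"table": {"family": "inet", "name": "filter", "handle": 1}},
    chain("input", "input", "drop"), chain("forward", "forward", "drop"),
    rule("input", 1, iif("lo"), ACCEPT),
    rule("input", 2, CT_ESTABLISHED, ACCEPT),
    rule("input", 3, iif("lan0"), ACCEPT),
    rule("forward", 4, CT_ESTABLISHED, ACCEPT),
    rule("forward", 5, iif("lan0"), ACCEPT),
]}

# Constructed: has NAT, but input defaults to accept and forwards WAN port 22 ungated.
WEAK_RULESET = {"nftables": [
    {"table": {"family": "inet", "name": "filter", "handle": 1}},
    chain("input", "input", "accept"), chain("forward", "forward", "drop"),
    rule("input", 1, CT_ESTABLISHED, ACCEPT),
    rule("forward", 2, CT_ESTABLISHED, ACCEPT),
    rule("forward", 3, iif("wan0"), dport(22), ACCEPT),
    {"table": {"family": "ip", "name": "nat", "handle": 2}},
    chain("postrouting", "postrouting", "accept", table="nat", family="ip", ctype="nat"),
]}


# --- the audit ---------------------------------------------------------------------
def base_chains(ruleset):
    return [o["chain"] for o in ruleset["nftables"] if "chain" in o and "hook" in o["chain"]]

def rules_for(ruleset, ch):
    return [o["rule"] for o in ruleset["nftables"]
            if "rule" in o and o["rule"]["table"] == ch["table"]
            and o["rule"]["family"] == ch["family"] and o["rule"]["chain"] == ch["name"]]

def _matches(r):
    return [e["match"] for e in r.get("expr", []) if "match" in e]

def verdict(r):
    for e in r.get("expr", []):
        for v in ("accept", "drop", "reject", "jump", "goto", "return"):
            if v in e:
                return v
    return None

def reachable_from_wan(r):
    """True unless an iifname match excludes the WAN interface (sets are treated as reachable)."""
    for m in _matches(r):
        if m["left"].get("meta", {}).get("key") != "iifname" or not isinstance(m["right"], str):
            continue
        if (m["op"] == "==" and m["right"] != WAN_IFACE) or (m["op"] == "!=" and m["right"] == WAN_IFACE):
            return False
    return True

def gated_by_conntrack(r):
    return any(m["left"].get("ct", {}).get("key") == "state" for m in _matches(r))

def audit(ruleset):
    """Return human-readable findings; an empty list means the filter hooks look sane."""
    findings = []
    for ch in base_chains(ruleset):
        if ch["hook"] not in ("input", "forward"):
            continue  # nat/postrouting etc. are irrelevant to whether ingress is filtered
        where = f"{ch['family']} {ch['table']} {ch['name']} ({ch['hook']} hook)"
        policy = ch.get("policy", "accept")
        if policy != "drop":
            findings.append(f"{where}: default policy is '{policy}', expected 'drop'")
        for r in rules_for(ruleset, ch):
            if verdict(r) == "accept" and reachable_from_wan(r) and not gated_by_conntrack(r):
                findings.append(f"{where}: rule handle {r.get('handle')} accepts WAN-reachable "
                                f"traffic without a ct state match")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: nft -j list ruleset > rules.json; python audit.py rules.json
        with open(sys.argv[1]) as fh:
            sets = {"live ruleset": json.load(fh)}
    else:
        sets = {"constructed good ruleset": GOOD_RULESET, "constructed weak ruleset": WEAK_RULESET}
    for label, rs in sets.items():
        found = audit(rs)
        print(f"{label}: {'no findings' if not found else str(len(found)) + ' finding(s)'}")
        for f in found:
            print("  -", f)
```

An ungated accept with no interface match at all (for example `icmpv6 type ... accept`, which IPv6 needs) is reported too; the script flags it for review rather than deciding for you. The weak sample is the point of the comment above: it has a NAT table and still leaves the gateway's own services open to the WAN.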
I've had Apple Airports up and running, more than a dozen, since they first came out with newer ones over the years. Never had a problem. Excellent security. The fact that they are no longer being sold just means the price is cheaper - they're still excellent hardware and software.
My current setup: OpenWRT on Turris Omnia. I've disabled Turris internal WiFi module (and installed a 4G PCIe LTE modem for a fallback connection) and I'm using TP-Link PoE wireless access points throughout my house. TP-Links are pretty well maintained, support VLANs and don't have any extra fluff.
Turris MOX is an upcoming project that will make it even easier.
Your average individual has tech that is way beyond their ability to manage and secure, So security is performed as an add on by 3rd parties. And the truth is most of these 3rd party methods are not up to the job.
;)
It is not the fault of the user, since it is the vendors putting the devices out there for all. And not everyone is up to the job of properly managing their devices. It also does not help when vendors put inferior products out there, don't provide updates, etc. The normal user does not know or have the information to select one that makes the grade. In fact it is often true that security is seen as a hindrance to the ease of use and thus discarded by choice. As a result I think there will always be 100s of millions of compromised devices in the eco system.
Which leaves me with this answer: without proper hands-on management you cannot have a secure environment for one's devices today.
Just my 2 cents
UBNT routers and access points are crap. They are utterly dependent on their "central management" which you quite often do NOT want and which is dependent on their cloud services.
Don't spread FUD. You can run their management controller (which totally rocks by the way) on any Windows or Linux PC for free or on a small appliance they sell for less than $100. After you've configured them you never have to run the controller again unless you want to change something.
I absolutely love Mikrotik, I was introduced to them about a year ago. And have since then begun migrating everything to Mikrotik. And their Cloud Core routers will blow you away with the amount of features and performance you get for their price.
http://theworkaround.com/
My main router was a Netgear running OpenWRT for years. They lagged behind in updates. Another group picked up where they left, and started the LEDE Project. Now the two projects have merged again.
They provide updates regularly now, and it is very customizable.
Highly recommended. Just pick a router that is explicitly supported.
2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.
I can only imagine that you had a frustrating experience with one product and mistakenly assumed that all of the company's other products work the same way. My EdgeRouter works rather well, and has never required any centralized or cloud management of any kind. I usually manage it via ssh.
If you have technical knowledge... OpenBSD. Actually I find pf(4) to be easier to handle than iptables(8).
But there might be better solutions depending on your use case... like are you using WiFi, etc.. but from security standpoint I would go OpenBSD any day.
Also... it's very lightweight, you can run it on almost anything.
Hackers will always want the biggest bang for their buck, so they'll attack very popular routers. Who wants to bother with the product used by 5% of the population?
If you visit a security conference, you will find that most of the attendees are using Chromebooks. They are much more secure than your typical Windows or Apple device. Another issue people often have is that they re-use the same password for multiple services. One of the services gets compromised, and the attackers use your credentials to access your email account, and thus other services. Set a unique password for each account. Save those passwords in a password manager. Enable the 2-factor authentication feature on your email account. Firewalls will not protect you against modern threats. Antivirus will only protect you against some of the modern threats. I also suggest you also consider taking an internet security class, to avoid common pitfalls. Most modern issues can be avoided by educating yourself against common attacks, which often involve social engineering.
If you're going with IPv6, make sure your firewall understands zone concepts. Using address ranges is a very bad idea when IPv6 is used as things can change and testing becomes nearly impossible. For home use you might have a zone for your gaming systems, a zone for your work computers, a zone for guest wifi. Also make sure that it can cope with things more complex than the "Trust/Untrust/DMZ" model which was fine before multi-port routers and VLANs.
Did you read my post? Install DD-WRT and this is a non-issue. I am using the hardware from Netgear, not the firmware. I actually hate their stock firmware anyway and would recommend not buying the router if you don't plan to install custom firmware.
pfSense is pretty good if you know what you are doing. A firewall is a very partial answer to the problem of "being hacked" though and will not address most attack vectors.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I've been loving my older ASUS wifi router. If I were buying one today, I might get something like this model:
https://www.amazon.com/RT-ACRH...
"I like systems, their application excepted", George Sand (French)
If you loaded an opensource firmware on the netgear like he said, you would not have been vulnerable to that bug because you would not have been running Netgear's firmware.
(Recently got a chance to configure some of NetGear's prosumer/enterprise gear and it was mostly sane... allowed you to turn off all the crap and put all the mgmt on an out of band interface and/or pick and choose which services bound to which SVI. They claim they are starting to take this security more seriously, and at least on the enterprise side it looks like they might be.)
Someone had to do it.
There's a German brand of routers/ATA/IAD/DECT-base/WLAN combined boxes called Fritz!Box. They don't use the web frontend provided by the chipset manufacturer so they use their own, which means that the bugs in 99% of other routers don't work there. Firmware updates regarding features are available for a few years, bugfixes even longer. Costs start at 30 Euros for a refurbished middle model and go up to >200 Euros for the top of the line models.
Other than that, use some Linux computer to build your own router.
I'm assuming we are talking about home routers (no enterprise grade stuff here). If you have the required knowledge, buy a router supported by OpenWRT. Install this distro and keep it properly managed (keep security updates up-to-date, create a sane configuration, etc.).
Otherwise you are screwed.
... that those vulnerable parts of the router firmware typically aren't made by the router manufacturer. The manufacturer usually just reskins the web interface. That's why it's now common to have cross-model attacks on large percentages of the routers.
So you'd probably end up running virtually the same firmware as 90% of the rest. Price is no indication, BTW, as I've seen even expensive routers doing just that.
Wait, you can't use a web interface like most routers?
Could be a deal breaker as I prefer to avoid being reliant on proprietary software that may or may not work with my OS and hardware. Is there an Android version, for example?
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
I created a device that disconnects my home network from the internet..
- during sleeping hours
- when it detects that there are no phones and laptops on the network.
It's part of an Ethical Smart Home experiment where we are designing a privacy friendly smart home. Some details:
- It has a hardware switch to reconnect at any time.
- It's fail safe. In case of power failure the internet is reconnected.
use a small pc, these days you can find enough motherboards with two ethernet connections, and install linux or a bsd on it, done.
the pc doesn't even have to be powerful or be able to run a gui.
been doing it this way for 20 years, always up to date with patches, easy to replace and get back running if broken, etc.
On a long enough timeline, the survival rate for everyone drops to zero.
In any scenario there are explicit facts and implied facts. The explicit fact in this scenario is that the asker was hacked twice. The implied fact, from the question, is that one or both were related to his router. Turning that around on the asker questions his competence to ask the question, and is an arrogant assertion that your mere assumption that he likely doesn't know what he's talking about is more probable than the poser's clear implication in the question that the router is pertinent to the discussion.
There are some Ask Slashdot questions where the implied facts are inherently inconsistent with the question being asked. In cases like that, go to town pointing it out. This here, however, is pretty open and shut and the asker deserves deference in his scenario. In general all implied facts should be assumed to be in favour of the poser of the question knowing what he's talking about.
In short, and I'm going to bold this so you can refer back to it, unless there is an overwhelming reason not to, either answer the question asked or exercise your constitutional right to remain silent.
The Edgemax routers have their own admin interfaces (web/ssh etc) - no additional things required at all.
If you want an Wifi access point then you need an admin tool, which you can either run on the same machine as you use to operate the browser (and shut it down when you're done), or a raspberry pi, or in my case a VM on my Qnap nas.
What a lot of comments to a 2-line post where the person doesn't even explain what happened, let alone what router was being used. People just jump to conclusions!? Obviously your security setup was bad, in which case the router won't matter. Use a VPN.
Thanks, I didn't know that. Seems strange that the WiFi stuff needs an app. why not web interface?
The safest router would be the one with rounded corners.
Their wifi stuff isn't so much 'home' kit as it's 'pro'. The admin tool means you can configure a bunch of APs at the same time, put them into groups, aggregate stats and whatnot - it's actually very good (even for home, with maybe 2 APs around the house), but it comes at the cost of needing to run the tool somewhere. I believe they do an appliance for it, although as I say, a Pi is enough if you want it to run 24x7. For home use, you could just start it up on your laptop, do the config and then shut it down until you next need to make a change though.
I have been using Sophos UTM for years and I love how it has a default secure state and you have to unblock everything you want to use. However UTM is getting close to EOL and so I switched to their new XG firewall. It is more open as a default but that is easily fixed with a new rule that blocks everything. After a bit of learning I like the new XG firewall and because it is free I can't complain about the price. I bought a cheap desktop online and added a second NIC. It has been running for about 6 months without any problems.
For home use, the *best* in safety is that firewall/router that runs third party firmware like DD-WRT or OpenWRT. Personally, I run OpenWRT on my WRT-1900ACS Linksys with a USB powered cooling fan sitting on top. Also, run the minimum on your router. No VPN end points or other services on the router connected to the internet. Don't port forward, except to DMZ based hosts, and don't have the DMZ host on your private LAN, always go through another firewall/router to get to the real stuff.
However, I'm guessing that unless you have port forwarding, you got hacked from the inside by some exploit you willingly executed. All the secure network equipment in the world won't help if you don't keep malware and virus detection actively running and updated regularly, AND if you insist on running stuff from hazy sources.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Untangle Home. It is $50 per year for home use, and includes all of the premium features, at a fraction of the cost. Untangle is easily comparable to the other retail security appliance vendors, but it is much easier to configure. Many of the admins that favor a "lock out everything" mindset do not appreciate Untangle because it does not take that approach. But that makes it easier for the home-gamer to set up and fine tune. There will be a definite learning curve because there are so many more features available. For hardware, I recommend a barebones headless PC that can be kitted out for $230 or less.
Check out the Bitdefender Box 2.
"I've been hacked twice recently and that has seriously made me rethink my options for my safety and well-being. So, I ask you dear Slashdot users, from one fellow longtime Slashdotter to another: which is the best router for optimal safety today?"
What make and model was this modem, and was it running with the default username/password, UPnP enabled and the ISP's remote upgrade enabled? Personally I've ditched the supplied modem, use a third party model with customized software running as a blob.
The current crisis security problem demonstrates the dangers of a monoculture, as in when a virus comes along, it wipes out most of the ecosystem. The solution being to mix-and-match the hardware/software combinations to effectively produce unique devices, not all susceptible to the latest malware.
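The UPnP question raised above is easy to answer for your own LAN: a router with UPnP IGD enabled answers SSDP discovery, and anything on the LAN (including malware on a compromised PC) can then ask it to open WAN ports. The following is an added example written for this thread, not the commenter's code. The multicast group, port and `M-SEARCH` headers are from the UPnP Device Architecture; the sample response, the `SERVER` string and the 2-second timeout are constructed assumptions.

```python
"""Probe the LAN for a UPnP Internet Gateway Device via SSDP.

Added example for this thread. Protocol facts (239.255.255.250:1900, M-SEARCH
headers, the InternetGatewayDevice search target) follow the UPnP Device
Architecture; SAMPLE_RESPONSE is a constructed answer, not a captured one.
"""
import socket

SSDP_GROUP = ("239.255.255.250", 1900)
IGD_TARGET = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"


def build_msearch(target=IGD_TARGET, mx=2):
    """Build the SSDP M-SEARCH datagram that asks IGDs to identify themselves."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\n"
            f"ST: {target}\r\n\r\n").encode("ascii")


def parse_response(raw):
    """Return a dict of upper-cased header names for an HTTP/1.1 200 reply, else None."""
    text = raw.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # USN values contain ':' themselves
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def is_igd(headers):
    """True when the responder advertises an InternetGatewayDevice in ST or USN."""
    if headers is None:
        return False
    return "INTERNETGATEWAYDEVICE" in (headers.get("ST", "") + headers.get("USN", "")).upper()


def discover(timeout=2.0):
    """Send one M-SEARCH and collect (source address, LOCATION, SERVER) for each IGD."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
        s.settimeout(timeout)
        s.sendto(build_msearch(), SSDP_GROUP)
        while True:
            try:
                data, (addr, _port) = s.recvfrom(4096)
            except socket.timeout:
                break
            h = parse_response(data)
            if is_igd(h):
                found.append((addr, h.get("LOCATION"), h.get("SERVER")))
    return found


# Constructed sample of what a router running a UPnP daemon might send back.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"CACHE-CONTROL: max-age=1800\r\n"
                   b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
                   b"SERVER: ExampleOS/1.0 UPnP/1.1 MiniUPnPd/2.1\r\n"
                   b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
                   b"USN: uuid:12345678-0000-0000-0000-000000000001::"
                   b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
                   b"EXT:\r\n\r\n")


if __name__ == "__main__":
    hits = discover()
    if not hits:
        print("No UPnP Internet Gateway Device answered on this LAN.")
    for addr, loc, srv in hits:
        print(f"UPnP IGD at {addr}: description {loc} ({srv}). "
              f"Disable UPnP on the router unless you actually need it.")
```

Run it from a machine on the LAN; a `LOCATION` URL in the output is the device description that a LAN-side client would fetch before calling `AddPortMapping`, so if your router shows up here, UPnP is still on.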
'CyberInsecurity: The cost of Monopoly How the Dominance of Microsoft's Products Poses a Risk to Security'
first, like the question everyone keeps asking is how are you getting hacked? more data would be helpful... barring that...
some things I would recommend.....
-if you want to change your router any of the decent reviewed routers are ok. or you can roll a bunch of options like ddwrt, etc. I just use a commercial one.
- make sure your computer's firewall is ON and that it logs all connections. (and that it's blocking inbound)
- if windows, make sure the logging and auditing are on.
-use the latest version of whatever your OS is...
-look at what's actually installed, and what you're actually installing. don't install anything that's not 100% trusted. no 'warez', or pirated software, no pirated mp3, movies anything. if it's not 100% trusted it needs to go... this is an important step....
-if you suspect a hack, full reinstall of everything is in order period full stop....
-do an opsec review of all your accounts, cleanup on the privacy and security settings and change all your passwords. and update security questions etc. every account should have a unique random password, use something like lastpass or 1password.
-make sure you're using the latest browser versions chrome is pretty good here and add Flash and ad blockers. and add HTTPS Everywhere
-don't click on untrusted links, or run anything untrusted like facebook games etc.
-if you're using mac or windows use malwarebytes and a good security endpoint product.. sophos is free and decent.
-setup an opendns account and use it to block all the bad sites in it.
-make sure all your software is always up to date
-don't run as admin, run as standard user and if windows set UAC to full. use a 2nd account for admin.
this should help you out a lot.
-Nex6
There is no simple solution to this problem, it's a full network design issue.
My current network setup:
1. ISP Connection.
2. PFSense Firewall with Suricata.
3. Unifi Gateway: https://store.ubnt.com/collect...
4. Router: https://store.ubnt.com/collect...
5. Switch (Managed): https://store.ubnt.com/collect...
6. Wireless AP's: https://store.ubnt.com/collect...
7. ELK Server, so I can monitor the network and computers
Finally firewalls on all the computers, which are all running Linux, so I use UFW and Firejail to make everything nicely locked down. I don't use those exact parts, but close enough. Make sure to disable any built in AP's that come bundled with ISP Modem / Routers. Your ISP connection should ONLY be a modem.
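Two comments above ask for firewalls that log every connection and for an ELK box to watch them. Logs are only useful if something reads them, so here is an added example for this thread (not from either commenter) that summarises blocked inbound traffic from UFW kernel log lines. It assumes the standard `[UFW BLOCK]` prefix followed by netfilter `key=value` fields (`IN=`, `OUT=`, `SRC=`, `DST=`, `PROTO=`, `SPT=`, `DPT=`); the log lines, the set of "admin" ports and the local prefixes are constructed assumptions to adjust for your own network.

```python
"""Summarise blocked inbound connections from UFW (netfilter) kernel log lines.

Added example for this thread. Assumes UFW's log format:
  ... kernel: [...] [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=a.b.c.d DST=... PROTO=TCP SPT=... DPT=...
ADMIN_PORTS and LOCAL_NETS are assumptions; SAMPLE_LOG is constructed.
"""
import ipaddress
import re
from collections import Counter

ADMIN_PORTS = {22, 23, 80, 443, 8080, 8443}          # assumption: management ports worth watching
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fe80::/10", "fc00::/7")]
UFW_RE = re.compile(r"\[UFW (?P<action>\w+)\] (?P<fields>.*)$")

# Constructed sample log: external probes of 22/23/8080, one internal 22 attempt, one UDP 1900
# packet, one UFW AUDIT line (not a block) and one unrelated sshd line.
SAMPLE_LOG = """\
Jan 12 03:14:07 gw kernel: [12345.678901] [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 12 03:14:09 gw kernel: [12347.001122] [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54322 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 12 03:15:41 gw kernel: [12439.445566] [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=198.51.100.77 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=40000 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 03:16:02 gw kernel: [12460.112233] [UFW BLOCK] IN=eth1 OUT= MAC=... SRC=192.168.1.23 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 12 03:16:30 gw kernel: [12488.778899] [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=203.0.113.9 DST=198.51.100.2 LEN=32 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=5353 DPT=1900 LEN=12
Jan 12 03:17:00 gw kernel: [12518.000000] [UFW AUDIT] IN=eth1 OUT= MAC=... SRC=192.168.1.23 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51001 DPT=443 SYN URGP=0
Jan 12 03:17:05 gw sshd[1234]: Accepted publickey for admin from 192.168.1.23 port 51002 ssh2
"""


def parse_line(line):
    """Return {'action': 'BLOCK', 'IN': 'eth0', 'SRC': ..., ...} or None for non-UFW lines."""
    m = UFW_RE.search(line)
    if not m:
        return None
    rec = {"action": m.group("action")}
    for tok in m.group("fields").split():
        key, sep, value = tok.partition("=")
        if sep:
            rec[key] = value   # flags such as DF/SYN have no '=' and are skipped
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def is_local(addr):
    """True for RFC 1918 / link-local / ULA sources (assumed to be your own LAN)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)


def blocked_inbound(records):
    """Blocked packets that arrived on an interface (IN set) and were not being forwarded out."""
    return [r for r in records if r["action"] == "BLOCK" and r.get("IN") and not r.get("OUT")]


def summarise(records):
    blocked = blocked_inbound(records)
    probes = [r for r in blocked
              if r.get("DPT", "").isdigit() and int(r["DPT"]) in ADMIN_PORTS and not is_local(r["SRC"])]
    return {
        "blocked": len(blocked),
        "by_src": Counter(r["SRC"] for r in blocked),
        "by_port": Counter((r.get("PROTO", "?"), r.get("DPT", "?")) for r in blocked),
        "external_admin_probes": probes,
    }


def render(summary):
    lines = [f"{summary['blocked']} blocked inbound packets"]
    lines += [f"  {src:<16} {n}" for src, n in summary["by_src"].most_common(5)]
    lines += [f"  {proto}/{dpt:<6} {n}" for (proto, dpt), n in summary["by_port"].most_common(5)]
    for r in summary["external_admin_probes"]:
        lines.append(f"  ADMIN PORT PROBE from {r['SRC']} to {r.get('PROTO')}/{r['DPT']} on {r['IN']}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG  # e.g. /var/log/ufw.log
    print(render(summarise(parse_log(text))))
```

Point it at `/var/log/ufw.log` (or feed it from the ELK pipeline); repeated external probes of admin ports on the WAN interface are what you want to notice, and an external hit that is *not* blocked would mean remote administration is exposed, which is the first thing to turn off.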
My recommendations for the most secure options for home or small office use:
Dedicated hardware: Asuswrt-Merlin ( https://asuswrt.lostrealm.ca/ ) combined with one of the compatible ASUS router models. It's being actively supported; new versions appear every one to two months, and would likely appear more quickly if there were a major zero-day exploit. Not as feature-rich as DD-WRT or the like but more frequently updated.
Build your own PC or pre-configured PC: pfSense ( https://www.pfsense.org/ ) or OPNsense ( https://opnsense.org/ ). OPNsense is a fork of pfSense, which in turn is a fork of the now unsupported m0n0wall. They're based on FreeBSD. The companies sell pre-configured systems and support contracts as a source of income, but the software is free and open source and you can roll your own system. A PC has more memory and computing power than a dedicated router box, so these are more feature-rich than anything that runs on one of those boxes.
I would also recommend using carbide bits, as a 98 year old might not be able to change them easily, holding the shaft lock while torquing on the latching nut.
yes, this was off-topic. but it's a nice giggle.
if this is supposed to be a new economy, how come they still want my old fashioned money?
There is no such thing as a perfectly secured router/firewall/gateway. Any degree of access required increases attack surface. The most you can do is lock down everything you possibly can, intelligently allow the absolute minimum of access (bi-directionally) required to do what you need to do, and pray. Most reputable open-source *ix based solutions work the best (unless you're talking commercial/industrial appliances) , and which one you want depends on which featureset you require combined with available hardware. There are even pre-spun *ix distros for this specific purpose. The other half of this is intelligent use of the interwebs. It's already been said, but don't go to sketchy sites, don't fool around with flash/java games (remove flash and java from your PC if you can), don't use windows/OSX unless you absolutely have to, and don't click stupid stuff.
If you have a Mac, I love and have never had a problem with LittleSnitch. https://www.obdev.at/products/...
I recommend Synology RT2600AC. It uses the Qualcomm IPQ8065 chipset.
One of the FreeBSD router packages like m0n0wall or pfsense running on x86 hardware works well enough. Even better, use an inexpensive VLAN switch as an Ethernet port expander so that m0n0wall or pfsense can route between every device on your network allowing you to choose what can see what. By default, everything can then see the internet, the internet cannot see anything, and nothing on the internal network can see anything else on the internal network. This will prevent one compromised system from compromising other local systems.
I'd take a look at the free firewall software from Sophos (Sophos XG Firewall Home Edition). You can load that onto a low-power/fanless PC. Pair that with OpenDNS (also free), and it make for a very secure solution.
You could also look at some of the next-generation firewall appliances out there, but that typically requires spending more and sometimes a subscription is required.
Roqos Core is a Debian Linux based completely open source firewall IPS router that one can log in to and run any command as "root". All cybersecurity solutions must be open as otherwise you don't know if the router has hacked code, has malware in it, or participates in DDOS, etc. Roqos Core is the only Intrusion Prevention System based on Suricata in the residential market. Currently it has more than 10,000 signatures specifically compiled for homes, and they are updated automatically every day at 4 AM local time, as well as automatic software updates, hence no more firmware updates. For zero-day attacks they are updated instantaneously. More information is at http://roqos.com./ Disclosure: This may sound like a biased opinion as I am affiliated with Roqos :)
I appreciate your claims...but I invite you to actually explain how--if they can get "inside" the first router, and suss out the address range for the second router, they can get into that second router. The routers are not platforms for programming; each has its own proprietary-ness that must be coped with. Then, even if they gain first-level access, they've got to suss out how to program that second router, too, and develop code for that...which they have to somehow slide past the first router to get into an executable environment on the LAN side.
In general, most security methods are deterrents because they raise the price to the potential attacker to an unacceptable level, and that encourages them to quit and go find that laptop user in a coffee shop using the local (and free) Wi-FI connection. It's a lot of work, just to find out that you've just hacked "Grammy Rose's" Facebook access platform!
In conclusion: I published a common IP-address string. Are you so dense as to believe that I would publish my actual IP Address? And, yes, I've known it as "cascaded NAT," but you can call it "double NAT" if you wish. All I know is that it all works for me, and has for over 30 years. Someday, maybe, I'll have to toss it out and do something more elaborate...but, so far, I've been pleased with my local results.