Which network setup fits your threat profile?
From your existing home router to enterprise firewall — an honest overview of all options by threat level.
Your router is the door to your network. Everything you do at home or in the office (browsing, banking, storing crypto, working) passes through it. Yet most people pay more attention to the lock on their front door than to their network security.
This article explains what’s available, from free settings on your existing router to enterprise hardware for high-risk situations. Not to sell you everything — but to give you the full picture.
Step one: check your existing router
Before buying anything: check whether your current router already supports better firmware.
Go to openwrt.org/toh and search for your router model. If it’s listed, you can install OpenWrt — free, powerful, no new hardware needed.
Only buy new hardware if your current router isn’t supported or is too old to be worth upgrading.
Level 1 — Regular user
Threat profile: normal-user / basic
You have a standard router from your provider. You have no particular risks — you just want things to work without everything leaking to advertising companies.
What you can do without buying hardware:
- Change the default admin password on your router (it’s probably on a sticker right now)
- Switch DNS to a privacy-friendly resolver: 1.1.1.1 (Cloudflare) or 9.9.9.9 (Quad9)
- Disable UPnP if you don’t need it — it automatically opens ports
- Update your router firmware if an update is available
If your router supports OpenWrt:
Installing OpenWrt gives you DNS-over-TLS, a built-in adblocker (AdGuard Home or Pi-hole), a VPN client at router level, and full control over what your network does. Free, but requires some technical knowledge.
Level 2 — Privacy-conscious / De-Google
Threat profile: privacy-conscious / de-google
You want to get away from Google and other big trackers — including at the network level. You want DNS filtering, VPN on the router so all devices are protected, and visibility into what your network is doing.
Hardware: GL.iNet travel router or home router
GL.iNet makes routers with OpenWrt pre-installed. No manual flashing needed — OpenWrt is already on it, through a user-friendly interface.
| Model | Price | Use |
|---|---|---|
| GL.iNet Beryl AX (MT3000) | ~€80 | Home or travel, Wi-Fi 6, fast |
| GL.iNet Flint 2 (MT6000) | ~€100 | Home, Wi-Fi 6, more ports |
| GL.iNet Slate AX | ~€90 | Travel, compact |
What you can do with it:
- Set up a VPN client on the router (all devices automatically route through VPN)
- AdGuard Home or Pi-hole for DNS filtering (ads and trackers blocked)
- DNS-over-TLS for encrypted DNS traffic
- Guest network fully separated from your main network
ASUS router at home? Look at Asuswrt-Merlin. This is enhanced firmware for ASUS routers — installed like a normal firmware update. No full OpenWrt knowledge needed. Offers DNS-over-TLS, kill switch, VPN client and DNSSEC.
Works well on: RT-AX86U, RT-AX88U, RT-AX68U.
Level 3 — Small business owner
Threat profile: small-business
You work from home or have a small office. You have customer data, financial information or sensitive business communication on your network. A breach isn’t just a privacy problem — it can cause business damage.
Hardware: Firewalla or GL.iNet home router with OPNsense-like settings
Firewalla Gold / Purple
Firewalla is a plug-and-play firewall box — you plug it in behind your existing router. No technical knowledge needed, managed via an app.
| Model | Price | Suitable for |
|---|---|---|
| Firewalla Purple | ~€150 | Home use, Wi-Fi 6 built-in |
| Firewalla Gold | ~€200 | Small office, more ports |
What you get: real-time network monitoring, blocking of devices by category, a VPN server so you can connect securely from the office or while traveling, and alerts for suspicious traffic.
Advantage: works immediately, no CLI knowledge needed. Disadvantage: closed platform, you depend on the company for updates.
Level 4 — Advanced / Journalist / Activist
Threat profile: journalist-activist / advanced
You have a real risk of targeted attacks. You want maximum control and transparency over your network — no black boxes, no cloud dependency, open-source all the way down.
Hardware: Protectli Vault or mini-PC with OPNsense
A Protectli Vault is a small, fanless mini-PC with multiple network ports. You install OPNsense or pfSense on it — fully open-source firewall software.
| Option | Price | Ports |
|---|---|---|
| Protectli FW4B | ~€180 | 4 ports, Intel J3160 |
| Protectli FW6 | ~€350 | 6 ports, Intel i5/i7 |
| Topton/Cwwk N100 | ~€100-150 | 4-6 ports, AliExpress, flash yourself |
OPNsense is the recommended platform: open-source, actively maintained, weekly security updates.
What you can do with it:
- Intrusion Detection/Prevention (Suricata)
- VPN server (WireGuard or OpenVPN)
- Network segmentation (VLANs — IoT devices separated from your work computer)
- DNS filtering at network level
- Full logs of all network traffic
Difficulty: high. Expect a learning curve of several weekends.
Level 5 — High risk / Maximum
Threat profile: high-risk / maximum
You work with extremely sensitive information. You want professional hardware, professional support, and a system used by security professionals.
Hardware: Deciso DEC series
Deciso is a Dutch company from Middelburg that makes official OPNsense hardware. The DEC series is used by governments, hospitals and financial institutions.
| Model | Price | Suitable for |
|---|---|---|
| DEC630 | ~€600 | Small organisation or high-risk home use |
| DEC3840 | ~€1,200+ | Medium-sized organisation |
Advantages: plug-and-play OPNsense (fully configured), Dutch support, hardware and software from one party, long lifecycle.
We don’t sell this — but if you’re at this level, it’s the honest recommendation.
Overview by threat profile
| Profile | Hardware | Approach | Cost |
|---|---|---|---|
| Regular user | Existing router | Change DNS, router password | €0 |
| Privacy-conscious | GL.iNet or existing router + OpenWrt | VPN on router, DNS filtering | €0–€110 |
| Student / employee | GL.iNet + VPN subscription | VPN always on, guest network | €80–€110 |
| Small business | Firewalla Gold or GL.iNet Flint 2 | Monitoring, VPN server, segmentation | €100–€200 |
| Journalist / activist | Protectli + OPNsense | IDS/IPS, VLANs, full control | €150–€400 |
| High risk | Deciso DEC series | Professional hardware + support | €600+ |
Which firmware fits you?
If you want to flash hardware yourself or already have a supported router:
| Firmware | Best for | Difficulty |
|---|---|---|
| Asuswrt-Merlin | ASUS home routers | Low — normal firmware update |
| OpenWrt | Wide device support | Medium — CLI knowledge helpful |
| DD-WRT | Older routers | Medium — less active than OpenWrt |
| FreshTomato | Older Broadcom routers | Medium — best interface of the three |
| OPNsense / pfSense | x86 hardware (mini-PC) | High — full firewall OS |
| VyOS | x86, complex networks | High — BGP, OSPF, datacenter level |
| MikroTik RouterOS | MikroTik hardware | High — popular with ISPs and datacenters |
Always check your current router first at openwrt.org/toh before buying anything new.
Conclusion
There’s no universal answer to “which router should I get”. It depends on your threat profile, your technical knowledge, and your budget.
What applies to everyone: changing the default password on your router and switching DNS to a privacy-friendly resolver cost nothing and deliver immediate results.
Build from there as your risk level demands.
See also:
- Network security for crypto holders — specific guidance for crypto holders
- Firewalla Gold review — plug-and-play firewall
- GL.iNet Beryl AX review — travel router with VPN
- GL.iNet Slate 7 review — Wi-Fi 7 travel router
- GL.iNet Brume 2 review — VPN gateway without Wi-Fi
- GL.iNet Brume 3 review — VPN gateway with 1,100 Mbps WireGuard
- GL.iNet Flint 3 review — Wi-Fi 7 home router
- Protectli Vault review — OPNsense hardware