After some consideration, I’ve decided to replace my consumer router at home with an OpnSense box I control, and use the consumer router as just an access point. The model I have doesn’t seem to support OpenWrt but the default firmware supports access point mode complete with mesh functionality, otherwise I would have just installed OpenWrt on it. I still like the consumer router’s mesh Wi-Fi capabilities, especially the wireless range extender, but don’t trust it enough to let it be the actual root device separating my home network from the open internet. My reasoning is that by having it behind the OpnSense router, I can monitor and detect if it’s exfiltrating any “analytics” data and block them. Worst case scenario I realize it’s too noisy with the analytics and buy a proper business grade access point, or an M.2 Wi-Fi 6 card with some beefy antennas.
Now I’m trying to decide if I should use one of my old mini PCs or if I should get a brand new one with an up to date processor and microcode. The biggest reason I don’t want the consumer router to be the root device anymore is because I don’t know how well they patch their firmware against attackers constantly scanning the internet for vulnerable devices. I imagine an open source router OS with tons of eyes on it and used by actual professionals would inherently be more secure than whatever proprietary cost cut consumer firmware my current router has. I’ve already picked out a suitable mini PC I’m not using and the reason I even started down this rabbit hole is because I have it, but after thinking more about it, I’m worried that whatever security I gain might be undermined by the underlying hardware being old and outdated, especially since the processor is definitely pre Spectre/Meltdown and I doubt it’s still getting microcode or firmware updates.
Again, the reason I ask is because the internet really wants me to think old disused computers are perfect for converting into routers, and I really don’t want to buy a new computer if I don’t have to. How important is the hardware for a router? Can I expect OpnSense to have sufficient security on pretty much any hardware or will a sufficiently old computer completely defeat the purpose of even switching away from the consumer router?
Alternatively, I also have another mini PC with a Ryzen 5 from 2020, and I can reposition it from its current job to router duty, though it would definitely be overkill and wasting the hardware capabilities. Would that be substantially more secure than an older Intel processor?
I also have a Raspberry Pi 4 I can put OpenWrt on, would that somehow be more secure than an x64 computer?
i’m talking about services you might want to expose, which might have rce vulnerabilities. i edited my post for slight clarification but i think you replied before i had the chance, so i’m doing it here.
many people do end up hosting other services at home besides just the bare router when they get sufficient “tinker” hardware, which seem to be the case.
either way it’s indeed not something one should worry too much about in op’s case atm, if just to understand what one can expect from older hardware or the limits of what you can get away with.
I hear you, I host lots of stuff. But none I can think of would be RCE vulnerable directly from a CPU vulnerability. You could use a CPU vulnerability to privesc later, but once someone has RCE, your already pwn’d, and privesc is mostly a given anyway either way. So CPU vulnerabilities falls way down the list of things to worry about.
As long as you keep your router OS patched and up to date, CPU vulns really arent a concern.