I have opinions but they are only slightly more informed than the average public on this specific topic. Most of my active work is niche and most of the generic stuff I mention here on the forum comes from my degree (MS Security Engineering), personal experience at home, and keeping an eye on the computer security press and academic publications.
In general you are correct, the routers are not automatically bad. And they come with the advantage that your ISP can usually reach into them and fix things that are broken. But that also means your ISP can reach into your router and do anything else they want to too, like get a map of all your devices and services, enable/disable features without asking, etc. YMMV depending on the ISP in question.
In general, I recommend treating any hardware provided by the ISP as “outside your network”. Put your own device, even if it’s just an off the shelf WiFi router, even if it duplicates capabilities provided by the ISP’s device, between the ISP hardware and your LAN. It’s a little more expensive but provides some protection in case the ISP router is compromised or your ISP likes to snoop.
Internet <--> ISP Router <--> Your Own Gateway <--> LAN
In my case the “Your Own Gateway” is the OPNsense box and my WiFi routers are set to just AP mode so all the network stuff (DNS, DHCP, etc.) is implemented by the OPNsense box.
Internet <--> Cable Modem <--> OPNsense <--> WiFi AP Mesh Network <--> LAN
I started with OpenWRT but moved to PFsense because OpenWRT is way low level and primitive in comparison and I didn’t want to work that hard to implement parental controls. Updates for individual gateways are hit and miss as well.
It might be worth spinning up an OPNsense VM and playing around if you still have some needs beyond what your ISP can provide. Even out of the box you can get some nice monitoring and protection on your network with very little effort and it’s way more user friendly compared to OpenWRT, Tomato, and all the other alternative firmware.
Treat any hardware you don’t “own” as the Internet. If the ISP can log into it, you don’t own it. Note that cable modems often end up running firmware pushed by the ISP even if you bought it, in which case you don’t own it. Even though I bought it myself, you’ll notice in the diagram above that the Cable Modem is on the other side of my OPNsense. There are technical reasons for doing that too (it’s hard to buy an off the shelf machine capable of running OPNsense that also includes a cable modem), but even were it not so I’d put it outside the LAN rather than on the gateway because of that ISP pushed firmware. So put some sort of controlled interface between it and your LAN.
Don’t do NAT. Use a VPN instead. Tailscale is super simple to set up (supported on both PFsense and OPNsense BTW).
The general advice is to put all your IoT devices into their own VLAN. I’m ambivalent on this. On the one hand it’s recommended for good reason. Many vendors are super insecure or bad actors. Putting that stuff into its own VLAN protects your “data” LAN from attack. However, it greatly increases the complexity of the network setup and OH setup too, and it can often be far beyond the average user. If you don’t do VLANs, be sure to be vigilant and monitor the network and carefully research devices before buying them to see if the vendor has a good reputation.
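The topology and the IoT VLAN policy from the post above, as an added example that is not part of the original post and not OPNsense configuration: it expresses the same posture (ISP-side interface treated as the Internet, no inbound port forwards, IoT VLAN allowed out but never into the LAN) as an nftables ruleset for a Linux box in the “Your Own Gateway” position. The interface names (eth0 toward the ISP router, eth1 for the LAN, eth1.20 for an IoT VLAN tagged 20) and the subnets are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Generates (and optionally
# applies) an nftables ruleset for a Linux gateway placed between the ISP
# router and the LAN, with IoT devices on their own tagged VLAN.
# Interface names, VLAN tag and subnets below are assumptions.

WAN_IF="${WAN_IF:-eth0}"          # faces the ISP router: treated as the Internet
LAN_IF="${LAN_IF:-eth1}"          # trusted wired/WiFi LAN (APs in bridge mode)
IOT_IF="${IOT_IF:-eth1.20}"       # VLAN 20 carrying IoT devices (assumed tag)
LAN_NET="${LAN_NET:-192.168.1.0/24}"
IOT_NET="${IOT_NET:-192.168.20.0/24}"

# Print the ruleset rather than applying it straight away, so it can be
# reviewed and checked before it touches a live gateway.
gen_ruleset() {
cat <<EOF
flush ruleset
table inet gateway {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iif lo accept
    # Nothing on the ISP side may initiate a connection to the gateway itself.
    iifname "$WAN_IF" drop
    # The trusted LAN may manage the gateway.
    iifname "$LAN_IF" accept
    # The IoT VLAN only gets the services the gateway provides it: DHCP and DNS.
    iifname "$IOT_IF" udp dport { 67, 53 } accept
    iifname "$IOT_IF" tcp dport 53 accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # Trusted LAN may reach the Internet and may initiate to IoT devices.
    iifname "$LAN_IF" oifname "$WAN_IF" accept
    iifname "$LAN_IF" oifname "$IOT_IF" accept
    # IoT devices may reach the Internet but never the LAN.
    iifname "$IOT_IF" oifname "$LAN_IF" drop
    iifname "$IOT_IF" oifname "$WAN_IF" accept
    # Deliberately no rule accepting WAN-initiated traffic: no port forwards,
    # remote access is done over a VPN instead.
  }
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    # Source NAT toward the ISP router, which does not route our private
    # subnets. This is outbound only; nothing here exposes a service.
    oifname "$WAN_IF" ip saddr { $LAN_NET, $IOT_NET } masquerade
  }
}
EOF
}

# Sanity check that runs without root or nft: the IoT -> LAN drop must be
# present, and no rule may accept traffic initiated from the ISP side.
check_ruleset() {
  rules=$(gen_ruleset)
  printf '%s\n' "$rules" | grep -q "iifname \"$IOT_IF\" oifname \"$LAN_IF\" drop" || return 1
  if printf '%s\n' "$rules" | grep "iifname \"$WAN_IF\"" | grep -q accept; then
    return 1
  fi
  return 0
}

# Usage:  sh iot-gateway.sh         prints the ruleset for review
#         sh iot-gateway.sh apply   checks it, then loads it with nft (as root)
case "${1:-}" in
  apply) check_ruleset && gen_ruleset | nft -f - ;;
  *)     gen_ruleset ;;
esac
```

The order of the two IoT rules in the forward chain does not matter here because their output interfaces differ, but `check_ruleset` is the habit worth keeping: before loading any ruleset on a gateway that separates a trusted LAN from untrusted devices, assert the one thing the ruleset exists for (IoT cannot reach the LAN, nothing from the ISP side is accepted) rather than trusting a visual read of the file.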