I note a lot of confusion around networking terminology, at least as applied to home and SOHO networking. I am sure that hard-core network professionals speak a different language and communicate just fine when it comes to industrial-strength networking.
What are the exact definitions of a gateway, an ONT, a modem, SDN, a switch, a router, an access point (AP), a VPN router, and so on?
As far as I can tell, gateway usually refers to an all-in-one appliance. It does cable modem functions, DHCP services, NAT, firewall, and usually a multiport switch with Ethernet jacks. HOWEVER, at least one vendor - Ubiquiti - uses the term "Cloud Gateway" for a family of devices that perform routing functions but do not have built-in modems. Switches are Ethernet connection devices that can be either unmanaged or managed. Unmanaged switches simply connect all the Ethernet ports so they become part of the same LAN. Managed switches can do more sophisticated things like VLANs, traffic shaping, etc. Really confusing is the term router. Routers provide a firewall, NAT, DHCP services, and usually have multiple Ethernet ports. However, routers for home or SOHO usually have WiFi as well, so the term is ambiguous. If you Google "router" you will mostly see devices with WiFi built in. But if you want to separate out the WiFi function, you need to look for routers without WiFi. These can then be connected to an AP, which provides the WiFi radios, often with the option for multiple SSIDs, which can help split and isolate traffic.
So, given all that, I have been reimagining my home network setup for a while now. Like many (most?) I rely on my ISP for a rented gateway to do all the heavy lifting and to keep things simple. My network is pretty much all Wifi based and the gateway with its built-in router and Wifi is adequate to cover most of my house. I do have one repeater in the garage to support my generator monitor project, since the monitor uses a Pi Zero W with a weak Wifi radio, but that is the extent of "complications" to my network. I have just one device connected directly via Ethernet to the router, a repurposed TV appliance box running a Lyrion music server for my music players (which are on Wifi).
Here's the problem: I also have a bunch of IOT Wifi devices:
smart switches
dimmers
Amazon Echos
smart TV
dumb TVs with Firesticks
printers
thermostats
security system
all connected to Wifi. These present a potential threat to my network - there are known examples of exploits that compromise these devices, and a compromised device on the same LAN can then be used as a foothold to attack the stuff that matters, our computers, which have all our info, passwords, etc. Plus, my Chinese smart TV likes to "phone home" occasionally, and I wonder what it is saying to its parents, Haha.
One simple mitigation is to put all untrusted devices on a "guest" Wifi network. BUT - the Xfinity gateway I have does not have that feature! Incredibly, Xfinity instead chose to only allow you to enable a Wifi hotspot. Guests (or anybody nearby) can use this hotspot to get internet connectivity as long as they are Xfinity customers. I guess they were thinking this would drive more people to become customers, but why would I enable this on my gateway to share my WiFi, especially since it is useless for IOT devices?
SO here are some of my options:
It is possible to put an Xfinity gateway into "bridge" mode. This essentially turns it into a dumb modem with no features such as a firewall, DHCP, NAT, or router functionality. I could then connect a Wifi router to it, which DOES have those features, plus guest network functionality. These routers are commonly available for less than $100, depending on Wifi speed. Wifi 7 is now available, but very few devices support it (yet). This would allow me to put all untrusted devices on the guest network, effectively isolating them. One potential downside of this approach is that Xfinity has been known to break bridge mode occasionally by doing equipment updates and resetting the gateway to a default configuration. This would be unacceptable since I am often away and rely on the internet to always be available for me to check on my home devices. On the plus side, the Xfinity smartphone app does allow you to place the router back into bridge mode remotely, but I would rather not have to worry about it. This would be the simplest possible option since it only involves the addition of one piece of gear, a WiFi router.
A possible next step would be to buy my own modem. Owning your modem (which must be compatible with your ISP) frees you from a rental agreement, although the break-even point is likely about a year out. Most of the opinions out there on the web are that it is better to separate modem and router functionality. One justification is that modem technology changes slowly over time, and buying a DOCSIS 3.1 cable modem would allow for 1 Gb+ connectivity and be reasonably future-proof. Wifi and router technology, on the other hand, change rapidly, so replacing these functions may happen more often. Things get trickier if you are on fiber, but I am currently still on cable.
So, if I decide to separate the modem and WiFi functions from the rest of the network, I need to look at routers (these are non-WiFi):
One choice is to build a software/hardware appliance that can handle all the typical router functions: firewall, DHCP, NAT, and added features such as intrusion detection and VPN. There are a couple of free open-source software options here: pfSense and OPNsense. OPNsense is a fork of pfSense and seems to be preferred by many. It runs on almost any computer platform with at least 2 Ethernet ports (in and out) and is typically used on microPCs like this one, which sells for $135. OPNsense seems to be very popular among network hackers.
MikroTik makes what appears to be one of the lowest-cost small routers with full features: hEX S (2025) for $69. For full management, it requires a separate program that runs on a PC - called WinBox. Some users complain about the complexity of controlling MikroTik devices, but this stems from the large number of options supported. Presumably, the router runs the same OS as MikroTik's larger and more expensive commercial routers.
Ubiquiti also makes a small, low-cost router, the Ubiquiti Cloud Gateway Ultra, for $129. It seems to be feature-rich, but it does not have a user manual. It looks like it can be controlled from a Ubiquiti cloud interface or the built-in management interface, which is purported to be pretty self-explanatory. Ubiquiti gear is favored among many network geeks.
TP-Link is another option. Their Omada series of SOHO devices is reasonably priced. The ER605 is described as a VPN router and is only $51 on Amazon. VPN routers have all the basic stuff but add the ability to communicate between sites securely. An example would be to connect between office buildings of the same company over the internet. A big brother to this is the ER7206 for $140, which is described as a "professional" version. It looks like Omada devices can be centrally managed by an Omada "controller" node in the network, and there is also an app available. You can also buy a dedicated Omada controller appliance box for $80, but the software can even run on a Raspberry Pi if you want. There is also a "Festa" FR205 5-port model for only $47 on Amazon. It claims to be easy to set up (as in zero configuration) and is aimed at small businesses. However, it requires a connection to a TP-Link cloud for management and is not compatible with Omada. This is currently free, but they reserve the right to charge in the future. Sounds a little like "bait and switch" and possibly not very secure. People are nervous about TP-Link in general, since there may be a ban imposed on them for security reasons. This is very controversial, and TP-Link denies being either a China-controlled company or making products that can be exploited by attackers (at least no more so than the others).
Regarding hacks and vulnerabilities, apparently, ASUS SOHO routers have been targeted recently (2025): see this article. Apparently, "state actors" have been planting backdoors in ASUS routers using a security vulnerability for some time in preparation for a massive global attack, and thousands of routers are affected. ASUS says they patched the routers to prevent further attacks, but the backdoor is reported to survive firmware updates and reboots. Sheesh!
An AP (Access Point) would be a good approach for Wifi in addition to a dedicated router and would allow me to implement multi-SSID Wifi LANs. An example of an AP is TP-Link TL-WA3001. These are available used for as little as $30 on eBay. I like this idea since I could have up to 4 independent WiFi networks, allowing good isolation.
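To make the isolation concrete, here is an added example (mine, not anything from the post's author or from any of the vendors mentioned) that models the policy a guest network or multi-SSID/VLAN setup is meant to enforce: untrusted IoT devices can reach the internet but cannot initiate connections into the trusted LAN, trusted computers can still reach IoT devices (to print, for instance), and replies on those connections are let back through. The address plan, device addresses and flows are all constructed for illustration; a real router's forward chain does the same job with its own rule syntax. The model also records what the IoT segment connects to outbound, which is the "what is my TV saying" question.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed address plan: one subnet per Wi-Fi network / VLAN (assumption, not the author's).
SEGMENTS = {
    "lan": ip_network("192.168.10.0/24"),  # trusted computers, music server
    "iot": ip_network("192.168.20.0/24"),  # TVs, switches, Echos, printers, thermostats
}


def segment_of(addr: str) -> str:
    """Map an address to its segment; anything outside the local subnets is 'wan'."""
    a = ip_address(addr)
    for name, net in SEGMENTS.items():
        if a in net:
            return name
    return "wan"


@dataclass(frozen=True)
class Rule:
    src: str     # source segment
    dst: str     # destination segment
    action: str  # "accept" or "drop"


# Forward chain, first match wins. Anything not matched is dropped (default deny).
RULES = [
    Rule("iot", "lan", "drop"),    # untrusted devices never initiate into the trusted LAN
    Rule("iot", "wan", "accept"),  # ...but may reach the internet
    Rule("lan", "iot", "accept"),  # trusted hosts may talk to IoT (printing, casting)
    Rule("lan", "wan", "accept"),
]


@dataclass
class Firewall:
    rules: list = field(default_factory=lambda: list(RULES))
    established: set = field(default_factory=set)     # (client, server, port) of accepted flows
    dropped: list = field(default_factory=list)       # log of refused attempts
    iot_outbound: list = field(default_factory=list)  # what the IoT segment "phones home" to

    def forward(self, src: str, dst: str, port: int) -> str:
        """Decide whether a packet crossing segments is accepted or dropped.

        `port` is the server-side port, so a reply from server to client carries
        the same port and is recognised as part of an established connection.
        """
        # Reply traffic for a connection that was opened in the permitted direction.
        if (dst, src, port) in self.established:
            return "accept"
        s, d = segment_of(src), segment_of(dst)
        action = "drop"
        for rule in self.rules:
            if rule.src == s and rule.dst == d:
                action = rule.action
                break
        if action == "accept":
            self.established.add((src, dst, port))
            if s == "iot" and d == "wan":
                self.iot_outbound.append(f"{src} -> {dst}:{port}")
        else:
            self.dropped.append(f"{s}->{d} {src} -> {dst}:{port}")
        return action


def demo() -> dict:
    """Run a handful of constructed flows through the policy and return the verdicts."""
    fw = Firewall()
    verdicts = {
        # smart TV phoning home: allowed, but recorded so it can be reviewed
        "tv_phone_home": fw.forward("192.168.20.5", "203.0.113.7", 443),
        # smart TV probing a laptop's file share: blocked
        "tv_to_laptop": fw.forward("192.168.20.5", "192.168.10.20", 445),
        # laptop printing to the IoT-segment printer: allowed
        "laptop_to_printer": fw.forward("192.168.10.20", "192.168.20.9", 9100),
        # printer's reply on that connection: allowed as established traffic
        "printer_reply": fw.forward("192.168.20.9", "192.168.10.20", 9100),
        # printer opening its own connection to the laptop: blocked
        "printer_to_laptop_unsolicited": fw.forward("192.168.20.9", "192.168.10.20", 22),
    }
    return {"verdicts": verdicts, "dropped": fw.dropped, "iot_outbound": fw.iot_outbound}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of the `established` set is the part people usually trip over: a one-line "IoT cannot talk to LAN" rule blocks the printer's replies too, so the isolation rule has to be "IoT cannot *initiate* to LAN", which is what a stateful router rule (or a guest network's client isolation) gives you. Same-segment traffic never crosses the router, so it is not modelled here; the `iot_outbound` list is the minimum visibility worth keeping if the TV's conversations with its parents are a concern.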
Another WiFi option is to implement a mesh network. I have some experience with eero at another property, but don't like the fact that full management features require a subscription. Other mesh systems are available.
Putting all this together is a pain, so is it worth the effort? Yes and no. Everything is a tradeoff. On the plus side, it frees me from Xfinity and provides a lot of added security and peace of mind. On the negative side, there is some work to get this all working seamlessly and ongoing management (updates, monitoring, etc.) requires effort. Plus, if something happens to me (the network admin), who could take over and understand or fix problems down the road?
Scribbling all this down helps me clarify my thinking about the "right" approach. Stay tuned.....