John's Musings

Yeah, Me Neither

Synology RT2600AC Review

I'm a firm believer that a stock router from Walmart or Target is wildly ineffective and minimally secure. I'm also a firm believer that you have to be a lot different from the crowd and that act itself makes you a little more secure simply because it makes you not as soft a target. Some ways to be different are to run open source firmware such as DD-WRT or LEDE. Yet another way is to get a non mainstream router such as a Synology RT2600AC. It has some great features not found on many regular routers.

First of all it does one amazing thing not found on almost any other router. IT MAKES YOU CHANGE THE DEFAULT ROUTER PASSWORD. Most routers steer you towards a hardened WIFI password while completely ignoring the actual "hooked directly to the internet via ethernet" connection. Default passwords are published on the internet. If your wifi has a gaping hole somebody has to be within 300 feet or so of you to exploit it. If your router is PHYSICALLY connected to the internet with a default password of admin / admin or admin / password then you're a sitting duck. MOST PEOPLE DON'T CHANGE THEIR DEFAULT ROUTER PASSWORDS. A blind kid could hack you.

It also has a unique feature where you can schedule the wifi to shut off. If you go to bed at, say 10 PM every night, why leave your wifi on? It can't be hacked if it isn't turned on. This router also has a button on the side where you can manually turn wifi on and off. What a concept!

Also you can schedule the LED lights to turn on and off at certain times. Nice to extinguish the flashing distractions especially if your router is in the bedroom or next to the TV you're trying to watch a movie on.

Because Synology routers are not really mainstream or sold in huge quantities they're a less attractive target.

What's the downside you say? It's a little tougher to set up. A bit more geeky. Another bizarre thing I noted was that as soon as I set it up it told me the SRM (firmware) needed to be updated. So I updated. It took longer than most routers AND when it was finished and just for fun I asked it to check again it found yet another firmware update. Apparently the upgrades are incremental. That's not very intuitive. Finally it tells me it's up to date!

Take notice of the control page here. It looks more like an operating system than a router configuration page. And of course it is. And of course they all are but this has a way different feel to it. This is like your basic window type graphical user interface. This router feels more like a Office/Small Business router rather than a home router. It is definitely a few steps up from a bottom shelf router at Walmart.

There is a Package Center where you can add packages (apps) to give increased functionality. This router provides excellent hardware specs to run a VPN Server and it has one of the easiest implementations of setting up a VPN server and providing client configurations to put on your devices. It's easy. It also can auto configure your firewall to keep the VPN from getting blocked. The only thing about that I didn't like it that it asked to open the ports for every kind of VPN the device supports. There is no reason to open the ports for an L2TP or PPTP VPN if you are running an OpenVPN instance. Advanced users will know to uncheck the radio boxes for those unnecessary ports but I don't think a first timer would. Never have open ports on your firewall that you don't need or intend to use. It's an open door or at the very least a poorly locked door with a really cheap lock on it.

Also it has a package called Intrusion Detection (Beta). Synology defines it as this:

Intrusion Prevention guards your Synology NAS from network threats, and identifies malicious packets to prevent your Synology NAS from infection and data compromise.

Other devices do this as well. For example my pfSense hardware firewall uses a program called pfBlockerNG which is similar. I'm sure the concept is the same. After reading through some forum entries I'm not sure this is smooth and polished yet. Without having deployed this at all I can tell you that many times these things are too restrictive. You just want to go to some website and it's blocked or elements of it are blocked. Then you go in the program and try to find the "rule" that blocked it. Many times you end up clearing the log and trying to recreate the problem so you can identify it so you can whitelist the problem. It's network administrator stuff, not Jenny from the Block stuff.

But if you put in the time and effort you'll have a decent intrusion detection system. Will it keep the NSA out? Ha. Doubtful, but it will keep out some segments of exploit attempts. I doubt a nation state or super hacker wants in your computer. It's the people scanning for social security numbers, identity theft mining, and pictures of wife getting frisky after the Christmas party with the new GoPro she got you that you are worried about.

blog comments powered by Disqus