How to Hardware firewall using NAT & SPI

Discussion in 'Windows XP Security' started by Janice, Nov 21, 2019.

  1. Janice
    In this thread Post # 50: https://www.xpforums.com/threads/what-are-your-best-memories-of-using-xp.932186/page-3#post-3264044

    trimis said "Wanna know the secret to make your crappy Win10 near bulletproof like my XP Pro? Hardware firewall using NAT & SPI. That's right! A good router will allow your weak Win10 to go anywhere on the internet with impunity..."

    I will never use Windows10 :eek: Nevertheless, I would like to know how to do this. I have heard that a good firewall can make you immune to almost anything. I haven't a clue about this. Could you please explain how to do this "Hardware firewall using NAT & SPI"? I am not an expert, far from it, but I can follow instructions competently.
     
    Last edited: Nov 21, 2019
    Janice, Nov 21, 2019
    #1
  2. trimis
    No idea. My method is to get a good wired-only router. By this I mean a router that has absolutely zero wi-fi/bluetooth/wireless capability. I chose the MikroTik hEX RB750Gr3. Frankly I picked it only because it was cheap, and it was intended to be an interim router until I could afford a costly model. It has proven itself so good and reliable that I will likely buy it again, instead of the Ubiquiti Edge Router. So I got the router, then had a computer tech come in to set it up (NAT & SPI), connect all the PC wires, make sure all was working, and I had internet. Best $100 I ever spent. Just make sure you find a good tech guy. Stay far away from the Geek Squad:

    https://www.networkworld.com/article/3156029/why-you-shouldnt-trust-geek-squad-ever-again.html

    https://www.geek.com/tech/lawsuit-alleges-fbi-used-geek-squad-to-spy-on-customers-1701906/

    https://www.bleepingcomputer.com/ne...uad-nerds-search-your-pc-for-illegal-content/
     
    trimis, Nov 21, 2019
    #2
  3. cornemuse
    I too have a cheapie wired-only router with 4 ports. One port goes to a manual 4 way cat 5 switch box, another port goes to another 4 way. I have A, B, & C ports conned to comps. (box one), second sw box the same. 4th port is set up with KVM + power cord if anyone brings their comp to my house. (my desk, mouse, KB, mon, inet, power). As it is, ONLY 2 comps can be connected to the net at a time. Box one, D is not conned to anything, box 2, D connection is laying on the floor with the KVM bundle. It's all just a matter of manual switching, , , , ,
     
    cornemuse, Nov 22, 2019
    #3
  4. priscus
    I questioned on here recently, the demise of the stand alone hardware firewall.

    In the early years of this century, I recall seeing cheap Linux based hardware firewalls commonly being offered.

    They seem to have disappeared.

    Complex (and expensive) versions of the same still to be found though. Maybe only commercial-use purchasers were taking up such an option.

    I was considering using them, though at the time (circa 2005) my machine's chip set offered me use of 'Nvidia Firewall', which proved adequate. Needed some managing though: had to select what material passed/blocked both inbound and outbound. So frequently recourse to enabling in settings sites which I had not visited previously.

    When I chose to revisit the issue, having acquired more networked hardware, they were no longer to be had.
     
    priscus, Nov 22, 2019
    #4
  5. trimis
    The cheap sort are now the territory of the DIY set:

    https://arstechnica.com/gadgets/2016/04/the-ars-guide-to-building-a-linux-router-from-scratch/
    https://hackaday.com/2018/04/12/building-the-perfect-home-router/
    http://www.practicallynetworked.com/networking/convert_old_pc_to_new_router.htm

    For them lacking in the necessary skills, the choices of out-of-the-box solutions break down to either routers with SPI & NAT, or standalone devices. For wired-only routers the options are few:

    https://www.amazon.com/slp/wired-gigabit-router/8xgzkxc8pzhb4kz

    Basically a choice of MikroTik or Ubiquiti, with all the rest having bad reviews of one sort or another. Both use a Linux-based operating system, and neither is easy to set up. For standalone devices, the options are many:

    https://firewalla.com/products/fire...A_campaign=1982799286&GA_adgroup=73989775427&

    https://www.corporatearmor.com/prod...-vpn-90-mbps-utm/?CAWELAID=120085770000000271

    https://store.netgate.com/pfSense/SG-1100.aspx

    https://www.newegg.com/p/09Z-01ZK-00003
     
    trimis, Nov 23, 2019
    #5
  6. priscus
    Yes, I almost went down the DIY route, a book which I have (The Linux Bible) has a chapter on re-purposing an old PC to make a HFW. I have old PCs to hand.

    However, online searching suggests using an old PC results in unsatisfactory performance, and if you are going to do all that work, then investing in a low power Server Board (Atom CPU) and using laptop RAM (eg Supermicro) is preferable. So be it, though it then is no longer a cheap solution.
     
    priscus, Nov 23, 2019
    #6
  7. trimis
    Yeah, the $60 for my MikroTik and $100 for the computer tech was cheapest I found. Guess if you're able to figure out how to set it up yourself, you could knock off the $100. To me $160 was worth every penny.
     
    trimis, Nov 24, 2019
    #7
  8. trimis
    The instructions would depend on the router used, and can even vary between models of the same brand. You would need to search on Google:
    MikroTik hEX RB750Gr3 - NAT SPI setup
    as an example. If you cannot find anything, let me know, and I'll do a search. I'd need to know your specific router.
     
    trimis, Nov 29, 2019
    #8
    Janice likes this.
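
As an added illustration of what a "NAT & SPI" setup on the MikroTik router named in this thread can look like (not posted by any participant and not MikroTik's own configuration), the RouterOS fragment below pairs connection-state filtering with source NAT. It assumes ether1 is the internet-facing port and that the LAN ports sit in a bridge named bridge; both names are assumptions to adjust.

```routeros
# Added example. Assumed layout: ether1 = internet (WAN), "bridge" = LAN ports.
# Skip the list definitions if lists named WAN and LAN already exist.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=bridge

/ip firewall filter
# --- SPI for traffic addressed to the router itself (input chain) ---
# Replies belonging to connections the router is already tracking.
add chain=input action=accept connection-state=established,related
# Packets that fit no tracked connection (e.g. stray or forged replies).
add chain=input action=drop connection-state=invalid
# ICMP so ping and path-MTU discovery keep working.
add chain=input action=accept protocol=icmp
# Everything else that does not arrive from the LAN side is dropped,
# so the router's management services are unreachable from the internet.
add chain=input action=drop in-interface-list=!LAN

# --- SPI for traffic passing through to the PCs (forward chain) ---
# Replies to connections that a LAN machine opened.
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# New connections arriving from the WAN are dropped unless a port-forward
# (dst-nat) rule created them. No such rule is defined here, so all
# unsolicited inbound connections are dropped.
add chain=forward action=drop connection-state=new \
    connection-nat-state=!dstnat in-interface-list=WAN

/ip firewall nat
# NAT: LAN machines share the router's public address on the way out.
add chain=srcnat action=masquerade out-interface-list=WAN
```

Rules of this kind only reject connections that start on the internet side; anything a LAN machine initiates is allowed out and its replies are allowed back in.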