Here you go:
- Archer C7 v2 with LEDE 17.01.4, periodically updated.
- iptables DROP incoming packets. The only way to get in from outside is with fwknop.
- WPA2-PSK, forced cipher, long non-dictionary key, KRACK countermeasures, MAC address filter to only allow known MACs, hidden SSID (I’m aware this last one is ineffective).
- All regular PCs on the network have no open ports: Windows ones with ZoneAlarm firewall, Androids with NoRoot Firewall. Firewalls are manually configured and users are trained. My security cameras may be vulnerable (without known/published vulnerabilities, but I’m considering switching to Android phones per this thread), but they should only be accessible from the LAN (thus fwknop). Hidden FTP server for the cams only accepts connections from cams and one PC. And if you hack my TV I’ll know my setup isn’t as good as I hoped.
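As an added illustration of the kind of ruleset described above (this is not the poster's configuration and not LEDE's own firewall code): a default-DROP iptables policy for a LEDE/OpenWrt-style router where fwknop single-packet authorization is the only way in from the WAN, plus an on-router FTP server that only the cameras and one PC may reach. Interface names, addresses, the client list and the chain name fwknopd manages (`FWKNOP_INPUT`, its default from `IPT_INPUT_ACCESS`) are assumptions, marked in the comments.

```shell
#!/bin/sh
# Added example (not the poster's configuration): default-DROP router ruleset
# where fwknop SPA is the only way in from the WAN, and an on-router FTP server
# that only listed LAN hosts may reach.  Interfaces, addresses and the fwknopd
# chain name are assumptions.
#
# Safe by default: IPT is "echo iptables", so running the script only prints
# the rules it would load.  Run as root on the router with IPT=iptables to apply.
set -eu

IPT="${IPT:-echo iptables}"                  # unquoted on purpose: "echo iptables" is two words
WAN_IF="${WAN_IF:-eth0}"                     # assumed WAN interface
LAN_IF="${LAN_IF:-br-lan}"                   # assumed LAN bridge
LAN_NET="${LAN_NET:-192.168.1.0/24}"         # assumed LAN subnet
FTP_CLIENTS="${FTP_CLIENTS:-192.168.1.21 192.168.1.22 192.168.1.50}"  # assumed: two cams + one PC
KNOCK_CHAIN="${KNOCK_CHAIN:-FWKNOP_INPUT}"   # fwknopd default (IPT_INPUT_ACCESS in fwknopd.conf)

base_policy() {
    # Default-deny for traffic to and through the router; outbound left open.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    $IPT -F FORWARD
}

knock_first() {
    # fwknopd sniffs the SPA packet with libpcap, so the knock itself needs no
    # ACCEPT rule.  On a valid knock it inserts a timed ACCEPT for the client
    # into its own chain; the jump must come before everything else in INPUT.
    $IPT -N "$KNOCK_CHAIN" 2>/dev/null || true
    $IPT -I INPUT 1 -j "$KNOCK_CHAIN"
}

stateful_and_local() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may initiate outbound; nothing from the WAN is forwarded in.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
}

ftp_allowlist() {
    # On-router FTP (assumed): only listed LAN hosts may open the control
    # connection; every other LAN host and the whole WAN hit the DROP below.
    # Passive-mode data connections are covered by ESTABLISHED,RELATED once
    # the nf_conntrack_ftp helper is loaded.
    for h in $FTP_CLIENTS; do
        $IPT -A INPUT -i "$LAN_IF" -s "$h" -p tcp --dport 21 -j ACCEPT
    done
    $IPT -A INPUT -p tcp --dport 21 -j DROP
}

lan_services() {
    # Router services the LAN needs (DHCP, DNS, SSH for admin), LAN side only.
    # DHCP DISCOVER comes from 0.0.0.0, so that rule must not match on source.
    $IPT -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 53,22 -j ACCEPT
}

# Emit (dry-run) or load (IPT=iptables) the complete ruleset, in order.
rules() {
    base_policy
    knock_first
    stateful_and_local
    ftp_allowlist
    lan_services
}

rules
```

Two caveats for a real LEDE box: the stock firewall (fw3) rewrites the tables on every reload, so rules like these belong in `/etc/firewall.user` or in the uci `/etc/config/firewall` equivalents rather than a standalone script; and for a production load, feed the generated lines to `iptables-restore` so the policy flips atomically instead of rule by rule.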