
I’m much more comfortable using something like opnsense. Router manufacturers seem to just yolo it, judging by backdoors etc. found frequently.

> At some point you will go a year or two, or more, without any updates. That's when it is time for a new router.

Is that good advice? Swapping a mature and patched platform for whatever device with new A.I.-enabled, half-tested beta firmware that just got rushed to market?




Yes. If the thing sitting on the external side of your network, exposed to the open internet, isn't getting security patches, then it's time to replace it with something that is.


Doesn’t even have to be on the external side.

Non-updated LAN device making outbound connections puts the entire LAN at risk…


How much is exposed? How much attack surface is Internet accessible on, say, a 5 year old Netgear router? I guess I think it might be quite low.


If you've port scanned your public IP(s) and there are zero open ports, then you only have to worry about bugs in the TCP/IP stack, services listening on UDP, and intentional backdoors (which shouldn't happen but keep popping up). If there are exposed ports, then there's even more attack surface.

Edit: actually I forgot the likes of UPnP so that's not exhaustive.


Does OPNsense GUI support configuration of the router as a VPN client to commercial servers? Most of the docs cover site-to-site VPNs.


Directly, no, not to my knowledge. Seems like a bit of an esoteric layout to be honest.

If you really want you could probably do it with two sets of interfaces but you'd still need an external device for WireGuard. So the same opnsense instance takes LAN traffic and sends it to the WG device, the WG device sends it back to opnsense on a second set of interfaces and that goes out like a normal FW setup.

That way you have opnsense both as a perimeter device, and also benefit from it as LAN mgmt (DHCP etc).

To stick it all on one device you'd need virtualization I suspect. Can be done but wouldn't recommend.


You won't have a specific plugin, but you can absolutely use any common VPN config and configure that on OPNsense as a client.



