Introduction
How can you secure your IOT devices from the outside world without cutting off features/
Even before the formulation of the term "Internet of things", Steve Gibson proposed home networking topology changes designed to deal with this new looming security threat. Unfortunately, little or no thought is given to the security aspects of the devices in this rapidly growing market.
One of Steve's proposed network topology adjustments involved daisy-chaining two routers together. The WAN port of an IOT-purposed router would be attached to the LAN port of the Border/root router.
In this arrangement, only IOT/Smart devices are connected to the internal (or IOT-purposed) router. The idea was to isolate insecure or poorly implemented devices from the more valuable personal local data devices such as a NAS with important files and/or backups. Unfortunately, this clever arrangement leaves any device directly connected to the “border” router open to attack by infected devices running on the internal/IOT router. Such devices could perform a simple trace-route and identify that an intermediate network exists between them and the public Internet. Any device running under the border router with known (or worse – unknown!) vulnerabilities can be immediately exploited.
Gibson's alternative formula reversed the positioning of the IOT and border router. Unfortunately, this solution also came with a nasty side-effect. The border router (now used as the "secure" or internal router) became subject to all manner of man-in-the-middle attacks. Since the local Ethernet network basically trusts all traffic within its domain, an infected device on the IOT router (now between the internal router and the public Internet) can manipulate or eavesdrop on any traffic emerging from the internal router. The potential consequences of this flaw are obvious.
The third time really is the charm for Steve! On February 2nd of this year (Episode #545 of Security Now!) Gibson presented us with his third (and hopefully final) foray into the magical land of theory-crafting as it related to securing our home networks against the Internet of Things.
With this iteration Steve moved us from a two-router solution to a three-router solution. The new arrangement involves three fundamental elements to the network – an “external” or “border” router that has one purpose and one purpose ONLY: to move traffic back and forth between the public Internet and the two internal subnets underneath it. The second is an IOT-purposed router which houses all “Smart” / “Internet of Things” / “Internet-Enabled” devices, and whose uplink port is connected to an open LAN port of our border router. Devices such as PCs, laptops, phones and network storage devices have NO place inside this segment of the network. The third and last element is the “Secure” or internal router which, in similar fashion to the IOT router, has its uplink port connected to an open LAN port of the border router. Any valuable device (high value targets to hackers) such as desktops, laptops and network storage devices (a NAS or similar network appliance) are all clustered together inside this subnet.
Maintaining three separate purpose-driven subnets affords our network some key protective features unavailable to us with both of our previous configurations.
1. Separation of Ethernet Segments: Compromised devices and/or malicious payloads no longer have the luxury of unfettered access to devices (either upstream or downstream) by exploiting the trusting Ethernet protocol.
2. Damage control: Compromised devices and/or malicious payloads are separated from higher value targets such as PC workstations and network attached storage devices. In the event of a breach, the damage an “expendable” IOT device can cause on the network will be contained and compartmentalized to the local subnet.
Although our proposed variation so far seems very bullet-proof (it is for the most part), we cannot neglect to briefly discuss one outstanding caveat. Even though corralling all of our less secure devices into a single subnet will dramatically improve our overall security, the threat of an already infected device hijacking or exploiting the vulnerabilities of an adjacent device in the same IOT subnet is still a very real possibility. For this reason, I would propose an additional modification to this blueprint (which Steve also alluded to). Whether built in software or (preferably) hardware, a per-IP “virtual LAN pipe” should be constructed on the fly with each new IOT device connection that would allow IP-based communication to only one endpoint – the publicly facing Internet. It’s important to note that a VLAN does not provide the form of security we desire on a wireless interface. Our goal is to draw on the concepts of how a VLAN works while the implementation will most likely utilize some other method/protocol. In other words, a device would ONLY have the capability to transmit and receive as if it were the only device behind the protection of the NAT. The idea here isn’t to over-engineer a solution (even though it feels very much that way). This is about advancing our networking technology to address the very real threat IOT devices carry with them.
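As an added illustration (not from the article or from Steve Gibson's notes), the following Python model encodes the reachability rule that separates the three layouts above: a NAT router passes a new connection only from its LAN to its WAN side, a router on the way can only be crossed downward if a port-forward admits the destination port, and any host on an Ethernet segment that a flow crosses can observe it. Router, segment and host names are made up, and the model goes beyond the article by also covering port-forwards and per-client isolation on the IOT segment.

```python
from dataclasses import dataclass, field

INTERNET = "internet"  # the root segment; no router owns it


@dataclass
class Router:
    """A consumer NAT router: one WAN port upstream, one LAN segment behind it."""
    name: str
    wan_segment: str                               # segment the WAN port plugs into
    lan_segment: str                               # segment behind the NAT
    forwards: dict = field(default_factory=dict)   # dport -> host that receives it
    client_isolation: bool = False                 # AP/client isolation on the LAN side


class Topology:
    def __init__(self, routers):
        self.owner = {}   # LAN segment -> the router that NATs it
        self.hosts = {}   # host name -> segment it sits on
        for r in routers:
            self.owner[r.lan_segment] = r
            # A router's WAN side behaves like a host on the upstream segment.
            self.hosts[r.name] = r.wan_segment

    def add_host(self, name, segment):
        self.hosts[name] = segment

    def path_up(self, segment):
        """Segments crossed walking from `segment` to the Internet, inclusive."""
        path = [segment]
        while segment != INTERNET:
            segment = self.owner[segment].wan_segment
            path.append(segment)
        return path

    def can_connect(self, src, dst, dport=80):
        """Can `src` open a NEW connection to `dst` on `dport`?

        Going up through a router (LAN -> WAN) is always allowed; coming down
        (WAN -> LAN) needs a matching port-forward on every router on the way.
        """
        s_seg, d_seg = self.hosts[src], self.hosts[dst]
        isolated = self.owner.get(s_seg) is not None and self.owner[s_seg].client_isolation
        if s_seg == d_seg and src != dst and isolated:
            return False  # same segment, but the router keeps clients apart
        s_path, d_path = self.path_up(s_seg), self.path_up(d_seg)
        meet = next(seg for seg in s_path if seg in d_path)      # first shared segment
        descent = list(reversed(d_path[:d_path.index(meet)]))    # segments below it, top-down
        for i, seg in enumerate(descent):
            router = self.owner[seg]
            next_hop = dst if i == len(descent) - 1 else self.owner[descent[i + 1]].name
            if router.forwards.get(dport) != next_hop:
                return False
        return True

    def can_observe(self, attacker, victim):
        """Does `victim`'s Internet-bound traffic cross `attacker`'s segment?"""
        return self.hosts[attacker] in self.path_up(self.hosts[victim])


def daisy_chain():
    """First layout: the IOT router hangs off the border router's LAN; the NAS is on the border LAN."""
    t = Topology([Router("border", INTERNET, "border-lan"),
                  Router("iot", "border-lan", "iot-lan")])
    t.add_host("nas", "border-lan")
    t.add_host("bulb", "iot-lan")
    return t


def reversed_chain():
    """Second layout: the IOT router faces the Internet and the secure router sits behind it."""
    t = Topology([Router("iot", INTERNET, "iot-lan"),
                  Router("secure", "iot-lan", "secure-lan")])
    t.add_host("nas", "secure-lan")
    t.add_host("bulb", "iot-lan")
    return t


def three_routers(expose_camera=False, isolate_iot=False):
    """Third layout: IOT and secure routers both hang off the border router's LAN."""
    border = Router("border", INTERNET, "border-lan")
    iot = Router("iot", "border-lan", "iot-lan", client_isolation=isolate_iot)
    secure = Router("secure", "border-lan", "secure-lan")
    if expose_camera:                 # reaching a camera from outside needs BOTH forwards
        border.forwards[8080] = "iot"
        iot.forwards[8080] = "camera"
    t = Topology([border, iot, secure])
    for host, seg in [("nas", "secure-lan"), ("bulb", "iot-lan"),
                      ("camera", "iot-lan"), ("phone", INTERNET)]:
        t.add_host(host, seg)
    return t


if __name__ == "__main__":
    for label, t in [("daisy", daisy_chain()), ("reversed", reversed_chain()),
                     ("three", three_routers())]:
        print(label, "bulb->nas:", t.can_connect("bulb", "nas"),
              "bulb sees nas traffic:", t.can_observe("bulb", "nas"))
```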
Router Configuration Walk-Through
The IT veterans among us are most likely already well acquainted with the concepts at work in this type of router configuration. In fact, I would wager that most of you could also easily purchase and configure a system like this blindfolded. Even though most of us might already understand the concepts and steps involved, there are several benefits all of us can take advantage of. Less experienced readers can get a grasp on some basic networking concepts while the IT veterans among us can fill in some knowledge gaps (we all have them). As a community we can all fine-tune various aspects of this alternative approach to IOT security and begin implementing this network configuration at home or in the office.
Whether you're a beginner or a Cisco certified professional, we will all learn nuances of this alternative router configuration that we wouldn't have had we not walked through it together.
So, let’s assume we’re sold on the idea that Gibson’s router configuration will answer all of our IOT security woes. We’re going to un-box and configure three identical routers so they adhere to this alternative way of handling “insecure” and “secure” traffic. You can, of course, use three completely different router models. To keep things in the realm of sanity and because it’s much more efficient and easy to manage one unified interface, we will be using the same router model for all three.
For this setup we’ll be using three ASUS RT-N12 “3-In-1” Wireless Routers.
I have to pause a moment and chuckle at the advertising ASUS has come up with on this line of routers. The word “FAST” wasn’t good enough apparently – ASUS had to make an acronym out of it to really drive home the point that “this router be FAST, yo!”
This isn’t a Warranty Notice insert that I should just throw away. People, this is a “VIP Member” warranty notice! I am SO important to ASUS they had to include that specific verbiage just for me!
After unpacking all three units, lay everything out so it emulates the network topology we are creating – as shown below. I would HIGHLY recommend labeling each router to eliminate any confusion as to what that router’s purpose is in your network. Ten months from now when you hobble back into your server closet or re-approach the tangled rat’s nest of wires we all know you have near your cable modem, you won’t remember why you have three identical routers or what each of them does!
I know that Ubiquiti just had some MAJOR hacks back in May. ALL of their devices were hacked and the username was set to mother password set to f****r. The hacker bypassed the security of the kernel and reset the credentials. It affected their radios and their routers as well. I don’t know if I would trust the Ubiquiti option for security. I am a wireless provider and luckily, we have SSH and FTP blocked from outside of our network to our WISP.
I was personally looking at one of the Dell Sonic Walls for my home. I have several DVR’s, Media Player and Apple TV on my LAN along w/ my computers. I have Ubiquiti unifi AP’s in my home and my main desktop acts as the controller.
I came to this site because I am trying to figure the best way to set myself up w/ proper security for the future. At this time, I only have one router and a gigabit Cisco 50 port POE switch. But I am about to put in smart locks, garage door openers and IP cameras. I was wanting to segregate that traffic from the rest of the LAN for security reasons and for bandwidth reasons on my LAN and not make my other video suffer and start buffering.
I only have DSL speed to the Internet even though I have a gigabit LAN…
Am I on the right path?
Confused by one point: In discussion it was suggested that a single Ubiquiti box could provide solid enough isolation to avoid the three-router setup. But that doesn’t seem to provide wifi, which is sorta sine qua non for many IoT devices and desirable for guests even if your secure net is hardwired. So it seems at least one additional router or AP is needed, possibly two. What am I missing?
I’m also wondering whether simply firewalling the IoT devices to communicate only with their official hosts/hubs and/or control sources wouldn’t do the job more efficiently…?
So I tried to set up this same exact configuration in my house, and I have a question.
I recently purchased a Ring Doorbell — this is an IoT device (for those that don’t know) that has a camera which allows you to see who is at your front door if you use the associated Ring iOS/Android application. The Ring app will also allow you to view the camera feed when you are away from your house and outside of your local network. In my setup, I connected the Ring Doorbell to my “IoT network”. Meanwhile, my iPhone with the associated Ring phone app is connected to my “Secure network”.
When all three routers (Border, Secure, and IoT) are on, I can access the live feed from the Ring doorbell no matter which network my iPhone is connected to (from the “IoT network”, from the “Secure network”, and from my cell phone provider’s internet). However, when I turn off the modem used for the “Secure network”, I can only access the feed on the Ring app when my phone is connected to the “IoT network”. In this scenario, I obviously can’t access the video feed from the “Secure network” because that modem has been turned off. But what doesn’t make sense to me is why I can’t access the video feed while my phone is connected to my cell phone provider’s internet.
Anyone have an explanation for this?
(Apologies if it’s a dumb question — I’m obviously not a networking expert)
Thanks!
Nicolae Crisan, thank you for making SGibson’s theory implementable by those not super technical!
The majority of the comments lean against this “3 dumb routers” configuration. It seems most consider it inefficient. There are comments suggesting the Ubiquiti EdgeRouter X, pfSense, or Pepwave Surf SOHO.
If my primary objective is to isolate IP cameras, specifically Foscam 8910s from sensitive devices, is the “3 dumb routers” config an easy to administer set up for a non-technical person that has zero interest in learning anything about networking?
Here is my scenario:
I am assisting my cousin and her two teenage daughters. She lives three states away, so my support will be remote with her acting as my eyes and hands. One device with complex rules will be too much for her to help me troubleshoot remotely. To date, the guys she has dated have not been technical. I plan to configure/test the network at my house, ship her the pieces and walk her through snapping in the cables. I know a little about networking, but am very far from being an expert. By providing her a list of device types to connect to IOT or Secure, my hope is for her to easily be able to admin her network.
Primary objective: isolate 4 Foscam 8910s from her main network.
Secondary objective: Encrypt Foscam data streams, Foscam 8910s do not have https. Her current contract cell service has spotty service, so she uses free WiFi too much. When using free WiFi, she is giving her network login and password to anyone that is looking or capturing LAN data.
Her current home LAN set up is Time Warner Cable service, a cable modem she owns, connected to a Netgear 3400 v2 wireless router. Netgear has not released an update for v2 in 2-3 years. It is currently running its most recent firmware (1.0.0.52). It supports a guest network, but it is not set up. Remote administration, WPS, and UPnP are turned off. Each of the four IP cameras has a port forwarded in the Netgear.
Her devices are (Netgear 3400 v2 seems to handle load well):
-4 wireless Foscam IPs (640×480 resolution viewed via cell phone),
-1 ring doorbell,
-2 iPhones (various models), [usually on carrier’s 4G network]
-2 iPads (various models),
-2 WiFi Printers,
-2 Android phones, [usually on carrier’s 4G network]
-2 Win 10 laptops,
-1 Chromebook,
-2 connected DVDs that can stream Netflix and Youtube,
-2 Rokus,
-AT&T/Direct TV home DVR system with 3 wireless Genie devices, I think they have their own network to communicate to main DVR unit that is separate from her home WiFi network,
-XBox (no online gaming),
-Wii U (does do online gaming),
-1 Fitbit-type device,
-Guest network (she is the neighborhood and Drill team mom, many different teen girls on and off network).
Her family: 50 year old mom. 17 & 14 year old daughters. Many, many friends and drill team members have the guest password saved in their devices.
Suggested Map of Devices to Router and SSIDs (not real name of SSIDs):
-Border Router: Secure Router & IOT Router
-IOT Router; Video SSID: Foscam 8910s; Ring Doorbell;
-IOT Router; Media SSID: Rokus, Connected DVDs, XBOX, Wii U, Fitbit
-Secure Router; Family SSID: Cellphones, Printers, Apple iPads, Windows laptops, Chromebook
-Secure Router; Friends SSID: Printer, many teenage friends of their parents. 5-9 friends at one time seems to be average.
Questions/Concerns:
1. NEED TO ISOLATE FOSCAMS. 8910s are using Foscam’s DDNS and port forwarding through the Netgear 3400 v2. They call home often but Foscam initially denied they did. Who knows what data is being sent to China. I have read creepy stories of how the Foscams have a full LINUX system inside with limited security or safeguards. A clever hacker can enter the home LAN through the Foscam and hop to other devices on the LAN. Once a laptop/tablet is found, the hacker has access to more RAM and CPU power to do bad stuff.
2. DO I NEED TO PORT FORWARD FOSCAMs ON BOTH BORDER AND IOT ROUTERS? If this is required, am I weakening my setup? That is, am I not setting up a potential M-I-M situation since I have granted outside internet access through the border router? What options are there to remedy this scenario? Can it be set up so that I get an email if changes are made to the router’s config? Can a log be set up that will keep its entries through a reboot?
3. HOW DO I ENCRYPT FOSCAM VIDEO STREAMS SINCE THEY DO NOT USE HTTPS? My first thought is to figure out free OpenVPN. But the N12 stock firmware does not support OpenVPN. Is there another router I should consider? I would consider using Merlin firmware, but a few searches suggest the N12 is not stable on Merlin.
4. ARE DATA ON DIFFERENT SSIDs KEPT SEPARATE? One of Nicolae’s images shows the Asus N12 D1 firmware can make 3 guest SSIDs. Are data isolated such that data on the MAIN Family SSID is completely separate from data on the Friends SSID? Can these separate SSIDs be viewed as a sort of WiFi VLAN? I want to make sure an ex-boyfriend of one of the teens cannot use the commonly accessed Friends SSID to get access to data on the Family SSID.
5. WHICH CONSUMER GRADE ROUTER BRAND HAS BEST REPUTATION FOR MAINTAINING THEIR FIRMWARE? The Netgear 3400 v2 has not been updated in years. I was in Micro Center and noticed the 3400 is still sold, but it is v3. Netgear’s website does not make it clear when the last update was provided for the 3400 v3.
I regret the long post. Please let me know if my requests do not make sense.
Thank you.
RH
Back to basics
Yes, this is a very clever solution. But to what problem? What is really an IoT device??? How can a webcam, printer, Playstation, IP phone etc. be less ‘dangerous’ than a refrigerator (or another traditional IoT device)? Even a PC with the wrong software installed would not be more secure than a refrigerator.
My Netgear Nighthawk Router/WAP, like many devices, has a Guest WiFi Network (well, two: one for 2.5Ghz and one for 5Ghz).
Why would I not use this? Now my home automation requires an Ethernet connection so to solve this, I’m thinking I could purchase a WiFi extender with Ethernet port, plug that in to an outlet and connect it to the Guest WiFi. Then plug the home automation hub in to the Ethernet port on the extender.
Set up the guest WiFi for isolation and Bob’s my uncle.
What am I missing here? The traffic is isolated, no?
Yes, your traffic would be isolated. Guest Networks employ TWO levels of segregation.
1) AP Isolation. Which keeps devices from communicating with each other.
2) Guest Segregation. Which keeps devices on that Guest Network from being able to communicate to your internet network AND wired devices.
Both of these function as a sort of VLAN Segregation. There is literally no additional security required for devices segregated in such a way. Three Router is a nonsense solution.
The issue I have run into when trying to implement this isolated type of setup is that with iOT devices needing hubs (HomeKit with Apple TV for example) it becomes harder to separate and firewall. For example if you use the Apple TV to watch movies from your NAS etc you would generally put that on the secure side of the network, however the Apple TV needs to be able to ‘see’ the iOT devices to control them therefore causes a problem with routing. I have tried this with some crazy firewall rules to block all but Bonjour style of traffic but a) that is not easily bounced around (Bonjour is not very re-direct friendly) and b) still leaves a bit of a security gap.
Would love to know if others have run into this and how they are resolving these issues with control of iOT devices from hubs that need access to secure side etc.
Thanks
WC
Make the second router for IOT devices a VPN router for extra security. You can make one yourself if you are pretty technical or buy a premade one, like https://easyvpnrouter.com/ or google around for others
Please forgive nOOb questions but I would like to try this with a Ubiquiti EdgeRouter X as Border, then the existing router as Secure, then add a new IoT VPN router for IoT devices.
I’m getting impression from other sources that DHCP should be disabled on the IoT and Secure routers. Does that make sense?
Will devices on secure network be able to see and control IoT devices on IoT network?
(I have the existing router config backed up on NAS, I understand this approach is messier than Gibson advice)
Thank you.
Here is another configuration question
My situation is slightly more complicated.
I live in an RV and have 2 routers (both tied together, and both (sad-face) using a class A (10.70.x.x) address). We can call this (set) router A, as they are integrated together.
This is how I get my internet: either from a local wifi source (think McDonalds/Home Depot), or from a Verizon Jetpack.
Sub-problem 1: Router A is not a Gig-Ethernet, but only 100mb/s.
SO.
first problem
my border router has Class A addresses.
My next router (Router-B) is used for my internal wifi, and is tied via ethernet to Router A (border). It is a Gb consumer switch.
Next, my “dumb” TV has a Chromecast. I’d guess this is my first IoT device.
My second “dumb” TV has a Roku model 1 (because of the old connectors on it!). This would seem to be IoT device 2.
My first question is WHICH router should provide the DHCP addresses?
is there an easy way to integrate this easily?
I would guess that:
A) my slow (class A) border router would STILL be the interface to the outside world, since it knows how to get my wifi signals.
B) the Ubiquiti EdgeRouter x would be next in line, accepting all signals, and forwarding them to the devices.
b.1) I’d guess this would be my DHCP controller.
b.2) I would connect my second (commercial) router to the secure port, and use this one’s wifi signal as my primary device) wifi.
and my next question: where will my secure devices get their DHCP address, from borderA (doubtful), or edge-router(b), or secure (c).
And what IP addresses can I use that would be compatible with the class A 10.70 addresses? (I can’t change the addresses, because the system is monitored, and phones home.)
thanks in advance!
Mark
This has to be the stupidest network setup I have ever seen. Clearly done by a networking neophyte and definitely not done by a networking engineer that knows network security. Apparently VLANS, Policy Segregation and DHCP Pool isolation are new concepts to some people? All of this can be done in 2 minutes on any SOHO router and/or switch without need for all of this crappage gear.. Please people, stop giving out this kind of dumb information.
“on any SOHO router and/or switch” is a stretch, since multi-homed routers and VLAN switches are not the norm in the home networking market.
@Sjhhas1, instead of negative comments, please share the correct solution for this issue. I am truly curious what an expert such as yourself would do. Complete instructions with Network Map would be expected from an expert.
So, I’m giving this a try and having a heck of a time with either DHCP or double-NAT’ing, I’m really not sure which… I have the routers set up as described, and here’s where my understanding of these various concepts meets its limit: if the point of this is to “secure” my IoT devices on a separate network and that network is on a router which itself is behind another router, how on earth is the IoT network supposed to do its UPnP thing (which the Philips Hue Bridge, among others, requires), which requires as direct a path to the internet as possible, no?
Which router should handle the DHCP, or does each handle it for its own subnet (if I’m using the term correctly)?
Should I be reserving IP addresses in the border router’s DHCP server for the two “sub” routers? What about using some kind of bridge (I have both dd-wrt and Merlin-wrt routers and both seem to offer this – would it help)?
Should I attempt to assign specific routes to/from the external IP’s these devices use to “call home”?
I truly appreciate any help anyone can offer.
First of all, I am NOT very knowledgeable about Networks & Routers, so keep your troll comments to yourself. Luckily I work at a company that has lots of very smart folks who do know all about this stuff.
The instructions here are insufficient for people like me, who want to secure our home networks but are unsure how to set things up. Maybe the author assumes we know more about setting up routers than the average bear.
On the WAN side, do you leave the IP as Dynamic, or set that up to a specific set of IPs.
DNS: I think (not sure) that each router DNS needs to point to the router above to get to the Internet. My Secure router could not access the internet because I hadn’t set the Border router DNS to the Cable Modem. I’ll try that when I get home tonight.
LAN Setup: My Netgear WNDR3400 has a section “Use Router as DHCP Server”. I think that needs to be enabled, but again, I’m not sure. When I set the Border Router up with IP 10.10.1.1, the LAN set up the IPs for the DHCP Server from 10.10.1.2 to 10.10.1.254. Seems like this is the correct thing to do.
There is no mention that I can find about the WAN, LAN (other than setting the IP) or DNS setups.
AP Isolation: So this prevents the endpoints from talking to other devices on the wireless router? I have Amazon Echo Plus, and a bunch of lights, switches and plugs connected throughout the house. With all of these on the IOT router, don’t they need to be able to talk to each other? Or do they ALL send their info up to the internet and get their instructions from the internet and not the Echo? My two WNDR3400s have this capability. Once I get all three routers talking to the internet I will try it.
I have a Roku box. Connected wired to the Cable Modem now, so TV can still work while I muck with the 3 routers. Does the Roku need to be connected to the IOT router or is it safe to leave it connected to the Cable Modem?
My third router is an Apple Airport Plus. It does not appear to have any of the options above. I can create wireless networks but can’t specify the IP, and don’t see any options to change WAN, LAN, DNS or AP Isolation. I haven’t gotten to this router setup other than viewing the setup app. The reason I have this router is that we have Apple phones, iPads and iPods, and was sold on the “feature” that the Apple Router beams stronger wireless to Apple products. I realize I never verified this, but it’s what I have. This will be my Secure Router, as it currently works great with our Apple gear.
If one of you IT Experts have the time, some pointers here in the comments would be very helpful to Network Newbies like me. Instructions or links to other websites/pages that help folk like me understand better what the heck we are trying to accomplish.
Cheers!
I actually got it working, thanks to the experts at my company. Much of what I assumed above was off or just wrong.
Border: Netgear WNDR3400v3
Internet Setup: Leave it on Dynamic from ISP
WAN side: Leave it alone.
LAN side: Set the Border to 10.10.1.2. I left “Use Router as DHCP Server” checked.
Turned off all Wireless and UPnP.
I set DNS to my Internet company’s IP: Frontier is 74.40.74.40
IoT: Netgear WNDR3400v1
Internet Setup: Leave it on Dynamic from ISP
WAN side: Leave it alone.
LAN side: Set the IoT to 10.10.2.2. Leave “Use Router as DHCP Server” checked.
Wireless turned on with WPA2-PSK, Unusual Name and a 25+ character password.
Secure Router:
Turned it on, it works. Reaches the Internet with no changes.
Wireless turned on with WPA2-PSK, Very Unusual Name and a very long password.
I had to basically start over with Echo and all the smart switches, lights, etc. Reset everything and add the devices all over again. I had screenshots of my Routines and device names so we didn’t have to remember new phrases.
I used ShieldsUp! from Gibson Research Corporation https://www.grc.com/ to test for open ports & vulnerabilities. Everything passed with flying colors!
I use the 11 router approach. I find this to be the most secure method.
Three dumb routers solves the network isolation problem. But it’s way too complex for the average home user. This works a lot better:
https://www.pcwrt.com/2018/06/beyond-three-dumb-routers/
One smart router with network isolation built in. No need to worry about IP, NAT, DHCP etc…
I have something like that running, “upgraded” (I am not sure it’s an upgrade) to a two smart routers setup.
My ISP supplied a Fritz!Box as gateway device, so modem + router. I have an ASUS router with OpenWRT-Merlin running on it.
This is my setup:
The Fritzbox gateway has a guest wireless and a guest wired network. Both have been configured in such a way that devices in these networks cannot see each other.
The guest wired network links into an 8-port smart switch. My wired insecure IoT devices are linked to that, the wireless ones to the wireless guest network.
The Fritzbox is also linked to the Asus router.
The Asus router has a wireless guest network, a wireless network and a wired network.
The wired network links into a 24-port smart switch. My secure devices are linked to that, the wireless ones to the wireless network.
The mobile devices of our guests can use the wireless guest network of the Asus. The Asus is configured in such a way that these devices cannot see each other.
Does this setup make sense? Any improvements to be suggested?
I am thinking of moving to a three smart routers setup, but I have the feeling that not much is gained with that (except helping the company which will sell the router to me).
Not an IT guy. Following links appear to have design attributes discussed here and involves Ubiquiti Edgerouter X and AC-AP-LR access points. It was useful to me and became a hobby project, I found related link in GRC.com archives (https://www.grc.com/sn/files/ubiquiti_home_network.pdf ) and what appears to be most recent reference at: https://github.com/mjp66/Ubiquiti , Ubiquiti Home Network.pdf. I learned a bunch and am happy with it. It has amazing step by step Instructions, kudos to Mike Potts, author.
One cheap Mikrotik will replace all three “dumb” routers 🙂
In this setup, how do I get access to an IP camera on the IOT network from a laptop running on the Secure network?
IMO, one of the strengths of this approach is the difficulty of penetrating all the moats. As long as those routers have different chipsets and firmware – you’ve added some serious trouble for creeps.
Have been using this scheme for ~20 years. It’s cheap and it works. I find that using a border router with updated DNS features like IPFire works best. IPFire supports authenticated DNS over secure TLS and makes that available for everything downstream. NextDNS is a good subscription based DNS supplier, and there is a non profit in Luxembourg with very current DNS plumbing for backup.
We fill that border network with servers too. I2P, ZeroNet, https proxies, socks proxies, Tor relays. All of those boxes support software firewalls to keep that IOT menace at bay. Double NAT issues just don’t apply there.
Routers supporting the Qualcomm AN8327N hardware NAT chip are useful for your secure LAN segment. Less to go wrong. Gives you the benefit of a high priced chip engineer.