What a consumer router's firewall actually does
The firewall built into your Eir, Virgin, or Sky broadband router does one thing: it blocks unsolicited inbound connections. That's it. It does not inspect traffic. It does not detect malware. It does not identify ransomware command-and-control connections going outbound. It does not log anything useful.
Most modern attacks don't need to knock on your door. They wait for you to knock on theirs — through a phishing link, a malicious ad, or a compromised website. Once a user clicks, the malware calls home through port 80 or 443 (standard web traffic), which your router's firewall happily passes through.
What a dedicated firewall does differently
Deep Packet Inspection (DPI)
A dedicated firewall like OPNsense with Zenarmor can inspect the content of traffic, not just its source and destination. It can identify malware patterns in HTTP traffic, block known command-and-control domains, and flag unusual data exfiltration even if it looks like normal web browsing.
Intrusion Detection & Prevention (IDS/IPS)
IDS watches for attack signatures — patterns that match known exploits, port scans, and lateral movement techniques. IPS goes further and actively blocks matching traffic in real time. On OPNsense, this is powered by Suricata with regularly updated rulesets from Emerging Threats.
Network segmentation
A dedicated firewall lets you create VLANs — separate network segments for staff devices, guest Wi-Fi, IoT devices, and servers. If ransomware lands on one device, network segmentation means it can't automatically reach everything else on your network.
This is one of the most underused defences in Irish SMEs. A single VLAN for staff and a separate one for the printer, the CCTV system, and the smart TV is a 30-minute configuration job that dramatically reduces your blast radius.
Geo-blocking
If your business only operates in Ireland, there's no legitimate reason for your network to receive connection attempts from Russia, China, or North Korea. A dedicated firewall can block entire countries at the perimeter in seconds. This doesn't stop all threats, but it removes a huge volume of automated scanning and brute-force traffic.
The real cost of going without one
Irish businesses are increasingly targeted — not because they're interesting, but because they're accessible. Automated scanners find open ports and weak configurations around the clock.
€3,200+
Average cost of a data breach for an Irish SME (source: Hiscox 2024)
56%
Of breaches go undetected for months without proper monitoring
€1,000+
Per hour of downtime cost for a typical 10-person Irish business
These aren't worst-case numbers. They're averages. And they don't include the reputational damage, GDPR notification costs, or the hours your team spends cleaning up instead of doing their jobs.
What does a proper setup cost?
For most Irish SMEs — an office of 10–50 people — a properly deployed OPNsense firewall costs:
- Hardware: €200–€400 for a purpose-built x86 appliance (Protectli, Topton)
- Installation & configuration: From €399 (RAIT fixed-price)
- Total first year cost: Under €900
- Optional monthly management: From €79/month for firewall reviews and patching
Compare that to one day of downtime, one ransomware incident, or one GDPR notification. The maths is straightforward.
GDPR and firewalls
Under GDPR, Irish businesses are required to implement “appropriate technical and organisational measures” to protect personal data. Operating a business network with only a consumer router as your perimeter defence would be difficult to defend to the Data Protection Commission after a breach.
A documented, properly configured network firewall with logging is evidence of due diligence. It doesn't guarantee you won't be breached — nothing does — but it demonstrates that you took reasonable precautions.
Not sure if your current setup is adequate?
RAIT offers a free network security assessment for Irish businesses. We'll review your current setup and tell you exactly where you're exposed — no obligation.
Book a Free Assessment