
What Is a Firewall and Why Your Router Isn't One

Last updated April 04, 2026

The Short Version

A firewall is a device that sits between your home network and the internet and decides what traffic is allowed in and out. It inspects every packet of data, applies rules you define, and blocks anything that doesn’t belong.

Your ISP router does not do this. It routes traffic. That’s it. The word “router” is right there in the name.


What a Router Actually Does

A router has one job: move data between networks. Your home network uses private IP addresses (like 192.168.1.x) that don’t work on the public internet. Your router translates those private addresses to your single public IP address so your devices can reach websites. This process is called NAT (Network Address Translation).

NAT provides a small amount of incidental security because unsolicited inbound traffic has nowhere to go. There’s no internal IP address mapped to it, so it gets dropped. This is why some people think their router is a firewall. It accidentally blocks some stuff.

But NAT is not a security feature. It’s an addressing workaround. It was invented because we ran out of IPv4 addresses, not because anyone was trying to protect your network.


What a Firewall Actually Does

A real firewall does several things your router cannot:

Stateful packet inspection. A firewall tracks every connection. It knows that a packet coming in from a web server is a response to a request your laptop made 200 milliseconds ago. It knows that a packet coming in from a random IP address on port 445 is not a response to anything and should be dropped. Your router doesn’t track this.
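The connection tracking described above, as an added toy example that is not part of this article: a state table records flows the LAN opened, inbound packets are allowed only as replies to one of those flows, and idle entries expire. The LAN prefix, addresses, ports and timeout are constructed values.

```python
import time
from dataclasses import dataclass

LAN = "192.168.1."   # constructed home LAN prefix (string match keeps the toy short)
IDLE_TIMEOUT = 60.0  # seconds an idle flow stays in the state table (assumed value)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class StatefulFilter:
    """Toy connection tracker: inbound traffic passes only as a reply to a flow the LAN started."""

    def __init__(self):
        # (lan_ip, lan_port, remote_ip, remote_port) -> timestamp the flow was last seen
        self.flows = {}

    def _expire(self, now):
        for key, seen in list(self.flows.items()):
            if now - seen > IDLE_TIMEOUT:
                del self.flows[key]

    def handle(self, pkt, now=None):
        now = time.monotonic() if now is None else now
        self._expire(now)
        if pkt.src_ip.startswith(LAN):
            # Outbound: remember the flow so its reply is recognised on the way back in.
            self.flows[(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)] = now
            return "ALLOW"
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.flows:
            self.flows[key] = now   # refresh: this conversation is still active
            return "ALLOW"
        return "DROP"               # unsolicited inbound, e.g. a probe of port 445

def demo():
    """Constructed traffic: a web request, its reply, an SMB probe, then a reply after the flow expired."""
    fw = StatefulFilter()
    laptop_out = Packet("192.168.1.20", 51234, "203.0.113.10", 443)
    web_reply = Packet("203.0.113.10", 443, "192.168.1.20", 51234)
    smb_probe = Packet("198.51.100.77", 40000, "192.168.1.20", 445)
    return [
        fw.handle(laptop_out, now=0.0),   # ALLOW, flow recorded
        fw.handle(web_reply, now=0.2),    # ALLOW, matches the recorded flow
        fw.handle(smb_probe, now=0.3),    # DROP, nobody on the LAN asked for this
        fw.handle(web_reply, now=200.0),  # DROP, the flow timed out after 60s idle
    ]
```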

Rule-based traffic control. A firewall lets you define exactly what is allowed and what isn’t. You can say “devices on my IoT network can reach the internet but cannot talk to devices on my main network.” You can say “block all traffic from these 45,000 known malicious IP addresses.” You can say “all DNS queries must go through my own DNS server.” Your router gives you maybe a toggle for “firewall: on/off” that does almost nothing.

Intrusion detection and prevention. A real firewall can run an IDS/IPS (Intrusion Detection/Prevention System) that compares incoming traffic against hundreds of thousands of known attack signatures. If someone tries to exploit a vulnerability in one of your devices, the firewall catches it at the perimeter before it reaches the device. Your router has zero awareness of attack patterns.

Network segmentation. A firewall can divide your home into multiple isolated networks called VLANs. Your laptop on one network, your smart TV on another, your kid’s tablet on a third. If the smart TV gets compromised by malware, it can’t reach your laptop because the firewall blocks traffic between those networks. Your router puts everything on one flat network where every device can talk to every other device.

DNS filtering. A firewall can run its own DNS server that blocks requests to known malicious domains. Over a million domains associated with malware, phishing, and tracking can be stopped before your device ever connects to them. Your router just forwards DNS queries to your ISP, who logs them and may even sell that data.

Logging and visibility. A firewall shows you exactly what’s happening on your network. Which devices are connecting, where they’re connecting to, how much bandwidth they’re using, and what’s being blocked. Your router gives you a list of connected devices if you’re lucky.


What Your ISP Router Actually Provides

Let’s be specific about what that box from your ISP is doing:

NAT. Translates your private IPs to your public IP. Not security, just addressing.

DHCP. Hands out IP addresses to your devices. Any device can do this.

WiFi. Broadcasts a wireless signal. Often with outdated encryption defaults and weak passwords.

DNS forwarding. Sends your DNS queries to your ISP’s servers, where they’re logged, analyzed, and potentially sold to data brokers.

Maybe a “firewall” toggle. Most ISP routers have a setting labeled “firewall” that enables basic stateless packet filtering. It blocks some obviously malicious inbound traffic. It does not inspect packets, track connections, detect intrusions, segment your network, or filter DNS.

UPnP. Most ISP routers have UPnP enabled by default. This allows any device on your network to automatically open ports in your router’s NAT without your knowledge or permission. Malware uses this. IoT devices use this. It’s a security hole that exists for convenience and should be disabled on any serious network.


The Flat Network Problem

This is the biggest issue with a standard home network and the one nobody talks about.

When you connect devices to your ISP router, they all join the same network. Your work laptop, your kid’s iPad, your smart TV, your Ring camera, your WiFi thermostat, your guest’s phone. They can all see each other. They can all communicate with each other.

This matters because IoT devices are notoriously insecure. Smart TVs phone home to servers in countries you’ve never heard of. Cheap security cameras have hardcoded passwords. Smart plugs run firmware that hasn’t been updated since they were manufactured. Any one of these devices can be compromised, and once it is, it has direct access to everything else on your network.

Here’s a real scenario: a smart TV with pre-installed spyware sits on the same network as your work laptop. The spyware scans the local network, discovers your laptop’s shared folders via SMB, and exfiltrates your work documents. You’ve now violated your company’s NDA without knowing it.

With a flat network, one compromised device means your entire network is compromised. There’s nothing between your IoT devices and your personal data except hope.


What Network Segmentation Looks Like

A proper firewall solves the flat network problem by creating separate isolated networks:

Admin network. Your trusted personal devices. Full access to everything including the firewall management interface.

IoT network. Smart home devices that need internet access but should never be able to reach your personal devices. Ring cameras, Ecobee thermostats, Wyze sensors. They can reach the internet to phone home to their cloud services, but they cannot scan or access any other network.

Guest network. Visitors get internet access without being able to see any of your devices. Not just a separate WiFi password like your router offers. Actually isolated at the firewall level with rules preventing access to any private IP range.

Kids network. Internet access with content filtering and optional time-based restrictions.

Each of these networks is enforced by firewall rules. A device on the IoT network trying to reach an IP address on the Admin network gets blocked. Not because of WiFi settings or access point configuration, but because the firewall drops the packet before it’s ever routed.


The “But I’ve Never Been Hacked” Argument

You might be thinking your current setup works fine. You’ve never had a problem. Why bother?

Two things to consider.

First, you probably have been compromised in ways you can’t see. IoT devices sending telemetry to unknown servers. Your smart TV reporting your viewing habits. Your ISP logging and selling your browsing data. Your DNS queries being harvested. None of this shows up as a “hack.” It’s just the normal operation of devices and services that don’t respect your privacy.

Second, the threat isn’t always a hacker in a hoodie trying to break into your network. The more common threat is lateral movement. One device gets compromised through a firmware vulnerability or a phishing link, and then it uses your flat network to access everything else. A firewall with network segmentation contains that breach to a single network segment. Without segmentation, there’s nothing to contain.


Dedicated Firewall vs Router “Firewall”

Here’s the difference in concrete terms:

Typical ISP router:

  • One network, all devices together
  • No intrusion detection
  • No DNS filtering
  • No traffic inspection
  • No network segmentation
  • UPnP enabled by default
  • No visibility into what’s happening
  • Firmware updates controlled by ISP (if ever)

Dedicated firewall appliance:

  • Multiple isolated networks
  • Intrusion detection with hundreds of thousands of signatures
  • DNS filtering blocking over a million malicious domains
  • Stateful packet inspection on every connection
  • Full network segmentation with per-network rules
  • UPnP disabled
  • Complete visibility into all traffic
  • You control the software and updates

These aren’t different tiers of the same thing. They’re fundamentally different devices doing fundamentally different jobs. Calling your ISP router a firewall is like calling a screen door a vault.


What About Mesh Systems?

Consumer mesh systems (Eero, Google WiFi, Ubiquiti AmpliFi) are better routers, but they’re still routers. They improve WiFi coverage and offer a nicer app experience, but they don’t solve the core problem.

Most mesh systems offer a single guest network. That’s it. No IoT isolation, no per-device network segmentation, no intrusion detection, no DNS filtering beyond whatever basic service the manufacturer bundles. And most of them send your network data to the manufacturer’s cloud for “analysis” and “improvement.”

Some mesh systems have added security features as a subscription service. These are typically cloud-based, meaning your traffic data leaves your home for inspection on someone else’s servers. That’s the opposite of privacy.


What to Look For

If you’re evaluating whether your network security is adequate, ask yourself these questions:

Can your IoT devices reach your personal devices? If everything is on one network, the answer is yes and that’s a problem.

Do you know what DNS servers your devices are using? If your router forwards to your ISP, they’re logging your queries.

Is UPnP enabled? If you don’t know, it almost certainly is. Devices are opening ports in your router without your permission.

Can you see what’s being blocked? If your router doesn’t show you blocked connections, it’s probably not blocking anything meaningful.

When was the last firmware update? ISP routers are notorious for running outdated firmware with known vulnerabilities.

If any of these questions made you uncomfortable, your router isn’t doing what you think it’s doing.


Summary

A router moves data between networks. A firewall decides what data is allowed to move. Your ISP router does the first thing and pretends to do the second.

The real risk isn’t a dramatic hack. It’s the slow, invisible compromise of a flat network where every device trusts every other device, your ISP logs everything, and your IoT devices phone home to servers you’ve never heard of. A dedicated firewall with network segmentation, intrusion detection, and DNS filtering solves all of these problems. A router with a “firewall: on” toggle does not.