Your Firewall Is Probably a Consumer Router.
Here's Why That's a Problem.

You might think you have a firewall protecting your business network. For most small businesses, that “firewall” is a $60 router from a big box store. Here's what that actually means — and what to do about it.

We've been doing this for over 30 years. And one of the most common things we see when we first walk into a small business is a consumer-grade router — Netgear, Linksys, ASUS, TP-Link, whatever was on sale — sitting at the edge of the network, doing the job that a real firewall should be doing.

Nobody set out to do this. Usually it went something like: your ISP gave you a modem, you needed Wi-Fi, you bought a router, and things worked. Or maybe your IT person set it up years ago and it's just always been there. The router has a “firewall” checkbox in its settings menu. Someone checked the box. Everyone figured you were covered.

You're not. Not really. And understanding why matters a lot more than most business owners realize until something goes wrong.

What Your Router Actually Is (and Isn't)

Let me be clear about something: your consumer router does have a basic form of protection built in. It does Network Address Translation (NAT), which means your internal devices share one public IP address and unsolicited inbound traffic from the internet gets dropped. That does provide a layer of protection.

But NAT is about as basic as it gets. It's not really a firewall — it's a side effect of how home routing works. And “drops unsolicited inbound traffic” is the bare minimum. The real threats hitting businesses today don't come from someone trying to knock on your front door.

They come in through what you invite in: email attachments, websites your employees visit, compromised software updates, phishing links. They come in through the stuff your router happily passes through because it looks like perfectly normal traffic. Your consumer router has essentially no ability to tell the difference between legitimate traffic and malicious traffic riding along inside it.

If you're already thinking about how bad actors actually get in, our cybersecurity guide for small businesses covers the full picture. But your network edge — that router at the front door — is where a lot of this could be stopped before it becomes your problem.

What a Real Business Firewall Actually Does

A real firewall — something like pfSense, OPNsense, or a commercial option from Fortinet or SonicWall — is a completely different class of device. Here's what it can do that your consumer router can't:

Deep Packet Inspection

Instead of just looking at where traffic is coming from and going to, a real firewall looks inside the packets. It can identify what application is actually running, what protocol is being used, and whether the contents look malicious — even inside encrypted traffic, provided the firewall is configured to decrypt and inspect TLS. Your consumer router sees a stream of bytes and passes them along. A business firewall understands what it's looking at.

Intrusion Detection and Prevention (IDS/IPS)

A real firewall maintains active threat intelligence. It knows what ransomware command-and-control traffic looks like. It knows what port scans look like. It knows when something on your network is trying to reach a known malicious server. And it can block it automatically, in real time. Consumer routers don't have any of this. They have no concept of “threat” — traffic is either allowed or blocked based on simple rules.

Content Filtering

You can control what your network actually allows. Block known malware distribution sites. Block categories of sites that put your business at risk. This isn't about spying on employees — it's about reducing your attack surface. A business firewall can stop a malicious download before it ever reaches the employee's machine.

Comprehensive Logging and Visibility

When something goes wrong on your network, do you have any idea what happened? A business firewall logs everything: what connected to what, when, from where, and what happened. Consumer routers keep minimal logs, and most people never look at them anyway. Good logs mean the difference between “we got hacked somehow” and “here's exactly what happened and here's how we stop it from happening again.”

Proper VPN for Remote Workers

A real firewall handles VPN properly — strong encryption, user authentication tied to your directory, and granular access controls. The VPN on consumer routers is usually an afterthought: often outdated protocols, no logging, and no integration with your actual user accounts. If your remote workers are connecting through a consumer router VPN, that's a separate problem worth addressing.

Network Segmentation (VLANs)

Your security cameras, smart TVs, and IoT devices shouldn't be on the same network as your business data and your point-of-sale system. A business firewall makes VLAN setup and enforcement straightforward. Properly segmenting your network is one of the most effective things you can do to limit the damage if something does get in. If you want to understand why this matters for IoT devices specifically, we cover it in depth in our post on security cameras and network segmentation.
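To make the segmentation point concrete, here is an added example (not code from the original post, and not from pfSense, OPNsense or any vendor): a small first-match policy evaluator in Python over three constructed VLANs. The subnets, VLAN names and rules are assumptions chosen for illustration. It shows the two properties that matter: traffic is denied unless a rule explicitly allows it, and a compromised camera or workstation has no path for Windows file sharing into the point-of-sale segment.

```python
# Added example, not code from the original post or from pfSense/OPNsense.
# Models inter-VLAN policy enforcement: first matching rule wins, default deny.
# Subnets, VLAN names and rules are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed VLAN layout, one subnet per role (RFC 1918 space, assumed).
VLANS = {
    "business": ip_network("10.10.0.0/24"),  # workstations and file server
    "pos":      ip_network("10.20.0.0/24"),  # point-of-sale terminals
    "iot":      ip_network("10.30.0.0/24"),  # cameras, smart TVs, thermostats
}


@dataclass(frozen=True)
class Rule:
    src: str           # VLAN name, or "any"
    dst: str           # VLAN name, "internet", or "any"
    proto: str         # "tcp", "udp", or "any"
    ports: frozenset   # allowed destination ports; empty means any port
    action: str        # "pass" or "block"


# Constructed policy, evaluated top-down. Anything that matches no rule is blocked.
POLICY = [
    # Business hosts may browse the internet.
    Rule("business", "internet", "tcp", frozenset({80, 443}), "pass"),
    # Business hosts may pull camera video (RTSP) from the IoT VLAN, nothing else.
    Rule("business", "iot", "tcp", frozenset({554}), "pass"),
    # IoT devices may reach the internet for updates and cloud video over HTTPS.
    Rule("iot", "internet", "tcp", frozenset({443}), "pass"),
    # POS terminals only ever need HTTPS to their payment processor.
    Rule("pos", "internet", "tcp", frozenset({443}), "pass"),
    # Deliberately absent: any rule letting IoT or POS initiate into "business",
    # and any rule carrying Windows file sharing (139/445) between VLANs.
]


def vlan_of(addr: str) -> str:
    """Name the VLAN an address lives in, or 'internet' if it is in none."""
    ip = ip_address(addr)
    for name, net in VLANS.items():
        if ip in net:
            return name
    return "internet"


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Return 'pass', 'block', or 'not-routed' for a new connection attempt."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src == dst and src != "internet":
        # Same-VLAN traffic is switched, not routed: the firewall never sees it.
        # That is exactly why the segment boundary has to be where policy lives.
        return "not-routed"
    for rule in POLICY:
        if rule.src not in ("any", src):
            continue
        if rule.dst not in ("any", dst):
            continue
        if rule.proto not in ("any", proto):
            continue
        if rule.ports and dport not in rule.ports:
            continue
        return rule.action
    return "block"  # default deny


if __name__ == "__main__":
    # Constructed flows mirroring the lateral-movement scenario.
    flows = [
        ("10.10.0.20", "10.10.0.21", "tcp", 445),   # SMB inside business VLAN
        ("10.10.0.20", "10.20.0.5",  "tcp", 445),   # SMB business -> POS
        ("10.30.0.15", "10.20.0.5",  "tcp", 445),   # SMB camera -> POS
        ("10.10.0.20", "10.30.0.15", "tcp", 554),   # RTSP business -> camera
        ("10.10.0.20", "10.30.0.15", "tcp", 22),    # SSH business -> camera
        ("10.10.0.20", "192.0.2.50", "tcp", 443),   # HTTPS business -> internet
    ]
    for f in flows:
        print(f"{f[0]:>12} -> {f[1]:>12} {f[2]}/{f[3]:<4} {evaluate(*f)}")
```

Note the "not-routed" result: file sharing between two workstations on the same VLAN never crosses the firewall, so a worm can still spread inside that one segment. Segmentation limits the blast radius; it does not replace endpoint protection within a segment.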

The Risk You're Actually Running

Let me give you a concrete scenario, because abstract security talk doesn't really land until you can picture it.

A ransomware group targets businesses in your industry. They send a targeted phishing email to one of your employees. The employee clicks a link, which downloads a payload that looks like a routine software update. The payload runs quietly in the background, calling home to a command-and-control server to receive its instructions. Then it starts moving laterally across your network, encrypting files as it goes.

Your consumer router sees none of this. Every step of that attack uses traffic that looks perfectly normal to a NAT-based router. The malicious payload came in over HTTPS. The command-and-control connection goes out over HTTPS. The lateral movement uses standard Windows file sharing, which you need for your business to operate.

A real firewall with IDS/IPS would have flagged the command-and-control connection — that server is on known malicious IP lists, and the traffic pattern is distinctive. With content filtering, the malicious download site might have been blocked before the employee even saw it. With network segmentation, the lateral movement would have been contained to one segment instead of spreading across everything.
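The IDS/IPS and logging sections above, and this scenario, all come down to the same capability: having a record of every outbound connection and something that looks at it. As an added example (not code from the original post, and not a real IDS), here is a small Python detector run over constructed firewall log lines. The log format is simplified, every address comes from the TEST-NET documentation ranges, and the blocklist is a made-up stand-in for a threat feed. It shows two findings the scenario relies on: a single connection to a listed address, and the regular check-in pattern of command-and-control traffic even when the server is on no list yet.

```python
# Added example, not code from the original post. A small detector run over
# constructed firewall log lines, showing two things good logs plus a threat
# list let you see: a connection to a listed address, and periodic "beaconing"
# to an address that is on no list at all. Log format, addresses and the
# blocklist are all made up (TEST-NET documentation ranges).
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed stand-in for a threat-intelligence feed.
KNOWN_BAD = {"203.0.113.77"}
# Assumed internal address space.
LOCAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed log lines in a simplified format:
#   time,action,proto,src,sport,dst,dport
SAMPLE_LOG = """\
2024-05-01T08:59:58,block,tcp,192.0.2.10,40000,10.10.0.1,22
2024-05-01T09:00:00,pass,tcp,10.10.0.31,51000,192.0.2.50,443
2024-05-01T09:00:05,pass,tcp,10.10.0.20,51001,198.51.100.9,443
2024-05-01T09:00:41,pass,tcp,10.10.0.44,51002,203.0.113.77,443
2024-05-01T09:01:05,pass,tcp,10.10.0.20,51003,198.51.100.9,443
2024-05-01T09:02:05,pass,tcp,10.10.0.20,51004,198.51.100.9,443
2024-05-01T09:02:50,pass,tcp,10.10.0.31,51005,192.0.2.50,443
2024-05-01T09:03:04,pass,tcp,10.10.0.20,51006,198.51.100.9,443
2024-05-01T09:04:06,pass,tcp,10.10.0.20,51007,198.51.100.9,443
2024-05-01T09:07:41,pass,tcp,10.10.0.31,51008,192.0.2.50,443
"""


def is_local(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def parse_log(text: str) -> list:
    """Turn the simplified CSV lines into dicts with a real datetime."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, proto, src, sport, dst, dport = line.split(",")
        entries.append({
            "time": datetime.fromisoformat(ts), "action": action, "proto": proto,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
        })
    return entries


def detect(entries: list, min_beacons: int = 5, max_cv: float = 0.15) -> list:
    """Flag outbound blocklist hits and regularly spaced outbound connections."""
    findings = []
    # Only outbound flows matter here; inbound drops are "front door" noise.
    outbound = [e for e in entries if is_local(e["src"]) and not is_local(e["dst"])]

    # 1. Known-bad destination: one connection is enough to flag.
    for e in outbound:
        if e["dst"] in KNOWN_BAD:
            findings.append({"kind": "blocklist_hit", "src": e["src"],
                             "dst": e["dst"], "time": e["time"].isoformat()})

    # 2. Beaconing: the same host hitting the same destination at near-constant
    #    intervals. Malware checking in on a timer looks like this; a person
    #    browsing does not. Regularity is measured as coefficient of variation.
    by_pair = defaultdict(list)
    for e in outbound:
        by_pair[(e["src"], e["dst"])].append(e["time"])
    for (src, dst), times in by_pair.items():
        if len(times) < min_beacons:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_cv:
            findings.append({"kind": "beaconing", "src": src, "dst": dst,
                             "connections": len(times), "mean_interval_s": avg})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the sample, it reports 10.10.0.44 touching the listed address once, and 10.10.0.20 contacting 198.51.100.9 five times about sixty seconds apart; the ordinary browsing from 10.10.0.31 and the dropped inbound scan trigger nothing. A consumer router keeps neither the per-connection record nor the list, so neither finding is possible there. On a real firewall the log source would be the filter log and the list would be a maintained feed, which is why the caveat about keeping signatures current matters.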

This isn't a worst-case hypothetical. It's a realistic scenario that plays out at small businesses every single day. The question isn't whether these threats exist — they do. The question is whether your network is set up to see them coming.

And it's not just ransomware. A compromised machine on your network could be quietly exfiltrating customer data for months. A poorly secured IoT device could be relaying traffic for a botnet. None of these show up on your consumer router because it has no way to look for them.

Business-Grade Protection Doesn't Have to Cost a Fortune

Here's something a lot of people don't know: you don't need to spend thousands of dollars on enterprise gear to get real firewall protection. This is an area where open source has made enterprise-grade security genuinely accessible to businesses of any size.

pfSense and OPNsense are open source firewall platforms that run on inexpensive hardware — a capable mini PC runs $200–$400 — and provide every feature we've described above. IDS/IPS, content filtering, VPN, VLAN support, comprehensive logging, all of it. We use and recommend these regularly because they give small businesses access to the same quality of protection that large enterprises use, without the licensing costs that come with commercial alternatives. This is core to why we use open source for our clients.

If you'd rather have hardware with vendor support, Fortinet's FortiGate line has solid small-business options in the $300–$600 range with reasonably priced subscription updates for threat intelligence. Sophos and SonicWall are also legitimate business-grade options at comparable price points.

The right answer depends on your team, your tolerance for configuration work, and your budget. But all of these are dramatically better than a consumer router — and the cost difference is far smaller than most people expect.

One Important Caveat

A firewall is not a set-it-and-forget-it device. It needs to be kept updated, and its threat intelligence signatures need to stay current. An outdated firewall is better than no firewall, but not by as much as you'd hope. Threat signatures that are six months old might as well not exist for the threats that emerged in those six months. This is one of the places where having competent ongoing IT management — not just a one-time install — makes a genuine difference to your security posture. You can read more about what that kind of proactive relationship looks like in our services overview.

What You Should Do About This

First: find out what's actually at your network edge. This is usually easy to determine. Look for the device that your internet connection comes into, and trace the cable from your ISP modem. Whatever sits between that modem and your internal network is your “firewall.” If it says Netgear, Linksys, ASUS, TP-Link, or a similar consumer brand, you're in the situation we're describing.

Second: have a conversation with your IT provider about upgrading to a business-grade firewall. It should be a relatively straightforward project — typically a few hours of work with no meaningful disruption to your operations. The hardware cost is real but reasonable. The ongoing management cost is part of any competent IT relationship.

If your IT provider tells you a consumer router is “good enough,” push back. Ask them specifically what intrusion detection it provides. Ask how they'd know if something on your network was communicating with a command-and-control server. Ask what the logging looks like. If they can't answer those questions, or they brush them off, that's worth a second opinion.

Third: if you're not sure what you have or what you need, a basic network assessment will answer all of these questions clearly. We do them regularly as part of our onboarding, and we're happy to do a free one-hour conversation with any business owner who wants to understand where they stand. No obligation, no sales pitch — just an honest read on your situation.

Your network edge is the first line of defense for everything your business runs on. It deserves something better than the device you'd buy to get Wi-Fi in a vacation rental.

Not Sure What's Protecting Your Network?

We'll take a look and give you a straight answer — no strings attached. Sometimes a quick conversation is all it takes to know where you stand and what, if anything, needs to change.

Get a Free Network Assessment