Business Routers and Firewalls for Australian SMBs: Choosing the Right Network Foundation

Your internet connection is the front door to your business. The router and firewall sitting between that connection and every device on your network determine whether that door has a deadbolt or a flimsy latch. For Australian small and medium businesses, getting this right is not optional — it is the foundation on which everything else sits: your staff computers, your VoIP phones, your cloud applications, your payment systems, and increasingly your security cameras and access control.

The problem is that most SMBs do not think about the router and firewall until something goes wrong. Either a staff member clicks a malicious link that spreads through the network, or the business internet goes down and takes the phones with it, or an IT consultant arrives and quietly sighs at the consumer-grade modem still running the office of a 30-person business.

This guide explains what a business-grade router and firewall actually does, what features matter for Australian SMBs, which products are worth considering, and when it makes sense to let a managed IT provider handle the whole thing.


Why the Consumer Router That Came with Your NBN Is Not Enough

When you sign up for an NBN service — business or residential — your internet provider often supplies a modem-router combo unit. For a home, this is usually adequate. For a business, it is typically inadequate from day one and becomes a liability as the business grows.

Consumer-grade NBN equipment is designed with a specific use case in mind: a household of two to five people browsing the web, streaming video, and occasionally video calling. The hardware, firmware, and security posture reflect that use case.

Here is where the limitations show up in a business context.

Device limits. Most consumer routers are built to handle 10 to 20 simultaneously connected devices comfortably. A business with 15 staff, each running a laptop and a phone, plus a VoIP handset, a printer, a couple of access points, a NAS, a smart TV in the boardroom, and a few IoT devices on the wall can easily exceed 40 or 50 devices. Consumer routers degrade noticeably under this kind of load.

No traffic inspection. The built-in firewall on a consumer device typically performs basic Network Address Translation (NAT) — it separates your internal network from the internet, which provides some protection. But it does not inspect what that traffic actually contains. Malware, ransomware command-and-control traffic, and phishing callbacks can move freely through a device that is only checking whether a connection is allowed or not, rather than what is flowing through it.

No VPN server. Remote workers need a secure way to connect back to the office network. Consumer routers generally do not support site-to-site VPN or remote access VPN in any meaningful way. Staff end up using workarounds — consumer VPN apps, shared drives exposed directly to the internet, or remote desktop tools with poor security practices — all of which create risk.

No QoS for business applications. Quality of Service settings allow the router to prioritise certain types of traffic — VoIP calls, for example — over others. Without this, a staff member downloading a large file or joining a video call can degrade the audio quality of every phone call in the office simultaneously. Consumer devices either lack QoS entirely or implement it in a basic, poorly configurable way.

No VLAN support. A virtual LAN (VLAN) lets you segment your network into isolated zones. Most businesses should have at minimum a staff network, a guest WiFi network, and an IoT device network. On a consumer router, your guest WiFi is often on the same underlying network as your computers, meaning a compromised guest device — or a contractor's laptop — can potentially reach your internal servers. Business-grade equipment supports proper VLAN isolation.

Limited visibility and logging. When something goes wrong on a consumer router, there is often little or no logging to help diagnose what happened. Business-grade equipment maintains detailed connection logs, generates alerts, and integrates with monitoring systems.

Infrequent and uncertain firmware updates. Consumer routers from major carriers are sometimes updated, but there is no guarantee of how quickly security patches arrive, or whether the device will receive updates at all after a few years. Routers are a primary attack surface — unpatched vulnerabilities in consumer equipment have been exploited in real-world attacks on Australian businesses.

The short version is this: the free modem your internet provider sent you was not designed for your business, and running your office on it is the network equivalent of keeping your business records in an unlocked filing cabinet on the footpath.


Router vs Firewall vs UTM — What's the Difference?

The terminology around network security hardware can be confusing, and vendors do not help matters by using these terms loosely. Here is a clear breakdown.

Router

A router's core job is to direct traffic between networks. In a typical small business setup, the router sits between your internet connection and your internal network, managing the flow of data in both directions. It handles Network Address Translation (NAT), which allows all your internal devices to share a single public IP address. It also typically manages DHCP — assigning IP addresses to devices as they connect — and handles basic access control.

A router alone does not inspect the content of traffic. It moves packets from point A to point B according to routing rules. Whether those packets contain legitimate business data or malware is not a router's concern.

Firewall

A firewall inspects traffic and decides whether to allow or block it based on a set of rules. The baseline capability is stateful packet inspection — the firewall tracks the state of network connections and allows traffic that is part of an established, legitimate session while blocking traffic that appears to originate unsolicited from the internet.

Next-generation firewalls (NGFW) go further. Rather than just looking at whether a connection is allowed, they look at what is flowing through it. An NGFW can identify applications by their traffic patterns — distinguishing between Teams, Zoom, and BitTorrent regardless of the port they are using. It can integrate an Intrusion Prevention System (IPS), which recognises known attack patterns and blocks them in real time. It can perform web filtering, blocking access to categories of sites known to host malware or phishing content.

The distinction between "standard" and "next-generation" firewall is increasingly moot. Most business-grade devices sold today include NGFW capabilities as standard.

Unified Threat Management (UTM)

A UTM device combines a router, firewall, IPS, web filtering, VPN server, and often antivirus scanning into a single appliance. For SMBs, this is often the most practical approach — one device to manage, one vendor for support, one subscription for threat intelligence updates.

The trade-off is that a single device doing everything is a single point of failure, and a heavily loaded UTM processing many security functions simultaneously needs to be appropriately sized for your traffic volume.

Modern Usage

In practice, when an IT provider talks about a "firewall" for your business, they typically mean a device that combines routing, stateful packet inspection, NGFW capabilities, VPN, and QoS in a single unit. Products from Fortinet, Cisco Meraki, Draytek, Sophos, and Ubiquiti all combine these functions to varying degrees. The category labels matter less than understanding what the specific device you are considering actually does.


What a Business Firewall Should Do

When evaluating a firewall for an Australian SMB, these are the capabilities worth understanding and asking about.

Stateful packet inspection. The baseline. Every business-grade firewall includes this. It ensures that only traffic belonging to connections your internal devices initiated — or explicitly permitted incoming traffic — passes through.

NAT and routing. The device needs to handle routing between your internet connection, your internal networks, and any VLANs you create. This is standard on all business-grade devices.

VPN server. With remote work now a standard expectation rather than an exception, your firewall needs to act as a VPN server so that remote workers can connect securely to the office network. Modern implementations use WireGuard or IPsec. WireGuard in particular has become the preferred choice for many implementations due to its simplicity and strong performance. Your firewall should support at least one of these protocols natively.

QoS for VoIP traffic prioritisation. If your business uses VoIP for phone calls — and most Australian SMBs do — your firewall needs to be able to prioritise voice traffic over other data. Without this, large file downloads, video streams, or backup jobs can degrade call quality for your entire team. See our guide on VoIP bandwidth requirements for more context on why this matters.

VLAN support. Your firewall should support creating and enforcing multiple network segments. At minimum, most businesses need a staff network, a guest WiFi network (completely isolated from internal resources), and often a separate network for IoT devices — printers, access control systems, smart TVs — which tend to have weaker security postures than managed computers.

Web filtering. The ability to block access to known malicious sites, phishing domains, and high-risk content categories. This is not about restricting staff — it is about preventing malware infections that begin with a staff member visiting a compromised or malicious website. Many infections start this way, and web filtering at the network level catches threats that endpoint antivirus occasionally misses.

Intrusion Prevention System (IPS). An IPS inspects traffic for patterns that match known attack signatures — exploitation attempts, command-and-control traffic, lateral movement indicators — and blocks them automatically. This is a meaningful layer of protection that goes beyond what a basic stateful firewall provides.

Dual WAN and failover support. Business continuity requires that an internet outage does not bring your operations to a halt. Your firewall should support connecting two separate internet connections — typically a primary NBN or fibre service and a secondary 4G SIM — and automatically failing over between them. We cover this in more detail in the section below and in our guides on 4G failover and business internet redundancy.

Centralised management and logging. Your firewall should maintain logs of traffic events, connection attempts, blocked threats, and policy changes. These logs are essential both for diagnosing issues and for demonstrating due diligence in the event of a security incident or insurance claim. Cloud-managed platforms offer centralised dashboards that are particularly valuable for businesses with multiple sites.


Router and Firewall Options Worth Considering

The following devices and platforms cover the practical range for Australian SMBs. Selection depends on your budget, in-house IT capability, number of staff, and whether you have multiple sites.

Draytek Vigor Series

Draytek is one of the most commonly deployed router and firewall platforms for Australian SMBs, and with good reason. The Vigor series — particularly the Vigor 2960, 2962, and 3910 for firewall/router duties — offers dual WAN with load balancing and failover, comprehensive VPN support (IPsec, OpenVPN, WireGuard on newer firmware), VoIP QoS, VLAN management, and solid web filtering capabilities.

Draytek equipment is well supported by Australian IT partners, locally distributed, and competitively priced. The management interface is not the most modern, but it is thorough. For a business of up to 50 staff that wants a feature-complete device without a large ongoing licensing spend, Draytek is a logical starting point.

Fortinet FortiGate

Fortinet's FortiGate platform is widely regarded as one of the leading NGFW offerings on the market. It delivers best-in-class security features — application control, deep packet inspection, IPS, web filtering, antivirus, SSL inspection — and the platform scales from small office appliances through to enterprise data centre deployments.

The FortiGate is the right choice when cybersecurity is a genuine priority. The security effectiveness ratings from independent testing organisations consistently place Fortinet at or near the top. The trade-off is management complexity: FortiGate requires meaningful expertise to configure correctly, and the value of the platform is significantly diminished if it is not properly set up. Fortinet is best deployed and managed by a qualified IT partner rather than configured by a non-technical business owner. Ongoing licensing for threat intelligence and updates (FortiGuard subscriptions) adds to the total cost of ownership.

For businesses handling sensitive data — healthcare, legal, financial services, professional services — or those that have had security incidents in the past, FortiGate deserves serious consideration.

Cisco Meraki

Cisco Meraki takes a cloud-first approach to network management. The hardware is capable, but the primary differentiator is the Meraki dashboard — a centralised, cloud-based management interface that provides full visibility and control across all your network devices: firewalls, switches, access points, and cameras.

For businesses with multiple sites, Meraki's value proposition is strong. Rather than independently managing each site's equipment, an IT team or managed service provider can see and control every location from a single pane of glass, push policy changes to all sites simultaneously, and diagnose issues remotely without needing to be on-site.

The significant caveat is cost. Meraki licensing is subscription-based and is not cheap — if the licence lapses, the hardware loses most of its management functionality. Meraki makes sense when the management efficiency and visibility benefits justify the ongoing cost, which is generally the case for multi-site businesses or organisations with outsourced IT management.

Sophos XGS

The Sophos XGS series positions itself as a strong UTM platform with particular depth in web filtering, email filtering integration, and application control. Sophos has invested heavily in its security effectiveness, and the XGS integrates with Sophos's endpoint protection (Intercept X) to enable what Sophos calls "Synchronized Security" — where the firewall and endpoint agent share threat intelligence in real time, allowing the firewall to automatically isolate a compromised endpoint.

For businesses already using Sophos for endpoint protection, the XGS firewall creates a tightly integrated security ecosystem. The management interface is modern and relatively approachable. Like Fortinet, Sophos requires subscription licences for full functionality.

Ubiquiti UniFi Gateway

Ubiquiti's UniFi line — the UniFi Gateway Pro or the smaller Express and Cloud Key models — offers a cost-effective option that integrates seamlessly with the UniFi WiFi, switching, and camera ecosystem. For a business that is already running UniFi access points, adding a UniFi gateway gives a unified management interface across the entire network.

The UniFi platform has improved considerably in recent years, and for smaller offices (under 20 staff) that do not have complex security requirements, it offers solid functionality at a lower cost than Fortinet or Meraki. The trade-off is that UniFi's NGFW and IPS capabilities are less mature than dedicated security platforms. For businesses where cost is a primary driver and the security risk profile is modest, it is a reasonable option. For businesses with meaningful security requirements, it is probably not the right primary firewall.


Managed Router Services — When DIY Is Not Appropriate

For businesses without dedicated IT staff — which is most Australian SMBs — a managed router service transfers the configuration, management, and maintenance of the firewall to a qualified IT provider.

Under a typical managed router arrangement, the IT provider supplies the hardware, configures it correctly for your environment, monitors it for issues, applies firmware updates as they are released, and troubleshoots problems remotely. If the hardware fails, the provider arranges replacement. The business owner does not need to understand the difference between IPsec and WireGuard, or know how to configure VLAN trunking — that is handled by people who do this every day.

This model is often bundled with business internet plans or broader managed IT services agreements. The monthly cost covers both the expertise and the assurance that someone qualified is watching the device that protects your entire network.

The alternative — purchasing a business-grade firewall, having someone configure it once, and then leaving it unchanged for three years — is unfortunately common. Routers and firewalls need ongoing attention: firmware updates as security vulnerabilities are disclosed, rule reviews as the business changes, and policy adjustments as new applications and staff are added. A device that was well configured two years ago and has not been touched since may be running firmware with known vulnerabilities.

For any business without a full-time IT staff member, a managed router service is worth considering as a baseline. The cost is typically modest relative to the risk that an unmanaged or misconfigured firewall creates.


The Security Case for a Proper Business Firewall

The security argument for a business-grade firewall is not theoretical. Routers and firewalls are one of the most actively targeted components in the infrastructure of small and medium businesses.

An unconfigured or consumer-grade device at the edge of your network provides minimal protection beyond basic NAT. Default firewall rules on most devices — business or consumer — are permissive in ways that create unnecessary risk. Without deliberate hardening, many devices ship with services enabled that should be disabled, and with default credentials that are publicly documented.

Several specific configurations are essential for any business router or firewall.

Incoming connections from the internet to internal devices should be blocked by default, with exceptions only for services that explicitly require external access — and those exceptions should be tightly scoped to specific IP addresses where possible. There is no reason for an internet-facing port to be open to your internal file server unless a specific, identified user needs it from a specific location.

Universal Plug and Play (UPnP) should be disabled on business networks. UPnP allows devices on your network to automatically open firewall ports — a feature designed for convenience in home environments that creates a significant attack surface in business ones. Malware uses UPnP to open ports for command-and-control communication.

Remote management from the WAN interface should be disabled unless there is a specific operational requirement, and if it must be enabled, it should be restricted to known IP addresses with strong authentication.

Geo-blocking — restricting inbound connections to Australia and a small number of other countries relevant to your business — does not eliminate risk but meaningfully reduces the volume of opportunistic scanning and exploitation attempts your firewall has to handle.

Firmware updates are not optional. Fortinet, Cisco, and other major vendors have all had critical vulnerabilities disclosed and actively exploited in recent years. Australian organisations have been affected. The time between a vulnerability being disclosed and it being actively exploited is often measured in days or hours. A firewall running firmware from two years ago is a known-vulnerable device at the edge of your network.

Logging should be enabled and retained. In the event of a security incident, logs are the primary source of information for understanding what happened, when, and how. Many businesses discover after an incident that their router was logging nothing, or that the logs were not retained long enough to be useful.

The security posture of your firewall is not a one-time configuration. It requires ongoing attention.
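The hardening points in this section and the VLAN layout described under "What a Business Firewall Should Do" can be expressed as a single zone-based policy. The following is an added example written for this article, not the configuration syntax of any vendor named here: the zone ranges, the firewall's public address, the MSP management host and the GeoIP lookup table are all constructed, and the WireGuard port 51820 is the protocol's conventional default.

```python
"""Zone-based edge firewall policy modelling the hardening points above and the
VLAN layout under 'What a Business Firewall Should Do': inbound from the internet
denied by default, the two exceptions scoped by country and source address, guest
and IoT VLANs unable to reach staff, and a log of every denied attempt."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed VLAN layout and addresses (documentation ranges, not a real site).
ZONES = {"staff": ip_network("10.10.0.0/24"), "guest": ip_network("10.20.0.0/24"),
         "iot": ip_network("10.30.0.0/24")}
FW_WAN_IP = "203.0.113.50"                  # the firewall's own public address
MGMT_HOST = ip_network("203.0.113.10/32")   # hypothetical MSP management host
# Stand-in for a GeoIP feed: prefix -> country.  "XX" is a country not in scope.
GEO = {ip_network("203.0.113.0/24"): "AU", ip_network("198.51.100.0/24"): "NZ",
       ip_network("192.0.2.0/24"): "XX"}


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    action: str                            # "allow" or "deny"
    proto: Optional[str] = None            # None matches any protocol
    dport: Optional[int] = None            # None matches any destination port
    src_cidr: Optional[IPv4Network] = None # restrict to a known source address
    countries: Optional[set] = None        # inbound geo allowlist
    comment: str = ""


def zone_of(ip: str) -> str:
    """Map an address to a zone; anything outside the VLANs is the internet."""
    if ip == FW_WAN_IP:
        return "firewall"
    addr = ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "wan")


def country_of(ip: str) -> str:
    addr = ip_address(ip)
    return next((cc for net, cc in GEO.items() if addr in net), "??")


# Evaluated top to bottom, first match wins; the last rule is the default deny.
POLICY = [
    Rule("wan", "firewall", "allow", "udp", 51820, countries={"AU", "NZ"},
         comment="WireGuard remote access, AU/NZ sources only"),
    Rule("wan", "firewall", "allow", "tcp", 443, src_cidr=MGMT_HOST,
         comment="WAN management only from the MSP address"),
    Rule("staff", "iot", "allow", "tcp", 9100, comment="staff may print"),
    Rule("staff", "wan", "allow", comment="staff internet access"),
    Rule("guest", "wan", "allow", comment="guest gets internet and nothing else"),
    Rule("iot", "wan", "allow", "tcp", 443, comment="IoT vendor cloud over HTTPS"),
    Rule("any", "any", "deny", comment="default deny, logged"),
]


@dataclass
class Firewall:
    policy: list
    conntrack: set = field(default_factory=set)   # flows allowed so far
    denied: list = field(default_factory=list)    # log lines for denied attempts

    def evaluate(self, proto: str, src: str, sport: int, dst: str, dport: int) -> str:
        """Return 'allow' or 'deny' for one packet."""
        if (proto, dst, dport, src, sport) in self.conntrack:
            return "allow"                  # reply inside an established session
        sz, dz = zone_of(src), zone_of(dst)
        for r in self.policy:
            if (r.src_zone not in (sz, "any") or r.dst_zone not in (dz, "any")
                    or (r.proto and r.proto != proto)
                    or (r.dport and r.dport != dport)
                    or (r.src_cidr and ip_address(src) not in r.src_cidr)
                    or (r.countries and country_of(src) not in r.countries)):
                continue
            if r.action == "allow":
                self.conntrack.add((proto, src, sport, dst, dport))
            else:
                self.denied.append(f"DENY {sz}->{dz} {proto} {src}:{sport} -> "
                                   f"{dst}:{dport} ({r.comment})")
            return r.action
        return "deny"                       # unreachable with a trailing deny rule
```

Feeding the policy a few constructed packets (an unsolicited SMB attempt from the internet to a staff server, a guest laptop probing the same server, a print job from staff to the IoT VLAN and its reply) shows the order of the rules doing the work, and `Firewall.denied` is the log the incident-response paragraph above says you will want later.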


Dual WAN and Failover Configuration

Internet outages happen. NBN faults, fibre cuts, carrier maintenance windows, and equipment failures can take a business internet connection offline for hours or days. For a business that depends on cloud applications, VoIP, EFTPOS, or any internet-connected service to operate, an outage is a direct revenue and productivity event.

Dual WAN failover is a fundamental resilience feature that many business-grade routers support, and it is one of the most cost-effective business continuity investments available.

The principle is straightforward. Your firewall connects to two separate internet connections — typically a primary fixed-line service (NBN, fibre, or business-grade ADSL where it still exists) and a secondary 4G or 5G SIM-based connection. The firewall continuously monitors both connections. When the primary fails, it automatically routes all traffic through the secondary, usually within seconds. When the primary recovers, it switches back.

For VoIP in particular, this is valuable. A business phone system that runs over the internet needs that internet connection to be available. With dual WAN failover in place, a primary internet outage does not take your phones offline — calls route over the 4G connection until the primary recovers.

When configuring dual WAN, a few things are worth understanding. The failover connection (typically 4G) is generally slower and may have data costs if traffic volumes are high during a sustained outage. Configure your firewall to prioritise business-critical traffic — VoIP, cloud applications, EFTPOS — on the failover connection if bandwidth is limited. Some platforms also support load balancing across both connections simultaneously, which can increase overall throughput.

Testing is important. A dual WAN setup that has never been tested may not work correctly when it is actually needed. Any managed router service worth its cost should include periodic failover testing.
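The monitor-failover-failback cycle, the traffic prioritisation on the 4G link, and a repeatable failover test can be modelled in a few dozen lines. This is an added example written for this article, not any router vendor's implementation: the link names, thresholds, traffic-class policy and probe results are constructed, and a real device would replace the probe inputs with ping or HTTP health checks against an upstream target.

```python
"""Dual-WAN failover monitor modelling the behaviour described above: probe both
links every cycle, fail over after a run of primary failures, fail back only after
a longer run of successes (so a flapping NBN service does not bounce the phones
between links), and record events for the periodic failover test.  Added
example; probe results are constructed, not real link checks."""
from dataclasses import dataclass, field


@dataclass
class Link:
    name: str
    ok_streak: int = 0
    fail_streak: int = 0

    def record(self, up: bool) -> None:
        """Update consecutive-success / consecutive-failure counters."""
        self.ok_streak = self.ok_streak + 1 if up else 0
        self.fail_streak = 0 if up else self.fail_streak + 1


# What each traffic class gets while running on the metered 4G link (constructed
# policy): business-critical classes keep priority, bulk jobs wait for the NBN.
ON_SECONDARY = {"voip": "priority", "cloud-apps": "priority", "eftpos": "priority",
                "web": "best-effort", "backup": "deferred", "os-updates": "deferred"}


@dataclass
class FailoverMonitor:
    primary: Link
    secondary: Link
    fail_threshold: int = 3       # e.g. 3 probes x 5 s before declaring the NBN down
    restore_threshold: int = 6    # longer, to avoid flapping while the NBN recovers
    active: str = field(init=False)
    events: list = field(default_factory=list)

    def __post_init__(self) -> None:
        self.active = self.primary.name

    def _switch(self, tick: int, link: Link, reason: str) -> None:
        self.active = link.name
        self.events.append((tick, f"{reason} -> {link.name}"))

    def _note(self, tick: int, msg: str) -> None:
        if not self.events or self.events[-1][1] != msg:   # log a condition once
            self.events.append((tick, msg))

    def probe(self, tick: int, primary_up: bool, secondary_up: bool) -> str:
        """Feed one probe cycle's results; return the link now carrying traffic."""
        self.primary.record(primary_up)
        self.secondary.record(secondary_up)
        if self.active == self.primary.name:
            if self.primary.fail_streak >= self.fail_threshold:
                if secondary_up:
                    self._switch(tick, self.secondary, "FAILOVER")
                else:
                    self._note(tick, "BOTH LINKS DOWN")
        elif self.primary.ok_streak >= self.restore_threshold:
            self._switch(tick, self.primary, "FAILBACK")
        elif not secondary_up:
            if primary_up:    # 4G lost and NBN answering: do not wait out the hysteresis
                self._switch(tick, self.primary, "FAILBACK (secondary lost)")
            else:
                self._note(tick, "BOTH LINKS DOWN")
        return self.active

    def treatment(self, traffic_class: str) -> str:
        """QoS treatment for a traffic class on whichever link is active."""
        if self.active == self.primary.name:
            return "priority" if traffic_class == "voip" else "normal"
        return ON_SECONDARY.get(traffic_class, "best-effort")


def simulate(probes, fail_threshold: int = 3, restore_threshold: int = 6) -> FailoverMonitor:
    """Run a list of (primary_up, secondary_up) probe results through the monitor."""
    mon = FailoverMonitor(Link("nbn"), Link("4g"), fail_threshold, restore_threshold)
    for tick, (p_up, s_up) in enumerate(probes, start=1):
        mon.probe(tick, p_up, s_up)
    return mon


# Constructed outage: NBN down for probes 5-14, 4G healthy throughout.
SAMPLE_PROBES = [(not 5 <= t <= 14, True) for t in range(1, 23)]

if __name__ == "__main__":
    result = simulate(SAMPLE_PROBES)
    for tick, event in result.events:
        print(f"probe {tick:2d}: {event}")
    print("active link:", result.active)
```

The constructed outage fails over on the third failed probe and fails back only after six clean probes, which is the hysteresis a flapping service needs; replaying a recorded probe sequence like `SAMPLE_PROBES` is also a cheap way to rehearse the failover test without pulling the NBN cable.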

For a more detailed discussion of internet redundancy options, see our guides on 4G failover and business internet redundancy. If you are evaluating internet providers as part of this process, our guide on how to choose a business internet provider covers what to look for beyond price.


How Pickle Supplies and Manages Business Network Infrastructure

Pickle is an Australian telecommunications and managed IT provider working with SMBs across a range of industries. Our managed network services include the supply, professional configuration, and ongoing management of business-grade router and firewall infrastructure.

When we set up a router and firewall for a business, the process is not simply unboxing hardware and applying default settings. It includes a review of the business's requirements — number of staff, applications in use, remote access needs, VoIP configuration, VLAN requirements — and a configuration that reflects those requirements. That means correct QoS rules for VoIP, properly isolated guest and IoT networks, VPN configured for remote staff, web filtering applied, IPS enabled, firmware current, and logging active.

From there, the device remains under management. Firmware updates are applied as they are released. Alerts are monitored. If something changes in the business — a new application, a new site, a change in staff — we adjust the configuration accordingly.

This is the difference between a device that was set up once and forgotten, and a device that is actively maintained as a security and connectivity asset.

If you are not sure whether your current router and firewall setup is adequate, or if you are setting up a new office and want to get it right from the start, we are worth talking to.

Call us on 1300 688 588 or email [email protected].


Frequently Asked Questions

Q: Do I need a separate router and firewall, or can one device do both?

A: One device can and usually does handle both functions in an SMB context. Modern UTM appliances from Fortinet, Sophos, Draytek, and other vendors combine routing, NAT, DHCP, and full firewall capabilities in a single unit. For most businesses under 100 staff, a single well-specified device is appropriate and easier to manage than separate hardware. Larger organisations with high-traffic environments or specialised security requirements may separate the routing and security functions, but this is the exception rather than the rule for Australian SMBs.

Q: What is the difference between a next-generation firewall and a standard firewall?

A: A standard or traditional firewall performs stateful packet inspection — it tracks the state of connections and allows or blocks traffic based on source, destination, port, and protocol. A next-generation firewall (NGFW) adds application-layer inspection, meaning it can identify specific applications regardless of port, and take action based on that identification. NGFWs also integrate an Intrusion Prevention System (IPS) that identifies and blocks known attack patterns, and typically include web filtering, SSL inspection, and threat intelligence feeds. In practice, almost all business-grade firewalls sold today include NGFW capabilities. If a device is being marketed as a "standard" firewall without these features, it is likely not sufficient for a business environment.

Q: How often should business routers be updated?

A: Firmware updates should be applied promptly when they are released, particularly when a release includes security patches. For actively exploited vulnerabilities, vendors may publish advisories urging immediate patching — and "immediately" in that context means within days, not the next scheduled maintenance window. Beyond firmware, the device's security policies and rules should be reviewed periodically — at minimum annually, and whenever there is a significant change in the business (new applications, new staff, new sites, a change in remote work arrangements). An unreviewed configuration that was correct two years ago may no longer reflect the current environment.

Q: Is the router supplied by my internet provider good enough for my office?

A: For most Australian businesses, no. Provider-supplied equipment is typically designed for residential or very small office use. It lacks the device capacity, security features, VLAN support, QoS capabilities, and logging that a business environment requires. Some business NBN providers supply better equipment than others, but even business-grade ISP-supplied equipment is often a basic modem-router rather than a full NGFW. For any business with more than a handful of staff, VoIP phones, remote workers, or meaningful security requirements, third-party business-grade equipment is appropriate.

Q: What is a managed router service and is it worth it?

A: A managed router service means your IT or telecommunications provider supplies, configures, monitors, and maintains the router and firewall on your behalf. You pay a monthly fee that covers the hardware (usually on a rental or lease basis), the initial configuration, ongoing firmware updates, monitoring, and remote support. For businesses without in-house IT staff — which is most Australian SMBs — this is typically worth it. The alternative is purchasing hardware, having it configured once, and then hoping nothing changes or goes wrong. Routers and firewalls require active management to remain effective as a security control, and managed services ensure that happens. The monthly cost is generally modest relative to the risk and downtime costs that an unmanaged or misconfigured device can create.