RouterOS's firewall can shield networks (VLANs) from outer threats, but most hacks are executed from within the network by a malicious actor (a compromised device with a software/firmware backdoor phoning C&C, ...).
I'm thinking of adding pfSense, OPNsense, Suricata, Snort or another IDS/IPS to the stack. I have literally zero experience with those. I'm wondering which one to pick.
Some of those can also act as a router, do inter-VLAN routing, and act as an IPS, blocking suspicious traffic between VLANs. Does it make sense to run a router with RouterOS then, if such a firewall can basically replace it? Did anyone replace an edge/main RouterOS router with a routing IDS/IPS firewall?
In case of not replacing RouterOS, does RouterOS support (easy) integration with any IPS?
And what's your overall experience with IDS/IPS for SOHO? What's the easiest to set up, and reliable?