Should IPS/IDS be Enabled on the ER7206?
Like the subject says, should IPS/IDS be enabled on the ER7206?
If so, is there a KB article that explains these other settings in the menu?
I don't want to enable it to find out the hard way that it was fully configured.
Again, there is no specific recommendation to make. The feature is there for users to decide if they want it or not.
IDS and IPS are LAN > WAN only; WAN > LAN is not covered, as that's all up to the NAT firewall anyway, and by default everything is blocked unless you set up permit ACLs.
It's up to you if you enable it or not. If you do, there is a tradeoff with internet throughput speed.
@GRL The question was "should" it be enabled. As in... is it recommended.
And, if it is enabled, where can I find details on what the other settings should be.
If speed was the biggest concern, I would build my own transparent filtering bridge using OPNsense (FreeBSD) with the Suricata IPS & IDS enabled and add ClamAV for AV filtering on an old Core i5 mini PC with a 4-port 1GbE PCI card installed.
But, the TL-ER7206 v6 has load balancing and I don't know if I would have to build two DIY miniPCs to get the job done.
GRL wrote:
Again, there is no specific recommendation to make. The feature is there for users to decide if they want it or not.
IDS and IPS are LAN > WAN only; WAN > LAN is not covered, as that's all up to the NAT firewall anyway, and by default everything is blocked unless you set up permit ACLs.
Following up on this, I have a question about your reply.
Is it safe to assume that IDS, IPS and Firewall all sit on the LAN? (LAN <> IDS <> FW <> IPS <> Router (WAN))
If IDS (Intrusion Detection System) is enabled, it's passively analyzing "outbound" traffic (from LAN out to WAN and to the Internet).
I'm supposed to look at the log for Threat Management, and it shows threats from inside devices, and I should "do something" about them.
Looking at the Threat Management log, every "source" is "Unknown/local" and the "threat" is a DNS lookup to domains like .pw and .cc (likely hostile). I assume those DNS queries are coming from my self-hosted DNS servers.
There were a lot more that were not related to DNS, and one that originated from "DE", and the description is "ET DROP DShield Block Listed Source group 1".
But what am I supposed to do about them?
IPS (Intrusion Prevention System) is more active and looks for intrusion attempts. It complements the Firewall because the FW has specific tasks that don't overlap with IPS.
I assume that I would have to look at the router’s log files to see if the IPS has detected a problem.
What is puzzling to me is that YouTube was really degraded on every device in the house after I enabled it: it took much longer to refresh, the thumbnails for videos were missing, and there were numerous other issues with that site. It was also causing problems with other web sites that wouldn't load at all (like they were being blocked). I also found that the solar inverter that logs data to their NOC was offline.
As soon as I disabled IPS/IDS, YT went back to normal.
Is that IPS blocking certain traffic from YT because it thinks it's being attacked?
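The post above asks what to do with a Threat Management log whose "source" is always a local resolver, plus a few inbound blocklist hits. Below is an added example of a triage script, not anything from TP-Link or the ER7206 firmware. It assumes an exported log in a constructed pipe-separated shape (time|src|dst|signature|action), a LAN of 192.168.1.0/24 and two self-hosted resolvers at 192.168.1.10 and .11; all of those values are assumptions for the example, and the sample lines are constructed. It sorts alerts into the cases the post describes: DNS alerts whose only visible source is the internal resolver (the router cannot see the real client, so the resolver's own query log is where to look), DNS alerts from hosts bypassing the resolver, inbound hits already dropped by the NAT firewall, and outbound drops that may explain a broken service such as the degraded video site or the offline inverter.

```python
"""Triage helper for router threat-management alerts (added example).

Assumptions, not taken from the router's documentation:
- the log is exported as 'time|src|dst|signature|action' lines
- the LAN is 192.168.1.0/24
- the self-hosted DNS resolvers are 192.168.1.10 and 192.168.1.11
"""
import ipaddress
from collections import Counter, defaultdict

LAN_NETS = [ipaddress.ip_network("192.168.1.0/24")]   # assumed LAN range
RESOLVERS = {"192.168.1.10", "192.168.1.11"}           # assumed internal DNS servers

# Constructed sample export; the signature texts are illustrative, except the
# DShield one, which is the Emerging Threats rule name quoted in the thread.
SAMPLE_LOG = """\
2024-05-01 10:02:11|192.168.1.10|203.0.113.53:53|DNS query to .pw domain|alert
2024-05-01 10:02:13|192.168.1.10|203.0.113.53:53|DNS query to .cc domain|alert
2024-05-01 10:03:40|192.168.1.55|198.51.100.5:53|DNS query to .pw domain|alert
2024-05-01 10:05:02|198.51.100.77|192.168.1.1:443|ET DROP DShield Block Listed Source group 1|drop
2024-05-01 10:06:00|192.168.1.23|203.0.113.20:443|Outbound TLS anomaly (constructed signature)|drop
"""

# What a defender should do for each category.
ADVICE = {
    "resolver_dns_alert": "Router only sees the resolver; check the resolver's query log to find the real client.",
    "client_direct_dns_alert": "Host is sending DNS past the internal resolver; check its DNS settings.",
    "inbound_blocklist_hit": "Already dropped at the WAN edge by the firewall; informational, no action.",
    "inbound_alert": "Inbound traffic that was only alerted on; confirm the NAT firewall has no permit ACL for it.",
    "outbound_blocked": "Outbound traffic was dropped; check whether a legitimate service broke.",
    "outbound_alert": "Outbound alert only; review the signature before tuning.",
}


def parse_log(text):
    """Parse the constructed export format into a list of dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, sig, action = line.split("|", 4)
        host, _, port = dst.rpartition(":")
        entries.append({"time": ts, "src": src, "dst": host or dst,
                        "dst_port": port, "sig": sig, "action": action.strip()})
    return entries


def is_lan(addr):
    """True if the address falls inside one of the assumed LAN ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETS)


def classify(entry):
    """Map one entry to a triage category based on direction and signature."""
    outbound = is_lan(entry["src"])
    sig = entry["sig"].lower()
    if not outbound:
        return "inbound_blocklist_hit" if entry["action"] == "drop" else "inbound_alert"
    if "dns" in sig:
        return "resolver_dns_alert" if entry["src"] in RESOLVERS else "client_direct_dns_alert"
    return "outbound_blocked" if entry["action"] == "drop" else "outbound_alert"


def triage(text):
    """Summarise an export: counts per category, hosts per category, and advice."""
    by_category = Counter()
    hosts = defaultdict(set)
    by_signature = Counter()
    for entry in parse_log(text):
        cat = classify(entry)
        by_category[cat] += 1
        hosts[cat].add(entry["src"])
        by_signature[entry["sig"]] += 1
    return {
        "by_category": dict(by_category),
        "hosts": {cat: sorted(h) for cat, h in hosts.items()},
        "by_signature": dict(by_signature),
        "advice": {cat: ADVICE[cat] for cat in by_category},
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for cat, count in sorted(report["by_category"].items()):
        print(f"{cat:25s} {count:3d}  hosts={report['hosts'][cat]}")
        print(f"  -> {report['advice'][cat]}")
```

The useful point for the thread is the first category: when every DNS alert names the resolver as its source, the router has reached the limit of what it can tell you, and the client identity has to come from the resolver's query log. Drops in the outbound category are the ones to correlate with the time a site or device stopped working.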
Views: 383 | Replies: 5
