I use IPFire, the linux distro firewall with IDS ( IPS if you install the optional Guardian module ) . But lately I am using my Dlink modified to DD-WRT firmware. The logging doesn't work, (firmware is in beta) and there are no firewall rules feature. But I figure the firewall rules are just for show, because everyone has to allow port 80 and 443 outbound, and malware writers and hackers know that too. So they code their exploit to use those ports to reach their C&C. And the IPS can be used against you, by sending a spoofed attack with Google's address, so that you are blocked from using Google for x minutes. DD-WRT also has AP Isolation, which stops one connection from messing with another, very nice if you potentially have a pwned PC in your network. Also, you can create as many virtual Wi-Fi networks (with their own SSID) as you please. And I have hackers who gave up attacking this router, but they succeeded in taking over the original DLink. Yes, routers can be hacked.
The real perimeter is at the end point, where the firewall knows the apps. You harden Windows to narrow down what is allowed to talk to the net. And then you have strict default deny firewall rules. And you block the stupid default apps that MS allows inbound traffic to. Then you have Windows Defender Exploit Protection with per application protection settings. A lot of work - it is at
Harden Windows 10 for Security. How to secure Windows 10.