How GL.iNet’s Brume 3 Helped Me Discover Hidden Malware on My Network

While I was beta testing the GL.iNet Brume 3, I ended up discovering something I definitely wasn’t expecting — malware activity on my own home network. What started out as normal beta testing turned into a real reminder of how useful good network tools can be.

If you haven’t seen it yet, the Brume 3 (GL-MT5000) is a small wired security gateway from GL.iNet. It’s designed for routing, VPN performance, and network security rather than Wi-Fi. Even though it’s tiny, it still manages to pack in 2.5Gb networking and strong VPN performance, which makes it pretty interesting for home labs, remote access setups, and security-focused networks.

Hardware Overview

The Brume 3 is built as a dedicated wired router and security gateway. There’s no Wi-Fi radio in this device — the focus is entirely on routing performance, VPN throughput, and monitoring the traffic flowing through your network.

Inside the unit is a MediaTek quad-core processor running at 2.0 GHz, along with 1GB of DDR4 memory and 8GB of onboard storage. That may not sound huge by server standards, but for a networking appliance this size it’s more than enough to handle routing, firewalling, VPN tunnels, and traffic analysis.

One thing I really like about the design is the three 2.5Gb Ethernet ports. Normally you’ll run one as the WAN connection and the others as LAN ports, but the configuration is flexible. One of the LAN ports can be reassigned as another WAN port, allowing the router to support dual-WAN setups for load balancing or failover. That’s a feature you usually see on much larger enterprise routers, so it’s nice to have it available in something this small.

Speaking of small, the Brume 3 is seriously compact. It measures roughly 75 × 92 × 25 mm and weighs about 148 grams, so it’s easy to tuck away on a desk or drop into a travel bag. It’s powered via USB-C, and even under load it only uses around 5 watts of power, so it’s efficient enough to run 24/7 without even thinking about it. Overall, it’s a simple design that focuses on doing one thing well: being a fast, secure network gateway.

Software and Features

Like most GL.iNet devices, the Brume 3 runs their customized version of OpenWrt, which means you get a good balance between a clean user interface and the flexibility that power users expect.

It supports the usual routing methods such as DHCP, static IP, and PPPoE, along with standard features like port forwarding, firewall rules, DMZ configuration, and network management tools.

Where it really becomes interesting is the more advanced functionality. The router includes support for SQM, QoS, Multi-WAN load balancing, and failover, along with remote cloud management if you want to access it from outside your network.

VPN performance is also a highlight. The Brume 3 supports both OpenVPN and WireGuard in client or server mode, with speeds approaching 1Gbps for OpenVPN and roughly 1.1Gbps for WireGuard. For a device this small, that’s extremely impressive. But the feature that really mattered during my testing was Deep Packet Inspection (DPI).

The Discovery

While looking through the DPI traffic reports, I noticed something odd. The router was reporting BitTorrent traffic coming from my son’s Windows 11 computer. That didn’t make any sense. There shouldn’t have been any torrent software installed on that system at all. At first I thought it might be a misclassification, but the traffic patterns kept appearing. So that’s when I decided to dig deeper.

What DPI Actually Does

Deep Packet Inspection (DPI) is a technique used by networking equipment to analyze the contents of packets traveling across the network. Instead of just looking at IP addresses and ports, it actually examines the traffic to determine what type of application generated it.

Because of that, routers using DPI can identify things like:

  • Streaming services
  • Gaming traffic
  • Web browsing
  • VPN connections
  • Torrent activity

In this case, the Brume 3 was clearly identifying traffic that matched BitTorrent protocol behavior.

Digging Into the Traffic

To investigate further, I SSH’d into the Brume 3 and captured traffic directly from the router. From my computer I used Wireshark and ran an sshdump capture against the router interfaces such as br-lan and wan. This allowed me to capture a short sample of network traffic flowing through the router. Once I opened the capture in Wireshark, I filtered it down to show:

  • Only packets coming from my son’s PC
  • Only BitTorrent protocol traffic

Sure enough, there it was. His computer was communicating with multiple torrent peers across the internet.
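As an added illustration of what the two sections above describe (classifying traffic by payload signature rather than port, then narrowing to one source host and to internet peers), here is a small Python classifier run over a constructed capture. It is not the Brume 3’s DPI engine; the packets, LAN addresses and TEST-NET peer addresses are all made up for the example.

```python
from ipaddress import ip_address, ip_network
# The BitTorrent peer-wire handshake begins with a length byte (19 = 0x13)
# followed by the literal protocol name. Real DPI engines also match DHT and
# uTP patterns; this helper only checks the TCP handshake.
BT_HANDSHAKE = b"\x13BitTorrent protocol"
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

def is_bittorrent(payload: bytes) -> bool:
    """True when the payload starts with a peer-wire handshake."""
    return payload.startswith(BT_HANDSHAKE)

def is_lan_address(addr: str) -> bool:
    """True for RFC 1918 addresses (checked explicitly: ipaddress.is_private
    also covers the TEST-NET ranges used in the sample below)."""
    a = ip_address(addr)
    return any(a in net for net in RFC1918)

def internet_torrent_peers(packets, host):
    """Set of non-LAN peers that `host` sent BitTorrent handshakes to.
    `packets` is an iterable of (src_ip, dst_ip, payload) tuples; this is the
    Wireshark filter "ip.src == host && bittorrent" with LAN peers dropped."""
    return {dst for src, dst, payload in packets
            if src == host and is_bittorrent(payload) and not is_lan_address(dst)}

def hosts_with_torrent_peers(packets, minimum=2):
    """Map LAN hosts to their distinct internet peer count, keeping those at or
    above `minimum`: one hit may be a misclassification, several distinct
    peers is the pattern that stood out in the DPI report."""
    counts = {src: len(internet_torrent_peers(packets, src))
              for src, _, _ in packets}
    return {h: n for h, n in counts.items() if n >= minimum}

def _handshake(info_hash: bytes, peer_id: bytes) -> bytes:
    """Build a full 68-byte handshake: header, 8 reserved bytes, two 20-byte ids."""
    return BT_HANDSHAKE + b"\x00" * 8 + info_hash + peer_id

# Constructed sample capture: 192.168.8.50 stands in for the Windows PC,
# 192.168.8.77 for another LAN host; remote addresses use TEST-NET ranges.
SAMPLE_PACKETS = [
    ("192.168.8.50", "203.0.113.7", _handshake(b"A" * 20, b"-XX0001-" + b"1" * 12)),
    ("192.168.8.50", "198.51.100.22", _handshake(b"A" * 20, b"-XX0001-" + b"1" * 12)),
    ("192.168.8.50", "192.168.8.1", _handshake(b"A" * 20, b"-XX0001-" + b"1" * 12)),
    ("192.168.8.50", "203.0.113.9", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("192.168.8.77", "203.0.113.7", _handshake(b"B" * 20, b"-XX0002-" + b"2" * 12)),
]

if __name__ == "__main__":
    print(hosts_with_torrent_peers(SAMPLE_PACKETS))  # {'192.168.8.50': 2}
```

The same handshake signature is what a Wireshark `bittorrent` display filter keys on, so the counts here match what the filtered capture would show for each host.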

Tracking the Servers

Looking closer at the packet captures, I started pulling out the IP addresses involved in the connections. When I searched them, many of them resolved to servers located in places like:

  • The United Kingdom
  • Australia
  • Several smaller hosting providers

That suggested the system was participating in a peer-to-peer network, not talking to a single central server. After doing a bit more research online, I found discussions about a certain game available through a popular gaming platform that starts with an “S.” According to several reports, that game used a peer-to-peer distribution system built around the BitTorrent protocol, and in some cases it could move files between players without their knowledge. Some security vendors had even flagged it as suspicious or potentially malicious.

Finding the Actual Source

So I checked my son’s computer. Sure enough, the same game was installed.

Most of the systems on my network run Debian, but my son uses Windows 11 because it’s easier for him due to a learning disability. For those machines I normally just rely on Windows Defender, which generally does a decent job. In this case though, Defender didn’t flag anything.

One tool I’ve relied on for years is Malwarebytes, so I ran that along with additional Defender scans. After removing the game and running several scans, we ended up identifying and removing multiple suspicious files. I also uploaded several of those files to online malware analysis services, which confirmed that the files were indeed infected. After confirming that, I spent the rest of the weekend running deep antivirus scans across every machine on my network just to be safe. Thankfully everything else came back clean.

What I Took Away From This

If I hadn’t been testing the Brume 3, I might not have caught this nearly as quickly. Eventually I probably would have noticed strange traffic patterns, because I keep an eye on my network pretty closely. But the DPI feature made the problem stand out immediately. Instead of digging through logs for hours, the router basically pointed me right at the issue. That’s the kind of visibility you usually only get from much larger monitoring systems.

Final Thoughts on the Brume 3

After spending some time testing it, I can honestly say:

The Brume 3 is an awesome little device.

It delivers:

  • Fast 2.5Gb networking
  • Excellent VPN performance
  • Dual-WAN capabilities
  • OpenWrt flexibility
  • Real visibility into what’s happening on your network

All in a device that fits in the palm of your hand.

If you like understanding exactly what your network is doing — or you just want a powerful security gateway — the Brume 3 is definitely worth looking at.

And in my case, it helped me discover malware activity that might have gone unnoticed for a long time.

WickedYoda

Credits & Disclosure

Hardware specifications sourced from the GL-MT5000 datasheet.
© GL Technologies (Hong Kong) Limited.

Disclosure: I participate in GL.iNet’s beta testing program and occasionally test pre-release hardware and firmware. All opinions in this article are my own.

Tools used during testing:

  • Wireshark
  • Malwarebytes
  • Windows Defender
  • MacBook and Windows PC
  • Brume 3 and various network cables

Additional information about disclosures, privacy, and copyright can be found at:
