Everybody has a different set of principles by which they judge a gateway router...but here's an approach I recommend. Insofar as I know, it's damned hard to "beat" this solution, unless the invader is able to modify the routers' own firmware:
In a solution I call "Friday's Folly," I use TWO cascaded routers: The first is in my ISP's connection equipment, which has its own configuration. I use that to assign a distinct and unique IP address range (don't use 192.168....; it's too often used for novices, so they don't have to think). Pick a different range altogether...that's the first point of confusion for the erstwhile hacker. The time delay through both routers is virtually undetectable.
The SECOND cascaded router has, on its input side, an incoming address (as odd-looking as possible within the first router's LAN range). On the other side (multiple outlets for the LAN), I use a completely different IP address range, picked almost at random. It is that range (which is masked down to just a small range) that is used to access the protected LAN resources.
Why would any hacker/cracker want to work so long to get inside the LAN? He(/she) would have to find a way to "probe" for the valid ranges inside the cascaded routers. At that point, I make the choice to install routers for which any signal on the WAN side can't be used to configure the router...therefore, its configuration is withheld from all but qualified parties on the INSIDE of the network, on the LAN.
Anybody figured out how, with a $20 second router in place, that cascaded router scheme can be easily hacked? The goal was to make the solution so cumbersome (from the WAN side), that they'll go try to invade some other, simpler, less well protected target.
The opponent may be able to get past the first router by peeking inside the ISP vendors' equipment...but that's a chimera, reaching only the SECOND router...for which they have no resources inside the first router to leverage to open up the second router. So, now they're constrained to fashion some tool on the first router that will arbitrarily scan the second router, looking for a hit.
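The addressing rules of the cascaded-router scheme described above can be checked before either router is configured. The following is an added example, not part of the original post; the `PLAN` keys, the sample addresses and the `max_inner_hosts` threshold are assumptions chosen for illustration.

```python
import ipaddress

# Constructed sample plan; every value below is an assumption for illustration.
PLAN = {
    "outer_lan": "10.73.18.0/24",    # range assigned on the ISP-side (first) router
    "inner_wan_ip": "10.73.18.201",  # second router's address on the first router's LAN
    "inner_lan": "172.22.9.64/28",   # small masked range for the protected LAN
    "inner_wan_admin": False,        # can the second router be configured from its WAN side?
}

def check_plan(plan, max_inner_hosts=30):
    """Return a list of findings; an empty list means the plan follows the scheme."""
    findings = []
    outer = ipaddress.ip_network(plan["outer_lan"], strict=True)
    inner = ipaddress.ip_network(plan["inner_lan"], strict=True)
    wan_ip = ipaddress.ip_address(plan["inner_wan_ip"])
    default = ipaddress.ip_network("192.168.0.0/16")

    for name, net in (("outer_lan", outer), ("inner_lan", inner)):
        if not net.is_private:
            findings.append(f"{name} is not private address space")
        if net.overlaps(default):
            findings.append(f"{name} uses the common 192.168.x.x default")
    if wan_ip not in outer:
        findings.append("inner router WAN address is outside the outer LAN")
    elif wan_ip in (outer.network_address, outer.broadcast_address):
        findings.append("inner router WAN address is not a usable host address")
    if outer.overlaps(inner):
        findings.append("inner LAN overlaps the outer LAN; routing will be ambiguous")
    if inner.num_addresses - 2 > max_inner_hosts:
        findings.append(f"inner LAN holds more than {max_inner_hosts} hosts")
    if plan["inner_wan_admin"]:
        findings.append("inner router accepts configuration from its WAN side")
    return findings

if __name__ == "__main__":
    for finding in check_plan(PLAN) or ["plan follows the cascaded-router scheme"]:
        print(finding)
```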