Tutorial How to protect the wi-fi router and home LAN.

HarborFront

Actually, there's a checklist here for securing your home router


Some notes
- For disabling Remote Access (aka Remote Administration) it depends on whether you need to access your home devices like IP cameras, IoT devices, FTP server etc.
- Passwords used for log-in and SSIDs - Recommended minimum is 15 to 20 alphanumeric characters with special characters, in a passphrase manner rather than random
- Unfortunately, the checklist did not elaborate on the protection of IoT devices, which is common nowadays for home users. See my post below for IoT device protection.


There are some myths on the following in securing your router


blackice

This is the guidance most people need. Anybody who says to disable DHCP for router security is begging for a headache. The one caveat I would offer is that some routers have methods of detecting MAC address spoofing, though I'm certain it's not foolproof.
 

HarborFront

Network segmentation can be used to isolate risky/unsecured/untrusted devices, i.e. such devices (like IoT) need to be protected separately from the main WiFi network

1) Use the default free AiProtection from ASUS/TP-Link/Linksys, McAfee from Dlink routers or subscription-based Netgear Armor for Netgear routers but at the expense of privacy due to user data collection by Trend Micro/BitDefender/McAfee. This method will not impact much on throughput performance

2) Using a multi-SSID method like the Guest Network and setting static IP addresses is also possible, but the wireless separation of separate LAN access is within the same supporting router. Availability of AP (aka Wireless/Station/Client/Guest Mode) Isolation in the Guest Network will depend on the router

3) Attaching a second non-WiFi6 router to the main router (as Access Point) and connecting all the IoT devices to the second router. The second router can provide the firewall/IDS/IPS/malware/AP Isolation protection to the IoT devices

4) Or set up a separate non-WiFi6 router network with a second line for IoT devices and set static addresses only, with isolated (firewalled) network, intrusion prevention, malware protection and AP Isolation capabilities

5) Install an external hardware firewall like the Netgate SC-5100 (need to confirm whether its VPN is outgoing or incoming)

6) Buy a smart home IoT protection device like BitDefender Box v2/RATtrap etc. which comes with IPS/IDS/Firewall but needs an annual subscription. Take note that such devices may not be compatible with your router and will affect the throughput performance

7) Some routers offer the option to create VLANs (virtual LANs) inside a larger private network. These virtual networks can be used to isolate IoT devices. In short, VLANs are Guest WiFi networks on steroids. Generally, not available for consumer routers.
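As an added example (not from this thread or from any vendor's firmware) of what item 7 looks like on a router running Linux with nftables: a VLAN for IoT devices that can reach the Internet and the router's DHCP/DNS, but cannot initiate anything into the trusted LAN, while the trusted LAN can still initiate connections to IoT devices. Interface names, the VLAN id and the subnets are assumptions.

```nft
#!/usr/sbin/nft -f
# Constructed example layout (adjust names and subnets to your own router):
#   wan0    = upstream interface
#   lan0    = trusted LAN, 192.168.1.0/24
#   lan0.20 = 802.1Q VLAN 20 carrying IoT devices and a wired TV, 192.168.20.0/24
# The VLAN sub-interface is created beforehand, e.g.:
#   ip link add link lan0 name lan0.20 type vlan id 20
#   ip addr add 192.168.20.1/24 dev lan0.20 && ip link set lan0.20 up
# and the switch port feeding the TV is made an untagged member of VLAN 20.

flush ruleset

define WAN = "wan0"
define LAN = "lan0"
define IOT = "lan0.20"

table inet segmentation {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        icmp type echo-request accept
        # IoT VLAN may talk to the router itself only for DHCP and DNS
        iifname $IOT udp dport { 67, 53 } accept
        iifname $IOT tcp dport 53 accept
        # trusted LAN may additionally reach the router's admin interfaces
        iifname $LAN udp dport { 67, 53 } accept
        iifname $LAN tcp dport { 22, 443 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # IoT -> Internet only; anything IoT tries to initiate into the LAN is logged and dropped
        iifname $IOT oifname $WAN accept
        iifname $IOT oifname $LAN log prefix "iot-to-lan-blocked: " drop
        # trusted LAN may reach the Internet and may initiate to IoT devices (e.g. casting to the TV)
        iifname $LAN oifname { $WAN, $IOT } accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```

Client-to-client isolation inside the IoT SSID (the AP Isolation mentioned above) is a separate access-point setting; this ruleset only governs traffic that crosses the router. Blocked attempts from the IoT VLAN appear in the kernel log with the iot-to-lan-blocked prefix, which gives a quick way to confirm the segmentation is actually in effect.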

blackice

The one note I would make on the ASUS Trend Micro privacy (I haven't used the others) is that the text that is so bothersome to privacy advocates reads as boilerplate lawyer speak to cover their backsides. I doubt they collect any more than any browser extensions that most people use. But if you truly want privacy, security is a tough sell with all the cloud networks these days.
Tiamati

Hello @HarborFront . I was doing some research about routers to solve some problems and just found your post. Can you help me pls?

I currently have 2 problems. I just received a new D-LINK EXO router from D-LINK customer service. I believe this router has the mentioned AI protection you pointed to in item "1)". I would like to know more about it but found almost no information. What does it do? How does it protect the network? I'm asking because I found some problems enabling it.

For example, when McAfee protection (D-Link Defend) is enabled:
a) My Android phone connects to the network normally but takes longer to access the internet. That makes Android pop up a message saying that the network can't connect to the internet. But it connects a few secs later.
b) My SmartTV can't "find" its server. So I can't access the "window" that allows access to other apps, like Netflix.
c) After turning on my PC/laptops, the network takes much longer to provide an internet connection. So I'm connected to the network but I can't access any website. It works normally after some time. It looks like the Android problem.

Furthermore, I'm running into a problem isolating my SmartTV from my home network through an ethernet connection. I made a thread about it (but the admin hasn't accepted it yet). I'm posting the thread message below:

Hello! First of all, ty for your help. Let me explain my problem.

I'm currently using an old Philips SmartTV, whose last update is from 2014. So I believe it probably has a lot of vulnerability issues.
According to some articles (here and here), all IoT should be connected to guest wifi, as it isolates those things from your home network. That's what I do. However, my old TV also can't connect to 5GHz wi-fi, which causes some performance problems. So, I considered changing it to an ethernet connection, as I could easily connect the SmartTV to an ethernet cable.
However, IDK if I could isolate the TV from my network in the same way I do with the guest wifi. Do you have any idea?

Btw, my D-Link router (EXO model) has a so-called Triple-Play option in the VLAN section. Idk what exactly that is, but I wonder if it could help. (I'm posting a print of the function in case you wanna help me with that too)


Tiamati

BTW, enabling the McAfee network protection also impacted DNS responses. As you can check here

The McAfee protection can be checked here


HarborFront

D-Link Exo Series Routers


First things first

1) Update all firmware for your devices, and that includes router, smart TV, phone, PC, laptop etc.
2) Connect one device at a time and test it
3) Leave all router settings at default. Slowly enable those you are comfortable with
4) Do NOT enable McAfee protection in the router. Test to make sure all device speeds and performance are ok first. After that enable McAfee protection and compare speed and performance. If speed and performance suffer badly now then McAfee protection is the culprit.
5) Check your surrounding WiFi network traffic congestion. Move to another band and switch channel if necessary. Use the WiFi Analyzer app on your Android phone to check, or the free WiFi Analyzer from the MS Store on your PC/laptop