Tutorial: How to protect the Wi-Fi router and home LAN.

Currently, a Wi-Fi router is in almost every house or apartment. This is a device that first of all needs to be properly configured, as it is the main target for hacker attacks. By hacking a router, an attacker gains control over the entire local network.
In order for the router to become a truly reliable defender of the home LAN and an impregnable wall for attackers, careful device configuration is necessary. I will share with you four levels of router protection, ordered from simple to complex. This is suitable for most popular routers from D-Link, TP-Link and Asus.
At the first level, we will carry out the simplest basic protection setup. This setup will help protect against non-professional hackers, those who like to use someone else's Internet access for free.
At the preparatory stage, you need to reset all the current settings of the router and download the latest firmware for your device model from the manufacturer's website.

The first level consists of eight steps:

1) Update the firmware to the latest version. This is the first thing to do, because new firmware closes vulnerabilities that attackers could exploit.

2) Replace the default username and password for accessing the router interface. Since the default username and password are no secret to anyone (admin / admin, admin / 123, root / root, etc.), anyone would otherwise have access and the ability to configure the router.

3) Choose the strongest encryption option for the Wi-Fi network and a complex password for accessing it. The network password should be as complex and non-trivial as possible so that it is hard to crack by simply enumerating the options.

4) Disable access to the router via telnet and SSH.

5) Disable access to the router from the Internet (WAN) and prohibit ping from the WAN.

6) Disable unused services and functions, for example UPnP, DMZ and so on.

7) Disable the ability to connect to the network using WPS.

8) Come up with an original name for your Wi-Fi network and make it invisible (hide the SSID).

If you are worried that you may become a victim of the remaining few percent of crackers, then we continue configuring and move on to the second level, which requires the following five steps:

1) Replace the default IP address of the router and the access port of the router's WebUI. The well-known IP address and access port make the attacker's job easier, so they should be changed.

2) Enable the MAC filter for access to the network.

3) Restrict access to the router's WebUI to your own computer only (MAC authentication).

4) If the local area network is small, use the router's function for binding computers by IP and MAC, and also configure the router's static IP and MAC on each computer, in order to protect against attacks like ARP spoofing.

5) If the router's settings offer a brute-force protection function, activate it.

Together, these two levels of router protection will already provide approximately 95% protection. But if you want to continue strengthening your local network, then go to the third level, where we need to take two more steps:

1) Enable and configure the guest Wi-Fi network, segmenting the home network.

2) If the manufacturer allows it, configure a secure connection to the router's WebUI (via HTTPS only) by disabling access to the administration panel over HTTP in the router settings. This will protect the router admin panel login and password from being intercepted. You can use either a certificate provided by the manufacturer of the router itself, or a certificate that can be generated free of charge on the Internet.

Thus, in aggregate, the protection of our router will already be approximately 99%. The remaining 1% of crackers are professionals, and in order to somehow defend against targeted hacking by a professional cracker (an extremely rare situation for a simple home network), there is a fourth, specific level of protection, which can be called "hardcore". First you need to install an alternative firmware on the router and again go through all the previous levels. At the fourth level, you will have to master Linux and programming languages in detail, be able to work with complex scripts and know the intricacies of computer networks to complete the last two steps:

1) JFFS activation (if possible) and script writing.

2) Low-level programming of the router's firewall for manual adjustment of the rules.

For a home router, the steps of the first three levels are enough.
It should be added that you need to regularly monitor the release of new firmware for your router model on the manufacturer's website and install it as soon as possible. If the settings allow, reduce the Wi-Fi signal level so that the coverage area does not extend far beyond the borders of your house or apartment. Some top router models (for example, F-Secure Sense) have a streaming anti-virus scan function that should be activated.
Be careful about protecting your Wi-Fi router, and then your home local network will be safe.
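Level 2, step 4 of the tutorial above recommends pinning the router's IP and MAC on each computer. The script below is an added example, not part of the tutorial or its author's material: on a Linux client it compares the gateway MAC that the kernel currently holds in its neighbour table with the MAC recorded at setup time, and can pin that MAC as a permanent entry so that later ARP replies claiming to be the gateway are ignored. The gateway address, the MAC addresses and the `ip neigh` sample lines are constructed values, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): detect a changed gateway MAC from a
# Linux client and pin the known-good one. All addresses are constructed.

# Print the MAC(s) that the neighbour table currently holds for GATEWAY_IP.
# NEIGH_OUTPUT is the text of `ip -4 neigh show`; entries without lladdr
# (e.g. state FAILED) print nothing.
gateway_mac_from_neigh() {
    printf '%s\n' "$2" | awk -v gw="$1" '
        $1 == gw { for (i = 1; i <= NF; i++) if ($i == "lladdr") print tolower($(i + 1)) }'
}

# check_gateway GATEWAY_IP EXPECTED_MAC NEIGH_OUTPUT
#   exit status 0: table agrees with the recorded MAC
#               1: a different MAC (or more than one) answers for the gateway,
#                  which is what ARP spoofing looks like from the client side
#               2: no entry yet (nothing has talked to the gateway on that table)
check_gateway() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    seen=$(gateway_mac_from_neigh "$1" "$3" | sort -u)
    [ -z "$seen" ] && return 2
    [ "$seen" = "$expected" ] && return 0
    return 1
}

# Pin the gateway as a permanent entry so the kernel stops accepting ARP
# replies for it (needs root; run once per boot or from a network-up hook).
pin_gateway() {
    ip neigh replace "$1" lladdr "$2" dev "$3" nud permanent
}

# Constructed sample tables, standing in for `ip -4 neigh show` output.
SAMPLE_OK='192.168.1.1 dev wlan0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.1.23 dev wlan0 lladdr 00:11:22:33:44:55 STALE'
SAMPLE_SPOOFED='192.168.1.1 dev wlan0 lladdr de:ad:be:ef:00:02 REACHABLE
192.168.1.23 dev wlan0 lladdr 00:11:22:33:44:55 STALE'

# Offline demonstration against the constructed tables; for a live check use
#   check_gateway 192.168.1.1 aa:bb:cc:dd:ee:01 "$(ip -4 neigh show)"
for table in "$SAMPLE_OK" "$SAMPLE_SPOOFED"; do
    rc=0
    check_gateway 192.168.1.1 aa:bb:cc:dd:ee:01 "$table" || rc=$?
    case $rc in
        0) echo "gateway MAC matches the recorded value" ;;
        1) echo "WARNING: a different MAC is answering for the gateway" ;;
        2) echo "no neighbour entry for the gateway yet" ;;
    esac
done
```

The check is deliberately read-only, so it can run from a cron job or a network-up hook without privileges and only alert; `pin_gateway` is the privileged step that makes the recorded MAC stick. A pinned entry also means that legitimately replacing the router (new MAC) will break connectivity until the entry is updated, which is the trade-off the tutorial's step implies.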
 
HarborFront

Actually, there's a checklist here for securing your home router


Some notes
- For disabling Remote Access (aka Remote Administration), it depends on whether you need to access your home devices like IP cameras, IoT devices, FTP servers, etc.
- Passwords used for login and SSIDs: the recommended minimum is 15 to 20 alphanumeric characters with special characters, in a passphrase manner rather than random
- Unfortunately, the checklist did not elaborate on the protection of IoT devices, which is common nowadays for home users. See my post below for IoT device protection.


There are some myths on the following in securing your router

 

blackice

This is the guidance most people need. Anybody who says to disable DHCP for router security is begging for a headache. The one caveat I would offer is that some routers have methods of detecting MAC address spoofing, though I'm certain it's not foolproof.
 

HarborFront

Network segmentation can be used to isolate risky/unsecured/untrusted devices, i.e. such devices (like IoT) need to be protected separately from the main WiFi network

1) Use the default free AiProtection from ASUS/TP-Link/Linksys, McAfee from D-Link routers or subscription-based Netgear Armor for Netgear routers, but at the expense of privacy due to user data collection by Trend Micro/BitDefender/McAfee. This method will not impact throughput performance much

2) Using a multi-SSID method like use of the Guest Network and setting static IP addresses is also possible, but the wireless separation of separate LAN access is within the same supporting router. Availability of AP (aka Wireless/Station/Client/Guest Mode) Isolation in the Guest Network will depend on the router

3) Attaching a second non-WiFi6 router to the main router (as Access Point) and connecting all the IoT devices to the second router. The second router can provide the firewall/IDS/IPS/malware/AP Isolation protection to the IoT devices

4) Or set up a separate non-WiFi6 router network with a second line for IoT devices and set static addresses only, with isolated (firewalled) network, intrusion prevention, malware protection and AP Isolation capabilities

5) Install an external hardware firewall like the Netgate SC-5100 (need to confirm whether its VPN is outgoing or incoming)

6) Buy a smart home IoT protection device like BitDefender Box v2/RATtrap etc., which come with IPS/IDS/Firewall but require paying for an annual subscription. Take note that such devices may not be compatible with your router and will affect the throughput performance

7) Some routers offer the option to create VLANs (virtual LANs) inside a larger private network. These virtual networks can be used to isolate IoT devices. In short, VLANs are Guest WiFi networks on steroids. Generally not available for consumer routers.
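The tutorial's fourth level ("low-level programming of the firewall of the router") and options 2 and 7 in the segmentation list above come down to the same forwarding policy. The script below is an added example and is neither the tutorial's nor HarborFront's material: it generates an nftables ruleset for a Linux-based router (the kind of alternative firmware the tutorial's fourth level presupposes) with a trusted LAN bridge, a guest bridge and an IoT bridge. The router accepts nothing unsolicited from the WAN (no admin UI, no ping), the admin UI is reachable over HTTPS only and only from the trusted LAN, guest and IoT devices get Internet only, and the LAN may initiate connections to IoT (so a phone can cast to the TV) but not the reverse. The interface names, the `home_router` table name and the port choices are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): emit an nftables ruleset that turns a
# home router's segmentation and WAN lockdown into explicit rules. Interface
# names passed in are assumptions about the alternative firmware's layout.

# Accept only plausible Linux interface names, so a typo cannot produce a
# rule that matches no traffic and silently leaves the wrong segment open
# or closed.
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# gen_ruleset WAN LAN GUEST IOT   -> prints the ruleset on stdout
gen_ruleset() {
    wan=$1; lan=$2; guest=$3; iot=$4
    for i in "$wan" "$lan" "$guest" "$iot"; do
        valid_iface "$i" || { echo "gen_ruleset: bad interface name '$i'" >&2; return 1; }
    done
    cat <<EOF
flush ruleset
table inet home_router {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        iifname "lo" accept
        # WAN: only the ISP's DHCP lease and the ICMPv6 that IPv6 cannot work without.
        # Echo requests from the WAN are dropped explicitly (tutorial level 1, step 5);
        # everything else, including the admin UI, falls through to the drop policy.
        iifname "$wan" udp sport 67 udp dport 68 accept
        iifname "$wan" icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        iifname "$wan" icmp type echo-request drop
        iifname "$wan" icmpv6 type echo-request drop
        # Admin UI: HTTPS only, and only from the trusted LAN (level 3, step 2).
        # Guest and IoT never reach it, and 80/22/23 are not opened anywhere.
        iifname "$lan" tcp dport 443 accept
        # Every segment needs DHCP, DNS and basic ICMP from the router itself.
        iifname { "$lan", "$guest", "$iot" } udp dport { 53, 67 } accept
        iifname { "$lan", "$guest", "$iot" } tcp dport 53 accept
        iifname { "$lan", "$guest", "$iot" } icmp type echo-request accept
        iifname { "$lan", "$guest", "$iot" } icmpv6 type { echo-request, nd-neighbor-solicit, nd-router-solicit } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        # Trusted LAN may reach the Internet and may initiate to IoT (cast to a TV);
        # replies come back through the established rule above.
        iifname "$lan" oifname { "$wan", "$iot" } accept
        # Guest and IoT get Internet only: no path to the LAN, to each other,
        # or to any other segment.
        iifname { "$guest", "$iot" } oifname "$wan" accept
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$wan" masquerade
    }
}
EOF
}

# Syntax-check with `nft -c` before loading (requires nft and root), so a
# typo never replaces the live ruleset with nothing.
apply_ruleset() {
    rules=$(gen_ruleset "$@") || return 1
    printf '%s\n' "$rules" | nft -c -f - && printf '%s\n' "$rules" | nft -f -
}

# `sh rules.sh --apply eth0 br-lan br-guest br-iot` loads the rules; with no
# arguments the script only prints the ruleset for review.
if [ "${1:-}" = "--apply" ]; then
    shift; apply_ruleset "$@"
else
    gen_ruleset "${1:-eth0}" "${2:-br-lan}" "${3:-br-guest}" "${4:-br-iot}"
fi
```

Two design points worth noting: both filter chains use `policy drop`, so anything not listed (telnet, SSH, HTTP on the WAN, IoT-to-LAN forwarding) is denied without a rule for it, and the LAN-to-IoT accept relies on conntrack for the return path, which is exactly why an IoT device cannot open a connection in the other direction.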
 

blackice

The one note I would make on the ASUS Trend Micro privacy (I haven't used the others) is that the text that is so bothersome to privacy advocates reads as boilerplate lawyer speak to cover their backsides. I doubt they collect any more than the browser extensions that most people use. But if you truly want privacy, security is a tough sell with all the cloud networks these days.
 

Tiamati


Hello @HarborFront. I was doing some research about routers to solve some problems and just found your post. Can you help me pls?

I currently have 2 problems. I just received a new D-LINK EXO router from D-LINK customer service. I believe this router has the AI protection you mentioned in item "1)". I would like to know more about it but found almost no information. What does it do? How does it protect the network? I'm asking because I found some problems enabling it.

For example, when McAfee protection (D-Link Defend) is enabled:
a) My Android phone connects to the network normally but takes longer to access the internet. That makes Android pop up a message saying that the network can't connect to the internet. But it connects a few secs later.
b) My SmartTV can't "find" its server. So I can't access the "window" that allows access to other apps, like Netflix.
c) After turning on my PC/laptops, the network takes much longer to provide an internet connection. So I'm connected to the network but I can't access any website. It works normally after some time. It looks like the Android problem.

Furthermore, I'm running into a problem isolating my SmartTV from my home network through an ethernet connection. I made a thread about it (but the admin hasn't accepted it yet). I'm posting the thread message below:

Hello! First of all, ty for your help. Let me explain my problem.

I'm currently using an old Philips SmartTV, whose last update is from 2014. So I believe it probably has a lot of vulnerability issues.
According to some articles (here and here), all IoT should be connected to guest Wi-Fi, as that isolates those things from your home network. That's what I do. However, my old TV also can't connect to 5 GHz Wi-Fi, which causes some performance problems. So, I considered changing it to an ethernet connection, as I could easily connect the SmartTV to an ethernet cable.
However, IDK if I could isolate the TV from my network in the same way I do with the guest Wi-Fi. Do you have any idea?

Btw, my D-Link router (EXO model) has a so-called Triple-Play option in the VLAN section. Idk what exactly that is, but I wonder if it could help. (I'm posting a print of the function in case you wanna help me with that too)

 

Tiamati



BTW, enabling the McAfee network protection also impacted DNS responses, as you can check here


The McAfee protection can be checked here

 

HarborFront


D-Link Exo Series Routers


First things first

1) Update all firmware for your devices, and that includes router, smart TV, phone, PC, laptop etc.
2) Connect one device at a time and test it
3) Leave all router settings at default. Slowly enable those you are comfortable with
4) Do NOT enable McAfee protection in the router. Test to make sure all device speeds and performance are OK first. After that, enable McAfee protection and compare speed and performance. If speed and performance suffer badly now, then McAfee protection is the culprit.
5) Check your surrounding WiFi network traffic congestion. Move to another band and switch channel if necessary. Use the WiFi Analyzer app on your Android phone, or the free WiFi Analyzer from the MS Store on your PC/laptop, to check
 