Need a router with Network Isolation, otherwise called AP Isolation. DD-WRT has this feature, but mine has been hacked, so I need a replacement. DD-WRT also has a restriction for the max number of connected WiFi clients. This is a bonus feature, but AP Isolation is a must-have.


Tips for hardening (when you keep your old router):

  1. Keep your old router and connect it to the new router by wire. Disable the 5G network on your old router and use it as a 2.4 GHz guest network.
  2. Enable the Guest network (most routers automatically partition the network for guests), limit the number of IPs to, say, 30 or 50, and use an easy-to-memorize long passphrase, e.g. "Welcome@2House0fMarry&John", or a song title using easy character replacement, "Mary&JohnH0u$eI$@VeryVeryFineH0u$e" (looks like CSN&Y's Our House, but is different with simple special-character replacement).
  3. Set the lease lifetime (of the IP address) to 24 hours (this kicks out an intruder for a few seconds and offers you time for countermeasures) and limit the number of available IP addresses (intruders sometimes claim all IP addresses so you can't log in to your own network anymore; that is why you want to limit this to a practical number; with some spare IPs and physical wired access to your router you should be able to regain control again).
  4. Also add your IoT devices to the GUEST network (because most guest networks offer network partitioning or guest isolation out of the box), because vendors of IoT devices have a bad reputation for updating their software for security flaws (network partitioning/guest isolation makes it harder to infect other clients).
  5. When your router offers filtering on IP or has parental control, create a down window for all IP addresses in the guest network range. When your router does not have such an option, a simple electric clock/timer between the router and the electric wall outlet achieves the same hardening.

New Router
  1. Limit the range of IPs (I have limited it to 10; we "only have" 6 devices: PCs, tablets and smartphones). Disable 2.4 GHz and use it solely for 5 GHz. By nature a 5 GHz network does not travel that far, so it is a bit harder to overhear than a 2.4 GHz network. It also helps when you select a higher channel within the 5 GHz range (so it is good practice only for reducing bandwidth collision).
  2. Use the maximum-length key-phrase allowed (I assume anyone who is a member of this forum has renamed the default admin account and, when possible, the internal IP address of the router as well).
  3. Enable DHCP reservation (meaning the router gives the same IP address to the same MAC address) with an eternal lease time for a while. After a month or so, change it to static IP addresses (offers slightly better protection, because the intruder also needs access to the router software).

In the Netherlands, where we live with 18 million people on 300 by 200 kilometers, most people live relatively close together (I have "only" five 5 GHz networks and over twenty colliding 2.4 GHz networks in the neighborhood). So I don't need to outrun the lion to survive any hacker probes, I just have to outrun my neighbors in terms of security (the same applies to physical perimeter security: you don't need a Fort Knox, just make it harder to break into your home than your neighbors').

Sitecom routers offer network partitioning, meaning one client does not have access to other clients (same as the default with most routers when enabling a guest network), and I hardened network protocols using IP filtering also. So it is as solid as a regular guest network (the reason I did not use Guest is that my old Sitecom router adds the text GUEST to my network ID and I don't want script kiddies to know it is a guest network in practice).

A friend (security specialist) says you should use the guest network and keep the default SSID and use an electric timer (when you are not that tech savvy with networks), or use network partitioning, apply IP filtering to disconnect clients at night, rename the SSID to a silly name (e.g. SecretNetwork) and hide the network SSID (only to make it a more interesting decoy, not as a security measure against tech-savvy people). Finding a hidden network SSID is a trivial task and only raises attention (so bad practice for your inner-circle 5 GHz network, good practice for your guest 2.4 GHz when you check router logs from time to time).
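The steps above (AP isolation, a small DHCP pool with a 24-hour lease, a client cap, and DHCP reservations with an "eternal" lease) expressed as hostapd and dnsmasq settings, added here as an example that is not from the post or any router vendor. It assumes a Linux-based router running those two daemons; the interface names, file paths, subnets and MAC addresses are constructed and should be replaced with your own.

```conf
# --- /etc/hostapd/hostapd-guest.conf : guest AP on the old router's 2.4 GHz radio ---
# (interface name assumed)
interface=wlan0
ssid=Guest-2G
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# passphrase pattern taken from the post; use your own
wpa_passphrase=Mary&JohnH0u$eI$@VeryVeryFineH0u$e
# AP isolation: associated clients cannot exchange frames with each other
ap_isolate=1
# cap on simultaneously associated stations, matching the 30-address pool below
max_num_sta=30

# --- /etc/dnsmasq.d/guest.conf : DHCP for the guest network (constructed subnet) ---
# 30 addresses only, 24-hour lease as recommended in the post
dhcp-range=192.168.20.100,192.168.20.129,255.255.255.0,24h
dhcp-lease-max=30

# --- /etc/hostapd/hostapd-inner.conf : inner AP on the new router's 5 GHz radio ---
# (interface name assumed; a higher 5 GHz channel as the post suggests)
interface=wlan1
ssid=SecretNetwork
hw_mode=a
channel=100
ieee80211n=1
ieee80211ac=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# placeholder: replace with a passphrase at the maximum length hostapd allows (63 chars)
wpa_passphrase=REPLACE_WITH_YOUR_OWN_MAXIMUM_LENGTH_PASSPHRASE
# keep the inner SSID broadcast; hiding it only draws attention (see the post)
ignore_broadcast_ssid=0
max_num_sta=10

# --- /etc/dnsmasq.d/inner.conf : DHCP for the inner network (constructed subnet) ---
# pool of 10 addresses, as in the post
dhcp-range=192.168.10.100,192.168.10.109,255.255.255.0,24h
dhcp-lease-max=10
# DHCP reservations with an "eternal" lease: the same MAC always gets the same address
# (MAC addresses constructed; replace with your own devices)
dhcp-host=02:00:00:00:00:01,192.168.10.101,infinite
dhcp-host=02:00:00:00:00:02,192.168.10.102,infinite
```

On DD-WRT the dnsmasq lines can go into the "Additional DNSMasq Options" field, while AP isolation and the client cap are set in the wireless settings page rather than by editing hostapd.conf directly.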


