You absolutely must secure your home router and you probably can't

I suspect that most of them are too cheap to actually bother (unless it’s with things that make their lives easier on average; like some ill-secured management backdoor permanently on the WAN); but I can never tamp down a flicker of suspicion when I tell a surprisingly capable box full of firmware that probably hates me “so, just act like a dumb wire and/or rudimentary protocol translator” and it says “OK, I’m definitely doing that now.”

The difference between “bridge” and “zOMG So Many NATs” is quite evident. The difference between “bridge” and “mostly bridge, most of the time” would be a lot subtler.


Check your interfaces to see what speed they have negotiated. You may have some Fast Ethernet ports in there somewhere; they are still surprisingly common, especially on cheap wifi routers. Also check your cables, especially if you terminated them yourself.


Google Fiber utilizes VLAN packet tagging, for no really necessary reason. :frowning: You’ll enjoy sharply curtailed throughput (even though the port is operating at 1Gb speed) unless your router supports it and you can figure out how to configure VLAN tag re-writing. DD-WRT seems to support it, but I never got it working. (If DD-WRT is so damn great, why does it seem like no-one shares their configuration recipes?) There are some tutorials online for configuring certain SO/HO switches to replace your Google Fiber router as gateway so you can get full speed. You’d connect that to the fiber jack and then you hang your gigabit-capable router of choice after it.

Placing a router, even a gigabit one, after the Google router results in a huge performance hit. But, I’d rather have my router manage my devices, so I settle for ~500Mbps and conceal my devices from Google behind a DD-WRT router which is configured to present a PC’s MAC on the WAN side so Google thinks it’s just a laptop. :wink:

I only get ~700Mbps when my PC is directly connected to the Google router anyway so the difference isn’t noticeable. 500Mbps for $73.71/mo is still a good deal!

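What the post above calls “VLAN tag re-writing” (and “presenting a PC’s MAC on the WAN side”) is a small amount of byte surgery on every frame that crosses the router. The following is an added illustration, not code from the thread or from any router firmware: it decodes and rewrites 802.1Q tags on raw Ethernet frames and models a router that faces a tagged ISP port on one side and an untagged LAN on the other. The sample frame, the MAC addresses and the VLAN ID 2 (`ISP_VID`) are all constructed for the example; the thread does not state Google Fiber’s real tag values.

```python
"""Byte-level view of a router between a VLAN-tagged ISP port and an untagged LAN.

Added illustration for the thread, not code from it.  The sample frame, the
MAC addresses and ISP_VID below are constructed; real ISP tag values are not
given in the thread.
"""
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
ISP_VID = 2           # ASSUMED VLAN ID the ISP side expects (illustrative only)


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_bytes(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))


def _ethertype(frame: bytes) -> int:
    return struct.unpack("!H", frame[12:14])[0]


def parse_frame(frame: bytes) -> dict:
    """Decode an Ethernet II header, including the 802.1Q tag when present."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {"dst": mac_to_str(frame[0:6]), "src": mac_to_str(frame[6:12]), "tagged": False}
    ethertype = _ethertype(frame)
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q tag present but truncated")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        # TCI layout: 3 bits priority (PCP), 1 bit drop-eligible (DEI), 12 bits VID
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)
        payload = frame[18:]
    else:
        payload = frame[14:]
    info.update(ethertype=ethertype, payload=payload)
    return info


def strip_tag(frame: bytes) -> bytes:
    """Remove the 4-byte 802.1Q tag; untagged frames pass through unchanged."""
    if _ethertype(frame) != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC, never stacking a second one."""
    if not 1 <= vid <= 0xFFE:        # 0 = priority-only tag, 0xFFF = reserved
        raise ValueError("VID out of range")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP out of range")
    frame = strip_tag(frame)
    tci = (pcp << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def rewrite_vid(frame: bytes, new_vid: int) -> bytes:
    """Tag re-writing proper: keep PCP and DEI, swap only the VLAN ID."""
    if _ethertype(frame) != TPID_8021Q:
        raise ValueError("cannot rewrite VID on an untagged frame")
    if not 1 <= new_vid <= 0xFFE:
        raise ValueError("VID out of range")
    tci = struct.unpack("!H", frame[14:16])[0]
    tci = (tci & 0xF000) | new_vid
    return frame[:14] + struct.pack("!H", tci) + frame[16:]


def clone_src_mac(frame: bytes, mac: str) -> bytes:
    """Present a chosen source MAC (e.g. a PC's) instead of the router's own."""
    return frame[:6] + mac_to_bytes(mac) + frame[12:]


def lan_to_wan(frame: bytes, wan_mac: str, vid: int = ISP_VID) -> bytes:
    """Egress toward the fibre jack: show the chosen MAC and tag with the ISP's VID."""
    return add_tag(clone_src_mac(frame, wan_mac), vid)


def wan_to_lan(frame: bytes, vid: int = ISP_VID):
    """Ingress from the fibre jack: accept only the expected VLAN, hand the LAN an untagged frame."""
    info = parse_frame(frame)
    if not info["tagged"] or info["vid"] != vid:
        return None   # drop: untagged, or tagged for a VLAN we do not serve
    return strip_tag(frame)


# Constructed sample: an untagged IPv4 frame from a LAN host (payload is filler).
SAMPLE_UNTAGGED = (mac_to_bytes("00:11:22:33:44:55") + mac_to_bytes("66:77:88:99:aa:bb")
                   + struct.pack("!H", 0x0800) + bytes(range(20)))

if __name__ == "__main__":
    outbound = lan_to_wan(SAMPLE_UNTAGGED, "de:ad:be:ef:00:01")
    print(parse_frame(outbound))
    print(wan_to_lan(outbound) == clone_src_mac(SAMPLE_UNTAGGED, "de:ad:be:ef:00:01"))
```

The ingress side drops anything not carrying the expected VID rather than forwarding it untagged; that is the check a consumer firmware that “mostly bridges” tends to skip, and it is the difference between a router that only strips tags and one that actually enforces which VLAN its LAN belongs to.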

free balls me end of life

The passive power load of having everyone lash up a Linux or PFSense server to their ISP appliance in order to improve security addresses one problem but creates another. I like the idea of using an appliance like an off the shelf router and replacing the firmware, but that’s a long reach for a lot of people.

I’ve flashed DD-WRT a dozen or so times, but that didn’t keep me from bricking a gigabit ethernet TP-Link last year (fortunately, I was able to recover it through an arduous process that involved soldering in a USB port). Still have no idea where that went awry. I’m using OpenWRT now, but it’s not something I would recommend to a nontechnical relative who’s becoming concerned.

I have to hand it to the nation state hackers out there. They’ve managed to become a global threat with no effective solution.

You’re still using that old tech? FFS, it’s 2017! Upgrade now to the extra-secure password I use: 12345


For more advice on router security, see my RouterSecurity.org site. It just passed 2 million page views and is not a commercial endeavor (no ads and no affiliate links).
As for a secure router, I suggest the Pepwave Surf SOHO by Peplink. No router is perfect for everyone, but if you care at all about security, I have a long description of the router’s features here: https://www.routersecurity.org/pepwavesurfsofo.php


The router itself is a PC with 4 GbE ports. I can see that the WAN port is running at 1000 Mb/s, but the LAN port connecting it to my GbE switch is only running at 100 Mb/s.

I’m running a pfSense router precisely because of this. It makes setting up VLAN tagging extremely easy, relatively speaking.

I actually got this working on a DD-WRT flashed router (TP-Link Archer C9). Like most online forums, the DD-WRT message board is where information goes to die. Once I got the VLAN tagging set up, I discovered that DD-WRT didn’t support hardware acceleration of the NICs, so they would max out at 100 Mb/s anyway. My pfSense solution (at least theoretically) has both the power and hardware support to handle this.

PM me if you’re interested in ditching the Google Fiber Box entirely. I can run through and document my setup pretty easily.

Depending on how much you care about running free software vs. professional support, there are some off-the-shelf routers which come with better firmware than DD-WRT, are fully supported by the manufacturer, and are in the same price range as the typical consumer routers you might put DD-WRT on. Look for devices marketed for small business/home office use.

I switched away from DD-WRT after my second reflashed consumer router overheated and fried itself. Mikrotik is my current choice, and some of my friends are using other brands quite happily. Ticks my boxes for low power consumption, high reliability and performance, timely security updates and support, and very flexible configuration.


The router piece covers just about everything except for some handholding options good for users who are uncomfortable in this area and unable to configure things themselves, or who don’t have a tech at hand to do it for them for free.

While DD-WRT and most alternative firmwares are free, and I have tested and utilized many of them, I have found that once you tell a friend that you can install it, or have installed it and configured some “advanced” options like VPN, everyone and their cousin is looking for one-on-one help.

While I don’t mind helping here and there, time for me, like many, equals money. Between researching builds, support and versions on forums, actually getting people to give me the right model so I can try and help them, and scheduling a call or visit to their home, it all sounds fun and free until you have to do it.

That is one reason I stumbled on Flashrouters, DD-WRT router sellers and support. Not only do they offer pre-flashed and configured devices, but they do it for a somewhat reasonable price, back it with their warranty/setup guides/support/knowledge base, and include a remote support session, which is invaluable to noobs and never-want-to-learns.

They also offer Remote Flashing and VPN Setup Support Plans with e-mail support, which is a bit more reliable than hoping someone on a message board in Germany might reply to you for free and give you an answer rather than point you to an outdated guide on a wiki somewhere from 2011. Which is an understandable answer; it is not their job and they do not get paid. Flashrouters gets paid because it is their job and primary focus, and a valuable/desirable niche, it appears.

Too bad it was left out of this article and instead there are links to custom options that will get people stuck in a rabbit hole of frustration, only leading them to their friends because they wanted to save a few bucks. As I said, time = money, and from the feedback I got from a few people I sent over to them, Flashrouters does a heck of a job dealing with grandmas worried about hackers.

And of course DIY and pfSense solutions are good solutions for a certain tier, but a rising tide lifts all boats, and getting people away from default routers with outdated firmware and no security is definitely a start.

I use a Cisco 1841 ISR behind Spectrum’s Arris device. To simplify things, I placed the Arris in Bridge Mode, so the 1841 receives the registered IP address directly. All decision making has been removed from the ISP’s equipment. From there, it’s all ACLs to control inbound and outbound traffic, including a roll-your-own L2TP VPN and other “services”.

Here in Germany ISPs can’t force you to use their routers; you’re always allowed to supply your own equipment. Some ISPs tried to do an end-run around that by not giving customers the necessary credentials to have their third-party router connect to the ISP’s network but that practice has also been made illegal. There are very nice third-party routers available on the market (I use a FRITZ!Box 7580 which is nothing short of wonderful, and I’m saying that strictly as a satisfied customer), and indeed various ISPs offer rebranded versions of these routers to their customers.

Incidentally, if you want a really secure router then note that a Linux PC does not require a running init process. You can use init to run the required commands to set up any firewall rules you need and then simply exit process 1, which will give you a nasty-looking error message but the kernel will continue running (and routing packets). This is inconvenient to reconfigure and lacks some features that more fancy units provide (such as a DHCP server) but will be very tough for attackers to get a foothold on or modify.

