
Routers

Prepare yourselves for another long section! I hope you packed a dinner and brought your sleeping bag for this! This is one of the most important sections on this website, for several reasons, some of which I’ll talk about here. I have to keep a balance between providing solid info and going overboard though. The router you pick is the first line of defense against threats and it’s also one of the most frequently exploited pieces of hardware. What you choose here matters much more than you might think.

Building out your threat model is an important step because it will help you decide what router you should buy or build. Read the OPSEC section for more information on threat modeling. If you pick a prebuilt router, which is a good choice for many people, it starts with picking a good brand. There are a lot of options and many of them are mediocre or just downright garbage.

I’ll repeat myself as I have many times now; do your due diligence! If you are looking at a particular router, research that model as well as the brand. Some of the router providers have left CVEs unpatched for a long time. One of the tactics some of these companies use is to release a slightly newer model of a router and take the old one out of support, even though it might be in perfectly good shape. Then the CVEs really start to stack up.

Also, make sure you look at the background of the brand you want to buy. If you live in a Western bloc nation, you should avoid using software from an Eastern bloc nation. Hardware is a much harder area to avoid due to where most factories are, but routers are definitely one thing that needs to be considered here. If a router manufacturer has close ties to a government that’s hostile to your home country, it’s not something I recommend using.

My recommendation here isn’t going to work for a lot of people and that’s okay. Again, work off of your threat model to get an idea of what applies. The consumer grade routers in general tend to be crappy, though they do work for many people. If you’re this far into reading on my website, it’s safe to say you have a much greater interest in securing your devices. My choice is to go with one of the following options: use an enterprise grade solution or build your own and run either pfSense or OPNsense.

The enterprise grade option could be easier and you can find some pretty good options on eBay if you know what to look for and what to be wary of. There are plenty of good brands to choose from, some of which are Cisco, Fortinet, Palo Alto, SonicWall, Ubiquiti, etc. New is a better option for multiple reasons, though you will definitely pay for it. Enterprise networking equipment isn’t known for cheap prices. Again, just be careful of what you buy and who you buy from on eBay if you go that path. Also, if you buy a used router, make sure it is still receiving security updates. CVEs can come up at any time. You don’t want a router that’s filled with them.

If you want to try something else, you can go down the rabbit hole of making your own router. This is where things can get complicated. The best options on the market for the software side of things are OPNsense and pfSense. These two are about as close to enterprise grade as you can get. They are both excellent options, so just do some research on each one for whatever you might want to use. As with all things, they have their own pros, cons, and quirks. Either option would work great for a home power user.

The hardware selection is very wide with either one. You can buy a premade router from pfSense. The manufacturer is called Netgate. It’s the company that bought pfSense and turned it into a paid model. Their consumer router software is still free and open source. OPNsense sells hardware, but the starting price point is quite a bit higher. The great thing about this software is you are free to make your own router by assembling a computer to use as a router, or you can even just make some modifications to a premade office PC that you could get used for a cheap price.

The setup and configuration of these has a fair bit of depth. At this point, I will need more time to make sure I can thoroughly document these before release. Keep an eye on my YouTube channel or on the change notes for when the guides get released. With all the details involved, it will take some time.

Now, let's cover some general settings you need to pay attention to when setting up a router. These are pretty much universal, no matter what router you choose. In no order of importance, these are things like login security, port forwarding, UPnP, activity monitoring, DNS, IPS, Wi-Fi configuration, WPS, and some other miscellaneous items. I’ll cover what each of these are and why they are important.

I’ll start with the most obvious step. Make sure you lock your admin login behind a strong password. The standard recommendation is at least 12 characters with upper and lower case letters, symbols, and numbers. The longer and more complex it is, the more secure it will be. Since my focus is on cybersecurity, I would not recommend allowing anyone other than you to access the router. Someone who either doesn’t know what they are doing or has bad intentions could cause a lot of havoc if they start changing settings.

You also have to be cognizant of who has physical access to the router. It becomes trivially easy to bypass your security measures if someone can go straight to the source. This guide is for home users, and for most home users you’re generally okay with having your router in a typical living area. The part to be cautious of here is if you have people living with you where the trust factor is dubious. There are people who have several roommates they barely know. If you're concerned about the router, you could keep it in a locked room only you have access to and have video monitoring to keep watch. This is relative to your threat model.

Next, let's discuss port forwarding and universal plug and play (UPnP). There are times when people open ports up, such as if a program or video game needs it to work properly with the internet. This is such a huge security risk that the average home user shouldn’t even be attempting this. If you do decide to open ports for whatever reason, just be aware of the massive risk that comes with it. This was somewhat more common in days of old, like back in the 90’s when people would want to play a multiplayer game together like Diablo 1. Now, the “need” to open a port is extremely rare and a niche case.

This is a somewhat rough analogy for opening a port but think of it this way. You have a typical house with windows and doors. For each port you open, it would be the equivalent of taking a sawzall and removing a door or window and just leaving it be. All sorts of nasty garbage can come right into your house through the hole without issue and can bypass all the other areas that are closed off. This is basically what port forwarding is. Again, the use cases for this are extremely niche for a home user and if you need to do this, you probably know how and why. If not, don’t worry about it. The vast majority of routers don’t have open ports and it works just fine leaving it that way.

Now let’s discuss universal plug and play (UPnP). This is a setting that you can find on the router and in applications that may need to use it, though sometimes there won’t be a UPnP option. Some multiplayer games are an example of this, where they use UPnP to connect players together. Turning this feature off in your router is much safer, though there may be occasional problems. There are so many possible combinations of software and hardware that I can’t predict what issue disabling it may cause for you, though I use my devices a lot and have not run into an issue with UPnP being disabled.

Here’s why UPnP is an issue. With this standard being the “plug and play” of port forwarding, it takes care of all that behind the scenes, and “opens” ports up and closes them on the fly. The problem is that malware can use this feature too and UPnP has been exploited before. Think of those automatic sliding doors when you go into a store. They open for anyone as long as they want to go in or out. UPnP is the same concept. There’s no safety check in place to make sure malware doesn’t get access.

Next, let’s briefly discuss Wi-Fi, starting with the network name. You should set a custom network name for your Wi-Fi. Routers will often come with some sort of default name. The issue with that is routers use the network name as part of the process that turns your password into the actual key (the password is hashed together with the network name). That is a simplified description, but the upshot is that an attacker could use rainbow tables and hashcat to hack into your Wi-Fi if your network name is generic, because a table built for that name works against every network that uses it. Also, don’t use anything that could identify you, such as a nickname.
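To make the "network name is part of the hashing" point concrete, here is an added example (my code, not the page author's) that derives a WPA2-Personal key the way the standard does: PBKDF2-HMAC-SHA1 over the passphrase with the SSID as the salt, 4096 rounds, 256-bit output. The SSIDs, passphrase and candidate list are constructed for illustration. It shows that the same passphrase yields a different key under a different SSID, so a lookup table precomputed for a generic default name is useless against a network with a custom name.

```python
import hashlib
from typing import Dict, List, Optional

# Constructed sample values (assumptions for this example, not from the page).
GENERIC_SSID = "default-router-ssid"   # stands in for a factory default name
CUSTOM_SSID = "my-own-network-name"    # a name the owner chose
PASSPHRASE = "correct horse battery staple"
CANDIDATES: List[str] = [PASSPHRASE, "password1234", "letmein!2024"]


def wpa2_psk(ssid: str, passphrase: str) -> bytes:
    """Derive the 256-bit WPA2-Personal PSK as IEEE 802.11i specifies:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def psk_hex(ssid: str, passphrase: str) -> str:
    """Hex form of the PSK, the value a router stores for a passphrase."""
    return wpa2_psk(ssid, passphrase).hex()


def key_changes_with_ssid(ssid_a: str, ssid_b: str, passphrase: str) -> bool:
    """Same passphrase, two SSIDs: the derived keys differ because the SSID is the salt."""
    return wpa2_psk(ssid_a, passphrase) != wpa2_psk(ssid_b, passphrase)


def precompute_table(ssid: str, candidates: List[str]) -> Dict[bytes, str]:
    """A tiny lookup table (PSK -> passphrase) built for ONE specific SSID.
    This is the expensive part an attacker amortises across every network
    that shares the same default name."""
    return {wpa2_psk(ssid, p): p for p in candidates}


def lookup(table: Dict[bytes, str], ssid: str, passphrase: str) -> Optional[str]:
    """Check whether a network's real PSK appears in a precomputed table."""
    return table.get(wpa2_psk(ssid, passphrase))


if __name__ == "__main__":
    table = precompute_table(GENERIC_SSID, CANDIDATES)
    print("generic SSID, table hit :", lookup(table, GENERIC_SSID, PASSPHRASE))
    print("custom SSID,  table hit :", lookup(table, CUSTOM_SSID, PASSPHRASE))
```

The practical lesson for the defender is the one the paragraph makes: a custom SSID forces any precomputation to be redone for your network alone, which is why the advice is to change the default name even before worrying about the passphrase.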

Staying on the network name (SSID), DO NOT use a hidden network name. It may sound counterintuitive, but doing so just creates more of a security risk. Let’s say your phone is connected to the Wi-Fi and you forget to shut off your Wi-Fi on your phone before you go out and about. When you are driving by stores and homes, your phone is essentially yelling out to all the surrounding routers, “Hey hidden network, are you there?!” A hidden SSID is easy to find for a hacker and if a hacker sees a network name is hidden, they will be more likely to target it since they may think there’s something more valuable on the network.

Now onto the Wi-Fi encryption type. Just avoid WEP as it is out of date and insecure garbage (if your router even lists it). Most routers are now coming with WPA2 and WPA3 as options, and some even have a hybrid option which will use WPA3 if your device supports it or otherwise use WPA2. WPA3 is obviously the better choice, but some devices don’t support it, so you would need WPA2. Again with the password, choose something strong.

If your router has WPS, make sure it’s turned off. There is a long explanation of how insecure this is and how someone can completely bypass your security, but it would be way too long for me to keep this guide short, so you can research more on other sites if you wish. This section is already getting really long and I’m trying my best to keep from bloating it too much. The slightly increased amount of convenience using WPS is absolutely not worth the massive risk.

Lastly, make sure you check for updates every once in a while. There are times that critical vulnerabilities get patched. You don’t want to risk your entire home network and your identity because hardware wasn’t staying updated or because you were using something no longer being supported.