How do you protect your home network?

Soldato
Joined
2 Jan 2004
Posts
7,642
Location
Chesterfield
I've got a TP Link Archer VR2800 router at the moment feeding the internet into my home network of several mobile devices, TVs, PC, laptops, NAS, games consoles etc., and I use the built in "access control" feature to create a "whitelist" so that in addition to needing the password, the MAC address for each device has to be listed before it will let you use the internet or connect to the network.

Anyway I recently had an issue in adding a new device and it turns out that my router has a maximum number of devices in that whitelist of 30! So now I'm stuck either having to delete a lesser used device first or turning the feature off all together!

Has anyone else had a similar problem or can recommend any better way of securing the network over and above just relying on the Wi-Fi password?
 
Soldato
Joined
1 Apr 2014
Posts
18,532
Location
Aberdeen
Try setting up some VLANs. You could have one VLAN for non-whitelisted devices which has restrictions, and another VLAN for whitelisted devices with no restrictions. A guest wifi is an obvious choice for the former, your physical LAN an obvious choice for the latter.
 
Soldato
Joined
24 Sep 2015
Posts
3,657
MAC address whitelisting is pointless anyway, all it does is slow down the process of adding new legitimate devices to your network. If someone can crack/whatever your wireless network password then it's trivial to find the MAC address of a currently connected client and then spoof that MAC address on their wireless network card.
 
Soldato
OP
Joined
2 Jan 2004
Posts
7,642
Location
Chesterfield
Try setting up some VLANs. You could have one VLAN for non-whitelisted devices which has restrictions, and another VLAN for whitelisted devices with no restrictions. A guest wifi is an obvious choice for the former, your physical LAN an obvious choice for the latter.

Not sure I've got the technical know-how to do this - I mean I was going to look into the guest network option (assuming the whitelist access control won't affect this??) but wasn't sure how it works!

Is there some info on this you can point me towards??

MAC address whitelisting is pointless anyway, all it does is slow down the process of adding new legitimate devices to your network. If someone can crack/whatever your wireless network password then it's trivial to find the MAC address of a currently connected client and then spoof that MAC address on their wireless network card.

I was wondering about this myself - I mean presumably I'm really only protecting myself from people in the immediate vicinity and the extra level of protection (such as it is) may be useless anyway!
 
Soldato
Joined
24 Sep 2015
Posts
3,657
In my opinion it doesn't add any extra protection since it's trivial to spoof a MAC address. The difficulty is getting past your wireless network password, but once someone is past that it'll be a 30 second job to sniff for a connected MAC address, spoof that MAC address onto their wireless network interface and get connected.

It's an inconvenience that adds no security at all. Personally I'd disable it completely.
 
Associate
Joined
26 Jan 2009
Posts
1,462
Location
Salisbury, Wilts
The only way to truly protect your home network is to not have any WiFi running at all - but that completely defies most standard logic.

Either way, I highly doubt someone is going to be sat outside someone's house trying to crack it.

Shawrey
 
Soldato
Joined
18 Aug 2007
Posts
9,688
Location
Liverpool
As above, VLANs or separate subnets are easiest/best for this. I built my own router using an old Dell Optiplex mini PC (i7 3700, 8GB RAM) with a 4 port Intel server NIC. I installed Arch Linux on it, used the built in network interface (also Intel) as WAN and allocated the four network ports on the card to separate subnets (trusted LAN, WiFi and 'untrusted' visitors, DMZ/servers and IoT/CCTV). Using the Shorewall firewall I set up a policy that allows the trusted LAN clients access to anywhere, but nobody (whether from the internet or other subnets) is allowed in. The other subnets can access the net but not other clients on the network, and only servers in the DMZ have the needed ports forwarded using DNAT. I have DNS over HTTPS running on the network (and accessible from WAN for when I'm out of the home on my phone/laptop/iPad etc.), and SSH is enabled on the router but only to a non-root user with my SSH key, not a password.

When guests come around they scan a QR code on the wall (where the networking gear is) and get connected to a segregated guest WiFi network (Unifi UAP AC Pro) which again only has access out to the net but not to any other clients, WiFi or otherwise. Nobody can get in, nobody can communicate to other devices (unless in trusted LAN) and everything's locked down tight. I see thousands of access attempts every day (mostly from Russia and China on random ports like RDP, Telnet, some SSH) but since everything's locked down tight they can't get in. :p I'd prefer to run the box on an OpenBSD base but until they finish their in-kernel WireGuard implementation I'm sticking to a barebones Linux install (which has no GUI and only uses about 80MB RAM anyway).

You may not wish - or be able - to go to these lengths, but the takeaways remain (and some are listed above by others). Segregate non-trusted clients, don't allow inter-device communication on your WiFi network(s), lock out the router with a strong password, or better yet an SSH key, and don't use the default username (admin, root, whatever) if at all possible. Move to a third party open source firmware if possible, as OEMs are frankly incompetent and dangerously slow at patching security flaws in routers, if they ever do (which is rare). Disable WAN access to any and all services unless you have an explicit reason not to (and still run a firewall on the router), with NAT as a secondary 'soft firewall' backup (i.e. running services don't resolve from your public IP to a local IP). Disable WPS, period. Have very strong (>30 characters, numbers, letters, mixed case, special symbols) WiFi passwords and use a QR code to make it easy to connect devices you trust. Don't open ports unless you know what you're doing. Definitely disable UPnP/NAT-PMP or similar if your router offers it (most normal commercial ones do). Don't let crappy IoT devices like cameras, fridges, TVs etc. run on your main network - segregate them off, either with the untrusted WiFi or better yet on a wholly dedicated subnet/VLAN. Educate yourself, even if it's only for a few hours. While 'a little knowledge is a dangerous thing', in the case of cyber security a little knowledge is far better than none at all.
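The segmentation policy the post above describes (and the VLAN split suggested earlier in the thread) can be written down as Shorewall configuration. The fragment below is an added example, not the poster's actual config: zone names, interface names, the 10.0.x.0/24 addressing and the single DNAT'd web server at 10.0.3.10 are all assumed. It shows the four zones, the first-match policy table (trusted LAN out to anything, the other zones out to the internet only, nothing inbound from the net and nothing between zones), and a rules file that opens only the two things the post mentions: a DNAT for one DMZ server and key-only SSH to the router from the trusted LAN.

```conf
# /etc/shorewall/zones  (added example; zone and interface names are assumed)
#ZONE   TYPE
fw      firewall
net     ipv4      # WAN / internet
loc     ipv4      # trusted wired LAN
wifi    ipv4      # guest / untrusted WiFi
dmz     ipv4      # servers that need inbound ports
iot     ipv4      # cameras, TVs, fridges etc.

# /etc/shorewall/interfaces
#ZONE   INTERFACE   OPTIONS
net     eth0        dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        tcpflags
wifi    eth2        tcpflags
dmz     eth3        tcpflags
iot     eth4        tcpflags

# /etc/shorewall/policy  (first match wins, so order matters)
#SOURCE DEST    POLICY  LOGLEVEL
loc     all     ACCEPT          # trusted LAN may go anywhere
wifi    net     ACCEPT          # guests: internet only
iot     net     ACCEPT          # IoT: internet only
dmz     net     ACCEPT          # DMZ hosts: internet only
fw      all     ACCEPT          # router itself may reach out (DoH upstream, updates)
net     all     DROP    info    # nothing unsolicited from the internet, logged
all     all     REJECT  info    # everything else (wifi->loc, iot->dmz, ...) is refused

# /etc/shorewall/rules  (explicit holes through the policy above)
#ACTION      SOURCE  DEST                PROTO   DPORT
# Forward only HTTPS to one DMZ server; 10.0.3.10 is an assumed address.
DNAT         net     dmz:10.0.3.10       tcp     443
# Allow SSH to the router only from the trusted LAN; key-only auth is
# enforced in sshd_config (PasswordAuthentication no), not here.
SSH(ACCEPT)  loc     $FW
# Let every zone reach the router's own DNS forwarder (DoH upstream runs on it).
DNS(ACCEPT)  all     $FW
```

Two things worth noting from a defender's point of view: the `net all DROP` line placed before the catch-all `REJECT` means internet-originated traffic is silently dropped rather than answered, and the absence of any `wifi loc` or `iot loc` line is what makes those zones unable to reach the trusted LAN. Client isolation between devices on the same WiFi is an access-point setting (the post's Unifi guest network), not something this firewall table can express.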
 
Associate
Joined
31 Aug 2017
Posts
2,209
I run a pfsense firewall going through to the internet with a modem on its own network interface. My ISP's router/switch is in the bin, all connectivity is done myself.
The server running the VMs that pfsense is on connects via several separate network interfaces to a managed switch.
This has 2 managed TP link APs connected on their own VLAN.
I also run pihole as a DNS server on a VM which does all my filtering and ad removal, which is critical for a lot of nasties.
Next up is a proxy, running as part of pfsense. I run this with active virus checking and other packet scanning tech in pfsense like snort for **** that gets this far.

Finally on the PC I have malwarebytes in active mode (paid for) and use chrome + ad blocking and am patched up to god knows what level.

So er.. yeah a bit of security.:p
 
Associate
Joined
25 Jun 2004
Posts
1,276
Location
.sk.dkwop.
I try to keep things simple at home, but perhaps more complex than a typical setup.

Virgin Media Modem Mode -> Physical port ESXi - Dirty vSwitch for WAN interface on PFSense Firewall.

PFSense firewall has two internal interfaces. DMZ and LAN. DMZ I use for labs and tinkering. It has zero access to LAN, full internet outbound access.

Wifi I broadcast two networks using Unifi AC Pro - Internal and Guest. Guest is restrictive but provides unlimited internet access. Internal has full access to LAN, DMZ and Internet.

I debated moving IoT to a separate subnet / VLAN / wifi but I decided against it. I have a handful of systems running, all debian based, that are hardened (CIS). They're updated automatically monthly.

The network share I care most about - I'm using SMB to provide easier authentication between the various devices I have and shares I needed. I'm sure I could have done similar with NFS but I couldn't get it to play nicely with all devices.

Pi-Hole with a load of malicious site lists added, using Quad9 DNS as upstream.
 
Permabanned
Joined
1 Jun 2004
Posts
2,019
Location
London
Let’s face it, most of you do this for fun rather than a legitimate reason.

Set WiFi password and use internet is acceptable for almost everyone. Even guest WiFi is pointless for 99.9% of people unless they think their friends are going to do nefarious deeds.
 
Soldato
Joined
13 Jul 2005
Posts
19,205
Location
Norfolk, South Scotland
Let’s face it, most of you do this for fun rather than a legitimate reason.

Set WiFi password and use internet is acceptable for almost everyone. Even guest WiFi is pointless for 99.9% of people unless they think their friends are going to do nefarious deeds.

Absolutely, but just to be on the safe side I’m installing some Dobermann Pinscher dogs
 