
How do you protect your home network?

Discussion in 'Networks & Internet Connectivity' started by StevieP, Sep 19, 2019.

  1. StevieP

    Soldato

    Joined: Jan 2, 2004

    Posts: 6,850

    Location: Chesterfield

    I've got a TP Link Archer VR2800 router at the moment feeding the internet into my home network of several mobile devices, TV's, PC, laptops, NAS, games consoles etc and I use the built in "access control" feature to create a "whitelist" so that in addition to needing the password, the MAC address for each device has to be listed before it will let you use the internet or connect to the network.

    Anyway I recently had an issue in adding a new device and it turns out that my router has a maximum number of devices in that whitelist of 30! So now I'm stuck either having to delete a lesser used device first or turning the feature off all together!

    Has anyone else had a similar problem or can recommend any better way of securing the network over and above just relying on the Wi-Fi password?
     
  2. Quartz

    Sgarrista

    Joined: Apr 1, 2014

    Posts: 9,425

    Location: Aberdeen

    Try setting up some VLANs. You could have one VLAN for non-whitelisted devices which has restrictions, and another VLAN for whitelisted devices with no restrictions. A guest wifi is an obvious choice for the former, your physical LAN an obvious choice for the latter.
     
  3. the-evaluator

    Wise Guy

    Joined: Sep 24, 2015

    Posts: 1,617

    MAC address whitelisting is pointless anyway, all it does is slow down the process of adding new legitimate devices to your network. If someone can crack/whatever your wireless network password then it's trivial to find the MAC address of a currently connected client and then spoof that MAC address on their wireless network card.
     
  4. StevieP

    Soldato

    Joined: Jan 2, 2004

    Posts: 6,850

    Location: Chesterfield

    Not sure I've got the technical know-how to do this - I mean I was going to look into the guest network option (assuming the whitelist access control won't affect this??) but wasn't sure how it works!

    Is there some info on this you can point me towards??

    I was wondering about this myself - I mean presumably I'm really only protecting myself from people in the immediate vicinity and the extra level of protection (such as it is) may be useless anyway!
     
  5. the-evaluator

    Wise Guy

    Joined: Sep 24, 2015

    Posts: 1,617

    In my opinion it doesn't add any extra protection since it's trivial to spoof a MAC address. The difficulty is getting past your wireless network password, but once someone is past that it'll be a 30 second job to sniff for a connected MAC address, spoof that MAC address onto their wireless network interface and get connected.

    It's an inconvenience that adds no security at all. Personally I'd disable it completely.
     
  6. mrbell1984

    Capodecina

    Joined: Aug 9, 2008

    Posts: 21,938

    Nope my home network protects me.
     
  7. Shawreyboy

    Wise Guy

    Joined: Jan 26, 2009

    Posts: 1,127

    Location: Andover, Hampshire

    Only way to truly protect your home network is to not have any WiFi running at all - but that completely defies most standard logic.

    Either way, I highly doubt someone is going to be sat outside someone's house trying to crack it.

    Shawrey
     
  8. WJA96

    Capodecina

    Joined: Jul 13, 2005

    Posts: 14,302

    Location: Norfolk, South Scotland

    Puts WiFi Pineapple away quickly....
     
  9. Terminal_Boy

    Soldato

    Joined: Apr 13, 2013

    Posts: 7,307

    Location: La France

    I protect mine by being miles from anywhere.
     
  10. Bug One

    Sgarrista

    Joined: Oct 18, 2002

    Posts: 9,688

    Location: Sandwich, Kent

    I have to help most of my neighbours with their IT. I seriously doubt any of them has a hash cracking rig hidden away trying to crack my wifi passcode.
     
  11. Shawreyboy

    Wise Guy

    Joined: Jan 26, 2009

    Posts: 1,127

    Location: Andover, Hampshire

    :D:D
     
  12. Steveocee

    Soldato

    Joined: Nov 5, 2011

    Posts: 5,154

    Location: Derbyshire

    You could spin up a LAN side PPPoE server, requires wifi/physical connection AND username/password then. Massive overkill for a home network though.
     
  13. WJA96

    Capodecina

    Joined: Jul 13, 2005

    Posts: 14,302

    Location: Norfolk, South Scotland

    For router and file server access I use 2 factor authentication as well.
     
  14. Kidge

    Hitman

    Joined: Sep 13, 2012

    Posts: 868

    If you haven’t already, I would recommend disabling WPS as well!
     
  15. Rainmaker

    Sgarrista

    Joined: Aug 18, 2007

    Posts: 8,283

    Location: Liverpool

    As above, VLANs or separate subnets are easiest/best for this. I built my own router using an old Dell Optiplex mini PC (i7 3700, 8GB RAM) with a 4 port Intel server NIC. I installed Arch Linux on it, used the built in network interface (also Intel) as WAN and allocated the four network ports on the card to separate subnets (trusted LAN, WiFi and 'untrusted' visitors, DMZ/servers and IoT/CCTV). Using the Shorewall firewall I set up a policy that allows the trusted LAN clients access to anywhere, but nobody (whether from the internet or other subnets) is allowed in. The other subnets can access the net but not other clients on the network, and only servers in the DMZ have the needed ports forwarded using DNAT. I have DNS over HTTPS running on the network (and accessible from WAN for when I'm out of the home on my phone/laptop/iPad etc), and SSH is enabled on the router but only to a non-root user with my SSH key, not a password.

    When guests come around they scan a QR code on the wall (where the networking gear is) and get connected to a segregated guest WiFi network (Unifi UAP AC Pro) which again only has access out to the net but not to any other clients, WiFi or otherwise. Nobody can get in, nobody can communicate to other devices (unless in trusted LAN) and everything's locked down tight. I see thousands of access attempts every day (mostly from Russia and China on random ports like RDP, Telnet, some SSH) but since everything's locked down tight they can't get in. :p I'd prefer to run the box on an OpenBSD base but until they finish their in-kernel WireGuard implementation I'm sticking to a barebones Linux install (which has no GUI and only uses about 80MB RAM anyway).

    You may not wish - or be able - to go to these lengths, but the takeaways remain (and some are listed above by others). Segregate non-trusted clients, don't allow inter-device communication on your WiFi network(s), lock out the router with a strong password, or better yet an SSH key, and don't use the default username (admin, root, whatever) if at all possible. Move to a third party open source firmware if possible, as OEMs are frankly incompetent and dangerously slow at patching security flaws in routers, if they ever do (which is rare). Disable WAN access to any and all services unless you have an explicit reason not to (and still run a firewall on the router), with NAT as a secondary 'soft firewall' backup (i.e. running services don't resolve from your public IP to a local IP). Disable WPS, period. Have very strong (>30 characters, numbers, letters, mixed case, special symbols) WiFi passwords and use a QR code to make it easy to connect devices you trust. Don't open ports unless you know what you're doing. Definitely disable UPnP/NAT-PMP or similar if your router offers it (most normal commercial ones do). Don't let crappy IoT devices like cameras, fridges, TVs etc run on your main network - segregate them off, either with the untrusted WiFi or better yet on a wholly dedicated subnet/VLAN. Educate yourself, even if it's only for a few hours. While 'a little knowledge is a dangerous thing', in the case of cyber security a little knowledge is far better than none at all.
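    The zone policy Rainmaker describes (trusted LAN out anywhere, nothing in from the internet or other segments, guest/IoT/DMZ net-only, one DNAT into the DMZ), and the restricted-VLAN idea Quartz raises, sketched as Shorewall configuration. This is an added illustration, not Rainmaker's actual files; the interface names (eth0-eth4), the 10.0.x.0/24 subnets, the DMZ host address and the Shorewall 5 file formats are assumptions.

```conf
# /etc/shorewall/zones  (assumed zone names; one per physical port as described)
#ZONE   TYPE
fw      firewall
net     ipv4
lan     ipv4     # trusted wired LAN
wifi    ipv4     # guest / untrusted WiFi
dmz     ipv4     # servers
iot     ipv4     # cameras, TVs etc.

# /etc/shorewall/interfaces  (assumed: on-board NIC is WAN, card ports eth1-eth4)
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        dhcp,tcpflags,nosmurfs,routefilter
lan     eth1        tcpflags
wifi    eth2        dhcp,tcpflags
dmz     eth3        tcpflags
iot     eth4        dhcp,tcpflags

# /etc/shorewall/policy  (first match wins; the last two lines are the defaults)
#SOURCE DEST    POLICY  LOGLEVEL
lan     all     ACCEPT          # trusted clients may go anywhere
wifi    net     ACCEPT          # guests: internet only
iot     net     ACCEPT          # IoT: internet only
dmz     net     ACCEPT          # servers: internet only
$FW     all     ACCEPT
net     all     DROP    info    # silently drop unsolicited inbound, log it
all     all     REJECT  info    # everything else (e.g. wifi->lan, iot->dmz) refused

# /etc/shorewall/rules  (exceptions to the policies above)
#ACTION         SOURCE  DEST            PROTO   DPORT
# management: SSH to the router only from the trusted LAN (key auth is set in sshd, not here)
SSH(ACCEPT)     lan     $FW
# every segment may use the router's resolver (DNS-over-HTTPS upstream lives on the router)
DNS(ACCEPT)     wifi    $FW
DNS(ACCEPT)     iot     $FW
DNS(ACCEPT)     dmz     $FW
# the one published service: forward HTTPS from WAN to an assumed DMZ web host
DNAT            net     dmz:10.0.3.10   tcp     443

# /etc/shorewall/snat  (Shorewall 5.x format: NAT all internal subnets behind the WAN port)
#ACTION         SOURCE          DEST
MASQUERADE      10.0.0.0/16     eth0
```

    With this layout a guest, IoT or DMZ host that tries to reach a LAN client hits the final REJECT line and the attempt appears in the log, which is the "thousands of access attempts" visibility Rainmaker mentions; `shorewall check` validates the files before `shorewall restart` applies them.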
     
  16. sideways14a

    Wise Guy

    Joined: Aug 31, 2017

    Posts: 1,618

    I run a pfSense firewall going through to the internet with a modem on its own network interface. My ISP's router/switch is in the bin, all connectivity is done myself.
    The server running the VMs that pfSense is on connects via several separate network interfaces to a managed switch.
    This has 2 managed TP-Link APs connected on their own VLAN.
    I also run Pi-hole as a DNS server on a VM which does all my filtering and ad removal, which is critical for a lot of nasties.
    Next up is a proxy, running as part of pfSense; I run this with active virus checking and other packet scanning tech in pfSense like Snort for **** that gets this far.

    Finally on the PC I have Malwarebytes in active mode (paid for) and use Chrome + ad blocking and am patched up to god knows what level.

    So er.. yeah a bit of security.:p
     
  17. ecksmen

    Wise Guy

    Joined: Jun 25, 2004

    Posts: 1,150

    Location: Cardiff

    I try to keep things simple at home, but perhaps more complex than a typical setup.

    Virgin Media Modem Mode -> Physical port ESXi - Dirty vSwitch for WAN interface on PFSense Firewall.

    PFSense firewall has two internal interfaces. DMZ and LAN. DMZ I use for labs and tinkering. It has zero access to LAN, full internet outbound access.

    Wifi I broadcast two networks using Unifi AC Pro - Internal and Guest. Guest is restrictive but provides unlimited internet access. Internal has full access to LAN, DMZ and Internet.

    I debated moving IoT to a separate subnet / VLAN / WiFi but I decided against it. I have a handful of systems running, all Debian-based and hardened (CIS). They're updated automatically monthly.

    My network share is what I care most about - I'm using SMB to provide easier authentication between the various devices I have and the shares I needed. I'm sure I could have done similar with NFS but I couldn't get it to play nicely with all devices.

    Pi-hole with a load of malicious site lists added, using Quad9 DNS as upstream.
     
  18. ScoTTyBEEE

    Wise Guy

    Joined: Jun 1, 2004

    Posts: 1,964

    Location: London

    Let’s face it, most of you do this for fun rather than a legitimate reason.

    Set WiFi password and use internet is acceptable for almost everyone. Even guest WiFi is pointless for 99.9% of people unless they think their friends are going to do nefarious deeds.
     
  19. WJA96

    Capodecina

    Joined: Jul 13, 2005

    Posts: 14,302

    Location: Norfolk, South Scotland

    Absolutely, but just to be on the safe side I’m installing some Dobermann Pinscher dogs
     
  20. ScoTTyBEEE

    Wise Guy

    Joined: Jun 1, 2004

    Posts: 1,964

    Location: London

    Make sure you patch the drugged steak vulnerability :]