Home broadband routers are remarkably complex devices that few ever take the time to truly understand. As long as the lights are blinking, and webpages load, most people are inclined to leave them be. The few brave souls who venture into the firmware are often rewarded with a maze of menus that betray the true complexity of these underappreciated appliances. Wireless channels, security modes, and even port forwarding can be frustrating concepts for those without a networking background, but are absolutely critical to understanding how to optimize your home network. In this guide we will teach you the finer points of security, as well as give you surefire ways to boost your router's wireless range and optimize performance.
When most people think about online security, they often assume virus scanners, spyware detectors, and even firewall software are the most important weapons to level against those who would seek to exploit their machines. In reality, the router is one of the most powerful tools in your arsenal, and it rarely gets the credit it deserves. If you actually took the time to look at the raw data coming in through your broadband connection, you would be shocked at just how much background noise is constantly bombarding your machines. Unpatched PCs from around the world form sprawling botnets designed to spew forth exploits both old and new in hopes of finding vulnerable targets.
Prior to the days of Windows XP SP2, machines plugged directly into the Internet would often fall prey to these exploits, becoming infected simply because they were left on and connected. With the introduction of the firewall in SP2 that changed. Windows now ships with this feature on by default, and it drops unsolicited traffic coming into your connection. The Windows firewall isn’t perfect, but it was still a huge improvement.
Think of your router as an upgrade on this basic concept; in reality, it makes for one of the most powerful firewalls money can buy. Forming an invisible barrier between you and the net, routers drop incoming packets that you weren’t expecting, and are much less vulnerable to exploits that would seek to poke holes in your defenses. A good router not only drops incoming packets, but it also refuses to acknowledge that an active connection even exists. This simple but powerful difference between routers and many software firewalls provides that extra bit of security that can mean the difference between a virus poking around on your machine, or moving on. The Windows firewall is still important, but these days it should only be used as a secondary line of defense.
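The behaviour described above, as an added example (not code from the original article): a toy model of the router's stateful firewall that remembers flows the LAN started, lets their replies back in, admits only explicitly forwarded ports, and silently drops everything else. The addresses, ports and the `demo()` traffic are constructed; `192.168.0.` is the LAN prefix the article uses.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

class StatefulRouter:
    """Toy model of a consumer router's firewall: remember flows the LAN
    started, let their replies back in, silently drop everything else."""

    def __init__(self, lan_prefix: str = "192.168.0."):
        self.lan_prefix = lan_prefix
        # flows opened from inside: (lan_ip, lan_port, remote_ip, remote_port, proto)
        self.flows: Dict[Tuple[str, int, str, int, str], bool] = {}
        # deliberate exceptions (port forwarding): (dport, proto) -> lan_ip
        self.forwards: Dict[Tuple[int, str], str] = {}
        self.dropped: List[str] = []

    def is_lan(self, addr: str) -> bool:
        return addr.startswith(self.lan_prefix)

    def forward_port(self, dport: int, proto: str, lan_ip: str) -> None:
        """Punch a single hole, as the router's Port Forwarding page does."""
        self.forwards[(dport, proto)] = lan_ip

    def handle(self, pkt: Packet) -> str:
        outbound = self.is_lan(pkt.src) and not self.is_lan(pkt.dst)
        inbound = self.is_lan(pkt.dst) and not self.is_lan(pkt.src)
        if outbound:
            # A LAN host asked for something: note the flow so the answer can return.
            self.flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)] = True
            return "FORWARD"
        if inbound:
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.flows:
                return "FORWARD"          # reply to a flow we opened
            if self.forwards.get((pkt.dport, pkt.proto)) == pkt.dst:
                return "FORWARD"          # explicitly forwarded port
            # Unsolicited: drop without a RST or ICMP error, so the sender
            # learns nothing about what is behind the router.
            self.dropped.append(f"{pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}/{pkt.proto}")
            return "DROP"
        return "FORWARD"                  # LAN-to-LAN traffic is not filtered here

def demo() -> List[str]:
    """Constructed traffic (RFC 5737 documentation addresses), not a capture."""
    r = StatefulRouter()
    r.forward_port(6159, "udp", "192.168.0.10")          # e.g. a VoIP listening port
    traffic = [
        Packet("192.168.0.10", 51000, "203.0.113.5", 443),          # PC opens HTTPS session
        Packet("203.0.113.5", 443, "192.168.0.10", 51000),          # server replies: allowed
        Packet("198.51.100.7", 443, "192.168.0.10", 51000),         # wrong peer for that flow: dropped
        Packet("198.51.100.7", 40000, "192.168.0.10", 445),         # unsolicited SMB probe: dropped
        Packet("198.51.100.9", 30000, "192.168.0.10", 6159, "udp"), # forwarded port: allowed
        Packet("198.51.100.9", 30000, "192.168.0.11", 6159, "udp"), # forwarded to another host: dropped
    ]
    return [r.handle(p) for p in traffic]
```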
MAC Address
This string of letters and numbers is a unique identifier applied to all networking components. Think of it like a serial number that can be used to identify machines or devices on a network, even if their physical location or connection point changes.
IP Address
This is essentially your phone number within a network. An IP address doesn’t necessarily only come from the Internet: each and every device that connects to your home network also has a unique IP address within the router’s network. This is how a router is able to take a single Internet IP address and share it with multiple devices across its various connections.
DHCP
Dynamic Host Configuration Protocol servers are built into every router, and provide each device with an IP address, default gateway, domain name, DNS servers, etc. The most important thing to know about DHCP is that this is how your router manages IP addresses.
Latency
PC gamers might know this better as ping. It is a measure, usually in milliseconds, of how long it takes your data to get from your machine to its destination and back.
Every router is going to be a little bit different, but most can be accessed from your web browser by entering 192.168.0.1 or 192.168.1.1 into the address bar. Once done, you will be prompted to enter your user name and password, which, if you don’t know it, is probably just the default. Many routers come stamped with this information on the bottom, but if not, here is a link to your one-stop shop for all the login info you’ll need. Generally your user name will be either “admin” or “administrator”, and your password will either be the same, or try leaving it blank.
Know your password? Skip ahead to the next step.
If you’re still locked out of your router and unable to log in, examine the hardware itself; often you’ll find a manual reset button on the device that will restore it to factory defaults. This is a great way to unlock your device, but beware, more often than not this step will also clear all of the router’s settings. Here are a few tips to make sure you do the reset properly.
1.) Always hold down the reset key for at least 30 seconds, or until the indicator lights give you the impression that the reset has taken place.
2.) Some routers require you to unplug them prior to trying a hard reset.
3.) Always wait at least 30 seconds after plugging in your router before trying to reconnect.
The first thing you should do if you’re working with a new router is to change the default user name and password. Leaving the defaults in place is like leaving the front door open: anybody within range of your router can gain access to your network, no matter how strong your wireless encryption password is. Some routers also give you the option to “remotely configure” or “remotely access” your router. You’ll want to make sure that these are disabled. Basically this feature gives you the ability to access your router configuration via the Internet. Sounds innocent enough, but I honestly can’t think of a circumstance where this would be useful, and it simply exposes another surface for attack.
It is also a good idea to change your router’s SSID (Wireless Network Name). Broadcasting to the world that you are using a Linksys, for example, might not be a problem if you’ve changed the default passwords, but the trick to security is to always keep your attackers guessing. Many routers give you the ability to make the wireless network invisible, but don’t bother with this feature. Setting your network to invisible might keep people from accidentally latching on to your connection, but anyone using the right tools can find it easily. A very common security mistake with wireless routers is to set them to “invisible” and then run with no security. All of your data is still being transmitted in the clear, and don’t kid yourself, the bad guys won’t be fooled. Security through obscurity alone isn’t enough to protect your wireless network.
Plugging devices in using the RJ-45 Ethernet connectors on your router is the safest way to set up your home network, but let’s face it, it’s rather inconvenient. Wireless networking has made it possible to roam around the house and connect devices no wire could ever reach, but it’s important to remember that it comes with a slew of security considerations. Everyone has heard the terms WEP, WPA, WPA2, etc. tossed around, but what is the best option? When it comes to wireless security, WPA2 is always the way to go, but WEP is still better than nothing at all. Here is a summary of the most popular options.
No Security
Connecting to an unsecured wireless access point is like having a conversation in public. Anybody within range of your signal can see the information passing through the air “in the clear”. This basically means that when you type in your usernames and passwords, they can be easily recorded by anyone who feels the need to listen in. The same is true outside of your home when you connect to unsecured wireless hotspots, so beware of what services you log in to on open networks. Sessions on open networks can still be conducted safely if you notice an “https://” in the address bar (also look for the lock icon in your browser).
Running with no security on your home router doesn’t just allow your neighbors to share your Wi-Fi; in addition to monitoring and recording your sessions, they can also access shared drives on your machines that are connected to the network. On my last vacation I got a kick out of browsing through people’s iTunes libraries that automatically appeared courtesy of the unknowing souls who were connected to the hotel’s wireless network. Logging into a VPN will also allow you to safely work on unsecured wireless networks, but if you don’t know what a VPN is, you probably don’t have access to one.
WEP
Wired Equivalent Privacy might sound like a fancy and secure acronym, but sadly it’s a flawed and painfully inadequate encryption method. WEP is generally good enough to keep out nosy neighbors, but it can be easily cracked within minutes using freely available software tools, so it’s definitely not to be trusted for your everyday use. Some find themselves using this method to ensure backwards compatibility with older devices such as the Nintendo DS, but anyone who wants to get into your network can do so in a matter of minutes. Some routers offer the ability to enable a “guest mode” and run a separate unsecured or lower security network in addition to something stronger, but these generally still aren’t recommended.
If you absolutely must keep a WEP or No Security network running, the only safe way to do it is a “Y” configuration: a central router that connects you to the Internet, a second access point just for your insecure WEP traffic, and a third for trusted WPA capable devices. Basically you would be running two wireless networks, one secure and one not. With this configuration, even if someone cracks your WEP protected access point, the best they can hope for is to mooch off your Internet connection. Fancier solutions to this problem exist, but with consumer grade routers going for around $20 these days, you won’t find anything cheaper.
WPA
Wi-Fi Protected Access was implemented to replace the much weaker WEP encryption mentioned above, but we now know that it too is vulnerable to attack. The underlying encryption method behind WPA is called TKIP (Temporal Key Integrity Protocol), and it is now known to be vulnerable to a “key stream recovery attack” that will allow hackers to inject packets onto your network.
For the most part this attack isn’t as serious as those found on the WEP side, because it doesn’t actually reveal your master key, and attackers still won’t be able to eavesdrop on your session or monitor your traffic. Of course, once they start injecting packets into your connection, the possibilities are endless, but most home users can get away with running this if they have devices that don’t support the newest WPA2 encryption method.
This setting typically isn’t for home users, and is designed to work with a RADIUS server which allows for centralized authorization of clients.
WPA2
Wi-Fi Protected Access 2 replaces the beleaguered TKIP encryption of its predecessor with one of the most powerful algorithms available, AES. Advanced Encryption Standard is a robust, lightweight solution which only has one known weakness, a brute force attack. Somebody wishing to crack into a WPA2 protected network will need to try random combinations in the hopes of guessing your passkey, which is why it’s important to avoid using common dictionary words. The headline “WPA has been cracked” has been in the news recently, but rest assured this applies to WPA, which uses TKIP, and not WPA2, which exclusively uses AES. Some routers will offer the ability to run both WPA and WPA2 encryption on the same wireless connection, but keep in mind your security is only as strong as the weakest link. This approach should be taken only if you have hardware that won’t work with WPA2.
Pretty much every new client device I’ve tested within the last five years (except the Nintendo DS) supports WPA2. This offers up unbeatable protection that will allow you to fearlessly do even your banking from any room in the house. Of course, any encryption is only as powerful as the Pre-Shared Key (passphrase) that you select as your password. WPA2 is still vulnerable to “brute force” style attacks which attempt to guess your passphrase, and they often try combinations from various common passwords. Simple word combinations might “feel secure”, but these simply aren’t enough these days to keep out a determined brute force attacker. New GPU assisted crackers have significantly improved the efficiency and viability of brute force, so as a rule of thumb, your password shouldn’t be easy to remember.
Want to grab a random and secure password? Surf over to the passwords section on GRC to get a peek at what a really strong password looks like, or grab one that is randomly generated for you. With one of these passwords protecting your router, a brute force attacker is more likely to die of old age (or get evicted from his parents basement) before he ever breaks in.
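An added example, not code from the original article, showing the three things the two paragraphs above turn on: how to draw a passphrase from a real random source, how much entropy a given length buys (and how long exhausting it takes at an assumed guess rate), and the work each guess costs, since WPA2-Personal derives its 256-bit master key with PBKDF2-HMAC-SHA1 over the passphrase and SSID for 4096 iterations (the IEEE 802.11i derivation). The 1e9 guesses per second figure and the sample passphrases are assumptions for illustration.

```python
import hashlib
import math
import secrets
import string

# Printable ASCII minus space; WPA2 accepts 8 to 63 such characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols

def random_passphrase(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Draw a passphrase from the OS CSPRNG; every character is independent and uniform."""
    if not 8 <= length <= 63:
        raise ValueError("a WPA2 passphrase must be 8 to 63 characters long")
    return "".join(secrets.choice(alphabet) for _ in range(length))

def passphrase_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random passphrase: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every possibility at a constant guess rate.
    A couple of dictionary words are worth far fewer bits than their length suggests."""
    return 2.0 ** bits / guesses_per_second / (365 * 24 * 3600)

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal master key: PBKDF2-HMAC-SHA1 over the passphrase with the
    SSID as salt, 4096 iterations, 32 bytes out. Every guess an attacker makes
    must repeat this work, which is why the iteration count matters, and why
    changing the SSID also changes the derived key."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)

def report(passphrase: str, ssid: str, guesses_per_second: float = 1e9) -> dict:
    """Summarise one passphrase: entropy (assuming it was drawn uniformly from
    ALPHABET), brute-force cost at the assumed rate, and the resulting PMK."""
    bits = passphrase_bits(len(passphrase), len(ALPHABET))
    return {
        "length": len(passphrase),
        "bits": round(bits, 1),
        "years_to_exhaust": years_to_exhaust(bits, guesses_per_second),
        "pmk_hex": derive_pmk(passphrase, ssid).hex(),
    }
```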
It’s true in real estate, and it’s true for routers: finding the right location is one of the most important steps you can take to boost your router’s performance. Most new consumer grade routers ship with omnidirectional antennas. This means the signal is broadcast uniformly in a 360-degree radius. If you need to locate your access point in the corner of your house, a large percentage of its capability is being wasted. If you find you have dead spots in areas of your home, you can replace the antenna with a hi-gain version that will focus your signal in a 180-degree radius, vastly increasing your range in the chosen direction.
Selecting the right wireless channel, particularly in older routers, can have one of the biggest single impacts on your speed and range. If your router is operating on the same channel as your neighbor’s, or if you’re operating two separate routers close by, sharing a wireless channel basically cuts your performance in half. Most of the third party connection tools that ship with laptops or wireless adapters will show you what channel nearby networks are on; all you need to do is pick a spectrum that isn’t in use. If you’re using the built-in plain vanilla Windows tool, you’ll want to download Network Stumbler to help you find a vacant channel.
Some newer routers have an “auto” option which is designed to monitor and change the channel as needed, but more often than not I find this setting doesn’t work as advertised. The D-Link DIR-655 I used for testing locked on to channel 3, even though a second router sitting directly beside it was operating a separate network on the same channel. Your best bet is to manually select the best channel by determining those of other access points within range. Generally it is best to use channel 1, 6, or 11 if they are available; otherwise choose any available free channel. If you live in an apartment building or a condo you might have a hard time finding an open channel, but then again, you probably weren’t having coverage problems anyway. Based on the screen shot shown above, I would most likely configure my new access point using channel 11, since it will encounter the least amount of interference.
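The channel choice described above, as an added example (not from the original article): 2.4 GHz channels sit 5 MHz apart and each network occupies roughly 20 MHz, so a network on channel c bleeds into channels c-4 through c+4, which is why only 1, 6 and 11 are mutually non-overlapping. The scoring weights and the `SAMPLE_SCAN` list of neighbouring networks are constructed for illustration, not taken from a real scan.

```python
from typing import Dict, Iterable, Sequence, Tuple

def interference_score(channel: int, networks: Iterable[Tuple[int, int]]) -> int:
    """Sum of (overlap weight x signal strength) over every neighbour that overlaps.

    overlap weight: 5 on the same channel, down to 1 four channels away, 0 beyond.
    signal: dBm + 100, so -50 dBm (strong) counts 50 and -90 dBm (faint) counts 10.
    A score of 0 means nothing nearby touches this channel."""
    score = 0
    for other_channel, rssi_dbm in networks:
        distance = abs(channel - other_channel)
        if distance <= 4:
            score += (5 - distance) * max(0, rssi_dbm + 100)
    return score

def best_channel(networks: Sequence[Tuple[int, int]],
                 candidates: Sequence[int] = (1, 6, 11)) -> Tuple[int, Dict[int, int]]:
    """Pick the least-interfered candidate (lowest channel number breaks ties).

    Candidates default to 1/6/11, the article's recommendation; pass range(1, 12)
    to consider every channel instead."""
    scores = {c: interference_score(c, networks) for c in candidates}
    chosen = min(candidates, key=lambda c: (scores[c], c))
    return chosen, scores

# Constructed scan (channel, signal in dBm) of neighbouring access points.
SAMPLE_SCAN = [(1, -80), (3, -50), (6, -70), (9, -60)]
```

With `SAMPLE_SCAN` the scores are 250 for channel 1, 330 for 6 and 120 for 11, so channel 11 wins, matching the article's conclusion.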
This might sound like cheesy and obvious advice, but you would be surprised how many people ignore the firmware on their networking equipment. Many advances, particularly in the draft-n devices, are leading to vastly improved performance and stability. A simple update to the DWA-552 XTREME N Desktop Adapter in my test system led to a near doubling in transfer speeds over the original drivers that shipped with the unit, and added two extra bars of connection strength. Make sure to update the drivers on your adapters and the firmware on your router.
802.11n includes many new features to improve the quality of wireless connections, and increases both data rate and range. The most significant new feature introduced in 802.11n is MIMO (multiple input, multiple output), which allows data to be sent out on multiple streams over different antennas using the same frequency. The more data your router can squirt out, the better the odds your intended device will catch it, and yes, the recent resurgence of the Zune’s popularity has made squirting cool again.
It’s also worth noting that even if your client device only supports 802.11g, if your access point is 802.11n you will still see a great deal of benefit from the upgrade. In addition to the extended range, you are often able to maintain 54 Mbps connections from much greater distances.
Wireless G routers are cheap, cheerful, and still by far the most common type of Wi-Fi available today, but switching to 802.11n is a major upgrade.
If you notice that your signal strength is decent one moment and gone the next, you might have an interference problem from something else in your home. The most common offender is cordless phones. Most of the new cordless phone systems that you buy today operate in the 5.8 GHz spectrum, but for several years 2.4 GHz was all the rage. Unfortunately, your Wi-Fi router is transmitting on this same frequency, and the two might be interfering with each other. Often the interference, particularly from newer and more powerful 802.11n routers, is so strong that you can actually hear a buzzing noise on the phone if you’re near a router that’s transmitting data. You will also notice that your signal strength and transfer speeds take a significant dive each time the phone rings.
If you do use 2.4 GHz cordless phones your options are limited, but still pretty straightforward. You can spring for one of the newer 802.11n dual band Wi-Fi routers that transmit on the higher 5 GHz spectrum, or you can buy 900 MHz or 5.8 GHz cordless phones instead. Personally I stick to the 900 MHz phones because they often give you the best range, and they won’t interfere with your Wi-Fi.
Microwave ovens have also been known to mess with Wi-Fi signals, but since they operate so infrequently, and are typically located far away from your wireless devices, this is usually a non-issue. The interference generated is typically limited to a range of no more than ten feet, but in some situations this might cause an issue for a kitchen PC or other nearby client device.
Wi-Fi is all about standards right? Sort of. The Wi-Fi logo ensures that all your hardware from different vendors will be compatible with each other, but many vendors add in additional code or components to try and one up the competition. Linksys for example has SpeedBooster technology that does a very respectable job of increasing the range and speed of devices that all contain this feature. Nearly every vendor offers something above and beyond, but don’t expect to see the benefits if you mix and match.
Most routers come configured out of the box to run at 100% power, but just in case, it’s worth checking. Under certain conditions you might actually choose to decrease your transmit power, particularly if you’re setting this up in a small office or condo. Turning a router up to full power to blanket your 800 square foot condo isn’t just pointless; it’s inconsiderate to your neighbors, who will need to deal with the added wireless interference.
802.11g claims to offer 54 Mbit/s, and in theory 802.11n is capable of speeds up to 600 Mbit/s. In reality, expect these values to be lower, much lower. As you have seen from the tips above, everything from walls to microwaves can wreak havoc on your transfer speeds and range; don’t take it personally. Unless you’re willing to move to an isolated cabin in the middle of nowhere and run all your wireless devices directly beside your router, be prepared to settle for speeds that are considerably less than what you might have read on the box.
If you’ve read the previous section you now know routers make excellent hardware firewalls, and do a great job of blocking incoming connections. But what if you want to accept unsolicited incoming connections? This is the case whenever a friend tries to call you on Skype, or you attempt to download the latest World of Warcraft patch or Linux distro on BitTorrent. In the case of Skype, the software will try to work around the fact that you are behind an unconfigured router by using “super nodes” to link the two callers together. These “super nodes” are in reality not paid for by Skype; they are simply other Skype users who have configured their routers properly, or aren’t behind any type of firewall. Think of them as an intermediary that introduces two computers that would otherwise ignore any incoming calls. In the case of BitTorrent, an unconfigured router primarily causes low transfer speeds.
Setting up your router properly in both scenarios is not as hard as you might think, but it does involve introducing you to a concept known as port forwarding. Port Forwarding can typically be accessed through your router’s advanced preferences pane, and generally looks like the screen shot shown below.
This is the network IP address of the computer that requires the forwarded port. In most modern routers, you will be able to select your computer’s network name rather than specifying an IP address. If it doesn’t allow this, you will need to access your Network Setup preferences pane and tie the MAC address of your computer to a permanent IP. For those that have never heard of a MAC address before, simply think of it as a unique serial number that identifies your computer. Our goal is to tell the router to bind an IP address to your connection’s unique MAC, thereby allowing you to use the IP address as a permanent pointer within your network. Make sure the IP address looks something like 192.168.0.x (where x is anything between 2 and 255). Going forward, this will be the IP address of your computer on the LAN.
Before you finish and return to the Port Forwarding configuration, it is important that if your machine has both wired and wireless networking capabilities, you connect with each one separately and assign the IP address for each network connection method. You will need to bind both to fully cover your machine. The router should tell you what the MAC address of your computer is, but if you can’t find it, click Start, then find and launch Command Prompt. Once you see the cursor, type ipconfig /all and look for the “physical address”. It is generally six pairs of hexadecimal digits separated by dashes (e.g. 48-3F-0A-91-00-BC).
TCP & UDP Ports
Here you will list which port, or which range of ports, you wish to open. In the case of Skype and most BitTorrent clients, a single port for each is more than enough, but in some cases you might need to open a range of them. An example would be 6159, or 6159-6180. You should always open ports above 6000 to avoid accidentally opening up a port that is assigned to another service. If you accidentally opened port 80 for example (which is used for HTTP traffic), you would be exposing services that are vulnerable to attack.
This is generally used to limit access to a group of systems on your network. It’s unlikely you will ever need to change this setting from “Allow All”.
Universal Plug & Play
UPnP was designed for one purpose: to make port forwarding so easy that applications could do it for you, no consent required. If you’re the type of person who is security minded, this explanation should raise a few red flags; if you’re not, here is why you should be concerned. If any application can request that your router open a port, then malware can do it too.
UPnP offers unparalleled convenience by ensuring you never have to look at your port forwarding options, but is one of the most dangerous settings in the router. If port forwarding isn’t your cup of tea, this might be your only option, but don’t say we didn’t warn you!
Fill in the IP Address or the Computer Name of the machine you will be using the software on, pick a port (preferably one that doesn’t conflict with another service), and click Apply or Save. If you’re having trouble deciding what port number to use, you can read ahead to see where you enter the values in both Skype and uTorrent. You can simply write down and use the default ports that are shown in each application to make selecting a port easier.
Now that you have opened a port on your router, all you need to do is point Skype in the right direction. This can be done by opening up your Options menu, and then selecting the Connection tab. Now simply type in your open port, then click Save to make your changes permanent. You will find it amazing how drastically this will improve the sound quality and performance of your calls. You can also take comfort in the knowledge that because you opened a port that only Skype will access, your network is still secure.
When it comes to BitTorrent clients, you have literally hundreds of choices available, all of which should allow you to set the port for incoming connections. The screen shot shown above is specific to uTorrent, but simply locate the Preferences menu, then look for the Connections tab. Once here, simply fill in the box for “port used for incoming connections”.
The two examples shown above are for Skype, a VOIP application, and uTorrent, a P2P file transfer client, but you may need to open ports for all sorts of purposes. The World of Warcraft patch downloader, for example, requires ports 3724, 6112, and 6881-6999 to be opened for proper operation. As long as you understand the important terms, and how to apply them when opening a port, you should be able to adapt the steps above to open any port you need.
As a rule of thumb, only open up ports you are actually going to use. Don’t simply open up 6000-8000 to make your life easier. When you do this you are opening up a large hole in your network that could become a potential security concern.
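An added example (not from the original article) that turns the port forwarding advice in this section into a check you can run over your own rule list: it parses port specs in the form the router's form accepts (6159 or 6159-6180), flags well-known ports such as 80, ports below the article's 6000 threshold, overly wide ranges like 6000-8000, two rules that claim the same port for different hosts, and UPnP being enabled. `FORWARD_RULES` and the 200-port width limit are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class ForwardRule:
    name: str
    lan_ip: str
    ports: str            # as typed into the router: "6159" or "6159-6180"
    proto: str = "tcp/udp"

def parse_ports(spec: str) -> Tuple[int, int]:
    """Turn "6159" or "6159-6180" into an inclusive (low, high) pair."""
    m = re.fullmatch(r"\s*(\d{1,5})(?:\s*-\s*(\d{1,5}))?\s*", spec)
    if not m:
        raise ValueError(f"unrecognised port spec: {spec!r}")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"port range out of order or out of bounds: {spec!r}")
    return low, high

def audit_forwards(rules: List[ForwardRule], upnp_enabled: bool,
                   max_range: int = 200) -> List[str]:
    """Return one human-readable finding per thing the article warns about."""
    findings: List[str] = []
    if upnp_enabled:
        findings.append("UPnP is enabled: any program on the LAN, malware included, "
                        "can open ports without asking you")
    spans = []
    for r in rules:
        low, high = parse_ports(r.ports)
        spans.append((r, low, high))
        if low < 1024:
            findings.append(f"{r.name}: port {low} is a well-known service port "
                            f"(80 is HTTP, for example); it exposes a standard service")
        elif low < 6000:
            findings.append(f"{r.name}: port {low} is below 6000; confirm it is not "
                            f"already assigned to another service")
        if high - low + 1 > max_range:
            findings.append(f"{r.name}: opens {high - low + 1} ports ({low}-{high}); "
                            f"forward only the ports you actually use")
    # Two rules claiming the same port for different hosts: only one can win,
    # the other silently fails. Protocol is ignored here, which errs on the
    # side of reporting.
    for i in range(len(spans)):
        for j in range(i + 1, len(spans)):
            a, alo, ahi = spans[i]
            b, blo, bhi = spans[j]
            if alo <= bhi and blo <= ahi and a.lan_ip != b.lan_ip:
                findings.append(f"{a.name} and {b.name} both claim ports "
                                f"{max(alo, blo)}-{min(ahi, bhi)} for different hosts")
    return findings

# Constructed rule set (not from any real router) to exercise the checks.
FORWARD_RULES = [
    ForwardRule("skype", "192.168.0.10", "6159", "udp"),
    ForwardRule("web server", "192.168.0.10", "80"),
    ForwardRule("lazy", "192.168.0.20", "6000-8000"),
    ForwardRule("wow patcher", "192.168.0.10", "3724"),
]
```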
If you’re a regular follower of tech news, the term net neutrality likely not only rings a bell, but you probably have a very strong opinion on the matter. At issue is the idea that all data on the Internet should be treated equally. ISPs will argue that traffic shaping is required to maintain the quality of service for everyone, while those on the opposite side of the fence claim it stifles innovation and can be easily abused to protect the premium services offered by the network providers. No matter which side of the debate you fall on with regards to Internet traffic, however, I’m willing to bet you would be in favor of packet shaping on your home LAN. This is done using a service called QoS.
The configuration options that you see when entering the QoS menu will vary drastically depending on the model of your router, but the end goal is to set up a series of rules that will allow latency sensitive data such as VOIP to be prioritized over something less critical such as a file download. QoS requires you to understand all of the terms we have talked about up to this point, but if you find yourself somewhat lost, many routers have presets that you can pick from for popular items such as VOIP, torrents, and even gaming.
If you’re looking to create your own manual rules, here is a list of information you will need to provide:
You can put anything here; it is simply used to help you remember what this particular rule was created for.
Here you can tell the router how important the traffic is, with 1 being the most important. If you’re creating a rule to prioritize your gaming traffic, for example, then you should select 1. You might want to create a separate rule for HTTP traffic, which you could then assign a higher (less urgent) number. People can wait for a webpage to load; your ping in an online game, on the other hand, can mean the difference between life and death (virtually speaking, of course).
Local IP Range
This allows us to set a rule for a single device, or many depending on the range we select. For this to work properly you will need to assign each device to a static IP address if the QoS tool doesn’t support computer names. In the above screen shot, we are only specifying one machine at 192.168.0.1.
Remote IP Range
You probably won’t want to change this unless you specifically know where the traffic you want to prioritize will be coming from. A good example would be a Team Fortress dedicated server. You could plug in the IP address of your favorite server and point it to your IP address with a Priority of 1, but giving yourself local priority works just as well.
Local / Remote Port Range
This works just like the IP ranges, but this time with ports. Remember, many of the tasks you perform on the Internet consistently happen across a single port. HTTP, for example, comes across on port 80, FTP on port 21, etc. Practicallynetworked.com maintains an excellent list of all the common, and even not so common, ports you will come across.
Many newer routers will have presets you can choose from if you don’t want to dive into making your own custom rules. If you do go custom on the other hand, you’ll likely fall into one of two camps.
1.) You use VOIP and/or play online games.
2.) You want your traffic to have the highest priority because you were the only one smart enough to figure out how QoS works.
If the first scenario describes you best, then you will need to map out the IP address or ports that match the game or Skype settings you are using, and assign a high priority to your machine.
If instead the second situation best describes you, the rule is fairly simple. Just create a rule that points to your machine with priority 1. You may get an unfair share of the bandwidth, but knowledge is power is it not?
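The QoS rule fields from this section (priority, local and remote IP range, local and remote port range), as an added example that is not from the original article: a classifier that gives each flow the priority of the best matching rule (1 is most urgent, and an unmatched flow gets the lowest priority), plus a scheduler that orders queued flows accordingly. The rules, addresses and ports in `QOS_RULES` are constructed; 27015 is used as an assumed game server port and 6159 as the VoIP port the port forwarding section picked.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

ANY_IPS = ("0.0.0.0", "255.255.255.255")
ANY_PORTS = (1, 65535)
DEFAULT_PRIORITY = 255          # what a flow gets when no rule matches

@dataclass
class QosRule:
    name: str
    priority: int                               # 1 = highest, as in the router UI
    local_ips: Tuple[str, str]                  # inclusive range of LAN addresses
    remote_ips: Tuple[str, str] = ANY_IPS       # inclusive range of Internet addresses
    local_ports: Tuple[int, int] = ANY_PORTS
    remote_ports: Tuple[int, int] = ANY_PORTS

@dataclass
class Flow:
    local_ip: str
    remote_ip: str
    local_port: int
    remote_port: int

def ip_in_range(ip: str, low: str, high: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_address(low) <= addr <= ipaddress.ip_address(high)

def matches(rule: QosRule, flow: Flow) -> bool:
    """A rule applies only when all four of its ranges contain the flow."""
    return (ip_in_range(flow.local_ip, *rule.local_ips)
            and ip_in_range(flow.remote_ip, *rule.remote_ips)
            and rule.local_ports[0] <= flow.local_port <= rule.local_ports[1]
            and rule.remote_ports[0] <= flow.remote_port <= rule.remote_ports[1])

def classify(rules: Sequence[QosRule], flow: Flow) -> Tuple[int, Optional[str]]:
    """Return (priority, rule name) of the most urgent matching rule."""
    best: Tuple[int, Optional[str]] = (DEFAULT_PRIORITY, None)
    for rule in rules:
        if matches(rule, flow) and rule.priority < best[0]:
            best = (rule.priority, rule.name)
    return best

def schedule(rules: Sequence[QosRule], flows: Sequence[Flow]) -> List[Flow]:
    """Stable sort: highest-priority flows are sent first, ties keep arrival order."""
    return sorted(flows, key=lambda f: classify(rules, f)[0])

# Constructed rule set mirroring the two "camps" above: one machine's game
# and VoIP traffic at priority 1, everybody's web browsing at priority 5.
QOS_RULES = [
    QosRule("gaming", 1, ("192.168.0.10", "192.168.0.10"), remote_ports=(27015, 27015)),
    QosRule("voip", 1, ("192.168.0.10", "192.168.0.10"), local_ports=(6159, 6159)),
    QosRule("web", 5, ("192.168.0.2", "192.168.0.254"), remote_ports=(80, 80)),
]
```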
Wireless Intelligent Stream Handling is just like QoS, but instead of prioritizing your Internet traffic, it manages the performance of your Wi-Fi connected devices. Certain applications such as streaming video require a fast and stable connection, and WISH allows you to prioritize this type of traffic, allowing for smooth playback, even on a busy LAN. Configuring this works much the same way QoS does, but this time both devices that will be covered by your custom rules will be located inside your LAN.
Many WISH capable routers come with an automatic setting which by default gives priority to VOIP, and streaming video applications. For most people these automatic settings will do, but if you need to prioritize the traffic between two or more devices for something more specialized such as LAN gaming, this is where you do it.
Most modern consumer routers come with 4 wired Ethernet ports to work with, but for the modern geek, that is rarely enough. Adding additional wired ports to your home network is as simple as joining the two routers with an Ethernet cable, but anyone who has tried this in the past might have noticed that it creates a sharing problem. Because each of these routers is set up by default to assign its own IP addresses, computers plugged into the separate routers will have difficulty sharing files across the LAN.
Solving this problem is simple, and should be done on every router except the first. Simply log in to the Administrative Control Panel, click Setup, then disable DHCP on the second and every subsequent access point. Doing this will allow the first router to manage the assignment of IP addresses, and will allow you to see and share across all your devices.
By daisy chaining together wireless routers, you can also expand the number of Wi-Fi devices you can have attached to your network. Most consumer routers support a total of eight connections, four via Wi-Fi, and four via the wired Ethernet ports.
A subnet mask doesn’t work like an IP address, nor is it completely independent of one. Instead, a subnet mask accompanies an IP address and splits it into two parts: the network portion and the host portion. Generally you can leave this number at 255.255.254.0 for your WAN, and 255.255.255.0 for your LAN.
A gateway is little more than a node (or router) that serves as an access point between two networks. Your router should automatically default to an ISP supplied gateway that allows you to connect to the Internet. To put it in simple terms, it’s an entry and exit point in a network.
This option allows users from the Internet to access services on your LAN. This is actually a useful feature if you want to host an FTP, game, or even web server, and allows you to get around the problem of ISPs blocking ports. It’s important to note, however, that hosting a server violates the terms of service agreement with the vast majority of home Internet service providers. ISPs can, and often do, watch for unauthorized dedicated servers being hosted off their IPs, so make sure you know what your individual provider allows.
This is how often the synchronization packets that routers use to keep all your devices communicating properly are sent. Generally a setting of about 100 milliseconds is ideal.
RTS Threshold / Fragmentation Threshold
Tweaking your RTS Threshold can sometimes improve performance on crowded networks that are suffering from heavy packet collisions, but if you set this too high or too low, it can have a devastating impact on the router’s performance. The same can be said for Fragmentation Threshold, which helps to improve performance in the presence of RF interference. Both of these settings should generally be left at 2346 bytes.
If you enable this setting, wireless clients will be prevented from communicating with each other. This is a useful setting to enable if you’re hosting a public hotspot.
Enabling this can help control latency and jitter when sending streaming video over a wireless connection.
Extra Wireless Protection
If all of the devices on your network are 802.11n compatible, then turning this option off will significantly improve the performance of your router.
Hopefully this guide gave you a good overview of both how the router works and how to increase its performance. Each manufacturer's firmware is going to look slightly different from the screen shots above, but if you understand the principles, you should now feel comfortable taking on everything from a Linksys to a Belkin. Have a router or networking tip to share? Let us know in the comments.