So I’ve decided to lock down my consumer ASUS AX86U router and need some advice/thoughts on what I’m planning to do. The router has already been upgraded to the latest Asuswrt-Merlin and I’m using ControlD DNS-over-TLS with the HaGeZi Pro block list.
5 GHz - All of my trusted devices are on the 5 GHz band (Apple devices, computers, Amazon Fire TV sticks (Kodi sideloaded, which accesses media files on a computer)) with WPA3
5 GHz (Guest network) - Internet-only devices such as the TV and Spectrum XUMO streaming boxes, WPA3, intranet access disabled
2.4 GHz - Four wireless security cameras with WPA3 (I use an app on the Apple TV, which is connected by Ethernet, to view the camera streams)
2.4 GHz (Guest network 1) - Internet-only old laptop and TV, WPA2, intranet disabled
2.4 GHz (Guest network 2) - Internet-only devices (Amazon Alexa Echo Dot, smart clock, lots of IoT lights), WPA3, intranet disabled
Should I move the security cameras to a 2.4 GHz [Guest network 3] with WPA3 and intranet enabled so I can access the streams on my Apple TV? With intranet disabled, accessing the streams won’t work.
Should I enable the MAC filter on the 2.4 GHz band and the guest networks for all devices so only those devices can access the internet? Better security?
Should I enable AP isolation on the 2.4 GHz band to tighten security even more?
**My entire network is for personal devices and actual humans besides me won’t be accessing my network.
I also went through the documentation and didn’t find any details on guest networks, MAC filtering or AP isolation, or any other details on how I’m setting this up. I’m basically trying to use the guest networks like VLANs, but without the specific rules that VLANs provide.
Okay. Turn on HaGeZi’s Threat Intelligence Feeds from ControlD too — that will noticeably improve security. For the Wi‑Fi, there’s not much else to do besides enabling WPA3 on devices that support it and having solid passwords.
Not sure that 5 GHz improves the security by a lot as a whole.
You could also give a RADIUS server a try for WPA3 Enterprise.
But there is plenty of stuff to bulk up security besides that, I think.
I am not familiar with this particular device, but I would definitely suggest that you isolate from the Internet all Internet-of-Shit devices including cameras, “smart” TVs and other gadgets.
I would also completely isolate WiFi from the wired network. The way I went about it is to create a separate WiFi subnet. I only allow a few select devices (by MAC) to access the rest of the network.
Yup! Some interesting advice. Kissu posted a great link on router security which is mega useful. Unless I’m told differently, it looks like using the MAC filter to only allow my devices and nothing else on the network has no additional benefit, which I thought might add some security. AP isolation is also not necessary. Kinda makes sense if I’m using only my devices with WPA3 for everything and only two devices on WPA2.
I do have PMF (Protected Management Frames) enabled for WPA3 on the 5 GHz band but not on the 2.4 GHz band, which I’ll enable today to see if anything breaks. I’ll also use my laptop to connect to each network and see what can and can’t be accessed. So pinging devices should give me an idea of what’s actually isolated.
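A way to run the isolation walk-through described in the post above, as an added example that is not from the thread and not from Asuswrt-Merlin. The addresses, ports and the per-network policy table are placeholders (assumptions) to replace with your own. The thing it adds to "pinging devices": a guest network that drops ICMP but still forwards TCP is not isolated, so the audit counts a host as reachable if either probe gets through, and it treats a refused TCP connection as reachable too, because the host answered.

```python
"""Guest-network isolation audit (added example; addresses are placeholders).

Join the laptop to one Wi-Fi network at a time and run:
    python3 isolation_audit.py 2g_guest2_iot
It probes every target with TCP and ICMP and reports deviations from POLICY.
"""
import socket
import subprocess
from typing import Dict, Set, Tuple

# Hypothetical addresses/ports for the hosts in the thread; replace with yours.
# The port barely matters: a refused connection still proves the host answered.
TARGETS: Dict[str, Tuple[str, int]] = {
    "gateway": ("192.168.50.1", 80),
    "apple_tv": ("192.168.50.20", 7000),
    "camera1": ("192.168.50.101", 554),
    "media_pc": ("192.168.50.10", 445),
}

# Assumed policy matching the post: what each network *should* reach.
POLICY: Dict[str, Set[str]] = {
    "5g_trusted": {"gateway", "apple_tv", "camera1", "media_pc"},
    "5g_guest": {"gateway"},
    "2g_cameras": {"gateway", "apple_tv"},
    "2g_guest1": {"gateway"},
    "2g_guest2_iot": {"gateway"},
}


def tcp_reachable(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if the host answered at all. An accepted *or* refused connection means
    traffic crossed the boundary; only a timeout, "no route" or "host
    unreachable" (all OSError) means the segment is actually isolated."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except ConnectionRefusedError:
        return True
    except OSError:
        return False


def icmp_reachable(host: str, timeout_s: int = 1) -> bool:
    """The ping check from the post, kept for comparison with the TCP result.
    Assumes Linux ping flags (-W is the reply timeout in seconds there)."""
    try:
        res = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), host],
                             stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                             timeout=timeout_s + 2)
        return res.returncode == 0
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return False


def probe_all(targets=TARGETS, timeout: float = 1.0) -> Dict[str, Dict[str, bool]]:
    """Run both probes against every target from the network you are joined to."""
    return {name: {"tcp": tcp_reachable(h, p, timeout), "icmp": icmp_reachable(h)}
            for name, (h, p) in targets.items()}


def audit(network: str, observed: Dict[str, Dict[str, bool]],
          policy: Dict[str, Set[str]] = POLICY) -> Dict[str, str]:
    """Compare observations with the policy for `network`. A target counts as
    reachable if either probe succeeded: ICMP blocked while TCP gets through is
    the classic false sense of isolation."""
    allowed = policy[network]
    findings: Dict[str, str] = {}
    for name, r in observed.items():
        reachable = r["tcp"] or r["icmp"]
        if reachable and name not in allowed:
            how = "tcp" if r["tcp"] else "icmp"
            findings[name] = f"reachable via {how} but should be isolated"
        elif not reachable and name in allowed:
            findings[name] = "unreachable but should be allowed"
    return findings


def loopback_demo() -> Dict[str, bool]:
    """Offline sanity check of tcp_reachable on 127.0.0.1: an open port and a
    closed (refused) port both count as reachable."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # nothing listens here any more, so connect() is refused
    try:
        return {"open": tcp_reachable("127.0.0.1", open_port, 0.5),
                "closed": tcp_reachable("127.0.0.1", closed_port, 0.5)}
    finally:
        srv.close()


if __name__ == "__main__":
    import sys
    net = sys.argv[1] if len(sys.argv) > 1 else "5g_guest"
    obs = probe_all()
    for name, r in obs.items():
        print(f"{name:10} tcp={r['tcp']!s:5} icmp={r['icmp']!s:5}")
    problems = audit(net, obs)
    print("OK: matches policy" if not problems
          else "\n".join(f"{k}: {v}" for k, v in problems.items()))
```

Run it once per network name in POLICY, and treat "reachable via tcp but should be isolated" from a guest network as the finding that matters: that is the case a ping-only check would have reported as isolated.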
No, port forwarding allows bidirectional communication to said hosts while disallowing them from communicating with anything else, by SNATing via masquerade. The cameras will still be able to talk only with the gateway. This doesn’t mix isolated networks.
I don’t understand what mechanism you’re implying. It’s always better to have a dedicated channel. By decreasing power, you’re losing some channels in 5 GHz due to higher transmit power requirements, so no 160 MHz wide channels, and probably all the DFS channels, because the router will go below 250 mW per the recommendation to go as low as possible. Non-DFS channels are also allowed to operate at higher power levels, so every other AP around the area will interfere.
The maximum distance at which a device can connect is almost always determined by the output of the client device. What threat model are you implying anyway? How does it strengthen “security” when an attacker has an exploit for an SoC?? This is so stupid lol
Yes, since MAC is spoofable and there are better ways to isolate clients.
One way to discourage neighbors from focusing on your Wi-Fi network is to weaken the signal leaving your home.
Wi-Fi uses two different frequency bands, 2.4 GHz and 5 GHz. Walls and furniture block the higher frequency more than the lower one, so try limiting the Wi-Fi in your home to the 5 GHz band. This will limit your access to your own network too, as your walls and furniture become bigger barriers, but it’s worth a shot.
Another way to keep your Wi-Fi signal from leaking outside your home is to limit the transmission power of your router. Some routers offer this as an option, some do not. If yours does, experiment with it, lowering the power up to the point that it interferes with your use of your network(s).
This website is full of bogus advice, as was discussed in another thread, btw.
Maybe, but should it be as big as HaGeZi? Doesn’t it also include blocklists for inbound connections for subscriptions for DNS filtering? Can we really say such badness enumeration has tangible security benefits when every threat actor employs dynamic infrastructure? I wouldn’t choose to sacrifice internet speed in favor of DNS content filtering. The only good point out of this document is domain squatting and phishing campaigns, but then again password managers solve this problem.