Michael Horowitz
Home => A second router for working from home
[Formatted for Printing] From the personal web site of  Michael Horowitz

A second router can make working from home much more secure

Created: September 25, 2020
Updated: Sept. 6, 28, 2021 | April 7,2021 | Feb. 20, 2021 | Oct. 31, 3, 2020

Router Security is my thing. It's a boring subject, often ignored, and when it does get attention, the focus is often wrong. Specifically, the focus is often on isolating IoT devices because their security is so bad. This is a great thing to do, but as more people work from home, the focus of network security should be on carving out a secure enclave for the income-producing devices (computers, tablets, printers, NAS devices, etc).

The official buzzword for this is network segmentation. In English, this means logically grouping the devices in your home and isolating the groups from each other. Perhaps the most common example of network segmentation is having IoT devices use a Guest Wi-Fi network while all the other devices use the main network.

Techies recommend segmenting networks because there are a huge number of attacks that can occur from one device in a home to another device.

The best way to group/segment devices in a network is with a router feature called VLANs (Virtual Local Area Network), but most routers do not support VLANs. Instead, this blog is about a simpler approach, one that is available to anyone - a second router. As I make clear on my RouterSecurity.org site, I am no fan of consumer routers. But as a secondary router, they should be good enough and are far better than doing nothing.

ISOLATING

You can make an isolated group of devices by simply plugging one router into another. Any router can be plugged into any other router. I will refer to the existing router or combination box (both a modem and a router) as the outer router and the new router as the inner one. Using an Ethernet cable, connect the WAN/Internet port of the inner router to any LAN port of the outer router. In most cases, that should be all that is required.

The one thing that can go wrong is if both routers use the same numbering scheme (a.k.a. subnet). Every computer on a network has a unique number, called an IP address, that is written at four numbers separated by periods (192.168.1.5 for example). Normally all the computers in a home will start with the same first three numbers (such as 192.168.1) and the last number will vary. If both the inner and outer routers use the same numbering scheme by default, this will have to be changed on the inner router. For example, if the outer router is using 192.168.1.something, then the inner router can use 192.168.2.something or 192.168.3.something.

Devices that connect to the inner router will be walled off from the other devices in the home by the firewall in the inner router. More specifically, devices connected to the outer router will not be able to see or communicate with devices connected to the inner router. This should be sufficient, in my opinion.

As for the other direction: routers, by default, let all traffic/data out (a typical firewall only blocks unsolicited incoming connection attempts) which means that devices connected to the inner router will be able to communicate with devices connected to the outer one. They shouldn't but they could.

One way to prevent this is with firewall rules. If the outer router offers firewall rules, then you can create a rule that blocks anything coming from the inner router from making a connection to anything in the outer router. This will not affect communication from the inner router to the Internet. For most people, however, this is not an option. Consumer routers and routers provided by an ISP do not offer firewall rules, only professional routers (such as Peplink and pfSense) do.

Another approach is to use a VPN, but this is complicated because there are so many different implementations. To begin with, a VPN connection can be established using either VPN client software running on the inner router itself or on a device connected to the inner router. And, there are different types of VPNs (such as OpenVPN, IKEv2, WireGuard) and a huge variety of VPN client software for the assorted popular operating systems. And, each VPN client has assorted configuration options.

Not many routers offer VPN client software. Asus is an exception, they have provided an OpenVPN client for for years. GL.iNet also offers routers with a VPN client. I keep a longer list of routers that can function as a VPN client on the Resources page of my RouterSecurity.org site. I have not tested this, so I can not say for sure that a VPN connection established by the inner router itself will block all access to the outer router. It is a great question to ask the company running the VPN server(s).

I have dealt with VPN client software running on a Windows computer attached to the inner router. It can go either way. My experience has been that the outer network is blocked by default. However, I asked two VPN companies about this. One company offers three different VPN clients for Windows: their own software, open source OpenVPN software and WireGuard software. With their own software it was impossible to access the outer network. With the OpenVPN and WireGuard software, they offered a tweak that would allow it. The other VPN company, whose software was inconsistent in my testing, would not answer the question. Email me for the name of each VPN company. And, feel free to email me your experience with this.(updated Sept. 28, 2021)

Running a VPN on the inner network has another advantage: it offers protection from a malicious/hacked outer router. Since the least trusted devices are connected to the outer router, there is always a chance that one of them might corrupt the router. Then too, just by being directly connected to the Internet, the outer router is always at risk of being hacked. The VPN connection, once it is established, should be tamper-proof.

What can go wrong, if the outer router is malicious, is that it might disrupt the initial VPN connection. In the VPN section of my DefensiveComputingChecklist.com site, there are a number of things that you can check to insure the VPN connection is doing what it is supposed to do.

Again, in my opinion, blocking devices connected to the outer router from seeing devices connected to the inner one is the main point.

CONFIGURING THE WORK-FROM-HOME ROUTER

Any router can be made more secure by adjusting assorted configuration options. The biggest items are perhaps WPS and UPnP, both of which should be immediately disabled. As for a Wi-Fi password, make it at least 20 characters long. The home page of my Router Security website has a short list of the most important security enhancing tweaks and much longer list for motivated techies to follow.

One thing to change is the DNS servers, you do not want them to be provided by the outer router. There are a number of trusted DNS providers such as Cloudflare (1.1.1.2 and 1.0.0.2), Quad9 (9.9.9.9 and 149.112.112.112), OpenDNS (208.67.222.222 and 208.67.220.220) and NextDNS (45.90.28.119 and 45.90.30.119). (added Sept. 28, 2021)

A router that is used solely to segment off a small number of work-from-home business devices, lends itself to some configurations that do not make sense elsewhere.

For example, MAC address filtering. This feature blocks devices from accessing the router even if they know the Wi-Fi password. Sophisticated attackers can bypass it, but not every attacker is sophisticated. When a router is used by dozens of devices, the bookkeeping involved in maintaining a list of MAC addresses, just does not pay - but it does make sense on a router used by a small number of devices.

Disabling DHCP falls into the same category. It only makes sense when the number of devices using the router is small. It too, is not a perfect defense, but again, every attacker is not a top techie.

Not broadcasting the Wi-Fi network name is, yet again, not perfect security, and something that only makes sense for a small number of devices.

If the person working at home is near their dedicated/inner router, then limit Wi-Fi to the 5GHz frequency band, because the signal does not bleed as much to the outside world. Some routers let you adjust the transmitting strength of the router. If so, make it as low as possible while still providing a strong signal in the area where it is needed.

To recap: the network name is hidden, the signal does not travel far, the password is very long, and, even if an attacker gets on the network, they need to clone a valid MAC address and bring their own IP address. Pretty secure.

Even with all that, Ethernet is more secure than Wi-Fi. Someone who uses an iPad and/or iPhone for work, might consider plugging it into the router via Ethernet. Adapters for this do exist.

April 7, 2021: A bit more protection can come from changing the WAN side MAC address of the inner router. Anything malicious on the outer network can not see the work-from-home devices due to the firewall in the inner router, but the WAN side MAC address of the inner router, advertises the company that made the router. Modifying the MAC address lets an Asus router (for example) appear to be made by Netgear (for example). If a bad guy tries to exploit a known bug in Netgear routers, it will fail. Peplink calls this feature "MAC Address Clone" and you can see a screen shot of it here.

WHICH ROUTER

Although any consumer router should be fine as the inner router, a more secure option is the $200 Pepwave Surf SOHO. However, setup and configuration of the Surf SOHO, like that of any professional grade router, is too much for non technical people to handle. Its maximum download speed of 120Mbps may also not be sufficient for some uses.

As for choosing a router, there are many criteria. For a Work-From-Home router, I suggest focusing on two features.

The first is whether the firmware (router operating system) it is still being updated by the vendor. You can research this at the tech support section of the hardware manufacturer's website. Search for the specific router model you are considering, and check when the last software/firmware update was. If it is more than a year ago (yes, this is arbitrary), don't buy that router. Note that some router models have different hardware versions.

The other aspect to focus on is whether the router is spying on you. Specifically, whether you must have an account with the hardware manufacturer to use the router. In the old days, every router was a free agent. Now, things have shifted and many (most?) routers require you to check-in with the mother ship. In Star Trek terms, they have been assimilated into the collective of their hardware manufacturer.

The potential for being spied on ("telemetry" is the polite word) by the router vendor is something only I consider. The potential privacy invasion of having a vendor account has never been cited as a gotcha in any review of any router, ever. But, to me, it is. We never know what data the router is phoning home with.

A couple years ago, Netgear silently added telemetry to their routers. If you look for it, you can turn it off. Asus routers include anti-virus software which is, itself, a privacy invasion. I am not sure how functional an Asus router is if you do not agree to let the anti-virus software do its thing. Ubiquiti would never spy on their customers, until they did. Their consumer router is the $300 Dream Machine and you should be allowed to block it from phoning home.

On the upside, my experience with the Amplifi HD line of mesh routers (also from Ubiquiti) is that they can be used without establishing an account, as long as you are willing to give up remote access to the router. Being a mesh system, the Amplifi HD is usually sold as a set of three devices, but you can buy just the cube-shaped router. It has 4 Ethernet LAN ports and, as a bonus, tells you the time of day. Another nice feature of the Amplifi HD router is that you can rollback the firmware to the previous version should a new version cause a problem (this is not true of the AmpliFi Alien models).

An excellent choice could be pcWRT. I say "could be" because I have not used a pcWRT router. However, it is very much focused on security and costs only $129. More here.

Some brands to avoid: D-Link, Netgear, Tenda and Synology.

Update Feb 20, 2021: Another company to consider is GL.iNet. I have not used their products, but they are cheap and the company has a focus on security. Their routers run OpenWRT and include an OpenVPN client, a WireGuard client, Tor and encrypted DNS from either Cloudflare or NextDNS. The Slate (GL-AR750S-Ext) was released in 2019 and sells for about $55 (as of Feb. 2021). The Beryl (GL-MT1300) is newer and sells for about $70. At these prices, we can't expect great speeds or for the routers to handle too many attached clients.

Some routers include VPN server software but this is for accessing a home network when away from home and not relevant at all to working from home.

PERFORMANCE

Update: October 3, 2020: Although the point here is about security, let me add this Wi-Fi performance tip: the Wi-Fi network(s) on the inner/secure/second router should run on different channels than the networks used by the outer router. If possible, the inner router should only use one Wi-FI frequency band, again, to avoid interfering with the outer router.

If both routers use the 2.4GHz band, then each should be configured with a different fixed channel, either 1 or 6 or 11. Many routers default to picking a channel automatically, but from what I have seen, they do a poor job. Thus, to avoid interference, it is best to manually pick a channel for each router. More here. If both routers use the 5GHz band, then the channels should be different and fixed, and, in addition, the channel width should be relatively narrow (again to avoid interference). Narrow channels on the 5GHz band are 20MHz and 40MHz wide. Wider channels are 80 and 160MHz. Many, but not all, routers let you configure the channel width.

 

 

 @defensivecomput TOP Home => A second router for working from home   
 michael--at--michaelhorowitz.com   Last Updated: September 29, 2021 3AM UTC  
  License Plate
Copyright 2001-2021
Copyright 2001-2021  
Printed at:   December 7, 2021 3:18am   ET
Viewed 20,292 times since September 25, 2020 (46/day over 437 days)