Home => A second router for working from home
Created: September 25, 2020
Updated: Sept. 6, 2021 | April 7,2021 | Feb. 20, 2021 | Oct. 31, 3, 2020
Router Security is my thing. It's a boring subject, often ignored, and when it does get attention, the focus is often wrong. Specifically, the focus is often on isolating IoT devices because their security is so bad. This is a great thing to do, but as more people work from home, the focus of network security should be on carving out a secure enclave for the income-producing devices (computers, tablets, printers, NAS devices, etc).
The official buzzword for this is network segmentation. In English, this means logically grouping the devices in your home and isolating the groups from each other. Perhaps the most common example of network segmentation is having IoT devices use a Guest Wi-Fi network while all the other devices use the main network.
Techies recommend segmenting networks because there are a huge number of attacks that can occur from one device in a home to another device.
The best way to group/segment devices in a network is with a router feature called VLANs (Virual Local Area Network), but most routers do not support VLANs. Instead, this blog is about a simpler approach, one that is available to anyone - a second router. As I make clear on my RouterSecurity.org site, I am no fan of consumer routers. But as a secondary router, they should be good enough and are far better than doing nothing.
You can make an isolated group of devices by simply plugging one router into another. Any router can be plugged into any other router. I will refer to the existing router or combination box (both a modem and a router) as the outer router and the new router as the inner one. Using an Ethernet cable, connect the WAN/Internet port of the inner router to any LAN port of the outer router. In most cases, that should be all that is required.
Devices that connect to the inner router will be walled off from the other devices in the home by the firewall in the inner router. More specifically, devices connected to the outer router will not be able to see or communicate with devices connected to the inner router. This should be sufficient, in my opinion. Still, as a rule, routers let all traffic out which means that devices connected to the inner router will be able to communicate with devices connected to the outer one.
There are two ways to prevent this:
1) If the outer router offers firewall rules, then you can create a rule that blocks anything coming from the inner router from making a connection to anything in the outer router. This will not affect communication from the inner router to the Internet. Consumer routers and routers provided by an ISP do not offer firewall rules, only professional routers (such as those from Peplink) do.
2) Run a VPN client on the inner router and make a connection to a VPN server. The problem here is that not many routers offer VPN client software. Asus has done this for years. Also, if a device connected to the inner router has a VPN connection, then it will be prevented from communicating with any device connected to the outer router. This does not require the inner router to be running a VPN.
But what of a VPN? What if a device on the inner network is using VPN client software to create a connection to a VPN server somewhere on the Internet? There is no one answer. There are many ways to configure a VPN, many different VPN clients and different VPN protocols. Even if the VPN, by default, blocks access to the outer network, with both OpenVPN and WireGuard a configuration change can allow access to the outer network. In September 2021, I queried tech support for two different VPN companies about this, for a Windows computer. One company offers three different VPN clients on Windows and all three block the outer network by default. However, two of them can be configured to allow access to the outer network. The other company, whose software was inconsistent in my testing, would not answer the question. Email me for the name of each VPN company. (added Sept. 6, 2021)
Again, in my opinion, blocking devices connected to the outer router from seeing devices connected to the inner one is the main point.
The one thing that can go wrong is if both routers use the same numbering scheme (a.k.a. subnet). Every computer on a network has a unique number, called an IP address, that is written at four numbers separated by periods (192.168.1.5 for example). Normally all the computers in a home will start with the same first three numbers (such as 192.168.1) and the last number will vary. If both the inner and outer routers use the same numbering scheme by default, this will have to be changed on the inner router. For example, if the outer router is using 192.168.1.something, then the inner router can use 192.168.2.something or 192.168.3.something.
CONFIGURING THE WORK-FROM-HOME ROUTER
Any router can be made more secure by adjusting assorted configuration options. The biggest items are perhaps WPS and UPnP, both of which should be immediately disabled. As for a Wi-Fi password, make it at least 20 characters long. The home page of my Router Security website has a short list of the most important security enhancing tweaks and much longer list for motivated techies to follow.
But, a router that is used solely to segment off a small number of work-from-home business devices, lends itself to some configurations that do not make sense elsewhere.
For example, MAC address filtering. This feature blocks devices from accessing the router even if they know the Wi-Fi password. Sophisticated attackers can bypass it, but not every attacker is sophisticated. When a router is used by dozens of devices, the bookkeeping involved in maintaining a list of MAC addresses, just does not pay - but it does make sense on a router used by a small number of devices.
Disabling DHCP falls into the same category. It only makes sense when the number of devices using the router is small. It too, is not a perfect defense, but again, every attacker is not a top techie.
Not broadcasting the Wi-Fi network name is, yet again, not perfect security, and something that only makes sense for a small number of devices.
If the person working at home is near their dedicated/inner router, then limit Wi-Fi to the 5GHz frequency band, because the signal does not bleed as much to the outside world. Some routers let you adjust the transmitting strength of the router. If so, make it as low as possible while still providing a strong signal in the area where it is needed.
To recap: the network name is hidden, the signal does not travel far, the password is very long, and, even if an attacker gets on the network, they need to clone a valid MAC address and bring their own IP address. Pretty secure.
Even with all that, Ethernet is more secure than Wi-Fi. Someone who uses an iPad and/or iPhone for work, might consider plugging it into the router via Ethernet. Adapters for this do exist.
April 7, 2021: A bit more protection can come from changing the WAN side MAC address of the router. Anything malicious on the outer network can not see the work-from-home devices due to the firewall in the inner router, but the WAN side MAC address of the inner router, advertises the company that made the router. Modifying the MAC address lets an Asus router (for example) appear to be made by Netgear (for example). If a bad guy tries to exploit a known bug in Netgear routers, it will fail. Peplink calls this feature "MAC Address Clone" and you can see a screen shot of it here.
Although any consumer router should be fine as the inner router, a more secure option is the $200 Pepwave Surf SOHO. However, setup and configuration of the Surf SOHO, like that of any professional grade router, is too much for non technical people to handle. Its maximum download speed of 120Mbps may also not be sufficient for some uses.
As for choosing a router, there are many criteria. For a Work-From-Home router, I suggest focusing on two features.
The first is whether the firmware (router operating system) it is still being updated by the vendor. You can research this at the tech support section of the hardware manufacturer's website. Search for the specific router model you are considering, and check when the last software/firmware update was. If it is more than a year ago (yes, this is arbitrary), don't buy that router. Note that some router models have different hardware versions.
The other aspect to focus on is whether the router is spying on you. Specifically, whether you must have an account with the hardware manufacturer to use the router. In the old days, every router was a free agent. Now, things have shifted and many (most?) routers require you to check-in with the mother ship. In Star Trek terms, they have been assimilated into the collective of their hardware manufacturer.
The potential for being spied on ("telemetry" is the polite word) by the router vendor is something only I consider. The potential privacy invasion of having a vendor account has never been cited as a gotcha in any review of any router, ever. But, to me, it is. We never know what data the router is phoning home with.
Netgear used to allow free agent routers, but at some point a couple years ago, they silently added telemetry to their routers. If you look for it, you can turn it off. Asus routers include anti-virus software which is, itself, a privacy invasion. I am not sure how functional an Asus router is if you do not agree to let the anti-virus software do its thing. Ubiquiti would never spy on their customers, until they did. Their consumer router is the $300 Dream Machine and you should be allowed to block it from phoning home.
On the upside, my experience with the Amplifi HD line of mesh routers (also from Ubiquiti) is that they can be used without establishing an account, as long as you are willing to give up remote access to the router. Being a mesh system, the Amplifi HD is usually sold as a set of three devices, but you can buy just the cube-shaped router. It has 4 Ethernet LAN ports and, as a bonus, tells you the time of day. Another nice feature of the Amplifi HD router is that you can rollback the firmware to the previous version should a new version cause a problem (this is not true of the AmpliFi Alien models).
Some brands to avoid: D-Link, Netgear, Tenda and Synology.
Many employees working from home are required to use a VPN installed on the company-provided computer. If not, the employee may want to look for a Work-From-Home router that can run VPN client software and connect to a commercial VPN provider (ProtonVPN, ExpressVPN, Mullvad, iVPN, etc). The VPN will hide all traffic from other devices in the home and from the ISP.
Update Feb 20, 2021: Another company to consider is GL.iNet. I have not used their products, but they are cheap and the company has a focus on security. Their routers run OpenWRT and include an OpenVPN client, a WireGuard client, Tor and encrypted DNS from either Cloudflare or NextDNS. The Slate (GL-AR750S-Ext) was released in 2019 and sells for about $55 (as of Feb. 2021). The Beryl (GL-MT1300) is newer and sells for about $70. At these prices, we can't expect great speeds or for the routers to handle too many attached clients.
Some routers include VPN server software but this is for accessing a home network when away from home and not relevant at all to working from home.
- - - - - - -
Update: October 3, 2020: Although the point here is about security, let me add this Wi-Fi performance tip: the Wi-Fi network(s) on the inner/secure/second router should run on different channels than the networks used by the outer router. If possible, the inner router should only use one Wi-FI frequency band, again, to avoid interfering with the outer router.
If both routers use the 2.4GHz band, then each should be configured with a different fixed channel, either 1 or 6 or 11. Many routers default to picking a channel automatically, but from what I have seen, they do a poor job. Thus, to avoid interference, it is best to manually pick a channel for each router. More here. If both routers use the 5GHz band, then the channels should be different and fixed, and, in addition, the channel width should be relatively narrow (again to avoid interference). Narrow channels on the 5GHz band are 20MHz and 40MHz wide. Wider channels are 80 and 160MHz. Many, but not all, routers let you configure the channel width.
|@defensivecomput||TOP||Home => A second router for working from home|
|michael--at--michaelhorowitz.com||Last Updated: September 8, 2021 4PM UTC|