HOWTO Securely Configure a Wireless Router

Choose your hardware

Pretty much any wireless router will provide you with what you need, but some have advantages. The newer routers all provide 802.11n, which is faster. However, since your broadband connection to the internet is probably the speed limiter, I see little advantage there. I prefer an older model for the ability to install third-party firmware, which provides adjustability not available from factory firmware. My preferred router is the WRT54GL from Linksys. This model costs a little more than similar models but has more flash and RAM, allowing for more flexibility in the firmware.

Setting it up

Bringing up the wireless router should be done carefully if you want to ensure it isn't invaded. The default configuration from the factory is very insecure.

If you may be using third-party firmware, download it to your computer before starting this process. My preferred firmware is Tomato. But if you have a router other than the WRT54GL you should carefully read the notes on this page to make sure your router is compatible. If it is, download the software to your computer. It's free of charge.

Now let's configure the router.

  1. Unscrew the router's antenna. This is to make it difficult for invaders to reach your router before you have secured it.
  2. Connect your computer to the router using an ethernet cable. On the router the cable connects to one of the LAN ports. Alternatively you may be able to use a USB cable. But don't try to do this wirelessly. At this point we do not need to connect the router to the broadband modem.
  3. Power up the router.
  4. If your main computer runs Linux you do not need to use the CD that came with the router. Since I am a Linux user I have never used it and can give no other advice on it. But the following instructions should work equally well on other operating systems.
  5. Point the browser on your computer to the router configuration page. If your router is a WRT54GL you choose http://192.168.1.1
  6. Login. If your router is a WRT54GL the user is "admin" and the password is "admin".
  7. Change the password.
  8. Change the option that allows the WAP to be managed from a wireless connection to disallow that.
  9. To update the firmware, uncompress and unpack the archive that you downloaded earlier. If your computer is running Linux the command is "7zr e TomatoArchiveFile.7z". Read the documentation to determine which image to use. From your browser instruct the router to update that as the new firmware. The router will reboot. Reconnect from your browser.
  10. Verify the option that allows the WAP to be managed from a wireless connection is set to disallow that.
  11. Change the SSID. With Tomato firmware this is under Basic/Network/Wireless/SSID. Pick a name that is meaningful to you. Also under "Basic/Identification" you can set "Router Name" and "Hostname" to that same name. Click "Save".
  12. Under the wireless security section, turn on WPA2. With Tomato firmware this is under Basic/Network/Wireless/Security. I chose "WPA2 Personal", and for Encryption I chose AES. Warning: WEP and WPA+TKIP are each insecure. You will need to choose a shared key. This is basically a password to allow computers to use your network. If you do not do this step your neighbors will be able to use your broadband connection without asking. That can result in a very sluggish network connection. Click "Save".
  13. Only now should you consider plugging the antenna back in.
  14. Connect the router to your broadband modem. It may be necessary to power cycle the modem to get it and the router to talk.
  15. Verify that you can browse the internet from your computer.
  16. Choose "Logout".

Your router is now moderately secure. It should be possible to connect from a wireless computer. And power cycling the router should not cause it to lose this new configuration.
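
To confirm from a Linux computer that the router really offers only WPA2 with AES after step 12, you can check what it advertises in a wireless scan. The following is an added example, not part of the original HOWTO: it parses the text printed by "iw dev wlan0 scan" (the interface name wlan0 and the sample output are assumptions, constructed for illustration) and flags networks that are open, use WEP, or still offer TKIP.

```python
import re

# Constructed sample of `iw dev wlan0 scan` output; SSIDs and BSSIDs are made up.
SAMPLE_SCAN = """\
BSS 02:00:00:00:00:01(on wlan0)
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tSSID: myhome
\tRSN:\t * Version: 1
\t\t * Group cipher: CCMP
\t\t * Pairwise ciphers: CCMP
BSS 02:00:00:00:00:02(on wlan0)
\tcapability: ESS Privacy (0x0011)
\tSSID: mixedmode
\tRSN:\t * Version: 1
\t\t * Group cipher: TKIP
\t\t * Pairwise ciphers: CCMP TKIP
BSS 02:00:00:00:00:03(on wlan0)
\tcapability: ESS Privacy (0x0011)
\tSSID: oldwep
BSS 02:00:00:00:00:04(on wlan0)
\tcapability: ESS (0x0001)
\tSSID: linksys
"""

def audit(scan_text):
    """Map each SSID in the scan output to a verdict on the encryption it offers."""
    verdicts = {}
    for block in re.split(r"(?m)^BSS ", scan_text)[1:]:
        ssid = re.search(r"(?m)^\s*SSID: (.*)$", block)
        name = (ssid.group(1) if ssid else "") or "<hidden>"
        ciphers = set()
        for found in re.findall(r"(?:Group cipher|Pairwise ciphers): (.*)", block):
            ciphers.update(found.split())
        has_wpa1 = re.search(r"(?m)^\s*WPA:", block)  # legacy WPA element
        has_rsn = re.search(r"(?m)^\s*RSN:", block)   # WPA2 element
        if not re.search(r"capability:.*\bPrivacy\b", block):
            verdicts[name] = "open"                   # no encryption at all
        elif not (has_rsn or has_wpa1):
            verdicts[name] = "WEP"                    # Privacy bit, no WPA/WPA2
        elif has_wpa1 or "TKIP" in ciphers:
            verdicts[name] = "WPA/TKIP still offered"
        else:
            verdicts[name] = "WPA2 with AES only"     # AES shows up as CCMP
    return verdicts

if __name__ == "__main__":
    print("\n".join(f"{n}: {v}" for n, v in audit(SAMPLE_SCAN).items()))
```

To check your own router, pass audit() the text captured from a scan run as root; the entry for your SSID should read "WPA2 with AES only".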

Further securing your network

I prefer to give my computers fixed addresses. That makes finding them on the network easier. It also makes it easier for me to spot interlopers. I also prefer to only allow those computers to connect. Perhaps I am paranoid. Then again, my system has not been compromised, and that of a friend of mine (who teaches a class in internet security) has. You can choose the level of security you want.

  1. To assign fixed IP addresses based on MAC address, first you must set aside some IP addresses for that purpose. On your router under "Basic/Network/DHCP Server" change the last number in the first address from 2 to 100. So now it will look something like 192.168.1.100. That gives you 98 fixed addresses to assign. And it reduces the number of dynamic addresses to 50. Click "Save". You will then need to follow the instructions in the next step.
  2. To only allow those MAC addresses to connect wirelessly: The easiest way to do this is to lower that security just long enough to connect each new computer. Instructions for Tomato firmware:
    1. Under "Basic/Wireless Filter" set "Disable filter" and "SAVE".
    2. From the new computer, connect to your router using the SSID and WPA password you chose.
    3. On the router choose "Status/Device List". The new computer should show up there. Under its MAC Address you should see [oui] [static] [wfilter]. Click [wfilter]. That will take you back to "Basic/Wireless Filter" with a new line filled out for your new computer. Click "Add" and then "Save".
    4. Return to "Status/Device List". Under the new computer's MAC Address click [static]. That will take you to "Basic/Static DHCP" with a new line filled out for your new computer. Change the IP Address to something unique. Click "Add" and then "Save".
    5. Under "Basic/Wireless Filter" set "Permit only the following clients" and "SAVE".
  3. You can also assign fixed IP Addresses to computers which connect by ethernet cable (wired). Instructions for Tomato firmware:
    1. Plug the new computer into the ethernet network.
    2. On the router choose "Status/Device List". The new computer should show up there. Under its MAC Address you should see [oui] [static]. Click [static]. That will take you to "Basic/Static DHCP" with a new line filled out for your new computer. Change the IP Address to something unique. Click "Add" and then "Save".
  4. I also turn the wireless power down on the WAP. But your stock firmware probably doesn't provide that option. It is one of the reasons I prefer the third party software. With Tomato this is "Advanced/Wireless/Transmit Power". Set the power to just high enough that your computer can connect from the places in your house where you will want to connect. I find 5mW to be sufficient. This makes my signal unreachable from outside my house. Click "Save".
  5. Choose "Logout".
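
Once every computer has a fixed address, spotting interlopers can be automated from any Linux machine on the network. The following is an added example, not part of the original HOWTO: it compares the output of "ip -4 neigh show" against an inventory that mirrors the "Basic/Static DHCP" table. The MAC addresses, IP assignments and sample output are constructed, and the names STATIC and find_interlopers are hypothetical.

```python
import ipaddress

# Hypothetical inventory mirroring Tomato's "Basic/Static DHCP" table (constructed values).
STATIC = {
    "02:00:00:00:00:01": "192.168.1.1",   # the router itself
    "02:00:00:00:00:0a": "192.168.1.10",  # desktop
    "02:00:00:00:00:0b": "192.168.1.11",  # laptop
}
DYNAMIC_START = ipaddress.ip_address("192.168.1.100")  # first dynamic address after step 1

# Constructed sample of `ip -4 neigh show` output from a Linux machine on the LAN.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 02:00:00:00:00:01 REACHABLE
192.168.1.10 dev eth0 lladdr 02:00:00:00:00:0A STALE
192.168.1.12 dev eth0 lladdr 02:00:00:00:00:0b REACHABLE
192.168.1.103 dev eth0 lladdr 02:00:00:00:00:99 REACHABLE
192.168.1.50 dev eth0  FAILED
"""

def find_interlopers(neigh_text, static=STATIC):
    """Return (ip, mac, reason) for every neighbour that does not match the inventory."""
    findings = []
    for line in neigh_text.splitlines():
        fields = line.split()
        if "lladdr" not in fields:
            continue  # FAILED/INCOMPLETE entries carry no MAC address
        ip = fields[0]
        mac = fields[fields.index("lladdr") + 1].lower()
        if mac not in static:
            in_pool = ipaddress.ip_address(ip) >= DYNAMIC_START
            pool = "dynamic pool" if in_pool else "fixed range"
            findings.append((ip, mac, f"unknown MAC in {pool}"))
        elif static[mac] != ip:
            findings.append((ip, mac, f"known MAC, expected {static[mac]}"))
    return findings

if __name__ == "__main__":
    for finding in find_interlopers(SAMPLE_NEIGH):
        print(*finding, sep="  ")
```

The neighbour table only lists hosts this machine has recently exchanged traffic with, so the router's "Status/Device List" remains the complete view. A client can also change its own MAC address, so a match shows consistency with the inventory, not proof of identity.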


Last modified 3 Jan 2010
http://brown.armoredpenguin.com/~abrown/contact.html
http://brown.armoredpenguin.com/~abrown/Linux/HOWTO-Wireless-Router.html