Considerations And Musings on Home Routers

I recently went looking for a new home router and as usual I over did it. Here’s a rundown on that quest and many of the things I learned along the way, and things I already knew.

Here’s a few of the routers in my arsenal right now.
Let’s check them out one by one.

Linksys WRT1900AC - DD-WRT firmware installed

Netgear R7000 - AsusWRT-Merlin firmware installed

TP-Link Archer C7 - DD-WRT firmware installed

TP-Link Archer C5 - Turned into an Archer C7 with firmware hack and updated to Factory firmware.
Linksys WRT1900ACS

  • 1.6 GHz dual-core processor
  • Wireless-AC, up to 4.3x faster than N technology*
  • Open Source ready**
  • 4 high-performance antennas
Netgear R7000 “Nighthawk”

  • AC1900 WiFi—600+1300 Mbps speeds
  • 1GHz Dual Core Processor
  • Prioritized bandwidth for streaming videos or music
  • ReadyCLOUD® USB Access allows you to enjoy personal and secure cloud access to USB storage anytime, anywhere
  • Manage home network and provide guest access remotely using NETGEAR genie®
TP-Link Archer C7

  • Supports 802.11ac standard - the next generation of Wi-Fi
  • Simultaneous 2.4GHz 450Mbps and 5GHz 1300Mbps connections for 1.75Gbps of total available bandwidth
I didn’t slap a picture up of the 4th router, the TP-Link Archer C5 because that version of it is the SAME as the Archer C7, just cheaper. Interesting. More about that later.

Okay, what did we learn here? Number one…….THEY’RE FAST, Number two……..They’re convenient and easy to use and oh so helpful.

Where’s the discussion on how secure they are?

The simple fact is their security is very poor. You’re going to buy it because it’s fast and sexy. Not because it’s slow and has great software.
But the reality is that the internet is a strange and dirty place and your IP address is out there for anyone to find during a ping sweep. You’re not special. You are just a number in a range of numbers. If a port scan reveals you’re weak, someone may dig deeper.

- The router is the front door to every connected device you own.

- Your router is likely the weakest point in the chain.

- Your router is likely the least thought about device in the home.

- You likely have no idea what all the acronyms on the configuration pages mean.

This makes it a PRIME target for old Snidely Whiplash here. Because once Snidely hacks your router all your other devices are wide open to him.

Most of us think we have nothing to hide and that may be true however someone taking over your router can at the very least be using it to direct computer attacks against other computers on the internet. No hacker worth his salt would attack you from his computer where his IP address is easily traced. He’ll formulate his attack from your computer or several computers to hide his tracks. Nice that he’s making you complicit, huh?

Why do you care who snags your password logging into MyLittlePony.com? Because if you’re like a lot of folks that is also your password to bankofamerica.com.

Also, are you bandwidth capped on your internet service? Is there a limit to how much traffic you can use every month? Old Snidely doesn’t care about that. You’re paying the bill, but he’s using your bandwidth.

So we should at least give SOME focus to router security. Okay, you’re hooked. Here’s the bad news.

Almost every single home router you can buy is filled with dozens of documented exploits. This has been published time and time again, but hey, you’re not a techie and you don’t read techie news, do you?

Also, even if the company patches the exploit, you don’t install the new firmware because you don’t know it exists. That router that you bought at Target in 2012 is still sitting there behind the TV with tons of dust on it and has never once been updated, has it? You bought it, and forgot it.
At this point no matter who you are or what your router situation STOP right now and check your router manufacturer name and model number. Find or download your router manual and figure out how to upgrade the firmware.

Here’s some more bad news. You bought a $60 router in 2012. The company no longer officially supports it. The last firmware update was a couple years ago……

In this case you have two options. Hope for an Open Source Software solution or buy a new router.
So what is Open Source Firmware? Quite simply it is another operating system you install on your router hardware. The source code is open to the community and in most cases one might assume it is more secure. As weaknesses and exploits are found they are patched and newer versions are released. Sounds great. The down side is that many of the components in your router do not have open source code such as your wifi transmitter. The manufacturer releases drivers for their wi-fi components and another set of drivers for open source software. The open source releases are often buggy or lagging behind their official releases.

The brand new Linksys WRT1900AC line routers (ACS pictured above) probably just got the first decent wifi driver in a couple years. So the last couple years of open source firmware were somewhat problematic.

Living on the bleeding edge sometimes hurts.

So it’s not all wine and roses. If you want wicked stable open source software that is fast and secure you want a popular router such as the Netgear R7000. Just because DD-WRT supports a router doesn’t mean it supports it well.

Here are some popular open source choices:

DD-WRT

OpenWRT

AsusWRT-Merlin

Shibby Tomato

Gargoyle

And of course you can stick with stock firmware. Because of the expertise required I suspect most users wouldn’t even attempt an Open Source install.

There’s no right or wrong selection here. It’s whatever works for you best. My current rig is the Netgear R7000 with a modified version of AsusWRT-Merlin

The only real way to ensure real security is to do penetration testing. Again, this is not something the casual user will know how to do. There are some tests you can do, though. One of the best is Steve Gibson’s “Shields Up” tests.

Do all the tests. A pass and fail are abundantly clear.

A passing grade here though doesn’t mean there are no known exploits for your router. But as bots are cruising up and down IP ranges looking for open doors hopefully you’ll get passed on by. Keeping a low profile may be the best thing you can do.


There are much more advanced ways to do penetration testing and even a service with a free account for home use called Nessus. More advanced free methods require some technical expertise. One of the best solutions is to install a Linux distribution called Kali. It has a suite of penetration testing tools and is totally free. But of course you have to install it and figure it all out.

Nessus provides reasonable but kind of hard to understand results. Here’s an example of a Nessus scan I did against an old router. There is a ton of information here but the things I have circled are significant potential exploits but only identified as “INFO”. Other scans on other routers I have done show color coded and graded potential problems. I don’t get why these aren’t highly flagged and more visible. Anyway the information is there for the user, you just have to sift through it and analyze it yourself.
The problem with routers is the trade off between features and security. Some of the routers above offer things like Cloud servers which is a great selling point but services sometimes equals security problems. Here’s a scan I did on another router. The “Medium” graded results are me opening ports to a server which has a self signed encryption certificate. I have a strong certificate but it is self signed (that means it was FREE). The “Low” grades are that this router previously had an ssh server enabled on a standard port with low encryption. It’s since been fixed and that’s what penetration scans are for.

Also in my scan below it found 7 open ports. Those are ports I opened so that I could access certain things. So while the ability to provide services is GREAT, it opens you up to problems. There has to be some risk mitigation you can do and it’s very important to keep those services up to date on the computers that you operate. For example in the case of the ssh server there is a brand new version of the program called “sshd” which the firmware developer just added in.
So the greater point is that router security is ONGOING. You should not just set and forget your router. It’s a prime target. So now let’s move on, let’s select a router.

This is NOT easy. I’ve been barking at you about security and testing, yet most home router manufacturers are terrible at security. They have to sell you a dumbed down product that you can easily connect to the internet or else you’ll call their expensive tech support people. So the whole experience is based on ease of installation and not overall long term security. Buying commercial, business type routers is an option but they generally cost more. But you are buying a long term solution with business end support. Still, you’re a home user in this economy and probably don’t want to spend $400 to $500 for a router.

This is why I like open source firmware. Here’s some pro’s and cons though.

PRO’s

- Open Source. Source code viewable to anyone. Pored over by code junkies.

- When a problem is found, it is usually patched quickly.

- It’s Free.

- Excellent support forums with technically proficient members, also free.

- Higher range of features than your manufacturer’s factory firmware.

Cons

- Never a notification of newer firmware.

- New firmware builds are almost always beta releases. Sometimes the builds are bad ones that cause problems. Installing a new release on day 1 has some dangers.

- Playing around with your router’s operating system can brick the device.

- Open Source SHOULD be more secure, but that is not a guarantee.

- Hardware in your router has proprietary software drivers that open source software cannot utilize. Wifi drivers are a good example. Many routers with open source software suffer from varying degrees of wifi problems. The open source drivers are just not as fast, robust, or as reliable.

Now what features do you need? There are some really sexy routers out there that even LOOK fast. Look at this one.

My opinion on the question of which router you need is best answered by “What kind of clients do you connect to your router, how do you connect them, and what do you do with them once you are connected?”

Most of us are simply not that sophisticated. You have a laptop, a smartphone and all you do is check email and look at FoxNews.com and the Weather Channel. You don’t need much, and you need a much more mature solution than the one in the pic above.

Now one more vital consideration……..How FAR AWAY is the computer from the router.

I don’t care how fast your router is, the further you walk away from it, the slower that wifi connection becomes. On my home setup I have an AC1900 router and my laptop and iPads connect at 867Mbps which is max speed for those computers. When I go into the bedroom across the house I connect at about 180Mbps. Quite a difference.

Max speed on a router wifi is an illusion. For example the box says “AC1900 Speed”.

Guess what? You cannot connect ANY computer at 1900Mbps. Impossible. What it means is your 2.4GHz channel can connect at 600Mbps and your 5GHz channel can connect at 1300Mbps. You can’t use both channels at the same time. And what’s the point of using wifi if you sit right in front of the router? You don’t. You’re in the bedroom across the house.

These claims are just marketing to make you think that your sexy red router is super fast. By the way the sexy red router is an AC3200. Don’t get me started. There is like one or two devices in the world that can connect at that speed and they’re all desktop computers.

My Advice: Buy a WILDLY popular, and mature router (that means old) that has open source firmware support.

I have two recommendations here. Both routers are very popular with the open source crowd, have great driver support, and have been battle tested for a couple of years by geeks. MOST huge problems are discovered and patched. And development is still on-going.

Here they are:

NetGear R7000 Nighthawk.

TP-Link Archer C7

Because they are both a couple years old or older they are getting upgraded in droves and they can be found cheaply on eBay. I just got an R7000 on eBay for less than $100. Both of these are still pretty future proof in my opinion. Both are AC1300 on the 5GHz channel, both support OpenWRT and DD-WRT. My fastest computer in the house only connects at 867Mbps anyway.

The Netgear Router probably has a greater following in the open source community. One of the router genius developers of DD-WRT supposedly still uses one. That’s good enough for me.

The Archer C7 has such a great following because it is a LOT of router for sub $100. It’s won about a million “bang for the buck” awards. Both of these routers are more than almost any internet user needs. There’s a way to get an Archer C7 cheaper. You can buy an Archer C5 version 1.2 (not a newer version 2.0) and convert it to an Archer C7 by flashing firmware. I made a web page on the process here.

NOTE: There are multiple instances of manufacturers selling the same hardware either repackaged or in this particular instance not repackaged and crippling the software to make it slower and sell it cheaper. Another web site I saw recently swears that the Linksys WRT1900ACS ($220) is the same hardware as the WRT1900AC ($150) That web page is here. Anyway do your homework before you buy. You literally can buy the same hardware sometimes much cheaper.

I personally run a Netgear R7000 in my home with AsusWRT-Merlin firmware which tests well in penetration testing and so far has been rock solid stable. It also has good implementation of a guest network (that is network in your home isolated from your other computers by a firewall). Ever go somewhere and check your network neighborhood and see a bunch of other computers? Not good, not good at all. If you can see them, they can see you. Do you have file sharing enabled? Whoops.

Okay so far I think your best, regular guy, budget approach to security is to buy a 2 year old router and install open sourced software. Now let’s configure it a little.
There are some things you should do before you hook to the internet. Just hook to the router for now but don’t plug into your modem. We want to do the following things before we give it a connection to the world.

- MAKE SURE YOU HAVE THE LATEST FIRMWARE FOR YOUR DEVICE, download the file and have it ready to install, then install it. (I still think you should use open source firmware though but I realize everyone won’t).

- CHANGE THE ADMIN PASSWORD, everybody worries about the wi-fi password but what good does that do you if someone hits your router on the internet side and you have the default password set? Depending on the manufacturer these are different but are usually remarkably non-complex. Like user= admin, password= admin.

- CHANGE THE WI-FI PASSWORD, don’t use the one the manufacturer gave you. Make it fairly complex. Look around the room. KeurigToaster123 is just one example.

- CHANGE THE WI-FI NETWORK NAME, don’t let it be descriptive to you. Another good idea is that if it is NETGEAR24 change it to LINKSYS24 or something subversive like that. Lots of people like to give joke names.

- CHANGE THE INTERNAL LAN IP ADDRESS, almost every router is 192.168.1.1. Take a wild guess what address range behind the front door the hackers set their bots to look for. Change it to a private range like 192.168.25.1 or 10.0.12.1

- TURN OFF WPS if you can find it in the settings. WPS is a “Push the button, enter the 6 digit code on the computer “ to connect setting. Non-Secure.

- CHANGE WEB CONNECTION FROM HTTP TO HTTPS, instead of just going to a browser and typing http://192.168.1.1 you would type https://192.168.1.1, but you hopefully changed the address like I recommended above.
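To make that checklist something you can actually verify rather than eyeball, here is an added example (mine, not from the original post or any router vendor) that audits a snapshot of a router’s settings against the items above. The config dicts, the 12-character minimum passphrase length and the list of factory defaults are my own assumptions; firmware currency still has to be checked against the vendor’s site by hand.

```python
import ipaddress

# Constructed sample set of factory defaults (assumption, not a vendor list).
DEFAULT_PASSWORDS = {"admin", "password", "1234", ""}
DEFAULT_LAN_IPS = {"192.168.0.1", "192.168.1.1", "10.0.0.1"}
MIN_WIFI_PASSPHRASE = 12  # assumed floor for "fairly complex"


def audit_router(cfg):
    """Return the checklist items this config fails (empty list = all clear)."""
    findings = []
    if cfg["admin_password"].lower() in DEFAULT_PASSWORDS:
        findings.append("admin password is a factory default")
    if len(cfg["wifi_password"]) < MIN_WIFI_PASSPHRASE:
        findings.append("wi-fi passphrase is too short")
    # The SSID should not advertise the real vendor; a decoy vendor name is fine.
    if cfg["ssid"].upper().startswith(cfg["vendor"].upper()):
        findings.append("SSID reveals the router vendor")
    lan = ipaddress.ip_address(cfg["lan_ip"])
    if not lan.is_private:
        findings.append("LAN address is not in a private range")
    elif cfg["lan_ip"] in DEFAULT_LAN_IPS:
        findings.append("LAN address is a common factory default")
    if cfg["wps_enabled"]:
        findings.append("WPS is enabled")
    if not cfg["admin_https"]:
        findings.append("admin page served over plain HTTP")
    return findings


# Constructed: a router straight out of the box.
FACTORY_DEFAULTS = {
    "vendor": "Netgear", "admin_password": "admin", "wifi_password": "password",
    "ssid": "NETGEAR24", "lan_ip": "192.168.1.1",
    "wps_enabled": True, "admin_https": False,
}

# Constructed: the same router after working through the checklist.
HARDENED = {
    "vendor": "Netgear", "admin_password": "s0me-L0ng-Admin-Passphrase",
    "wifi_password": "KeurigToaster123", "ssid": "LINKSYS24",
    "lan_ip": "192.168.25.1", "wps_enabled": False, "admin_https": True,
}

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY_DEFAULTS), ("hardened", HARDENED)):
        print(name, audit_router(cfg) or "all clear")
```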

There are several more things you can do but that’s a great start. If you do that YOU’VE DONE MORE THAN ALMOST ANYONE YOU KNOW HAS, and that makes you not the easy target. Keeping that low profile with no obvious services or ports wide open screaming “PROBE ME” will make everyone else an easier target. You know the old saying about being in the woods. You don’t have to run faster than the bear but you do have to run faster than the person you are with.