Build the best, most secure wifi in your neighborhood

My neighbor asked me for advice on setting up wi-fi in his new house. I realized it’s been a while since I’ve written about wi-fi, and it’s never been cheaper or easier to blanket your house and yard with a good signal.

Blanketing your house and yard while remaining secure, though, is still important.

First we’ll talk about confidentiality and integrity, then we’ll tackle availability.

Disable WPS. Disable it. Now! Most attempts to add an “easy button” to security fail spectacularly, and this one has. I have no idea why routers still ship with this feature, but they do. Don’t use it.

Enable WPA2 with AES encryption. If you buy at least wireless-N routers, they require good security by default, so that’s a good thing. If you have the option to enable anything else, don’t, unless you know it’s better and can tell me why. (Like how I left the door open for the future there?)

Use a strong password. My wifi password is a 54-character work of original fiction with lots of odd characters. Yours doesn’t have to be that obnoxious–and ask any of my family members and they’ll tell you my wifi password is obnoxious–but make it at least 12 characters long and mix up the characters a bit–use both upper and lowercase letters, numbers, and punctuation. Longer is better. Much better.

Move your network off 192.168.0.x or 192.168.1.x. Well over 90% of home networks live on one of those two address spaces, so most malware that targets home routers assumes your network will do the same. It also assumes your router is at or Move your network up to 192.168.2.x and move your router to and you’ll foil those attempts to take over your router.

Use an unassuming network name. Don’t be cute and don’t try to be scary, you’ll only draw attention to yourself. Also don’t use your house number or address. I typically just use what time it was when I set up the router. It’s 10:19 as I write, so I’d name the network 1019 if I was building one right now.

Don’t bother with MAC filtering or hiding your SSID. An attacker can sniff both right off the airwaves, then knock your device off the network and spoof your MAC (this is the Media Access Control address that all computers have–it’s not specific to Apple computers), so all you do is make your life more difficult while only slowing an attacker down by a minute or two–and convincing the hacker that you know enough to have something worth hiding. A nonsense name draws less attention to you than a hidden one. Hiding your SSID also seems to decrease your network range. At least it did when I was doing it.

There was a time when doing these two things did indeed help, but now that there’s free software to quickly defeat both measures, they hurt you more than they help.

Get two supplemental routers that have an access-point mode. Micro Center sells the Tenda W368R for $15. You can’t run DD-WRT on it, but it does have the ability to function as an access point rather than as a router. Instead of getting the fanciest, most expensive router on the shelf, get something midrange, or even low-end, and supplement it with a pair of these, or better yet, an inexpensive router that can run DD-WRT. Give the two supplemental routers the same SSID and password as your main router, put them in access-point mode, and spread the three devices across 2.4 GHz channels 1, 6, and 11 so they don’t interfere with each other. The 5 GHz band automatically chooses the best available channel, so there’s no need to tune 5 GHz.

Ideally, your main router should be dual-band. Whether you spring for 802.11ac now is up to you, but dual-band N is definitely worth paying for. The 5 GHz band is much less crowded, so even though it doesn’t have the range that 2.4 GHz has, you’ll get a better signal on 5 GHz as long as you’re in close proximity to the router. If you can afford three dual-band routers, of course, you’ll get more 5 GHz and you’ll get better speed. If nothing else, if you own a Roku box or something similar, it will do a better job of streaming Netflix on 5 GHz because it won’t be competing for signal as much.

The TP-Link TL-WDR3600 is a reasonably priced dual-band router that can run DD-WRT, and I can virtually guarantee you’ll be happier with the results you’d get from spending $150 on a trio of TL-WDR3600s than you would be with a single $150 router. Connect the three devices via wired Ethernet or powerline networking if there’s a part of your house where running CAT5 is too difficult.

Spread your three devices out strategically. Your main router will have to go somewhere that it has access to your upstream provider. If that’s near the center of your house, great. If not, you can work around it. Place the access points near where you get a poor signal. A fast, easy way to find a poor signal is to use Meraki Wifi Stumbler on an Android tablet or smartphone. Fire up Meraki Wifi Stumbler and just walk around your house, watching what your signal does. Where you see the signal fading, look at what other networks are visible and what channel they’re on. Place one of your access points on the most distant channel from the channel(s) you observe, then plug that access point in near where the signal gets weak. Repeat the process with your other access point. Be sure to place one access point on each floor of your house, if at all possible.
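To illustrate the channel-picking step above (and the 1/6/11 split recommended for the three devices), here is a small added Python example that is not from the original post: it takes scan lines like those a stumbler app shows while you walk the house, weights each neighbouring network by how strong it is and how much its channel overlaps, and picks the emptiest of channels 1, 6 and 11. The scan lines are constructed sample data and the "ssid channel rssi" input format is an assumption.

```python
# Constructed sample scan, one "ssid channel rssi_dbm" line per neighbouring
# network, in the spirit of what a stumbler app shows at a weak-signal spot.
SAMPLE_SCAN = """\
Neighbor-A 1 -48
Neighbor-B 6 -55
Neighbor-C 11 -70
Neighbor-D 9 -62
Neighbor-E 3 -80
"""

# The three 2.4 GHz channels that do not overlap each other.
NON_OVERLAPPING = (1, 6, 11)


def parse_scan(text):
    """Turn scan lines into (ssid, channel, rssi) tuples, skipping malformed lines."""
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ssid, channel, rssi = parts
        try:
            nets.append((ssid, int(channel), int(rssi)))
        except ValueError:
            continue
    return nets


def interference_score(candidate, networks):
    """Weighted interference a candidate channel would see from the scanned networks.

    2.4 GHz channels sit 5 MHz apart but are about 20 MHz wide, so a neighbour
    within 4 channels still overlaps. Overlap weight is 1.0 on the same channel
    and tapers to 0 at 5 channels away; it is scaled by signal strength, mapping
    roughly -90 dBm (barely visible) to 0 and -30 dBm (very close) to 1.
    """
    score = 0.0
    for _, ch, rssi in networks:
        distance = abs(ch - candidate)
        if distance >= 5:
            continue
        overlap = 1.0 - distance / 5.0
        strength = max(0.0, min(1.0, (rssi + 90) / 60.0))
        score += overlap * strength
    return score


def best_channel(networks, candidates=NON_OVERLAPPING):
    """Return (channel, score) for the candidate with the least interference."""
    scored = {c: interference_score(c, networks) for c in candidates}
    best = min(candidates, key=lambda c: (scored[c], c))
    return best, scored[best]
```

In the sample, channel 11 wins even though a network is visible on it, because that network and its neighbour on channel 9 are both weak, while channels 1 and 6 each have a strong network sitting right on top of them.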

Each access point needs a wired connection back to your router. You can run Ethernet, or use powerline networking if Ethernet is impractical.

Your phones, tablets, and laptops will switch to a stronger access point when they sense the signal is getting weak.

If you still have dead spots, add another access point or router in repeater mode. Configure it with the same SSID and password as you would an access point, select repeater mode in the configuration, and place it near the dead zone. Repeaters have more overhead than access points, so they run at half speed at best, but sub-optimal speeds are much better than dead zones.

