Internet Wi-Fi Security

Exactly. That’s why my “home network” (NASes, etc.) are wired-only.

I got a separate router, but with wifi turned off. And the NASes are kept turned off unless/until I need to access anything on them.

When I want to connect, I just connect my laptop via cat5 to the router. I can stick in a flash-thingy to the back of the router as aux storage, to copy stuff to/from.

Before the router, I had a regular hardware switch to connect to my NAS farm, went kinda crazy with address masks, allowed MACs, etc., but that got to be a chore to maintain.

I dislike network management in the extreme (why I call ’em “notworks”), so figured f it, just throw it on a router and maintain physical security, ie, powered off when not in use. Can’t break into a NAS that’s got no power…

How come the people I said that are entering my internet IP address are showing up?

By the response, it seems like someone has too much time on their hands.

Over analyzing is a form of OCD, and/or anxiety disorder.

First, I should clarify with an apology that I'm not suggesting that you're a delusional or paranoid person, but are instead 'acting' delusionally and paranoid.

As to your question, since I'm not an expert with regard to WiFi technology, I'll defer that to our members with the appropriate expertise.

Hopefully together, we can help you determine why you believe you're being targeted and being taken advantage of. If the experts determine that your fears are both well founded and legitimate, then hopefully they can help you regain your internet security and keep control of it for the long term. Perhaps you could even collect enough legal evidence for law enforcement to take you seriously. In other words, I want to help.

So to that end, please tell us precisely what you mean by "entering my IP address"?

How is anyone "showing up"?

What are you looking at that suggests anybody has gained access to your WiFi's LAN, or showing up in router logs, or...?

Why would anyone target you, and do so through these means?

When I mentioned neighborhood is going nuts. There’s a reason. Some can’t help it, Alzheimer’s disease, or other issues. I shouldn’t have to mention what people are going through in their personal life.

If you’re not an expert in WiFi technology but advise members with appropriate expertise, maybe you should stop pretending to be someone you’re not.

My lawyer will look into the matter.

Huh, that’s news to me. I know that WEP was comically easy to crack, but not WPA2+AES right?

I’d count three: WAP (hopefully nobody is using it), WPA (usually enabled by default still for old devices), and WPA2. Then there are two encryption standards: TKIP (not secure) and AES (secure). This is what my MikroTik router uses by default:

Which looks correct according to this helpful article.

So for Don, I’d say to just make sure your router is set to use WPA2-PSK + AES encryption (not AES+TKIP) and call it a day. Unless you have any really old devices that can’t log in with those protocols, but then again it would be a known risk and you might want to think about getting rid of those devices if they can’t be updated.

Yep, you’re both correct. The “weakest link” / “lowest common denominator” metaphors would apply here. It’s a good idea to set your router to use the highest WPAx mode it offers (WPA3 or WPA2) plus AES encryption (and not TKIP encryption) and see if all your devices can connect, I suspect they probably will. Then only enable inferior modes and protocols if needed for old devices that can’t be replaced/upgraded.

The main concern for me, which I think is often overlooked, is the security of the entire OS / firmware running on the router. Almost all router manufacturers have a bad habit of developing a piece of hardware, slapping some firmware on it, and then “throwing it over the fence” for consumers. But once the device reaches the homes and businesses of millions of consumers the manufacturer pockets the profits and moves on to the next device for keeping the profit flowing, and more often than not they neglect to release firmware updates for the entire timeframe that their devices can reasonably be expected to last in service. It’s not unheard of for router manufacturers to even ship devices from the factory with gaping security holes and forgotten backdoors used during development. And even if the initial release is as secure as possible it still has to receive updates, because all operating systems will eventually have discovered vulnerabilities. The developers of the core operating system and its component utilities are usually responsible and proactive at patching vulnerabilities, but it requires time and effort (“money”) on the manufacturers’ end to integrate those patched versions into their specific patchwork implementations of the components they use in their firmware. So there is a very real threat with the majority of neglected consumer networking hardware that the hardware will far outlast the viability of the software. And with those vulnerabilities we’re not talking about some neighborhood punks in the bushes with a WiFi cracker, but rather experienced attackers across the internet and/or devices on the local network that are secretly participating in all sorts of nefarious activities.

I contacted the manufacturer of one of my devices a few years ago when a widely publicized security vulnerability was revealed, asking if they would update the firmware for an EOL device. They actually sent me a newer device for free rather than change the firmware.

Going forward, this is one reason I have determined to stick to devices that already have third party firmware support, such as dd-wrt et al.

Wow, that’s impressive. That clearly shows why they don’t continue to offer firmware support, because software development is way more expensive than hardware.

Yep, exactly. The only downside for me is that they tend to change the internal hardware specs without changing the model number, so it can be difficult to order the device and be sure you’ll get a version that supports the third-party firmware. And if an unexpected hardware revision arrives you might not be able to return it because the device isn’t defective. Plus it just irks me to give my money to an irresponsible company that only cares about profit. I personally switched to using only MikroTik routers because they support even their most ancient and cheap hardware with the latest firmware version that they offer.

I’ve never heard of MikroTik before but I’ll give them a look before purchasing my next router. Thanks!

They’re huge, but not exactly end-user oriented. They’re commonly used in large business deployments and also for commercial long-range wireless internet coverage. But they do offer extremely affordable hardware options that are suitable for a SOHO setting. Their firmware is called RouterOS, and it’s insanely powerful. It’s not particularly user-friendly, but they have a quick setup section that should accomplish what most casual users need.

Thanks for checking in on this sb. I have nothing that cannot use WPA2/AES. When we moved I bought a new WPA3 capable router as I wanted/needed(?) a new router anyhow. Some of our devices already had WPA3 but the old router did not.

I thought I knew enough about keeping our devices and systems as secure as possible but that field is just a hobby and I do not continuously follow what is new and developing. We actually have 2 networks now. The new wifi 6 capable router with WPA3/AES security connects with a few devices (phones and PC’s) and is set to only be accessible thru WPA3/AES. The old router connects other older devices and those are all WPA2/AES. And the networks are separate. Eventually the old devices may all go away but no rush on my part.

I learned some time ago that while it may be perfectly alright for me to continue using a 45-year-old band saw safely, devices like computers, etc. become partially obsolete much quicker. So even though the old devices were actually still basically operable they developed security risks and should be replaced even though still functional. That took some getting used to for a person who likes to get the most use out of a product if it can still do the task at hand.

So it sounds like you have a proper configuration Don. :+1: From what I’ve read WPA3+AES is just an incremental improvement over WPA2+AES, so neither would be considered to be blatantly insecure. WPA1 and especially any mode using TKIP would be the major concern, and since that’s still the default on some junky and outdated routers it probably explains why there are so many cases of WiFi networks getting compromised.

Actually thanks for bringing up this topic, because it made me realize that my router still had WPA1 enabled, although fortunately not with TKIP. I just set it to use only WPA2+AES and we’ll see if any devices stop connecting.
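The WPA1/TKIP check discussed in the posts above, as an added example that is not from the thread or from MikroTik: a small Python audit over lines in the style of a RouterOS `/interface wireless security-profiles export` (the three sample `add` lines are constructed, and the property names `mode`, `authentication-types`, `unicast-ciphers`, `group-ciphers` are those of the classic RouterOS wireless package, not the newer wifi package). It flags WEP/open modes, WPA1 authentication types and TKIP ciphers, which is exactly the "set it to WPA2+AES only" advice in the thread.

```python
import re

# Constructed sample export lines (not copied from any real router config).
SAMPLE_EXPORT = """\
add name=default mode=dynamic-keys authentication-types=wpa-psk,wpa2-psk unicast-ciphers=tkip,aes-ccm group-ciphers=tkip,aes-ccm
add name=guest mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm
add name=legacy mode=static-keys-required
"""

WEAK_AUTH = {"wpa-psk", "wpa-eap"}        # WPA1 authentication types
STRONG_AUTH = {"wpa2-psk", "wpa2-eap"}    # WPA2 authentication types
WEAK_CIPHER = {"tkip"}                    # aes-ccm is the one to keep

def parse_profile(line):
    """Turn 'add key=value key=value ...' into a dict of properties."""
    return dict(re.findall(r"(\S+?)=(\S+)", line))

def audit_profile(profile):
    """Return a list of findings (empty list means WPA2/AES only)."""
    findings = []
    mode = profile.get("mode", "none")
    if mode != "dynamic-keys":
        # 'none' is an open network, static-keys-* is WEP; neither is acceptable
        findings.append(f"mode={mode}: open or WEP, switch to dynamic-keys (WPA2)")
        return findings
    auth = set(profile.get("authentication-types", "").split(","))
    if auth & WEAK_AUTH:
        findings.append(f"WPA1 enabled ({','.join(sorted(auth & WEAK_AUTH))}): disable")
    if not auth & STRONG_AUTH:
        findings.append("no WPA2 authentication type configured")
    for key in ("unicast-ciphers", "group-ciphers"):
        if set(profile.get(key, "").split(",")) & WEAK_CIPHER:
            findings.append(f"{key} allows TKIP: use aes-ccm only")
    return findings

def audit_export(text):
    """Map profile name -> findings for every 'add' line in an export."""
    report = {}
    for line in text.splitlines():
        if line.startswith("add "):
            profile = parse_profile(line)
            report[profile.get("name", "?")] = audit_profile(profile)
    return report

if __name__ == "__main__":
    for name, findings in audit_export(SAMPLE_EXPORT).items():
        print(name, findings or "OK")
```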

Isn’t that the truth… it also goes against my grain to imagine a perfectly functional device that is rendered unsafe because of software. And it’s worse yet to know that the underlying components of the firmware are openly maintained and updated and are freely available, but planned obsolescence and profiteering prevent the manufacturers from integrating those updates for their customers.

That’s why I’ve soured on mobile devices. I’m the sort of guy that finds a device that I like and I just keep using it until it breaks. But it’s practically dangerous and irresponsible to connect an outdated device to the internet, especially if it contains sensitive data and/or access to banking services. Smartphone and tablet manufacturers are particularly guilty of not updating the devices long before they physically stop working. So I simply use my “real” computers for almost everything, I run a third-party firmware on my tablet, and my phone is almost never online, I just use it for calls. I might as well use a Nokia 1000 for that…

Looks like the MikroTik hAP ax³ might be my next router. The price point is similar to TP-Link Archer AX50 but looks superior in almost every way. The AX50 has a dual core processor rather than a quad core, it doesn’t support WPA3, and it’ll definitely have worse software support. I’m comfortable with software tinkering so that’s not a barrier for me. I just need to look into whether or not I will miss the extra external antennae that the AX50 has.

Ah yes, the hAP is a great option, I use a hAP ac lite myself.

There are a couple of lesser known aspects to take into account regarding WiFi coverage. I think most router manufacturers try to create a false image of WiFi “strength” by tacking on multiple massive antennas, but from a radio science point of view they don’t really do anything to improve actual WiFi performance. The important thing is selectivity and sensitivity of the WiFi transceiver itself, which is what lets it pick up a weak signal out of the noise. And the other thing is that when it comes to 2.4GHz (“G”) WiFi, additional range is actually a detriment to the network performance, because the router both hears far away neighbors’ signals and also transmits to them. Even though all those WiFi networks aren’t connected they still compete for the same radio bandwidth space. This creates a situation where all the 2.4GHz routers in several city blocks are all stepping on top of each other and playing musical chairs to try to get a time slot to transmit, and what often happens is that the routers simply give up and all the devices disconnect briefly and performance is terrible. So in that case it’s preferable to have less antenna gain and a smaller radius of coverage and not hear distant routers.

That’s an interesting point about signal strength. I live in an apartment building with at least 11 other networks in my space. I definitely don’t need to pick up more neighbors’ networks.

I had been operating on the assumption that antennae number might affect the maximum number of simultaneous connections allowed. The AX50 boasts it can maintain connections with up to 256 devices. I can’t seem to find where this is rated for the hAP ax³. I don’t need to connect 256 devices, but I want to make sure I don’t run out. So many things use wi-fi now and I don’t want to have to think about an upper limit, even if it is just when I have someone over.

I think the 256 device thing is simply the maximum that can connect with the electronics used. Not sure, but that 256 number or multiples of that occurs frequently with computers and memory chips.

8, 16, 32, 64, 128, 256, 512……

Do you use a guest network for visitors?

I don't use the GN included with our ISP-provided router. Our only guests anymore are when our kids occasionally come home and a few others who we can trust. Otherwise, I prefer to pick & choose when any other device attempts to access our router's LAN.

One way I have bolstered our network's security was by adding an app called FING, which includes a supplementary Ethernet-connected security device they call FINGBOX. I've had it in place and protecting the network for over 6 years. Both the app and the FingBox's firmware receive regular updates. The most beneficial feature of the app & device is that it allows you to "auto-block" any new device from accessing the network, and then it forwards a notification of an attempted breach if so desired. It's been providing a sense of security that we didn't really have before.

Curiously, what is everyone else using in the way of supplemental measures to increase the security of their residential WiFi router & networks?

Exactly. It’s just a mathematical function of how many devices can receive an IP address, and that router firmware is apparently using what is called a /24 subnet.

All that means is that the router assigns IP addresses in a range like 192.168.1.0 - 192.168.1.254.

With a more advanced OS like RouterOS you could even use a /22 subnet to have enough IP addresses for 1024 devices.
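The arithmetic behind the /24 and /22 remarks above, as an added example that is not from the thread: plain bit operations in Python (no `ipaddress` module, so the mask is visible) that turn a prefix length into the network, broadcast and host range. It generalizes to any prefix, including /31 and /32 which have no network/broadcast pair to subtract; a /24 holds 256 addresses with 254 assignable to hosts (the router itself takes one of those), a /22 holds 1024 with 1022 for hosts. The addresses used are constructed sample inputs.

```python
def to_int(dotted):
    """'192.168.1.0' -> 32-bit integer, rejecting malformed input."""
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]

def to_dotted(value):
    """32-bit integer -> dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def subnet_info(cidr):
    """Network, broadcast, first/last host and address counts for 'a.b.c.d/n'."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # top n bits set
    network = to_int(addr) & mask                       # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)          # host bits set
    total = 2 ** (32 - prefix)
    # /31 and /32 (point-to-point / single host) have no network/broadcast pair
    has_pair = prefix <= 30
    return {
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "first_host": to_dotted(network + 1 if has_pair else network),
        "last_host": to_dotted(broadcast - 1 if has_pair else broadcast),
        "total": total,
        "usable": total - 2 if has_pair else total,
    }

if __name__ == "__main__":
    # Constructed sample prefixes matching the /24 and /22 discussed above.
    for cidr in ("192.168.1.0/24", "192.168.0.0/22"):
        info = subnet_info(cidr)
        print(f"{cidr}: hosts {info['first_host']}-{info['last_host']} "
              f"({info['usable']} usable of {info['total']})")
```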