The Misery of a Linksys router
From the personal web site of Michael Horowitz
January 2, 2021
When I recently had to configure a Linksys EA8300 router for someone, it just re-affirmed my already-held belief that consumer routers, as a rule, stink.
The EA8300 is a tri-band router, which starts us off with a big lie. Wi-Fi, at present, only runs on two radio frequency bands. There are no tri-band routers. What the term means is that it has three radios, one on the 2.4GHz band and two on the 5GHz band. I suspect that one of the 5GHz radios does the lower channels, the other the higher channels. This level of detail, however, is none of our business.
The EA8300 originally sold for $200 when it was released in late 2017; it now sells for roughly $130. On Amazon, it has 2,660 ratings which average out to 4.5 stars (out of 5). That said, the top 3 reviews in the United States all gave it one star.
It wasn't all bad.
I liked the display on the top of the router because the status indicators are easier to understand and see than simple LEDs. When all is well, it displays "Linksys" in white. When there was no Ethernet cable plugged into the WAN port, it displayed an orange picture of an Ethernet cable. An orange globe means there is no Internet connection. The router also has LED lights on all the Ethernet ports, which, to me, is a great feature as it indicates both the health and the speed of the Ethernet connection. There are five Ethernet ports on the back and the one for the Internet is clearly labeled as such.
When you first power it up, it creates three Wi-Fi networks (recall the three radios). Each network is called LinksysXXXXX, where the Xs are numbers. The networks use WPA2 and the default password (printed on a label affixed to the getting started booklet) was 10 characters long and seemed to be fairly random.
The networks/SSIDs were on channels 5, 40 and 132 at first. In a different location, they were on channels 5, 40 and 100. Here are my first gripes.
For one thing, no router should use channel 5 on the 2.4GHz frequency band. The only channels that do not overlap are 1, 6 and 11 and routers should stick to those channels. While channel 5 may not have been used, it is nonetheless a worse choice compared with channel 6. Multiple devices using the same channel can co-ordinate with each other. However, devices on nearby channels are just seen as noise and interference to each other. Peplink routers let you limit them to channels 1, 6 and 11 while still letting the router pick the channel.
Another gripe was that the two SSIDs on the 5GHz frequency band both were using 80MHz wide channels. This provides faster speeds if, and only if, you have no neighbors at all. Those of us that live in crowded Wi-Fi neighborhoods are better off with narrower channels and the less interference they provide. While anyone can gripe with whatever default a router makes regarding channel width, what is inexcusable is that the EA8300 does not let you change the channel width.
This is not a good router for anyone living in an apartment building.
The manual says you can start off configuring the router by entering Linksyssmartwifi.com into a web browser. This did not work for me. I suspect this requires an Internet connection and I prefer to make the initial configuration changes while a router is off-line. The fallback, using IP address 192.168.1.1 did work. However, the first thing I saw was an error "You must have an Internet connection to log into your Linksys smart wifi account".
This brings up a big security issue - do you want a Linksys Smart WiFi account? I don't. I don't want to risk the router sending data back to Linksys. I also don't want to risk employees of Linksys being able to get into a router of mine. Again, I have no proof of this, but these are always issues with any router that requires an account with the hardware manufacturer. Did I mention that pretty much every router is made in China?
Speaking of privacy, in the Troubleshooting section, there is a checkbox that is on by default: "I want to contribute to future improvements by reporting router errors and diagnostics to Linksys". I suggest TURNING THAT OFF.
Despite the error, I was able to get into the router using the default password of "admin" which is often the default password for a router.
The first thing I did was to try and find out which version of the firmware it was running. This was like finding the Popes in the Pizza. It is hidden under the "Sign Out" link. Duh. It was running version 220.127.116.11925.
The main web page of the router has a link to "Learn more about apps for Linksys Smart Wi-Fi routers". Sounds good, so I clicked on it and was sent to linksys.com/us/smartwifi which ... does not exist. That's Linksys in a nutshell.
Then, I tried to change the name of the Wi-Fi networks and screwed that up. On the top of the main web page is the name of the Wi-Fi network and a link to edit the name. But, the name did not change. In fact, nothing changed. It turns out this is the name of the router, not the Wi-Fi network (initially they are the same). And, the router name does not change until you refresh the main web page. Ugh.
I tried to change the router password and looked everywhere, but could not find a way to do so. Perhaps you can't do this while off-line?
Turning off WPS was easy. IPv6 however, can not be turned off (I have no use for IPv6). The router supports WPA2 Enterprise which does not make much sense in a consumer device. A nice feature is the ability to schedule Wi-Fi. No one can hack a network that does not exist, so you can schedule the Wi-Fi to turn off when you are normally sleeping. That said, the scheduling applies to all Wi-Fi networks. Peplink routers can schedule each network/SSID individually.
You can back up the router configuration to a file for safe keeping.
Eventually, I connected the EA8300 to the Internet and all heck broke loose. I could no longer see the router at 192.168.1.1. Out of the blue, the computer I was using said its IP address was 10.147.1.124 and the default gateway is 10.147.1.1. What the heck? I tried linksyssmartwifi.com and now it worked and I could again get at the router.
Linksys brags that their Smart WiFi system lets you access your home network from anywhere at any time. To me, this is a bad thing, I see it as a security accident waiting to happen. Another thing I don't like is that you must have an account with Linksys to use the Smart WiFi features. No thanks. I was, instead, able to get at the router using IP address 10.147.1.1 and the default "admin" password.
On its own, the router notified me that new firmware (version 18.104.22.168539) was available. More than just notify, the EA8300 can automatically install new firmware. Self-updating is not for everyone, but it's a great feature on routers owned by non-technical people.
Now that the router is on-line there is a new Connectivity section in the user interface and ... I can now change the router password. I do. I also disable IPv6 and start the firmware update. At first it says that it is downloading the update, then it says that it is checking for updates. Which is it? Beats me. The EA8300 is connected to my router which shows that it is not downloading anything. Yuch.
I log out of the router and then log back in. It's still running the old software, so I start the download again and this time it shows a normal progress bar. Soon the router says it's re-booting. While starting up the white Linksys logo on the top blinks. It also displays an orange globe and an orange Ethernet cable.
If new firmware is problematic, you can restore the previous version of the router firmware, which is a great feature. It does not tell you what the previous version of the firmware is (Peplink routers do this), but still, this is a great option to have.
After the router re-boots into the new firmware, I point my web browser at 10.147.1.1 and get right in. No password needed. What miserable security.
Speaking of security, access to the router is always available by HTTP, this can not be disabled. HTTPS is available too, as an option that is enabled by default. You can not change the ports used to access the router. It only uses the standard ports for HTTP (80) and HTTPS (443). Access to the router admin interface can be restricted to devices connected by Ethernet. I enabled this restriction.
UPnP is enabled by default, as it is on all consumer routers that I have seen. It's easy to disable. But, under UPnP there is a checkbox to "Allow users to configure" that is on by default. Beats me what this is. Next to that is a checkbox to "Allow users to disable Internet access". Not knowing what this meant, I read the Help, which said "Allow users to change router settings or disable your local Internet connection while using UPnP". I still don't know what this means. I turned it off.
Speaking of my confusion, there is also a checkbox for "Express forwarding". Again, I have no clue what this is. It was enabled by default.
The router, at first glance, seems to support VLANs, but the feature only applies to the Ethernet WAN port and LAN ports 3 and 4. I suspect that some ISPs require a VLAN to connect with their service.
A speed test ran at the full speed on the Internet connection I tested with, 100Mbps.
Changing the LAN subnet from 10.147.1.x to something else was straightforward. Likewise, it was simple to change the IP address of the router itself so that it was not the dot one IP address on the subnet. I also changed the DNS servers to be those of a trusted DNS provider, rather than the ISP. Among the companies I consider trustworthy are Quad9, OpenDNS and Cloudflare. See the DNS page at my RouterSecurity.org website for more.
There were multiple issues with Guest Wi-Fi. To begin with, you have to assign different SSIDs on each Wi-Fi frequency band but there can only be one password. How strange. Also, the Linksys EA8300 offers no control over the Guest network subnet.
The bigger issue, however, is that Guest Wi-Fi is always a captive portal. If you are not familiar with the term, it is the type of Wi-Fi frequently seen on public networks. You can not simply login with the password. Instead, you first connect to the network and nothing happens. Then you have to go to a web page, any page, and you don't see it. Instead you see a customized web page created by the provider of the network warning you of whatever they care to say. Only after seeing this splash page, can you then get on-line. In a hotel, for example, you may have to type in your room number before you can proceed. This was the first consumer router I have seen that works this way. Captive Portals are usually reserved for businesses.
Creating the Guest Wi-Fi is simple, but the first time I tried to logon to a Guest network, it failed. I never even got to a password prompt. Instead, I got an error that the DNS address of www.gstatic.com could not be found. The web page title was Captive Portal Authorization. What does gstatic.com have to do with my Guest network in my living room? Beats me. My one guess is that this is due to assorted firewall rules in my main router which the EA8300 was plugged into. Annoyingly, the computer said I was connected to the Guest network, even though I could not get at the Internet.
I clicked, again, on the Guest network SSID and I was in with an IP address of 192.168.3.114. No password needed. But, no Internet. At every website the browser complains that the IP address could not be found. For good luck, I disconnected from the Guest Wi-Fi and re-connected. Same thing; still no Internet.
I see that the router on the Guest network is 192.168.3.1. As a Guest user I could not get to that either, which is very likely a good thing.
In a Wi-Fi scanning app, the Guest networks appeared as having no security at all; they were not flagged as using WPA2. My guess is that they probably do use WPA2 once you get past the initial splash screen, but still, this strikes me as putting up a "Hack Me" sign on the front door.
Being locked into a Captive Portal for the Guest networks strikes me as sufficient reason to avoid this router. Never mind, that it didn't work for me at all.
As previously noted, the EA8300 was not directly connected to my ISP, instead it was connected to my main router. This let me run nmap against its WAN interface. All TCP ports were closed. This is good, and in my experience, fairly standard for consumer routers.
I also used nmap to scan the EA8300 from the inside, that is, from a computer connected to the router. It found these open TCP ports: 53, 139, 445, 10000 and 10080. 53 is DNS and is usually open on the LAN side. 139 and 445 are for Windows based file sharing and I suspect they are used when a USB flash drive is plugged into the router to serve as a poor man's NAS. I looked everywhere but could find no way to disable file sharing in the router. I have no idea what the other two ports are used for. Any open port is a potential avenue of attack from a malicious device on the LAN.
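The LAN-side scan result above can be turned into a repeatable check, for instance before and after a firmware update. This is an added example, not part of the original article: it assumes the scan was saved in nmap's greppable format (`-oG`), and the sample output, the `EXPLAINED` table and the function names are constructed for illustration.

```python
# Constructed sample of `nmap -oG` output for a LAN-side scan of the router.
# The open ports are the five the article reports; the address is illustrative.
SAMPLE_GNMAP = (
    "# constructed sample, not a real capture\n"
    "Host: 10.147.1.1 ()\tStatus: Up\n"
    "Host: 10.147.1.1 ()\tPorts: 53/open/tcp//domain///, "
    "139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, "
    "10000/open/tcp/////, 10080/open/tcp/////\tIgnored State: closed (65530)\n"
)

# Ports the article can account for; anything else open is "unexplained".
EXPLAINED = {53: "DNS", 139: "Windows file sharing", 445: "Windows file sharing"}


def parse_open_tcp(gnmap_text):
    """Return {host: {port: service}} for open TCP ports in greppable output."""
    result = {}
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:"):
            continue
        # Sections are tab-separated: Host, Ports, Ignored State, ...
        sections = [s for s in line.split("\t") if s.startswith("Ports:")]
        if not sections:
            continue  # e.g. the "Status: Up" line
        host = line.split()[1]
        ports = result.setdefault(host, {})
        for entry in sections[0][len("Ports:"):].split(","):
            # port/state/protocol/owner/service/rpc-info/version/
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue
            port, state, proto, _owner, service = fields[:5]
            if state == "open" and proto == "tcp":
                ports[int(port)] = service or "unknown"
    return result


def audit(gnmap_text, previous=None):
    """Per host: explained ports, unexplained ports, and ports not in `previous`."""
    report = {}
    for host, ports in parse_open_tcp(gnmap_text).items():
        earlier = set((previous or {}).get(host, []))
        report[host] = {
            "explained": sorted(p for p in ports if p in EXPLAINED),
            "unexplained": sorted(p for p in ports if p not in EXPLAINED),
            "new": sorted(set(ports) - earlier) if previous is not None else [],
        }
    return report


if __name__ == "__main__":
    for host, findings in audit(SAMPLE_GNMAP).items():
        print(host, findings)
```

Passing the port list from an earlier scan as `previous` (a dict of host to list of ports) makes the `new` field show anything that opened since then.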
I also watched outbound requests originating from the router when there were no devices connected to it. Recall, that I had already disabled the option to phone home to Linksys with assorted telemetry.
It consistently tried to contact three IP addresses belonging to Amazon Web Services (22.214.171.124, 126.96.36.199 and 188.8.131.52). I have no idea what these servers do, but rather than send data to them, the router just Pinged them. But, it was Ping-happy, making around 5 pings every second. Seems like a lot but I can't say it's a problem in any way.
The main support page for the EA8300 is linksys.com/us/support-product?pid=01t340000042dmYAAQ where you will find documentation and downloads.
The User Guide has no date and no firmware release indication. It is only 24 pages and was copyright in 2017, so it was probably never updated after the first release. This is typical of the disgraceful documentation for consumer routers. Recall that earlier, I had run across an option called "Express forwarding" and did not know what it was. I still don't know; there is nothing about it in the User Guide.
When, previously, I praised the router for notifying me of an available firmware update, I spoke too soon. The support page says that the latest firmware is version 184.108.40.206210 dated June 1, 2020. But the router is now running the older version (220.127.116.11539 from Nov. 8, 2018) and the router says that it is up to date. Yet again, another reason not to buy a consumer router.
Not sure what to do, I look at the Release Notes for the newer firmware. It says "Support both EA8300 V1.1 and EA8300 V1.0". That's it. That's all it says. What does this mean? Don't buy a Linksys router is what it means.
As someone focused on Router Security when I kick the tires on a router, I look for different things than the typical review in the tech press. Other reviews list the features of the router, describe how the thing looks and then spend most of their time on how fast the Wi-Fi is. The total opposite of everything you have read here so far. Below are some typical reviews of the EA8300.
Note that none of them mention that the router sends data back to Linksys by default or that the Guest Networks are Captive Portals or that the User Guide is skimpy, useless and never updated. They all get a kickback (aka commission), when someone clicks a link to buy the router, so, we can expect any faults to be glossed over.
Linksys EA8300 Max-Stream AC2200 Tri-Band Wi-Fi Router Review by John R. Delaney for PC Magazine (Feb. 2018). The article perpetuates the myth about there being three radio bands rather than three radios. The lead paragraph: "Designed for homes with multiple devices vying for Wi-Fi bandwidth, the Linksys EA8300 Max-Stream AC2200 Tri-Band Wi-Fi Router provides three separate radio bands and user-friendly device prioritization to ensure that your clients have all the bandwidth that they need for gaming, video streaming, and web browsing. This router is easy to install and uses all the latest wireless technology, including Multi-User Multiple Input Multiple Output data streaming and beamforming, and it offers Quality of Service settings, parental controls, and intelligent band steering. It delivered good close-range throughput in our tests, but its overall performance was no match for our Editors' Choice ...."
Linksys EA8300 Max Stream: Great Performance for the Price by Brian Nadel for Tom's Guide (April 2018). Sub-heading: Excellent speed that's affordable. Quoting: "Small and easy to hide, the EA8300 Max Stream router can deliver the data at high speeds ... you can customize Linksys' router to run the way you want it to, making it among the best Wi-Fi routers around for power users ... the Max Stream is a relatively inexpensive option for filling an apartment or small house with Wi-Fi".
Linksys EA8300 Max Stream AC2200 Router review by Dan Dziedzic for CNET (Nov 2017). Sub-heading: This little Linksys router gets the job done -- up to a point. Quoting: "If you want great coverage for your medium-size home, lots of customization options and top speeds on your router ... the Linksys EA8300 is the one you want ... The Linksys EA8300 Max-Stream router boasts top speeds and tons of features for medium-size homes, and it's affordable...".
This article does, however, point out some issues the others missed, such as the fact that you can not throttle the speed of devices on the Guest Wi-Fi and that the router can function as an Access Point. And, this: "You can also use Amazon Alexa with the EA8300 if you want to turn on/off the guest network, get the guest Wi-Fi log-in credentials or if you forget your regular Wi-Fi password. That last part is a little scary in that anyone can ask her for your password, and Linksys says that you can shut this feature off." Yikes. It also says "The Smart Wi-Fi web interface raised some concerns over its security, but the app is very convenient if you need to update your settings". And there it is in a nutshell: the choice between security and convenience.
If you are interested in Parental Controls, be sure to read this March 6, 2018 review at Amazon.com about a flaw in the feature.
Last Updated: April 14, 2021 3PM UTC