Router Security is my thing. It's a boring subject, often ignored, and when it does get attention, the focus is often wrong. Specifically, the focus is often on isolating IoT devices because their security is so bad. This is a great thing to do, but as more people work from home, the focus of network security should be on carving out a secure enclave for the income-producing devices (computers, tablets, printers, NAS devices, etc).

The official buzzword for this is network segmentation. In English, this means logically grouping the devices in your home and isolating the groups from each other. Perhaps the most common example of network segmentation is having IoT devices use a Guest Wi-Fi network while all the other devices use the main network.

Techies recommend segmenting networks because there are a huge number of attacks that can occur from one device in a home to another device.

The best way to group/segment devices in a network is with a router feature called VLANs (Virtual Local Area Network), but most routers do not support VLANs. Instead, this blog is about a simpler approach, one that is available to anyone - a second router. As I make clear on my RouterSecurity.org site, I am no fan of consumer routers. But as a secondary router, they should be good enough and are far better than doing nothing.

ISOLATING

You can make an isolated group of devices by simply plugging one router into another. Any router can be plugged into any other router. I will refer to the existing router or combination box (both a modem and a router) as the outer router and the new router as the inner one. Using an Ethernet cable, connect the WAN/Internet port of the inner router to any LAN port of the outer router. In most cases, that should be all that is required.

The one thing that can go wrong is if both routers use the same numbering scheme (a.k.a. subnet). Every computer on a network has a unique number, called an IP address, that is written at four numbers separated by periods (192.168.1.5 for example). Normally all the computers in a home will start with the same first three numbers (such as 192.168.1) and the last number will vary. If both the inner and outer routers use the same numbering scheme by default, this will have to be changed on the inner router. For example, if the outer router is using 192.168.1.something, then the inner router can use 192.168.2.something or 192.168.3.something.

OUTER -> INNER ROUTER

With this scheme/approach, the firewall in the inner router serves to block devices connected to the outer router from communicating with devices connected to the inner router. This should be sufficient, in my opinion.

INNER -> OUTER ROUTER

The firewalls in routers default to letting any data/traffic leave the WAN/Internet port of the router. For the most part, router firewalls only block unsolicited incoming data (this is certainly true for consumer routers). For a two-router approach, this means that the inner router will let all data/traffic out, so, in theory, a device connected to the inner router could communicate with a device connected to the outer router. It is very unlikely, but technically possible.

One way to prevent this is with VLANs. If the outer router supports VLANs, then the Ethernet port that connects to the inner router should be assigned to an VLAN that is not allowed to talk with any other VLAN or with the untagged LAN. That one Ethernet port should be the sole thing in the VLAN. For most people, however, this is not an option. Consumer routers and routers provided by an ISP do not offer VLANs or outbound firewall rules (next topic), only professional routers (such as Peplink and pfSense) do. (added Nov 4, 2023)

One way to prevent this is with firewall rules.

Assume, for example, that the LAN side of the outer router uses the 192.168.11.x subnet and that the LAN side IP address of the outer router is 192.68.11.1 and the LAN side IP address of the inner router (as seen by the outer one) is 192.168.11.99. The inner router can use any subnet for its LAN, other than 192.168.11.x.

If the outer router offers firewall rules, then you can create a rule for traffic with a source IP of 192.168.11.99. If the destination is anywhere in the 192.168.11.x subnet, then block it. This would also prevent any device connected to the inner router from being able to administer the outer router, so maybe carve out an exception. The exception would allow traffic from 192.168.11.99 (inner router) to 192.168.11.1. To me, this is a matter of opinion.

If the inner router offers outbound firewall rules then you can block communication with devices connected to the outer router with a firewall rule that blocks communication to anything in the 192.168.11.x subnet. The outer router sees this subnet as its LAN, but to the inner one, it is part of the WAN/Internet. This will also block administration of the outer router, so perhaps carve out an exception that allows communication to 192.168.11.1. Matter of opinion. (updated Nov 4, 2023)

Another approach is to use a VPN, but this is complicated because there are so many different implementations. To begin with, a VPN connection can be established using either VPN client software running on the inner router itself or on a device connected to the inner router. And, there are different types of VPNs (such as OpenVPN, IKEv2, WireGuard) and a huge variety of VPN client software for the assorted popular operating systems. And, each VPN client has assorted configuration options.

Not many routers offer VPN client software. Asus is an exception, they have provided an OpenVPN client for for years. GL.iNet also offers routers with a VPN client. I keep a longer list of routers that can function as a VPN client on the Resources page of my RouterSecurity.org site. I have not tested this, so I can not say for sure that a VPN connection established by the inner router itself will block all access to the outer router. It is a great question to ask the company running the VPN server(s).

I have dealt with VPN client software running on a Windows computer attached to the inner router. It can go either way. My experience has been that the outer network is blocked by default. However, I asked two VPN companies about this. One company offers three different VPN clients for Windows: their own software, open source OpenVPN software and WireGuard software. With their own software it was impossible to access the outer network. With the OpenVPN and WireGuard software, they offered a tweak that would allow it. The other VPN company, whose software was inconsistent in my testing, would not answer the question. Email me for the name of each VPN company. And, feel free to email me your experience with this.(updated Sept. 28, 2021)

Running a VPN on the inner network has another advantage: it offers protection from a malicious/hacked outer router. Since the least trusted devices are connected to the outer router, there is always a chance that one of them might corrupt the router. Then too, just by being directly connected to the Internet, the outer router is always at risk of being hacked. The VPN connection, once it is established, should be tamper-proof.

What can go wrong, if the outer router is malicious, is that it might disrupt the initial VPN connection. In the VPN section of my DefensiveComputingChecklist.com site, there are a number of things that you can check to insure the VPN connection is doing what it is supposed to do.

Again, in my opinion, blocking devices connected to the outer router from seeing devices connected to the inner one is the main point.

CONFIGURING THE WORK-FROM-HOME ROUTER

Any router can be made more secure by adjusting assorted configuration options. The biggest items are perhaps WPS and UPnP, both of which should be immediately disabled. As for a Wi-Fi password, make it at least 20 characters long. The home page of my Router Security website has a short list of the most important security enhancing tweaks and much longer list for motivated techies to follow.

One thing to change is the DNS servers, you do not want them to be provided by the outer router. Perhaps the outer router is using DNS from the ISP, perhaps it has gotten hacked and is now using malicious DNS servers. Either way, you want to be in control of this and pick a trustworthy DNS service. There are a number of trusted DNS providers such as Cloudflare (1.1.1.2 and 1.0.0.2), Quad9 (9.9.9.9 and 149.112.112.112), OpenDNS (208.67.222.222 and 208.67.220.220) and NextDNS (45.90.28.119 and 45.90.30.119). Better yet, if the inner router supports secure DNS, then use it. This should prevent the outer router from being able to see, let alone interfere, with DNS requests from the inner router. (added Sept. 28, 2021, updated Nov 4, 2023)

A router that is used solely to segment off a small number of work-from-home business devices, lends itself to some configurations that do not make sense elsewhere.

For example, MAC address filtering. This feature blocks devices from accessing the router even if they know the Wi-Fi password. Sophisticated attackers can bypass it, but not every attacker is sophisticated. When a router is used by dozens of devices, the bookkeeping involved in maintaining a list of MAC addresses, just does not pay - but it does make sense on a router used by a small number of devices.

Disabling DHCP falls into the same category. It only makes sense when the number of devices using the router is small. It too, is not a perfect defense, but again, every attacker is not a top techie.

Not broadcasting the Wi-Fi network name is, yet again, not perfect security, and something that only makes sense for a small number of devices.

If the person working at home is near their dedicated/inner router, then limit Wi-Fi to the 5GHz frequency band, because the signal does not bleed as much to the outside world. Some routers let you adjust the transmitting strength of the router. If so, make it as low as possible while still providing a strong signal in the area where it is needed.

To recap: the network name is hidden, the signal does not travel far, the password is very long, and, even if an attacker gets on the network, they need to clone a valid MAC address and bring their own IP address. Pretty secure.

Even with all that, Ethernet is more secure than Wi-Fi. Someone who uses an iPad and/or iPhone for work, might consider plugging it into the router via Ethernet. Adapters for this do exist.

April 7, 2021: A bit more protection can come from changing the WAN side MAC address of the inner router. Anything malicious on the outer network can not see the work-from-home devices due to the firewall in the inner router, but the WAN side MAC address of the inner router, advertises the company that made the router. Modifying the MAC address lets an Asus router (for example) appear to be made by Netgear (for example). If a bad guy tries to exploit a known bug in Netgear routers, it will fail. Peplink calls this feature "MAC Address Clone" and you can see a screen shot of it here.

WHICH ROUTER

As for choosing a router, there are many criteria. For a Work-From-Home router, I suggest focusing on two features.

The first is whether the firmware (router operating system) it is still being updated by the vendor. You can research this at the tech support section of the hardware manufacturer's website. Search for the specific router model you are considering, and check when the last software/firmware update was. If it is more than a year ago (yes, this is arbitrary), don't buy that router. Note that some router models have different hardware versions.

The other aspect to focus on is whether the router is spying on you. Specifically, whether you must have an account with the hardware manufacturer to use the router. In the old days, every router was a free agent. Now, things have shifted and many (most?) routers require you to check-in with the mother ship. In Star Trek terms, they have been assimilated into the collective of their hardware manufacturer.

The potential for being spied on ("telemetry" is the polite word) by the router vendor is something only I consider. The potential privacy invasion of having a vendor account has never been cited as a gotcha in any review of any router, ever. But, to me, it is. We never know what data the router is phoning home with.

A couple years ago, Netgear silently added telemetry to their routers. If you look for it, you can turn it off. Asus routers include anti-virus software which is, itself, a privacy invasion. I am not sure how functional an Asus router is if you do not agree to let the anti-virus software do its thing. Ubiquiti would never spy on their customers, until they did.

My preferred router is the $200 Pepwave Surf SOHO. However, setup and configuration of the Surf SOHO, like that of any professional grade router, is too much for non technical people to handle. Also, its maximum download speed of 120Mbps may also not be sufficient for some uses.

Another good choice is the $129 pcWRT router. In addition to a focus on security, the firmware is being actively updated (as of January 2022), it does not spy on you and it can be used without creating an account with the hardware vendor. It also offers VPN clients for all three popular flavors of VPN: WireGuard, OpenVPN and IKEv2. I am currently (Jan. 2022) kicking the tires on it.

My experience with the Amplifi HD line of mesh routers (from Ubiquiti) is that they can be used without establishing an account. Being a mesh system, the Amplifi HD is usually sold as a set of three devices, but you can buy just the cube-shaped router. It has 4 Ethernet LAN ports and, as a bonus, tells you the time of day.
NOTE: As of January 2022, the stand-alone cube router seems to be out of stock most places.

All these suggested routers let you roll back the firmware to the previous version should a new version cause a problem.

Update Feb 20, 2021: Another company to consider is GL.iNet. I have not used their products, but they are cheap and the company has a focus on security. Their routers run OpenWRT and include an OpenVPN client, a WireGuard client, Tor and encrypted DNS from either Cloudflare or NextDNS. The Slate (GL-AR750S-Ext) was released in 2019 and sells for about $55 (as of Feb. 2021). The Beryl (GL-MT1300) is newer and sells for about $70. At these prices, we can't expect great speeds or for the routers to handle too many attached clients.

Some routers include VPN server software but this is for accessing a home network when away from home and not relevant at all to working from home.

Some brands to avoid: D-Link, Netgear, Tenda and Synology.

PERFORMANCE

Update: October 3, 2020: Although the point here is about security, let me add this Wi-Fi performance tip: the Wi-Fi network(s) on the inner/secure/second router should run on different channels than the networks used by the outer router. If possible, the inner router should only use one Wi-FI frequency band, again, to avoid interfering with the outer router.

If both routers use the 2.4GHz band, then each should be configured with a different fixed channel, either 1 or 6 or 11. Many routers default to picking a channel automatically, but from what I have seen, they do a poor job. Thus, to avoid interference, it is best to manually pick a channel for each router. More here. If both routers use the 5GHz band, then the channels should be different and fixed, and, in addition, the channel width should be relatively narrow (again to avoid interference). Narrow channels on the 5GHz band are 20MHz and 40MHz wide. Wider channels are 80 and 160MHz. Many, but not all, routers let you configure the channel width.