Secured Apartment Wifi

Videodrome

Sep 12, 2013
Since I moved into this place, I've been mostly content to be on wired ethernet, but I dusted off an old project router I have that runs alternative firmware called Tomato. Alternative firmwares like this or DD-WRT are interesting to mess with and make a regular router almost like an Enterprise Router with more options.

http://www.polarcloud.com/tomato



I turned off the SSID Broadcast so most casual laptop or mobile device users shouldn't even know my device exists or see it in the list of available APs.

I altered my Tomato Router's Subnet Mask to 255.255.255.252 which reduces the allowed connections to only 2 devices which includes my DSL, so any devices past one Wifi device should fail to be assigned an IP Address. The DHCP range was also reduced to the size of the shrunken network.

Also of course using WPA2 with a long password.

For what it's worth, all of my devices also have a VPN.

I suppose I could also White List my allowed devices by MAC Address.


lol just a side project, but I think my stuff is locked down.
My networking is a bit rusty but on this piece:

I altered my Tomato Router's Subnet Mask to 255.255.255.252 which reduces the allowed connections to only 2 devices which includes my DSL, so any devices past one Wifi device should fail to be assigned an IP Address. The DHCP range was also reduced to the size of the shrunken network.

Reducing the subnet to giving the last octet 252 is not the same as only allowing two device connections. It’s allowing two entire subnets, 252 and 253. So you could have multiple devices trying to connect over that range. Again, I am rusty here, it’s been ten years since I did any networks in detail but that’s what I think it’s doing.

What you could do is disable DHCP completely and only use static IPs. Of course that means you will need to manually add a new device to your network but it’s a super secure way to do things, especially if you suspect someone is freeloading off you.
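Added example, not from any poster in this thread: a small Python script using the standard ipaddress module that works out what a 255.255.255.252 mask actually leaves for clients once the router has taken its own address, and the matching DHCP pool. The 192.168.1.0 network and the router address 192.168.1.1 are constructed sample values, not anyone's real LAN; the script also runs the same calculation for /24 and /29 so the pattern is visible.

```python
"""Added example (not the thread's own material): how many client addresses
a given IPv4 mask leaves, computed with Python's standard ipaddress module.
All addresses below are constructed sample values."""
from __future__ import annotations

import ipaddress


def subnet_capacity(network: str) -> tuple[int, int]:
    """Return (total addresses, assignable host addresses) for an IPv4 network
    given as CIDR ("192.168.1.0/30") or as address/dotted-mask
    ("192.168.1.0/255.255.255.252"). For prefixes shorter than /31 the first
    (network) and last (broadcast) addresses are never handed to hosts, so a
    /30 has 4 addresses but only 2 that a device can use."""
    net = ipaddress.ip_network(network, strict=False)
    return net.num_addresses, sum(1 for _ in net.hosts())


def client_addresses(network: str, router_ip: str) -> list[str]:
    """Host addresses left over once the router/gateway holds its own.
    This, not the raw address count, is the ceiling on simultaneous clients."""
    net = ipaddress.ip_network(network, strict=False)
    router = ipaddress.ip_address(router_ip)
    if router not in net:
        raise ValueError(f"{router_ip} is not inside {net}")
    return [str(h) for h in net.hosts() if h != router]


def dhcp_range(network: str, router_ip: str) -> tuple[str, str] | None:
    """Tightest DHCP pool covering only the client addresses, i.e. the
    'shrunken' range the original post describes. None if nothing fits."""
    clients = client_addresses(network, router_ip)
    if not clients:
        return None
    return clients[0], clients[-1]


if __name__ == "__main__":
    # Constructed sample LAN: router at 192.168.1.1, three candidate masks.
    for mask in ("255.255.255.0", "255.255.255.248", "255.255.255.252"):
        total, usable = subnet_capacity(f"192.168.1.0/{mask}")
        pool = dhcp_range(f"192.168.1.0/{mask}", "192.168.1.1")
        print(f"{mask}: {total} addresses, {usable} usable by hosts, "
              f"DHCP pool {pool}")
```

With the /30 mask the output shows four addresses, two usable, and a DHCP pool of exactly one address (192.168.1.2 to 192.168.1.2), which is why a second wireless client cannot obtain a lease. Note that this is a capacity limit, not an access control: anyone already holding the WPA2 passphrase can configure an address by hand, so the passphrase is the part of the setup that actually keeps outsiders off the network.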

I'm rusty on this too.

But in the case of a basic Router, if the network is split, is the other chunk effectively inaccessible? I mean this was never intended to be an Enterprise Router so it's kind of hacked. Also, I tested and was unable to connect more than one device wirelessly. Is the other chunk of the network set aside for a bank of ports that doesn't really exist? Maybe I could see if the other Ethernet jacks work at all.

I'm not super worried, just being prudent living in an Apartment on a busy block. Also kind of dusting off rusty skills as I have a 2 year degree in Cyber Security that isn't being used. o_O

You're right though about the Static IPs; that is another step I could do.

I think yeah, if you assign a subnet domain like 252 to a device then anything connecting to that device gets assigned to an address on that domain and another device can’t connect. But you still have a subnet with a range of IPs that can be assigned.

Basically the biggest hole I’ve seen people exploit in house / apartment based networks is DHCP. If you aren’t broadcasting and aren’t assigning out IPs, chances are extremely low (pretty much nonexistent unless someone wants to crack it for the challenge) of someone freeloading from you.
MAC address filtering is the way to go unless you have lots of visitors and/or constantly change phones. I used to do MAC address filtering along with static IPs, but honestly it was just a pain in the butt to manage. Someone would come over to my house and it was such a pain to let them on the wifi.

Now I just go with keeping firmware updated and using a good, secure password. As was already said, unless you live near a major hacker or something nobody is going to bother unless you leave a big security hole open.