Router Security: Bad Neighbors
If you have neighbors that you do not trust, here are some steps you can take to keep them away from your Wi-Fi network(s).
One way to discourage neighbors from focusing on your Wi-Fi network is to weaken the signal leaving your home.
Wi-Fi uses two different frequency bands, 2.4GHz and 5GHz. Walls and furniture block the higher frequency more than the lower one, so try limiting the Wi-Fi in your home to the 5GHz band. This will limit your access to your own network too, as your walls and furniture become bigger barriers, but it's worth a shot.
Another way to keep your Wi-Fi signal from leaking outside your home is to limit the transmission power of your router. Some routers offer this as an option, some do not. If yours does, experiment with it, lowering the power until it begins to interfere with your use of your network(s).
A more drastic way to lower the transmission power is to use access points. These are Wi-Fi transmitters connected to the router by Ethernet cable. Since they can get closer to where you are, they can use a lower power setting. The same applies to a mesh networking router system, as long as it supports an Ethernet connection between the main router and the assorted mesh points (the technical term for this being "backhaul"). Running Ethernet cables is, of course, not always an option.
Update May 29, 2020: To really block the signal from a neighbor, a reader (thanks Mike) suggested using a foil parabolic reflector on the router's antenna and pointing it away from your neighbor. This requires the router to have an exposed rod antenna. As an example, see the Ez-12 Parabolic Reflector Template.
Update August 12, 2021: A great article: 8 reasons to turn down the transmit power of your Wi-Fi by Petri Riihikallio October 21, 2017.
NOT FOOLPROOF SECURITY
Two other security features are both a hassle to use and are not foolproof. That said, each provides another hurdle for someone outside your home to jump over. If your neighbors are not very good hackers, they will not be able to make this leap.
Do not broadcast the SSIDs of your Wi-Fi networks. Since this is not foolproof, no one suggests bothering, but if you are dealing with bad neighbors, it can't hurt.
Use MAC address control. This is a security feature that is on the way out, again, because it is not foolproof. And, the hassle factor is high.
Every computing device connected to a network is assigned a unique 48-bit number, known as the MAC address. This is not an Apple thing; it pre-dates Apple computers. A laptop computer that can use both Ethernet and Wi-Fi will have two MAC addresses, one for each network connection. Many routers can limit access based on the MAC address of the client device. I haven't tested this, but even if a device knows the Wi-Fi password, it should be blocked if its MAC address is not on the approved list.
Don't identify yourself to your neighbors. That is, don't put any identifying information in your network name(s). For more see the SSID page.
No one can interact with a Wi-Fi network that does not exist, so, if possible, turn off the Wi-Fi when you are not using it. Some routers have a button for this, others can schedule the availability of the wireless networks.
All the above is, of course, in addition to the standard recommendations: disable WPS, use WPA2 with AES (not TKIP) encryption and use a long Wi-Fi password. How long is a matter of opinion. If you really want to block out the neighbors, then, in my opinion, use 16 characters or more. If your router offers WPA3, that's fine, but not really necessary.
A huge defense, WPA2 Enterprise, is unfortunately out of the reach of most people. The normal WPA2 encryption is WPA2 Personal which uses one password per Wi-Fi network (SSID). In contrast, WPA2 Enterprise gives every person their own userid and password. It is more secure in a number of ways, including the fact that it is rarely used, so very few bad guys have any experience hacking it.
The main problem using WPA2 Enterprise is the software for creating and validating these many userids/passwords. The software, a RADIUS server, is too hard to get, install, configure and maintain for non-technical people. But, I know of two exceptions. Synology routers allow you to install software in addition to the software they come with out of the box. One of the additional apps you can install is a RADIUS server. It is free and offered by Synology.
Another option is a NAS (Network Attached Storage) from either Synology or QNAP. Both companies offer RADIUS servers that run on their NAS devices. Of course, this approach requires that the router also support WPA2 Enterprise and not many do. A consumer router, for example, is not likely to support it. My preferred router, the Pepwave Surf SOHO does support it. I have used this approach myself for a long time.
IF THEY DO GET IN
If a neighbor does get on your Wi-Fi network, you want to both know about it and limit what they can do.
To see who is on your network(s), it is best to communicate with the router, either via its web interface or a mobile app. There are LAN scanning programs, but they can only connect to one SSID at a time and you need a different one for each operating system that you use.
Some routers, such as Eero, will notify you when a new device connects to your network. Other routers, such as Gryphon, can block new devices by default. So too, add-on security devices (see the Resources page) might be able to block new devices when they first get in.
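As an added illustration (not code from this site), here is a small Python script that performs the "who is on my network" check described above against a MAC address allow-list of the kind used by MAC address control: it reads a client table as a router's web interface might export it (a constructed sample is embedded) and reports every device that is not on the approved list. The export format and all addresses are assumptions; the script also flags locally administered MAC addresses, the kind phones use when they randomize their address, since those change over time and will not stay on any allow-list.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed allow-list: the MAC addresses you approved on the router.
APPROVED = {
    "aa:bb:cc:11:22:33": "my laptop (Wi-Fi)",
    "AA-BB-CC-44-55-66": "my laptop (Ethernet)",   # separators vary by router UI
    "d4:3d:7e:00:11:22": "printer",
}

# Constructed sample client table (IP, MAC, hostname), as a router might export it.
CLIENT_TABLE = """\
192.168.1.10  aa:bb:cc:11:22:33  laptop-wifi
192.168.1.11  AA-BB-CC-44-55-66  laptop-eth
192.168.1.12  d4:3d:7e:00:11:22  HP-printer
192.168.1.37  6e:12:9f:55:aa:01  android-7f3c
192.168.1.40  00:0c:29:aa:bb:cc  *
"""

def normalize_mac(raw: str) -> Optional[str]:
    """Return a MAC as lowercase colon-separated 48-bit address, or None if malformed."""
    digits = re.sub(r"[:\-.]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set = locally administered (typical of randomized MACs)."""
    return bool(int(mac[:2], 16) & 0x02)

def parse_clients(table: str) -> List[Tuple[str, str, str]]:
    """Parse 'ip mac [name]' rows; rows with a malformed MAC are skipped."""
    rows = []
    for line in table.splitlines():
        parts = line.split()
        mac = normalize_mac(parts[1]) if len(parts) >= 2 else None
        if mac is not None:
            rows.append((parts[0], mac, parts[2] if len(parts) > 2 else ""))
    return rows

def find_unknown(table: str, approved: Dict[str, str]) -> List[dict]:
    """Devices in the client table whose MAC is not on the allow-list."""
    allowed = {normalize_mac(m) for m in approved}
    return [{"ip": ip, "mac": mac, "name": name,
             "randomized": is_locally_administered(mac)}
            for ip, mac, name in parse_clients(table) if mac not in allowed]

if __name__ == "__main__":
    for dev in find_unknown(CLIENT_TABLE, APPROVED):
        tag = " (locally administered, probably randomized)" if dev["randomized"] else ""
        print(f"UNKNOWN {dev['ip']} {dev['mac']} {dev['name']}{tag}")
```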
If someone does get on your Wi-Fi network, then you want to block their ability to get at the web interface of the router (assuming it has one). A number of ways to do this are listed in the Local Administration section of the Security Checklist page. For example, some routers can limit access to Ethernet connected devices, others can limit access based on the Wi-Fi SSID.
You also want to block an intruder from being able to interact with the other devices on your network(s). For many routers, this will be an option for their Guest network. So, use a Guest network whenever you can. Bad guys can capture the initial logon and then try a brute-force attack to get the password. Make them do this for a Guest network, rather than for a private network.
For Peplink routers, hiding devices on the same network from each other is a simple matter of turning on Layer 2 isolation for the SSID.