Router Security: IP Addresses
Website by Michael Horowitz

As you would expect, every computer on a network has a unique number. And, by "computer," I mean any computing device (phones, tablets, ROKU boxes, routers, Amazon Echos etc.). The unique numbers are called IP addresses and they are written as four decimal numbers separated by periods (rather than commas). A common IP address is Each number can, technically, range from zero to 255.

Routers differ from other computing devices in that they have (at least) two IP addresses: a public one and a private one. The public side of a router is visible on the Internet. The public side is also referred to as the WAN or Wide Area Network side of the Internet. The router has no control over the public IP address; it is assigned by the ISP (Comcast, Verizon, Spectrum, etc.). The public IP address is not a secret and there are many websites that display it (, and

In contrast, the router has total control over the private side (a.k.a. LAN or Local Area Network) IP addresses, both for itself and for all the computing devices that connect to it.

The range of allowable LAN side IP addresses is called a subnet (as in sub-network, as in only use these few numbers of all the billions of possible numbers). A very common subnet is the range of numbers that start with 192.168.1 and vary only in the fourth and last number. This is often written as 192.168.1.x where the x is a placeholder for all the possible numbers in the fourth position (0 to 255).

These are the decisions that need to be made regarding LAN side IP addresses:

  1. Pick a subnet (the full range of allowable IP addresses)
  2. Assign a fixed IP address within the subnet to the router
  3. Decide which IP addresses within the subnet will be given out on an on-demand basis to devices that connect to the router
  4. The flip side of the previous decision is which IP addresses can be permanently assigned to specific devices on the LAN

Every router has default values for all the above decisions and the defaults will, of course, work. Dealing with IP addresses and subnets is optional, but recommended for a few reasons.

For one, you will be a bit safer by not using the defaults. This is because some malware targets routers by their default IP address. Also, some devices on the Local Area Network work best with a fixed, permanent IP address and the defaults for your router may not allow for any fixed IP addresses. Using a subnet that is off the beaten path can also come in handy for VPNs. If, someday in the future, you set up a site-to-site VPN, having each site use its own subnet is cleaner and easier. And, should you ever want or need to plug a router into another router (which I suggest when setting up a new router for the first time), it will not work well if each router uses the same subnet.

The downside to configuring IP addresses and subnets is that a mistake can totally screw things up. So, the four decisions mentioned above (and detailed below) are best done early in the game. This way, if the change screws things up, the router can be reset without losing any other configuration changes you may have made.

Choosing a subnet

So, using the subnet 192.168.200.x as opposed to 192.168.1.x makes you safer because no router uses subnet 192.168.200.x by default.

Many, if not most, routers use the 192.168.0.x, 192.168.1.x or 192.168.2.x subnets. Why the devotion to 192.168?

Some IP addresses are not allowed on the public Internet; they are reserved for internal use only. That is, you can, and should, use them in your home or office. IP addresses that start with 192.168 are on this reserved list. So too are all IP addresses that start with 10.

You will never find any IP address on the public Internet that starts with either a 10 or with 192.168. Meanwhile, every home in the world can use the 192.168.1.x subnet without a problem.

If you prefer 192.168, then avoid the subnets that other devices default to. That is, avoid networks where the third number is 0, 1, 2, 3, 5 (used by Hawking), 8 (used by GLi), 9 (used by Gryphon), 10, 11, 19 (used by Anonabox), 50 (used by Peplink), 55 (used by Luma), 72 (used by Asus Lyra), 85 and 86 (used by Google routers), 88 (used by MikroTik), 100 (used by assorted cable modems) and 178 (used by FRITZ!Box). If you know of others, please send me an email. In September 2018, malware was found looking for routers on the 0, 1, 2, 15, 25 and 100 subnets, a good reason to avoid them. Some good subnets would be 192.168.68.x or 192.168.77.x or 192.168.200.x.

If you prefer IP addresses starting with 10, then the subnets to avoid are 10.0.0.x (Netgear), 10.0.1.x, 10.1.1.x and 10.10.10.x (used by HooToo in their HT-TM05 TripMate Titan Wi-Fi sharing device). Some easy to remember networks would be 10.11.12.x and 10.20.30.x. That said, easy to remember should not be a priority, security should be. So, something that no one would guess, like 10.43.27.x is better. If you live at 123 Main Street, then 10.123.123.x is a great choice.

Hand in hand with picking a subnet is the concept of a subnet mask. The mask is what defines your subnet to the router.

A subnet of 192.168.200.x means that all devices on the network will have IP addresses that start with 192.168.200. In this case, the subnet mask is The 255 means that that part of the IP address is part of the subnet, the 0 means that part is not. So, in English, means that the first three numbers are being used to define the subnet. Not that you need to know this, but this mask is 24 binary ones, followed by 8 binary zeros.

Specifying the subnet for an Asus router

The image above shows how you define the subnet for an Asus router. The subnet mask goes hand in hand with assigning the router an IP address (our next topic below).

IP addresses that start with 10 default to a different subnet scheme. Here, the subnet is defined simply by the first number. A subnet mask, of indicates this. That said, unless your network needs to accommodate more than 250 devices, you are probably better off using the first three numbers to indicate the subnet. So, again, a subnet mask of indicates that the first three numbers will all be the same on your network, even though the first number is a 10. As noted above, in the list of 10.x.x.x networks to avoid, Netgear and HooToo are doing this.


Choosing a router IP Address

Along the same line, within a given subnet, routers are usually assigned the number 1. There is no technical requirement for this; it's just a custom. Thus, on the 192.168.1.x subnet, the router will almost always be assigned Likewise, on the 192.168.200.x subnet, the router is likely to be

Here too, this custom makes it easier for malware to find the router, so you are a bit safer if your router is not the number 1 device.

Regardless of the subnet, everyone is in the habit of assigning their router an IP address that ends with 1. On the 192.168.1.x subnet, for example, you will, almost always, find that the router is assigned to As noted above, this is a custom rather than a technical requirement and you will be safer by not following the crowd. For example, in September 2018, malware was found targeting routers on 7 different subnets, but in each case it assumed the router's IP address ended in 1.

The second most popular default IP addresses for routers end with 254 as shown in this Dec. 2017 article: A List of Common Default Router IP Addresses. So, 254 is out too.

Zero often has a special meaning when it comes to computer networks, so it is best not to use zero either. That leaves 2 through 253.

But, Trend Micro says not to use IP addresses ending in 100 or 254 for the router. See Protecting Home Networks: Start by Securing the Router May 18, 2017.

What, specifically, to do?

You get the most flexibility by using either a very low (2,3,4) or very high (251,252,253) number. I normally opt for low, admittedly out of habit.

But, just as choosing a subnet required knowing about subnet masks, changing the router's IP address requires knowing about DHCP.

Computing devices that connect to a router get their IP address either statically or dynamically. Static means that the computing device has been pre-configured to always use one specific IP address. A router always has a static IP address on your network. Dynamic is the norm. The problems with static are: it takes more expertise to set up, not all devices support static IP addresses and it doesn't travel well (an IP address that works with one subnet will not be valid on another subnet).

The thing (really a protocol) for giving out dynamic IP addresses is DHCP. I mention it here because changing the IP address of the router impacts the available IP addresses that DHCP can use.

In the picture below, from the same Asus router as above, we see that DHCP will give out IP addresses from through Considering that the router is statically assigned to, DHCP is using every possible IP address. In theory, this router could talk to 252 concurrent devices. The Lease Time refers to how long a computing device can use its dynamic IP address before it has to go back to the router and ask for another one.

Specifying DHCP for an Asus router

The point to all this is that if you change the IP address of the router, it will impact the pool of IP addresses that DHCP can use. If, for example, the router were assigned to, and no change was made to DHCP, then it's possible that DHCP would give to an iPhone. That would be bad. IP addresses have to be unique on any given subnet.

My experience has been that most routers were smart enough to adjust the DHCP range on their own, when I modified the router IP address. Still, if you do change the router IP address, be sure to verify that the new address is not also in the range used by DHCP.

On a related note, there are some devices that should use a static IP address. Two that come to mind are a NAS (Network Attached Storage) and a network printer. I always like to keep some IP addresses away from DHCP so they can, in the future, be statically assigned to something. To pull this all together consider a router at and DHCP giving out through This leaves a few IP addresses for static use.

That said, there is a facility for making a dynamic IP address non-dynamic but that's not a security issue in any way.
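The subnet, router address and DHCP decisions discussed on this page can be checked together before a plan is typed into the router. The script below is an added example, not part of the original page; the function name and the sample addresses are constructed for illustration, and it assumes a /24 network.

```python
import ipaddress

# Values taken from the lists on this page.
AVOID_192_168 = {0, 1, 2, 3, 5, 8, 9, 10, 11, 19, 50, 55, 72, 85, 86, 88, 100, 178}
MALWARE_2018 = {0, 1, 2, 15, 25, 100}   # subnets probed by the Sept. 2018 malware
AVOID_10 = {"10.0.0.0/24", "10.0.1.0/24", "10.1.1.0/24", "10.10.10.0/24"}
AVOID_ROUTER_HOST = {0, 1, 100, 254}    # last numbers the page rules out


def audit_lan_plan(subnet, router, dhcp_start, dhcp_end):
    """Return a list of findings for a /24 LAN plan; an empty list means no issues."""
    net = ipaddress.ip_network(subnet)
    rtr, lo, hi = (ipaddress.ip_address(a) for a in (router, dhcp_start, dhcp_end))
    findings = []
    if not net.is_private:
        findings.append("subnet is not a reserved private range")
    if net.prefixlen != 24:
        findings.append("expected a /24 (first three numbers define the subnet)")
    octets = net.network_address.packed
    if octets[:2] == bytes([192, 168]) and octets[2] in AVOID_192_168 | MALWARE_2018:
        findings.append(f"192.168.{octets[2]}.x is a known default or targeted subnet")
    if str(net) in AVOID_10:
        findings.append(f"{net} is a vendor default subnet")
    for name, addr in (("router", rtr), ("DHCP start", lo), ("DHCP end", hi)):
        if addr not in net:
            findings.append(f"{name} address {addr} is outside {net}")
    if rtr.packed[-1] in AVOID_ROUTER_HOST:
        findings.append(f"router host number {rtr.packed[-1]} is a common default")
    if lo > hi:
        findings.append("DHCP range is reversed")
    elif lo <= rtr <= hi:
        findings.append(f"router address {rtr} is inside the DHCP pool")
    else:
        usable = net.num_addresses - 2                  # minus network and broadcast
        static = usable - 1 - (int(hi) - int(lo) + 1)   # minus router and DHCP pool
        if static < 1:
            findings.append("no addresses left outside DHCP for static devices")
    return findings


if __name__ == "__main__":
    # Constructed sample plan: a typical out-of-the-box configuration.
    for finding in audit_lan_plan("192.168.1.0/24", "192.168.1.1",
                                  "192.168.1.1", "192.168.1.254"):
        print(finding)
```
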


Using a non-standard subnet and assigning the router a non-standard IP address makes your network safer, but it is not a perfect defense.

For one thing, a service called WebRTC, that runs inside a browser, can leak the internal IP address of the router. The Test your Router page has links to a number of online tester pages that report whether WebRTC is enabled in your web browser. If you don't use WebRTC, then you will be safer having it disabled in every web browser that you use. Many of the tester pages have instructions for disabling it. The uBlock Origin browser extension can disable WebRTC, but does not disable it by default.

Another way the internal router IP address can leak is via the hard coded domain names used by some routers. To make it easier to access the web interface of a router, Netgear lets its customers use rather than an IP address. Likewise, Asus uses A longer list of these router aliases is on the Introduction to Routers page. In theory, JavaScript running inside a web page can use these aliases to access a router.

All that said, should bad guys learn the LAN side IP address of the router, there are still many ways to keep them from interacting with the router. Not using a default password goes without saying, but assorted routers have other defenses such as limiting access to Ethernet connected devices, limiting access by IP address and more. A list of these other defenses is on the Security Checklist page in the LOCAL ADMINISTRATION section.

Router attacks based on IP addresses

One example of this is a bug in D-Link routers that was reported in January 2015 (DNS hijacking flaw affects D-Link DSL router, possibly other devices). Quoting:

"A vulnerability found in a DSL router model from D-Link allows remote hackers to change its DNS (Domain Name System) settings and hijack users' traffic ... Attackers don't need to have access credentials for the affected devices in order to exploit the vulnerability, but do need to be able to reach their Web-based administration interfaces ... Rogue code loaded from a website can instruct a browser to send specially crafted HTTP requests to LAN IP addresses that are usually associated with routers."

The critical point is that using the same LAN IP addresses that everyone else does makes you more vulnerable to certain types of attacks.

Here is an example of malicious JavaScript attacking modems and routers: Owning Modems And Routers Silently. This type of attack requires the bad guys to guess the IP address of the victim device. If you use a non-standard IP address, you are safer.

The March 2017 WikiLeaks data dump, Vault 7: CIA Hacking Tools Revealed, included a page called JQJDISRUPT - WAG200G that discussed hacking a Linksys router. Of a particular attack, a CIA employee wrote: "it was determined that was not going to work to get Cannoli on the Linksys target. When running it eventually always returns errors. User xxx advised that it would only work if the target was in the 192.168.x.x space." The same page describes another attack that only worked if the router's IP address was

Other attacks that need to know (or guess) the internal IP address of the router:

NOTE: On January 27, 2018 this page was drastically re-written.

This page was last updated: December 10, 2018 6PM CT     
Created: June 3, 2015
Feedback: routers __at__ michaelhorowitz dot com  