Router Security: IP Addresses
As you would expect, every computer on a network has a unique number. And, by "computer," I mean any computing device (phones, tablets, ROKU boxes, routers, Amazon Echos etc.). The unique numbers are called IP addresses and they are written as four decimal numbers separated by periods (rather than commas). A common IP address is 192.168.1.1. Each number can, technically, range from zero to 255.
Routers differ from other computing devices in that they have (at least) two IP addresses: a public one and a private one. The public side of a router is visible on the Internet. The public side is also referred to as the WAN or Wide Area Network side of the router. The router has no control over the public IP address; it is assigned by the ISP (Comcast, Verizon, Spectrum, etc.). The public IP address is not a secret and there are many websites that display it (ipchicken.com, checkip.dyndns.com and www.ip-adress.com/what-is-my-ip-address).
In contrast, the router has total control over the private side (a.k.a. LAN or Local Area Network side) IP addresses, both for itself and for all the computing devices that connect to it.
The range of allowable LAN side IP addresses is called a subnet (as in sub-network, as in, only use these few numbers of all the billions of possible numbers). A very common subnet (range of numbers) is the numbers that start with 192.168.1 and only vary in the fourth/last number. This is often written as 192.168.1.x where the x is a placeholder for all the possible numbers in the fourth position (0 to 255).
Devices that connect to the router get assigned a LAN side IP address in one of three ways.
These are the decisions that need to be made regarding LAN side IP addresses: the subnet, the IP address of the router within that subnet, and the range of IP addresses that DHCP is allowed to hand out.
Every router has default values for the three decisions above and the defaults will, of course, work. Dealing with IP addresses and subnets is optional, but recommended for a few reasons.
For one, you will be a bit safer by not using the defaults. This is because some malware targets routers by their default IP address. Also, some devices on the Local Area Network work best with a static/permanent IP address and the defaults for your router may not allow for any static IP addresses. Using a subnet that is off the beaten path can also come in handy for VPNs. If, someday in the future, you set up a site to site VPN, having each site use its own subnet is cleaner and easier. And, should you ever want, or need, to plug one router into another router, it will not work well if each router uses the same subnet.
FYI: There are two reasons to plug one router into another. The first is to make some initial configuration changes to a new router, as I suggest on the new router page. The other is to carve out a secluded section within your home for devices involved in working from home. For more on this, see my September 2020 blog A second router can make working from home much more secure.
The downside to configuring IP addresses and subnets is that a mistake can totally screw things up. So, the three decisions mentioned above (and detailed below) are best done early in the game. This way, if the change screws things up, the router can be reset without losing any other configuration changes you may have made.
The first decision is the subnet, which specifies the range of allowable IP addresses on the LAN. This range also determines the maximum number of devices that can connect to the router. For most people, most of the time, a range that allows for 250 connected devices (give or take) should be sufficient. Pretty much every home router uses a subnet that supports a maximum of 250 connected devices.
A subnet that allows for 250 devices is specified with the first three numbers of the four numbers in an IP Address with an X serving as a wildcard. For example, very popular subnets are 192.168.0.x, 192.168.1.x and 192.168.2.x. Because they are popular, they are best avoided. Using a subnet such as 192.168.200.x makes you a bit safer because no router uses subnet 192.168.200.x by default.
Why the devotion to subnets that start with 192.168?
Some IP addresses are not allowed on the public Internet; they are reserved for internal (LAN side) use only. That is, you can, and should, use them in your home or office. IP addresses that start with 192.168 are on this reserved list. So too are all the IP addresses that start with 10. You will never find any IP address on the public Internet that starts with either a 10 or with 192.168. Meanwhile, every home in the world can use the 192.168.1.x subnet without a problem.
Whether you opt for a subnet that starts with 192.168 or one that starts with 10, it is best to avoid subnets used by other devices.
If you prefer 192.168, then avoid networks where the third number is 0, 1, 2, 3 (Amped Wireless, Huawei), 4 (Zoom), 5 (used by Hawking), 7 (Eero), 8 (used by GLi and Huawei), 9 (Gryphon), 10 (Motorola, pcWRT, NetComm), 11 (Buffalo), 15 (D-Link, Linksys and Vonage), 16 (Linksys), 19 (Anonabox), 20 (Motorola, NetComm), 30 (Motorola), 50 (Peplink), 55 (Luma), 62 (Motorola), 72 (Asus Lyra), 85 and 86 (Google), 88 (used by MikroTik), 100 (used by assorted cable modems and Huawei), 102 (Motorola), 121 (Ubiquiti Alien router), 123 (LevelOne, Sitecom, Comfast), 127 (Mercku), 168 (Sonicwall), 178 (used by FRITZ!Box), 218 (Firewalla), 223 (Trendnet), and 254 (D-Link, Actiontec).
In September 2018, malware was found looking for routers on the 192.168 dot 0, 1, 2, 15, 25 and 100 subnets, an extra good reason to avoid them.
If you prefer IP addresses starting with 10, then the subnets to avoid are 10.0.0.x (Netgear, Asus, Cisco, 2Wire, etc), 10.0.1.x (Apple), 10.1.1.x (Belkin, D-Link), 10.1.10.x (SMC), 10.10.1.x (Asus), 10.10.10.x (used by HooToo in their HT-TM05 TripMate Titan Wi-Fi sharing device) and 10.90.90.x (D-Link).
Some easy to remember networks would be 10.11.12.x and 10.20.30.x. That said, easy to remember should not be a priority, security should be. So, something that no one would guess, like 10.43.27.x is better. If you live at 123 Main Street, then 10.123.123.x is a great choice.
If you know of other default subnets used by routers, please send me an email.
To really live off the beaten path, you can choose a subnet between 172.16.x.x and 172.31.x.x. These too are reserved for LAN-side use only and, I suspect, used much less often than 10.something and 192.168.something. For example, I have never seen or heard of a router that uses one of these subnets by default. My guess is that they are unpopular because they are harder to remember. Then too, their subnet masks (next topic) are non-standard and there may be some routers that do not support them.
Hand in hand with picking a subnet, is the concept of a subnet mask. The mask is what defines your subnet to the router. The bad news is that subnet masks are bit (binary digit) masks and thus confusing for non-techies. The good news is that almost every home network uses the same subnet mask, so chances are that you can skip the details.
A subnet of 192.168.200.x means that all devices on the network will have IP addresses that start with 192.168.200. It also means that the network cannot contain more than 255 devices. The highest and lowest IP addresses often have special meanings, so I would limit this subnet to 192.168.200.1 (avoiding zero) through 192.168.200.253 (skipping 254 and 255). Thus, a max of 253 concurrent devices, which is enough for almost everyone.
The subnet mask for any network where the first three numbers are the same is 255.255.255.0. The 255 means that that part of the IP address is part of the subnet, the 0 means that it is not. So, 255.255.255.0 means that the first three numbers are being used to define the subnet. Thus, 192.168.1.x and 192.168.22.x and 10.11.11.x and 10.88.99.x can all use a subnet mask of 255.255.255.0 because, in each case, the first three numbers are the same and define the subnet.
A subnet mask of 255.255.255.0 is actually 24 binary ones, followed by 8 binary zeros. For this reason, you often see it referred to as 255.255.255.0/24.
The image above shows how you define the subnet for an Asus router. The subnet mask goes hand in hand with assigning the router an IP address (our next topic below).
The image above shows how to define a subnet for a Peplink/Pepwave router. The subnet mask comes into play both when defining the IP address for the router and when defining the DHCP range (more below). Note that after the subnet mask Peplink displays a slash followed by the number 24. This is nerd talk for the 24 binary ones that are the real subnet mask. The "Lease Time" is how long a device can use its router-assigned IP address. After the time has passed, it has to ask again. For now, ignore the middle section about VLANs.
THE HARD PART
Any IP address that starts with 192.168 is reserved for internal/LAN use only. Thus, you could have 192.168.5.5 and 192.168.6.6 and 192.168.33.22 all be part of your home subnet. If you do, then your router could, in theory, communicate with over 65,000 devices. In reality, you would not want to pay for a router with the computing horsepower to handle 65,000 devices. Still, for the rich people out there, you would indicate this with a subnet mask of 255.255.0.0 or 255.255.0.0/16.
IP addresses that start with 10 are even more flexible. On the low end, they can mimic the 192.168.1.x subnet and have the first three numbers all be the same, which allows for 253 devices. In the examples above, I assumed this would be the case. As before, the subnet mask would be 255.255.255.0.
On the high end, they can simply have just the 10 be same and let all the other numbers vary. In this case, 10.1.2.3, 10.4.5.6 and 10.123.123.123 are all part of the same subnet. This allows for over 16 million devices on the subnet. Don't do this. You don't need 16 million devices connected to your router. That said, this would be indicated by a subnet mask of 255.0.0.0 or 255.0.0.0/8.
On the high end, subnets between 172.16.x.x and 172.31.x.x can use a subnet mask of 255.240.0.0/12 and have over a million devices on the subnet. They should also work fine with the most common subnet mask (255.255.255.0), indicating a subnet where the first three numbers are all the same and supporting up to 253 devices. A subnet mask of 255.240.0.0 is really off the beaten path and there is a chance that a router may not even support it.
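The mask arithmetic described above, as an added example that is not part of this page: it converts a dotted subnet mask to the /N prefix length and back, counts the usable addresses for the /24, /16, /12 and /8 masks discussed here, and tests whether two addresses fall in the same subnet under a given mask. All addresses in it are the page's own examples.

```python
# Added example (not code from the Router Security page): subnet-mask
# arithmetic with plain integer bit operations, so the /N notation and the
# device counts quoted on the page can be checked rather than taken on faith.

def ip_to_int(dotted: str) -> int:
    """Convert a dotted-decimal IPv4 string such as 192.168.200.1 to a 32-bit integer."""
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]

def int_to_ip(n: int) -> str:
    """Inverse of ip_to_int."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def mask_to_prefix(mask: str) -> int:
    """255.255.255.0 -> 24. A valid mask is a run of binary ones followed by zeros."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones

def prefix_to_mask(prefix: int) -> str:
    """24 -> 255.255.255.0: the first `prefix` bits set, the rest clear."""
    return int_to_ip((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)

def usable_hosts(prefix: int) -> int:
    """Addresses in the block minus the all-zeros (network) and all-ones (broadcast) ones."""
    return (1 << (32 - prefix)) - 2

def same_subnet(a: str, b: str, mask: str) -> bool:
    """True when a and b agree in every bit the mask marks as 'part of the subnet'."""
    m = ip_to_int(mask)
    return (ip_to_int(a) & m) == (ip_to_int(b) & m)

if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.0.0", "255.240.0.0", "255.0.0.0"):
        p = mask_to_prefix(mask)
        print(f"{mask} = /{p}, {usable_hosts(p):,} usable addresses")
    # The page's /16 example: 192.168.5.5 and 192.168.33.22 share a subnet only under 255.255.0.0
    print(same_subnet("192.168.5.5", "192.168.33.22", "255.255.0.0"))    # True
    print(same_subnet("192.168.5.5", "192.168.33.22", "255.255.255.0"))  # False
```

The usable-address count for /24 comes out at 254; the page's 253 is that figure with the router's own address set aside as well.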
Within a given subnet, routers are usually assigned the number 1. There is no technical requirement for this, it's just a custom. Thus, on the 192.168.1.x subnet, the router will almost always be assigned 192.168.1.1. Likewise, on the 192.168.200.x subnet, the router is likely to be 192.168.200.1.
This custom, however, makes it easier for malware to find the router, so you are a bit safer if your router is not the number 1 device. In fact, I would avoid assigning anything to the number 1.
For example, in September 2018, malware was found targeting routers on 7 different subnets, but in each case it assumed the router's IP address ended in 1.
The second most popular IP address for a router is one that ends with 254, as shown in this Dec. 2017 article: A List of Common Default Router IP Addresses. So, 254 is out too.
Zero often has a special meaning when it comes to computer networks, so it is best not to use zero either. That leaves 2 through 253.
But, Trend Micro says not to use IP addresses ending in 100 for the router. See Protecting Home Networks: Start by Securing the Router May 18, 2017.
So, what to do?
You get the most flexibility by using either a low (2, 3, 4, 5) or high (250, 251, 252, 253) number.
The LAN side IP address of the router is always static (never changing).
To sum up: We should first pick a subnet that is off the beaten path, then pick an IP address within that subnet for the router (again one off the beaten path), then pick a range of IP addresses for DHCP. The IP address of the router has to be outside the DHCP range.
The screen shot above shows an Asus router with all default values. It assigned 192.168.1.1 to the router and lets DHCP use everything else (192.168.1.2 through 192.168.1.254). The point of this page is to make better choices.
Note: The Lease Time refers to how long a computing device can use its dynamic IP address before it has to go back to the router and ask for another one. Asus routers make you specify the time in seconds. Peplink lets you specify the time in days, hours and minutes.
At the very least, I would change the LAN side IP address of the router. But, be aware that this will impact the pool of IP addresses that DHCP can use. If, for example, the Asus router in these screen shots were assigned to 192.168.1.3, and no change was made to DHCP, then it's possible that DHCP would give 192.168.1.3 to an iPhone. That would be really bad. However, my experience has been that most routers are smart enough to automatically adjust the DHCP range on their own, when the IP address of the router is changed.
My next suggestion is to leave some IP addresses outside of the DHCP range. I say this because some devices function better with a static IP address. The two most obvious examples are a shared network printer and a NAS (Network Attached Storage) device. In the Peplink screen shot above we see that DHCP can only use 192.168.200.10 through 192.168.200.211. The remaining IP addresses can be used by devices with a static IP address. To repeat what I said earlier, when you are using DHCP reservation, it can give out any subnet IP address, except that of the router.
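The three decisions summed up above (subnet, router address, DHCP range) can be checked mechanically. This added example, not code from the page or from any router vendor, takes a proposed plan and reports which of the page's recommendations it breaks: a subnet outside the reserved LAN-only ranges, a factory-default subnet from the lists on this page, a router host number of 0, 1, 100, 254 or 255, a router address inside the DHCP range, and no addresses left over for static devices. The subnet is given in /N notation; the "good" plan's router address 192.168.200.3 is a constructed choice.

```python
# Added example (not the page's own code): apply the page's LAN-side advice to a
# proposed plan and return a list of findings. An empty list means it passes.
from ipaddress import ip_address, ip_network

# The three LAN-only ranges the page describes: 10.x, 172.16-31.x and 192.168.x
LAN_ONLY = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
# Third numbers of 192.168.x.x subnets that some router uses by default (list from this page)
DEFAULT_192_168_THIRD = {0, 1, 2, 3, 4, 5, 7, 8, 9, 10, 11, 15, 16, 19, 20, 30, 50, 55, 62, 72,
                         85, 86, 88, 100, 102, 121, 123, 127, 168, 178, 218, 223, 254}
# Default 10.x subnets from this page
DEFAULT_10 = {"10.0.0.0/24", "10.0.1.0/24", "10.1.1.0/24", "10.1.10.0/24",
              "10.10.1.0/24", "10.10.10.0/24", "10.90.90.0/24"}
# Last numbers the page says not to give the router
AVOID_ROUTER_HOST = {0, 1, 100, 254, 255}

def check_lan_plan(subnet: str, router_ip: str, dhcp_start: str, dhcp_end: str) -> list[str]:
    """Return the page's objections to a plan such as ("192.168.200.0/24", ".3", ".10", ".211")."""
    net = ip_network(subnet)                      # strict: "192.168.200.0/24", not ".x"
    router = ip_address(router_ip)
    start, end = ip_address(dhcp_start), ip_address(dhcp_end)
    findings = []

    if not any(net.subnet_of(block) for block in LAN_ONLY):
        findings.append(f"{net} is not a reserved LAN-only range (10/8, 172.16/12, 192.168/16)")
    third = (int(net.network_address) >> 8) & 0xFF
    if (net.prefixlen == 24 and net.subnet_of(LAN_ONLY[2]) and third in DEFAULT_192_168_THIRD) \
            or str(net) in DEFAULT_10:
        findings.append(f"{net} is a factory-default subnet for at least one router brand")
    if router not in net:
        findings.append(f"router {router} lies outside {net}")
    elif int(router) & 0xFF in AVOID_ROUTER_HOST:
        findings.append(f"router host number {int(router) & 0xFF} is a common default; prefer 2-5 or 250-253")
    if not (start in net and end in net and start <= end):
        findings.append(f"DHCP range {start}-{end} must lie inside {net} with start <= end")
    else:
        if start <= router <= end:
            findings.append(f"router {router} is inside the DHCP range and could be handed to another device")
        # addresses left for static devices: block minus network, broadcast, router and the DHCP pool
        spare = net.num_addresses - 3 - (int(end) - int(start) + 1)
        if spare <= 0:
            findings.append("no addresses left outside the DHCP range for static devices (printer, NAS)")
    return findings

if __name__ == "__main__":
    # The Asus factory defaults shown on the page: router .1, DHCP .2 through .254
    for f in check_lan_plan("192.168.1.0/24", "192.168.1.1", "192.168.1.2", "192.168.1.254"):
        print("-", f)
    # A plan along the lines the page recommends (router address is a constructed choice)
    print(check_lan_plan("192.168.200.0/24", "192.168.200.3", "192.168.200.10", "192.168.200.211"))
```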
Using a non-standard subnet and assigning the router a non-standard IP address makes your network safer, but it is not a perfect defense.
For one thing, a service called WebRTC, that runs inside a browser, can leak the internal IP address of the router. The Test your Router page has links to a number of online tester pages that report whether WebRTC is enabled in your web browser. If you don't use WebRTC, then you will be safer having it disabled in every web browser that you use. Many of the tester pages have instructions for disabling it. The uBlock Origin browser extension can disable WebRTC, but does not disable it by default.
All that said, should bad guys learn the LAN side IP address of the router, there are still many ways to keep them from interacting with the router. Not using a default password goes without saying, but assorted routers have other defenses such as limiting access to Ethernet connected devices, limiting access by IP address and more. A list of these other defenses is on the Security Checklist page in the LOCAL ADMINISTRATION section.
As if this wasn't enough, you will get still more security with VLANs (Virtual LANs). A VLAN is another subnet. That is, some devices connected to the router might use the 192.168.1.x subnet while at the same time other connected devices might use the 192.168.11.x subnet and still others might use the 192.168.111.x subnet. This is typically done to segment trusted devices away from non-trusted devices (typically IoT). Someone who works from home, for example, might want to ensure that no other devices in their home can communicate with, or even see, the devices they use for work.
On consumer routers, the Guest Wi-Fi network is probably implemented under the covers as a different subnet from the main network. But, consumer routers don't support real VLANs, for that you need a router with a more techie audience. A long detailed explanation of VLANs is here on the VLAN page.
One example of a router attack that depended on its IP address is a bug in D-Link routers that was reported in January 2015 (DNS hijacking flaw affects D-Link DSL router, possibly other devices). Quoting:
"A vulnerability found in a DSL router model from D-Link allows remote hackers to change its DNS (Domain Name System) settings and hijack users' traffic ... Attackers don't need to have access credentials for the affected devices in order to exploit the vulnerability, but do need to be able to reach their Web-based administration interfaces ... Rogue code loaded from a website can instruct a browser to send specially crafted HTTP requests to LAN IP addresses that are usually associated with routers."
The critical point is that using the same LAN IP addresses that everyone else does makes you more vulnerable to certain types of attacks.
The March 2017 WikiLeaks data dump, Vault 7: CIA Hacking Tools Revealed, included a page called JQJDISRUPT - WAG200G that discussed hacking a Linksys router. Of a particular attack, a CIA employee wrote: "it was determined that puppetmon.py was not going to work to get Cannoli on the Linksys target. When running puppetmon.py it eventually always returns errors. User xxx advised that it would only work if the target was in the 192.168.x.x space." The same page describes another attack that only worked if the router's IP address was 192.168.1.1.
Other attacks that need to know (or guess) the internal IP address of the router: