Hello, this is my first post, I hope you like it
#Starting
- Recycle your ISP router.
- Use a custom router, with the hardware you need and that is configurable (example: openwrt, routers, pfsense, ..)
- Use at least CAT6 Ethernet cabling and Gigabit equipment (1000Mbps). The more Ethernet sockets you have at home the better ;)
- If you have a service under CG-NAT, call to have it removed.
#Local network
- You can create a second local network for your other devices/tests with another addressing, and a different security. Both via Ethernet and WiFi.
- Configure your DHCP service (pool, dns) well.
- You can assign a static IP to your devices by their MAC or use MAC filtering.
- The ping on your local network has to be very low and stable on an Ethernet connection between computers.
#Wireless
*Remember that if you use your ISP's Router, you will still be vulnerable to known WiFi attacks.
- Change your SSID and set a strong enough password. Disable WPS.
- Disable WPA security (if you don't have older devices that need it). Use, for example, WPA2 PSK with AES CCM encryption, there are many more and better options.
- Create a guest network for other devices and make sure traffic is not seen with your local network.
- To optimize your Wi-Fi network, check the Band, Channel Width, Frequency, Wireless Protocol, WPS, WMM, ...
- If you have the option, it is better to use one device as a Router and another as an Access Point.
- Avoid using WiFi repeaters, they only cause problems. Use Ethernet cable + AP.
#Firewall
- You can prevent certain computers on your local network from going out to the Internet in addition to countless rules to allow, block or forward traffic from computers or networks.
- Avoid using NAT (open ports), if you want to access the devices in your home, first establish a VPN tunnel and then access the computer.
#VPN
To go online with VPN<
- Use a paid VPN service that supports Wireguard or whatever protocol you can configure.
- If you have a dedicated router, use only a single Internet outlet per VPN (this ensures that no other traffic will have a route to the Internet if the VPN is not working).
- You can create both a wired network and a WiFi network with Internet access only through VPN.
To connect to home<
- Set up a VPN service on your router with Wireguard (if possible), it's easy, secure and consumes less resources. You will have better performance than ovpn, l2tp/ipsec, pptp,...
- By configuring the VPN you will be able to access all the devices on your local network in a more comfortable way.
#Others
- Remember again to avoid using the ISP router, as an operator can enter the router. Even if you use DMZ or 'bridge mode', the equipment is still there.
- Analyze the traffic that goes out to the Internet, check the destination addresses to which your devices connect. Check router uptime, connections, ...
- Monitor the network with a Zabbix-type service, using an agent, snmp service, or a simple ping...
- Change the router username and password.
- Activate only the necessary services of the router, it is not necessary to have all of them (ssh, www, api, telnet, ftp, upnp, smb, ..), especially if they are not updated.
- Use a system that has constant firmware updates (e.g. openwrt, routers, pfsense, etc.)
- If you have data transfer problems between computers, analyze their performance (cpu, ram, disk, ethernet). Also do it at the same time with your router.
- Check internet access speeds with and without VPN (ping, bandwidth) -Check logs..
Enjoy it!
#it'll make them a proper a heading. I'd consider using####so the headings aren't so big too given you don't have subheadings.