How to Protect your Wi-Fi LAN

Now that more and more people buy Wi-Fi DSL routers, the security risks for users grow.

Last month I read an article in an Italian magazine about this. The journalist who wrote it had run a test in Milan, Italy, to see whether users' Wi-Fi LANs are protected.
The result was that of the more than 1000 Wi-Fi LANs they tried to get access to, they succeeded on more than 85%, which is pretty impressive. A lot of people install Wi-Fi DSL routers but don't really have a clue about the risks of wireless networks.

The big difference between a cabled LAN and a Wi-Fi LAN is that on a cabled LAN someone can only get access by physically connecting to the network with a cable, and to do this they must have access to your premises. On a Wi-Fi LAN, on the other hand, someone can get access to your network and to your internet connection from a distance; and this can be very risky!

How can we protect our Wi-Fi LANs?

  1. The first thing to do is to change the default username and password on the router. A strong password is required. This way we can be sure that no one will have access to our router's settings.

  2. Set another password, which will be needed by every computer or machine that needs to get access to the network. This password must be even stronger than the first one. Prefer a WPA (or better, WPA2) key rather than WEP; it is much safer. Better still, use 128-bit encryption, which means your password has to be 13 characters long. Be sure not to use your own or your family members' names (these will be the first that people who know you will try in order to get access).

  3. In Comodo Personal Firewall, instead of adding your entire network range as a trusted zone, add only the IP address of your Wi-Fi router as trusted. This way, even if someone succeeds in getting into your Wi-Fi network, he won't have access to your computer and your personal documents. :wink:

  4. If you want to have access to other computers or machines on your network, give them a permanent (static) IP address (this can be done in the router's LAN settings) and add these IP addresses as trusted in your CPF.

PS. It can be a little annoying doing all this, but remember it has to be done only once and it will maximize your protection. ;D

by pandlouk (L)

edit: 04/02/07 (d/m/y)
It is also wise to restrict the number of computers that can connect to your LAN at the same time. This depends on the "subnet mask" of your network (LAN settings).
If you want to connect:

  1. 1 PC, change it to 255.255.255.252
  2. 5 PCs, change it to 255.255.255.248
  3. 13 PCs, change it to 255.255.255.240
  4. 29 PCs, change it to 255.255.255.224
  5. 61 PCs, change it to 255.255.255.192
  6. 125 PCs, change it to 255.255.255.128
  7. 253 PCs, leave it as it is: 255.255.255.0
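The subnet table above, as an added example that is not part of the original post: the script below recomputes it from the netmask in both directions (how many PCs a mask leaves room for, and the smallest mask that fits a given number of PCs). It uses the same accounting the table does, which is an assumption stated in the code: the network and broadcast addresses are reserved and the router takes one address, so a subnet of N addresses holds N - 3 PCs. Worth remembering that a small subnet only caps how many devices can take an address; it does not authenticate anyone, so it complements steps 1 to 4 rather than replacing them.

```python
import ipaddress

# Added example (not from the original post). Assumption, as in the guide's
# table: the network address, the broadcast address and the router's own
# address are reserved, so a subnet of N addresses holds N - 3 client PCs.
RESERVED = 3


def clients_for_mask(netmask: str) -> int:
    """PCs that fit in a subnet with the given dotted netmask, besides the router."""
    # The network address is irrelevant here; only the subnet size matters.
    net = ipaddress.IPv4Network(f"192.168.1.0/{netmask}")
    if net.prefixlen > 30:
        raise ValueError("a /31 or /32 leaves no room for a router plus a client")
    return net.num_addresses - RESERVED


def mask_for_clients(n_clients: int) -> str:
    """Smallest dotted netmask whose subnet holds the router plus n_clients PCs."""
    if n_clients < 1:
        raise ValueError("need at least one client")
    needed = n_clients + RESERVED
    size = 1 << (needed - 1).bit_length()       # round up to a power of two
    prefixlen = 32 - (size.bit_length() - 1)    # 4 addresses -> /30, 8 -> /29, ...
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefixlen}").netmask)


def build_table():
    """Rebuild the guide's table: (max PCs, netmask) for /30 down to /24."""
    rows = []
    for prefixlen in range(30, 23, -1):
        mask = str(ipaddress.IPv4Network(f"0.0.0.0/{prefixlen}").netmask)
        rows.append((clients_for_mask(mask), mask))
    return rows


if __name__ == "__main__":
    for pcs, mask in build_table():
        print(f"{pcs:>3} PCs -> {mask}")
    # A router plus 6 PCs no longer fits a /29 (5 PCs), so the next size up is needed.
    print("6 PCs need", mask_for_clients(6))   # 255.255.255.240
```

The rounding step is the whole calculation: subnet sizes are powers of two, so 6 PCs (9 addresses with the reserved ones) jump straight to a 16-address /28, which is why the table's PC counts are 1, 5, 13, 29 and so on rather than consecutive numbers.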

The one thing I do on my router is MAC address filtering and turning the broadcast off. When I first hooked up the cable modem, it took about two days for me to have three neighbors piggybacking off of my service. My simplest solution was to block all access and, through MAC addresses, allow only my computer and the one downstairs to access the network. I check my router's access table every so often and I only ever see the two computers on there. So, I guess that's another easy quick fix.

You should also change your subnet address, use at least WPA-TKIP, change the username and password used to access your router, and if you are the only one who uses the wireless connection, restrict the number of users to 1, or to the number of users that use it… :wink:

Guys, this is just a simple (but powerful) tutorial for giving maximum protection to novice users, with some simple steps.

If I had to make a complete guide then I would have to write about 30 pages, and novice users could not understand a thing :wink:

PS. Even with MAC addresses (not all routers and not all LAN cards support them) and a WPA or, better, WPA2 (encryption) key, you can't be sure that someone will not get into your network.
That’s why steps #3 and #4 are important :wink:
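Why step 2's advice about names matters, as an added example that is not part of the original thread: in WPA and WPA2-Personal the router and every client derive the same 256-bit key (the PSK) from the passphrase with PBKDF2-HMAC-SHA1, salted with the SSID, 4096 iterations. Anyone who can compute that function can try guesses offline, and a passphrase built from a family name and a year falls to a tiny wordlist. In a real attack the candidate key is checked against the MIC of a captured 4-way handshake rather than against a known PSK; the known PSK below stands in for that check, because the derivation and the size of the guess space are what decide whether the search succeeds. The SSID "HomeNet" and the name wordlist are constructed for the example.

```python
import hashlib
import secrets
import string

# Added example (not from the original thread). The derivation is the one
# specified for WPA/WPA2-Personal (IEEE 802.11i): PBKDF2-HMAC-SHA1 over the
# passphrase, salted with the SSID, 4096 iterations, 256-bit output.
SSID = "HomeNet"   # assumed SSID, constructed for this example


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """The pre-shared key that the router and every client compute from the passphrase."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def name_based_candidates(names):
    """Constructed wordlist: the guesses someone who knows the family would try first."""
    for name in names:
        yield name
        yield name.capitalize()
        yield name + "123"
        for year in range(1960, 2008):   # birth years, a common suffix
            yield f"{name}{year}"


def find_passphrase(target_psk: bytes, ssid: str, candidates):
    """Offline guess: derive the PSK for each candidate and compare. Returns the hit or None."""
    for cand in candidates:
        if len(cand) < 8:                # WPA2 passphrases are 8 to 63 characters
            continue
        if derive_psk(cand, ssid) == target_psk:
            return cand
    return None


def random_passphrase(length: int = 20) -> str:
    """A passphrase no wordlist contains, drawn from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


WORDLIST = list(name_based_candidates(["maria", "giorgio", "anna", "luca"]))

if __name__ == "__main__":
    weak = derive_psk("maria1985", SSID)
    print("name-based passphrase recovered:", find_passphrase(weak, SSID, WORDLIST))
    strong = derive_psk(random_passphrase(), SSID)
    print("random passphrase recovered:", find_passphrase(strong, SSID, WORDLIST))
```

Two things to take from it: the 4096 iterations slow each guess down but do nothing against a guess space of a few hundred names and years, and because the SSID is the salt, a router left on a common default SSID lets an attacker reuse keys precomputed for that SSID. A long random passphrase and a non-default SSID close both doors.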

Was just to add more info… :wink:

This looks like a great topic! Thanks!

If the admin doesn't want the posts to continue here, maybe this would be a good place to recommend some links to other sites that go into more detail.

(V)

Excellent idea. Anyone who has links to sites that explain Wi-Fi LANs in more detail can post them here.

PS. Posts and recommendations should continue, but remember to keep it simple, so that novice users can understand too. :wink:

@all
One of many helpful articles Part 3: Securing your WLAN
http://www.tomsnetworking.com/Sections-print-article124.php

OK, I REALLY need help. On one of the wireless laptops, I get a limited connection to the net (and it does not work at all) if I leave the firewall running. It has the little yellow flag. If I turn it off, or uninstall the firewall, it works fine. What do I need to put in the firewall so that it works?

Thanks, Jim

Try turning the firewall off, then connecting, then turning the firewall back on. What happens?

Another useful thing to do is look for an update for your wireless adapter.

Mine is an Intel and I only recently found out, pretty much by accident, that there was a driver upgrade for it. It fixed a lot of instability problems I was having. Here's the site: http://support.intel.com/support/wireless/wlan/sb/cs-005905.htm

Also, if you don't have the KB 893357 hotfix installed on your machine and you're running WPA-PSK, you might consider the Windows hotfix, which will enable you to connect using WPA2 and WPA2-PSK as well as making your WPA-PSK more stable. Here's the info and download link: Microsoft Support

I thought it might be useful to add this, as most wireless driver updates won't show in Windows Update, even if you get Windows to search for a driver update manually. I can now use WPA-PSK without any problems and everything is more secure.

Eric

Okay, so I think I'm getting the hang of this, but when it comes to this kind of thing I'd rather somebody "check my math" for me. I've been setting up a wireless home network, and with regard to step 4 above I added these rules to computer A…

ALLOW IP OUT FROM IP [Any] TO IP 192.168.1.25 WHERE IPPROTO IS ANY
ALLOW IP IN FROM IP 192.168.1.25 TO IP [Any] WHERE IPPROTO IS ANY

… where 192.168.1.25 is the static IP address of computer B. I placed them at the very top of my Network Control Rules. Am I on the right track?

Now, to get these rules I made some temporary rules using the “Define a new Trusted Network” wizard and used those as a guide (and then deleted the wizard’s rules), but assuming I’m right, I have to say I don’t quite understand why the first one is needed. Isn’t all IP OUT going to be allowed anyway, unless the specific destination is blocked?

  1. Correct

  2. Wrong. If you check the default IP OUT rule, only one type of protocol is allowed.

Thanks for the reply pandlouk. I’m not quite with you, though. Which do you mean when you say the “Default rule”? This one: Allow IP OUT [Any] [Any] where IPPROTO IS GRE?

Is GRE the protocol my comps are using to communicate with each other? Sorry, guess I’m in deeper than I thought. But trying to learn! Honestly, I don’t even know what GRE is. I’m guessing you’re just telling me I can narrow down the access even further?

Yes

For more information about Generic Routing Encapsulation check here

If you want the two computers to have full access you have to allow ANY IP and not just the GRE protocol. :wink:
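The two rules quoted above and the answer about the default IP OUT rule, as an added example that is not part of the original thread and is not Comodo's rule engine: a small first-match evaluator that mirrors the rule syntax from the thread (ALLOW or BLOCK, IP IN or OUT, FROM, TO, WHERE IPPROTO IS). It shows why the ALLOW IP OUT rule is needed when the only default OUT rule is the GRE one, why the IN rule must sit above any block-all-in rule, and that a stranger on the LAN still gets nothing, which is what trusting only the router in step 3 buys. Computer A's address 192.168.1.10, the stranger's 192.168.1.77 and the rule that a packet matching nothing is blocked are assumptions for the example; 192.168.1.25 is the static address from the thread.

```python
from dataclasses import dataclass

# Added example (not from the original thread and not Comodo's own engine):
# a first-match rule evaluator mirroring the rule syntax quoted in the thread.
# Assumption: a packet that matches no rule is blocked.
ANY = "any"


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "block"
    direction: str   # "in" or "out"
    src: str         # IPv4 address or ANY
    dst: str         # IPv4 address or ANY
    proto: str       # "tcp", "udp", "icmp", "gre" or ANY


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    proto: str


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.src in (ANY, pkt.src)
            and rule.dst in (ANY, pkt.dst)
            and rule.proto in (ANY, pkt.proto))


def evaluate(rules, pkt: Packet, default: str = "block") -> str:
    """The first matching rule decides; rules lower in the list never see the packet."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


COMPUTER_A = "192.168.1.10"   # assumed address of the computer the rules are on
COMPUTER_B = "192.168.1.25"   # the static address quoted in the thread
STRANGER = "192.168.1.77"     # assumed address of an intruder who joined the Wi-Fi

# The default IP OUT rule discussed in the thread: only GRE is allowed out.
DEFAULT_RULES = [Rule("allow", "out", ANY, ANY, "gre")]

# The two rules the poster added for computer B, in the order posted.
PEER_RULES = [
    Rule("allow", "out", ANY, COMPUTER_B, ANY),
    Rule("allow", "in", COMPUTER_B, ANY, ANY),
]

BLOCK_ALL_IN = Rule("block", "in", ANY, ANY, ANY)


def peer_verdicts(rules):
    """Verdicts for TCP traffic with computer B and from an unknown host on the LAN."""
    return {
        "tcp out to B": evaluate(rules, Packet("out", COMPUTER_A, COMPUTER_B, "tcp")),
        "tcp in from B": evaluate(rules, Packet("in", COMPUTER_B, COMPUTER_A, "tcp")),
        "tcp in from stranger": evaluate(rules, Packet("in", STRANGER, COMPUTER_A, "tcp")),
    }


if __name__ == "__main__":
    print("default rules only:     ", peer_verdicts(DEFAULT_RULES))
    print("peer rules on top:      ", peer_verdicts(PEER_RULES + DEFAULT_RULES))
    print("peer rules below block: ", peer_verdicts([BLOCK_ALL_IN] + PEER_RULES + DEFAULT_RULES))
```

With only the default rule, a GRE packet out passes but TCP to computer B is dropped, which is the answer to the poster's second question; with the pair placed at the top, both directions to B open while the stranger stays blocked; with the pair placed under a block-all-in rule, the IN rule is dead, which is why the poster was right to put them first.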

Found this article on ZDNet. It explains what GRE tunnels are and their use (your link was down, pandlouk ;)).

Thanks. I corrected the link :smiley:

I updated the guide How to Protect your wifi-Lan

Please look at the subnetting information again. The last octet isn’t supposed to be manipulated in that manner.

Assuming classical routing

1 computer & the router means that you need 2 IP’s in addition to the network and broadcast, so you need to unmask the last 2 bits => 11111100 (255.255.255.252)

2 computers & the router (plus network and broadcast) means that you need to unmask the last three bits => 11111000 (255.255.255.248), and this means that you have room in the subnet for one more node (computer, printer, NAS, whatever attaches to the network).

4 nodes & the router means that you need to unmask the last 4 bits => 11110000 (255.255.255.240), this allows for up to eight total IP’s to be in the subnet.

Normally this should be as far as you would need to go in a regular household. Granted, if you have more than 8 nodes and fewer than 16, the 224 subnet is what you need.

my 2 cents. (too much cisco stuck in my head, I guess that means the Prof did a good job…)

(R)

P.S. Of course if you throw out the classical rules and go VLSM or CIDR then all the rules change. you no longer need to reserve two IP’s.

Thanks for the info. I corrected it. ;D