My Router/Firewall Setup


I have set up my wireless router/firewall using an access list (MAC addresses of trusted computers/laptops) with WPA-PSK (password set from the GRC password generator). Previously, I had disabled DHCP and was using static IPs (matched with MACs) for the trusted computers/laptops. Due to problems with Network Manager (Linux), I have changed back to DHCP (only allowing my computers/laptops, i.e. a small range). Doing this made me review my setup :-. Is the above really necessary? As I have WPA, can I do away with the access list? I have used a non-standard IP scheme (i.e. not the default 192.168.0.1 or 192.168.1.1), and the DHCP range starts at a different number (i.e. not 2-5). I’ve been thinking, if things have been set (static rather than dynamic) on the router/firewall, is it possible for hackers to obtain this information rather than it being random? Hope that makes sense ???.


I don’t know what kind of wireless router you have, so I’m assuming all the basic functions :slight_smile:
First of all, since you already employ encryption, filtering connections based on MAC addresses should keep your wireless uplink rather safe from hackers. Even though a MAC can be spoofed, it’s gonna be hard to guess which MAC addresses you’ve allowed or not. If you also stop advertising the SSID, it’s even more secure.
Applying the above steps should make it OK to use DHCP. As a friendly tip, DHCP is there to make life easier.


Ok, I’ll keep it as it is then :). Btw, I don’t broadcast the SSID either. Having DHCP will make things easier for me as the other network I connect to uses DHCP too.


Yup… As life itself is complicated enough, anything that makes things easier is appreciated. Don’t you agree :slight_smile:
Anyways, good luck with your router/firewall setup and please return if you have any more questions or feedback.

Looking out the window, I can see Friday night coming up…

Hmm… Just how does one accomplish this, Graham?

Michele :wink:

Allow me to explain this :slight_smile:
WiFi routers for the home market are all produced with a default configuration, which varies little between the various manufacturers. They are all set up with a factory default using private addresses from the well-known address range. Routers are usually given the 1st usable address, or, and this rarely changes.
What Graham1 did to prevent his router becoming an obvious target (besides hiding his SSID and employing MAC filters) was to use a different address range that differs from the most commonly known ones. He (and anyone for that matter) can use any of the private class C addresses out there, ranging from to He can even divide his network into smaller ones using an IP scheme called subnetting. This for instance allows him to use a small 6-host network, starting practically anywhere in the range he has set for himself. This also conserves address space. Meaning since only he and his router are connected, he won’t waste the other 252 host addresses :slight_smile:

I know this is rather rough, but I hope I managed to explain to you the finer points of the wonderful world we call TCP/IP ;D
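The subnetting described in the post above, worked through in Python as an added example (not code from anyone in this thread). It uses the standard `ipaddress` module; the private /24 block `192.168.137.0/24` and the /29 carved out of it are constructed sample values, chosen only to illustrate a 6-host network away from the default 192.168.0.x / 192.168.1.x ranges mentioned earlier in the thread:

```python
import ipaddress

# Constructed sample values (not from the thread): a non-default private /24
# and a small /29 carved out of it for a 6-host home network.
HOME_BLOCK = ipaddress.ip_network("192.168.137.0/24")
SMALL_SUBNET = ipaddress.ip_network("192.168.137.96/29")

# The factory-default ranges most home routers ship with.
DEFAULT_RANGES = (
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
)


def is_private_class_c(net):
    """True when the network lies inside the RFC 1918 192.168.0.0/16 block."""
    return net.subnet_of(ipaddress.ip_network("192.168.0.0/16"))


def uses_default_range(net):
    """True when the network overlaps one of the well-known factory defaults."""
    return any(net.overlaps(d) for d in DEFAULT_RANGES)


def usable_hosts(net):
    """Usable host addresses, i.e. excluding network and broadcast addresses."""
    return list(net.hosts())


def count_subnets(block, new_prefix):
    """How many subnets of the given prefix length fit inside the block."""
    return sum(1 for _ in block.subnets(new_prefix=new_prefix))


def plan_addresses(net, dhcp_size=3):
    """Give the router the first usable address and reserve a small DHCP pool
    right after it; the remaining usable addresses are reported as spare."""
    hosts = usable_hosts(net)
    router = hosts[0]
    pool = hosts[1:1 + dhcp_size]
    return {
        "router": str(router),
        "dhcp_pool": [str(h) for h in pool],
        "spare": len(hosts) - 1 - len(pool),
    }


def lease_inside(net, addr):
    """Sanity check for a DHCP lease or static assignment: does it belong
    to the subnet the router actually serves?"""
    return ipaddress.ip_address(addr) in net


if __name__ == "__main__":
    print("private class C:", is_private_class_c(SMALL_SUBNET))
    print("default range:", uses_default_range(HOME_BLOCK))
    print("usable hosts in /29:", len(usable_hosts(SMALL_SUBNET)))
    print("/29 subnets per /24:", count_subnets(HOME_BLOCK, 29))
    print("plan:", plan_addresses(SMALL_SUBNET))
    print("lease .104 inside /29:", lease_inside(SMALL_SUBNET, "192.168.137.104"))
```

The /29 has eight addresses, of which six are usable; the router takes the first, a three-address DHCP pool (enough for the handful of laptops in the original question) sits directly after it, and two remain spare. The `lease_inside` check catches the mistake of configuring a DHCP pool or static address that falls outside the subnet the router serves, which is what an overly narrow subnet makes easy to get wrong.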

Using IP restrictions on each computer by using firewalls, along with good encryption (WPA, WPA2 and others) and a good key length, are the main preventions against hackers.

MAC address filtering and hiding your SSID are techniques used. SSID hiding is not recommended and has little effect because this is needed for your workstations to connect to the router.

Since the SSID is broadcasted by your workstations, hackers could spew out spoofed de-authentication packets to every subnet and network in the range of the wireless card, and then connect using the de-authenticated MAC address and IP address.

I suggest NEVER hiding the SSID, although changing what it is called is recommended to stop people from narrowing down what brand it is, in case of exploits.

I am not sure how many routers do this, but it seems at least some, even though they have disabled broadcasting, still broadcast the address, because the user is asking the router to break the protocol, in which broadcasting the SSID is required for the network to work.

The whole idea is to implement every protection possible without breaking connectivity. SSID hiding tends to break connectivity, while the others, while providing limited security, are worth implementing. I have stated the limits because I want people to understand the limits of each prevention technique and to know where the main strength in their setup is.

Wouldn’t SSID hiding still be preferred, as the hacker would need to find out the SSID to be able to connect? I think I can see where you’re coming from, and maybe my reply below may explain why I would want to hide my SSID.

Since the SSID is broadcasted by your workstations, hackers could spew out spoofed de-authentication packets to every subnet and network in the range of the wireless card, and then connect using the de-authenticated MAC address and IP address.

My computer/laptop is only on when I’m using it, otherwise it is switched off (as is my wireless router/firewall, unless downloading ISOs). Would the workstations only need to broadcast the SSID while connecting? Once connected, is the SSID still broadcast?


It amazes me how many people just plug their wireless router/firewall in after purchase and leave it set as the default. Funny thing is, I once installed Ubuntu 6.10 and it connected to another AP and started downloading updates automatically (whilst I was out of the room). When I came back, I had a fully updated system ;D.


It is not about how long you are connected to the wireless access point; it is about how many times you connect to the wireless access point. The computer broadcasts the SSID to connect to the wireless access point even if the wireless access point does not do the same. This is the point at which the network is visible.

There are many freely available tools that can discover hidden SSID networks. Some send out heaps of spoofed de-ack packets randomly, and when the workstation tries to reconnect the hacker can see your network.

This requires in-depth knowledge and skills to achieve. Not to mention being in range of the router and listening in on the right frequency. To be honest, I don’t think the issue of whether to broadcast or hide your SSID is gonna make a really big difference with hackers of this caliber :slight_smile:
Hiding the SSID and using MAC filters is a good start. Using encryption in addition to this is also recommended. Beyond that and you’re no longer a basic user anymore :slight_smile:

No offense Rotty, but I still believe hiding your SSID is a good thing from a security viewpoint. To be able to hack a WiFi network you need to know it’s there. And it’s better to be initially broadcasting it when connecting than having your router broadcasting it 24/7.
Besides… if you spot a spooky looking van from some bogus phone company outside in the streets, I wouldn’t really worry about my Wireless security. I’d be headed for the back door rather quickly :wink:

Well, what do you expect when DSL providers like Verizon ship their ■■■■ (Westell 327) modems out to everyone with NO info on how to configure the ■■■■ thing. It just comes with the firewall turned off, and I guess they figure every noob is just going to use the installation disk and never think anything more about it. Well, I’ll tell you… it’s all pissing me off and I’m not in a good mood about it. To put the icing on the cake, you’ve got so-called experts over at the DSL forums telling you that MEDIUM SETTINGS tight protection can be had with services like telnet enabled in the firewall rules… just copy and paste… yeah right. I might be a noob, but that didn’t sound like a good idea to me when telnet is automatically disabled in the services… UGH

I’ll have questions and I hope I can get some answers, especially now that I need to learn some about the stinkin’ modem and Comodo’s ruleset…