Our Home Network
Disclaimer: I assume if you are reading beyond this point, then you are more advanced than the typical consumer. Every home, its spectral environment, and the number and needs of wired and wireless connected devices will differ. The best practices that I describe below will differ by the number of gateways, your hardware vendor, your firmware source and version, and the country in which you live.
Updated: A weakness was found in the WPA2 security protocol used by almost every modern phone, computer and router. This is called a KRACK attack. You should update your firmware and also disable EAPOL Key Retries to protect your network against KRACK attack against unpatched clients.
Choosing Your Wireless Router
For detailed wireless router hardware reviews, here are some great online resources:
Here is our family’s situation:
- We have a multi-story, 4000sf home on several acres of land so wireless coverage is an issue for us but interference by our neighbors isn’t
- We have over 50 connected devices on our home network
- A number of those devices need continuous amounts of bandwidth including 4K video settops, game consoles, and HD video cameras
In our home, we use three access points. One is on each floor, at alternating ends of the house. You should use the fewest number of APs to minimize wireless client hand-offs between APs.
We use three traditional, stand-alone wireless routers, rather than a wireless system. I selected Netgear Nighthawk X4S AC2600, a Qualcomm chipset-based router, because they are the fastest AP’s available today in terms of performance in the 5GHz band.[1] The Nighthawk absolutely won’t win any design awards. Two of the X4S routers are configured as access points. We use CAT-6 Ethernet to connect the AP’s to a 24-port switch and then to the router. This not only ensures the fastest possible connection between the router and the AP but also frees valuable spectrum for connections between the AP and client devices. For speed and security, we use open-source firmware, not the stock Netgear firmware. Oddly, the total price of three X4S routers is comparable to less-capable multiple-unit WiFi solutions. I would rather buy a second or third router than buy a single, more expensive router that supports more concurrent channels in a given band.
Spectrum Planning
2.4Ghz Channel Selection
Ideally, every network client would use the 5GHz band rather than the 2.4GHz band because there are fewer devices, less interference, and more throughput in that band. Microwave ovens, cordless phones, analog cameras and other 2.4GHz devices compete with WiFi for available bandwidth. Because the 2.4GHz band has longer range, wireless clients will use it when the 5GHz band is not available. In the US, there are only three non-overlapping channels in the 2.4GHz band: 1, 6, and 11.
First, I use a spectrum analyzer like WiFi Explorer for Mac to determine which channels have the least congestion. I then manually assign each router to a particular channel in the 2.4Ghz band to avoid channel overlap. Depending on how many AP’s are in use, you can select 20MHz or 40MHz. I use 20MHz because I use all three channels across the three AP’s.
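The channel-overlap rule behind picking 1, 6 and 11, worked through in code. This is an added example, not part of the post and not the output of WiFi Explorer: the scan results are constructed, and the overlap test uses a simplified model in which a 20MHz channel occupies ±10MHz around its center frequency (2407 + 5 × channel MHz). It ranks the three non-overlapping channels by the summed received power of every network that overlaps them, which is the decision the post makes by eye from the analyzer.

```python
# Constructed 2.4 GHz site-survey results (SSID, channel, RSSI in dBm);
# made-up values standing in for what a scanner would report.
SCAN = [
    ("Neighbor-A", 1, -72),
    ("Neighbor-B", 3, -80),
    ("Neighbor-C", 6, -55),
    ("Neighbor-D", 9, -78),
    ("Neighbor-E", 11, -85),
    ("Neighbor-F", 6, -83),
]

# The only set of 20 MHz channels in the US 2.4 GHz band that do not overlap.
NON_OVERLAPPING = (1, 6, 11)


def center_mhz(channel):
    """Center frequency of a 2.4 GHz channel (1-13 are 5 MHz apart; 14 is special)."""
    if channel == 14:
        return 2484
    return 2407 + 5 * channel


def overlaps(ch_a, ch_b, width_mhz=20):
    """True if two channels of the given width share spectrum.

    With +/-(width/2) MHz around each center, two channels overlap when their
    centers are closer than width_mhz; for 20 MHz that means fewer than 5
    channel numbers apart, which is why 1, 6 and 11 are the clean set.
    """
    return abs(center_mhz(ch_a) - center_mhz(ch_b)) < width_mhz


def congestion(scan, width_mhz=20):
    """Summed received power (in mW) from networks overlapping each candidate."""
    score = {}
    for cand in NON_OVERLAPPING:
        total = 0.0
        for _ssid, ch, rssi in scan:
            if overlaps(cand, ch, width_mhz):
                total += 10 ** (rssi / 10)  # dBm -> mW so strong signals dominate
        score[cand] = total
    return score


def assign_channels(scan, n_aps):
    """Least-congested non-overlapping channels, quietest first, one per AP."""
    score = congestion(scan)
    ranked = sorted(NON_OVERLAPPING, key=lambda c: score[c])
    return ranked[:n_aps]


if __name__ == "__main__":
    # With the constructed scan, channel 6 is crowded and 11 is the quietest.
    print(assign_channels(SCAN, 3))
```

The summation in milliwatts rather than dBm is deliberate: a single -55dBm neighbor on channel 6 outweighs several weak networks, which matches what a spectrum analyzer's congestion view shows.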
5Ghz Channel Selection
Wireless-AC only applies to the 5Ghz band. Where the 2.4GHz spectrum offers only 3 non-overlapping 20Mhz channels, the 5Ghz band offers theoretically as many as 25 non-overlapping 20Mhz channels, all free from interference from those microwave ovens, baby monitors and old cordless phones. These can be combined for 40, 80 or even 160MHz wide channels. The chart below shows available spectrum by channel width.
Don’t focus on 160Mhz throughput for two reasons:
- there aren’t any client devices currently available supporting that channel width and
- using 160Mhz necessarily means using lower power output (and therefore usable range) from your access point (250mW v 1W) while also avoiding weather and airport radar
That leaves 80MHz as your best choice. It is widely supported in client devices. What the chart doesn’t make clear is the maximum permitted power output: only the UNII-1 (channel 36+upper) and UNII-3 (channel 149+upper) domains are permitted as 80MHz channels at 1 watt. Many routers don’t permit users to select a channel in the UNII-2 domain. Even if your router does, it will operate at a quarter of the transmit power (250mW at best) and only if there’s no weather or airport radar detected in your area. For our third AP, in the basement, I select an 80MHz channel in the UNII-2 domain, because it covers the smallest area and is the router least likely to interfere with airport and weather radar.
If you don’t have this flexibility, then I would suggest using the chart below to select a 40MHz channel in either the UNII-1 or UNII-3 domains.
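The 5GHz plan above (36, 149 and 100, each 80MHz wide, "upper" extension) as a small planning helper. This is an added example, not code from the post: channel numbering and the DFS range (52 through 144) follow FCC U-NII naming, while the power figures (1W without DFS, 250mW with DFS) are simply the post's numbers, not a regulatory lookup; actual limits depend on your regulatory domain and the device's certification, and `VALID_20`, `BLOCKS_80`, `BLOCKS_160` and `plan` are this example's own names.

```python
# Added planning helper for the US 5 GHz band as the post describes it.
VALID_20 = list(range(36, 65, 4)) + list(range(100, 145, 4)) + list(range(149, 166, 4))
BLOCKS_80 = [(36, 48), (52, 64), (100, 112), (116, 128), (132, 144), (149, 161)]
BLOCKS_160 = [(36, 64), (100, 128)]
DFS_RANGE = (52, 144)  # U-NII-2A and U-NII-2C: radar detection required


def unii_subband(channel):
    """Map a 20 MHz channel number to its U-NII sub-band."""
    if 36 <= channel <= 48:
        return "UNII-1"
    if 52 <= channel <= 64:
        return "UNII-2A"
    if 100 <= channel <= 144:
        return "UNII-2C"
    if 149 <= channel <= 165:
        return "UNII-3"
    raise ValueError(f"channel {channel} is not a US 5 GHz channel")


def channel_block(primary, width_mhz):
    """All 20 MHz channels spanned by a width_mhz channel anchored at primary."""
    if primary not in VALID_20:
        raise ValueError(f"channel {primary} is not a US 5 GHz channel")
    if width_mhz == 20:
        return [primary]
    blocks = {40: BLOCKS_80, 80: BLOCKS_80, 160: BLOCKS_160}.get(width_mhz)
    if blocks is None:
        raise ValueError(f"unsupported channel width {width_mhz} MHz")
    for lo, hi in blocks:
        if lo <= primary <= hi:
            if width_mhz == 40:
                # A 40 MHz channel is one bonded pair inside the 80 MHz block.
                lo = lo + 8 * ((primary - lo) // 8)
                hi = lo + 4
            return list(range(lo, hi + 1, 4))
    # Channel 165 (and anything outside a bonding block) is 20 MHz only.
    raise ValueError(f"channel {primary} cannot anchor a {width_mhz} MHz channel")


def plan(primary, width_mhz):
    """Summarise what choosing (primary, width) commits the AP to."""
    chans = channel_block(primary, width_mhz)
    dfs = any(DFS_RANGE[0] <= c <= DFS_RANGE[1] for c in chans)
    pair = channel_block(primary, 40) if width_mhz >= 40 else None
    return {
        "channels": chans,
        "subband": unii_subband(primary),
        "dfs": dfs,
        # Post's figures: 1 W in UNII-1/UNII-3, a quarter of that wherever DFS applies.
        "max_power_mw": 250 if dfs else 1000,
        # "upper" means the primary is the lower channel of its bonded pair.
        "extension": None if pair is None else ("upper" if primary == pair[0] else "lower"),
    }


def page_plan():
    """The post's three-AP plan: 36, 149 and 100, each 80 MHz wide."""
    return {ch: plan(ch, 80) for ch in (36, 149, 100)}


if __name__ == "__main__":
    for ch, p in page_plan().items():
        print(ch, p)
```

Running it shows why the basement AP is the one on channel 100: that is the only one of the three whose block falls in the DFS range, so it is the one that runs at the lower power and can be bumped off its channel by a radar detection.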
Router Settings
Local Network
I always enable NAT, local DHCP, and force DNS redirection to prevent users from selecting an alternative DNS service. For the local private network, I recommend using the 10.0.0.0 block. If your ISP is already using that, then you need to either reconfigure your home gateway or use an alternative block like 10.0.1.0 or 192.168.1.0. Additionally, I prefer 30 minute DHCP leases to quickly flush the network.
For atomic clock-based network time, enable the NTP client, select your time zone, then enter a time server name, such as time.nist.gov.
I don’t use IPv6 behind my NAT for my local network. There’s no compelling need for it yet.
Third Party DNS
If your ISP’s DNS service is unstable, then Google and Cisco (OpenDNS) offer solid DNS services. In the case of Cisco, it also offers DNS-level parental controls including site and keyword blacklisting.
Google’s IPv4 DNS Servers
- 8.8.8.8
- 8.8.4.4
Cisco (OpenDNS) IPv4 DNS Servers
- 208.67.222.222
- 208.67.220.220
Wireless
The following settings apply to Qualcomm based routers like the Nighthawk X4S:
Basic Settings
- Wireless Mode: this will depend on whether you are configuring the router v the AP
- Wireless Network Mode: I use NG-Mixed (2.4GHz) and AC/N-Mixed (5GHz)
- Channel Width: I use 20Mhz (2.4GHz) and 80Mhz (5GHz). See above
- Wireless Channel: I use 1, 6, and 11 (2.4GHz) and 36, 149 and 100 (5GHz). See above
- Extension Channel: select ‘upper‘
- Wireless Network Name (SSID): choose a WiFi network name that you prefer. Use the same name for both bands so wireless clients can pick the best band based on signal strength at the device’s location
- Wireless SSID Broadcast: enable. There’s not much security value in a hidden network name; and hidden networks create connection issues for some wireless clients
- Wireless Security Mode: for residential users, only use WPA2 Personal. Never use unsecured, WEP, or WPA
- WPA Algorithms: only use AES. Never use TKIP or TKIP+AES
- WPA Shared Key: anything memorable but random so others can’t guess it
- Key Renewal Interval: 1800. This changes the encryption key every 1/2 hour
Advanced Settings
- Regulatory Domain: select your country
- TX Power: use 30dBm for 1W transmit output in UNII-1 and UNII-3 domains. Your router should not permit you to use more than 24dBm in UNII-2 domains
- Antenna Gain: 0dBi
- Noise Immunity: enable
- Protection Mode: RTS/CTS
- RTS Threshold: disable
- Short Preamble: enable
- Single User Beamforming: enable
- Multi User Beamforming: enable
- AP Isolation: disabled for your private network
- Beacon Interval: 100
- WMM (wireless multimedia) Support: enable
- Network Configuration: bridged for your private network
- Wireless MAC Filter: I don’t use this because it is easy to spoof a MAC address and a pain to manage device MACs
For more details, see here and here.
Guest Network
We always welcome our friends and guests with WiFi. But, I separate guest access from the private home network. To do this, create a virtual interface for each of 2.4GHz and 5GHz radios. Then apply the following settings:
Basic Settings
- Wireless Network Name (SSID): choose a WiFi network name that you prefer
- Wireless Security Mode: WPA2 Personal
- WPA Algorithms: AES
- WPA Shared Key: anything memorable but random
Advanced Settings
- AP Isolation: enable
- Network Configuration: unbridged with the LAN
- Masquerade/NAT: enable NAT for Internet access
- Net Isolation: enable to block access to the router and LAN
- IP Address: I recommend using the 172.16.0.0 block for your guest network because it is likely different than your private network or any IP address block used by your ISP
Be sure to enable DHCP for your guest network. Otherwise, your guests won’t have Internet access.
Security
- SPI Firewall: absolutely enable this. Filter/block as many requests as you can including ping, multicast, WAN NAT redirection, IDENT, and WAN SNMP
- Telnet: disable
- SSH: only enable it if you need it
- Remote access: absolutely disable all external access to your router
- USB services: disable all local, file sharing and media sharing services
- Enable DNScrypt and DNSSEC, if available
- Disable EAPOL Key Retries to protect your network against KRACK attack against unpatched clients
- Disable every other possible service on the router that you are not using including: dynamic DNS, DLNA, SMB, SNMP, and UPNP
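The guest-network and security checklists above, turned into a configuration audit with a weak configuration beside its corrected form. This is an added example and not the post's or any firmware's code: the key names in `ROUTER` are hypothetical stand-ins for the settings the post lists (not real firmware variable names), the values are constructed, and `audit` and `hardened` are this example's own functions.

```python
import copy
import ipaddress

# Constructed router configuration in a generic key/value form. Key names are
# hypothetical stand-ins for the post's settings; several values are
# deliberately the weak choices the post tells you to avoid.
ROUTER = {
    "lan_subnet": "10.0.0.0/24",
    "wireless": {
        "security_mode": "WPA2 Personal",
        "wpa_algorithms": "TKIP+AES",   # post: AES only
        "key_renewal_s": 1800,
    },
    "guest": {
        "security_mode": "WPA2 Personal",
        "wpa_algorithms": "AES",
        "subnet": "172.16.0.0/24",
        "ap_isolation": True,
        "bridged": True,                # post: unbridged from the LAN
        "net_isolation": True,
        "nat": True,
        "dhcp": False,                  # post: guests need DHCP
    },
    "services": {
        "spi_firewall": True,
        "telnet": True,                 # post: disable
        "ssh": False,
        "remote_admin": False,
        "eapol_key_retries": True,      # post: disable (KRACK, unpatched clients)
        "ddns": False, "dlna": False, "smb": False, "snmp": False,
        "upnp": True,                   # post: disable
    },
}


def audit(cfg):
    """Return (code, message) findings for each setting that departs from the checklist."""
    findings = []
    for name, w in (("wireless", cfg["wireless"]), ("guest", cfg["guest"])):
        if w["security_mode"] != "WPA2 Personal":
            findings.append((f"{name}_security_mode", f"{name}: use WPA2 Personal, never open, WEP or WPA"))
        if w["wpa_algorithms"] != "AES":
            findings.append((f"{name}_wpa_algorithms", f"{name}: use AES only, not TKIP or TKIP+AES"))
    g = cfg["guest"]
    if not g["ap_isolation"]:
        findings.append(("guest_ap_isolation", "guest: enable AP isolation"))
    if g["bridged"]:
        findings.append(("guest_bridged", "guest: run unbridged from the private LAN"))
    if not g["net_isolation"]:
        findings.append(("guest_net_isolation", "guest: enable net isolation to block router and LAN access"))
    if not g["nat"]:
        findings.append(("guest_nat", "guest: enable NAT or guests have no Internet access"))
    if not g["dhcp"]:
        findings.append(("guest_dhcp", "guest: enable DHCP or guests have no Internet access"))
    # The guest block must not collide with the private LAN block.
    if ipaddress.ip_network(g["subnet"]).overlaps(ipaddress.ip_network(cfg["lan_subnet"])):
        findings.append(("guest_subnet", "guest: subnet overlaps the private LAN block"))
    s = cfg["services"]
    if not s["spi_firewall"]:
        findings.append(("spi_firewall", "services: enable the SPI firewall"))
    for svc in ("telnet", "remote_admin", "ddns", "dlna", "smb", "snmp", "upnp"):
        if s[svc]:
            findings.append((svc, f"services: disable {svc}"))
    if s["eapol_key_retries"]:
        findings.append(("eapol_key_retries",
                         "services: disable EAPOL key retries (KRACK mitigation for unpatched clients)"))
    return findings


def hardened(cfg):
    """Deep copy of cfg with every audited setting moved to the post's recommended value."""
    out = copy.deepcopy(cfg)
    for w in (out["wireless"], out["guest"]):
        w["security_mode"], w["wpa_algorithms"] = "WPA2 Personal", "AES"
    out["guest"].update(ap_isolation=True, bridged=False, net_isolation=True, nat=True, dhcp=True)
    out["services"]["spi_firewall"] = True
    for svc in ("telnet", "remote_admin", "ddns", "dlna", "smb", "snmp", "upnp", "eapol_key_retries"):
        out["services"][svc] = False
    return out


if __name__ == "__main__":
    for code, msg in audit(ROUTER):
        print(f"[{code}] {msg}")
    print("after hardening:", audit(hardened(ROUTER)))
```

Run against the constructed `ROUTER` it reports six findings (mixed TKIP+AES, a bridged guest network, guest DHCP off, Telnet, UPnP and EAPOL key retries enabled) and none after `hardened`; the subnet check is the one that catches a guest block chosen inside the private 10.0.0.0 range.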
Other
- Quality of Service (QoS): these will be specific to your hardware vendor, firmware vendor and networked devices. Generally speaking, I give media streaming and gaming devices the highest network priority. But, with a GigE based LAN and a fast Internet connection, QoS isn’t much of an issue for us
- Dashboard/traffic analytics: other things that you should consider include regularly monitoring both your total network usage and those devices on your network that use the most bandwidth
Credit to Digital Ethereal, which has created an amazing gallery of images of WiFi in the real world.
Updated on January 17th, 2018
[1] Higgins, Tim. “NETGEAR R7800 Nighthawk X4S Smart WiFi Gaming Router Reviewed.” SmallNetBuilder, http://www.smallnetbuilder.com/wireless/wireless-reviews/32958-netgear-r7800-nighthawk-x4s-smart-wifi-gaming-router-reviewed