  • Best configuration settings for new router

    • Author
      Posts
      • #2370344
        dmt_3904
        AskWoody Plus

        I got a new router.  I’ve read through the users’ manual to gain high level overview of what has to be done.  Seems ok, but I know I will have some questions.  I plan to copy the config in my current router & am following the advice on routersecurity.org – as much as possible. Below are just a few settings I will use, there are a lot more settings as per the users manual – but if anyone has suggestions on what to enable/disable and to look out for, I’m open to suggestions.  thanks.

        • I am not going to set up an online account or use router app.
        • Connect new router via ethernet cable, manually configure with laptop.
        • Change the SSID and password first.  I’d like to keep the same pw & ssid as my current network – so I would make up a new ssid temporarily and change it to the current one once I’ve disconnected old router.
          Set up Guest Network with unique ssid  & pw
        • Turn off UPnP, WPS, remote access, check for firmware update, set WPA3.
        • I have NAT turned on in my router- should keep it on in new router? I thought NAT was a good thing to have enabled.
        • Can I change new router lan ip’s to duplicate lan ip’s, subnet mask, range, etc from current router?  I want lan ip’s that are not the common ones used (192.168.x.x)
        • Run shields up b4 putting devices on new router.
        • I’ve never changed my DNS settings or done MAC address filtering- not sure I need to do that??? I know it offers more security, but I’m not familiar with either of these configurations.
        • Any firewall settings that I should update?
        • This topic was modified 1 week ago by dmt_3904.
      • #2370360
        PaulK
        AskWoody Lounger

        I’m not an expert here, but this will get you started. I hope. Bullets in order.
        The below is for your doing configurations while others are still on-line on existing router.
        2 – I assume that you mean ONLY to the LAN side; no connection to the modem yet.
        3 – If you first turn off the wireless, and have nothing else connected wired, you don’t need to use temporary SSIDs. You may wish to postpone Guest setup until everything else is working.
        4 – Firmware update will be easiest (and may only be possible) if you wait until you are connected to the modem; see (7, below). I don’t know the status of WPA3; consider using WPA2 first as it is more common. Use the ‘one change at a time’ approach.
        5 – Yes. Without NAT (unless you are piggybacking routers) you have a switch, not a router.
        6 – Yes. No one else is ‘live’; see (3) above.
        7 – Sequence here, for cleanest run: a) shut down computer, power down router and modem; b) disconnect existing router from modem, and connect new router to modem; c) power on modem, wait for it to come up fully; d) power on router, and wait for it too; e) boot the computer.
        Verify that you can get online. Do whatever testing you want to. Update router firmware; run ShieldsUp.
        Connect other wired devices; test. Turn on wireless; test. If everything is OK, you’re in business! Unless you must, postpone other changes until everyone is satisfied for a few days.
        8 – Not all routers have settable DNSs. If both yours do, match them. Otherwise, no change. On MAC filtering, again, unless you already are using it, ignore it for now.
        9 – No.

        Note: The modem will ‘see’ only the first device that it detects after it is initialized. Therefore it must be power-cycled in order for the new router to be ‘communicatingly’ connected. If you need to revert to the old router, you’ll need to cycle the modem again.

        • #2370544
          dmt_3904
          AskWoody Plus

          2 – I assume that you mean ONLY to the LAN side; no connection to the modem yet.
          >>YES. I will not go online until it’s completely configured.

          3 – If you first turn off the wireless, and have nothing else connected wired, you don’t need to use temporary SSIDs. >> I still think it’ll be best to set up temp SSID – then I don’t have to disconnect all my devices or worry about a conflict, it’s easy enough to change the ssid. I also have to go online to check firmware update – so I don’t want to have same ssid’s or any connected devices if the firmware isn’t updated.

          You may wish to postpone Guest setup until everything else is working. >> OK good suggestion.

          4 – Firmware update will be easiest (and may only be possible) if you wait until you are connected to the modem; see (7, below). I don’t know the status of WPA3; consider using WPA2 first as it is more common. Use the ‘one change at a time’ approach. >>> I will stick with WPA2/AES.
          5 – Yes. Without NAT (unless you are piggybacking routers) you have a switch, not a router. >>>thank you for confirming.
          6 – Yes. No one else is ‘live’; see (3) above. >> ok
          7 – Sequence here, for cleanest run: a) shut down computer, power down router and modem; b) disconnect existing router from modem, and connect new router to modem; c) power on modem, wait for it to come up fully; d) power on router, and wait for it too; e) boot the computer. ok
          >> Thank you for your help and advice!
          I’ll report back once I’m done!

      • #2370396
        Paul T
        AskWoody MVP

        Fire up the router via ethernet and set a good admin password.
        Make sure “remote administration” is off. Admin should only ever be done from the local network.

        WPA3 can only be used if your other devices also support it. Stick to WPA2-AES for now.

        You can set the LAN IP to be pretty much anything you want. 192 or 10 networks are the standard for home/small business use.

        Leave DNS and MAC filtering alone. MAC filtering is a complete waste of time. DNS change is a personal thing, but I’ve never changed mine for home use.

        Leave the firewall alone – there be dragons here!

        cheers, Paul

        • #2370542
          dmt_3904
          AskWoody Plus

          Thanks Paul.

          You can set the LAN IP to be pretty much anything you want. 192 or 10 networks are the standard for home/small business use.

          I plan to use the 10 network and will duplicate what is set in my current router config (addressing, subnet, mask, range, etc.) I am assuming that will work? If not, I have to figure out the LAN IP configuration.

          Of course, I will not have both routers online at the same time!!  I will configure the new router, update the firmware and ensure it’s 100% network-ready before deactivating the current router.  Then I’ll plug in the new one, bring that up and add the devices.
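
Added example (not part of any post in this thread): a Python check for the LAN addressing plan discussed above. It confirms that a new router's IP, subnet mask and DHCP range are consistent with each other and identical to the old router's. The `LanPlan` type, the sample addresses and the short list of "common default" subnets are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 private ranges, the only ones suitable for a home LAN.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Subnets many consumer routers ship with (assumed list for this example;
# the original poster wants to avoid them).
COMMON_DEFAULTS = [ipaddress.ip_network(n)
                   for n in ("192.168.0.0/24", "192.168.1.0/24")]


@dataclass(frozen=True)
class LanPlan:
    router_ip: str
    subnet_mask: str   # dotted mask ("255.255.255.0") or prefix length ("24")
    dhcp_start: str
    dhcp_end: str


def normalize(plan):
    """Parse a plan into (interface, dhcp_start, dhcp_end); raises ValueError."""
    iface = ipaddress.IPv4Interface(f"{plan.router_ip}/{plan.subnet_mask}")
    return (iface,
            ipaddress.IPv4Address(plan.dhcp_start),
            ipaddress.IPv4Address(plan.dhcp_end))


def same_addressing(old, new):
    """True if both routers use the same IP, mask and DHCP range."""
    return normalize(old) == normalize(new)


def check_lan_plan(plan):
    """Return a list of problems with the plan; an empty list means it is sane."""
    try:
        iface, start, end = normalize(plan)
    except ValueError as exc:
        return [f"invalid address or mask: {exc}"]
    net, router = iface.network, iface.ip
    reserved = {net.network_address, net.broadcast_address}
    problems = []
    if not any(net.subnet_of(p) for p in RFC1918):
        problems.append(f"{net} is not inside an RFC 1918 private range")
    if router in reserved:
        problems.append(f"router address {router} is the network or broadcast address")
    for label, addr in (("DHCP start", start), ("DHCP end", end)):
        if addr not in net or addr in reserved:
            problems.append(f"{label} {addr} is not a usable host address in {net}")
    if start > end:
        problems.append("DHCP start is above DHCP end")
    elif start <= router <= end:
        problems.append(f"router address {router} is inside the DHCP pool")
    if any(net.overlaps(d) for d in COMMON_DEFAULTS):
        problems.append(f"note: {net} overlaps a common factory-default subnet")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    old = LanPlan("10.20.30.1", "255.255.255.0", "10.20.30.100", "10.20.30.200")
    new = LanPlan("10.20.30.1", "24", "10.20.30.100", "10.20.30.200")
    print("same as old router:", same_addressing(old, new))
    print("problems:", check_lan_plan(new) or "none")
```
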

      • #2370546
        PaulK
        AskWoody Lounger

        I’m a little fuzzy as to how the new router will have its firmware updated. Will you be downloading new firmware on the existing net, and then uploading it to the router? How will the router communicate with the router support to synchronize firmware levels?

        My experience has been that the router is connected to the modem for its updates. Note that this requires that the existing network (old router) is disconnected, and the modem and new router are power cycled.

        • #2370551
          dmt_3904
          AskWoody Plus

          I’m a little fuzzy as to how the new router will have its firmware updated. Will you be downloading new firmware on the existing net, and then uploading it to the router? How will the router communicate with the router support to synchronize firmware levels?

          My current router has auto update. I checked that box and it automatically checks for updates.  New router user manual instructions are below, so I don’t think it will be auto-update. There is also an option to manually upload firmware.  I will have to set myself a reminder to periodically check for firmware updates.  So hard to find a router that ‘checks all the boxes’!!

          Check for new firmware and update the router.  The router firmware (routing software) is stored in flash memory. You might see a message at the top of the router pages when new firmware is available. You can respond to that message to update the firmware or you can check to see if new firmware is available and update your product.

          Select ADVANCED > Administration > Firmware Update.
          The Firmware Update page displays.
          Click the Check button. The router finds new firmware information if any is available and displays a message  asking if you want to download and install it.

      • #2370559
        PaulK
        AskWoody Lounger

        This is what is baffling me.

        I will configure the new router, update the firmware and ensure it’s 100% network-ready before deactivating the current router. Then I’ll plug in the new one, bring that up and add the devices.

        The sequence implication that I am getting here is that
        – the firmware will be updated, THEN
        – the router will be plugged in

        But – the router has to be on-line through the modem in order to check and get any new firmware. Right? What am I misunderstanding?
        – – – – –
        I think that the instructions for the new router mean:
        – the router automatically checks for updates, and notifies you that one is available
        – “You can respond to that message” I think means: ‘Click here to update’
        – “or you can check” means “manual check for updates” – a la Windows.

        • #2370564
          dmt_3904
          AskWoody Plus

          Yes sorry, I see your confusion! I made a mistake in what I said.   I will have to connect the router to the network to update the firmware.  I will configure it ‘offline’.

          As for the firmware update, my current router automatically updates – without me clicking any buttons. I don’t think the new one will work that way.

      • #2370611
        Paul T
        AskWoody MVP

        You will have to disconnect your PC from your existing network to set up the new router.

        Take screenshots of the settings on your existing router.
        Connect the PC to the new router and set it up.
        Replace the old router.
        Update the firmware on the new router.

        cheers, Paul

      • #2370658
        dmt_3904
        AskWoody Plus

        Thanks for your help – both Pauls!

        I have screen shots from current router.  Not 100% the same but, I will follow advice on settings here and the basics from routersecurity.org

        I’ll disconnect from the network, configure, then follow sequence mentioned here to bring things up properly.  Going to try to work on it today.  Shouldn’t take too long…… ; )

        I’ll let you know what happens.

         

      • #2370692
        dmt_3904
        AskWoody Plus

        Ugh! Setting up the Netgear router and running into some struggles, nothing major mostly my being unfamiliar with how it works. But I have hit what I consider to be a major snag – I was not aware of this – I cannot change the router user name.  It is hardcoded – admin!!!! I have a strong password (22 characters) but I don’t like not being able to change this element. My Linksys let me change it.  Now I’m debating if I should return the router or if having a strong password is good enough.

        • #2370709
          dmt_3904
          AskWoody Plus

          Update to my post.  I think I have to just live with this flaw and the knowledge that I have a strong password.  I cannot understand why Netgear would not allow users to change this!!! But, any router I get is going to have issues.  It’s impossible to find one that ‘checks all the boxes’ of features/function that I am looking for and I am not willing/technical enough to get a commercial-grade router.  I will keep an eye out for Netgear bugs.

          I figure a router user login of ‘admin’ gives a hacker half of what they are looking for, but if the password is secure (plus said hacker would have to be within range of my network, right??), then it’s ok.  I will not enable Remote Admin.

          Any opinions/thoughts on this issue would be welcome.  It’s always something! ; )

           

        • #2370737
          Paul T
          AskWoody MVP

          It’s not unusual to have the username hard coded.
          As you have remote admin off, only people on your network will be able to try logging in and your password will be sufficient to stop them.

          cheers, Paul

          • #2370761
            dmt_3904
            AskWoody Plus

            Actually I think (hope) remote admin is off by default, I had found an article that said something about Netgear  having removed it from the firmware. But now I can’t find that article.  Users manual has instructions on how to turn it off but there is no option for it in the router.  I have no option to turn it on and off……

            • #2370823
              Paul T
              AskWoody MVP
              • #2370852
                dmt_3904
                AskWoody Plus

                Right, but this option is not there
                Select ADVANCED > Advanced Setup > Remote Management

                It is in the users manual, but there is no remote management option.  I have updated the firmware. I had seen something online that said they removed it because most users aren’t tech savvy enough to handle it and it was being exploited.  Thanks Netgear! I guess it’s also a problem if you do want to turn on remote management! You’d need to get a different router.

                I think it is true that the average user doesn’t know anything about security, their router settings, etc. and is in need of “somebody” to look out for them.  I don’t like it because I can handle this stuff and I would like the assurance that it’s not on.  I will have to contact them (and hope I get the right answer) and do more poking around online.
                I don’t think my Linksys has this option either. Thanks.

      • #2370743
        PaulK
        AskWoody Lounger

        (plus said hacker would have to be within range of my network, right??)

        Right. But: focusing on “within range” — On one of the panels of my Linksys router is the item “Access via wireless”. When unchecked, one can log on to the router only via a wired connection. Password strength then is a consideration of the likelihood that someone can get physical access to a cabled computer.

        My logon shortcut is just named ‘Router’; and access is http://192.168.1.1/ . If I key just that, the router appends some more characters.

        I don’t consider this to be particularly worrisome.

        You’ve probably seen the lengthy discussion of password leaks in the topic at https://www.askwoody.com/forums/topic/largest-password-compilation-of-all-time-leaked-online-with-8-4-billion-entries/#post-2370138 .

      • #2370907
        PaulK
        AskWoody Lounger

        I don’t think my Linksys has this option either.

        ‘this option’ being remote management.
        The User Guide for my EA6350 (ca 2015) points to http://www.linksyssmartwifi.com . There, there is this:
        So, Remote Administration is established via an on-line account, and not via a local option. Your Netgear may be different?

        • #2370931
          dmt_3904
          AskWoody Plus

          Well I called support. They cannot answer a question unless I have an account & register my device. : /

          I know for sure the setting is in the users guide for my router model, but not in the configuration options.

          https://kb.netgear.com/000063525/How-can-I-make-my-home-network-more-secure

          Found this on their website:

          Make sure that remote management access is disabled on your router. Remote Management is a feature that lets you connect to your router or gateway over the Internet when you are not at home. Most people do not need to use this feature, and it is turned off by default. We recommend keeping this feature disabled so that your router is not discoverable by devices that are not connected to your network.

          • #2370950
            Bob99
            AskWoody Plus

            Ok, I found a similarly titled article on Netgear’s site to the link posted by @Paul-T . The one I found is here, and is worded a little differently than Paul T’s.

            One possibly very important thing it says is about the wording for remote management. It may be called “Web Services Management” on some router models. So, I’m thinking you may have gone to the right place, but didn’t see the different wording that may have been there instead of the wording you were looking for.

            Below is  a partial quote from the page I found. It picks up after telling you how to log in to your router by giving you a hyperlink to that procedure. So, once you’ve logged in to your router’s interface,…

            1. After logging in, select the ADVANCED tab.
            2. Click Advanced Setup.
            3. Click Remote Management.
              Note: On some products, this option is called Web Services Management.

            Pay particular attention to that last Note after step 3. It shows wording that you may have overlooked earlier. All bolding in the quote is what is on the page, I have not added a thing at all for emphasis.

             

            • This reply was modified 4 days, 9 hours ago by Bob99. Reason: Removed a block quote block that was still present with no text
            • #2371164
              dmt_3904
              AskWoody Plus

              Thank you. I do not have “Remote Management”. I do have “Web Services” but the only option under there is to “use HTTPS only to access the router”

              No remote management option anywhere.

      • #2371469
        dmt_3904
        AskWoody Plus

        I have configured the new router, but am hesitant to make the LAN IP addressing change. It is easy enough to follow the instructions to make the change in the router, but I am concerned about creating an unforeseen technical issue I can’t handle. I believe it will be more secure than the default, so I want to do it. Below are the steps I will take, does this make sense?
        • turn wifi off on all devices. Power down router and modem
        • disconnect existing router from modem
        • connect new router to laptop with ethernet
        • back up router config to go back if changes don’t work
        • change the LAN IP addressing
        • change new router ssid to current ssid
        • power down laptop and new router
        • connect new router to the modem
        • power on modem, wait for it to come up
        • power on router, and wait for it to come up
        • boot the computer. Logon to wifi
        • logon to router via the internet.
        • verify I can get online. Test.
        • connect other wired devices; test.
        • set up Guest Network with unique ssid and put the tv/printer on there

        Also, this router has a password reset function with security questions. I was going to disable it, good or bad idea? I think it’s good that the router doesn’t allow unlimited logon attempts and without the pw reset, I guess I’d have to do a factory reset to get into the router. But I have a vague sense that this feature can be exploited, though I have no idea how! My ignorance makes me a little paranoid sometimes! 😊

        • #2371473
          Bob99
          AskWoody Plus

          Nice list, but it looks like you may have omitted two key things in the list from a security stand point, and both are passwords.

          The first password to change as soon as you get into the router’s interface is the default login password that’s been set at the factory and is probably the word “admin”. Change it to one that’s a combination of upper case, lower case, numbers and any of the myriad of special characters on the keyboard. Make it at least 12 to 16 characters long.

          Next, do the same with the wifi password…change it from the factory default, but first disable wifi so someone doesn’t try to sneak in before you get it changed. Stranger things have happened! For the wifi password, you can make it whatever you want, observing the same guidelines as the password for the router’s interface. Heck, you can make it even longer if you wish, up to whatever maximum number of characters the router will let you have for the wifi password! Just keep the character mix in mind at all times while coming up with it.

          Once you’ve added these two items to your list and completed them, you’ll then be ready to hook your new router up to your modem.

          By the way, bummer to hear that you for whatever reason definitely don’t have access to the remote admin feature, if only to be able to confirm what Netgear’s said recently from some of the posts that quote them above.

          • This reply was modified 2 days, 8 hours ago by Bob99.
          • #2371476
            dmt_3904
            AskWoody Plus

            Thank you for the feedback, Bob and confirmation on my steps. I had updated the wifi & router passwords – 20 characters each!

            By the way, bummer to hear that you for whatever reason definitely don’t have access to the remote admin feature, if only to be able to confirm what Netgear’s said recently from some of the posts that quote them above.

            Yeah it is a bummer!  But I think the remote admin feature is disabled.  The user guide says all this under that option – none of which I have, so I can’t see how it’d be active. I thought I could try to test it to verify it’s not accessible, but I don’t have an ip address or port.

            In the Allow Remote Access By section, specify the external IP addresses to be allowed  to access the router’s remote management.
            Note: For enhanced security, restrict access to as few external IP addresses as practical.
            Select one of the following:
            Only This Computer. Allow access from a single IP address on the Internet. Enter the IP address to be allowed access.
            • IP Address Range. Allow access from a range of IP addresses on the Internet.
            Enter a beginning IP address and an ending IP address to define the allowed range.
            • Everyone. Allow access from any IP address on the Internet.
            7. Specify the port number for accessing the router web interface.
            Normal web browser access uses the standard HTTP service port 80.

      • #2371508
        Paul T
        AskWoody MVP

        Don’t bother with the password reset questions if you store your password in a password manager. If they are only in your head you may need the reset questions.

        Set the wifi encryption, SSID and password to be the same as your existing router. Then your devices will automatically connect to the new router.

        cheers, Paul

        • #2371531
          dmt_3904
          AskWoody Plus

          OK sounds like a plan, thanks everyone ! I’ll be back if I have more questions or problems 😁

      • #2371795
        dmt_3904
        AskWoody Plus

        Well I successfully changed the router IP addressing and connected it to the Internet!  Yeah! The Internet actually didn’t come up at first and I got a little anxious but all I had to do was reboot the modem. Now I am running tests. I checked shieldsup on virus total because you never know when a site will become infected. It came back with one malicious entity from Antiy-AVL!!  This was on the port scanning page; the main page comes back clean.   I don’t know if it’s a false positive but it makes me a little nervous. I will try some other test sites.

      • #2371823
        dmt_3904
        AskWoody Plus

        And a big “Thank you” to everyone here for helping me. I really appreciate it! : ) Donna
