Get more from your home network: 5 advanced tips for the hardcore

Fancy doing something more with your home network? Or are you already up and running with a NAS device, a simple server of some kind, or a bunch of smart home gadgets you’d like to get more control over? Join us for this collection of advanced networking tips.

Other articles in this series:

• How to choose a new router and get started with important settings
• Solve your Wi-Fi problems with these smart router settings
• Protect your home network with these essential router tweaks
• More than Internet: 9 tips to maximize your home network

1. Switch to alternative router software

Do you have a reasonably powerful router but have become curious about more advanced features missing from the settings? You don’t necessarily need to buy a new router or build your own, but alternative software can go a long way.

Openwrt is one of the oldest open source router software projects, and is still being developed so that it can be installed on many router models from different manufacturers.

Long ago, DD-WRT was common, but that project has not been updated for a long time. Tomato was another popular option, but died many years ago. Freshtomato is the name of a variant that has kept going and can still be a sensible alternative.

Foundry

For users with an Asus router, there is the Asuswrt-Merlin project with the same user interface as the bundled system, but with a number of additional features and settings. It is definitely the easiest way to get started with alternative software.

Openwrt is the most capable option, with support for features like VLAN and advanced quality of service features like Smart Queue Management. However, it’s also a little trickier to install and has a steeper learning curve for beginners.

Simply Nuc

2. Separate router/firewall and Wi-Fi

Workplaces almost always use separate devices for different parts of the network, each specializing in its own task. Access points for Wi-Fi, switches to connect different devices (including the access points) via Ethernet, and a router to link the local network with the internet. Firewalls are often built into routers, but can also be separate devices.

This division obviously requires more fiddling than a combined router/switch/access point, but the setup can be useful even in homes, especially if you have many devices of different kinds.

If you’re curious and want to try it out, you can do so relatively cheaply by keeping your current router (or mesh routers if you have a set of them), set to act as an access point. Most routers have this setting.

Then you install any open router operating system of your choice, either on an old computer you have on hand or a new cheap one — Openwrt works well on Raspberry Pi, for example, but you can also go for a more advanced operating system like Pfsense or Opnsense on a mini PC with an Intel or AMD processor. All you need is at least two Ethernet connectors and a reasonably powerful processor. For Raspberry Pi, you can get an additional connector with a so-called HAT+. There are models with dual 2.5 gigabit connectors.

Finally, get a switch and connect both your old router or routers and the new router to it. The cable from the wall that you normally connect to the router’s WAN connector, you connect to a different port in the new router. In the settings for Openwrt or whatever you have chosen, you then set the two connectors to act as WAN and LAN respectively.

The hardware in a mini PC like an Intel NUC is significantly more powerful than any consumer router and makes it possible to run advanced security features, for example.

Anders Lundberg

3. Network segmentation with VLAN

If you’re using guest networking on your router today, you’ve had a taste of what’s possible with a technology called VLAN. VLAN separates traffic on the network so that it can be kept apart for different purposes. This is done at a basic level and is set up in routers, switches, and Wi-Fi access points.

By creating different VLAN, different devices can be kept separate in different address spaces and with different sets of rules in the firewall. Among home users, perhaps the most common use case is to create a VLAN for IoT — the internet of things, i.e. smart home gadgets.

This makes it easy to protect other devices in the home in case a connected device is hacked or already contains malware, and to block internet access for devices that have nothing to do with the internet.

In my own home, I’ve done this to switch off the internet for all smart home devices, such as cameras that want to connect to the manufacturer’s servers — you’ve probably heard about how Ring, for example, has repeatedly mixed up different customers’ cameras so that customers have been able to watch video from each other’s homes.

I use my cameras locally using the Home Assistant smart home center and Scrypted software, with Apple’s Homekit for remote control because I trust Apple more than various more or less unknown manufacturers. Without VLAN, this would be much more complicated, and less secure.

Another common use is a so-called demilitarized zone (DMZ) for servers that should be open to the internet. For example, say you run a Minecraft server so that you and/or your children and grandchildren can play with each other, and you want it to be accessible from outside. With a DMZ-VLAN, it’s easy to do this in a reasonably secure way by setting the firewall to prevent the server from accessing the rest of the network.

Foundry

Getting started with VLAN

Setting up VLAN isn’t really super complicated, but how you do it differs greatly in different router operating systems and a step-by-step description would take up the rest of this article. My recommendation if you are interested is to search for guides to VLAN on the system you are using, for example on Youtube.

For Openwrt, this guide from Open Source is awesome, with both video and text.

If you want to use VLAN with gadgets that connect with an Ethernet cable, it’s a good idea to get a so-called managed switch, that is, a switch with a simple operating system and settings you can access over the network.

Ubiquiti’s Unifi is a popular product line among networking enthusiasts, and in addition to such switches, it also offers Wi-Fi access points that make it easy to create separate wireless networks for devices that will use different WLANs. It works like a more advanced form of guest networking, where you set the rules for how connected devices can communicate with the internet and other parts of the network.

In my home, I have three Wi-Fi networks, two of which are virtual, each connected to a different VLAN: one for the family’s various phones and computers, one for smart home gadgets and one for guests. I also have a couple of smart home hubs connected by cable to a managed switch. In the settings of the switch, I have set those particular connectors to use the same VLAN as the wireless smart home network.

As I said, the smart home devices usually have no access to the internet and are only allowed to communicate with the regular network via something called Multicast DNS (MDNS), which in my case is required to get updates via Apple’s Homekit, for example when someone rings the doorbell.

Foundry

4. Pi-Hole for advertising- and tracking-blocking across the network

On mobiles and computers, it’s relatively easy to install content blockers that stop advertising and especially web tracking. But on TVs and other gadgets, this is rarely possible. One way to effectively protect the entire home network including such devices is with Pi-Hole.

Pi-Hole is a local DNS server with blocking of malicious, inappropriate, or unwanted domains. You add one or more links to blocklists, and Pi-Hole takes care of the rest. There are specific lists for advertising, tracking, malware, pornography, and various others. The name comes from the Raspberry Pi, and with very low system requirements, it’s a great use case for an older model of the small computer.

Stop other DNS services

When you have your own DNS server like Pi-Hole, it can be a good idea to block devices in your home from connecting to other DNS servers. You can do this with the firewall in your router.

For a traditional firewall, it involves two rules. One that blocks all traffic over TCP and UDP on port 53 and one that allows the same traffic with destination Pi-Hole. Exactly how you do this differs between different manufacturers.