My home wireless network and convenience versus security

July 20, 2024

The (more) secure way to do a home wireless network (or networks) is relatively clear. Your wireless network (or networks) should exist on its own network segment, generally cut off from any wired networking you have and definitely cut off from direct access to your means of Internet connectivity. To get out of the network it should always have to go through a secure gateway that firewalls your home infrastructure from the random wireless devices you have to give wifi access to and their random traffic. One of the things that this implies is that you should implement your wireless with a dedicated wireless access point, not with the wifi capabilities of some all-in-one device.

When I set up my wireless network, I didn't do it this way, and I've kept not doing it this way ever since. My internet connection uses VDSL and when I upgraded to VDSL you couldn't get things that were just a 'VDSL modem'; the best you could do was all in one routers that could have the router bit turned off. My VDSL 'modem' also could be a wifi AP, so when I wanted a wireless network all of a sudden I just turned that on and then set up my home desktop to be a DHCP server, NAT gateway, and so on. This put wifi clients on the same network segment as the VDSL modem, and in fact I lazily used the same subnet rather than running two subnets over the same physical network segment.

(Because all Internet access runs through my desktop, there's always been some security there. I only NAT'd specific IPs that I'd configured, not anything that happened to randomly show up on the network.)

Every so often since then I've thought about changing this situation. I could get a dedicated wifi AP (and it might well have better performance and reach more areas than the current VDSL modem AP does; the VDSL modem doesn't even have an external wifi antenna), and add another network interface to my desktop to segment wifi traffic to the new wifi AP network. It would get its own subnet and client devices wouldn't be able to talk directly to the VDSL modem or potentially snoop (PPPoE) traffic between my desktop and the VDSL modem.

However, much as with other tradeoffs of security versus convenience, in practice I've come down on the side of convenience. Even though it's a bit messy and not as secure as it could be, my current setup works well enough and hasn't caused problems. By sticking with the current situation, I avoid the annoyance of trying to find and buy a decent wifi AP, reorganizing things physically, changing various system configurations, and so on.

(This also avoids adding another little device I'd want to keep powered from my UPS during a power outage. I'm always going to power the VDSL modem, and I'd want to power the wifi AP too because otherwise things like my phone stop being able to use my local Internet connection and have to fall back to potentially congested or unavailable cellular signal.)


Comments on this page:

From 193.219.181.219 at 2024-07-22 01:02:46:

One of the things that this implies is that you should implement your wireless with a dedicated wireless access point, not with the wifi capabilities of some all in one device.

I'd say it also implies a need for better all-in-one devices, i.e. ones that can actually handle putting those interfaces in separate subnets...

At least on the EU side, so far nothing beats Mikrotik in this regard (though I guess UniFi comes kinda close), and it's what I would generally suggest for this use case – no matter what model you pick up, it has the same RouterOS with support for multiple IP subnets, with multiple SSIDs if it's a unit with Wi-Fi, with WireGuard, with PPPoE, with OSPF and BGP, etc.

They do not have any products with DSL modems built in, however, so that'd have to go through the existing device.

or potentially snoop (PPPoE) traffic between my desktop and the VDSL modem.

I'm not sure if that's ever possible once the tunnel has been established – the Ethernet packets are unicast to the modem's MAC address and shouldn't be carried to any other device, certainly not through Wi-Fi as the AP knows exactly what MAC addresses of associated devices it's handling.

By dcortez at 2024-07-22 16:32:56:

I'd say it also implies a need for better all-in-one devices

DSL is effectively a dead technology. VDSL2-Vplus from the year 2015 was only a slight improvement on VDSL2 from 9 years prior (300 Mbit/s downstream instead of 200), and one that won't work on real-world networks: apart from length limitations, "vectoring" doesn't work with local loop unbundling. In the 9 years since 2015, it doesn't seem that any further development has happened.

There are a few DSL modems with OpenWRT support; and on some of those, the DSL feature actually works when running OpenWRT (if the closed-source modem firmware is provided). I've never actually seen one, nor do I expect to, but probably anyone could purchase them online and then drop unwanted traffic before it hits the wi-fi.

DOCSIS modems, by contrast, are usually pretty locked down, so "all-in-one" probably won't usefully happen. And it's also looking stagnant, anyway: DOCSIS 3.1 from 2013 was a nice improvement, allowing for 10 Gbit/s downstream speeds; then 4.0 from 2017 only increased the upstream rates to 6 Gbit/s. I don't know whether work is still happening.

So, realistically, what we need for the future is a device that can run custom firmware and has some form of SFP port. There exist some with SFP and some with SFP+, though SFP28 is already needed for services being sold in some places (such as init7 in Switzerland). The ISP would only control the SFP module, which could thus be firewalled from the rest of one's network.

I don't necessarily view multiple devices as problematic, though. All-in-one might take up a bit less space with a bit less power usage—or it might not. It probably makes things a bit harder to debug.

From 24.6.210.76 at 2024-07-31 02:02:45:

The (more) secure way to do a home wireless network (or networks) is relatively clear. Your wireless network (or networks) should exist on its own network segment, generally cut off from any wired networking you have and definitely cut off from direct access to your means of Internet connectivity. To get out of the network it should always have to go through a secure gateway that firewalls your home infrastructure from the random wireless devices you have to give wifi access to and their random traffic.

Secure from what? Secure from convenience of using the internet? What's a "secure" gateway securing? What is the actual security goal here? I really think we should challenge these recommendations such as the separating wired from wireless or making someone jump through hoops to get internet access.

This might only be useful in places where you have very little bandwidth or are being charged on usage and want to reduce usage.

By cks at 2024-07-31 11:43:05:

In today's world of unpleasant devices, one thing you want an isolated wireless network segment for is for your devices that you need on a wireless network to talk to but you don't want them to be able to phone home to some cloud service and do undesirable things, like report your usage or randomly upgrade their firmware or fetch ads.
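As an added illustration (not part of the post or the comments), here is what the segmented layout the post considers would look like as an nftables ruleset on the Linux desktop that acts as gateway: the dedicated wifi AP hangs off a second interface with its own subnet, only explicitly configured wifi clients are NATed out (the "only NAT specific IPs" policy from the post), the "unpleasant devices" from this comment can talk to the gateway but never reach the Internet, and nothing on the wifi segment is ever forwarded toward the VDSL modem segment or the PPPoE session. Every concrete name and address is an assumption: `ppp0` for the PPPoE session, `eth0` for the modem segment, `eth1` for the wifi AP, `10.0.1.0/24` for the wifi subnet, and the host addresses in the two sets are made-up examples.

```nft
#!/usr/sbin/nft -f
# Added example (not from the post): a Linux gateway ruleset for the segmented
# wifi layout. Interface names, subnets and host addresses are assumptions.
flush ruleset

define wan      = ppp0          # PPPoE session to the ISP, carried over eth0
define modem_if = eth0          # segment shared only with the VDSL modem
define wifi_if  = eth1          # second NIC; the dedicated wifi AP hangs off it
define wifi_net = 10.0.1.0/24   # the wifi segment's own subnet

table inet filter {
    # Wifi clients that have been explicitly configured and may go out to the
    # Internet; anything that merely shows up on the segment is not in here.
    set wifi_nat_ok {
        type ipv4_addr
        elements = { 10.0.1.10, 10.0.1.11 }
    }
    # Devices we want to talk to locally but that must not phone home.
    set wifi_local_only {
        type ipv4_addr
        elements = { 10.0.1.50 }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # The gateway offers DHCP and DNS to the wifi segment, nothing else.
        # (DHCP discover comes from 0.0.0.0, so no source check here.)
        iifname $wifi_if udp dport { 67, 53 } accept
        iifname $wifi_if tcp dport 53 accept
        # Rules for the gateway's own services on the wired side go here.
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Anti-spoofing: only the wifi subnet's own addresses may arrive
        # over the wifi interface.
        iifname $wifi_if ip saddr != $wifi_net drop
        # Local-only devices are dropped explicitly (even if someone later
        # adds one to wifi_nat_ok by mistake); configured clients may go out.
        # Nothing else is forwarded, so wifi traffic never reaches the modem
        # segment ($modem_if) or any wired LAN behind this gateway.
        iifname $wifi_if oifname $wan ip saddr @wifi_local_only drop
        iifname $wifi_if oifname $wan ip saddr @wifi_nat_ok accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Source NAT only for the configured clients, onto the PPPoE address.
        oifname $wan ip saddr @wifi_nat_ok masquerade
    }
}
```

Load it with `nft -f` and enable `net.ipv4.ip_forward=1`; the `established,related` rule in `forward` lets return traffic back in. Because the AP sits on its own physical segment behind `eth1`, the PPPoE frames exchanged between the gateway and the modem on `eth0` are never visible to wifi clients at all, and the `forward` chain's drop policy is what stops an IP-level detour to the modem's management address.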

Written on 20 July 2024.
Last modified: Sat Jul 20 22:46:13 2024