Monday, January 12, 2026

Secure Your Home Network: Watertight Compartments

This post is the third in a series on how to make your home network harder to attack.  Here are links to posts one and two.

Post two introduces the concept of a firewall, a device that lets you connect to the Internet without letting the Internet connect to you.  Firewall technology comes embedded in your Internet provider's device, such as a cable TV modem.  A recent article compares a number of these devices.

If you look at the device it will look a lot like this:


The red-colored connection goes out to the Internet; the yellow ones go to your devices (as does the WiFi).  This one has a connection for a landline telephone as well (ask your parents, kids).

Installing the device is really simple: red (labeled "WAN") goes to the outside, which is untrusted, and yellow/WiFi go to your own devices, which are trusted.

Except nothing is as simple as that.  Your Internet provider actually owns the firewall device; it's not really yours.  Some providers run their own WiFi network for other subscribers who happen to be passing by - Verizon is notorious for this, and you will often find all sorts of WiFi networks called "VerizonXYZ" or some such.

So who is outside the firewall, and who is inside?  The question may sound pedantic, but it's terribly important.  Fortunately, there is something you can do about this.

Ships used to sink all the time, but this is pretty rare these days.  One major reason is that they are divided into watertight compartments: if the ship hits a rock (or, like the Andrea Doria, gets rammed by another ship) only one compartment will flood and the ship can likely make it to port.

USS South Dakota under construction

The network security analog of this idea is to use more than one firewall.  Don't trust your provider's firewall? (And you really shouldn't.)  Buy your own and hook it up to your provider's firewall.  The red (WAN) port on your firewall gets connected to an internal (yellow) connector on the provider's firewall.  Now anyone the provider's firewall lets in can't get past your firewall.

And it really is your firewall, although you'll have to buy it with cash money.  Your devices connect to your firewall's yellow network connections, or to your firewall's WiFi (NOT your provider's firewall's WiFi).

Now you don't have to trust your provider because their device doesn't have access to your internal "watertight compartment".
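Two routers in a row is the home version of a watertight compartment, and the one thing that reliably breaks it is two networks using the same address range: if your own router hands out the same 192.168.1.x addresses the provider's router uses, traffic can't tell inside from outside. The script below is an added example (not code from the original post or from any router vendor): it flags overlaps between the provider router's LAN, your own router's LAN, and any ranges a work VPN pushes to your machines, and suggests a clean range for your own router. Every address range in it is a constructed sample; the real values come from your two routers' settings pages.

```python
# Added example (not from the original post): sanity-check the address plan for a
# nested-router ("watertight compartment") setup.  Double-router setups break when
# two networks use the same address range, so this flags overlaps between the
# provider router's LAN, your own router's LAN, and any routes a work VPN pushes.
# All ranges below are constructed for illustration; check your own routers.
from ipaddress import ip_network

# Candidate LANs for your own router, tried in order (constructed, arbitrary
# choices inside the private ranges reserved by RFC 1918).
CANDIDATE_LANS = ("192.168.50.0/24", "192.168.100.0/24",
                  "172.16.50.0/24", "10.55.55.0/24")


def overlapping_pairs(networks):
    """Return (name_a, name_b) for every pair of named CIDRs whose ranges overlap."""
    parsed = {name: ip_network(cidr, strict=False) for name, cidr in networks.items()}
    names = sorted(parsed)
    return [(a, b)
            for i, a in enumerate(names)
            for b in names[i + 1:]
            if parsed[a].overlaps(parsed[b])]


def check_plan(isp_lan, own_lan, vpn_routes=()):
    """List the problems with an address plan; an empty list means it is clean.

    isp_lan    - the LAN handed out by the provider's router (your router's WAN side)
    own_lan    - the LAN your own router hands out to your trusted devices
    vpn_routes - ranges a work VPN routes through its tunnel, if any
    """
    networks = {"provider LAN": isp_lan, "own LAN": own_lan}
    for i, route in enumerate(vpn_routes):
        networks[f"VPN route {i + 1}"] = route

    problems = [f"{a} ({networks[a]}) overlaps {b} ({networks[b]})"
                for a, b in overlapping_pairs(networks)]

    # Your own LAN must be a private range; otherwise real Internet hosts in
    # that range become unreachable from inside.
    if not ip_network(own_lan, strict=False).is_private:
        problems.append(f"own LAN {own_lan} is not a private (RFC 1918) range")
    return problems


def pick_own_lan(isp_lan, vpn_routes=(), candidates=CANDIDATE_LANS):
    """Return the first candidate LAN that is clean against the provider LAN
    and the VPN routes, or None if every candidate collides."""
    for candidate in candidates:
        if not check_plan(isp_lan, candidate, vpn_routes):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed scenario: the provider router uses 192.168.1.0/24, your own
    # router was left at a factory default of 192.168.1.0/24, and a work VPN
    # pushes a route for 10.0.0.0/8.
    for problem in check_plan("192.168.1.0/24", "192.168.1.0/24", ["10.0.0.0/8"]):
        print("PROBLEM:", problem)
    print("suggested LAN for your own router:",
          pick_own_lan("192.168.1.0/24", ["10.0.0.0/8"]))
```

Run it once with the ranges from your provider's router and your own router's settings page (and your VPN client's route list, if you use one for work); an empty problem list means the two compartments really are separate address spaces.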

Linksys, Netgear, and TP-Link are low-cost options, running $30 - $70 or so.

The first thing you should do is replace your firewall's operating system with dd-wrt:

DD-WRT is a Linux based alternative OpenSource firmware suitable for a great variety of WLAN routers and embedded systems. The main emphasis lies on providing the easiest possible handling while at the same time supporting a great number of functionalities within the framework of the respective hardware platform used. 

Here's a step by step tutorial on how to install dd-wrt on a Netgear device:

[UPDATE: Rick T in the comments says to check the dd-wrt website before buying a device, to make sure that the software supports that particular hardware.] 

Why go to this hassle?  Product longevity.  Consider a $60 Netgear device.  The profit margin on this to Netgear is probably $5.  You can't pay for a lot of enhancements or security bug fixes with that.  DD-WRT is an open source project with a bunch of passionate contributors.  I like my chances of having viable, supported software five years down the road with them.  Not so much the device manufacturers.

So now you have a device you can trust for the long term.   We're not done yet, because there's all sorts of new tech evil that people want to use - Ring doorbells, Alexa, etc.  That's tomorrow.

9 comments:

  1. This comment has been removed by the author.

  2. An important note: Don't listen to a Best Buy employee who claims you can't run nested routers. I've been doing exactly what Our Host recommends for decades without an issue. I have two nested routers to give an untrusted wired network outside my trusted network. Gateway>External router (untrusted networks)>Internal router(trusted networks). The only issue is making sure your internal networks use IP address ranges that are different from the one offered by the ISP's router (and different from your employer's internal network addresses too if you are using a VPN for work).

  3. I, too, run nested. My Verizon-supplied router is backed by my Asus router to which I make my connections.

  4. One warning: Check the DD-WRT web site before you buy a new router to be sure it supports the reload. Not all routers are supported.

  5. Minor nit-pick; the Andrea Doria sank. The Stockholm, the ship that collided with the 'Doria, made it to port, minus its bow section. As a retired Coast Guardsman I get your point about watertight integrity though.

  6. I am using a pair of TP-Link CPE710s to link my house to my Ham shack. dd-wrt does not support them but Openwrt does. Borepatch, what is your opinion of Openwrt?

  7. You lost me at Linux, that is way too much for me to comprehend.

    Replies
    1. You should not be afraid of dd-wrt using Linux as it is completely hidden behind a good UI (User Interface). There are a number of network "appliances" that run Linux and you would never know that they do.

