Wednesday, May 14, 2025

Advanced Home Networking: Tips, VLANs, Pi-Hole & VPN


Level Up Your Home Network: Advanced Tips and Tricks

Want to do more with your home network? Maybe you already have a NAS, a home server, or a collection of smart devices and want to take control. This guide offers advanced networking tips to enhance your home setup.

Beyond the Basics: Alternative Router Software

Is your router decent, but you wish it had more advanced features? You don’t always need a new router or a custom build. Alternative software can significantly expand your router’s capabilities.

  • OpenWrt: A long-standing open-source project compatible with various router models. It’s continually updated and offers powerful features.
  • DD-WRT: Once a popular option, but it hasn’t seen updates in quite some time.
  • Tomato/FreshTomato: Tomato is long gone, but FreshTomato is a maintained variant.
  • Asuswrt-Merlin: Exclusively for Asus routers, this firmware retains the original interface while adding enhanced features and settings. It’s beginner-friendly for custom firmware.

OpenWrt is the most powerful, supporting VLANs and advanced Quality of Service (QoS) like Smart Queue Management, but its installation can be tricky and has a steeper learning curve.

Separating Your Network: Dedicated Hardware

Professional networks often use separate devices for each task: access points for Wi-Fi, switches for Ethernet connections, routers for internet connectivity, and dedicated firewalls.

While more complex than an all-in-one router, this approach offers benefits, especially with many devices.

To experiment cheaply, put your current router (or mesh system) into access point mode and install an open-source router operating system on a spare computer or a mini PC (such as a Raspberry Pi). OpenWrt works well on a Raspberry Pi, but pfSense or OPNsense, installed on a mini PC with an Intel or AMD processor, offer more functionality. The requirements are at least two Ethernet ports and a decent processor; additional ports can be added to a Raspberry Pi via a HAT.

Then, use a switch to connect both your existing router (acting as an access point) and the new router. Connect the internet cable to the new router’s WAN port. Configure OpenWrt to use the two ports as WAN and LAN.

The hardware in a mini PC significantly outperforms consumer routers and supports advanced security features.

VLANs: Segmenting Your Network for Security

If you use guest networking, you’re already familiar with VLANs. VLANs separate network traffic for different purposes and are configured on routers, switches, and access points.

VLANs isolate devices into separate address spaces with unique firewall rules. A common use case is creating a VLAN for IoT (smart home) devices.

This protects your other devices if an IoT device is hacked or contains malware and allows you to block internet access for devices that don’t need it.

For example, you can block internet access for cameras that would otherwise connect to their manufacturers’ servers, mitigating the risk from a compromised camera. A local-only alternative is to run Home Assistant or Scrypted and expose the cameras through Apple’s HomeKit for remote control and management. VLANs are integral to this setup and improve security.

Another common use is a demilitarized zone (DMZ) for servers exposed to the internet, like a Minecraft server. A DMZ-VLAN secures the server by preventing it from accessing the rest of your network.

VLAN setup depends on your router’s operating system. Search online for specific guides for your system.

For Ethernet-connected gadgets, use a managed switch with a network-accessible operating system. Ubiquiti’s Unifi is popular and offers switches and access points to create separate wireless networks with different VLANs. This extends guest networking to a more advanced level, allowing custom rules for device communication with the internet and other networks.

For example, three Wi-Fi networks can be configured, where two of those networks are virtual and connect to a specific VLAN: one for family devices, one for smart home devices, and one for guests. Smart home hubs can be connected via Ethernet to a managed switch, assigning those ports to the smart home VLAN.

In this setup the smart home devices often have no internet access at all, communicating with the regular network via Multicast DNS (mDNS) so that Apple’s HomeKit can exchange updates with them.
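The IoT and DMZ segmentation described above, written as OpenWrt UCI configuration. This is an added example, not configuration from the article; it assumes the mini-PC layout from the dedicated-hardware section (eth0 = WAN, eth1 = LAN trunk, default lan/wan interfaces already present) and the VLAN IDs, subnets and zone names shown are my own choices.

```uci
# /etc/config/network (fragment). Assumed: eth1 is the LAN trunk to the
# managed switch/AP, which tags VLAN 20 (IoT) and VLAN 30 (DMZ) on it.
config interface 'iot'
	option device 'eth1.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

config interface 'dmz'
	option device 'eth1.30'
	option proto 'static'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'

# /etc/config/firewall (fragment): restrictive zone policy, then exceptions.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'dmz'
	list network 'dmz'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Trusted LAN may open connections to IoT devices (replies pass via conntrack).
# Deliberately no iot->wan forwarding: IoT devices get no internet.
config forwarding
	option src 'lan'
	option dest 'iot'

# DMZ gets internet only; no dmz->lan, so a hacked server cannot reach the house.
config forwarding
	option src 'dmz'
	option dest 'wan'

# Isolated zones still need DHCP and DNS from the router itself
# (duplicate this rule with src 'dmz' for the DMZ).
config rule
	option name 'iot-dhcp-dns'
	option src 'iot'
	option dest_port '53 67'
	option proto 'tcp udp'
	option target 'ACCEPT'
```

mDNS is link-local multicast and does not cross VLANs by itself, so HomeKit discovery across the lan/iot boundary needs an mDNS reflector (avahi-daemon with reflection enabled on OpenWrt, or the Multicast DNS option on UniFi networks).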

Pi-Hole: Network-Wide Content Blocking

Install content blockers on your phones and computers to block ads and tracking. For devices like TVs that lack such capabilities, use Pi-Hole.

Pi-Hole is a local DNS server that blocks unwanted domains. Add blocklists for advertising, tracking, malware, and pornography. Pi-Hole has minimal system requirements and is well suited for older Raspberry Pi models.

After setting up Pi-Hole, block devices from using other DNS servers with your router’s firewall.

Create two firewall rules: one blocking TCP and UDP traffic on port 53, and another allowing the same traffic to Pi-Hole. The precise steps differ by manufacturer.

On Asus routers, go to "Network Services Filter" under "Firewall." Enable the function and set the filter table to "Allow List." Add rules that allow all traffic except TCP and UDP on port 53, plus a rule that allows port 53 traffic to the Pi-Hole only.

Set the router to use Pi-Hole’s IP address as DNS under WAN and for DHCP devices under LAN > DHCP Server.

Devices with hardcoded DNS servers won’t work, since the rules only block connections and don’t forward DNS traffic to Pi-Hole. Asuswrt-Merlin can redirect all DNS traffic to Pi-Hole. Set "Global Filter Mode" to "Router" and exclude Pi-Hole’s IP address.

Some devices bypass DNS with DNS over HTTPS (DoH), rendering port 53 blocking ineffective. You can partially mitigate this with a blocklist of DoH servers, but this is an ongoing process.
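The same two approaches (plain port-53 blocking, and the redirect that Asuswrt-Merlin's router mode performs) as OpenWrt UCI configuration, for a router built as in the dedicated-hardware section. This is an added example, not from the article; it assumes the Pi-Hole sits at 192.168.1.2 in the lan zone and that the isolated iot zone from the VLAN section exists.

```uci
# /etc/config/firewall (fragment). Assumed: Pi-hole at 192.168.1.2 on lan.

# 1. Plain blocking: LAN clients may not send DNS straight to the internet.
config rule
	option name 'reject-dns-to-wan'
	option src 'lan'
	option dest 'wan'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'REJECT'

# 2. The isolated IoT VLAN may reach only the Pi-hole on the LAN, only for DNS.
config rule
	option name 'iot-dns-to-pihole'
	option src 'iot'
	option dest 'lan'
	option dest_ip '192.168.1.2'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

# 3. Catch hardcoded resolvers: any port-53 packet from the LAN is DNAT'ed to
#    the router's own dnsmasq, which only forwards to the Pi-hole. The Pi-hole
#    itself is excluded, otherwise its upstream queries would loop back into it.
config redirect
	option name 'hijack-dns'
	option src 'lan'
	option src_ip '!192.168.1.2'
	option src_dport '53'
	option proto 'tcp udp'
	option target 'DNAT'

# /etc/config/dhcp (fragment): router resolves only via the Pi-hole and hands
# the Pi-hole out directly to DHCP clients (DHCP option 6 = DNS server).
config dnsmasq
	option noresolv '1'
	list server '192.168.1.2'

config dhcp 'lan'
	option interface 'lan'
	list dhcp_option '6,192.168.1.2'
```

Queries caught by rule 3 reach the Pi-Hole with the router as their source, so per-device statistics are lost for those clients; and, as noted above, none of this touches DoH traffic on port 443.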

VPN Server: Secure Remote Access

Want to access your NAS or home server remotely? Opening ports is risky due to constant bot scanning.

Run your own VPN server, opening only one port for it. Some routers have built-in VPN servers, providing secure access to your home network.

PPTP and L2TP are older protocols. Use OpenVPN or Wireguard.

Newer Asus routers have a built-in VPN server. Setting up Wireguard provides secure access to your home network without routing all traffic through the tunnel.

The Wireguard app displays a QR code for easy connection. The settings can be exported for devices without QR code support.

Setting "Allowed IPs (Client)" to 0.0.0.0/0 routes all traffic through the tunnel, functioning like a commercial VPN service. This is useful for browsing as if you’re at home or using your Pi-Hole server remotely.
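A client-side Wireguard configuration showing the split-tunnel and full-tunnel choices described above, plus the matching server-side peer entry. This is an added example rather than a file exported by an Asus router; the addresses, the host name home.example.net, and the key placeholders are assumptions.

```ini
# wg-home.conf (client side; importable by the WireGuard app or wg-quick).
# Assumed: home LAN 192.168.1.0/24, IoT VLAN 192.168.20.0/24, Pi-hole at
# 192.168.1.2, tunnel subnet 10.8.0.0/24, server at home.example.net.
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY_PLACEHOLDER>
Address = 10.8.0.2/32
# Resolve through the home Pi-hole while the tunnel is up.
DNS = 192.168.1.2

[Peer]
PublicKey = <SERVER_PUBLIC_KEY_PLACEHOLDER>
# The single UDP port opened on the home router.
Endpoint = home.example.net:51820
# Split tunnel: only the home networks (and other tunnel peers) go through
# the VPN; all other traffic leaves the device directly.
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24, 192.168.20.0/24
# Full tunnel: use this line instead to behave like a commercial VPN service.
# AllowedIPs = 0.0.0.0/0, ::/0
# Keeps the NAT mapping alive behind mobile carriers.
PersistentKeepalive = 25

# --- Server side, separate file (e.g. /etc/wireguard/wg0.conf on the router) ---
[Interface]
PrivateKey = <SERVER_PRIVATE_KEY_PLACEHOLDER>
Address = 10.8.0.1/24
ListenPort = 51820

# One [Peer] per client. Here AllowedIPs means "which source addresses this
# peer may send through the tunnel", so it must be the client's own /32,
# never 0.0.0.0/0, or any client could spoof traffic as any address.
[Peer]
PublicKey = <CLIENT_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.8.0.2/32
```

With the split-tunnel setting, DNS still travels through the tunnel to the Pi-Hole, so ad and tracker blocking works remotely without sending all traffic home.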
