How to properly secure a wireless home network

I'm soon going to be setting up a wireless network for me and some buddies and (hopefully) making it secure. I have some questions and concerns regarding this and figured someone here could give me a hand and steer me in the right direction.

  • I have a WRT55AG (version 2) loaded with the factory firmware. I've heard that it's possible to load your own firmware onto routers like these. Is it worth it? What can be achieved with it?

  • I was wondering what kind of security I should use on my wireless. Ideally I would want all devices to be 'accepted', but I'm not sure how to accomplish this. I'm guessing it has something to do with MAC addresses, but I don't know the first thing about them. It would be great that ALONG WITH encryption (I'm told WPA2 is the best), every device would need to be added to a list of some sort before even being able to access the AP.

  • Another feature I was thinking of would be completely hiding my wireless from showing up on other people's computer. Is this possible (like an SSID broadcast thing). Is it worth the trouble?

  • One more option I was looking to implement would be bandwidth calculators. Ideally something in the router to measure the amount of bandwidth being used and how much has been used for that month (this has to do with bills and limits, obviously). Is it possible to throttle down speed when a certain limit is reached?

These are alot of points but I was hoping someone who has more knowledge than me in this subject could give me a hand and a few pointers. Hopefully all this is possible and I'm not dreaming :)


Ok I'll address the points that I can: Yes it is possible to upgrade, or change the firmware on your router to another type. In doing so you will gain access to a far greater set of settings that you wouldn't already have on the factory firmware. Have a look at this article for a good idea of how to do it using DD-WRT: http://www.howtogeek.com/56612/turn-your-home-router-into-a-super-powered-router-with-dd-wrt/

WPA2 is a great encryption method which basically lets anyone who knows your passphrase connect. What you are also talking about is MAC address filtering which basically adds another layer of security to the connection meaning that if you add MAC filtering to the connection then although you know the passphrase if your MAC address is not in the table you won't be able to connect. A MAC address is just basically unique identifier associated to a specific piece of hardware. You would need to know the devices MAC address before they could connect as you would have to add it to the table in the router's security settings section.

Turning off your SSID is easily possible. That way your network would not show up when a computer or device scans for available networks. People trying to connect would have to do so manually having to enter your SSID name in the connect to dialogue box. Is it worth it? Well it is just another layer of security so yes if that is what you want. Bear in mind though that any serious hacker worth their salt could bypass this without much effort.

Bandwidth calculators. If you want this then that pretty much makes the decision about point 1 for you. You will need to change the firmware on the router if you want this functionality.

I would have a read of that article above and then decide if you are comfortable doing what it suggests. Good Luck.


Some additional information to the answers already posted:

  • Yes, you should use MAC address filtering as an extra layer to dissuade casual users, however it is trivially simple to spoof MAC addresses so don't assume it will protect you from anyone with a reasonable technical skill level. All an attacker has to do is watch for other MAC addresses which connect and copy them:-)

  • Yes, DD-WRT or Tomato are well worth a look. Tomato, in particular does allow bandwidth measuring etc.

  • Hiding your SSID is mostly pointless - it does still broadcast the SSID in frames, just not the beacon frames, so any attack tool will still find it. Hidden SSID's can actually impact your valid users, as sometimes windows wireless drivers have problems if they can't see the SSID in a short enough timeframe.

  • Yes, WPA2 TKIP is currently recommended as a minimum.


If you aren't comfortable with flashing the device with alternate firmware (such as dd-wrt), the Linksys firmware is fine for the average home user.

As far as security goes, WPA2-PSK (AES) is the best that your particular router will offer, and it is a good choice. You can also do MAC address filtering so that only devices with MAC addresses that you specify will even get a chance to authenticate with a security key.

Your router will be able to hide the SSID (router name). This way only those that know the SSID by name can attempt to connect, this is a good idea in densely populated areas.

The router itself cannot do bandwidth measuring, but you can use various techniques to do this. You can do QoS to limit or prioritize bandwidth based on various criteria (not based on a monthly limit however) on that router, but from my experience with Linksys, their QoS does not work all that well. Software like Wireshark and Spiceworks, or SNMP monitoring, can give you an idea of bandwidth consumption.


If you enable WPA2 and have a strong password, the rest is overkill is most cases. MAC addresses can be easily spoofed and hidden SSIDs can be sniffed.

The downside in doing MAC filtering and hiding the SSID is complexity and increased administrative burden. But they can definitely be easily done.

I do recommend dd-wrt though.