[brf4n]

Hello everyone,

As the topic says, I just got a WGR614 Netgear router. I'd like to know how to keep people from accessing my network.

Also, there is another router within range (the next house over), so how do I know my computer is accessing MY router and not the one across the street?

I'm really new to all of this so if I could get some help that would be great.

Thanks!

[Advertisements]

Of course the best security is just to use the wired portion, but failing that this is how I have mine set up, starting from the bottom.

UPnP: Disable (no point letting Trojans and others control internet access to your network)

Remote Management: Make sure it's off !!

Wireless Setup: Disable Wireless Access Point (for now)
. . . . . . . . . . . Disable SSID Broadcast
. . . . . . . . . . . Setup Wireless Access Card List
. . . . . . . . . . . Turn Access Control On
. . . . . . . . . . . Enter the MAC Addresses of every wireless interface card you intend to allow to access your network and give them a name.

LAN IP Setup: Reserve by MAC address low range IPs for your computers (192.168.0.2, 192.168.0.3, etc.)
. . . . . . . . . . Set the upper limit of the DHCP server to the highest number you have entered.

WAN Setup (these are all defaults): Auto Connect checked
. . . . . . . . . Disable SPI Firewall, DMZ Server & Respond to Ping unchecked

Port Triggering: Disable all rules (I haven't had any problems, but if you use one of these apps you may have to turn that rule on)

Port Forwarding: Add a new custom rule, "IDENT", port 113 and send it off to 192.168.0.254 (into the ether). The router responds to internet queries on port 113 as closed rather than stealth mode, this will fix it.

Set Password: Choose one for your router, NOT a real word or name.

Block Services: Add a custom service that blocks all ports (1-65534, TCP/UDP) for IP addresses outside the range you have already reserved and set it to always block. (If you want to limit users to standard internet services you can block ports 1280-65534 on their machine via assigned IP as well)

Wireless Settings: Choose a SSID, password type rules apply, for example you will encrypt the transmission so that it will be gibberish, so a password could be "G166er1sh". Do not use your workgroup name.
. . . . . . . . . . . You may need to change the wireless channel if you suffer interference
. . . . . . . . . . . Use WPA-PSK and again use password rules when selecting a keyphrase

You can turn the wireless access point back on now. Some of this is probably a bit over the top, but you asked for it.

To tell if you are accessing the right router you can look at the attached devices section. However as you should only be able to connect to a router on the same channel with the same SSID, it is more than unlikely that you'll connect to your neighbours router

Edited by Kurt_Aust, 29 October 2005 - 06:00 AM.

[Kurt_Aust]

Of course the best security is just to use the wired portion, but failing that this is how I have mine set up, starting from the bottom.

UPnP: Disable (no point letting Trojans and others control internet access to your network)

Remote Management: Make sure it's off !!

Wireless Setup: Disable Wireless Access Point (for now)
. . . . . . . . . . . Disable SSID Broadcast
. . . . . . . . . . . Setup Wireless Access Card List
. . . . . . . . . . . Turn Access Control On
. . . . . . . . . . . Enter the MAC Addresses of every wireless interface card you intend to allow to access your network and give them a name.

LAN IP Setup: Reserve by MAC address low range IPs for your computers (192.168.0.2, 192.168.0.3, etc.)
. . . . . . . . . . Set the upper limit of the DHCP server to the highest number you have entered.

WAN Setup (these are all defaults): Auto Connect checked
. . . . . . . . . Disable SPI Firewall, DMZ Server & Respond to Ping unchecked

Port Triggering: Disable all rules (I haven't had any problems, but if you use one of these apps you may have to turn that rule on)

Port Forwarding: Add a new custom rule, "IDENT", port 113 and send it off to 192.168.0.254 (into the ether). The router responds to internet queries on port 113 as closed rather than stealth mode, this will fix it.

Set Password: Choose one for your router, NOT a real word or name.

Block Services: Add a custom service that blocks all ports (1-65534, TCP/UDP) for IP addresses outside the range you have already reserved and set it to always block. (If you want to limit users to standard internet services you can block ports 1280-65534 on their machine via assigned IP as well)

Wireless Settings: Choose a SSID, password type rules apply, for example you will encrypt the transmission so that it will be gibberish, so a password could be "G166er1sh". Do not use your workgroup name.
. . . . . . . . . . . You may need to change the wireless channel if you suffer interference
. . . . . . . . . . . Use WPA-PSK and again use password rules when selecting a keyphrase

You can turn the wireless access point back on now. Some of this is probably a bit over the top, but you asked for it.

To tell if you are accessing the right router you can look at the attached devices section. However as you should only be able to connect to a router on the same channel with the same SSID, it is more than unlikely that you'll connect to your neighbours router

Edited by Kurt_Aust, 29 October 2005 - 06:00 AM.

[brf4n]

that's a mouthful. i just set up mac address filtering to keep other users out. everytime i set up encryption i am unable to connect though. same goes with just about every other type of filtering.

[Kurt_Aust]

MAC address filtering will stop any of your neighbours connecting accidentally, but will not stop a determined hacker. For why this is so read the latest Security Now !

Of course if you know that your neighbours are trustworthy and/or lack advanced computer skills, that should be enough.

[brf4n]

Some questions:

When I block services, what should be the last IP? Since my computer is at 192.168.1.3, I have the blocking going from 192.168.1.4 to 192.168.1.55. Is this correct?

Should I think about WEP or WPA-PSK security?

I did everything else, so hopefully everything is secure.

[brf4n]

Crap. I have a problem. I can't access the router anymore. It gives me: (192.168.1.3) is managing this device. That is my wireless card's IP. My ethernet port is at 192.168.1.1 which is what I use to access the router...the *only* way I can access my router. But, I can't even access the router from my wireless card which is 192.168.1.3. I can only access my neighbor's router from that IP (ever since I disabled SSID broadcast).

How do I fix this? It seems like everytime I disable the SSID broadcast, I can't connect to the router through the wireless card. But now I can't even access the router period.

[brf4n]

wait nevermind, it just started working again.

the ssid thing baffles me though. i'm going to have to turn the broadcasting on. what could be the problem there?

also, under port forwarding, i put in 192.168.1.254 instead of 192.168.0.254 for the IDENT address. it seems like all in all the ips you gave me, where there was a 0, I had a 1. does that sound like a working substitution?

thanks for help ing out.

[Kurt_Aust]

Under my WGR614v4 all the IP addresses are in the format 192.168.0.x, I can only alter the last digit. If yours is similar but in the format 192.168.1.x, then yes, you only have to match the last digit. The discrepancy is probably due to a difference in chipset version and/or firmware.

You may as well block 192.168.1.4 - 192.168.1.255.

WEP is apparently highly flawed, you should use WPA-PSK (and it's easier to set up to boot).

If SSID is turned off, the wireless card in your laptop will not be able to detect your wireless network (and that's the point, neither can anyone else WHILE you are not acessing it). You will have to go into the network connections properties for your wireless card and enter the channel and SSID directly (or there might be some driver software installed for that model card).

[brf4n]

thanks a lot.

i couldn't find a place anywhere in the properties window of my Atheros AR5004G Wireless Network Adapter though.

[brf4n]

since i don't have windows xp (i use 2000) i can't use the configuration tool. i'm guessing the same place i input the ssid i could also input the WPA key...

ok, nevermind, i just found the software and got everything configured.

thanks a lot kurt!

Edited by brf4n, 31 October 2005 - 03:13 AM.

[Kurt_Aust]

Well, the option has to be there somewhere, perhaps there are updated drivers and/or firmware on the website of the maker of your laptop.