Router Hardening

Router Hardening

Wireless Access Point Security and Privacy

For the full DFP Guides, see Guide

This page provides guidelines and recommendations for configuring wireless access points (WAP), commonly referred to as routers, to enhance users’ security and privacy.

Recommended Home Routers (2026)

Why Replace TP-Link?

In March 2026, the FCC placed foreign-produced consumer routers — specifically naming TP-Link — on its Covered List, blocking them from obtaining the FCC equipment authorization required for U.S. market sale. ¹ This followed multi-agency investigations by the Commerce, Defense, and Justice departments starting in 2024. ² The FCC cited supply chain vulnerabilities and the Volt Typhoon ³, Flax Typhoon, and Salt Typhoon cyberattacks. In September 2025, CISA added two actively exploited TP-Link CVEs to its Known Exploited Vulnerabilities catalog, both linked to the Quad7 botnet operated by China-linked threat actors. ⁴ This is not just a federal procurement issue — it affects consumer market availability.

Before You Start: Modem vs. Router

Your ISP provides a modem (the box that connects to the internet). Your router distributes WiFi and manages your home network. They are separate jobs, even if your ISP combines them in one box. You can replace just the router with any recommendation below — plug it into the ISP modem’s Ethernet port.

[ISP Modem] ——ethernet——> [Your Router] ——wifi——> [Your Devices]

Quick Pick by Skill Level

Skill Level	Router	Price	Setup Time	Why
Beginner	GL.iNet Flint 2 (GL-MT6000)	~$90	~15 min	OpenWrt-based, VPN built-in, simple web UI, WiFi 6. Can flash vanilla OpenWrt for maximum auditability
Beginner	Ubiquiti UniFi Express 7 (UX7)	~$199	~20 min	WiFi 7, 10G, clean app-based setup, all-in-one. Requires UniFi cloud account
Intermediate	Firewalla Gold	~$500	~20 min	Built-in IDS/IPS, no monthly fees, no CLI needed, great visibility dashboard
Advanced	OPNsense on Protectli VP2420 + WiFi AP	~$350+	45+ min	Fully open-source firewall, weekly security updates, enterprise-grade features, no licensing fees
Advanced	Netgate pfSense Appliance + WiFi AP	$200–600+	45+ min	Established firewall platform, commercial support available

Tier 1: Plug-and-Play (Non-Technical Users)

These are complete routers — just plug in and configure through a web browser or app. No command line needed.

GL.iNet Flint 2 (GL-MT6000) — Best value for security-conscious users. Community top pick.

• Runs OpenWrt (open-source router operating system) under a friendly web interface
• Built-in WireGuard and OpenVPN client/server — encrypts all your internet traffic with one toggle
• AdGuard Home DNS filtering toggle — blocks ads and trackers across your entire network
• Automatic firmware updates
• The Flint 2 uses a MediaTek chipset with full upstream OpenWrt support ⁵ — you can flash vanilla OpenWrt for a fully community-audited firmware with no proprietary components

What about the Flint 3?

The GL.iNet Flint 3 (~$120) adds WiFi 7 and 2.5 GbE ports, but uses a Qualcomm IPQ5332 chipset that does not have upstream OpenWrt support. ⁶ You’re locked into GL.iNet’s firmware, which ships with cloud-connected services that increase the attack surface. ⁷ The Flint 3 also has lower WireGuard VPN throughput than the Flint 2. ⁸ For security, the Flint 2 is the better choice. The Flint 3 is fine if WiFi 7 matters more to you than firmware auditability.

Ubiquiti UniFi Express 7 (UX7) — Best for users who want modern hardware with app-based management.

• WiFi 7 with 10 Gbps backhaul
• Managed through the UniFi mobile app or web portal
• Automatic threat management (IDS/IPS — software that detects and blocks hacking attempts) built in
• Compact form factor, integrated gateway + access point

UniFi Cloud Dependency

UniFi requires a ui.com cloud account for initial setup and strongly encourages it for ongoing management. Local-only mode exists but limits functionality. In March 2026, a critical vulnerability (CVE-2026-22557) allowed unauthenticated account takeover in UniFi Network — directly tied to the cloud architecture. ⁹ Ubiquiti has also disclosed critical unauthenticated RCE flaws in UniFi OS (CVE-2025-52665) ¹⁰ and UniFi Access (CVE-2025-27212) ¹¹ in 2025. If zero-phone-home is a hard requirement, choose GL.iNet or OPNsense/pfSense instead.

Tier 2: Security Appliances (Some Technical Comfort)

Firewalla Gold / Gold Pro — Best for users who want enterprise visibility without the command line.

• Linux-based firewall appliance with built-in IDS/IPS, VPN server, and network segmentation
• Clean mobile app dashboard shows all network activity, blocked threats, and bandwidth usage
• No monthly fees, no cloud dependency — runs entirely on your local network
• Firewalla Gold ($500) or Gold Pro ($500, dual 10 GbE) ¹²
• Requires a separate WiFi access point (Firewalla handles routing/firewall only)
• Limitation: proprietary OS — less community extensibility than OPNsense/pfSense

Tier 3: Full Control (Technical Users)

These are dedicated firewall/router platforms that require a separate WiFi access point. They handle all routing, firewall rules, VPN, and intrusion detection — the AP just broadcasts WiFi.

Firewall + Dumb AP Setup

Buy a firewall appliance (OPNsense, pfSense, or Firewalla) and a separate WiFi access point like a Ubiquiti U6+ ($100) or TP-Link EAP670 ($120). Yes, TP-Link access points are acceptable here because the AP is managed by your firewall, not internet-facing — it just broadcasts radio signals. All security decisions happen on the firewall. This separation means your firewall runs on dedicated, hardened hardware.

OPNsense on Protectli Hardware — Community-recommended open-source firewall.

• OPNsense is a FreeBSD-based firewall/router OS, fully open-source under the BSD license
• No licensing fees ever — the full feature set runs on any x86 hardware at no cost
• Weekly security updates with a fixed release schedule (two major releases per year, January and July) ¹³
• Stateful packet inspection, IDS/IPS via Suricata, WireGuard/OpenVPN, VLAN support
• Protectli VP2420 (~$300 with 8GB/120GB): fanless, 4x 2.5 GbE, American company, coreboot firmware available on some models ¹⁴
• The security community has increasingly favored OPNsense for its transparent development, faster CVE patching, and no feature-gating behind paid tiers ¹⁵

Netgate pfSense Appliances — Established firewall platform with commercial support.

• Runs pfSense Plus (Netgate’s proprietary fork) on Netgate hardware, or pfSense CE (open-source, Apache 2.0) on any hardware
• Same core features as OPNsense: stateful packet inspection, IDS/IPS, VPN, VLANs
• Commercial TAC support available — valuable for businesses
• Popular models: Netgate 1100 ($200, entry-level), Netgate 2100 ($400), Netgate 4200 (~$500)
• Extremely low vulnerability track record among consumer firewall platforms

pfSense CE vs Plus — Know the Difference

pfSense CE (Community Edition) is free and open-source on any hardware. pfSense Plus is Netgate’s proprietary fork — free on Netgate appliances, but requires a paid TAC Lite subscription (~$129/year) on third-party hardware. ¹⁶ New feature development is directed at Plus, not CE. If you’re buying Netgate hardware, this doesn’t matter. If you’re building your own box (like a Protectli), OPNsense gives you the full feature set for free.

What to Avoid

• TP-Link routers — FCC Covered List (March 2026), actively exploited CVEs, Chinese supply chain concerns. See warning above
• End-of-life routers from any brand — In January 2024, the FBI disrupted the KV Botnet — a Volt Typhoon tool built entirely from end-of-life Cisco and NetGear SOHO routers used to attack U.S. critical infrastructure. ¹⁷ If your router no longer receives firmware updates, replace it immediately
• ISP-provided routers — Often outdated firmware, remote management enabled by default, limited configuration. These are the most common end-of-life devices in homes
• Any router you can’t change the admin password on — 41% of router breaches trace to unchanged default credentials ¹⁸
• Routers that require cloud accounts for basic functionality — Your router should work without phoning home

VPN on Your Router

Running a VPN at the router level means every device on your network is protected — phones, smart TVs, IoT devices — without installing VPN apps on each one. For recommended VPN providers, see the VPN Recommendation page.

• GL.iNet: One-click WireGuard/OpenVPN toggle in the web UI — easiest setup
• Firewalla: Built-in VPN server and client via the mobile app
• UniFi: Built-in Teleport VPN or third-party VPN client via settings
• OPNsense/pfSense: Full WireGuard/OpenVPN server and client with granular per-device routing (most flexible — can route specific devices through VPN while others go direct)

Larger Homes and WiFi Coverage

If a single router doesn’t cover your whole home, you have two options:

1. Add access points (recommended): Keep your secure router and add one or more wired access points (Ubiquiti U6+, TP-Link EAP series) connected via Ethernet. Each AP extends WiFi while the router handles all security
2. Mesh systems: Consumer mesh systems (Eero, Netgear Orbi, Google Wifi) prioritize coverage over configurability. They typically don’t support custom firmware, VLAN segmentation, or advanced firewall rules. Fine for convenience, but not ideal if security is your primary goal

Jargon Glossary

Term	What It Means
OpenWrt	A free, open-source operating system for routers — like replacing Windows with Linux on your computer. Anyone can inspect the code for backdoors
VPN	Virtual Private Network — encrypts your internet traffic so your ISP and others can’t see what you’re doing. See VPN Recommendation
WireGuard	A modern, fast VPN protocol. Simpler and faster than the older OpenVPN
IDS/IPS	Intrusion Detection/Prevention System — software that watches network traffic for hacking attempts and blocks them automatically
VLAN	Virtual LAN — splits one physical network into separate isolated networks. Used to keep IoT devices (smart TVs, cameras) away from your computers
DNS	Domain Name System — translates website names (google.com) into IP addresses. Changing your DNS to Cloudflare (1.1.1.1) or Quad9 (9.9.9.9) adds security and speed
Firmware	The software that runs on your router. Keeping it updated patches security holes
Access Point (AP)	A device that broadcasts WiFi signals. A “dumb AP” only does WiFi — all security is handled by a separate firewall/router

---

Resources for Home Network Security

Here are authoritative guides for home network security:

CISA Enhanced Visibility and Hardening Guidance (2024)

• The most current comprehensive guidance from CISA and NSA, developed in response to the Salt Typhoon telecom compromises. Covers access controls, network segmentation, logging, and end-of-life device replacement.

• CISA Hardening Guidance

NSA Best Practices for Securing Your Home Network (2023)

• The National Security Agency’s consumer-facing guide to protecting home networks from cyber threats. Covers routers, computers, mobile phones, and IoT devices.

• NSA Guide

CISA/FBI Secure by Design Alert for SOHO Routers (2024)

• Joint alert urging router manufacturers to eliminate default credentials and web management interface vulnerabilities. Useful context for understanding why certain brands are more secure than others.

• CISA Secure by Design Alert

CISA/NSA Volt Typhoon Advisory (2024)

• Joint advisory on Chinese state-sponsored actors pre-positioning in U.S. critical infrastructure networks, primarily through compromised SOHO routers. Key takeaway: replace end-of-life network devices immediately.

• CISA Advisory AA24-038A

Home Network Security - CISA

• General CISA guidance on home network security fundamentals.

• CISA Home Network Security

Additional Guides

• ProPrivacy WiFi Security Guide — WiFi security for home and public networks
• ProPrivacy Home Network Check — Actionable security audit tips
• Kaspersky Home Network Guide (Archive) — Step-by-step home network hardening

Related Wiki Pages

• Travel Routers — Portable GL.iNet routers for travel, privacy hardening, and field reconnaissance
• WiFi Security — Technical details on WPA2/WPA3 encryption, WiFi signal analysis, and penetration testing tools
• VPN Recommendation — Recommended VPN providers (Mullvad, IVPN, ProtonVPN) and when to use them
• Mobile Hardening Guide — Securing phones and tablets that connect to your network
• CISA Resources — Free cybersecurity tools including DNS filtering (Quad9) and intrusion detection (Snort)
• Digital Force Protection Guide — Complete personal security checklist (router hardening is one layer)

Open-Source Router Firmware

Replacing your router’s stock firmware with open-source firmware gives you faster security patches, eliminates manufacturer telemetry, and extends the useful life of your hardware by years. In 2025 alone, thousands of routers running stock firmware were compromised: CISA flagged actively exploited TP-Link CVEs ⁴, the KadNap botnet backdoored 14,000+ ASUS routers ¹⁹, and the FBI warned of active exploitation on 13 end-of-life Linksys and Cisco models. ¹⁷ Open-source firmware addresses all three root causes — slow patching, hidden telemetry, and abandoned hardware.

Firmware Comparison

Firmware	License	Latest Version	Supported Devices	Update Cadence	Best For
OpenWrt	GPL	25.12.0 (Mar 2026) 20	2,200+	Major yearly + security patches	Most users — largest ecosystem, best security
FreshTomato	GPL	2026.1 (Feb 2026) 21	~30 (Broadcom ASUS/Linksys)	Annual	ASUS router owners on Broadcom chipsets
Asuswrt-Merlin	Mixed	3006.102.7_2 (Mar 2026) 22	~20 ASUS models	Monthly	ASUS owners wanting light hardening without full replacement
OPNsense	BSD	25.1 (Jan 2025) 23	x86-64 hardware	Weekly security patches	Dedicated firewall hardware (see Tier 3 above)
DD-WRT	Mixed	Rolling beta (r61408) 24	Thousands (overlaps OpenWrt)	Irregular	Legacy use only — not recommended
Gargoyle	GPL	1.14 (2023) / 1.15 beta 25	Tracks OpenWrt	Slow (~annual)	Bandwidth quotas and per-device monitoring
LibreCMC	GPL (FSF-endorsed)	6.6 (Dec 2025) 26	WiFi 4 (ath9k) only	Annual	Strict free-software mandates (FSF/GNU compliance)

OpenWrt — The Community Standard

OpenWrt is the recommended open-source firmware for most users. It has the largest hardware support (2,200+ devices), the most active development community, and the fastest security response.

Key features:

• Linux kernel 6.12 with 8,000+ installable packages ²⁰
• Native WireGuard VPN (kernel-integrated, fastest performance)
• Encrypted DNS: DNS-over-HTTPS and DNS-over-TLS via built-in packages
• Ad-blocking network-wide via AdGuard Home or Adblock
• Full firewall with nftables (replaced iptables in 25.12)
• LuCI web interface for configuration — no command line required for basic setup

Security track record: When CVE-2024-54143 (CVSS 9.3, critical) was discovered in the Attended SysUpgrade server, the OpenWrt team patched it within the same disclosure window ²⁷ — the kind of response most router manufacturers never achieve.

Hardware to look for: Routers with MediaTek MT7986/MT7981 or Qualcomm IPQ807x chipsets with at least 256 MB RAM and 32 MB flash. ²⁸ Check the OpenWrt Table of Hardware before buying. OpenWrt does not support Broadcom WiFi chipsets due to the lack of open-source drivers — if you have a Broadcom router, see FreshTomato below.

Best OpenWrt-Ready Routers

• Budget: Linksys E8450 / Belkin RT3200 (MT7622, ~$50 used)
• Mid-range: GL.iNet Flint 2 GL-MT6000 (2.5G ports, 900+ Mbps WireGuard, ~$90)
• Headless gateway: NanoPi R5S (dual 2.5G Ethernet, no WiFi, ~$60)

FreshTomato — For Broadcom ASUS Routers

If you own an ASUS or Linksys router with a Broadcom chipset (RT-AC68U, RT-AC86U, RT-AC88U, RT-AC3100, RT-AC3200, RT-AC5300, TUF-AX3000 V2), FreshTomato is your best open-source option — OpenWrt doesn’t support these chipsets. ²¹

Key features:

• Full WireGuard support with policy-based routing (ARM builds)
• OpenVPN server and client
• Historical bandwidth graphs and per-device monitoring
• Advanced QoS and IP/MAC bandwidth limiter
• Clean interface — generally considered easier than OpenWrt’s LuCI

Limitations: Narrow hardware support (Broadcom MIPS/ARM only), small development team, limited WiFi 6 support.

Asuswrt-Merlin — Stock ASUS with Security Fixes

Asuswrt-Merlin is not a full firmware replacement — it’s an enhanced version of ASUS stock firmware that adds security features while keeping the familiar ASUS interface. ²²

What it adds over stock ASUS firmware:

• DNS-over-TLS support
• Entware package repository (ad-blocking, custom scripts)
• Improved OpenVPN and WireGuard support
• Removed AiCloud in February 2026 due to its “poor security track record” ²²
• Better Samba and dnsmasq customization

Best for: ASUS router owners who want better security without the complexity of a full firmware flash. Supports ~20 ASUS models. Not fully open-source (retains Broadcom binary blobs).

DD-WRT — Legacy, Not Recommended

Why We Don’t Recommend DD-WRT

DD-WRT has been maintained by a single developer since 2008 with no stable release since then — only rolling betas. ²⁴ The firmware contains mixed proprietary and open-source components, making a full security audit impossible. There is no formal security advisory process. For any router that OpenWrt supports, OpenWrt is the better choice. DD-WRT remains functional for experienced users on specific hardware, but it should not be a first recommendation in 2026.

LibreCMC — Free Software Purists Only

LibreCMC is the only FSF-endorsed router firmware, removing all proprietary firmware blobs and binary-only kernel modules. ²⁶ The tradeoff is severe: it only supports WiFi 4 (802.11n) hardware using ath9k chipsets, because no free drivers exist for WiFi 5 or WiFi 6 radios. Best paired with ThinkPenguin RYF-certified routers. Only appropriate for environments with strict free-software mandates.

Why Open-Source Firmware Is More Secure

	Stock Firmware	Open-Source Firmware
Patch speed	Weeks to months (if ever)	Days to weeks (OpenWrt patched CVE-2024-54143 same day) 27
End-of-life support	Cut off after 2-3 years	Community maintains support for years beyond manufacturer EOL
Telemetry	Often phones home with usage data	No call-home behavior — you control all network traffic 29
Auditability	Closed source — you trust the vendor	Open source — anyone can inspect for backdoors
VPN support	Basic or none	Full WireGuard, OpenVPN, IPsec with policy routing
Package ecosystem	Fixed feature set	8,000+ packages (OpenWrt): IDS, DNS filtering, ad-blocking, monitoring

Flashing Risks and Recovery

Before You Flash

Replacing firmware carries some risk. The most common causes of “bricking” (making the router temporarily unresponsive) are: using the wrong firmware image for your hardware revision, power loss during the flash, or selecting the wrong image type (factory vs. sysupgrade). ³⁰ Always:

1. Verify your exact hardware version — check the label on the router. Model RT-AC68U v1 and v2 use different firmware images
2. Use the “factory” image for the first flash from stock firmware (not “sysupgrade”)
3. Keep power stable — use a UPS or at minimum don’t flash during a storm
4. Back up your current firmware and configuration before starting

If something goes wrong: Most “bricked” routers are actually recoverable: ³⁰

1. TFTP recovery (easiest) — Most routers expose a TFTP server during boot. Connect via Ethernet and push a factory image with a TFTP client
2. Serial/UART console — Open the router and connect a 3.3V TTL serial adapter to the UART pads for full shell access
3. JTAG — Hardware-level flash access as a last resort

Permanent bricks (bootloader overwritten) are rare. The vast majority of flash failures are recoverable.

Devices That Cannot Be Flashed

Not all routers can run open-source firmware. Some manufacturers enforce secure boot and locked bootloaders that make firmware replacement impossible without destroying the hardware. Know before you buy.

Amazon eero (Pro 6E, Max 7, and all WiFi 6+ models)

eero Cannot Run Open-Source Firmware

Amazon eero routers use U-Boot with enforced secure boot on all WiFi 6 and later models. ³¹ The boot delay is hardcoded to zero seconds — even with physical serial console access, you cannot interrupt the boot sequence to load alternate firmware. ³² Neither the eero Pro 6E nor the eero Max 7 appears in the OpenWrt Table of Hardware, and no active porting effort exists. ³³

The only documented root access on WiFi 6 eero hardware required physically desoldering the BGA eMMC chip — a destructive operation that left the device non-functional and still did not produce a path to running custom firmware. ³⁴ In January 2025, Amazon patched a U-Boot zero-day across its entire eero WiFi 6+ fleet, confirming that bootloader integrity is actively maintained. ³¹ Do not purchase eero hardware expecting to flash it.

eero hardware specs (for reference):

Model	SoC	RAM	WiFi	Ethernet	Can Flash?
eero Pro 6E	Qualcomm IPQ5018	1 GB	WiFi 6E	1x 2.5G + 1x 1G	No
eero Max 7	Qualcomm IPQ9574 (Dragonwing NPro 7)	2 GB	WiFi 7	2x 10G + 2x 2.5G	No

If you already own eero hardware — bridge mode is the answer:

Bridge mode turns your eero nodes into pure wireless access points, letting a real router handle security. The eero TrueMesh backhaul continues working in bridge mode — you keep the WiFi coverage and mesh performance.

1. Enable bridge mode: eero app > Settings > Network Settings > DHCP & NAT > Bridge Mode
2. Connect an upstream router to the gateway eero via Ethernet — use a GL.iNet Flint 2 (~$90), OPNsense mini-PC, or Netgate pfSense appliance
3. The upstream router now handles: VLANs, custom DNS (AdGuard Home/Pi-hole), WireGuard VPN server, firewall rules, and traffic shaping
4. Features lost in bridge mode ³⁵: eero Secure/Plus content filtering, parental controls (Profiles), historical data usage, Internet Backup, and Smart Queue Management. WiFi and mesh remain fully functional

Opt out of Amazon Sidewalk immediately. Sidewalk is enabled by default on eero and uses your internet connection to create a shared neighborhood mesh network for nearby Amazon devices (Ring cameras, Tile trackers, etc.). ³⁶ Amazon caps bandwidth at 80 Kbps per device, but it is your connection being shared with strangers’ devices. Disable it: Alexa app > More > Settings > Account Settings > Amazon Sidewalk > toggle off.

eero privacy concerns: eero’s privacy policy ³⁷ acknowledges collection of: MAC addresses and IP addresses of all connected devices, network performance statistics, bandwidth usage patterns, device type fingerprinting, and app engagement metrics. Data is shared with “Service Partners” (ISPs, security companies). Bridge mode does not eliminate this telemetry — the eero nodes still report to Amazon’s cloud.

If Replacing eero Hardware

For comparable mesh WiFi coverage with open-source firmware: use a GL.iNet Flint 2 ($90) as the router and GL.iNet Beryl AX (GL-MT3000) ($70 each) as mesh nodes, all running OpenWrt with 802.11s mesh. Total cost for a 3-node setup is ~$230 — less than a single eero Max 7 — with full VPN, VLAN, custom DNS, and zero telemetry. WiFi 7 mesh with open firmware is not mature as of April 2026.

---

Configuration Recommendations

Wireless Router Configuration

Factory Reset Router

If you have not had total control of the router since it was activated, you should factory reset it using the physical reset button (long press the small button) or through the admin portal. This is important as the router could already be exploited by backdoors, services, or users.

Logging In Access Admin Portal: You must access the admin page, typically by going to 192.168.1.1 in a browser. However, your router’s IP can differ, so check your network settings. Logging In to the Admin Portal: The admin password is typically found on the router physically or may be something that you can search online for, such as:

• Router_Brand "default admin" ("password" OR "credentials")

Common Router Configuration

Secure your router effectively by following these key steps, each designed to enhance the security and performance of your network:

Change the Default Admin Password: The default password is often simple and known to attackers, making it imperative to change it to prevent unauthorized access. Use a manager.

• Access your router’s admin panel through a web browser.

• Locate the settings for the administrative password or router password.

• Change the default password to a strong, unique passphrase.

• Save the changes.

Enable WPA3 Encryption: The latest encryption standard, WPA3, significantly improves network security by making it harder for attackers to crack passwords.

• In the router’s admin interface, find the wireless or security settings.

• Look for the Wi-Fi encryption options and select WPA3. If WPA3 is not available, select WPA2-PSK as an alternative.

• Generate and save a password with a manager.

• Apply and save the settings.

Disable WPS (Wi-Fi Protected Setup): While WPS offers convenience by allowing users to connect to the network easily, it also poses a security risk and should be disabled.

• Navigate to the wireless or WPS settings within the router’s admin interface.

• Find the option to disable WPS and select it.

• Save your changes.

Update Firmware Regularly: Firmware updates often contain security enhancements and bug fixes, making it crucial to keep your router’s firmware up to date.

• Go to the system or firmware update section of your router’s settings.

• Check for any available firmware updates.

• Download and install the update following the on-screen instructions. Restart the router if required.

Separate your IoT devices from your main devices: Internet of Things (IoT) devices (i.e., TV streaming sticks, smart lights, smart speakers, etc.) increase the attack surface and, if compromised, can be used to access other devices on your network. IoT devices often won’t have as robust security architecture/programs as your main devices.

• Authenticate IoT devices to only a single network.

• Recommend 2.4 GHz Guest network (many IoT devices won’t be 5 GHz compatible).

• Authenticate main devices (i.e., computers, cellphones) to a different network on your router.

Disable Remote Management: Remote management can be a vulnerability if not used securely, allowing potential external access to your router’s settings.

• Locate the remote management or WAN management settings in the router’s admin interface.

• Ensure remote management is turned off or set to the most restrictive setting possible.

• Save the changes.

Use a Guest Network: A guest network isolates visitors’ internet use from your main network, safeguarding your personal data. The guest network isolates your devices and the admin portal from devices on that guest network. DO NOT let guests onto your main (non-guest WIFI).

• Find the guest network settings in your router’s configuration.

• Enable the guest network feature and set a unique SSID (totally unassociated from your main WIFI) and password.

• Generate and save a password with a manager.

• Configure the network to isolate guest users from your main network.

• Save and apply the settings.

Create a Backup: Saving a backup of your router’s settings ensures you can quickly restore your network’s configuration in case of a reset or error. Save backup to manager.

• Look for the backup or save settings option in the router’s admin panel.

• Follow the prompts to create a backup of your current settings.

• Store the backup file in a secure, encrypted drive.

DNS Configuration: Changing your DNS settings can not only speed up your internet connection but also add an additional layer of security by blocking malicious sites.

• Log into your router’s admin interface.

• Navigate to the DNS settings section.

• Replace the default DNS server addresses with a more secure and faster DNS service. Recommended options include:

  • Cloudflare: 1.1.1.1 and 1.0.0.1
  • Quad9: 9.9.9.9

• Save your changes and reboot the router if necessary.

Travel Router Configuration

For comprehensive travel router guides including GL.iNet hardware, privacy hardening, and automated reconnaissance, see the dedicated Travel Routers page.

To ensure security and efficiency while using a travel router, follow these configuration steps:

Connection Methods: Choose how to connect based on your needs.

• For Ethernet: Plug the Ethernet cable from the modem or another network connection into the travel router.

• For Wireless: Access the travel router’s network settings and configure it to connect to an available Wi-Fi network as a client.

WIFI Name (SSID): Customize your network name to avoid identification.

• In the router’s settings, find the Wi-Fi or Wireless section.

• Change the SSID from the default to something unique that doesn’t disclose personal information.

• Save the changes.

Wireless Power (Range): Adjust to manage the coverage area.

• Locate the wireless settings in your router’s admin interface.

• Look for a transmission power setting and adjust it accordingly. Lower it to reduce the range if needed.

• Apply the changes.

Whitelisting: Allow only known devices to connect.

• Find the MAC Address Filtering or Access Control section in the router settings.

• Enter the MAC addresses of the devices you wish to allow.

• Enable the filtering and save your settings.

Regular Factory Reset (Restore from Backup): Maintain a clean state.

• Perform a factory reset via the router’s admin interface or a physical button, typically held for a few seconds.

• After resetting, access the router and restore settings from a previously saved encrypted backup file to quickly return to your preferred configuration.

Security Audits: Ensure your travel router remains secure.

• Regularly log into the router’s admin interface to check for firmware updates.

---

Footnotes

1. FCC National Security Determination on the Threat Posed by Foreign-Produced Routers — FCC, March 2026. See also Cybersecurity Dive coverage ↩

2. U.S. agencies back banning TP-Link home routers on security grounds — Washington Post, October 2025. See also Bloomberg on TP-Link’s China split ↩

3. PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure (AA24-038A) — CISA/NSA/FBI Joint Advisory, February 2024 ↩

4. CISA Flags TP-Link Router Flaws CVE-2023-50224 and CVE-2025-9377 as Actively Exploited — The Hacker News, September 2025 ↩ ↩²

5. GL.iNet GL-MT6000 Flint 2 WiFi Router Review — ServeTheHome ↩

6. GL.iNet Flint 3 BE9300 WiFi 7 2.5GbE Router Review — ServeTheHome ↩

7. Flashing OpenWrt into a GL.iNet Flint 2 and Thoughts on Security — Tech Shinobi (discusses GL.iNet stock firmware attack surface) ↩

8. Flint 2 vs Flint 3 — Flint 3 is a downgrade — GL.iNet Official Forum ↩

9. Ubiquiti warns of UniFi flaw that may enable account takeover (CVE-2026-22557) — BleepingComputer, March 2026 ↩

10. Critical UniFi OS Flaw Enables Remote Code Execution (CVE-2025-52665) — GBHackers, 2025 ↩

11. Critical Vulnerability in Ubiquiti UniFi Allows Remote Code Execution (CVE-2025-27212) — GBHackers, 2025 ↩

12. Firewalla Gold Pro review — TechRadar, 2025 ↩

13. OPNsense Road Map and Release Schedule — OPNsense ↩

14. OPNsense Hardware Recommendations — Home Network Guy, 2025. See also Protectli coreboot firmware ↩

15. Why I use OPNsense over pfSense, and why I don’t trust Netgate at all — XDA Developers ↩

16. pfSense Software Types — Netgate. See also pfSense Plus FAQ ↩

17. U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure — DOJ, January 2024 ↩ ↩²

18. CISA and FBI Release Secure by Design Alert Urging Manufacturers to Eliminate Defects in SOHO Routers — CISA, January 2024 ↩

19. ASUS Router KadNap Botnet Campaign — Fing, 2025 ↩

20. OpenWrt 25.12.0 ships with new package manager, 2,200+ devices — Help Net Security, March 2026 ↩ ↩²

21. FreshTomato — the only actively maintained Tomato firmware fork — FreshTomato Official Site. See also Tomato firmware history ↩ ↩²

22. Asuswrt-Merlin Changelog (AiCloud removal, DNS-over-TLS, WireGuard) — Asuswrt-Merlin Official Site ↩ ↩² ↩³

23. OPNsense 25.1 “Ultimate Unicorn” — 10 years of OPNsense — Deciso B.V., January 2025 ↩

24. DD-WRT — single maintainer since 2008, mixed licensing, no stable release since v24 SP1 — Wikipedia. See also DD-WRT beta downloads ↩ ↩²

25. Gargoyle 1.15.x beta based on OpenWrt 24.10 — Gargoyle Forums, January 2026 ↩

26. LibreCMC — FSF-endorsed GNU/Linux-libre distribution for routers — Wikipedia. See also FSF endorsement announcement ↩ ↩²

27. Security Advisory CVE-2024-54143 (CVSS 9.3) — patched same day — OpenWrt Announce Mailing List, December 2024 ↩ ↩²

28. In search of the perfect OpenWrt router — hardware tier recommendations — Dariusz Wieckiewicz ↩

29. Why You Should Flash Your Router With Open-Source Firmware for Privacy — ModemGuides, 2026 ↩

30. Recover from a Bad Flash — TFTP, Serial, and JTAG recovery methods — DD-WRT Wiki ↩ ↩²

31. How Amazon and eero continue to keep customers secure — eero Blog, January 2025 (U-Boot zero-day patch, secure boot confirmation across WiFi 6+ fleet) ↩ ↩²

32. Hacking Amazon’s eero 6 (Part 1) — secure boot confirmed, boot sequence cannot be interrupted — Markuta, 2022 ↩

33. Eero Pro 6 OpenWrt — “support is very unlikely” without shell access — OpenWrt Forum, February 2024 ↩

34. Hacking Amazon’s eero 6 (Part 2) — eMMC desoldering required, no custom firmware achieved — Markuta, 2023. See also 2nd-gen eero root shell via SPI flash desoldering ↩

35. What features do I lose if I put my eeros in bridge mode? — eero Help Center ↩

36. Amazon Sidewalk — how to opt out — Dong Knows Tech. See also Amazon Sidewalk Privacy Whitepaper ↩

37. eero Privacy Notice — eero/Amazon ↩