@MIOT 

 

Hey

 

The first question would be is there any specific security or thing you are concerned about?     Generally these devices come setup secure out of the box, however you can indeed tweak them tighter if needed

 

Few suggestions below

 

1.   Check for an updated firmware, always a good idea!

 

2.  WiFi settings.  There are 2x bands on this device, 2.4ghz and 5ghz.    I would recommend changing the following

 

On 2.4ghz 

Security Version to WPA2-PSK

Encryption to AES

Change SSID and Password!

Mode to 802.11N only -  NOTE - This setting will stop some much older devices connecting, but this will decrease the risk the older device pose.  If you have a device that wont connect and its 10 years + old this might be the setting

 

 

5GHz

Security Version to WPA2-PSK

Encryption to AES

Change SSID and Password!

Mode to 802.11 AC/N  -  NOTE - This setting will stop some much older devices connecting, but this will decrease the risk the older device pose.  If you have a device that wont connect and its 10 years + old this might be the setting

 

 

3.   Disable Guest SSID if you fancy, its generally secure but if not needed turn off!

 

 

4.  Ensure the Firewall is ON.   99% sure it will be, however just check .

 

I wouldnt change anything in firewall if honest

 

@Philbert 

Thanks a lot for your recommendations. I already did most of them with few exceptions. I forgot to make 5G ac only, I have to enable guest for the purpose of visiting friends and family although I make it hidden after them joining and not allowed to share my network, just updated to the latest firmware, the firewall was off by default but I turned it on and not sure what levels to choose low or medium or high because I heard the higher the lower the Performance and life of router. Other options I changed was turning off upnp, disabled cwva, setup router whitefish, changed passwords from the default, disabled wps, disabled remote ping and management.

The reason I became obsessed recently was because of the security cameras vulnerabilities i became aware of as well as smart TVs  and what not. I was searching for a VLAN function but seems its not supported. Another thing is how to add a vpn service directly to the router to stop the crazy ads on all devices at once.

@MIOT 

 

Hey again

 

Few responses below but seems like you have it all in order :)

 

the firewall was off by default but I turned it on and not sure what levels to choose low or medium or high because I heard the higher the lower the Performance and life of router

 

The performance will slow if you have a more agressive firewall policy, but unless you are thrashing the router 24/7 this is unlikely to be an issue.   I have never known a firewall setting to shorten the life of a router.    I would just enable this and leave as default, unless you are confident with firewall settings its best not modifying these.

 

turning off upnp

 

While I would agree this is a very good idea, it may cause issues with XBox Live, PSN etc if that is in use.   Its sadly still a commonly used feature.   If you have issues with such services try re-enabling.

 

The reason I became obsessed recently was because of the security cameras vulnerabilities i became aware of as well as smart TVs  and what not

 

If this is the main driving factor, then its a Firewall / IDS features that are most important part for you.    That sadly is the problem with such technology (IOT) that they are a risk as time progresses and firmwares become old.   Moving them onto the guest / WAN only network is a good idea, that way they are segmented completely from the main home network.    I have 3x SSIDs myself, one for home, guest and IOT.   IOT and Guest are direct to internet only, nothing local side. 

 

Another thing is how to add a vpn service directly to the router to stop the crazy ads on all devices at once.

 

The VR400 only works as a VPN server and not a VPN client.   This will also massively restrict the speed of your connection by doing this.   If you are getting Ads then its better to find the port or URL source and block it that way.   I cant say I have heard anyone else report this before, you have me curious :)

 

I was searching for a VLAN function but seems its not supported

 

VLANS are a business grade option and not something that is generally supported at Home Grade hardware.   I use VLANs for the 3x SSIDs mentioned earlier to segment traffic.

 

So can we think of the guest network as a vlan to the main network and function in the same way? If not then one should go buy a managed switch which would cost the same as the router itself if not more to make a vlan. One other question i forgot was how to secure the ftp server over the internet?

@MIOT

 

Hey again

 

Some more answer for you :)

 

So can we think of the guest network as a vlan to the main network and function in the same way?

 

Yes in a matter of speaking.  The Guest network is on the same VLAN as the home network (VLAN 0) however its got Access Controls in place to segment that traffic from the home traffic if you tick the box to do so.   This is a good way to keep IOT and other such things from having any access to your network, they still get an IP but can only go to the internet.

 

 

If not then one should go buy a managed switch which would cost the same as the router itself if not more to make a vlan.

 

VLANs are not just router technology, you also need a switch and APs that are capable of handling the VLANs.  If you want VLANs you would likely need a Router (TL-R605), Manage Switch (2008), Access Points (EAP225) and a controller (OC200) to be able to recreate what you have in one device.. however as it business grade the functionality and specification is much higher as a result.   Those 4x devices would cost around £250 / $320 US.. or equilivent in your local currency. 

 

 

One other question i forgot was how to secure the ftp server over the internet?

Hard one as its not designed to secure FTP.   If I was you, setup up FTP for local only and have the users VPN into the router and access that way.   Its the safer option.

 

 

 

 

The vpn with the ftp set to local is an excellent idea i wouldnt've have thought it by myself. I wonder how to connect devices (cameras, nvr, ..) to this setup though 😅 The way you explained the vlan setup was like delivering a K.O. to me though. Sad i didn't pay attention in the networking classes 😂