Measures and contingency plans

A path to resilience through mostly technical protection measures

In order to raise a home network to a high level of security, technical measures beyond the basic configuration are essential. These range from securing the router, through the most complete possible verification of components, up to intelligent segmentation of the network and planning a failover (or at least a one-off thought experiment about whether, and for how long, you could cope with an outage without one).

As mentioned in the previous post, we have to say goodbye to the idea of 100% security; absolute security is simply not achievable. So let's aim for the psychologically important ‘Level 92’ mark, in order to achieve as much as possible with as little effort as possible.

Two-factor authentication (2FA) / Multi-factor authentication (MFA) for network (router) access:

  • What it is: 2FA or MFA adds an additional layer of security that requires two different forms of identification: something the user knows (a password) and something they have (e.g. a smartphone with an authenticator app).
     
  • FRITZ!Box support: Newer FRITZ!Box routers support 2FA for admin access both locally and remotely via MyFRITZ!. Older devices at least require confirmation for configuration changes on the device, optionally by phone or by pressing a button. Two-factor authentication is typically done via authenticator apps using the time-based one-time password (TOTP) method, such as Google Authenticator or Microsoft Authenticator. Activation requires a one-time confirmation directly on the device.
  • Speedport support: Speedport routers usually do not provide 2FA for the local admin interface itself. However, Telekom services connected to Speedport routers, such as MagentaCLOUD, do support two-factor authentication. This is an important difference that must be taken into account in the security strategy.
     
  • Why it is important: 2FA/MFA effectively protects against unauthorized access, even if the password has been stolen or guessed. It is one of the most effective measures against phishing and brute force attacks.
     
  • Practical implementation: Install a compatible authenticator app on a mobile device and scan the QR code displayed by the router to link the two.

By the way, the button press required when changing a setting on the FRITZ!Box is already a form of MFA: you more or less have to ‘prove’ that you are actually on site. This ensures that no one from outside can change the configuration.

For everyone who has ever been on mom's or dad's box via remote maintenance and then needed a confirmation for a change: also a fine thing, by the way.

Network segmentation:
The art of isolation up to ‘Level 92’

Network segmentation is an advanced security measure that divides the home network into smaller, isolated segments (subnets). This is a crucial step on the road to security, as it significantly reduces the ‘blast radius’ of a potential attack. Even if a device in one segment is compromised, the attacker cannot easily reach other, more sensitive segments.

Home network vs. guest network: We all know this one already. The popular guest network is the simplest form of segmentation and the easiest for home users to implement. It allows visitors and potentially insecure IoT devices (such as smart TVs or smart lights) to access the Internet without gaining access to the main private network with its sensitive data and devices. Go for it!

Segmentation of the network via VLANs, on the other hand, is more difficult and potentially no longer practicable for the home user.

VLANs or separate subnets for IoT / Smart Devices / Home Automation:

Advantages: Isolating IoT devices in a separate segment significantly increases security. If an IoT device (which is often less secure) is compromised, the attacker cannot directly reach PCs, laptops or NAS systems on the main network. It also improves visibility and control of traffic.

Challenges for home routers: This is an important hurdle on the way to ‘Level 92’. Many consumer routers, such as the common FRITZ!Box models, do not support real VLANs directly on their internal LAN ports or WLAN SSIDs for internal network segmentation. While some FRITZ!Box models support VLAN IDs for WAN access (internet connection), this is not intended for the subdivision of the internal home network.

This leads to a common misconception that this function is easy to activate on standard routers. The illusion of simplicity in network segmentation is an important insight. The mere recommendation of ‘VLANs’ without illuminating these limitations would frustrate users, as the existing hardware often does not allow implementation.  

Setting up subnets

Separate subnets are another possibility we want to consider for isolating individual areas and reducing the possible attack surface. This is more common in professional network environments and usually not a viable option for the home user, especially because the commonly available home routers do not support subnetting in the true sense but are designed for a single shared address range of usually at most 253 devices in one segment.

Why exactly 253? Good question! Here is the TL;DR answer: of the 256 possible addresses in a /24 home network, the first usable address x.x.x.1 goes to the router, and on top of that the first address x.x.x.0 is reserved as the network address and the last one x.x.x.255 as the so-called broadcast address. These ensure that the network segment works at all. Assigning these addresses to other devices, if the device even allows entering them, will inevitably lead to network errors.
The /24 CIDR notation is described in detail, for example, here. The formerly common description was the ‘subnet mask’, which in the home network usually looked like this: 255.255.255.0 -> /24 basically means the same thing.
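The arithmetic behind the 253 is worth seeing once in code. The following is an added example (my own, not from the original post) that uses Python's standard `ipaddress` module to list the reserved addresses of a subnet, count what is left for devices, convert the old subnet-mask notation to a prefix length, and explain why a given address will or will not work. It generalises beyond the /24 case to any prefix up to /30. The 192.168.178.0/24 range and the .1 router address are assumed as a typical FRITZ!Box default.

```python
import ipaddress
from typing import Dict


def address_plan(cidr: str, router: str) -> Dict[str, object]:
    """Break a home subnet down into the addresses that are *not* available
    for devices and count what remains. Valid for prefixes up to /30; /31 and
    /32 have no network/broadcast split and are out of scope here."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen > 30:
        raise ValueError("prefixes longer than /30 have no host/broadcast split")
    rtr = ipaddress.ip_address(router)
    if rtr not in net or rtr in (net.network_address, net.broadcast_address):
        raise ValueError(f"router {router} is not a usable host address in {cidr}")
    return {
        "network_address": str(net.network_address),      # x.x.x.0 for a /24
        "broadcast_address": str(net.broadcast_address),  # x.x.x.255 for a /24
        "router": str(rtr),                               # x.x.x.1 here
        "subnet_mask": str(net.netmask),                  # 255.255.255.0 for a /24
        "total_addresses": net.num_addresses,             # 256 for a /24
        "usable_for_devices": net.num_addresses - 3,      # 253 for a /24
    }


def classify(cidr: str, router: str, candidate: str) -> str:
    """Explain why an address typed into a device will or will not work."""
    net = ipaddress.ip_network(cidr, strict=True)
    addr = ipaddress.ip_address(candidate)
    if addr not in net:
        return "outside subnet"
    if addr == net.network_address:
        return "network address"
    if addr == net.broadcast_address:
        return "broadcast address"
    if addr == ipaddress.ip_address(router):
        return "router"
    return "usable"


def mask_to_prefix(netmask: str) -> int:
    """Convert the older 'subnet mask' notation to a CIDR prefix length."""
    return ipaddress.ip_network(f"0.0.0.0/{netmask}").prefixlen


if __name__ == "__main__":
    # Assumed typical FRITZ!Box defaults, used only as sample input.
    plan = address_plan("192.168.178.0/24", "192.168.178.1")
    for key, value in plan.items():
        print(f"{key:>20}: {value}")
    for cand in ("192.168.178.0", "192.168.178.1", "192.168.178.50", "192.168.178.255"):
        print(cand, "->", classify("192.168.178.0/24", "192.168.178.1", cand))
```

Running it for a /25 shows the same three addresses disappearing from a pool of 128, leaving 125; the rule is always "total minus network, broadcast and router", which is why splitting a /24 into smaller subnets costs three addresses per segment.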

Anyone with the ambition can read up on it and, where appropriate, find relevant suggested solutions and various helpful hints and tricks for implementing it in their own network.

Solutions for home users:

Using the guest network as an ‘IoT network’: This is the most practical solution for most home users. The guest network can be used as a dedicated network for all smart home and IoT devices to isolate them from the main network.
My Level 92 tip: LAN devices that you do not trust can also be put into the guest network. The FRITZ!Box has the practical option of providing the guest network on LAN port 4 as well. Since the LAN guest network is then also isolated from the rest of the network, the assets worth protecting are reliably shielded.

Use of a managed switch and VLAN-enabled access points: Real and robust VLAN segmentation often requires the use of additional hardware. A managed switch behind the router can split the traffic into different VLANs. VLAN-enabled access points (which could replace the AVM mesh repeaters) can then assign separate WLAN SSIDs to the respective VLANs. This represents an investment in hardware and configuration effort, but is the path to full ‘Level 99’ segmentation.  

Using routers with enhanced functionality: Some more advanced home routers or small business routers provide native support for multiple separate SSIDs and subnets that allow logical segmentation. Ubiquiti or MikroTik come to mind spontaneously. You get that from the big names as well (Cisco & Co).

Port forwarding and UPnP management

Disable UPnP: As mentioned above, UPnP should be disabled by default as it poses a significant security risk. It should only be activated when absolutely necessary for specific applications and ideally only temporarily.  

Manual port forwarding: If port forwards are essential for certain applications (e.g. game servers, remote access to cameras), they should be configured manually. Only the absolutely necessary ports should be opened, and each forward should be limited to a specific internal IP address. The router's built-in firewall features should be used to restrict access further.

VPN – Wireguard or IPSec?

The topic of VPN, i.e. your virtual private network, would definitely have deserved its own complete article. Just a brief outline: a VPN encrypts all traffic and tunnels it securely into the home network, eliminating the need to open ports directly to the outside.
Various other options could be mentioned here as well, but that would definitely lead too far for today. For now we limit ourselves to the basic handling and the difference between the two options. For example, here is a great video:

Prefer VPN use: For secure remote access to home services (e.g. NAS, security cameras), a VPN connection via the router (if supported, as with many FRITZ!Boxes) or a separate VPN server is by far the most secure method.

DHCP settings for future extensions

Fixed IP addresses for critical devices: For devices such as NAS systems, smart home hubs or private servers that require a fixed IP address, it is advisable either to set them outside the DHCP range of the router or to set up IP reservations in the DHCP server. This makes it much easier to manage, troubleshoot and configure port forwards or firewall rules, because the IP address of these devices does not change.
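Before touching the router, it helps to sanity-check the address plan on paper. Here is an added example (my own code, not from the original post) that takes the two options described above, manually fixed addresses and DHCP reservations, and reports the classic mistakes: a manually fixed address inside the DHCP pool (the router may lease it to someone else), two devices on the same address, and addresses that are reserved for the network, broadcast or router. The subnet, pool boundaries and device list are constructed sample input; the .20 to .200 pool is an assumption, not a documented default.

```python
import ipaddress
from typing import Dict, List, Optional


def check_static_plan(cidr: str, router: str, dhcp_start: str, dhcp_end: str,
                      static: Dict[str, str], reservations: Dict[str, str]) -> List[str]:
    """Return a list of human-readable findings for an address plan.

    static:       {device: ip} addresses typed into the devices themselves
    reservations: {device: ip} addresses reserved by MAC in the router's DHCP server
    """
    net = ipaddress.ip_network(cidr, strict=True)
    rtr = ipaddress.ip_address(router)
    lo, hi = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)
    findings: List[str] = []
    seen: Dict[ipaddress.IPv4Address, str] = {}

    entries = [("static", n, a) for n, a in static.items()]
    entries += [("reservation", n, a) for n, a in reservations.items()]
    for kind, name, ip in entries:
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            findings.append(f"{name}: {ip} is not inside {cidr}")
            continue
        if addr in (net.network_address, net.broadcast_address, rtr):
            findings.append(f"{name}: {ip} is the network, broadcast or router address")
        if addr in seen:
            findings.append(f"{name}: {ip} is already used by {seen[addr]}")
        seen[addr] = name
        if kind == "static" and lo <= addr <= hi:
            findings.append(
                f"{name}: static {ip} lies inside the DHCP pool {dhcp_start}-{dhcp_end}; "
                "move it outside the pool or turn it into a reservation")
    return findings


def next_free_outside_pool(cidr: str, router: str, dhcp_start: str, dhcp_end: str,
                           used: List[str]) -> Optional[str]:
    """Suggest the first host address that is neither the router, nor in the
    DHCP pool, nor already taken; None if the subnet is exhausted."""
    net = ipaddress.ip_network(cidr, strict=True)
    rtr = ipaddress.ip_address(router)
    lo, hi = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)
    taken = {ipaddress.ip_address(u) for u in used}
    for host in net.hosts():
        if host == rtr or lo <= host <= hi or host in taken:
            continue
        return str(host)
    return None


# Constructed sample plan for the examples below.
SAMPLE = dict(
    cidr="192.168.178.0/24", router="192.168.178.1",
    dhcp_start="192.168.178.20", dhcp_end="192.168.178.200",
    static={"nas": "192.168.178.10", "hub": "192.168.178.50", "printer": "192.168.178.10"},
    reservations={"camera": "192.168.178.30"},
)

if __name__ == "__main__":
    for line in check_static_plan(**SAMPLE):
        print("finding:", line)
    used = list(SAMPLE["static"].values()) + list(SAMPLE["reservations"].values())
    print("next free address outside the pool:",
          next_free_outside_pool(SAMPLE["cidr"], SAMPLE["router"],
                                 SAMPLE["dhcp_start"], SAMPLE["dhcp_end"], used))
```

A reservation is the cleaner of the two options because the router stays the single source of truth; a manually fixed address only works reliably when it is outside the pool, which is exactly the check the first function performs.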

Contingency plans and alternative access options: Your PlanB

A truly resilient home network at ‘Level 92’ is characterised not only by robust security measures, but also by the ability to remain operational in the event of a primary internet connection failure. Dependence on a single Internet connection carries significant risks, as a failure can paralyze home office, communication, and smart home functions. Therefore, an alternative access contingency plan is essential.

LTE/5G as a fallback

Advantages: Mobile networks are widespread and offer good speeds in many regions. An LTE/5G backup can be set up relatively quickly and provides a reliable alternative, especially in areas where traditional landline internet is slow or unreliable. It can be used as an automatic failover or as a manual backup.

Disadvantages: Often associated with data volume limits, which can lead to high costs with intensive use. Unlimited plans are more expensive. Network coverage and actual speed may vary by location.

Implementation: Dedicated LTE/5G routers with an integrated failover function can automatically switch to the mobile network if the primary DSL/cable connection fails. Alternatively, a smartphone or tablet can be used as a mobile hotspot.

Satellite Internet:

Advantages: Satellite Internet also provides connectivity in rural areas where fixed lines are not available. Newer systems such as Starlink offer significantly lower latencies and higher speeds compared to older satellite systems.

Disadvantages: High acquisition costs for the hardware (satellite dish, router). Monthly costs can also be high. Latency can still be problematic for real-time applications such as online gaming or video conferencing. The connection is also susceptible to severe weather such as thunderstorms or snowfall.

Directional radio (wireless last mile):

Advantages: Directional radio links can deliver high bandwidths over longer distances and usually have low latencies. They are a good option if no fibre or cable connection is available and there is a line of sight to a transmitting point.

Disadvantages: Requires a direct line of sight between transmitter and receiver. Installation is often complex and requires special hardware. Directional radio solutions are less available to home users and are more likely to be offered to business customers or within specific regional initiatives.

Automatic solutions vs. hands-on backups

Automatic failover routers: These routers are configured to detect a failure of the primary Internet connection and then automatically switch to a predefined alternative connection (e.g. LTE/5G). This minimizes network downtime and keeps the home office or critical smart home functions running. One example: Speedport routers with ‘Hybrid’ and/or ‘LTE’ in the name.

Level 92 DIY solution:
Failure notification, automatic switch to fallback
Charly already gave us a nice example of this in the last post. This variant may already be sufficient if manual access is not possible or not desired. Whether, to what extent, with what hardware and how you then react can at least be adapted perfectly to your own needs. A clear case of thumbs up.

Failure notification, manual switch
Maybe another variant is enough for you: failure notification with a manual switch. This can then look like this:

Hands-on backups: These are preconfigured devices such as LTE sticks, mobile hotspots or even a (backup) smartphone. These require manual switching or activation by the user in the event of a failure. Although less seamless than automatic solutions, they provide a cost-effective and effective way to restore basic connectivity.
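The two DIY variants above (notify and switch automatically, or notify and let a human switch) differ only in one decision inside the same monitoring loop. As an added example (my own code, not Charly's from the last post and not the firmware of any router), here is that loop as a small state machine: a liveness probe over the primary line, a failure counter with hysteresis so that one lost packet does not trigger a switch, a notification hook, and a flag that decides whether the switch to the fallback happens automatically or stays a manual step. The probe host, port and thresholds are assumptions; the `simulate` helper replays a constructed sequence of probe results so the logic can be exercised without a real outage.

```python
import socket
import time
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Assumed probe target: a TCP connect to a host you trust to be reachable;
# routing must force this through the primary line for the probe to mean anything.
PROBE_HOST = "1.1.1.1"
PROBE_PORT = 53


def probe_once(host: str = PROBE_HOST, port: int = PROBE_PORT, timeout: float = 3.0) -> bool:
    """One liveness probe: True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass
class WanFailover:
    """Tracks the primary line and decides when to notify and when to switch."""
    fail_threshold: int = 3        # consecutive failed probes before "primary down"
    recover_threshold: int = 5     # consecutive good probes before "primary back"
    auto_switch: bool = True       # False: only notify, a human flips the switch
    notify: Callable[[str], None] = print
    primary_up: bool = True
    active: str = "primary"        # which link currently carries the traffic
    failures: int = 0
    successes: int = 0

    def tick(self, primary_ok: bool) -> str:
        """Feed one probe result; returns the link that is active afterwards."""
        if primary_ok:
            self.successes += 1
            self.failures = 0
        else:
            self.failures += 1
            self.successes = 0
        if self.primary_up and self.failures >= self.fail_threshold:
            self.primary_up = False
            self.notify("primary WAN down")
            if self.auto_switch:
                self.active = "fallback"
                self.notify("switched to fallback")
        elif not self.primary_up and self.successes >= self.recover_threshold:
            self.primary_up = True
            self.notify("primary WAN back")
            if self.auto_switch:
                self.active = "primary"
                self.notify("switched back to primary")
        return self.active

    def switch_manually(self, link: str) -> str:
        """The hands-on variant: the user decides which link to use."""
        if link not in ("primary", "fallback"):
            raise ValueError("link must be 'primary' or 'fallback'")
        self.active = link
        return self.active


def simulate(results: List[bool], auto_switch: bool) -> Tuple[str, List[str]]:
    """Replay a constructed sequence of probe results and collect notifications."""
    events: List[str] = []
    failover = WanFailover(auto_switch=auto_switch, notify=events.append)
    for ok in results:
        failover.tick(ok)
    return failover.active, events


if __name__ == "__main__":
    # Notify-only mode: each message is where you would hook in e-mail or push.
    failover = WanFailover(auto_switch=False)
    while True:
        failover.tick(probe_once())
        time.sleep(10)
```

The thresholds are the part worth tuning: a low failure threshold gives fast failover but flaps on a single lost packet, and a recovery threshold higher than the failure threshold keeps the system from bouncing back to a line that is only half alive. Whatever actually performs the switch (a relay on the router's power, a script on a second router, or you walking to the cabinet) plugs in where the `active` attribute changes.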

Use of a (backup) basic modem from the provider

An often overlooked aspect of the contingency plan is keeping a simple basic modem from the ISP. Should your own router fail or develop a complex malfunction, such a modem can establish a direct connection to the Internet. This allows at least basic connectivity to be restored and the problem with the main router to be diagnosed. What is often forgotten, however, is that a basic modem also serves a completely different purpose from the ISP's point of view, namely the possibility of differential diagnosis.

A device officially approved by the provider may be required for fault diagnosis, as a provider likes to blame the customer for a malfunction or outage when no ‘provider's own’ modem is in place. The tactic of pointing at the hardware installed by the customer may seem understandable, but it quickly leads to frustration, simply because the provider has no extended diagnostic options via a customer router, which may be nowhere near the actual cause of the outage. Here again I think to myself: better to have it and not need it than the other way around. It's more relaxed.

Single Point of Failure

The typical SPOF in the home network is a single component whose failure can paralyze the entire network or parts of it. Put simply, it's a part that is so important that if it breaks, the whole system stops working. In the usual sense, that would be the router, the modem or a central switch.
Depending on the setup and required access points, however, a single access point that ensures that the remote laptop, the tablet in the garden or the media server in the basement still have connection to the network can be the single point of failure. Even a single hard drive without data backup would fall into this category.

How to avoid this SPOF?

  • Redundancy: Use redundant components such as two routers or two modems to compensate for a failure.
  • Redundant connections: Use multiple Internet connections (e.g. DSL and LTE) or redundant cabling.
  • Automatic failover: Configure your devices to automatically switch to an alternate connection or replacement service when a problem occurs.
  • Regular backups: Backup important data regularly to avoid data loss in the event of a failure.
  • Professional support: Consult a professional for complex network configurations or problems.
  • Backups of configurations: Make regular backups of your router and network configurations to enable quick recovery in the event of a failure. 

Again, of course, for the sake of fairness, it must be said that not everyone has to keep or heed all of the above elements. Especially in the home network, of course, the priorities are different.
In corporate IT, on the other hand, one would speak of risk appetite in the assessment and, if necessary, weigh the acquisition and maintenance costs of such redundancies against the cost of an outage. Since quite different sums are often at stake there, a budget for multiple redundancy and even entire failover data centers is of course absolutely justified where necessary.

TL;DR for today?

Some people want an "Oh Shit – well, more time for the beer garden", others use a switch button, others would like a backup modem, others want an automatic fallback, and whoever depends on high availability may even have a second line active 24/7.

And every one of these is perfectly fine. What is enough for you is the sweet spot.