
| From: David Collier-Brown via talk <talk@gtalug.org>
| To: UU <u-u@unixunanimous.org>, GTALUG Talk <talk@gtalug.org>

I don't think that it is great to post a message once to two public mailing lists. It can lead to odd entanglements. It's fine to separately post the same message to two lists. I'm violating this suggestion with this message.

| I have a Rogers-supplied router and cable modem package, which twice has shown
| significant usage when I was out, once with the original unit and once with
| their replacement Cisco. That makes me suspicious of the current state of
| authentication for wi-fi schemes (and I use the term "schemes" advisedly: they
| used to be horribly leaky (;-))

Wow. Interesting. If it were me, I'd try to figure out who was doing this. But in reality that's probably more work than it is worth.

| What's a good approach? I have considered
|
| * MAC address lists, MACs are so spoofable.

Why bother? If I remember correctly, OSX now has a feature that lets you use a random MAC on your wireless just to avoid other people tracking you.

| * no wi-fi (strictly wired doesn't work with solid concrete walls),

I don't imagine your threat models are so severe that this matters. But for the paranoid: even traffic analysis (without decryption) reveals a lot.

| * a second router with a more secure protocol (/is/ there such a
| protocol? And will my wife's Mac speak it?))

I think that the best compromise for most individuals who care even a bit is:

- Turn off the modem's WiFi and put it in bridge mode. You may have to repeat this after a power failure or a (generally unannounced) firmware update.

  Why: Rogers has 100% control of the modem (remote provisioning, firmware updates). They have (if they choose) access to your LAN unless you put something between the modem and the LAN.

- Use your own wireless router. Choose one that has a decent radio and is well supported by OpenWRT. Run OpenWRT on it.

  Why: firmware from the manufacturers is crappy in known and unknown ways. Other third party firmware providers are badly constituted (dictatorships, NDAs, glued together bits of binary stuff).

- Alternatively use a little PC and install whatever amuses you as software to make it a router.

  Why not: takes more resources than just using OpenWRT on consumer router hardware. Cost, time, electricity, noise, heat, risk of misconfiguring, maintenance effort.

  Why: more flexible, more controllable. Sometimes better performance. Can perform server roles (email, web, ...).

  This is what I do. I run CentOS on two of my three consumer-grade internet connections. I run Fedora 28 on the other -- that adds to the maintenance burden (so many updates!).

- Alternative: <https://omnia.turris.cz/en/>

  I'd like this to be a great solution but I don't know whether it is. It's not as inexpensive as I'd like.

One of my connections is gigabit from Rogers. Ordinary wireless routers cannot pass 1G through unless proprietary NAT hardware acceleration is used. That hardware is not supported by OpenWRT. Even if it were, there are serious restrictions on what can be done to the packet before it gets punted to the software path.

My little PC solution seems to handle gigabit just fine. I use Zotac ZBoxes that come with two gigabit ethernet ports (only a few do). My gigabit gateway is an RI323Nano (out of production). My others (untested for gigabyte throughput) are both CI321NANO. These cost me about the same as an expensive router.

I don't use them for providing WiFi. I use a couple of consumer WiFi routers as (just) APs.

As for WiFi passwords: make them long and replete with entropy. I use the mkpasswd command that is part of the expect package. Don't use the magic button on the router to make the password crap easier: it can make you vulnerable. Typing these is very error-prone so I use a USB flash drive to carry them to a new system.
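The "long and replete with entropy" advice above, as an added example that is not part of the thread: a POSIX shell generator for a WPA2-PSK passphrase drawn from the kernel RNG, with a check of the 8 to 63 character passphrase bounds and a count of the entropy bits a given length buys. It assumes sh, awk, tr, head and a readable /dev/urandom; the symbol set is a constructed choice, not mkpasswd's.

```shell
#!/bin/sh
# Added example: WPA2-PSK passphrase generation and entropy accounting.
# Assumptions: POSIX sh, awk, tr, head, /dev/urandom (all labelled assumptions).

# Constructed symbol set: letters, digits and punctuation that is easy to
# type into router admin pages (no space, quote, backslash or brackets).
SYMBOLS='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+,./:;<=>?@^_{|}~-'
# Same set as a tr(1) SET; '-' is kept last so it is literal, not a range.
TR_SET='A-Za-z0-9!#$%&*+,./:;<=>?@^_{|}~-'

# Entropy in bits of a passphrase of $1 symbols chosen uniformly from SYMBOLS:
# floor(len * log2(|SYMBOLS|)). 86 symbols give about 6.43 bits per character.
passphrase_bits() {
    awk -v n="${#SYMBOLS}" -v l="$1" 'BEGIN { printf "%d\n", l * log(n) / log(2) }'
}

# True when $1 is a usable WPA2-PSK passphrase: 8..63 characters, all from SYMBOLS.
valid_wpa_passphrase() {
    p=$1
    [ "${#p}" -ge 8 ] && [ "${#p}" -le 63 ] || return 1
    # Delete every allowed character; anything left over is disallowed.
    [ -z "$(printf '%s' "$p" | LC_ALL=C tr -d "$TR_SET")" ]
}

# Print a fresh passphrase of $1 characters (default 20, about 128 bits).
# Bytes from /dev/urandom outside the set are discarded, so each kept
# character is uniform over SYMBOLS.
gen_wpa_passphrase() {
    len=${1:-20}
    [ "$len" -ge 8 ] && [ "$len" -le 63 ] || return 1
    LC_ALL=C tr -dc "$TR_SET" < /dev/urandom | head -c "$len"
    echo
}

# Stand-alone use: emit one 20-character passphrase and its entropy.
if [ "${WPA_DEMO:-0}" = 1 ]; then
    pw=$(gen_wpa_passphrase 20)
    printf '%s  (%s bits)\n' "$pw" "$(passphrase_bits 20)"
fi
```

Run with `WPA_DEMO=1 sh script.sh` to print one passphrase; `gen_wpa_passphrase 63` gives the longest passphrase WPA2-PSK accepts.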