[ Skip to main content ]
1 3 3 7 4 2 0 6 6 6 1 3 3 7 4 2 0 6 9 6 6 6 1 3 3 7 4 2 0 6 6 6 4 2 0 1 3 3 7 6 9 6 6 6 4 2 0 1 3 3 7 6 9 6 6 6 4 2 0 6 9 1 3 3 7 6 6 6 4 2 0 6 9 1 3 3 7 6 6 6 4 2 0 6 9 6 6 6 1 3 3 7 4 2 0 6 9 6 6 6 1 3 3 7 4 2 0 6 9 1 3 3 7 6 6 6 4 2 0 6 9 1 3 3 7 6 6 6 4 2 0 6 9 1 3 3 7 6 6 6 6 9 4 2 0 1 3 3 7 6 6 6 6 9 4 2 0 1 3 3 7 6 6 6 4 2 0 1 3 3 7 6 6 6 6 9 4 2 0 1 3 3 7 6 6 6 6 9 4 2 0 6 9 1 3 3 7 4 2 0 6 6 6 6 9 1 3 3 7 4 2 0 6 6 6 6 9 1 3 3 7 6 6 6 6 9 4 2 0 1 3 3 7 6 6 6 6 9 4 2 0 1 3 3 7 6 6 6 4 2 0 6 9 1 3 3 7 6 6 6 4 2 0 6 9 1 3 3 7 6 6 6
GUIDE NETWORK ROUTER

ROUTER_SECURITY

Secure your home network. FritzBox, AVM, and general router hardening. WiFi security, firewall, remote access.

INTERMEDIATE FRITZBOX FOCUSED NETWORK HARDENING
Router Security

WHY ROUTER SECURITY IS YOUR FIRST DEFENSE

Your router is the gateway to your entire network. If compromised, attackers can:

  • Monitor all traffic: See every website you visit, even with HTTPS
  • Inject malware: Replace downloads with malicious versions
  • Access devices: Exploit vulnerable devices on your network
  • Use your network: Route illegal activity through your connection

STEP 1: ROUTER BASICS (ALL ROUTERS)

CHANGE DEFAULT CREDENTIALS IMMEDIATELY

Routers ship with default passwords like "admin/admin" or "admin/password". These are publicly known and the first thing attackers try.

Common defaults to change:

  • β€’ admin/admin
  • β€’ admin/password
  • β€’ admin/1234
  • β€’ root/admin

UPDATE FIRMWARE

Router firmware contains security updates. Outdated firmware = known vulnerabilities.

AUTOMATIC UPDATES

  • β€’ Enable if available
  • β€’ Set to check daily
  • β€’ Reboot when prompted

MANUAL UPDATES

  • β€’ Check manufacturer site monthly
  • β€’ Download from official source only
  • β€’ Verify checksums

DISABLE REMOTE MANAGEMENT

Remote management lets you access router settings from outside your network. It's rarely needed and often exploitable.

  • βœ“
    Disable: "Remote Admin", "Web Access from WAN", "Remote Management"
  • βœ“
    If needed, use VPN + LAN access instead
  • βœ“
    Never enable telnet (use SSH if needed)

STEP 2: WIFI SECURITY

USE WPA3 (OR WPA2-AES)

WPA3 is the latest WiFi security protocol. If unavailable, WPA2-AES is minimum.

WPA3

Best. Use if available.

WPA2-AES

Acceptable minimum.

WEP/WPA-TKIP

Broken. Never use.

ENABLE GUEST NETWORK

Guest WiFi isolates visitors from your main network. They get internet but no access to your devices.

  • β€’ Separate password for guests
  • β€’ Isolates guest devices from LAN
  • β€’ Use for IoT devices when possible
  • β€’ Can be on timer (disable when not in use)

SHOULD YOU HIDE YOUR SSID?

Short answer: No. Hiding your SSID doesn't add security.

  • β€’ Hidden networks are still visible to anyone with WiFi tools
  • β€’ Devices "probe" for hidden networks, revealing them anyway
  • β€’ Can cause connection issues
  • β€’ Your security comes from WPA3 + strong password, not hiding

STEP 3: FRITZBOX HARDENING (AVM)

FritzBox routers are popular in DACH regions. They're generally secure out of the box, but these settings improve security:

FRITZBOX SECURITY SETTINGS

Access via fritz.box or router IP

Home β†’ Network β†’ Network Settings

  • β€’ Enable "Airtime Fairness" (prevents WiFi hogging)
  • β€’ Disable WPS (push button has vulnerabilities)

Home β†’ System β†’ FRITZ!OS Users

  • β€’ Change default "fritz" password
  • β€’ Create separate user for guests
  • β€’ Disable unwanted services (NAS, media server)

Home β†’ Internet β†’ Permit Access

  • β€’ Disable "MyFRITZ" if not used
  • β€’ Review port forwarding rules
  • β€’ Disable incoming connections unless required

Home β†’ Home Network β†’ Mesh

  • β€’ Review mesh/repeater settings
  • β€’ Only allow known devices

MYFRITZ REMOTE ACCESS

MyFRITZ allows remote access to your router. It's convenient but adds attack surface.

  • β€’ If you don't need remote access: DISABLE IT
  • β€’ If needed: Use unique, strong password
  • β€’ Consider VPN instead of MyFRITZ

KEEP FRITZ!OS UPDATED

FritzBox updates are automatic but check manually:

Home β†’ System β†’ Update

  • β€’ Check for new FRITZ!OS
  • β€’ Enable automatic updates
  • β€’ Review changelog for security fixes

STEP 4: DNS SETTINGS IN ROUTER

Change your router's DNS to block ads/malware at the network level. All devices benefit.

CLOUDFLARE

1.1.1.1
1.0.0.1

QUAD9

9.9.9.9
149.112.112.112

ADGUARD

94.140.14.14
94.140.15.15

Set in: Internet β†’ DNS Settings (varies by router)

STEP 5: FIREWALL RULES

Most routers have SPI firewall enabled by default. Verify and configure:

  • β€’ Ensure "SPI Firewall" or "Stateful Packet Inspection" is ON
  • β€’ Block incoming ICMP ping requests (prevents network discovery)
  • β€’ Review port forwarding - only forward what's absolutely necessary
  • β€’ Enable "Stealth Mode" if available (drops unsolicited packets)

STEP 6: IOT DEVICE ISOLATION

IoT devices (smart bulbs, cameras, speakers) are notoriously insecure. Isolate them:

GUEST NETWORK

Put IoT on guest WiFi. Can't access main network.

VLAN (if supported)

Create VLAN for IoT. Advanced but more flexible.

SECURITY CHECKLIST

ADVANCED: CUSTOM FIRMWARE

For advanced users, custom firmware like OpenWrt or DD-WRT provides more control:

OPENWRT

  • β€’ Full Linux environment
  • β€’ Active development
  • β€’ Supports many routers
  • β€’ Steep learning curve

DD-WRT

  • β€’ User-friendly interface
  • β€’ Broad hardware support
  • β€’ VPN server/client built-in
  • β€’ Check compatibility first

WARNING: Installing custom firmware can brick your router. Only attempt if you know what you're doing and your router is supported.

FAQ / TROUBLESHOOTING

❓ I don't have a FritzBox β€” does this still apply?

The principles apply to any router: change default credentials, disable UPnP/WPS, update firmware, use WPA3, and segment IoT devices. Specific menu paths differ. OpenWrt and pfSense are great alternatives with more transparency.

❓ Is WPA2 still safe in 2025?

WPA2-AES (CCMP) is still considered secure for most home use. WPA3 adds better protection against brute-force and forward secrecy. If your devices support WPA3, use it. Otherwise WPA2-AES is fineβ€”never use WEP or WPA-TKIP.

❓ I turned off UPnP but my games complain about NAT type

Either set up explicit port forwarding (forward the specific UDP/TCP ports for the game to your console/PC's static IP), or enable UPnP only. UPnP risk is real but most home users accept it for gaming convenience. Pick your trade-off consciously.

❓ Should I change my router's default DNS?

Yes. Your ISP's DNS can log queries and is often hijacked for ads. Use encrypted DNS: 1.1.1.1 (Cloudflare), 9.9.9.9 (Quad9 with malware filter), or set up DoH/DoT in your router settings if supported.

❓ My ISP router has no settings β€” what now?

Put your ISP router in bridge/modem mode and add a proper router behind it (a FritzBox, OpenWrt box, or a used enterprise-grade router). This unlocks all the controls you need.

❓ How do I test if my ports are really closed?

From outside your network (mobile data or a server), run nmap <your-public-ip> or use ShieldsUP!. Only the ports you explicitly forwarded should show as "open."

❓ Can I trust my VPN provider's router app?

For pure tunneling: usually yes. Don't enable "kill switch" features built into the router's VPN appβ€”those are often less reliable than per-app kill switches. Run the VPN client on the devices that need it, not at the router level, for critical privacy.

❌ NEED HELP?

Router setup varies wildly by brand. Ask in manufacturer-specific forums or OpenWrt community.