Question Recommend Home-Routers where you can DISABLE WiFi Admin Access?

Hi all,

Can anyone recommend Home WiFi Routers that have the option to DISABLE Access to the Router Administration/Configuration via WiFi?

I already regularly change my Admin Password/WiFi Password.

I would really appreciate a router that lets me restrict Admin logins to ONLY a wired/cabled access method.

I live in a built-up area and the local school likes to try to fiddle with my network remotely(!).

Much appreciate your responses..!
 
Most home users are too stupid to even change the wifi or admin passwords. That is why they generate random ones at the factory and put a sticker on the router nowadays.

You will not see much in the way of actual security features on a home router since there is little interest.

You might be able to load third party firmware like dd-wrt but the list of good routers that support third party firmware is not very large.

In general the problem is the wifi radio chips look like physical ethernet ports to the router chip. Then you have the problem that this varies between different chipsets in the router. You would have to figure out what each device called the ports.
You would then, if you were lucky, be able to use unix-based commands that allow filtering ethernet packets based on ports. I think the command was something like ebtables.

I used to mess with this stuff but the unix command level stuff on routers is a massive pain. After recovering firmware images multiple times I kinda decided it was just too complex for me.

BUT
This would assume that someone has valid wifi access and you just wanted to prevent admin access. Say you didn't want your teen to disable the parental control rules but you have to let them use the internet.

In your case you have 2 levels of passwords they would have to hack. They would first have to break into the wifi. Although WPA3 came out because in theory someone with a supercomputer could offline crack the WPA2 passwords, it still takes almost a year to get simple common-word passwords.
They then would have to brute force guess your admin password. That can't be done offline and would be mostly limited by how fast your router cpu would accept input, and they aren't very fast.

In general I wouldn't worry about it. If you are really concerned and your equipment supports WPA3, use that. You could also set up a small radius server and use enterprise mode, which is still considered uncrackable.

And since this is a long post and you are likely bored I will put the most important wifi thing here. Make sure WPS is disabled. This feature can easily be cracked by a cell phone. Again stupid lazy home users, this feature has been known to be cracked for many years but vendors keep putting it on routers because of all the so called "smart" devices you configure by just pushing a button.
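
The ebtables idea from the post above, written out as an added example (not code from any poster): a script that prints rules dropping frames addressed to the router's own admin ports when they arrive on a wireless bridge port. The interface names `wlan0`/`wlan1` and the port list are assumptions; as the post says, the names differ between chipsets and have to be looked up on the device.

```shell
#!/bin/sh
# Added example: print ebtables rules that drop frames addressed to the
# router's own admin services when they arrive on a wireless bridge port.
# Nothing is applied here; review the output, then pipe it to sh on the router.

# Assumptions: names and ports vary per router and chipset.
# List the real bridge members with `brctl show` before using this.
WIFI_PORTS="${WIFI_PORTS:-wlan0 wlan1}"     # hypothetical wireless bridge ports
ADMIN_PORTS="${ADMIN_PORTS:-22 23 80 443}"  # SSH, telnet, HTTP/HTTPS admin UI

valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_iface() {
    # Letters, digits, '.', '_' and '-' only, at most 15 characters.
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

gen_rules() {
    # Validate everything first so a bad value never yields a partial rule set.
    for ifc in $WIFI_PORTS; do
        valid_iface "$ifc" || { echo "bad interface: $ifc" >&2; return 1; }
    done
    for port in $ADMIN_PORTS; do
        valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    done
    for ifc in $WIFI_PORTS; do
        for port in $ADMIN_PORTS; do
            # INPUT chain = frames destined for the router itself, so traffic
            # forwarded from wifi to the internet is not affected.
            echo "ebtables -A INPUT -i $ifc -p IPv4 --ip-protocol tcp --ip-destination-port $port -j DROP"
            echo "ebtables -A INPUT -i $ifc -p IPv6 --ip6-protocol tcp --ip6-destination-port $port -j DROP"
        done
    done
}

gen_rules
```

Wired LAN ports are not matched, so the admin page stays reachable over a cable; rules added this way are lost on reboot unless the firmware's startup script re-applies them.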
 

rcfant89

I use a custom built Untangle router/NG firewall on a Zotac mini PC box. Looks like Arista has purchased Untangle, though.

Anyway, Config > Administration > "Restrict Administration Subnet(s):" allows you to specify what subnets can access your router. Simply spin up a "management subnet" and there ya go. Or, I assume you could solve the issue without subnetting in a roundabout way, i.e. "yourDesktopIpAddress/32" (would be a "subnet" of just that single IP address), I suppose?

I'm sure there are other ways to "skin the cat" but this is what I see after a 20 second search in my router.

I'd also suggest turning down your AP power. If the signal is traveling much farther than your own yard, it's probably way too high. Also, your wifi experience will be poor as well, because smaller devices won't be able to "talk back" to the router since they have lower power. It's better to have more APs operating at lower power for this reason. Better performance, and safer I suppose. I use mostly Unifi UAP-AC-Pros. You can get them second hand on ebay for dirt cheap.

Also, you could put your Wifi on a different subnet that routes ONLY to the internet, or set up multiple Wifi SSIDs (like Thelps and ThelpsGuest) and make the guest network only route to the internet. This is best because, if someone hops onto your wifi, they can access ALL your LAN devices under the right circumstances. This is best avoided.

So yeah, lots of stuff you can do. Main thing I'd recommend is Bitwarden, though. Set up passwords that are like 15 characters and use lots of symbols and stuff. And don't reuse any passwords. I was pretty bad about this for the longest time, but it really is easy with a good PW manager.
 
I use Ubiquiti. All of my 2.4GHz networks are guest networks; they aren't capable of connecting to the LAN to access the router settings or any other wifi device on the network. They're limited to only the internet, even if they do break in. 2.4GHz travels pretty far, into neighboring buildings.

Internal home wifi is 5GHz, which has limited range. So it physically restricts access unless people are right up against the walls of my house; it doesn't work in the driveway.

But with Ubiquiti UniFi, you'll be alerted of brute-force wifi attacks. It will also alert you when a "rogue" wifi access point is near your network. This is someone that sets up a router near your house with the same SSID you're using. When one of your devices or you yourself try to connect to it, you end up sending it your wifi password and that's how they get it.
 
All excellent responses. Thank you so much all!

I would still be REALLY KEEN to find a router that lets you disable Log-In to the Administration Settings via WiFi in the admin control panel settings.

I'm actually kinda amazed such routers don't exist. It's a really useful feature if you're dealing with an environment where you're likely to undergo such a security breach. Manufacturers should really include this setting as standard.

Please, please, please let me know if you spot any that DO have the ability to disable Administrative Login via all but a direct physical connection.

Thanks again for all the really excellent responses so far. :)
 

Ralston18

This:

"I live in a built-up area and local school likes to try to fiddle with my network remotely(!)."

Likely you know "who" the local school is (URL, IP address) - correct?

Maybe some inbound firewall rules on your end to help block them out.

Not a full solution to the stated problem and requirements.

And really does not stop the attackers from trying.

Key is to prevent the attackers from getting into admin functions.