All small office routers have feature sets that can be safely tweaked to do a better and more secure job. If a router has Wi-Fi built-in, much can be done to make things safer and faster still.
The tweaks I suggest may, however, rub against your organization’s policies on connectivity and use; check them first. Suggested changes shouldn’t violate the organization’s rules, but each organization arrives at policies from differing viewpoints and legal needs. I prefer to respect them, even when I disagree with them.
Some policies are designed to give conformity so that help desk and service personnel know what to do, given a set of problem symptoms. It actually makes life vastly more difficult for them if the underpinning assumptions they might have regarding your site’s installation and its characteristics are broken.
If you’re the administrator and have full responsibility for the network, I suggest that you document changes thoroughly, including using a screen capture program to document the webpage screens where you change items. That helps people who need the docs in your absence have a starting point of documentation to troubleshoot problems (since we all know that meltdowns happen when you are on vacation, lolling on a beach with a drink that has an umbrella in it).
The Assumptions
Every small office router emerges from the box in one of two states: pre-configured for your installation with settings that were changed from the factory settings of the router, or with the default factory settings. Rarely, routers that have been changed from factory settings have the changes documented; be pleasantly surprised when that’s the case.
Office routers have an even chance of being usable directly from the factory, after you connect them correctly into your office’s cabling plan, using the connection you were provided to the local data or broadband carrier’s jacks. It’s possible to have “plug and play” routers correctly sense everything and work the first time, supplying your office with the requisite Internet connectivity. This has only recently become the case, as “plug and pray” used to be the mantra, requiring calls to help desk support units to obtain various settings (and the occasional sacrifice of small animals and chanting of incantations).
Most every office router comes with a firewall, which is a program that attempts to keep the bad guys out. We suggest that it can also keep the good guys out, so check below regarding “Firewall Changes.” The office router, when equipped with Wi-Fi, can have a few settings changed that allow it to not only be faster, but a better neighbor in your office’s neighborhood, listed below as “Wi-Fi Alterations.”
First, however, some items that need to be changed from default settings. (If you’re allowed to do so, and again, remember to check with your local IT authorities to make sure you aren’t violating policies. You have been warned.)
Settings Changes Every Office Router Can Use
Each router is set up in one of three ways. The first is to log on to its internal web pages, then follow the “wizard” instructions. The second is to run a (usually Windows-based) program on a system connected to the router; the program “finds” the router and lets you make either “wizard” or manual settings changes.
The third way to change settings is manually, and manual is what we want. “Manually” means moving up and down through the router’s menus until you find the web page that holds the settings we’re going to change. This presumes you’ve been able to reach the web pages in a browser; the instructions that came with the router, often called a “quick start,” give you the address and the initial login for them.
Each router can store a log of its activities, so turn this on first; it’s usually under a “system” or “administration” menu. The log keeps tabs on activity, including error messages that are useful for troubleshooting or for handing to a tech support person, and most routers ship with it off. Two caveats: on most small routers the log lives in memory and is wiped by a reboot or power cycle, and it holds only a few hundred lines. If the router can send its log to a syslog server on the office network (a setting often labeled “remote log” or “syslog”), point it at a machine that stays on so the history survives.
Next, find out how to back up the unit’s configuration. Do this backup every time you make even a single change. (Don’t cheat. One day, you will be glad you did this.) Then put the backup file it generates (it’s tiny) onto an old but working USB flash drive and tape the drive to the router so you can find it again. After each session, update the flash drive with the new settings, and keep the previous file as well: a known-good older configuration is what you’ll want when a change goes wrong. Bear in mind that the backup usually contains the administrator and Wi-Fi passwords, so the taped-on drive is only as protected as the room the router sits in.
After you’re backed up and the logs are on, you need to decide The Big IPv6 question. IPv6 is the newer Internet addressing scheme; the central pool of unallocated addresses in the old scheme, IPv4, has been exhausted, and the regional registries are rationing what remains. (For a more in-depth explanation, see IPv6: What the CIO Needs To Know.) You may have to enable your router to use IPv6. The method is carrier-specific and not within the scope of this article. If you see choices and you are your own IT department, don’t enable IPv6 unless you’re told to do so; if you are told to, the instructions will be explicit. Otherwise, leave it off. If you do turn it on, check that the router’s IPv6 firewall is on as well: under IPv6 every machine in the office gets a globally reachable address, and the NAT that incidentally shields your IPv4 machines (see “Firewall Changes”) is no longer in the way.
Firewall Changes
The firewall keeps the bad guys out. A small office firewall protects you in three basic ways: it hides the actual addresses of machines on your local network; it prevents outside computers from starting arbitrary conversations with computers on your network, admitting inbound traffic only when it is a reply to something an inside machine sent (this is “stateful inspection”); and it controls which programs on the inside may talk to which computers outside. Each router has its own options and variations.
Firewalls hide actual TCP/IP addresses through Network Address Translation (NAT). A separate router function, DHCP, hands out private addresses (typically in the 192.168.x.x or 10.x.x.x ranges) to computers when they start up; those addresses are different from the public address your office is given by your data communications or broadband provider, and they cannot be reached from the Internet directly. As each inside machine opens a connection, the router rewrites the packets to carry its own public address and a port of its choosing, and records the mapping in a table so that the replies can be rewritten back to the right inside machine.
Some programs don’t work through NAT, because they need an outside computer to connect in to them on a particular port (a port is like an apartment number at the building’s street address). “Opening a port” is done with “port forwarding”: a rule telling the router that anything arriving at, say, port 3389 of its public address is to be delivered to one specific inside machine. This is a “hole” in the firewall that is normally closed, and once opened it is open to everyone on the Internet, not only to the party you had in mind.
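To make the NAT table, stateful inspection and the port-forward “hole” concrete, here is a small Python model of the decision the router makes for each arriving packet. It is an added illustration, not code from this article or from any router’s firmware; the addresses (192.168.1.x inside, 203.0.113.x and 198.51.100.x outside) are constructed documentation ranges, and the port allocation is simplified.

```python
"""Toy model of what a small-office router's NAT/stateful firewall does.

Added illustration, not code from the article or from any router vendor.
All addresses are constructed (RFC 1918 inside, TEST-NET documentation
ranges outside); the port-allocation scheme is simplified.
"""
import itertools


class NatFirewall:
    """Rewrites outbound connections to the router's public address and
    admits inbound packets only as replies or through port-forward rules."""

    def __init__(self, public_ip, forwards=None):
        self.public_ip = public_ip
        # Port-forward rules: external port -> (inside host, inside port).
        self.forwards = dict(forwards or {})
        # Translation table: external port -> (inside ip, inside port,
        # remote ip, remote port). Real routers also age entries out.
        self.table = {}
        self._next_port = itertools.count(40000)

    def outbound(self, inside_ip, inside_port, remote_ip, remote_port):
        """An inside machine opens a connection. Returns the source the
        remote host will see: the router's public address and a fresh port."""
        ext_port = next(self._next_port)
        self.table[ext_port] = (inside_ip, inside_port, remote_ip, remote_port)
        return (self.public_ip, ext_port)

    def inbound(self, remote_ip, remote_port, ext_port):
        """A packet arrives on the WAN side addressed to public_ip:ext_port.
        Returns ("deliver", inside_ip, inside_port, reason) or ("drop", ...)."""
        entry = self.table.get(ext_port)
        if entry is not None:
            inside_ip, inside_port, exp_ip, exp_port = entry
            if (remote_ip, remote_port) == (exp_ip, exp_port):
                return ("deliver", inside_ip, inside_port, "reply to outbound connection")
            # Right port, wrong remote party: stateful inspection says no.
            return ("drop", None, None, "not a reply to any connection we opened")
        if ext_port in self.forwards:
            inside_ip, inside_port = self.forwards[ext_port]
            # A forward admits *anyone* on the Internet, not just the
            # remote user you set it up for.
            return ("deliver", inside_ip, inside_port, "port-forward rule")
        return ("drop", None, None, "unsolicited")


def demo():
    """Four packets: a legitimate reply, a stranger hitting the same port,
    anyone hitting the forwarded RDP port, and anyone hitting a closed port."""
    fw = NatFirewall("203.0.113.10", forwards={3389: ("192.168.1.50", 3389)})
    seen_ip, seen_port = fw.outbound("192.168.1.20", 51000, "198.51.100.5", 443)
    reply = fw.inbound("198.51.100.5", 443, seen_port)
    stranger = fw.inbound("198.51.100.99", 12345, seen_port)
    rdp = fw.inbound("203.0.113.45", 4444, 3389)
    nothing = fw.inbound("203.0.113.45", 4444, 22)
    return {"seen": (seen_ip, seen_port), "reply": reply, "stranger": stranger,
            "rdp": rdp, "nothing": nothing}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9} {result}")
```

The two "deliver" results show the difference that matters: the reply is delivered because the router itself created the table entry a moment earlier, while the RDP packet is delivered because you told the router to accept it from anywhere.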
VPNs One application that may need a firewall’s ports “opened” is a virtual private network, or VPN. If you set up a VPN, the network administrator for your branch or office usually gives you the settings needed to make the system work; they sometimes can be a bit arcane. If you’re trying to do this on your own network and aren’t bound by organizational restrictions, the quick education is simple. (See The Least You Need to Know about Setting Up a SOHO VPN for details.)
If you want to use the (now older) PPTP protocol, you need to find the selection in your router’s software (see getting to the router’s software) that allows a system to be proxied, or forwarded, through the office router. PPTP needs TCP port 1723 and the GRE tunnelling protocol (IP protocol 47) passed through, which is why many routers have a dedicated “PPTP passthrough” switch rather than a plain port-forward entry. Some office routers need to be moved from gateway to router mode. My strong suggestion is to use a search engine like Google to search using your router brand and model number, and “PPTP”, because it’s one of the most ticklish configurations in branch networking. Be aware, too, that PPTP’s authentication (MS-CHAPv2) has been broken: a captured PPTP session can be cracked offline, so treat PPTP as a compatibility option rather than as protection, and prefer IPsec or an SSL VPN when the other end supports one.
IPsec is a VPN protocol that’s used differently. If a router supports it (it’s search engine time again), the instructions will be clear as to how to perform this. IPsec does not run over TCP port 443: it uses UDP port 500 (IKE), UDP port 4500 (NAT traversal) and the ESP protocol (IP protocol 50), and routers usually expose this as an “IPsec passthrough” setting. Port 443 is what SSL/TLS-based VPNs use, and forwarding it is the usual way to reach one of those behind the router. If neither VPN protocol, PPTP or IPsec, is supported by the router (which may be the case with older routers), an alternative, VPN-like, machine-to-machine log-on can be done with an application such as LogMeIn.com that permits remote access; such services connect outward from the office machine, so no firewall port needs to be opened for them.
Remote Desktop Access Barring the VPN methods and LogMeIn above, you can reach a machine with Microsoft Remote Desktop by forwarding one TCP port (3389) to it; Apple Remote Desktop and the operating-system-neutral VNC use their own ports (see the table below), not 3389. Some routers also have a setting called “Block Anonymous Internet Requests” or similar; it mainly stops the router answering pings and other unsolicited probes from the Internet, and a port forward usually works with it left on, so turn it off only if the forwarded connection fails and the log shows the router dropping it. Remote Desktop lets someone see the machine’s screen and use its mouse and keyboard. One caution: RDP exposed directly to the Internet is probed and password-guessed around the clock. If you must forward it, require strong passwords and account lockout on the target machine, restrict the forward to the source addresses that need it if your router allows that, and prefer to put RDP behind the VPN instead.
A port forward for 3389 goes to exactly one inside machine (by its IP address). To reach a second machine, either change the rule to point at it, or add a second rule on a different external port (for example 3390 on the router’s public side mapped to 3389 on the second machine) and tell the remote user to connect to that port. Give the target machines fixed addresses, or DHCP reservations, so the forward doesn’t break when addresses are reassigned.
Most office routers have firewalls, and remote access is (or should be) blocked by default. Only the ports for the equipment and software you actually use should be opened, each forwarded to the one host machine on the office network that provides the service. Here’s a quick table (PCoIP port numbers vary between product versions; confirm them against your VDI vendor’s current documentation):

Computer or application                   Firewall port(s) to open
------------------------------------------------------------------------------------------------------
Older Macintosh, pre-Mac OS X             3283
Mac OS X (Apple Remote Desktop)           3283; also 5900 and 5988 with Apple Remote Desktop 2 or later
VNC (Linux, Mac and Windows)              5500, 5800, 5900 (5900 plus the display number for further displays)
Microsoft-compatible RDP                  3389
PCoIP (VDI, native)                       50002
PCoIP with security server                80, 443, 3389, 4001, 8009 (HTTP, SOAP, RDP, JMS and AJP13 respectively)
PCoIP with vDesktop                       the above plus 32111; 9427 may also be needed
If you’re not sure, don’t open a port. An open port is a place where your machines can be probed from anywhere on the Internet, and perhaps broken into, and you are the one who opened the door. Once you have forwarded ports, confirm from outside the office which ports actually answer; the router’s view of its own rules is not the same as an attacker’s view of your public address.
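Once forwards are in place, the check that matters is what an outsider sees. The following Python script, an added example rather than anything from the article, probes a list of ports and compares the answers with the forwards you intended; the service names are taken from the table above. Run it from a machine outside the office against the router’s public address. Its demo() function rehearses the same logic offline against a listener on the local machine, so you can see the shape of the report without touching the router.

```python
"""Check which TCP ports actually answer on a host.

Added example, not from the article. Run it from *outside* the office
against the router's public address to confirm that only the ports you
meant to forward are reachable. demo() stands up a listener on the loopback
interface so the script can be tried offline.
"""
import socket
from contextlib import closing

# Ports from the remote-access table in the article, with the service each
# belongs to, so the report reads as services rather than bare numbers.
KNOWN_SERVICES = {
    3283: "Apple Remote Desktop",
    3389: "Microsoft RDP",
    5500: "VNC (listening viewer)",
    5800: "VNC (web client)",
    5900: "VNC (display :0)",
    5988: "Apple Remote Desktop 2+",
    50002: "PCoIP (native)",
}


def port_answers(host, port, timeout=1.0):
    """True if a TCP connection to host:port completes (SYN -> SYN/ACK)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except OSError:          # refused, timed out, unreachable
            return False
        return True


def scan(host, ports, timeout=1.0):
    """Return the subset of ports that answered."""
    return {p for p in ports if port_answers(host, p, timeout)}


def report(answered, expected):
    """Compare what answered with what you intended to forward."""
    return {
        "unexpected": sorted(answered - expected),   # holes you did not mean to open
        "missing": sorted(expected - answered),      # forwards that are not working
        "services": {p: KNOWN_SERVICES.get(p, "unknown") for p in sorted(answered)},
    }


def demo():
    """Offline rehearsal: one listening port (stand-in for the forwarded
    3389) and one port on which nothing listens."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))       # 0 = let the OS pick a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                         # now nothing listens there

    try:
        answered = scan("127.0.0.1", [open_port, closed_port])
        return open_port, closed_port, report(answered, {open_port})
    finally:
        listener.close()


if __name__ == "__main__":
    open_port, closed_port, result = demo()
    print(f"listening: {open_port}  closed: {closed_port}")
    print(result)
```

Against a real router, pass the public address and the full port list from the table to scan(), and the set of ports you configured to report(); anything under "unexpected" is a forward you forgot about, a UPnP-style automatic opening, or a service the router itself exposes (remote administration, for example).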
Setting Wi-Fi Options
If your office uses Wi-Fi, several router options are very important to change. There are also many more selections that are rarely changed, with little or no impact on network performance.
Turn on your logs: Many office routers (and especially those with Wi-Fi access points) have system logs. When trouble occurs, you can learn a lot about the nature of the problem by looking at the logs—but only if they’re available. With almost all equipment, most logs must be turned on before they start recording activity. (You don’t want to learn that salient fact only after a system failure.) Sometimes the log entries are difficult or impossible to decipher, but they might provide a clue to a network consultant or other expert when the chips are down (pun intended).
Configure Wi-Fi security: The first setting to check is Wi-Fi security. You need some. Without it, anyone within radio range can access your network and the machines and peripherals on it. WEP of any kind is as undesirable as no security at all; it can be cracked in minutes. Use WPA2 rather than the original WPA, and choose the AES (CCMP) cipher rather than TKIP if the router offers the choice; WPA2 Personal, a shared passphrase, is fine for a small office and simple to set up. The Enterprise variant needs a RADIUS server behind it, so use it only if you have one.
To use WPA2 Personal, everyone enters the same passphrase the first time a device joins the network. That passphrase is the only thing between an outsider and your network: anyone who records a device joining the Wi-Fi can take the capture away and guess passphrases against it offline at machine speed, so length matters more than anything else. Teach your users: pick a long passphrase, at least 16 characters, mixing digits with capital and lower-case letters, and don’t build it from dictionary words (77ToMatoepaSTe is two words with a number in front, which a guessing program tries early), not even compound words separated by numbers. A random string of letters and digits is best; a device asks for it only once, so it does not have to be memorable.
The first time a device joins, the passphrase has to be entered exactly. Teach your users: don’t post it on a wall or whiteboard, and if it must be written down, keep it with the configuration backup rather than in the open. Change it whenever a device that knew it is lost or someone who knew it leaves, and on a regular schedule as well, once a month at minimum if your users will tolerate it.
Hidden SSID: You can add a small amount of obscurity by hiding the SSID (the network name) and making the name something random rather than the factory default. The first time people log on, they need to know the SSID and enter it manually into smartphones, tablets, notebooks and so forth; each operating system has a slightly different process for entering a hidden SSID, but it’s easy enough. Be clear about what this buys: the name is still transmitted whenever a device connects, so anyone with a Wi-Fi sniffer learns it in minutes, and devices configured for a hidden network broadcast its name wherever they go looking for it. The more useful effect of a random name is that the WPA2 key is derived from the passphrase and the SSID together, so precomputed cracking tables built for common default names (“linksys”, “NETGEAR” and the like) don’t apply to your network. It’s a little tougher for your guests, and it’s a small layer, not a lock.
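The WPA2 key derivation is behind both the passphrase advice and the SSID point above. This Python example (added here, not from the article; the attacker guess rate is an assumed figure for illustration) performs the real derivation from the 802.11i standard, shows how the search space grows with passphrase length, generates a passphrase of the recommended kind, and demonstrates that the same passphrase yields a different key under a different SSID.

```python
"""Why WPA2-Personal passphrase length and a non-default SSID matter.

Added example, not code from the article. The key derivation is the real
one from IEEE 802.11i (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt, 256-bit
output). The attacker guess rate is an assumption for illustration.
"""
import hashlib
import secrets
import string

# Assumed offline guessing rate against a captured WPA2 handshake. The true
# figure depends on the attacker's hardware; change it to taste.
ASSUMED_GUESSES_PER_SECOND = 1_000_000


def wpa2_psk(ssid, passphrase):
    """Derive the 256-bit pairwise master key from SSID and passphrase."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def years_to_exhaust(alphabet_size, length, rate=ASSUMED_GUESSES_PER_SECOND):
    """Time to try every passphrase of this length over this alphabet."""
    return alphabet_size ** length / rate / (365 * 24 * 3600)


def random_passphrase(length=20):
    """Letters and digits only, so it types cleanly on any device keyboard."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def same_passphrase_different_ssid(passphrase):
    """Two networks with the same passphrase have different keys when their
    SSIDs differ, which is why tables precomputed for common default names
    do not transfer to a network with a random name. (Both SSIDs here are
    illustrative.)"""
    return wpa2_psk("linksys", passphrase) != wpa2_psk("k7Qx-office", passphrase)


if __name__ == "__main__":
    print("PSK for SSID 'IEEE', passphrase 'password':",
          wpa2_psk("IEEE", "password").hex())
    for n in (8, 10, 16, 20):
        print(f"{n:2d} random letters/digits: {years_to_exhaust(62, n):.3g} years to exhaust")
    print("suggested passphrase:", random_passphrase())
```

The SSID "IEEE" with passphrase "password" is the standard's own published test vector, so you can check the derivation against it. Eight random letters and digits fall in days at the assumed rate; twenty random letters and digits do not fall in the lifetime of the office.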
Use the 5 GHz band: Wi-Fi is popular, and in crowded areas many channels are in use. There are only three non-overlapping channels in the 2.4 GHz band (1, 6 and 11, the band used by 802.11b and 802.11g), but the 5 GHz band is very often free and clear, has many more channels, and is usually faster. Only Wi-Fi computers and access points that support 802.11a, or 802.11n in the 5 GHz band, can use it. Some access points run radios in both bands simultaneously, so just about any Wi-Fi device can connect, but the 5 GHz side is preferred: it is faster and rarely has to be shared with others in the neighborhood.
Never use 802.11b: 802.11b devices are rare now, and if an access point/office router has 802.11b enabled, the faster clients are forced into compatibility behaviour that slows everything down. If you’re using only 802.11g, the most common denominator in Wi-Fi devices, choose the 802.11g-only selection, and if you have all 802.11n devices, choose, of course, 802.11n only, in the 5 GHz band if all devices are compatible.
Avoid single channel radio 802.11n routers: If you have a choice, and sometimes you do, avoid models that only have a single radio, yet support dual-band 802.11n. The single channel radio in some units spends a lot of time switching back and forth between bands, to the detriment of performance. Dual radio routers are slightly more expensive, but they perform more consistently.
Use cabling when possible: All of the Wi-Fi types are slower than most all of the modern cabled-type connections. Add lots of activity, and the difference becomes even more apparent. It’s true that running cables costs money; but using Ethernet cables provides extra security, is much less prone to security problems, and is almost inevitably faster than any Wi-Fi connection you make. Try it, if you don’t believe me.
Pick the least used 2.4 GHz channel: Most office routers with Wi-Fi default to channel 1 or 6 and people rarely change them, so channel 11 is often the least crowded; but check rather than assume, because a neighbor may have had the same idea. Many routers list nearby networks and their channels on a “site survey” page, and a free Wi-Fi scanner on a laptop or phone does the same. Stay on 1, 6 or 11: the channels in between (3, 4, 8, 9) overlap two of those three at once, so they collide with both neighbors instead of avoiding either. Channel 14 appears in some routers’ menus but is permitted only in Japan, and only for 802.11b; using it is illegal in the U.S. and most other countries, and most client devices will not see it, so leave it alone.
Finally
Some quick finishing details: turn off remote administration if it’s on, because a management page reachable from the Internet invites password guessing; if you genuinely need it, restrict it to a specific source address and insist on HTTPS. While you’re on that page, change the administrator password from the factory default, which is printed in every manual. Check your logs and send them to technical people to see if they freak out. Most network techs can read them and understand any concerns that are documented in them. Don’t watch their eyebrows as they read them, only the final assessment. Networks are probed 24/7 at random, every one of them, including yours. You aren’t exempt. Then remember to back up the configuration like a good geek, and put the USB flash drive with the final settings taped to the router. Then you’re done… until the next need for a configuration change comes along.