Categories
Configuracion routers Tutoriales

How to troubleshoot access to the router if we cannot enter

Some of you may wonder if it is important to be able to access the router’s settings. The answer is a resounding yes, since having access to the router gives us many possibilities. Therefore, before we begin to explain how to fix this problem, we are going to briefly show you what advantages it offers us to have access to the router.

Why do I want to access the router settings?

If we cannot enter the router configuration we are losing a lot of things. At that moment we become a simple user or client, the only thing that can do is enjoy your Internet connection as long as there are no problems. However, if we take charge of our connection and take control, things change. This, for example, is the configuration screen with an overview of the Fritz! Box 7530:

In this case, on the right hand side, it offers us a vision of the connected equipment and the active services. On the other hand, on the left, we have the typical sections, local network, Wi-Fi, diagnostics and more. A priori, some may think that they are only interested in two or three things, but there are many more. Regarding the configuration of the Internet and the local network, it will allow us to:

  • Configure the DHCP that assigns the IPs to our liking and put the DNS servers that we want.
  • Establish a specific IP for our devices.
  • Open ports for certain programs to work, such as P2P types or to create a server.
  • View connected devices.

Regarding Wi-Fi, we can change the password or set a different channel. We could also activate or deactivate WPS, create a network for guests or configure the timer so that the Wi-Fi turns on and off at a certain time.

In addition, they usually allow a series of basic diagnostics to be carried out and they usually have an event viewer with the most relevant events. Nor should we forget that there we have a section to make a backup copy of our configuration, to be able to restore it later. And finally, they also have a section to update the firmware. It is usually done by pressing a button that searches for updates or with a previously downloaded file. As you have seen, accessing the router configuration gives us a great variety of opportunities.

How to access router settings

Normally the way to access a router is very simple. Following three simple steps we would enter the router configuration. First we open an Internet browser. Then, we write the IP of our router also known as a gateway. In third place we put the password and we enter the router configuration through the web. This, for example, would be the configuration screen of an ASUS RT-AX89X router:

As we explained previously, here we can configure Wi-Fi, open ports and more. However, there may come a time when we cannot access the router’s configuration and that is when the problems and headaches begin.

Causes why we cannot access the router

In the previous section we have seen that two elements are required to enter the router configuration. If we fail to type either of the two into our Internet browser, we will not have access. As you may have already guessed, these two elements are:

  • IP of your router.
  • User and password or router password.

The way of acting in each case would be totally different depending on what is known, just one or none. Next, we will explain what we can do to be able to access the router based on the two previous elements.

Solution to the problem of access to the IP of our router

A symptom that something does not work when we want to access the router’s configuration is that it almost immediately does not ask us to enter the password. Then a screen like this will appear:

At that moment a screen will appear indicating «Can’t access this website«. A common thing is that, because of the rush, we enter the wrong IP. Another reason that the router is turned off or we are not conveniently connected by network cable or Wi-Fi. If we can surf the Internet, we can rule out the latter. On the other hand, if we surf the Internet and the router does not respond, it is most likely that we are setting the IP wrong.

How can we find out the IP of the router in Windows

Now it is time to find out the IP of the router so that by entering our password we can access it. The way to do it is very simple, for this we will go to the Windows Start Menu. There we write Symbol of the system or CMD and we press enter. Next, we get a window where we can execute commands. In this case the one we have to put is:

ipconfig /all

Once written, press enter and it will show us these results

There we have to look for the Default Gateway which corresponds to the IP of the router. As you can see, the IP of the router is 192.168.1.1 and previously we could not enter because we put a different 192.168.0.1. Then, already putting the correct password, we can access the router configuration without problems.

Also the command Ping It can help us to know if the router is active and if there is a problem. Simply type ping, the IP of the router and press enter as in the following example:

Solution to access problem when password is wrong

On other occasions, we correctly enter the IP of the router but when entering the password, it gives us an error message. This would be an example:

Here you can see that we have entered the password wrong and that we have to wait a few moments to enter it again. That does not mean that you know your password, perhaps you have entered it wrong. A typical failure is having the caps lock activated or having confused some uppercase letter with lowercase. Once it is verified that we do not know it, we will have to look at other alternatives. Then it’s time to check the sticker that comes under the router:

Here you can find the router password and the Wi-Fi password of the 2.4 GHz and 5 GHz bands. It should also be noted that it does not always offer us all the data, so you have to consult the manufacturer’s or supplier’s manual. router. However, if we have changed it, we have to resort to the factory reset and the router will leave us with the values ​​that appear on the sticker.

The last solution: do a factory reset

At the moment we need to access the router configuration, and we cannot do it, the most effective solution is usually to do a factory reset. Either because we do not know the password or they have changed the access port. The only thing to keep in mind is that we will have to configure it again. In the routers of the operators it is not usually necessary to enter the connection data but in those of other manufacturers that we buy to replace them because they have more features. Basically, once the router is configured, three things are usually done for greater security:

  1. Change the router password.
  2. Set other passwords to the Wi-Fi bands.
  3. Open ports if necessary.

This is the back of a router:

Generally, on the back we find a button that says RESET. Then we insert a pen, a pin or a needle and hold it for about 13 seconds until we see that it restarts when all the lights go out. From that moment on, we will have the default values ​​that come on the sticker or in the router’s instruction manual.

Categories
Configuracion routers Tutoriales

What is the IP address to enter the router according to the brand

How to enter the router and configure it

We may have a router and we are interested in changing some parameters, such as the name of the Wi-Fi network, the password or opening the ports. For this, the normal thing is that we have to enter through the browser, from our computer. It is a simple and fast process, but we will have to know what is the IP address that we must put.

Our advice is to always change the factory settings. We should never leave the network name or the Wi-Fi key, for example. We must even put another password to enter the device. But for this we will have to access it. We will have to go into the settings. There we can also change some parameters that can help us improve performance.

The process basically consists of putting the IP address in browser and later put the access key to the router. That password, by the way, it is advisable to change it and never leave the factory default. We will therefore need to know what that IP address is.

The problem is that there is no one generic address for all models. Each brand usually uses a different one, although it is true that many of the main ones use the same default gateway, which is usually 192.168.1.1. However, we are going to show what it is in each of the main router brands on the market.

What is the IP address to enter the router according to the brand

As we have indicated, each of the brands and models of routers they may have one IP address to access the different device. Many of them do share the same, but it is not something that happens in all of them. Therefore, we must know which is the specific gateway to enter the router. So we can configure it correctly and get to improve some parameters so that it works better and of course more securely at all times.

We are going to show a list with the main brands and what is the IP address to access. We will see that in most cases the generic address to enter is repeated. Keep in mind that in some brand there may be more than one option, since it would vary depending on the specific model that we are using:

  • 3Com: 192.168.1.1
  • Airlink: 192.168.1.250 or 192.168.1.1
  • Airlive: 192.168.1.254
  • Apple: 10.0.1.1
  • Asus: 192.168.1.1
  • Aztech: 192.168.1.1
  • Belkin: 192.168.1.1
  • Cisco: 192.168.1.1
  • Dell: 192.168.1.1
  • D-Link: 192.168.0.1
  • Google: 192.168.86.0
  • Huawei: 192.168.3.1
  • Linksys: 192.168.1.1
  • Microsoft: 192.168.2.1
  • Motorola: 192.168.0.1
  • Movistar: 192.168.1.1 or 192.168.0.1
  • Netgear: 192.168.1.1
  • Sitecom: 192.168.0.1
  • Synology: 192.168.1.1
  • Tenda: 192.168.0.1
  • TP-Link: 192.168.1.1
  • Ubiquiti: 192.168.1.1
  • ZTE: 192.168.0.1
  • Zyxel: 192.168.1.1

How to know the gateway of any router

We have shown what is the ip address to access the main models of routers on the market. However, we may have a different one and our brand is not on this list that we have put. We can find out in a simple way which is the default gateway and be able to enter to carry out configurations.

To do this in Windows we can find out in a very simple way. We have to go to Start, enter the Command Prompt and execute the command ipconfig. This shows us a large amount of information related to our network, the router and the network card that we are using.

Within all the data that it shows us, we will see a section called Default Gateway. Just that is the IP address that we have to execute in the browser to be able to enter the router and configure it correctly. That data will appear to us no matter what router we are using.

In our case, as you can see in the image above, the default gateway to enter the router is 192.168.1.1. It is precisely the most common address, since there are many devices that have this IP to be able to access and carry out the configuration that we want to improve power, maintain security, update the device … In short, there are many actions that we have at our disposal when we access the router.

In case we do not want to carry out these steps with the Windows command line or we are from another device and we do not know how to find out, we can always do a search in Google. We would need to know the exact model of the device and later find what the default gateway is. In this way we can enter correctly and carry out any configuration that is necessary for the device to work well, to improve security or avoid any errors that may appear. It is essential that we always have control over our equipment, especially those connected to the network.

Some routers allow access from an application

It is becoming more and more common for modern routers to have a mobile application through which we can easily access. To do this, you simply have to register with the account details, the operator, etc. Normally they ask us for the ID and name of the user, as well as a code that comes to us by SMS to register.

From the program we can carry out some basic actions. They do not usually have a wide range of options, and for this we would have to access from the browser. But we could take it into account for something quick, such as changing the Wi-Fi password or any change in the network name.

Therefore, we can also count on the possibility of enter the router from the mobile application that many usually have. A free and perfectly accessible software so that users have faster access from anywhere, without even knowing what the default gateway is.

Categories
Configuracion routers Tutoriales

How to capture all network traffic in pfSense to detect problems

Why do I want to capture network traffic?

Taking a network traffic capture is very important to detect possible communication problems. Let’s imagine that a specific computer must send or receive a certain traffic and it does not receive it, it is possible that a rule in the firewall is preventing it, or that the problem is not in the firewall but in the switches that we have connected. It is very normal to have the switches configured with certain ACLs to further protect the network, and we could even activate different types of countermeasures for DoS attacks that could occur in the local network. In the event that the traffic is not reaching the pfSense, it is possible that the problem is in the “middle”, that is, in the switches, therefore, it will help us to rule out configuration problems and see all the traffic flow .

If we have some type of communication problem, and we cannot find where the problem may be, we must rule out that it is a problem with the firewall / router itself with pfSense, and then go to review the different switches that we have in between. This is where the «Packet capture» of pfSense comes in, which will allow us to capture all the traffic of a certain network interface.

How “packet capture” works in pfSense

The traffic capture device is installed by default in the pfSense operating system, we will not have to install it through the list of available software that we have the possibility to install. We must go to the section of «Diagnostics / Packet Capture»To see the available configuration options.

In this section we will have different configuration options, to “fine tune” the packet capturer, something fundamental to not capture absolutely all the network traffic, but only the traffic that we specifically select.

The first thing we must is the «Interface«, Here we must choose the physical or logical interface (if you use VLANs) to use in capturing the packets.

The pfSense operating system allows us to enable “promiscuous mode”. In “non-promiscuous mode” the system will capture only traffic direct to the host that passes through a given interface. In the “promiscuous mode” we will enable the sniffing mode, and it will capture all the information that the network adapter sees, however, it is possible that the hardware you use in pfSense does not support this functionality.

We can also choose and filter if we want IPv4, IPv6 or both network protocols.

Next, we must choose which protocol we want to capture, we can capture any protocol (Any), or filter by ICMP, TCP, UDP and much more.

Other available options are the possibility of choosing the “Host address” option. This option allows us to capture only the traffic that has as its origin or destination a specific IP address or MAC address (if it is directly connected to the same subnet). If we do not put anything, it will capture all the packets that travel through the interface, without filtering by IP or MAC at all.

We can also configure the source or destination port if we use TCP and / or UDP, ideal for only capturing the traffic that interests us. All application layer protocols make use of specific source and destination ports, for example, if we want to capture HTTP traffic, we will put port 80 and filter by TCP, since it is what the HTTP application layer protocol uses .

In “Packet Length” we will have to put 0 to capture all the frames and not limit by frame size, and in “Count” it is advisable to put 0 to capture all the traffic until we stop it manually, by default it is the value of 100 which could be very little depending on the equipment in question.

In the “Level of detail” section we can make the network capture show us at the bottom with more or less detail, but in most cases what we will do is download the data capture and examine it carefully in programs like Wireshark.

In our case, we are going to capture the traffic of our smartphone to check what data we are sending to the Internet, we will filter by “Any” protocol and any port, that is, we will capture all the traffic that goes to or comes from 10.11.1.4.

In this example, we will capture with any packet length, but with a maximum of 100 packets. The level of detail is “normal”, and we click on “Start” to begin data capture.

While the packet capturer is running, we will see that it will show us a “Stop” button and just below we will see “Packet capture is running”.

When we click on «Stop», it will show us when the capture has started and when it has stopped. We can see the screenshot just below, but we have very little information because the level of detail was “normal”. In the vast majority of cases, it is best to click on “Download Capture” and download the data capture for later analysis.

As we have the Wireshark program installed, what we will be able to do is open this capture directly to examine the capture in detail.

As you can see below, we have all the data capture in Wireshark and we can see all the incoming and outgoing traffic to our smartphone.

As you have seen, capturing the traffic with pfSense is really easy and simple, and it will allow us to detect possible communication problems of the different equipment, and rule out configuration problems of the switches, the pfSense or directly in the PCs.

Categories
Configuracion routers Tutoriales

Install and configure iperf3 in pfSense for speed testing

In RedesZone we have been using the popular iperf2-based jperf program for many years, but the new version of iperf3 is completely different from the second version, therefore, they are not compatible with each other. iperf3 will allow us to measure the performance of a local network in LAN, and we can even perform LAN-WAN tests and also WiFi easily and quickly, without depending on external Internet speed meters, everything will stay in our own home local network. This iperf3 tool allows the use of the TCP, UDP and SCTP protocols to perform performance tests, and it is also compatible with IPv4 and IPv6 networks.

Why install iperf3 on pfSense?

pfSense is a firewall-oriented operating system, which can also do router functionalities, both in “advanced” home environments and in small and medium-sized businesses. When we have a router-on-stick network architecture, and pfSense itself manages all the VLANs that we have in the network, it is possible that the trunk link between the pfSense and the main switch falls short.

Thanks to the possibility of installing iperf3 in the pfSense, we can check the maximum speed that we will achieve in a local network computer, taking into account the cabling from the beginning to the end, the power of the hardware where we have installed pfSense and if it really is capable of managing the traffic that we throw at it. When in pfSense we have multiple services, such as hundreds of rules in the firewall, an IDS / IPS configured in the LAN and / or WAN, or utilities like ntopng to see all data flows in real time, it is possible that the performance of the pfSense not suitable for lack of power, and we have to fine-tune the different rules. It is in these cases when iperf3 takes center stage, both to measure performance on the local network and also to measure inter-vlan routing performance.

To install it, we simply have to go to the “System / Package Manager” section, in the “Installed Packages” section we will have all the packages currently installed, by default this tool is not installed.

We go to the section «Available Packages»And we will search for« iperf », and proceed to install it like any other tool.

Once installed, we can see in the “Installed Packages” section that we already have it, specifically we have the iperf3 3.9 version.

Once installed, now we will have to run it.

How iperf3 works in pfSense

In the section of “Diagnostics»We can run both the iperf3 client and the server. If we run the client, on our computer we will have to configure the iperf3 server, and vice versa, if we configure the iperf3 server in pfSense, on our computer we will have to configure the iperf3 in client mode to perform all the performance tests.

Both tools, both the client and the server, can be accessed from the «Diagnostics» menu, but later from either of them we will be able to access the client and server.

Client

In the graphical user interface menu we will have the main configuration options that the iperf3 client has:

  • Server IP
  • Server TCP or UDP port
  • TCP or UDP protocol
  • Output format, bits / sec or bytes / s.

And other options related to the buffers that we can leave empty so that it takes the default values. Once we have entered all the data for the iperf3 server that is already running, click on “Run iperf client” and the performance test will be run.

Here we only have to get in whenever our team acts as an iperf3 server, and we want to check the download speed. Normally in a wired network we are in a Full-Duplex environment, so the download and upload speed should be the same, unless there is a network with a lot of download or upload use, which then we could have differences.

Server

In the graphical user interface menu we will have the main configuration options that the iperf3 server has:

  • Server TCP or UDP port
  • Output format, bits / sec or bytes / sec

A very important detail is that the iperf3 server will detect if we are sending TCP or UDP traffic and will act accordingly, by default port 5201 is used as is usual in iperf3. Other options available in the server section is the «Interval» that will indicate the bandwidth, jitter and losses in real time.

Once we have configured these three parameters, we click on “Run iperf Server” and we can start launching performance tests from our client PC.

An important detail is that, if the iperf3 server or client is activated, it will be shown in the main menu in the status of the different services. It is advisable not to leave the iperf3 running if we are not going to be performing performance tests, as we have right now:

In the iperf3 client that we run on the PC, whether with Windows or Linux operating system, we must put the following command:

iperf3.exe -c 192.168.1.1 -P 50 -p 5201 -f g -t 5
./iperf3 -c 192.168.1.1 -P 50 -p 5201 -f g -t 5

  • -c 192.168.1.1: works in client mode with the defined IP.
  • -P 50: we send a total of 50 TCP connections
  • -p 5000: we use port 5000, the default is 5201
  • -fg: we show the speed in Gbps
  • -t 5: we launch the test for 5 seconds.

Depending on the options we want to configure, we will modify the values ​​behind the arguments. We hope that with this little tutorial you will know how to get the most out of iperf3 in pfSense, and check the speed in the local network and in the inter-vlan communication.

Categories
Configuracion routers Tutoriales

Configure HTTPS and SSH web access in pfSense with maximum security

The two main accesses that we have to the administration of the pfSense operating system are via the web and via SSH. In the first case, pfSense is configured by default to use the HTTP protocol on port 80, a protocol that is not secure because authentication and data exchange is done without encryption, therefore, it is a mandatory requirement to configure the HTTPS protocol. to have the maximum possible security. The same happens with the SSH server incorporated in the operating system, it is advisable to make some changes in the configuration to have the best possible security, because via SSH we can configure any internal aspect of the operating system, and we must protect these two accesses against external intrusions .

Web management configuration with HTTPS

To configure the HTTPS protocol, we must go to the «System / Advanced«, And in this menu we will see the« Admin Access ». We can choose between the HTTP and HTTPS protocol, it is advisable to always use the HTTPS protocol to ensure our communications and also their integrity. When we activate the HTTPS protocol, we must choose an SSL / TLS certificate, which is already created by default with the operating system, however, we can create a new one without problems and even renew it.

In this menu we can also choose the TCP port to use, if we do not put anything, the default port of the HTTPS protocol is always 443. We can also choose the maximum number of concurrent users managing pfSense, by default it is 2 but we can upload it if we have various administrators. The rest of the configuration options must be with the values ​​that we put below, all of them are the default parameters and they are perfectly.

In the section of “System / Certificate Manager»Is where we can see the SSL / TLS certificate used by the HTTPS web server, we can renew it at any time, delete it, export the public key and also the private key. In principle, we should not touch this, but if we do, we can renew it or edit the name of the certificate itself.

If we enter “Page information” with any browser, we can see that the connection is encrypted with TLS 1.3, the latest available protocol that gives us the best security and performance in secure connections.

Regarding the certificate data, pfSense creates a 2048-bit RSA-based certificate, which is typical in these cases where we have a web server with HTTPS. If we want to change this security, we must create a CA (Certification Authority) and later a server certificate that hangs from said CA, in this way, we can make use of longer RSA and even elliptical curves (ECDSA), finally , we can configure the hash algorithm to use.

In the case of renewing the digital certificate corresponding to the web server, we simply have to go to the “System / Certificate Manager” section, click on renew the webconfigurator certificate and click on the “Renew or Reissue” button to generate it again.

As you have seen, configuring HTTPS is really easy and simple, this will allow us to authenticate via the web safely.

Administration configuration via console with SSH

The secure SSH protocol will allow us to remotely enter the administration of the pfSense operating system via the console. We will have different types of authentication:

  • SSH public key
  • Password or public key (one or the other)
  • Password and public key (both)

We will also have the possibility to enable forwarding on the SSH server, to perform SSH Tunneling, for example. Finally, we can modify the listening port of the SSH server, in the case of this protocol it is TCP 22, but we can change it, in fact, for security reasons it is advisable to change the default port of the SSH server.

Once we have configured the authentication, we must configure the users that can authenticate in the SSH server, and also what SSH keys these users have. If we click on the hyperlink where it says “user” it will take us directly to “System / User Manager”, and here we can add a new user with different permissions. In our case, we have added a new user that belongs to the “admins” group.

If we create a new user or edit it, we can configure different parameters. In our case, we have added it to the admins group, as you can see in the following image:

To be able to log in to pfSense via SSH, we must give it the corresponding permission in the “Effective Privileges” section, of all the list of permissions that a user can have, it must have the following:

  • User – System: shell account access

Once you have this permission, we can log into the operating system with your username. Depending on what we have chosen when authenticating the user, we will have to perform an additional action:

  • SSH public key: we must create it
  • Password or public key (one or the other): we can use the configured key, or the SSH public key if we create it.
  • Password and public key (both): we will use the configured key plus the SSH public key, it is necessary to create it.

As the safest thing for authentication is “SSH public key” or “Password and public key (both)”, we must create SSH keys.

Create SSH keys with Puttygen

We are currently using a Windows 10 operating system, the easiest way to create SSH keys is to use the program «Putty Key Generator»That you can download completely free of charge. No installation is necessary, when downloading the program we will run it and see the following menu:

Here we can configure different types of SSH keys, RSA and DSA are the most common and well-known, but it is advisable to use keys such as ECDSA and also Ed25519 that use elliptical curves. In our case, we have used Ed25519, we select it and click on «Generate».

Once we click on generate, we must move the mouse to create randomness and that the keys are generated correctly. Now we can see in the upper part the public key that we will have to paste in the pfSense user created previously. We can configure a comment in the key, and also a password to decrypt the private key when connecting, this increases security. If someone is able to steal our private key, they will not be able to use it unless they have the passkey of the generated private key.

Once we have the generated key, we click on “Save public key” and also on “Save private Key” to have the pair of keys always at hand. We must remember that the public key is the one that we must copy to the user, as you can see:

Once the SSH server is fully configured in pfSense, we are going to show you how to connect with the popular Putty program.

Connect to pfSense with Putty and SSH key

We open the Putty program and go to the “Connection / SSH / Auth” section and go to the “Private key file for authentication” section, and click on “Browse” to load the private key that we have previously saved.

Now we go to the “Session” section, we put the IP address and the port of the SSH server in pfSense, once filled in, we click on “Open”.

Now it will tell us that the connection is not cached, so it is the first time we connect. We must click on “Yes” to connect.

It will ask us for the username of the login, we put the username associated with this SSH key created:

And as soon as we enter the username, it will indicate that the authentication is correct and we will be able to start executing commands via SSH in the pfSense operating system. In this example we have only used public key, we have not used the combination of password and SSH public key, but you can also use it without problems, the only thing that will ask us for the password when connecting.

Now that we have correctly configured the SSH server, we are going to see some additional configurations.

Login protection and console management options

In the section of “System / Advanced»We can configure the protection of the login, in principle, the configuration that comes by default is very good to block attackers who continuously try to connect to the SSH server. If we exceed the value of 10 in a time of 1800 seconds, access attempts will be blocked for 120 seconds.

At the bottom where we have the «Pass list» we can put public IP addresses that we do allow to pass these protections, this is necessary for services like UptimeRobot that every so often is trying to verify that the SSH or web server is up.

Other configurations that we should make is the “Console menu” section, it is advisable to protect it through an access password. Not only will we need to have physical access to the pfSense team, but it will also ask for password authentication for root.

Before we finish, we would like to discuss additional protective measures.

Rules on the firewall and use IDS / IPS

pfSense is a really powerful and advanced firewall-oriented operating system, thanks to the different rules that we can configure in the different interfaces, we will have the possibility to allow or deny access to both the web server and the SSH server. A good security practice is not to allow access via web or SSH over the Internet, if we need to manage pfSense remotely, a good practice is to connect via VPN to one of the multiple VPN servers that pfSense allows (OpenVPN, WireGuard, IPsec …), and later enter via web or SSH, but not expose both services to the Internet, even if we have protected them correctly.

In the event that you have no choice but to expose both services (for some reason), our recommendation is that you install and configure an intrusion detection and prevention system, such as Snort or Suricata. In this way, you will have more control over the connections that are made, and automatically block possible brute force attacks, denial of service, etc.

The same happens if we want to allow or deny access in the different VLANs that we can create, the most normal thing is that a network defined as “Guests” never has access to the pfSense administration panel, either via web or SSH. This must be done through the “Firewall / Rules” section, setting rules for addresses or networks of origin and destination in pfSense itself, as is usually done.

We hope that with these recommendations you will be able to correctly protect both web and SSH access to pfSense.

Categories
Configuracion routers Tutoriales

What is it and what is it for in a WiFi router

AP Isolation: isolation in WiFi network

AP Isolation is a feature of routers that allows wireless clients to be isolated from each other. If a WiFi client tries to connect to the Internet, with a wired computer or with a local NAS server that is connected via cable, it will be able to communicate without any problem, everything will work. If this same WiFi client tries to communicate with another wireless device within the same WiFi network, communication will be denied, communication is not allowed because What AP Isolation does is isolate the wireless clients from each other, with the aim that they cannot communicate with each other.

Although this function is usually available and configured by default in the guest WiFi network of routers, there are some manufacturers that in their firmware also allow this very interesting functionality to isolate wireless clients from each other. For example, if we have an ASUS router we should go to the section «Advanced / Wireless / Professional Configuration«, And we can enable the AP Isolation for the main WiFi network, either in 2.4GHz or 5GHz, since ASUS will allow us to configure it individually by frequency band.

In the case of other highly advanced and recommended routers, such as the AVM FRITZ! Box, we also have this configuration option available for the main network. In this case, if we activate AP isolation, it will affect both frequency bands (which would be normal, we are interested in making this option available in both bands). The configuration in this router is very simple, we activate the advanced configuration of the router in the upper right part, and we go to the «Wi-Fi / Security» section and we can see the option of «The active wireless devices displayed here will be able to communicate with each other “, if we disable this option then we will be enabling AP Isolation.

The most normal thing is that the router does not have the AP Isolation by default in the main network, so that the wireless clients can communicate with each other.

We also have this same configuration option available in professional access points and WiFi controllers, usually this is called “Guest WiFi” when configuring an SSID.

By default, when we enable a guest WiFi network on our router, we will always have AP Isolation enabled, in fact, we may not even have the option to allow their communication between them, but this will depend on the firmware of the router in question.

Net Isolation: isolation in wired and WiFi network

The Net Isolation is a characteristic of the routers that allows to isolate the wireless and wired clients so that they cannot communicate with each other. If a WiFi client tries to communicate with a NAS server located in the main LAN, it will not be able to communicate because it will be isolated, the same happens if we have a wired client configured in a wired guest network, it will not be able to communicate with the main network.

Depending on the firmware of the router, we have mainly two policies:

  • Communication using ebtables / iptables is denied between connected computers.
  • A new subnet is created isolated from the main subnet, this method is the most elegant, to have all the “guest” clients in a new subnet.

For example, in the case of ASUS routers, the first option is used, ebtables / iptables are used to limit the communication of the different computers of the guest WiFi network with the main network. In the event that we are interested in having them access the LAN, we can always configure it «Intranet access” in the section of “General / Guest Network«.

In the case of AVM FRITZ! Box routers, the configuration of the Wi-Fi and wired guest network is much more elegant and gives us more possibilities. For example, we can configure a private guest WiFi network, or create a public (open) WiFi network with authentication in a captive portal.

In this guest WiFi network, we can also enable or not the AP Isolation. We must bear in mind that AVM FRITZ! create a new subnet separate from the main one to accommodate all the guests, and we could allow there to be communication between them without problems. By default we have the best security, that is, we have AP Isolation enabled. If we want to disable it, we must click on the option “WiFi devices can communicate with each other.”

This AVM FRITZ! It also allows us to configure the LAN4 port for the guest network, it will have access to the Internet but not to the main local network. This is ideal for connecting one or more computers (using a switch) to the guest network and completely separate from the main network. In the section “Local network / Network / Network configuration” you can see this very interesting configuration.

In the same section as the previous one, but at the bottom, we can click on “IPv4 addresses”. Here we can change the subnet range of the main local network, and also of the secondary one that we have discussed previously. As you can see, the current network configuration is as follows:

  • Primary local network: 192.168.188.0/24
  • Guest network: 192.168.189.0/24

And between them, routing is not activated, therefore, from the guest WiFi network we will not be able to communicate with the main network, we will have fully isolated wireless and wired clients.

As you have seen, depending on the router used and its firmware, we will have more or less configuration options regarding AP Isolation and Net Isolation. Here is a short summary of both terms:

  • AP Isolation activated + Net Isolation activated: there is isolation between the WiFi clients (they cannot communicate) and access to the main network is not allowed.
  • AP Isolation activated + Net Isolation deactivated: there is isolation between the WiFi clients (they cannot communicate) and access to the main network is allowed.
  • AP Isolation disabled + Net Isolation enabled: WiFi clients can communicate with each other, but access to the main network is not allowed.
  • AP Isolation disabled + Net Isolation disabled: WiFi clients can communicate with each other and access to the main network is allowed.

Depending on what interests us, in some routers we can make all these configurations. We hope that this guide has helped you and that you have clarified the concepts of AP Isolation and also Net Isolation.

Categories
Configuracion routers Tutoriales

How to use an old router to improve WiFi and expand coverage

What should I keep in mind if I use a router as a WiFi AP?

Nowadays it is very normal that all the rooms in our home have RJ-45 rosettes, in fact, you yourself could throw a network cable to wire at least one room that is as far as possible from the current router. WiFi repeaters are very useful for expanding wireless coverage, but unless you spend more than 100 euros on a simultaneous triple band WiFi repeater, the performance you will get will be really low. For this reason, if you have a wired room on the other side of the main router that also acts as a WiFi access point, it would be ideal if you could reuse your old router and have WiFi coverage.

The main idea is to use this old router as a second access point in our home or workplace, to be able to reach with coverage where the main router is not able to reach. To do this, we must take into account the following:

  • We will not have WiFi roaming between the main router and the old one, because it is not a WiFi Mesh system with the corresponding standards to allow it.
  • We will have to configure the secondary router depending on how the main router is configured.
  • The network name (SSID), security type and the WPA2 or WPA3 access password must be exactly the same on both routers. This is so that mobile devices such as smartphones, tablets or laptops connect to one network and another and “force” a roaming, although we will notice the cut in the WiFi wireless connection.
  • The interconnection between the main router and the secondary router must be done via Ethernet network cable, because normally old routers do not have the WiFi repeater functionalities.

Once we know all the requirements and aspects to take into account, we are going to see what configurations we must make in the old router.

Configuration of the old router in WiFi access point mode

We must configure the old router in a very similar way to the main router, since both must be in the same subnet. It does not matter if our old router is ADSL, it is a cable modem or a neutral router, in all of them the configuration is exactly the same. Before connecting the old router to the current local network with the main router, we must perform a series of configurations.

IP and Subnet Settings

Normally all routers use the typical network 192.168.1.0, where we can access via cable or WiFi to the administration via web through the IP address 192.168.1.1. We must make sure that the main router and the old router that we are going to reuse, make use of exactly the same subnet, otherwise, we will have problems with connectivity.

Another aspect that we must take into account is the router’s administration IP address, normally all routers use 192.168.1.1, and this is a problem because we cannot have the same access IP address in both routers. We must configure the routers in the following way:

  • Main router: in the LAN we must have configured the IP 192.168.1.1 with subnet mask 255.255.255.0 or also known as / 24.
  • Secondary router: in the LAN we must have a different IP that is within the same subnet, and that is outside the DHCP range of the main router. That is, if the DHCP range of the main router goes from IP 192.168.1.30 to 192.168.1.254, then we can put the IP 192.168.1.2. It is very important to put an IP within the same subnet, and use the same subnet mask.

There are some cases where the main router’s DHCP server goes from IP 192.168.1.2 to 192.168.1.254, so we don’t have any IP available. In this case, we must go to the main router configuration and change the DHCP IP range so that everything works correctly.

DHCP server configuration on the old router

Once we have configured the IP address of the old router, what we must do in this old router is to disable the DHCP server. We will have a single DHCP server in the network, which will be the main router that manages the Internet connection. It is very important that in this old or secondary router we deactivate the DHCP server, otherwise, we could have problems because if we are assigned an IP of the secondary router, the gateway will be incorrectly configured, and at the local network level we will have connectivity, but not from face internet.

WiFi network configuration

The configuration of the WiFi network in the two routers must be exactly the same, except in the WiFi channels used to avoid interference with ourselves. In this case, if the main router we have it configured in the following way:

  • SSID: RedesZone_2.4GHz
  • Security type: WPA2-PSK
  • Password: RedesZone-Password-Access
  • Channel: 3
  • SSID: RedesZone_5GHz
  • Security type: WPA2-PSK
  • Password: RedesZone-Password-Access
  • Channel: 40

The secondary router must be configured exactly the same, but changing the WiFi channels so that there is no interference.

Wired network connection

Once we have configured all the previous parameters, we can connect the old router to the local network and we will have WiFi coverage without any problem. We must connect a network cable from the main router to any LAN port, or from a switch that we have at home (which, in turn, is connected to the main router on a LAN port) to any LAN port of the old router.

ASUS RT-AX88U Gigabit ports and connections

It doesn’t matter which port you connect it to, the most important thing is that it is connected to the LAN port, and if your router has an RJ-45 WAN port, leave it free without connecting.

What about routers that have access point mode?

On the market there are routers such as the ASUS or AVM FRITZ! Box that allow us to configure them as a WiFi access point, to do just this in the tutorial. When we configure it in access point mode, the IP address will be automatically obtained from the DHCP server of the main router, and later we can configure the WiFi wireless network as we want.

In essence, a router in AP mode does exactly the same thing that we have done manually if the router does not have this function. The router will automatically obtain an IP within the main subnet, and later we can configure the SSID, security and WPA2 key in the router, finally, we will have to connect a network cable to the LAN port of the router so that everything works well. It is possible that in AP mode, the Internet WAN port (if we are talking about a neutral router) is also enabled as a LAN, but this depends on the router manufacturer and model.

What about routers with a WiFi repeater function?

There are routers that also have the WiFi repeater function, such as the ASUS or AVM FRITZ! Box. This function does exactly the same as a normal WiFi repeater, it will take the WiFi network from the main router, and repeat it to extend the coverage. The problem is that we will lose half the bandwidth in this “jump”, because the interconnection network is carried out via WiFi and not via cable, therefore, it would be better to interconnect them by cable.

Of course, the best option to have full coverage in our home is to have a WiFi Mesh system, where we will have WiFi roaming and also band-steering. However, if we want to reuse our old router we can also do it and with optimal performance.

Third-party firmware on the old router

If your old router supports third-party firmware such as DD-WRT, OpenWRT or Tomato among others, you can install these advanced firmwares and configure your router directly in WiFi access point mode, obtaining the IP of the network automatically via DHCP client, and later configure the WiFi wireless network. If a certain model of router with the manufacturer’s firmware does not support AP mode, it is very possible that, if you install one of these firmwares that are compatible, you will have the functionalities of a WiFi access point or WiFi repeater.

As you have seen, configuring an old (or new) router as an access point to have greater WiFi coverage wherever we are going to connect is really easy, and we can get it done in about 15 minutes.

Categories
Configuracion routers Tutoriales

How to configure WPA3 on the Wi-Fi router and connect securely

Before starting with our complete tutorial to configure WPA3 in the home router, and how to connect with our computer, smartphone or tablet, we must know that there are several types of WPA3 currently, and the firmwares of the routers incorporate all these options to select them. Depending on the chosen security mode, we will have to fill in more or less information in the router and also in the wireless client, therefore, it is very important to keep it in mind.

  • WPA3-Personal: this method is the typical one that we will use in the domestic environment, we will put a unique password and with this key all wireless devices will be connected. This is what is known as PSK (Pre-Shared Key), or pre-shared password. In this configuration mode the router will use only WPA3-Personal, devices not compatible with WPA3 will not be able to connect to the router or AP.
  • WPA3-Enterprise: this method is when we have a RADIUS server for the authentication of the different users with username / password and with a digital certificate. This connection method will be available especially in companies, since normally a home user will not install a RADIUS server at home.
  • WPA2 / WPA3-Personal: This method is a transition option, it allows the router to accept connections with WPA2-Personal security (with pre-shared key) and with WPA3-Personal simultaneously. Wireless clients always select the most secure option by default, but this option allows unsupported wireless clients to connect successfully without problems.

Configure WPA3-Personal on the Wi-Fi router

At this time, the main brands of home wireless routers such as ASUS and AVM FRITZ! Box, have incorporated the possibility of configuring the new protocol to provide their customers with the best possible wireless security. Other manufacturers such as Aruba or D-Link have also incorporated this WPA3 protocol in their professional access points managed from the cloud.

The first thing we have to do is check if my Wi-Fi wireless router supports this new protocol, most ASUS routers have incorporated this function for some months, in the case of the AVM FRITZ! Box, they are currently in an update process of all its models, but devices such as the FRITZ! Box 7590 and 7530 already support this protocol.

To check if the router supports this type of security, we must enter the web configuration menu of the same, through its default gateway, it will normally be 192.168.0.1 or 192.168.1.1, although in the case of ASUS, we can Put router.asus.com and it will take us directly to the router’s administration website. In the case of the AVM FRITZ! Box, just put “fritz.box” in the navigation bar and we will enter.

Once inside, we have to go to the section «Wireless / Security«, In the case of ASUS, we can change the configuration directly from the main menu, in the section« System status »and by clicking on each of the two frequency bands, we can easily change the security.

If we want to see in more detail the options available globally, we must go to the “Wireless” section, and here we will also see everything related to the security of the Wi-Fi wireless network. A very important aspect is that this router supports WPA2 / WPA3-Personal, to support equipment that is not compatible.

In the case of ASUS, if we have an AiMesh Wi-Fi network, we will have to select yes or yes the WPA2-Personal mode or the WPA2 / WPA3-Personal mode, since this Wi-Fi Mesh system does not currently support WPA3-Personal only. The firmware itself will warn us of this, if we want AiMesh it is necessary to activate backward compatibility, selecting WPA2 / WPA3-Personal.

In the case of AVM routers, they only support WPA2 / WPA3-Personal, they do not support only WPA3-Personal, so we will have backwards compatibility. This is essential because we are in a transition moment between one protocol and another, and we will always have to support older equipment that is not compatible.

To configure the WPA3 protocol, we must go to the section of «Wi-Fi / Security / Encryption«, As you can see here:

If you have another brand of routers, WPA3 security must be available in the security section, if we do not have a drop-down where to select this option, it means that it simply is not compatible (yet) with this protocol, and you have to wait for a new firmware where it does support it.

On D-Link Wi-Fi Mesh systems, such as the COVR-1102 and the recently released COVR-1103, the WPA2 / WPA3-Personal menu looks like this:

In the case of the D-Link, it does not support WPA3 only like the ASUS, it is exactly the same as the FRITZ! Box, it allows both protocols.

Connect to the Wi-Fi router with WPA3 and the computer

In order to use WPA3 in our wireless client, either with Windows PCs or with mobile devices, we must do two actions:

  • Forget the Wi-Fi network to which we have previously connected, this step is necessary because internally it has been saved with WPA2 security, and it will continue to use this protocol. If we select WPA2 / WPA3 it will not give us an error because it will connect with WPA2, but if we select WPA3 only, it will give us an error.
  • Reconnect to the Wi-Fi network again by entering the usual password.

In addition to this, we must meet a total of three fundamental requirements to connect with WPA3-Personal:

  1. We must have an operating system compatible with WPA3, the latest versions of Windows 10, Mac and Linux are supported. If you have older versions, it may not be compatible, you should read the official WPA3 compatibility documentation to find out.
  2. The Wi-Fi card must be compatible with the WPA3 protocol, there are old cards that are not compatible. We must investigate the technical specifications of the card, and if there is no information, we can always try ourselves.
  3. We must have the latest available drivers installed on our computer, this will ensure that, if the card supports it, we can connect to WPA3 networks without problems.

Once we meet these three requirements on PCs, we can try to connect to the Wi-Fi wireless network with the WPA3 security protocol.

In Windows operating systems, in the Wi-Fi section we can see that we are perfectly connected to a Wi-Fi network with the usual WPA2-Personal protocol:

We have to go to the section “Manage known networks” to delete the remembered Wi-Fi network, we proceed to click on our Wi-Fi network and click on “Stop remembering.” Now we will have to connect again to the Wi-Fi wireless network.

Once we have connected, if everything has gone correctly, we will have connectivity without problems and in the state of the Wi-Fi wireless network we will be able to see that we are indeed using WPA3-Personal without problems.

As you have seen, we have been able to connect without problems.

Connect to the Wi-Fi router with WPA3 and the smartphone or tablet

In the case of mobiles or tablets, everything is simpler, our smartphone or tablet must have the latest version of the Android or iOS operating system, and we will try to connect to the Wi-Fi wireless network with WPA3.

  • If we have selected WPA3-Personal only and we cannot connect, it means that it is not supported, either by the internal chipset of the device, or by the version of the operating system.
  • If we have selected WPA2 / WPA3-Personal, and you can connect, you must check if you are connected in WPA2 mode or in WPA3 mode. This can be seen from the status of the Wi-Fi network of the smartphone or tablet, and also from the wireless registration in the router, since it will indicate whether the client has connected via WPA2 or via WPA3.

As you have seen in this tutorial, today having WPA3 security in our home is very simple to better protect our wireless communications, but we must take into account a series of very important aspects to be able to connect without problems.

Categories
Configuracion routers Tutoriales

How to Block ICMP Request Ping on Router’s Internet WAN

Normally firewall oriented operating systems such as pfSense or OPNSense come with all traffic blocked by default, this means that if someone tries to ping our public IP from outside, they will drop the packet automatically. There are home and carrier routers that allow us to configure your firewall, and we even have a specific option to block ping on the Internet WAN.

We must remember that it is not advisable to block all ICMPs, but only those that correspond to the “ping”, that is, the ICMP Echo Request (request) and the ICMP Echo Reply (response). Some types of ICMP are essential for the proper functioning of the network, especially if you work with IPv6 networks.

What happens if we block the ping on the Internet WAN?

Everything will continue to work as usual, the only difference is that if someone from the outside (from the Internet) “ping” our public IP address, the router will not answer. Depending on how we have the router configured, it is possible that not even a port scan will be able to detect if the host (the router) is up or not. If we do not have any service running on the router facing the WAN, and we do not have any open ports on the router, by default all ports will be closed and from the outside they will not be able to communicate with us, in this way, we could pass « unnoticed ”, is what is called security by darkness.

Although we have disabled the ping on the Internet WAN, we will be able to ping Internet hosts without any problem, without having to open ports or do anything at all, because the only thing we are doing with this is blocking the firewall. any ICMP Echo Request that reaches us from the router. Normally routers use Linux operating system inside to work, and they make use of iptables, the rule that they incorporate is the following:

iptables -A INPUT  -p icmp --icmp-type echo-request -j DROP

This rule blocks any ICMP echo-request that goes directly to the router itself, the -j DROP indicates that it will directly delete said packet without “saying” anything to the sender, that is, we discard the packet.

A very important aspect is that we should always block the ping on the WAN, but not on the LAN, since, if we block the ping on the LAN, we will not be able to ping ourselves against the default gateway of our computer (which is router), to detect any possible failure.

Although many models and brands of routers support blocking the ping on the Internet WAN, today in RedesZone we are going to give you two examples of how to block the ping on the WAN in ASUS routers and also in any router from the manufacturer AVM FRITZ! Box.

Block ping (ICMP Echo-request) on ASUS routers

In ASUS routers, both in the manufacturer’s firmware and in Asuswrt-Merlin, the process is exactly the same. We must go to the firmware configuration menu, in the «Firewall / General»And configure the firewall as follows:

  • Do you want to enable the firewall: Yes
  • Do you want to enable DoS protection: Yes
  • Type of registered packages: None. If we want to debug all the packets that pass through the firewall, we can do it, but it is not recommended to always have it activated because it will consume router resources.
  • Do you want to respond to the ping request from the WAN: No.

As you have seen, it is really easy to disable ping from the Internet WAN. Regarding IPv6 settings, ASUS router has any incoming traffic blocked, so you should explicitly allow it in the settings menu.

Block ping (ICMP Echo-request) on AVM FRITZ! Box routers

In the routers of the German manufacturer AVM we can also block the typical ping on the Internet WAN, to do so, we must go to the main menu of the router. In the upper right part where the three vertical points appear, click on «Advanced mode»To have all the configuration options.

Once this is done, we go to «Internet / Filters / Lists«, And we go down until we find the option«Firewall in stealth mode«. We enable it and click on apply changes.

This option allows you to reject all requests from the Internet as we have explained, and it is within everyone’s reach to do so.

Thanks to this blocking of the ping in the Internet WAN, in order to locate our host (router) on the Internet, they must perform a port scan to see if we have any service running, either on the router or on a NAS server on our network local.

Categories
Configuracion routers Tutoriales

How to Update a Router’s Firmware and Software: Tips and Tricks

Methods to update the router firmware

A decade ago there was only one way to update the firmware of the router, and it could be somewhat complicated for users because it was done completely “manually”, today we have automatic methods that allow us to download and update the firmware, and in question In 3 minutes we will have the new update installed without complicating our lives. Currently this manual method is still valid, but we also have others that we are going to explain below.

No warnings, manual firmware download and web update

This method consists of entering the official website of our router periodically, going to the “Support” or “Help” section, and seeing which is the latest version of the firmware that has been published. On some occasions, we will have to enter the US website and not the Spanish one, since it is very possible that the website has not yet been updated with the latest firmware version, therefore, we should check the different websites of the same manufacturer to see in which we have the latest version. This process is manual since we will have to do it monthly, to check whether or not we have a new firmware update. Once we have found the new firmware, we download it to our PC for later update.

To update the firmware of a router, Wi-Fi repeater or PLC manually, we will have to enter the configuration menu via web of its firmware, go to the “Administration” section and we will have to see the “Update” option or similar. Here we will have to click on the “Browse” or “Load” button, select the firmware that we have previously downloaded and click on “Accept”. In these moments the firmware will be transferring to the router for subsequent update, this process usually lasts a maximum of 3 minutes, once the router has been updated, it will restart automatically and we will have Internet connectivity again and we will have the latest version of the firmware .

Notice of a new firmware version and manual update

This method consists in that it is the router itself that will notify us that there is a new version of the firmware, since it continuously checks the manufacturer’s servers to detect a change in it. Once you have notified us of this, we can enter the manufacturer’s official website, go to the “Support” or “Help” section and download the latest version of the firmware. If it is not on the product’s Spanish website, we can try get through the US website, however, we will be sure that there is a new update since the router itself has warned us.

Notice of a new firmware version, automatic download and manual update

This method consists in that it is the router itself that will notify us that there is a new firmware version, it will be able to download it completely automatically, and then we will carry out the “manual” update by simply clicking on “accept”. This process is one of the best because we will only have to accept or deny the update of the new firmware, without having to search the official website, download it and later update it manually. This process is semi-automatic and is one of the most used today by manufacturers.

Automatic firmware update

This method consists in that it is the router itself that will connect to the manufacturer’s servers at a certain time (mainly at night), it will be able to download it completely automatically, and then it will perform the firmware update itself, without intervention of the user. This update method is ideal to always have the latest version available, and all this automatically, ideal for users who do not know how to update the firmware or who are not aware of the latest versions of their firmware.

So you can update the firmware of the router

Updating the router firmware can be a tedious process if it is old and only has the manual update option, or very easy to do if you have the latest update methods. However, it is very important to enter our router and see what type of firmware update we have available. Regardless of the firmware update method, the first thing we must do is enter the router configuration through the web.

In order to know the IP address of our router, you must follow the following steps:

  1. Start menu.
  2. CMD + Enter.
  3. We put the command ipconfig / all.

So, it will show us these results:

ipconfig gateway

Here we see that our gateway is 192.168.1.1. As an example we are going to use the AVM FRITZ! Box router that we are using. Then we open our internet browser, write 192.168.1.1 and press the Enter key.

Next, what we have to do is put the password of our router. In the case of Internet operators, it usually comes on a sticker that comes underneath. In RedesZone we recommend changing it unless, because you have a TV service, do not let it do so.

Once the web access to the router is guaranteed using our password, we are in the router’s configuration menu. Now our objective will be to locate the section where the firmware is updated. In the case of FRITZ! Box routers, the section to update can be found at System.

There we see several sections, the one that matters to us in this case is that of Upgrade, which is the one we are going to press.

This is the screen where the firmware is updated and the first thing it does is show us information about the version we have installed.

In this case we find the group of routers that download the firmware by themselves. To do so we simply have to click on Find a FRITZ! OS again and follow the instructions.

In the rest of routers, it is practically the same, we have to get to a similar screen. In it we will also see the firmware version and we will find a button that is usually called Update Firmware. We press it, select the path where the file that we have downloaded is located and wait for the operation to complete.

In the case of routers from the manufacturer ASUS, we have the following options, and that is that if we have an AiMesh network, we can also update the different nodes almost automatically. We can load the firmware manually, or download it automatically to always have the latest update easily and quickly.

The manufacturer D-Link has also done a great job in terms of the firmware update policy, now we have the possibility of fully automatic update available, as you can see here:

As you have seen, depending on the manufacturer and model of the router, we will have one update method or another, but we will always have the completely manual update method available in case some type of error occurs.

In recent months, the possibility of updating the router’s firmware directly from the official app for Android or iOS smartphones has become fashionable, this method is the same as the one you would perform via the web in the firmware, but directly from the application. This method is also very easy to perform and highly recommended to do, as the router will automatically download and install the latest firmware version.

Tips and tricks if you are going to update the firmware

If you are going to perform a firmware update, you must take into account some very important aspects:

  1. If you are going to download the firmware from the manufacturer’s website, it has to be the firmware of the exact model. Normally if you put another firmware, the router will detect that it is not the correct firmware, and the update will fail, but the router will not be unusable.
  2. If you are going to update the firmware, we recommend that you make a backup of the current configuration you have, especially the Static DHCP configuration and the open ports configured in the router.
  3. It is recommended to update by cable, although if you do it via Wi-Fi it will also work without problems, since this process is done via the web (HTTP or HTTPS) and we use the TCP protocol which is reliable, therefore, the router will not receive a packet corrupt if there is interference.
  4. You should not shut down or restart the router while it is updating. The firmware update process typically takes between two and 4 minutes. It is best to do nothing and wait for the router or repeater to reboot.
  5. We must remember that a firmware update does not mean losing the current configuration of the router.

Finally, we recommend that you reset the router (restoration to factory settings) once every three new versions of the firmware, since, on many occasions, they have important changes and if we do a reset, the operation of our router will be optimal.