Secure large home network

Let’s face it: many home networks are set up haphazardly. The birth of the internet, the availability of broad-band internet connections in residential areas, and the proliferation of Wi-Fi encouraged the setting up of Local Area Networks (LANs) at home. To spread it even wider, consumer-grade networking equipment makes it easier to set up such a home network by merging functions that usually belong to separate devices in corporate-grade equipment. In the following sections, we’ll look into each function that has been squeezed into a single device, and how to set it up properly in a large home network.

Large home network

Modem
This modulator-demodulator function is only needed when the home broad-band internet connection is provided via an analog channel such as cable television or DSL (Digital Subscriber Line) over analog telephone lines. The modem converts the analog signal coming in from the analog channel to a digital signal in the home network and vice versa. If the internet connection is to be used by a single computer, a broad-band modem such as a cable modem or DSL modem should be enough. A modem acts as a virtual network adapter.

Router
Photo by Jan Krat��na

When there is more than one computer in the home that needs to connect to the broad-band internet, a router is needed to route the data from the internet (the modem’s virtual network adapter) to the home network (another network adapter) and vice versa. To do that, one of the most important functions of a router is Network Address Translation (NAT). What does NAT do? It has to do with IP (Internet Protocol) addressing. To identify which network adapter is talking to which in simultaneous communications, each network adapter needs to be assigned an IP address. IP addresses are used to identify network adapters on the internet as well as inside companies and at home. To minimise the reservation of IP addresses for internal company networks and homes, especially before the invention of IP version 6 (IPv6), specific ranges of IP addresses have been reserved for such use by the Internet Engineering Task Force (IETF) through their Request For Comments (RFC) 1918. NAT translates these reserved private IP addresses to a public IP address that can be understood by the internet, so that communication between the internet and the home network can be established.

A router contains a routing table that tells which IP addresses lie on which side of its network adapters. Hence, it also prevents data packets from crossing over unnecessarily (from the home network to the internet and vice versa). In the Open Systems Interconnection (OSI) model, a router routes communication at layer 3.
Fire-wall
Photo by Stratsan

A fire-wall is a specific type of router that also inspects the data communication being routed. It can filter communication from/to certain IP addresses and from/to certain ports, and lately it can even check whether the data packet being routed was indeed requested by the receiving party, in a mechanism called Stateful Packet Inspection (SPI). It is advisable to enable both the basic fire-wall functionality and the SPI functionality in the device.
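To make the NAT and SPI behaviour described in the router and fire-wall sections concrete, here is an added Python model (my own illustration, not code from the post or from any router product): private source addresses are rewritten to the one public address on the way out, and a packet from the internet is admitted only when it answers a flow that a home adapter started. All addresses are constructed from RFC 5737 documentation ranges and an RFC 1918 /24.

```python
from dataclasses import dataclass

# Constructed addresses, not from the post: RFC 5737 ranges for the internet side.
PUBLIC_IP = "203.0.113.7"
LAN = "10.47.12."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class HomeRouter:
    """Toy model of a NAT router with Stateful Packet Inspection (SPI)."""

    def __init__(self, public_ip, lan_prefix, first_port=40000):
        self.public_ip, self.lan, self.next_port = public_ip, lan_prefix, first_port
        self.by_flow = {}  # (lan ip, lan port, remote ip, remote port) -> public port
        self.by_port = {}  # public port -> that same flow tuple

    def outbound(self, pkt):
        """LAN -> internet: rewrite the private source to the public address and
        record the flow so the reply can be recognised and translated back."""
        if not pkt.src.startswith(self.lan):
            return None  # only adapters on the home side may open flows
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if flow not in self.by_flow:  # first packet of this flow: allocate a port
            self.by_flow[flow] = self.next_port
            self.by_port[self.next_port] = flow
            self.next_port += 1
        return Packet(self.public_ip, self.by_flow[flow], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Internet -> LAN: SPI admits a packet only if it answers a recorded
        flow from the same remote host and port; anything else is dropped."""
        flow = self.by_port.get(pkt.dport)
        if flow is None or pkt.dst != self.public_ip \
                or (pkt.src, pkt.sport) != (flow[2], flow[3]):
            return None  # unsolicited, or a reply from the wrong peer
        return Packet(pkt.src, pkt.sport, flow[0], flow[1])

def demo():
    """A laptop opens an HTTPS flow; its reply is let in, an unsolicited packet is not."""
    r = HomeRouter(PUBLIC_IP, LAN)
    out = r.outbound(Packet(LAN + "53", 51000, "198.51.100.10", 443))
    reply = r.inbound(Packet("198.51.100.10", 443, PUBLIC_IP, out.sport))
    unsolicited = r.inbound(Packet("198.51.100.99", 12345, PUBLIC_IP, 22))
    return out, reply, unsolicited
```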

One more safety precaution: change the management pass-word of the router! When asking for a pass-word, the router normally says what router model it is, so it is very easy for an intruder to search the internet for the default management user name and pass-word and start messing around with the router set-up.

Dynamic Host Configuration Protocol (DHCP) server

Photo by Paul Szustka

A DHCP server automatically assigns IP addresses to network adapters that request them within the network. It goes without saying that no two network adapters within the same network should have the same IP address, because that will confuse communication. It also goes without saying that within a network there should be only one DHCP server, because otherwise two or more DHCP servers will start giving out the same IP address to two or more network adapters in the segment, and communication will not work very well, unless the DHCP scope (the range within which each DHCP server may give out addresses) of each server is carefully set up not to overlap the others.

Let’s talk more about IP addressing. Depending on the size of the company or home network, three address ranges have been reserved for private use by the IETF, as mentioned above. For the smallest size, there’s the class C private IP address range from to, enough for a maximum of 65,534 network adapters. Why only 65,534 adapters and not 65,536? Because the first and last addresses in the range can’t be used, as they’re already reserved for other purposes. This address range can be further subdivided into sub-networks by way of a sub-net mask; say, a sub-net mask of will create a sub-network for 254 network adapters. Effective IP addressing in a home network can also increase security. Most home networks set up by lazy administrators will use the or ranges. To increase security, a home network can choose a sub-net not usually used by other people, say This will add an additional hurdle for intruders.

While we’re on this topic, it’s good to point out that it’s a good idea to have an IP address plan, such as the one below:

  • 1-20 for network infrastructure like broad-band router and access points
  • 21-30 for servers
  • 31-40 for network printers
  • 41-50 for desktops
  • 51-100 for laptops

The network infrastructure, servers, network printers, and maybe desktops should be given fixed IP addresses, so the DHCP server will only serve the laptops, for example.
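As an added example for the DHCP-scope and address-plan points above (my own script, not from the post), this Python check takes a plan like the one listed and confirms that the subnet is private and away from the factory-default ranges, that each role’s host numbers fit inside the usable range, and that no DHCP scope overlaps another scope or a statically assigned role. The 10.47.12.0/24 subnet is a constructed stand-in, since the post leaves its own choice unspecified.

```python
import ipaddress

# Constructed example, not the post's own numbers (it leaves the subnet
# unspecified): a /24 picked away from the factory-default ranges.
SUBNET = "10.47.12.0/24"
# Host-number ranges (last octet, inclusive) following the post's plan.
STATIC = {"infrastructure": (1, 20), "servers": (21, 30),
          "printers": (31, 40), "desktops": (41, 50)}
# DHCP server name -> the scope it hands out; only laptops get dynamic leases.
DHCP_SCOPES = {"router": (51, 100)}

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DEFAULTS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "192.168.1.0/24")]

def usable_hosts(subnet):
    """Adapters a subnet can hold: network and broadcast addresses excluded."""
    return ipaddress.ip_network(subnet).num_addresses - 2

def host(subnet, n):
    """The address with host number n inside subnet, as a string."""
    return str(ipaddress.ip_network(subnet).network_address + n)

def check_plan(subnet, static, dhcp_scopes):
    """Return a list of problems; an empty list means the plan is consistent."""
    net = ipaddress.ip_network(subnet)
    problems = []
    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append(f"{net} is not an RFC 1918 private range")
    if any(net.overlaps(d) for d in DEFAULTS):
        problems.append(f"{net} is a common factory-default range")
    ranges = [(f"static:{k}", lo, hi) for k, (lo, hi) in static.items()]
    ranges += [(f"dhcp:{k}", lo, hi) for k, (lo, hi) in dhcp_scopes.items()]
    top = usable_hosts(subnet)
    for i, (name, lo, hi) in enumerate(ranges):
        if not 1 <= lo <= hi <= top:
            problems.append(f"{name} {lo}-{hi} is outside usable hosts 1-{top}")
        # A scope overlapping another scope or a static role means two adapters
        # can end up with the same address.
        for other, lo2, hi2 in ranges[i + 1:]:
            if lo <= hi2 and lo2 <= hi:
                problems.append(f"{name} overlaps {other}")
    return problems

if __name__ == "__main__":
    print(check_plan(SUBNET, STATIC, DHCP_SCOPES))  # [] when consistent
    # A second DHCP server on an access point whose scope collides with the first:
    print(check_plan(SUBNET, STATIC, {**DHCP_SCOPES, "access-point": (90, 120)}))
```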

Photo by Janet Burgess

The DHCP server also helps home computers find the internet by telling them which IP address the nearest Domain Naming Service (DNS) server is at and which IP address the gateway is at. DNS helps translate the host name of a server (say to an IP address and vice versa. Why? Because it’s easier for us to remember host names than IP addresses, but it’s easier for a computer to locate other computers using IP addresses than host names. Now, usually the broad-band router will just give out its own private IP address as the nearest DNS server. Is that because it can also act as a DNS server? No. The broad-band router is merely acting as a DNS relay, meaning it relays the DNS request to the real DNS server on the internet. How does the broad-band router know which DNS server on the internet to use? It is usually assigned to the router by the broad-band Internet Service Provider (ISP) upon connection. How about the gateway? The gateway here refers to the router that knows where to find other computers when they can’t be found locally; in the case of a home network, this is simply the private IP address of the broad-band router. So, say a home computer tries to connect to an internet server at IP address and can’t find that address in your home (of course it’s not there); it will ask the gateway to help locate and connect to it.

Switch
Photo by Josep Caldentey

To make it easier for homes to connect their multiple computers to the internet, many consumer-grade broad-band routers have also been equipped with a switch. A switch helps by automatically switching on and off a temporary dedicated communication bridge between the network adapters connected to it. This helps reduce data packet collisions (two or more network adapters sending data at the same time) in your home network and increases communication efficiency. To do that, it remembers which Media Access Control (MAC) address is connected to which of its ports. What is a MAC address? A MAC address is a globally unique address that is given to each network adapter upon manufacturing. In the Open Systems Interconnection (OSI) model, a switch operates at layer 2.
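The MAC-learning behaviour just described, as an added example (my own toy model, not code from the post or from any switch vendor): a learning switch floods a frame to every other port while the destination is unknown and, once it has seen an address arrive on a port, sends frames for that address out of that port only. The MAC addresses and port numbers are constructed.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Toy model of a switch's MAC learning (constructed, not any vendor's
    firmware): remembers which MAC address was last seen on which port and
    forwards a frame only to that port once the address is known."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}  # MAC address -> port it was last seen on

    def forward(self, in_port, src_mac, dst_mac):
        """Learn src_mac on in_port, then return the ports the frame goes out of."""
        self.table[src_mac] = in_port
        if dst_mac == BROADCAST or dst_mac not in self.table:
            # Unknown destination: flood every port except the one the frame
            # came in on. This is the extra traffic a freshly powered switch
            # produces until it has learned where each adapter is.
            return [p for p in self.ports if p != in_port]
        out = self.table[dst_mac]
        return [] if out == in_port else [out]  # same port: nothing to switch


def demo():
    """Two constructed adapters, A on port 1 and B on port 3, exchange frames."""
    sw = LearningSwitch(ports=[1, 2, 3, 4])
    a, b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    first = sw.forward(1, a, b)   # B unknown yet: flooded to ports 2, 3, 4
    reply = sw.forward(3, b, a)   # A was learned on port 1: only port 1
    second = sw.forward(1, a, b)  # B now known on port 3: only port 3
    return first, reply, second
```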

Access point

Access points connect the wired portion of the network to the wireless portion. The network covered by an access point is identified by its Service Set IDentifier (SSID). In a large home network with multiple access points, for maximum portability, use the same SSID on all access points. Also, to prevent eavesdropping on the wireless communication, encrypt it, if possible using Wi-Fi Protected Access 2 (WPA2) encryption. It is also a good idea to change the management pass-word of all the access points in the home network.

