Hi, I’m expanding my opsec guide and came across a problem. Can you verify this information? What should I add/remove? I can’t find anything that goes deep into this.
# Network Security
Your home network is the backbone of your digital life. If it's compromised, you're done. First off, ditch those ISP provided routers. They come with backdoors, shitty firmware, and vulnerabilities you don't want anywhere near your network. Instead, grab a GL.iNet router, a pfSense box, or any device that supports OpenWRT.
Next, consider using OpenWRT or OPNsense. Open source firmware gives you more control and better security. Change those default credentials as soon as you can. Also, disable remote management (WAN access to the router admin panel). Set up a guest network for all that IoT junk (smart TVs, Alexa, whatever, if you use them, but you shouldn't) to keep them away from your main network.
Firewall & Network Segmentation:
Use VLANs to separate your trusted devices from the untrusted ones. Block outbound connections from devices that don't need internet access, and restrict LAN-to-WAN access wherever possible. Think about it as building walls in your house - keep the sketchy shit away from your private stuff.
Network Traffic Monitoring:
Set up your traffic monitoring tools like Wireshark or Zeek to watch what's going on. Get familiar with monitoring your inbound and outbound packets, because if you're not looking, someone else is. These tools will help you notice anomalies, like strange connections or devices that shouldn't be on your network.
DNS Security:
Forget about Google DNS (8.8.8.8) and Cloudflare (1.1.1.1). They might seem secure, but they're not. Use Quad9 (9.9.9.9) for better privacy, or even better, self-host unbound. Encrypt DNS traffic with DoH (DNS-over-HTTPS) or DoT (DNS-over-TLS). This is critical if you want to stop your ISP or a third party from snooping on what websites you're visiting.
WiFi Security Best Practices:
For basic WiFi security, ditch outdated tech like WEP, and don't settle for WPA2 if you can get WPA3. WPA3 is the way to go; it's more secure. If you're still stuck on WPA2, make sure you're using WPA2-AES. No TKIP. Ever. Hiding your SSID? It's a placebo effect; it doesn't really do jack for security, but it'll keep the basic scanners out. Name your SSID something unique - don't be that guy using "Comcast_xxxx" or your street address. Change the default SSID to something random. Disable WPS. It's a weak-ass vulnerability waiting to be exploited.
For extra measures, MAC address filtering isn't foolproof but adds a bit of extra resistance. Rotate your WiFi passwords regularly, and make them long. If you're feeling paranoid enough to go next level, implement EAP-TLS for enterprise-grade encryption (this is serious business). Use tools like arpwatch or Kismet to monitor connected devices. You don't want anything unexpected showing up on your network.
Tor for router:
Routing all your WiFi traffic through Tor is a terrible idea if you want speed. It'll slow you down to a crawl and make you look suspicious. Also, data leaks are inevitable if you're not careful. Instead, set up selective routing - route only specific traffic through Tor, like your most sensitive stuff. Want to be a ghost? Set up a dual router system: one router for your standard traffic, and another dedicated to Tor traffic. This messes with your traffic patterns and makes you harder to track.
Check your logs regularly - firewall, system, DNS requests.
IoT Devices:
Don't even think about putting your personal devices on the same network as your IoT trash. IoT devices are like the dumb, vulnerable kids you'd leave in the parking lot - easy targets for attackers. Also, change all your default router settings. Disable any unused services. Physically secure your router too - lock that shit up. Don't let anyone get physical access to your router - they can reset and bypass everything you just set up. Always assume your ISP is logging your traffic. If they're not, you're probably in the wrong dimension.
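The arpwatch/Kismet monitoring and "check your logs" advice above, as an added example that is not part of the original post: a small Python script, assumed to be fed `ip neigh show` output from an OpenWrt-style router, that flags unknown stations, known devices showing up on the wrong VLAN, and two MACs claiming one IP. The device inventory, the two segments and the snapshot are constructed, not taken from a real network.

```python
import ipaddress
import re
from collections import defaultdict
# Hypothetical inventory: MAC -> (label, segment it belongs on). The segments mirror the
# guide's split between a trusted LAN and a separate IoT VLAN (all addresses constructed).
SEGMENTS = {"trusted": ipaddress.ip_network("192.168.10.0/24"),
            "iot": ipaddress.ip_network("192.168.20.0/24")}
KNOWN = {"aa:bb:cc:00:00:01": ("laptop", "trusted"),
         "aa:bb:cc:00:00:02": ("phone", "trusted"),
         "aa:bb:cc:00:00:10": ("smart-tv", "iot")}
# One line of `ip neigh show` output (Linux/OpenWrt neighbour table); FAILED rows carry no MAC.
NEIGH_RE = re.compile(r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-fA-F:]{17}) (?P<state>\S+)$")

def parse_neigh(text):
    """Return (ip, mac) pairs for entries that resolved to a hardware address."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            entries.append((ipaddress.ip_address(m["ip"]), m["mac"].lower()))
    return entries

def segment_of(ip):
    return next((name for name, net in SEGMENTS.items() if ip in net), None)

def audit(entries):
    """arpwatch-style checks: unknown MACs, known devices on the wrong segment, IP/MAC flip-flops."""
    alerts = []
    macs_by_ip = defaultdict(set)
    for ip, mac in entries:
        macs_by_ip[ip].add(mac)
        seg = segment_of(ip)
        if mac not in KNOWN:
            alerts.append(("new-station", mac, str(ip)))
        elif KNOWN[mac][1] != seg:
            alerts.append(("wrong-segment", KNOWN[mac][0], f"{seg} (expected {KNOWN[mac][1]})"))
    for ip, macs in sorted(macs_by_ip.items()):
        if len(macs) > 1:  # two stations claiming one IP: ARP spoofing or a misconfigured device
            alerts.append(("flip-flop", str(ip), ",".join(sorted(macs))))
    return alerts

# Constructed sample snapshot, not captured from a real network.
SAMPLE = """\
192.168.10.5 dev br-lan lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.10.6 dev br-lan lladdr aa:bb:cc:00:00:02 STALE
192.168.10.7 dev br-lan lladdr aa:bb:cc:00:00:10 REACHABLE
192.168.20.9 dev br-iot lladdr de:ad:be:ef:00:01 REACHABLE
192.168.10.6 dev br-lan lladdr de:ad:be:ef:00:02 REACHABLE
192.168.10.44 dev br-lan FAILED
"""
```

Run `audit(parse_neigh(SAMPLE))` on a cron schedule against the router's live neighbour table and diff the result against the previous run; a one-off snapshot only tells you who is there right now.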
Omit GL.iNet; their Qualcomm routers ship with a proprietary firmware (QSDK) based on OpenWrt.