Y-router configuration adds additional security to your home network

June 10, 2015 – 8:58 PM

I’m helping someone reconfigure their home network and realized that I never posted about the Y-router configuration.  Most folks have a home modem that is leased from their ISP and most of these newer modems have built-in router functionality and provide both LAN and WLAN connectivity, but this modem is public facing and can be potentially taken over by a bad actor via the WAN connection or from the wireless connection.  When/if this happens, none of your traffic can be trusted.  The key defense here is network isolation.  If somebody does take over your public-facing device or your wireless network, all of your other traffic is at risk of exposure as well.  Even the hard-wired devices that you think are secure.  A simple, not zero-cost unfortunately, change to your network can provide all of the isolation that you will need.  Most of us have an extra router or two laying around from past upgrades.  If not, they are pretty cheap overall and worth the extra cost once you understand the benefits that you will receive from it.  The basic idea is to have a total of 3 routers and configure them in a “Y” configuration as shown here:

The idea here is that each router is of course a different network (by design) and therefore provides complete isolation between the wired network and the wireless network and they simply cannot talk to each other.  If somebody does take over your wireless network, your wired network traffic remains private and secured.  If the public-facing router gets compromised, the attacker (or malware or whatever) cannot travel backwards to compromise your internal networks.  Total network isolation for the cost of a couple of additional home routers and about an hour of your time.

Note: Never forget to do the basics to secure your public-facing router such as change the default admin passwords to something secure (use LastPass or another password manager to make truly secure passwords), block inbound ICMP, turn off “remote management” from the WAN, disable any unnecessary services, etc.  There are many resources out there to help you.