linuxopen sourceweb developmentit technician

Home & Small Business Network Security Guide

Secure your home or small business network with this practical guide covering firewalls, VLANs, VPNs, and essential security best practices.

by Mohamed Chennani

When was the last time you audited the devices connected to your home or small business network? Most people assume a strong Wi-Fi password is enough, but modern threats—from compromised IoT gadgets to ARP spoofing—require a layered approach. Below are practical, low-cost steps you can implement today to lock down your network.

Segment Your Network with VLANs

The single most effective measure is separating trusted devices (laptops, phones) from untrusted ones (smart TVs, IP cameras, guest access). On a managed switch or router that supports VLANs (like a TP-Link Omada or Ubiquiti UniFi), create at least two VLANs:

  • VLAN 10 (Trusted): Your main workstations and servers.
  • VLAN 20 (IoT/Guest): Smart home devices and visitors.

Configure firewall rules to block VLAN 20 from initiating connections to VLAN 10, while allowing established responses. On a Linux-based router (pfSense, OPNsense), a simple rule looks like:

pass in on vlan20 from any to vlan10:network -> block

If you lack managed hardware, enable the guest network on your consumer router—it achieves similar isolation for most practical purposes.

Disable Unused Services and Change Default Credentials

Routers and switches ship with default admin logins and services like WPS, UPnP, and remote management enabled. These are attack vectors. Access your router’s web interface and:

  • Disable WPS and UPnP immediately.
  • Change the default admin username and password (do not reuse your Wi-Fi password).
  • Disable WAN-side administration (remote access from the internet).
  • If you need remote management, use SSH with key authentication instead of a web interface.

For a home lab or small office server, run a quick scan to see open ports:

nmap -sT -p- 192.168.1.1

Any service you don’t recognize or use should be disabled. On a Linux server, remove unnecessary packages with apt purge or systemctl disable.

Enforce DNS Filtering and Monitor Traffic

Free DNS services like Quad9 (9.9.9.9) or Cloudflare for Families (1.1.1.2) block malware and phishing domains automatically. Set them as your router’s primary and secondary DNS servers.

For deeper visibility, install a simple network monitor like ntopng or Pi-hole. Pi-hole not only blocks ads but logs every DNS query, letting you spot suspicious outbound traffic. After installation, check the query log for unknown devices phoning home:

pihole -q -l | grep -i unknown.device.local

If you see repeated queries to overseas IPs from an IoT camera, block that device’s internet access via its VLAN firewall rule.

Keep Firmware and Software Updated Automatically

Exploits against routers (like the 2023 TP-Link vulnerability) often target outdated firmware. Enable automatic updates on your router if available. For Linux-based routers, set up unattended upgrades:

sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

On managed switches, schedule a weekly reboot during off-hours to apply pending updates. For endpoints, enforce automatic updates for the OS and critical applications—do not rely on manual patching.

Conclusion

Network security doesn’t require enterprise budgets. By segmenting with VLANs, disabling defaults, filtering DNS, and automating updates, you reduce your attack surface by 80% or more. Start with one change today—your future self (and your clients) will thank you.