Guide to Securing Your Home Wi-Fi Network & Ad Blocking

Securing your home Wi-Fi requires multiple protection layers. Change default router credentials, enable WPA3 encryption (or WPA2 minimum), and update firmware regularly to patch vulnerabilities. Create a separate guest network to isolate visitors from your devices. For comprehensive protection, implement network-wide ad blocking with Pi-hole, then add device-specific blockers like uBlock Origin (browsers), NextDNS (cross-platform), or AdGuard (mobile). These measures protect against unauthorized access, malware, tracking, and intrusive advertisements across your network.

Understanding Router Security Basics

Your router serves as the gateway between your home network and the internet, making it the first line of defense against cyber threats. Most security breaches begin with poorly configured routers using factory default settings that attackers can easily exploit.

Finding Your Router’s IP Address:

Before configuring your router, you need to find its IP address to access the admin panel:

On Windows:

1. Method 1 – Command Prompt:
   • Press Windows Key + R to open Run dialog
   • Type cmd and press Enter
   • Type ipconfig and press Enter
   • Look for “Default Gateway” under your active network connection (usually Ethernet or Wi-Fi)
   • The IP address listed (e.g., 192.168.1.1) is your router’s address
2. Method 2 – Settings:
   • Open Settings (Windows Key + I)
   • Go to Network & Internet
   • Click on your connection type (Wi-Fi or Ethernet)
   • Click “Properties”
   • Scroll down to find “Default gateway” under IPv4
3. Method 3 – Control Panel:
   • Open Control Panel
   • Go to Network and Internet → Network and Sharing Center
   • Click on your active connection
   • Click “Details”
   • Look for “IPv4 Default Gateway”

On Mac:

1. Method 1 – System Settings:
   • Click the Apple menu → System Settings (or System Preferences on older macOS)
   • Click “Network”
   • Select your active connection (Wi-Fi or Ethernet) from the left sidebar
   • Click “Details” or “Advanced”
   • Go to the “TCP/IP” tab
   • Look for “Router” – this is your router’s IP address
2. Method 2 – Terminal:
   • Open Terminal (Applications → Utilities → Terminal)
   • Type netstat -nr | grep default and press Enter
   • The IP address in the “Gateway” column is your router’s address
3. Method 3 – Quick Option Key Method:
   • Hold the Option key and click the Wi-Fi icon in the menu bar
   • Look for “Router” in the connection details

Initial Router Configuration:

• Access your router’s admin panel by typing its IP address (typically 192.168.1.1 or 192.168.0.1) into a web browser
• Immediately disable WPS (Wi-Fi Protected Setup)—despite its convenience, this feature contains fundamental security flaws that allow hackers to crack your network password in hours
• Disable remote management unless absolutely necessary, as this feature opens your router’s admin panel to the internet, creating an unnecessary attack vector

Essential Security Features:

• Ensure your router’s firewall is enabled and set to block unsolicited incoming connections
• Review the router’s connected devices list regularly to identify any unauthorized access—unfamiliar devices indicate your network may be compromised

Creating Strong Passwords and Encryption

Default router passwords like “admin” or “password” are public knowledge, published in online databases that hackers reference. Change both your router’s admin password and your Wi-Fi network password immediately after setup.

Admin Password Requirements:

• Use a unique password of at least 16 characters
• Combine uppercase, lowercase, numbers, and symbols
• Store this in a password manager since you’ll rarely need it

Wi-Fi Password Strategy:

• Requires complexity while remaining shareable with legitimate users
• A passphrase using 4-5 random words (like “correct-horse-battery-staple”) provides excellent security while being memorable

Encryption Protocols:

• WPA3 is the current gold standard, offering individualized data encryption and protection against brute-force attacks
• If your router doesn’t support WPA3, WPA2-AES is acceptable
• Never use WPA, WEP, or “open” networks, as these can be cracked in minutes
• Check your router specifications or consider upgrading if you’re limited to outdated protocols

Keeping Firmware Updated

Router firmware contains the operating system that manages all network functions. Manufacturers regularly release updates patching security vulnerabilities, but unlike phones or computers, routers don’t automatically notify users about available updates.

Update Best Practices:

• Check your router manufacturer’s website monthly for firmware updates
• Enable automatic updates if your router supports this feature
• The update process typically involves downloading a file and uploading it through the router’s admin panel
• Some modern routers include one-click update buttons within their interfaces
• Set a recurring calendar reminder to check for updates quarterly at minimum

Firmware Download Pages by Router Brand:

• ASUS – Search by model number to find firmware updates and driver downloads
• TP-Link – Enter your router model to access firmware downloads and documentation
• NETGEAR – Select your product to download the latest firmware and software
• Linksys – Search for your router model to find firmware updates and support articles
• D-Link – Access firmware downloads and product documentation by model
• Ubiquiti – Download UniFi, EdgeRouter, and AmpliFi firmware updates
• Google Nest WiFi / Google WiFi – Automatic updates; check current version in Google Home app
• NETGEAR Orbi – Dedicated support page for Orbi mesh systems
• Zyxel – Firmware and documentation by product category
• ARRIS / Surfboard – Router support and firmware downloads
• Cisco – Business and home router support (requires free account for downloads)
• MikroTik – RouterOS firmware updates and software downloads

Why Firmware Updates Matter:

• The KRACK attack in 2017 affected millions of routers until firmware patches were released
• The VPNFilter malware in 2018 infected over 500,000 routers with outdated firmware
• These attacks could have been prevented with timely updates

Setting Up Guest Networks

Guest networks create a separate Wi-Fi access point that isolates visitors from your primary network and connected devices. This separation is critical—you wouldn’t give visitors physical access to your computer, so why grant them network access to your smart home devices, NAS storage, or computers?

Guest Network Configuration:

• Most modern routers include guest network functionality in their settings
• Enable this feature and configure it with a different password from your main network
• Enable AP (Access Point) isolation, which prevents guest devices from communicating with each other
• This stops a compromised guest device from attacking others on the same network

Beyond Guest Usage:

• Place IoT devices (smart TVs, cameras, thermostats) on the guest network
• These devices often have poor security and can become entry points for attackers
• Network segmentation limits damage if an IoT device is compromised
• Hackers gain access only to the isolated guest network, not your computers and phones containing sensitive data

Guest Network Setup Instructions by Router Brand:

• ASUS – Step-by-step guide to enable and configure guest networks on ASUS routers
• TP-Link – Instructions for setting up guest network access on TP-Link wireless routers
• NETGEAR – How to set up guest WiFi on NETGEAR Nighthawk and other routers
• Linksys – Guide to creating a guest network on Linksys Smart WiFi routers
• D-Link – Setting up guest WiFi zones on D-Link routers
• Ubiquiti UniFi – Complete guide to guest networks and portal configuration for UniFi systems
• Google Nest WiFi / Google WiFi – How to set up a guest network using the Google Home app
• NETGEAR Orbi – Guest network setup for Orbi mesh WiFi systems
• Zyxel – Instructions for configuring guest WiFi on Zyxel routers
• ARRIS / Surfboard – Enable guest network on ARRIS Surfboard routers and gateways
• MikroTik – RouterOS Hotspot system for guest access and authentication

Network-Wide Ad Blocking with Pi-hole

Pi-hole provides network-level ad and tracker blocking by functioning as your DNS server, filtering malicious and advertising domains before any device receives them. Unlike browser extensions, Pi-hole protects all devices on your network—smartphones, tablets, smart TVs, and IoT devices.

What You’ll Need:

• Raspberry Pi (Pi 3, 4, or 5 recommended; starting at $35) or any existing computer with minimal resources
• MicroSD card (8GB minimum, 16GB+ recommended)
• Power supply for your Raspberry Pi
• Ethernet cable (recommended for stable connection) or WiFi
• Computer for initial setup

Step-by-Step Pi-hole Installation:

Step 1: Prepare Your Raspberry Pi

1. Download Raspberry Pi Imager (available for Windows, macOS, and Linux)
2. Install and launch Raspberry Pi Imager
3. Insert your microSD card into your computer
4. In Raspberry Pi Imager:
   • Click “Choose Device” and select your Raspberry Pi model
   • Click “Choose OS” and select “Raspberry Pi OS (64-bit)” under Raspberry Pi OS (other)
   • Click “Choose Storage” and select your microSD card
5. Click the gear icon (⚙️) or “Edit Settings” to configure advanced options:
   • Enable SSH (for remote access)
   • Set username and password
   • Configure WiFi settings (if not using Ethernet)
   • Set locale settings (timezone, keyboard layout)
6. Click “Save” then “Write” to flash the OS to your microSD card
7. Once complete, insert the microSD card into your Raspberry Pi and power it on
8. Connect via Ethernet cable to your router (recommended) or ensure WiFi is connected

Step 2: Access Your Raspberry Pi

1. Find your Raspberry Pi’s IP address:
   • Directly from the Raspberry Pi (if you have a monitor and keyboard connected):
     • Log in with the username and password you set during imaging
     • Type hostname -I and press Enter (the IP address will be displayed)
     • Or type ip addr show and look for the inet address under eth0 (Ethernet) or wlan0 (WiFi)
     • Or type ifconfig and look for the inet address (may need to install: sudo apt install net-tools)
   • From your router: Check your router’s connected devices list (DHCP client list), or
   • Using a network scanner: Use Angry IP Scanner or Advanced IP Scanner to scan your network
2. Connect via SSH:
   • Windows: Use PuTTY or Windows Terminal (built-in)
   • macOS/Linux: Open Terminal and type: ssh username@[IP-ADDRESS]
3. Enter your password when prompted

Step 3: Install Pi-hole

1. Update your system packages:
   sudo apt update && sudo apt upgrade -y
2. Run the Pi-hole automated installer:
   curl -sSL https://install.pi-hole.net | bash
3. Follow the installation wizard:
   • Select your network interface (usually eth0 for Ethernet or wlan0 for WiFi)
   • Choose your upstream DNS provider (Google, Cloudflare, OpenDNS, or custom)
   • Select blocklists (default lists are recommended to start)
   • Choose whether to install the web admin interface (recommended: Yes)
   • Choose whether to install the web server lighttpd (recommended: Yes)
   • Enable query logging (recommended: Yes)
   • Select privacy mode for FTL (default is fine)
4. Note the admin password displayed at the end of installation (you can change it later)
5. Note your Pi-hole’s IP address (e.g., 192.168.1.100)

Step 4: Set Static IP Address (Important!)

1. Your Pi-hole needs a static IP address so your router always knows where to find it
2. Configure static IP on your router (preferred method):
   • Log into your router’s admin panel
   • Find DHCP reservation or static IP settings
   • Reserve the current IP address for your Raspberry Pi’s MAC address
3. Or configure static IP on the Raspberry Pi:
   sudo nano /etc/dhcpcd.conf
   Add these lines at the end (adjust for your network):
   interface eth0
static ip_address=192.168.1.100/24
static routers=192.168.1.1
static domain_name_servers=1.1.1.1 8.8.8.8
   Save (Ctrl+X, Y, Enter) and reboot: sudo reboot

Step 5: Configure Your Router to Use Pi-hole

Update your router’s DHCP server to use Pi-hole as the DNS server. This ensures all devices on your network automatically use Pi-hole for ad blocking.

Router-Specific DHCP/DNS Configuration Guides:

• ASUS – Configure LAN DHCP server and DNS settings
• TP-Link – Set up DNS server on TP-Link routers
• NETGEAR – Change DNS server settings on NETGEAR routers
• Linksys – Configure DNS settings on Linksys Smart WiFi
• D-Link – Change DNS server settings on D-Link routers
• Ubiquiti UniFi – Configure DHCP name server in UniFi Network settings (Settings → Networks → Edit Network → DHCP Name Server)
• Google Nest WiFi / Google WiFi – Set custom DNS servers in Google Home app (Note: Limited DNS options)
• NETGEAR Orbi – Configure DNS server on Orbi mesh systems
• Zyxel – Configure DHCP and DNS settings on Zyxel routers
• ARRIS / Surfboard – Change DNS servers on ARRIS devices
• MikroTik – Configure DHCP server DNS settings in RouterOS

General Router Configuration Steps:

1. Log into your router’s admin panel (typically 192.168.1.1 or 192.168.0.1)
2. Navigate to DHCP settings (may be under LAN, Network, or Advanced settings)
3. Find DNS server settings (may be called “DNS Server,” “Primary DNS,” or “Name Server”)
4. Enter your Pi-hole’s IP address as the Primary DNS server (e.g., 192.168.1.100)
5. Leave Secondary DNS blank or use a backup like 1.1.1.1 (Cloudflare) or 8.8.8.8 (Google)
6. Save settings and reboot your router
7. Restart your devices or wait for DHCP lease renewal (typically 24 hours, or disconnect/reconnect from WiFi)

Step 6: Access Pi-hole Admin Interface

1. Open a web browser and navigate to: http://[PI-HOLE-IP]/admin (e.g., http://192.168.1.100/admin)
2. Log in with the admin password from the installation
3. To change the admin password: pihole -a -p via SSH

Step 7: Update and Manage Block Lists

Pi-hole’s effectiveness depends on maintaining current blocklists. Here’s how to manage them:

Update Existing Block Lists:

1. Via Admin Interface:
   • Go to Tools → Update Gravity
   • Click “Update” to refresh all blocklists
2. Via Command Line:
   pihole -g
3. Set up automatic updates with a cron job:
   sudo crontab -e
   Add this line to update weekly (Sundays at 3 AM):
   0 3 * * 0 pihole -g

Add Additional Block Lists:

1. In the Admin Interface, go to Group Management → Adlists
2. Add blocklist URLs in the “Address” field
3. Click “Add” then “Save”
4. Update Gravity to apply new lists: Tools → Update Gravity → Update

Recommended Additional Block Lists:

• The Firebog – Curated collection of reliable blocklists organized by category (ads, tracking, malicious)
• RegEx Filters – Pattern-based blocking for more aggressive filtering
• OISD Blocklist – Comprehensive, regularly updated blocklist with low false positives
• The Block List Project – Specialized lists for malware, ransomware, tracking, and ads

Whitelist Management:

Some legitimate domains may be blocked inadvertently. To whitelist:

1. Go to Whitelist in the Admin Interface
2. Enter the domain name (e.g., example.com)
3. Add a comment explaining why (optional but recommended)
4. Click “Add to Whitelist”
5. Via command line: pihole -w example.com

Maintenance and Troubleshooting:

• Update Pi-hole: pihole -up
• Restart Pi-hole: pihole restartdns
• View status: pihole status
• Temporarily disable: pihole disable 5m (disables for 5 minutes)
• Check logs: Query Log in Admin Interface or pihole -t for tail mode

Key Features:

• Maintains blocklists containing millions of known advertising, tracking, and malware domains
• When a device requests a blocked domain, Pi-hole returns a null response, preventing the connection
• Web interface displays real-time statistics showing blocked queries, most active devices, and most blocked domains
• Whitelist legitimate domains that were inadvertently blocked
• Add custom blocklists for additional protection

Benefits:

• Blocks ads in mobile apps, smart TV interfaces, and embedded advertising where browser extensions cannot reach
• Speeds up browsing by preventing large advertising files from downloading
• Reduces bandwidth consumption—users typically report 15-20% reductions in network traffic

Device-Level Ad Blocking Solutions

While network-wide blocking provides baseline protection, device-specific solutions offer additional customization and work outside your home network when traveling.

Browser Extensions:

uBlock Origin remains the gold standard for browser-based ad blocking.

• Open-source, lightweight, and doesn’t participate in “acceptable ads” programs that whitelist certain advertisers
• Install it on Firefox, Chrome, or Edge
• Provides comprehensive webpage ad blocking, including YouTube video ads and social media sponsored content
• Advanced users can enable additional filter lists for anti-malware, privacy protection, and regional filters

System-Wide Mobile Blocking:

AdGuard and NextDNS provide system-level blocking on iOS and Android devices.

• AdGuard: Uses local VPN technology (your traffic isn’t actually routed through external servers) to filter content across all apps
• NextDNS: Operates as a cloud-based DNS filtering service with customizable blocklists, parental controls, and detailed analytics
• Both solutions work on cellular data when you’re away from your Pi-hole-protected home network

Desktop Applications:

For Windows and macOS, AdGuard’s desktop applications filter system-wide traffic.

• Block ads in applications beyond just web browsers
• Include HTTPS filtering to block encrypted ads
• DNS filtering for malware protection
• Parental control features

Defense in Depth Strategy:

• Layer these device-specific solutions with network-wide blocking
• Pi-hole catches threats at the network perimeter
• Device-level blockers provide granular control and protect devices when traveling
• This redundancy ensures comprehensive coverage across all scenarios

Sources

• Pi-hole – Network-wide ad blocking
• Wi-Fi Alliance – WPA3 Security
• CISA – Securing Your Home Network
• uBlock Origin Official Site
• AdGuard – System-wide ad blocking
• NextDNS – Cloud-based DNS filtering
• UK National Cyber Security Centre – Router Security Guidance
• Raspberry Pi Foundation
• KRACK Attacks – WPA2 Vulnerability
• Cisco Talos – VPNFilter Malware Analysis