Home Network Security: Protect Your Wi-Fi, Devices, and Data

Your Home Network Is Probably Wide Open

Here is a question that should make you uncomfortable: when was the last time you logged into your router's admin panel? If the answer is "never" or "I do not know the password," you are in the same boat as roughly 80% of Indian households. And that boat has holes in it.

The average Indian home in 2026 has somewhere between 8 and 15 connected devices — smartphones, laptops, smart TVs, security cameras, smart speakers, robot vacuums, maybe a smart refrigerator. Each one of these devices is a potential entry point for attackers. And most people connect all of them to the same network with the default router password that the ISP technician set up two years ago.

I spent a weekend auditing my own home network last month. What I found was eye-opening: my smart TV was making connections to servers in three different countries, my cheap security camera was attempting to communicate with an IP address in Shenzhen every 30 minutes, and my ISP's router had UPnP enabled by default, essentially punching holes in my firewall automatically. None of this is unusual — it is the default state of most home networks.

The good news is that fixing this does not require a networking degree. It takes an afternoon of focused effort and some basic understanding of how networks work. Here is everything you need to do.

Step 1: Secure Your Router (The Foundation of Everything)

Your router is the gateway between your home and the internet. If it is compromised, everything behind it is compromised. Treat it like the front door of your house.

Change the Default Admin Credentials

This sounds obvious, but I cannot stress it enough. A shocking number of routers in India still use admin/admin or admin/password as their login credentials. Attackers scan for these constantly. Log in to your router (usually at 192.168.1.1 or 192.168.0.1 in your browser) and change both the username and password.

Use a strong password — at least 16 characters, mixing uppercase, lowercase, numbers, and symbols. Store it in a password manager (more on that later).

Update the Firmware

Router manufacturers regularly patch security vulnerabilities, but most routers do not auto-update. Check your manufacturer's website for the latest firmware version and update manually if needed.

How to check and update:

1. Log into your router admin panel
2. Look for a "Firmware Update" or "System Update" section (usually under Administration or Maintenance)
3. Compare your current version with the latest available
4. Download and apply the update
5. The router will restart — give it a couple of minutes

Some ISP-provided routers in India (like the ones from Jio, Airtel, and BSNL) have locked-down firmware that you cannot update yourself. In that case, consider buying your own router and using the ISP device in bridge mode. TP-Link Archer AX73, ASUS RT-AX86U, and Netgear Nighthawk RAX50 are all solid options under Rs 15,000 that support the latest security standards.

Use WPA3 Encryption

WPA3 is the latest Wi-Fi security standard, and it fixes several weaknesses in WPA2. The most important improvement is SAE (Simultaneous Authentication of Equals), which prevents offline dictionary attacks — the primary method used to crack WPA2 passwords.

To enable WPA3:

1. Open your router admin panel
2. Navigate to Wireless Security settings
3. Change the security mode from WPA2 to WPA3-Personal (or WPA2/WPA3 mixed mode for backward compatibility)
4. Set a strong passphrase — at least 12 characters

If your router does not support WPA3, it is time for a new router. WPA2 is still okay if you use a strong password, but WPA3 is measurably better.

Disable WPS and UPnP

WPS (Wi-Fi Protected Setup) is that button on your router that lets devices connect by pressing a physical button or entering a PIN. The PIN method has a known vulnerability that allows attackers to brute-force the connection in hours. Disable WPS entirely.

UPnP (Universal Plug and Play) allows devices on your network to automatically open ports on your router. This is convenient for gaming and video calls, but it also means malware on any device can open your network to the internet without your knowledge. Disable it and manually configure port forwarding for any applications that need it.

Step 2: Set Up VLANs for IoT Devices

This is where things get interesting. A VLAN (Virtual Local Area Network) is a way to create separate, isolated networks within your home network. Devices on one VLAN cannot communicate with devices on another VLAN unless you explicitly allow it.

Why does this matter? Because your smart light bulbs and cheap security cameras do not need access to your laptop or NAS drive. If a compromised IoT device is on its own VLAN, the attacker is contained and cannot pivot to your important devices.

A Practical VLAN Setup

You need a router that supports VLANs. Most consumer routers do not, but routers running OpenWrt, pfSense, or OPNsense firmware do. Some prosumer routers from ASUS, Ubiquiti, and TP-Link also support VLANs out of the box.

Recommended VLAN structure:

• VLAN 1 (Main): Your laptops, desktops, phones — trusted devices
• VLAN 2 (IoT): Smart home devices, cameras, speakers — isolated from main network
• VLAN 3 (Guest): For visitors — internet access only, no local network access

Internet
    |
  Router (with VLAN support)
    |
    +--- VLAN 1 (Trusted): Laptop, Phone, Desktop
    |         - Full internet access
    |         - Full local network access
    |
    +--- VLAN 2 (IoT): Smart TV, Camera, Alexa
    |         - Internet access (restricted)
    |         - No access to VLAN 1 or VLAN 3
    |
    +--- VLAN 3 (Guest): Visitor devices
              - Internet access only
              - No access to any other VLAN

If VLANs feel too complicated for now, most modern routers have a guest network feature that achieves a simplified version of this. Put your IoT devices on the guest network. It is not as configurable as VLANs but still provides meaningful isolation.

Step 3: DNS Filtering with Pi-hole or NextDNS

DNS (Domain Name System) is how your devices translate website names into IP addresses. By default, your ISP handles your DNS queries, which means they can see every website you visit. More importantly, default DNS provides zero filtering — malware domains, phishing sites, and ad trackers all resolve normally.

Option A: Pi-hole (Self-Hosted)

Pi-hole is a network-wide ad blocker and DNS filter that runs on a Raspberry Pi or any Linux machine. It intercepts DNS queries from all devices on your network and blocks requests to known ad servers, trackers, and malicious domains.

Setting up Pi-hole:

1. Get a Raspberry Pi (any model works; a Pi Zero 2 W is perfect and costs under Rs 2,000)
2. Install Raspberry Pi OS Lite
3. Install Pi-hole with a single command:

curl -sSL https://install.pi-hole.net | bash

4. During setup, choose your upstream DNS provider (Cloudflare 1.1.1.1 or Google 8.8.8.8)
5. Set your router's DHCP settings to distribute the Pi-hole's IP address as the DNS server for all devices

Pi-hole blocks roughly 15-30% of all DNS queries on a typical home network. Those are ads, trackers, and telemetry that you never asked for. Your browsing experience gets faster, your privacy improves, and malicious domains get blocked before they can load.

Option B: NextDNS (Cloud-Hosted)

If you do not want to maintain hardware, NextDNS is a cloud-based DNS filtering service that offers similar functionality. The free tier allows 300,000 queries per month (enough for a small household), and the paid plan (about $20/year) is unlimited.

NextDNS is configured through a web dashboard where you can:

• Enable blocklists (ads, trackers, malware, adult content)
• Whitelist specific domains
• View analytics of all DNS queries from your network
• Set up different profiles for different devices

To use NextDNS, change your router's DNS settings to the NextDNS IP addresses provided in your dashboard. Every device on your network will automatically use it.

Step 4: VPN Setup for Privacy

A VPN (Virtual Private Network) encrypts all traffic between your device and the VPN server. This prevents your ISP from seeing what you are doing online and protects you on public Wi-Fi networks.

Router-Level VPN

The most comprehensive approach is running a VPN on your router itself. This way, every device on your network is protected without installing VPN apps individually. Most routers running OpenWrt or DD-WRT support WireGuard or OpenVPN.

WireGuard is the newer protocol and is significantly faster than OpenVPN. It uses modern cryptography and has a much smaller codebase, which means fewer potential vulnerabilities.

# WireGuard configuration example (client)
[Interface]
PrivateKey = YOUR_PRIVATE_KEY
Address = 10.0.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.com:51820
PersistentKeepalive = 25

VPN Recommendations for India

I personally use Mullvad because they do not require an email address or any personal information to sign up. You pay, you get an account number, you connect. No logs, no accounts linked to your identity. For privacy-focused users, this is the gold standard.

Step 5: Securing Smart Home Devices

Smart home devices are notoriously insecure. Many run outdated firmware, communicate over unencrypted channels, and phone home to servers with questionable security practices. Here is how to minimise the risk.

Before You Buy

• Research the manufacturer's security track record. Do they issue regular firmware updates? Have they had major breaches?
• Prefer devices that work locally (without cloud dependency). Devices that require cloud servers stop working if the company shuts down and are inherently less private.
• Check if the device supports Matter — the new smart home standard backed by Apple, Google, Amazon, and Samsung. Matter devices communicate locally by default and use end-to-end encryption.

After Setup

• Change default passwords immediately. Every smart device gets a unique, strong password.
• Disable features you do not use. If your smart TV has a microphone you never use, disable it.
• Put IoT devices on a separate network (VLAN or guest network, as discussed above).
• Block internet access for devices that do not need it. A smart light bulb that works locally does not need to call home. Block its internet access at the router level.
• Regularly check for firmware updates. Most smart home apps have an update section — check it monthly.

Step 6: Monitoring Your Network Traffic

You cannot protect what you cannot see. Monitoring your network traffic reveals which devices are communicating with external servers, how much bandwidth they use, and whether anything suspicious is happening.

Tools for Network Monitoring

• Pi-hole dashboard — If you set up Pi-hole, its web dashboard shows all DNS queries from all devices, including blocked queries.
• ntopng — A powerful network traffic analysis tool that runs on Linux. It shows real-time traffic flows, bandwidth usage per device, and application-level protocol analysis.
• Wireshark — For deep packet inspection when you need to investigate a specific issue. Not for continuous monitoring.
• Your router's built-in tools — Most routers have basic traffic monitoring. Check the admin panel for a "Traffic Monitor" or "Connected Devices" section.

What to look for:

• Devices making connections to unexpected countries
• Unusually high data usage from devices that should be idle
• DNS queries to known malicious domains (Pi-hole handles this)
• Devices attempting to connect to other devices on the network

Step 7: Password Managers and 2FA Everywhere

This is not strictly a network security measure, but it is foundational to your overall digital security. If an attacker compromises one of your passwords and you reuse that password across multiple services, everything falls.

Password Manager Recommendations

I recommend Bitwarden for most people. It is open-source, has been independently audited, works on every platform, and the free tier is genuinely sufficient. The paid version adds emergency access, advanced 2FA options, and 1GB of encrypted file storage.

Enable Two-Factor Authentication (2FA)

Enable 2FA on every account that supports it. Prioritise:

1. Email accounts — Your email is the master key to all other accounts (password reset emails)
2. Banking and financial services — UPI apps, investment platforms, bank portals
3. Social media — Instagram, X, Facebook, LinkedIn
4. Cloud storage — Google Drive, Dropbox, OneDrive
5. Password manager — Protect the vault that protects everything else

Use an authenticator app (Aegis on Android or Raivo on iOS — both open-source) rather than SMS-based 2FA. SMS can be intercepted through SIM swapping attacks, which are shockingly easy to pull off in India.

Step 8: Dealing with ISP Snooping

Indian ISPs can see every website you visit through your DNS queries and connection metadata. While the IT Act provides some framework for data protection, the practical reality is that ISP data handling in India is opaque at best.

What Your ISP Can See

• Every domain name you resolve (unless you use encrypted DNS)
• The IP addresses you connect to
• The timing and volume of your internet activity
• Metadata about your connections (though not the content if you use HTTPS)

How to Minimise ISP Visibility

1. Use encrypted DNS (DoH or DoT). Change your DNS to a provider that supports DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT). Cloudflare (1.1.1.1) and Google (8.8.8.8) both support these. This prevents your ISP from seeing your DNS queries.
2. Use a VPN. A VPN encrypts all your traffic, so your ISP sees only that you are connected to a VPN server and nothing about what you are doing through it.
3. Ensure HTTPS everywhere. Modern browsers enforce HTTPS by default, but double-check. The HTTPS Everywhere browser extension is no longer necessary in 2026 since most browsers now default to HTTPS.

Step 9: Guest Network Best Practices

Every home should have a guest network. When friends or relatives visit and ask for Wi-Fi (which in India happens approximately every time anyone walks through your door), give them the guest network password instead of your main network.

Guest network configuration:

• Use a different SSID and password than your main network
• Enable client isolation (prevents guest devices from seeing each other)
• Disable access to local network resources (NAS, printers, etc.)
• Set bandwidth limits if your ISP plan has data caps
• Consider changing the password periodically

Most routers have a guest network feature built in. It takes two minutes to configure and prevents a compromised guest device from accessing your personal devices.

Step 10: Parental Controls

If you have children using devices on your home network, DNS filtering (Pi-hole or NextDNS) is your best tool for content filtering. NextDNS in particular has excellent parental control features — you can block adult content, social media, gaming sites, and specific apps at the DNS level, which works across all devices without installing software on each one.

Layered approach:

1. Network level: DNS filtering blocks inappropriate domains
2. Device level: Enable parental controls on the device (Screen Time on iOS, Family Link on Android)
3. App level: Individual apps like YouTube have their own restricted modes
4. Conversation level: No amount of technology replaces actually talking to your kids about online safety

The Complete Checklist

Here is a summary of everything covered, formatted as an actionable checklist:

• Change router admin username and password
• Update router firmware to the latest version
• Enable WPA3 encryption (or strong WPA2 passphrase)
• Disable WPS and UPnP
• Disable remote management
• Set up a guest network
• Set up DNS filtering (Pi-hole or NextDNS)
• Put IoT devices on a separate VLAN or guest network
• Change default passwords on all smart devices
• Install and configure a VPN (at least on mobile devices)
• Enable encrypted DNS (DoH or DoT)
• Set up a password manager and generate unique passwords for all accounts
• Enable 2FA on all critical accounts
• Review connected devices on your router monthly

You do not need to do all of this in one sitting. Start with the router hardening steps — those give you the biggest security improvement for the least effort. Then work through the rest over a few weekends. Each step makes your home network meaningfully more secure, and together they create a layered defence that is genuinely difficult to breach.

Your home network is worth protecting. The devices on it contain your financial data, your private conversations, your family photos, and your children's browsing activity. Spending an afternoon securing it is one of the best investments of time you will ever make.