Tuesday, February 3, 2015

Choosing a Wireless Router


Checklist for Wireless Networking
TP-LINK Archer C7

Very Important

  1. Don't settle for a "wireless gateway"
    A "wireless gateway" is an all-in-one device that combines a modem (cable or DSL) with a wireless router. They tend to be mediocre, poor performers, especially those supplied by Internet providers.
    1. Insist on a pure modem. Buy your own separate wireless router.
    2. Make sure the modem is configured in "bridge" (not routing) mode. Otherwise you can have "double NAT" problems.


  1. Simultaneous Dual Band
    The low 2.4 GHz band, commonly found in consumer-grade devices, is increasingly crowded, which can severely limit performance. The high 5 GHz band tends to be much less crowded, and will often provide much better performance. But don't just get a single band 5 GHz device, since some wireless devices only support 2.4 GHz, and avoid dual band devices with a single radio that can only work on one band at a time. In other words, not just dual band, but simultaneous dual band.
  2. 300 Mbps Speed
    Wireless "n" devices work at multiples of 150 Mbps (150 Mbps, 300 Mbps, 450 Mbps, etc), but most consumer wireless devices only support 150 Mbps or 300 Mbps, making 300 Mbps a good baseline, so choose a device with at least 300 Mbps speed on both bands (N600). If you choose a wireless "ac" device, anything greater than AC1750 is overkill.
  3. Gigabit Ethernet
    Although Fast (100 Mbps) Ethernet is comparable in real world performance to 300 Mbps wireless (actual wireless performance is usually much less than the advertised maximum), Gigabit (1000 Mbps) Ethernet provides much faster wired networking for not much more money and is otherwise good "future proofing".

Nice To Have

  1. Guest feature
    A guest feature is a separate wireless network for guests that lets them connect to the Internet but not to any of your own networked devices. It's a bad idea to give guests access to your own network.
  2. USB
    USB can be used to attach USB storage or USB printer to the wireless router for network access.

Recommendations non-Apple

    1. ASUS RT-AC87U
      Best. AC2400. Outstanding range and performance. High processing power for gigabit throughput. Excellent support.
    2. ASUS RT-AC68U
      Better. AC1900.
    3. ASUS RT-AC66U
      Very good
      . AC1750. All that most people need.
    4. TP-LINK Archer C7
      Best Buy.
      AC1750. All that most people need. 
    5. ASUS RT-N66U
      . N900.
    6. TP-LINK TL-WDR3600
      Good Buy. N600. Good range and performance.

    Recommendations Apple

    1. Apple AirPort Extreme
      If you're into Apple products, this is the wireless router to get. Expensive but Recommended. Save money safely with an Apple refurbished unit.
    2. Apple AirPort Time Capsule
      Essentially an AirPort Extreme with backup storage built in, so you can keep all your Apple devices backed up over your network. Highly Recommended. Get the largest size you can afford. Save money safely with an Apple refurbished unit.


    1. Update Firmware
      Check the support website for updated firmware before installing, and regularly thereafter (e.g., quarterly).
    2. Don't "cheap out"
      A cheap wireless router can reduce performance due to poor internal routing speed.
    3. Use WPA2 AES Security
      Identity theft is just one of the risks from getting hacked, and WEP "security" is essentially useless. Use a different (and equally strong) password for a Guest network.
    4. Set a Strong Password
      Use a random combination of 12 or more mixed case letters and numbers that you don't use for anything else, and do not use common words, names, numbers, etc.
    5. Don't fool yourself
      Network name (SSID) hiding and MAC address filtering are too easily circumvented to provide even minimal security, and they can lead to network problems, so don't use them.
    6. Network Backup
      Network storage is an excellent way to keep your devices backed up. Highly recommended. (WD My Cloud is a very good alternative to network storage on the wireless router.)
    7. Apple AirPort Express
      The AirPort Express is a great way to extend iTunes music to remote speakers.

     See Also


    1. How do you configure the WAN side connection of these wireless devices to work with a cable modem such as SB6121 or SB6141? I am confused why some routers appear to work on the WAN side with cable modems whereas other routers or firewalls do not appear to work, even when configured as DHCP clients to the cable modem.

      1. The SB6121 and SB6141 are pure cable modems, network bridge devices, that will work with any network device attached to the Ethernet port, including any wired or wireless router. The usual problem is that when a given device (like a computer) has been used on the modem it gets registered with the cable Internet account, and a different device (like a router) won't work on the account until the first device has been unregistered. In the case of Comcast, call for the modem to be reset.

      2. I usually overcome the problem you are referring to by cold booting the cable modem. Then it can work with a new MAC address of a new computer or router.

        As an example of a product that does not work, consider the Fortinet firewalls, older models like the 60A. If you put a cable modem on its external WAN interface, then configure the WAN interface as a DHCP client, it does obtain a public IP from the cable modem as well as a default gateway. But try to ping or traceroute from the console of the firewall, and it appears to be unable to get any packets out of the firewall on the WAN segment.

        I wonder if there is some kind of proprietary protocol - or non-standard use of ARP - on the cable modem, and maybe some routers are not aware of that and cannot work around it? For example, are the default gateways provided by the Arris SB6121 and SB6141 cable modems always on the same segment as the public IP address their DHCP servers hand out? If they are not on the same segment, then maybe some firewalls simply don't understand how to reach the default gateway, incorrectly assuming that an ARP will not work since the gateway is in a different segment from the public IP?

      3. 1. The connectivity issue is at the cable provider, not the modem, and while power reset of the modem will sometimes work, it doesn't always work. It's more reliable to have the provider reset.
        2. DHCP addresses come from the provider DHCP server, not the cable modem, which is just a network bridge.
        3. Many providers block ping as a security risk, so it's not a reliable way to test a connection.
        4. Any decent router will work properly on a DOCSIS cable modem.
        5. DOCSIS cable modems are standards compliant, do not use proprietary or non-standard network protocols on the LAN.
        6. The SB6121 and SB6141 are pure cable modems, network bridge devices, not gateways. The gateway is at the provider.
        7. "Assumption is the mother of all screw ups." [Wethern’s Law of Suspended Judgement]

      4. John, I follow your points, especially regarding bridge versus router in the cable modem.

        Are you saying that just because the DHCP server agrees to hand out an IP to a new device does NOT necessarily mean that the cable vendor is able to work with the new device's MAC address? Asking the cable vendor to reset the device guarantees that the new MAC will be accepted?

        Since you are saying ping and traceroute and not reliable, then what is reliable as a way to test a device connected to a cable modem? I tried traceroute at the console of the Fortinet, and what is strange there is the packets never leave I don't see any attempt to move packets upstream. The situation you describe would show a traceroute trying to get packets to the next host upstream and timing out. I don't see that at all.

        Can you think of any reason why a router would work with a DOCSIS cable modem using dynamic IP/gateway whereas a firewall would not? Several people are saying that we should put a router in front of the firewall in order to give the firewall a static IP to work against upstream, but this begs the question why the router works on the WAN side with the dynamic IP of the cable modem whereas the firewall itself does not.

      5. 1. A cable ISP does often control access by client MAC even when an IP address has been leased to that client by DHCP.
        2. ISP Support can often tell if a modem is working properly and what client device (MAC) has been registered to the account, in addition to being able to reset the modem and account as needed.
        3. If DHCP has worked, then the client device has access to the ISP network. Likewise DNS.
        4. Speed test to the ISP is another way to confirm connectivity when the ISP provides that capability, as many do.
        5. Connectivity to the Internet can be tested by trying connections to popular hosts like Google.
        6. When router A works properly with a popular, excellent cable modem, but router F does not, then the most likely culprit is router F, not the modem.
        7. If the router does work with some other service, then my guess is that it's not configured properly for the cable service.
        8. The unidentified Fortinet device is probably a combo firewall router, not just a pure firewall.
        9. This is an informational blog, not a tech support resource.

      6. With one of the ASUS NAT routers you recommended, the cable box immediately works. I did not reset the connection.

        So there is something in the Fortinet firewall/router that apparently just doesn't like how the cable modem works.

      7. Or the Fortinet is not configured correctly.

      8. It is likely that some configuration of the Fortinet works but the default does not, whereas the ASUS picked it up immediately and seems purpose built to work instantly with a cable modem.

        The Fortinet is a mystery because traceroutes from the console of the Fortinet do not get past Even with a misconfiguration, the traceroute should at minimum go out on a default route on *some* interface.

      9. Not necessarily. If the port on the Fortinet is not configured properly, packets won't go anywhere. If you want to troubleshoot it, snoop the network to see if the Fortinet is using DHCP and getting a proper response.

    2. Fortinet on WAN2 is set as a DHCP client and does acquire IP and gateway from the cable modem.

      1. Then you have some other configuration problem.

    3. Can you comment on why you like the ASUS routers so much?

      I have good experiences with hardware from ASUS myself, but I have only bought one router in my life, and that was about a decade ago, so I am keen to hear your reasoning about what makes a good router. (In other words, what quirks will a bad router typically have).

      1. Reliability, stability, support: ASUS generally uses higher quality components that are more reliable, does a better job with stable firmware, and has good support. Most router manufacturers take "reference designs" from Wi-Fi chipset vendors, add a case, minimally customize firmware, and cheapen as much as possible, which tends to make them less stable and reliable. That said, TP-Link does a pretty good job at a lower price point.