Setting up your home router for a Firo Masternode -- Even though you shouldn't

The question “How do I set up a Firo Masternode on my home internet” comes up a lot in support chat. The answer is, “YOU SHOULDN’T.” There are some good reasons why too.

One: If you have to ask, there is a good chance you are leaving yourself vulnerable to exploitation.

Two: There are MANY different consumer routers available, all with different interfaces to interact with. Some have features you need, some have features you don’t want to use, and some don’t even have the ability to port forward.

Three: If your Masternode server were to get hacked and someone were to get a foothold into your network, they could easily try to gain access to other computers on your “Trusted Network”, potentially even the computer that holds your crypto wallets.

The BEST option if you want to self host would be to call your Internet Service Provider and see if you can buy a block of IP addresses (business internet plan).

That being said, this isn’t the most practical idea for someone with only one Firo Masternode.

Your best options for a router will be in this order:
Business Router/Firewall > Open Source Router/Firewall > Gaming Router/Firewall > Basic Consumer Router >= ISP Provided Router > Cheap Router/Access Point (Probably won’t have required services)

Personally I use an open source pfSense router, which is packed with amazing tools and security features. You can use an x86_64-based computer with an Ethernet network interface card to build a pfSense router if you have the parts. Otherwise you can buy something that will work online.

THIS GUIDE IS INTENDED TO INFORM. I DO NOT TAKE ANY RESPONSIBILITY IF SOMETHING GOES WRONG WITH YOUR SETUP AND YOU GET HACKED.

READ IT ALL SO FAR? STILL NOT WORRIED?

In this guide I will give an example of a cheap router (TP-Link AC750 WiFi Travel Router) that you SHOULD NOT use if you plan on hosting from home, and a gaming router (TP-Link Archer C5400X) that you could use if you choose. I will be going over some do’s and don’ts, as well as describing why you should or shouldn’t.

UNSAFE ROUTER EXAMPLE
TP-Link AC750 (This item is actually an access point, not a router. It seemed like a good example of what NOT to use.)

I consider this router a bad idea due to its lack of features and bad default security.

This router also has no option to port forward or create a DMZ, so you couldn’t use it even if you wanted to.

For starters, this router by default has the username and password admin:admin. It also doesn’t require you to change the default logins.

USB File/Storage/Media Sharing is Enabled by default

With these features enabled and no username:password change, all someone would need to do to get access to another computer in your home would be to plug in a USB drive with a payload and share it to another PC of yours, potentially gaining access and persistence.

Amazingly, the setup wizard had no requirement to change my default user. Instead you have to go to USB Settings, of all places, to change your user settings.

SAFER ROUTER EXAMPLE
TP-Link Archer C5400X

This router is a bit better, but due to some TP-Link vulnerabilities it could still prove to be hazardous. This is the case for MANY consumer-level routers, which is why I recommend using an open source or business router.

NOTE: I will be going over how to set up this router for your Firo Masternode. It has all of the features needed, as well as anti-virus protections and decent default settings. I will walk through each service provided on this router. If you don’t have that service on your router, skip that step.

NOTE: This router was not connected to my WAN during writing, so some values that would auto-fill are set to 0.0.0.0.

The bottom of your router will have a tag with information on it, such as the default password and username, as well as the URL or IP address to access the web portal.

These are some of the tools available on the Archer C5400X, MANY more than were available on the AC750.

When you first log into your C5400X it requires you to set up a password. None is set by default.

NETWORK

Most items on the Internet page should be filled in by default. If you would like, you can change the host name to whatever you like, but it isn’t required. Leave everything else alone unless you are required to change it.

If your ISP locks in the MAC address of the router used to connect to its services, you might want to do a MAC Clone; this will spoof the MAC address of the C5400X to the MAC address you provide. Read the documentation for more details if this is something you need to do. Otherwise you can call your ISP and have them update to the correct MAC address on their end.

Here you can change your router’s IP address for your LAN. Usually it’s easiest to leave it at 192.168.0.1 or 192.168.1.1. This is your gateway address.

If you want, you can change this to anything that starts with 192.168.X.X. If you’re not sure what to do after making that change, leave this alone.

The IPTV feature allows you to manage network traffic to ensure high-quality streaming for services such as live TV streaming or on-demand video services.

Be cautious of the services you use; otherwise it is usually safe.

This isn’t needed for a Masternode. Turn it off if you’re positive you don’t use services that need it.

DHCP is what provides your devices with a dynamic IP address when you connect them to your network. Unless you plan to manually give each device in your home an IP address, leave this on.

The address pool is the range of IP addresses reserved for dynamic (DHCP) assignment.

Lease time is how long the device will keep the IP address.

You can change this to anything in the range 192.168.0.2 - 192.168.0.254 to make static IP assignment easier and avoid guessing which addresses are available; it’s nice to leave yourself a few IP addresses which can’t be used by DHCP. The range in the picture will provide you with 100 dynamic IP addresses (100 - 199) and 153 static IP addresses (2 - 99, 200 - 254). If you don’t want or need that many, use 192.168.0.2 - 192.168.0.199 or something similar. As you can see at the bottom of the picture, the Debian computer that I connected to the router got the DHCP address 192.168.0.100, the first address in my address pool.

The Default Gateway is how your router talks to the WAN; there is no need to change this.

Primary and Secondary DNS will default to your ISP’s DNS.
Some other examples of what you could use are:
8.8.8.8 and 8.8.4.4 for Google DNS servers.
1.1.1.1 and 1.0.0.1 for Cloudflare DNS servers.

Dynamic DNS is a paid service and won’t be covered.

OPERATION MODE

Operation mode should be set to “Router”.

WIRELESS

This is where you will set up your WiFi SSIDs and passwords. Make sure any smart connection features are turned OFF. Leave all other values at auto unless you know you need to change them for a specific reason. Do this for ALL WiFi bands. You can name them anything you want; it helps to label whether they are 2.4GHz or 5.0GHz, as each has a different use case. Make sure your passwords are good and use a different one for each band for added security. Please note that “Hidden SSIDs” can still be seen, just not as easily, and using this can lead to connection issues. It’s your choice whether you want to use this or not.

WPS is horrible for security: it allows devices to connect at the push of a button or with an 8-digit numeric PIN. We will turn this off in a later step.

If you want to turn off your WiFi at certain times of the day you can create a schedule to do so. If you have any smart devices connected to WiFi they will not receive a signal during these hours.

Guest Network

Plan on having friends or family over?

Set up a guest network to provide internet to your guests, with an easier-to-hand-out password. DO NOT allow guests to access each other or the local network. Each guest on the network should be isolated, keeping your home network and other guests safer from attack on your LAN.

You should only need a 5.0GHz band for your guest network; 2.4GHz is more for devices that remain stationary. Create a good name and an easier-to-remember password to hand out. TURN OFF YOUR GUEST NETWORK WHEN NOT IN USE!

USB SHARING

This will allow you to attach an external storage device for sharing data across your network.
There are better, safer ways to do this; I recommend disabling ALL USB sharing.

The print server helps your devices find your printers more easily.
It is not required, and usually not the most secure. If this isn’t something you absolutely need, disable it.

Time Machine is an automated backup service. You shouldn’t need this; there is minimal reason to back up the router consistently, unless you want to store the logs. Back up your configuration with the backup service usually provided with your router after each configuration change and/or update.

Parental Controls

These are nice if you have children: you can select a device and restrict it from certain online content, as well as give that device set times for use.

QoS

Use these if you want to give certain devices or services priority over others. Nice for gaming, streaming, VoIP, Masternode, PC, etc.

Security

If it’s free, enable it; otherwise it’s your choice.

If you have the option for an SPI (Stateful Packet Inspection) Firewall, use it.

Pings on the WAN port allow external pings to your external IP address. Leave this off.

Pings on LAN allow your devices to ping the router. This is helpful to ensure connectivity from your device; you can turn it off if you don’t plan to use it, but you don’t need to.

It’s a good idea to turn on Access Control.

Whitelist denies all traffic unless the device is added. (More secure)

Blacklist allows all traffic unless the device is added. (Easier)

NOTE: Your MAC address is provided by the manufacturer of your network interface device. It can be spoofed.

Best practice would be to use the whitelist and add each device’s IP and MAC address individually. You will have to do this for every device and each new device you connect to your network. This makes it so someone can’t just plug a device into your router and have full access to your LAN.

IP and MAC Binding is a good idea for your static devices. With this enabled, your router will check that the IP and MAC address of the device match your entry. If not, it won’t allow traffic.

For example: the MAC address of the Debian computer being used is D8-5E-D3-88-6F-7F at the IP address 192.168.0.100. With ARP Binding enabled, if someone were to plug in a different computer with a different MAC address, it would not allow traffic unless that user were to spoof their MAC address to your EXACT MAC address. Pairs nicely with Whitelist Access Control.
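Because a MAC can be spoofed, it is worth periodically comparing the router’s binding list against what is actually answering on the LAN. The script below is an added example (not from this guide or from TP-Link): it takes a binding list and an ARP table dump as plain "IP MAC" lines, normalises the two MAC notations, and reports bound IPs that answer from a different MAC and devices that have no binding at all. The sample data is constructed; only the Debian host’s binding is the one shown above.

```shell
#!/bin/sh
# Added example, not part of the original guide. Compares the router's
# IP/MAC binding list against an ARP table dump and reports deviations.

# Constructed binding list in the router's "IP MAC" form. The first entry is
# the Debian host from the guide; the second is a made-up static device.
BINDINGS='192.168.0.100 D8-5E-D3-88-6F-7F
192.168.0.2 AA-BB-CC-00-11-22'

# Constructed ARP table (what `ip neigh` / `arp -an` output reduces to).
# 192.168.0.2 answers from the wrong MAC; 192.168.0.150 has no binding.
ARP_TABLE='192.168.0.100 d8:5e:d3:88:6f:7f
192.168.0.2 de:ad:be:ef:00:01
192.168.0.150 02:00:00:00:00:05'

# Normalise a MAC to lower-case colon form so "D8-5E-..." equals "d8:5e:...".
norm_mac() { printf '%s' "$1" | tr 'A-F-' 'a-f:'; }

# Print one finding per line:
#   MISMATCH <ip> <expected-mac> <actual-mac>  bound IP seen with another MAC
#   UNBOUND  <ip> <actual-mac>                 device on the LAN with no binding
check_bindings() {
    bindings="$1"; arptable="$2"
    printf '%s\n' "$arptable" | while read -r ip mac; do
        [ -z "$ip" ] && continue
        expected=$(printf '%s\n' "$bindings" | awk -v ip="$ip" '$1 == ip {print $2}')
        if [ -z "$expected" ]; then
            printf 'UNBOUND %s %s\n' "$ip" "$(norm_mac "$mac")"
        elif [ "$(norm_mac "$expected")" != "$(norm_mac "$mac")" ]; then
            printf 'MISMATCH %s %s %s\n' "$ip" "$(norm_mac "$expected")" "$(norm_mac "$mac")"
        fi
    done
}

check_bindings "$BINDINGS" "$ARP_TABLE"
```

On a real LAN, replace the constructed ARP_TABLE with the output of `ip neigh show` reduced to "IP MAC" pairs; a MISMATCH against a static host is exactly the case the router’s binding is meant to block.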

NAT Forwarding

If you don’t know what these services are, or don’t use them, disable all ALGs and Passthroughs.

Don’t use this service; it isn’t what you want for a Firo Masternode. This is good for HTTP, POP, FTP, etc.

Port Triggering is NOT Port Forwarding

Don’t use this service for your Firo Masternode.

DMZ considers ALL ports on the selected device OPEN for inbound connections; this is where you will want to put your Firo Masternode. To prevent unauthorized access, you set up your firewall on the server itself. Add your Masternode to the DMZ AFTER you have configured the static IP address and firewall on the Masternode.

Disable this… unless you absolutely need it.
You can read more about it here: How to fix your self hosted masternode. (Error. Could Not Connect to X.X.X.X:8168)

IPV6

Unless you plan to use IPv6, disable this.

VPN Server

Use this if you want to set up a VPN to connect directly to your router from any network. It will generate a certificate for you that you can download to your laptop to connect to your home router on the go.

This isn’t required, so I won’t be going over how to set it up.

Don’t use this service. It has weak security and many vulnerabilities, and is considered obsolete.

Smart Life Assistant

For if you want Alexa to be even more in your business.

Smart Tools

Ensure you have the correct time and timezone.

NTP (Network Time Protocol) is a protocol that allows the synchronization of system clocks. There is no need to change this.

Nice to turn off LEDs at certain times.
Example: Router is in your bedroom and you like it to be dark.

Tool for testing network connections on your router.
Look up ping and traceroute for more information.

Keep your Firmware up to date to patch known bugs and vulnerabilities.

Back up after each configuration change and before/after each Firmware update.

It’s not a bad idea to have your router reboot weekly, during your sleep hours. This can help clear your router’s cache and keep your speeds and bandwidth optimal.

You can change your password here. Use your own judgement on length and how long you use the same password; an 8 character password can be cracked in under 24 hours. Some people say change your password every 30 days, some say change it every year. I personally think 3 to 6 months is the sweet spot between security and annoyance.

Shows you everything that is going on with your router. It’s good to keep an eye on your logs to make sure unauthorized devices aren’t gaining access to your network, as well as for troubleshooting router issues.

Traffic chart for your devices.

That’s a rundown of the TP-Link Archer C5400X router. If this isn’t your exact router, the options will generally be the same on all routers, if they are available on said router. If you don’t have complete confidence in what you are doing, don’t do it!!! PLEASE DON’T POST SENSITIVE DATA in forums or Discord/Telegram.
An Admin or Volunteers will NEVER DM you without consent in public chat.
Keep an eye out that it is the actual user and not an imposter.

THIS GUIDE IS MEANT FOR INFORMATIONAL PURPOSES. IF YOU MAKE A MISTAKE AND GET HACKED IT IS DUE TO YOUR OWN MISCONFIGURATION.

GOOD LUCK!
Stay Safe!
