Setting up your home network for privacy in 90 minutes
A Saturday-morning checklist that hardens your router, fixes your DNS, segments your IoT junk, and (optionally) puts a VPN on the gateway. No paranoia, no rack of servers — just the settings most people skipped.
You bought the router, plugged it in, and never opened the admin page again. That is fine — most people do exactly that. But the defaults on a 2026 consumer router are not what you want them to be, and ninety minutes of one-time setup will fix the majority of the problems an attacker on your block (or your ISP, or a compromised IoT device in your living room) could exploit.
This is a model-agnostic walkthrough. Your router will phrase things differently — "WPA3-Personal" might be called "WPA3 SAE" or "Wi-Fi 6 Security" — but every setting below exists in some form on every consumer router shipped in the last five years. Block out a Saturday morning. Make coffee. Open admin.
Step 1: Update the firmware (10 minutes)
Router firmware ships with bugs. Some of those bugs are remote-code-execution bugs. Vendors patch them; nobody installs the patches. This is the single highest-leverage change you can make.
1. Open your router admin page (usually 192.168.1.1 or 192.168.0.1; check the sticker on the bottom).
2. Find the menu titled Administration, System, or Maintenance.
3. Click Firmware Update or Check for Updates.
4. Apply the update. The router will reboot. Do not unplug it during this.
5. Enable automatic firmware updates if the option exists.
Step 2: Change the admin password (5 minutes)
Default admin credentials are public. Search "<your router model> default password" and you will find them. The router-admin password and the Wi-Fi password are two different things — both need to be changed.
1. In Administration or System, find Admin Password or Login Password.
2. Set a 16+ character random password from your password manager.
3. If your router supports two-factor admin login, turn it on.
4. Save. You will be logged out. Log back in with the new password.
Step 3: Lock down Wi-Fi (15 minutes)
Three settings matter here: encryption, WPS, and SSID broadcast. Get them right once and forget about them.
- Encryption: WPA3-Personal if all your devices support it; WPA3/WPA2 Mixed Mode if you have older hardware. Never WPA, never WEP, never Open.
- WPS: off. WPS is a protocol that lets you connect devices by pushing a button — it has been broken since 2011 and never properly fixed.
- SSID broadcast: leave it on. Hiding the SSID does not hide the network from anyone with a $20 USB adapter, and it makes your phone broadcast its name everywhere it goes. Net loss.
- Wi-Fi password: 20+ characters. Random. Stored in your password manager. Share via QR code, never typed.
Step 4: Disable UPnP and remote admin (5 minutes)
UPnP lets devices on your network punch holes in your firewall without asking you. It is convenient. It is also how a compromised game console or smart bulb opens your network to the public internet. Turn it off.
1. Find Advanced Settings or NAT Forwarding.
2. Disable UPnP (sometimes called "Universal Plug and Play" or "Auto Port Forwarding").
3. Find Remote Management or WAN Access. Disable it. You should never administer your router from outside your house.
4. If a specific game or app breaks, manually forward only the port it needs. This happens less often than the internet would have you believe.
Step 5: Set a privacy-respecting DNS resolver (10 minutes)
By default, your router uses your ISP's DNS, which means your ISP sees every domain you visit. Change this once at the router level and every device on your network benefits.
Pick one. All three are good options:
- NextDNS (configurable, good filtering, free tier covers most homes): 45.90.28.0 / 45.90.30.0
- Quad9 (blocks known-malicious domains, no logging, Swiss-based): 9.9.9.9 / 149.112.112.112
- Cloudflare (fast, no logging, no filtering): 1.1.1.1 / 1.0.0.1
1. In your router admin, find Internet Settings or WAN.
2. Set DNS mode to Manual.
3. Enter the primary and secondary IPs of your chosen resolver.
4. Save and reboot the router.
5. Test: visit dnsleaktest.com from a connected device and confirm your chosen resolver shows up.
Step 6: Create a separate IoT network (20 minutes)
Your smart fridge does not need to talk to your laptop. Your camera does not need to talk to your work phone. Put the cheap, never-updated, sketchy-firmware devices on their own network where they cannot reach anything that matters.
On most consumer routers this is called "Guest Network." It is not a true VLAN, but it does isolate clients from your main LAN, which is the part that counts.
1. In Wi-Fi Settings, enable Guest Network.
2. Name it something obvious like "House-IoT" (not "Guest" — you will use this for years).
3. Enable client isolation, or set "Allow guests to see each other and access my local network" to OFF.
4. Set a long random password.
5. Move every smart bulb, plug, camera, doorbell, fridge, scale, and TV onto this network. Yes, all of them. Yes, even the expensive ones.
Step 7 (optional): Pi-hole or AdGuard Home (15 minutes)
A network-level ad blocker eats trackers for breakfast. AdGuard Home runs on a Raspberry Pi, an old laptop, or a $35 mini-PC. Once installed, you point your router's DNS at it and every device — including your phone, your TV, and your kid's tablet — gets ads stripped before they hit the wire.
1. Flash a Raspberry Pi with Raspberry Pi OS Lite.
2. Run the AdGuard Home installer: curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v
3. Open http://<pi-ip>:3000 and complete setup. Use a strong admin password.
4. In your router DNS settings, replace the public resolver from Step 5 with the Pi's IP. AdGuard Home will forward to your chosen upstream.
5. Watch the dashboard. The first time you see what your smart TV phones home about, you will not go back.
Step 8 (optional): VPN on the router
Putting a VPN on the router protects every device on the network — including the ones that cannot run VPN apps (TVs, consoles, doorbells). PlanetProxy provides WireGuard configs from the dashboard; load them into a router that supports WireGuard (Asus running Merlin, GL.iNet, OpenWRT, pfSense) and the entire LAN routes through the tunnel.
That is the whole list. Eight steps, ninety minutes, and a network that is not embarrassing. Bookmark this page; check back in a year and re-run the firmware step. Everything else stays.
Frequently asked
Do I need a separate router for IoT devices?
No. A guest network on your main router with client isolation enabled gives you 90% of the benefit of a dedicated VLAN. Only buy more hardware if you have a specific reason — multiple Ethernet IoT devices, for example.
Is WPA3 worth upgrading my router for?
If your current router is more than five years old and not getting firmware updates, yes — but the WPA3 upgrade is a side benefit. The real reason to upgrade is to get a vendor that still ships security patches.
Will changing DNS slow down my internet?
No, and in many cases it will speed things up. ISP DNS is often slow and overloaded. Cloudflare and Quad9 routinely beat ISP resolvers in latency benchmarks.