Beta: This project is experimental. Use at your own risk.

When netglance flags issues on your network, this playbook provides step-by-step fixes grouped by category. Each section addresses a specific problem type with actionable remediation steps.

DNS Issues

Changing DNS Resolvers

  1. At the router level (affects all devices):
    • Open your router's admin panel (usually 192.168.1.1 or 192.168.0.1)
    • Log in with your admin credentials
    • Navigate to Settings > DNS or Internet > DNS
    • Replace ISP-provided DNS with preferred resolvers:
      • Cloudflare: 1.1.1.1 and 1.0.0.1
      • Quad9: 9.9.9.9 and 149.112.112.112
      • Google: 8.8.8.8 and 8.8.4.4
    • Save and reboot the router
    • Run netglance dns check to confirm resolution works

  2. Per-device on macOS:

    networksetup -setdnsservers Wi-Fi 1.1.1.1 1.0.0.1
    networksetup -getdnsservers Wi-Fi  # verify

  3. Per-device on Linux:
    • Edit /etc/resolv.conf or use systemd-resolved
    • Add nameserver 1.1.1.1 and nameserver 1.0.0.1

Enabling DNS-over-HTTPS (DoH)

  1. On macOS:
    • System Preferences > Network > Wi-Fi > Advanced > DNS
    • Click the + button under DNS Servers
    • Add: 1.1.1.1 and 1.0.0.1
    • DoH is enabled by default for Cloudflare (macOS 14+)

  2. On Linux (systemd-resolved encrypts queries with DNS-over-TLS rather than DoH):
    • Edit /etc/systemd/resolved.conf and set, under [Resolve]:

        DNS=1.1.1.1 1.0.0.1
        DNSSEC=yes
        DNSOverTLS=yes

    • Restart: sudo systemctl restart systemd-resolved

  3. Via browser (Firefox, Chrome):
    • Settings > Privacy & Security > DNS over HTTPS
    • Select your resolver or custom endpoint

Fixing DNS Leaks When Using a VPN

  1. Verify the leak:

    netglance dns check

    If it reports queries leaking outside your VPN tunnel, proceed.

  2. Force DNS through VPN:
    • Open your VPN app settings
    • Find DNS Settings or Custom DNS
    • Enable "Force DNS through VPN tunnel"
    • Set DNS to your VPN provider's servers or Quad9 (9.9.9.9)
    • Reconnect to VPN

  3. Disable IPv6 if needed:
    • If the leak persists, your VPN may not fully support IPv6
    • On macOS: System Preferences > Network > Wi-Fi > Advanced > TCP/IP > Configure IPv6 > Off
    • On Linux: echo "net.ipv6.conf.all.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf && sudo sysctl -p

  4. Verify the fix:

    netglance dns check

Enabling DNSSEC Validation

  1. At the router level:
    • Admin panel > Settings > DNSSEC
    • Enable DNSSEC validation
    • Save and reboot

  2. On Linux:
    • Edit /etc/systemd/resolved.conf:

        DNSSEC=yes

    • Restart: sudo systemctl restart systemd-resolved

  3. Verify:

    netglance dns check

    Look for "DNSSEC: enabled" in output.
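
Added example (not netglance code) covering the systemd-resolved settings from the DoH and DNSSEC steps above: a misspelled option in resolved.conf is ignored by the daemon, so this check reads the file back and reports unknown keys and settings that are not enforced. It inspects a single file and assumes no drop-ins under resolved.conf.d; the sample input is constructed.

```sh
#!/bin/sh
# Audit one systemd-resolved config file.
# Prints one finding per line; no output means DNS, DNSSEC and DNSOverTLS are all set.
audit_resolved_conf() {
  awk '
    function on(v) { v = tolower(v); return v == "yes" || v == "true" || v == "1" || v == "on" }
    BEGIN {
      # Option names documented in resolved.conf(5); anything else is ignored by the daemon.
      keys = "DNS FallbackDNS Domains LLMNR MulticastDNS DNSSEC DNSOverTLS Cache"
      keys = keys " CacheFromLocalhost DNSStubListener DNSStubListenerExtra"
      keys = keys " ReadEtcHosts ResolveUnicastSingleLabel StaleRetentionSec"
      n = split(keys, k, " ")
      for (i = 1; i <= n; i++) valid[k[i]] = 1
    }
    /^[ \t]*$/ || /^[ \t]*[#;]/ { next }        # blank lines and comments
    /^[ \t]*\[/ { section = $0; gsub(/[ \t]/, "", section); next }
    section == "[Resolve]" {
      eq = index($0, "="); if (eq == 0) next
      key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (!(key in valid)) { print "unknown key: " key; next }
      seen[key] = val
    }
    END {
      if (seen["DNS"] == "") print "DNS: no resolver set"
      # allow-downgrade and opportunistic are reported because both permit fallback
      if (!on(seen["DNSSEC"])) print "DNSSEC: validation not enforced"
      if (!on(seen["DNSOverTLS"])) print "DNSOverTLS: fallback to cleartext possible"
    }
  ' "$1"
}

# Constructed sample: a misspelled DNSSEC key and opportunistic DoT.
sample=$(mktemp)
printf '[Resolve]\nDNS=1.1.1.1 1.0.0.1\nDNSSECMode=yes\nDNSOverTLS=opportunistic\n' > "$sample"
audit_resolved_conf "$sample"
rm -f "$sample"
```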


WiFi Issues

Upgrading to WPA3 (or WPA2/WPA3 Transitional)

  1. Check router capabilities:
    • Log in to admin panel
    • Navigate to Wireless > Security or WiFi > Authentication
    • If WPA3 is available, select it; otherwise use WPA2/WPA3 (Mixed)

  2. Set a strong passphrase (25+ characters, mixed case, numbers, symbols):
    • Router admin panel > WiFi settings
    • Update the pre-shared key (PSK)
    • Save and reconnect all devices

  3. Verify:

    netglance wifi scan

    Look for "WPA3" or "WPA2-PSK/WPA3-PSK" in the security column.

Optimizing WiFi Channel

  1. Scan for interference:

    netglance wifi scan

    Note neighboring SSIDs and their channels.

  2. Select least-congested channel:
    • 2.4GHz band: Use channel 1, 6, or 11 (non-overlapping)
    • 5GHz band: Try DFS channels (120–144) if available and uncontested
    • Avoid channels close to neighbors' networks

  3. Change channel:
    • Router admin panel > Wireless > Channel
    • Apply change and reboot
    • Reconnect devices

  4. Verify:

    netglance wifi scan
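
Added example (not netglance code) of the channel selection step for the 2.4GHz band: each neighbor within four channels of 1, 6 or 11 overlaps it, so the function sums a signal-strength weight per candidate and prints the least-loaded one with its score. The input format (SSID, channel, RSSI in dBm per line) and the weight 100 + RSSI are assumptions, and the sample scan is constructed.

```sh
#!/bin/sh
# Reads "SSID CHANNEL RSSI" lines on stdin and prints "<channel> <score>".
# SSIDs may contain spaces, so channel and RSSI are taken from the last two fields.
pick_24ghz_channel() {
  awk '
    BEGIN { split("1 6 11", cand, " ") }
    NF >= 3 && $(NF-1) ~ /^[0-9]+$/ && $(NF-1) + 0 <= 14 {
      ch = $(NF-1) + 0
      w = 100 + $NF              # -40 dBm weighs 60, -85 dBm weighs 15
      if (w < 1) w = 1
      for (i = 1; i <= 3; i++) {
        d = ch - cand[i]; if (d < 0) d = -d
        if (d <= 4) score[cand[i]] += w   # channels 4 or fewer apart overlap
      }
    }
    END {
      best = cand[1]
      for (i = 2; i <= 3; i++)
        if (score[cand[i]] + 0 < score[best] + 0) best = cand[i]
      print best, score[best] + 0
    }
  '
}

# Constructed scan: five 2.4GHz neighbors and one 5GHz network (ignored).
pick_24ghz_channel <<'EOF'
Neighbor_A 1 -45
Neighbor_B 3 -60
Cafe WiFi 6 -80
Neighbor_C 9 -70
Neighbor_D 11 -50
Office5G 36 -55
EOF
```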

Disabling WPS (WiFi Protected Setup)

  1. Log in to router admin panel
  2. Navigate to Wireless > Security or WiFi > Advanced
  3. Find WPS and set to Disabled
  4. Save and reboot
  5. Verify in netglance output (no WPS vulnerabilities reported)

Setting Up a Guest Network for IoT Devices

  1. Create guest network:
    • Router admin panel > Wireless > Guest Network
    • Enable guest network
    • Give it a descriptive name (e.g., Home-IoT)
    • Set a strong passphrase

  2. Isolate guest traffic:
    • Look for Guest Network Isolation or AP Isolation
    • Enable isolation so guest devices can't access main network

  3. Connect IoT devices to the guest network (not your primary WiFi)

  4. Verify isolation:

    netglance discover

    Devices on guest network should appear separately or with restricted connectivity to primary network.


Port and Service Issues

Identifying and Disabling Unused Services

  1. Scan for open ports:

    netglance scan <target-ip>

    Note which ports/services are exposed.

  2. For each unwanted service, identify and disable:
    • SSH (port 22): Disable remote login or restrict to specific IPs
    • SMB (ports 139, 445): Disable file sharing or restrict to LAN only
    • HTTP (port 80): Disable web server if not needed

  3. On macOS (disable SSH):

    sudo systemsetup -setremotelogin off

  4. On Linux (disable SSH):

    sudo systemctl disable ssh
    sudo systemctl stop ssh

Configuring Host Firewalls

  1. On macOS (pf firewall):
    • System Preferences > Security & Privacy > Firewall
    • Click Firewall Options
    • Check "Block all incoming connections" (or configure rules via pfctl)

  2. On Linux (iptables/firewalld):

    sudo systemctl enable firewalld
    sudo systemctl start firewalld
    # Allow only the services this host must offer (http shown here)
    sudo firewall-cmd --permanent --add-service=http
    sudo firewall-cmd --reload

  3. Verify:

    netglance scan <your-ip>

Closing Router Ports

  1. Disable UPnP (prevents apps from auto-opening ports):
    • Router admin panel > Advanced > UPnP
    • Set to Disabled
    • Save and reboot

  2. Remove port forwarding rules:
    • Router admin panel > Port Forwarding or Virtual Server
    • Delete any rules you don't recognize
    • Save

  3. Disable remote management:
    • Router admin panel > Administration or Advanced > Remote Management
    • Set to Disabled

  4. Verify:

    netglance scan <router-ip>


VPN Issues

Fixing DNS Leaks with VPN

See DNS Issues > Fixing DNS Leaks When Using a VPN above.

Enabling IPv6 Leak Protection

  1. Check if your VPN supports IPv6:
    • Consult your VPN provider's documentation

  2. If not supported, disable IPv6 system-wide:
    • macOS: System Preferences > Network > Wi-Fi > Advanced > TCP/IP > Configure IPv6 > Off
    • Linux: Add to /etc/sysctl.conf:

        net.ipv6.conf.all.disable_ipv6 = 1
        net.ipv6.conf.default.disable_ipv6 = 1

      Then run: sudo sysctl -p

  3. Verify VPN app settings:
    • Look for IPv6 Leak Protection toggle and enable it

Verifying VPN Kill Switch

  1. Test kill switch functionality:
    • Enable VPN kill switch in your VPN app settings
    • Disconnect from VPN
    • Confirm your ISP DNS is NOT leaking: netglance dns check

  2. If kill switch isn't working:
    • Update your VPN app to the latest version
    • Reinstall and reconfigure from scratch
    • Contact VPN provider support

Device Management

Identifying and Removing Unknown Devices

  1. List connected devices:

    netglance discover

  2. For each unknown device:
    • Check the MAC address against a vendor lookup (usually shown in netglance output)
    • Ask household members if they recognize it
    • Check your router's admin panel for the device name

  3. Remove unauthorized devices:
    • Option 1: Change your WiFi passphrase (forces reconnect, unknown devices drop)
    • Option 2: Router admin panel > Wireless > MAC Filter > Block the MAC address
    • Option 3: Router admin panel > Connected Devices > Disconnect/blacklist
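
Added example (not netglance code) of the unknown-device triage above: it compares discovered MAC addresses with a list of devices you recognize and marks locally administered addresses, which phones and laptops use for privacy and which no vendor lookup will resolve. The "IP MAC" input format and the known-devices file are assumptions, and the sample addresses are constructed.

```sh
#!/bin/sh
# Usage: unknown_devices KNOWN_FILE < "IP MAC" lines
# KNOWN_FILE holds one MAC per line ("#" starts a comment line).
# Prints "IP MAC note" for every device that is not in KNOWN_FILE.
unknown_devices() {
  awk '
    # Lowercase and use ":" separators so AA-BB-... and aa:bb:... compare equal
    function norm(m) { m = tolower(m); gsub(/-/, ":", m); return m }
    FILENAME == ARGV[1] {
      if (NF && $1 !~ /^#/) known[norm($1)] = 1
      next
    }
    {
      mac = norm($2)
      if (length(mac) != 17 || mac !~ /^([0-9a-f][0-9a-f]:)+[0-9a-f][0-9a-f]$/) next
      if (mac in known) next
      # Bit 1 of the first octet set means locally administered (often randomized)
      note = (substr(mac, 2, 1) ~ /[2367abef]/) ? "randomized" : "check-vendor"
      print $1, mac, note
    }
  ' "$1" -
}

# Constructed sample: two known devices, two unknown ones.
known=$(mktemp)
printf '# router\n00-00-5E-00-53-01\n00:00:5e:00:53:02\n' > "$known"
unknown_devices "$known" <<'EOF'
192.168.1.1 00:00:5e:00:53:01
192.168.1.20 00:00:5E:00:53:02
192.168.1.37 00:00:5e:00:53:10
192.168.1.52 d6:1f:09:aa:bb:cc
EOF
rm -f "$known"
```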

Network Segmentation with VLANs

  1. Create a separate IoT VLAN:
    • Router admin panel > Wireless > Guest Network or Advanced > VLAN
    • Create a new network (e.g., Home-IoT)
    • Enable VLAN isolation

  2. Set up firewall rules (advanced):
    • Prevent IoT devices from accessing your primary LAN
    • Allow IoT devices outbound to internet
    • Example (Linux): sudo firewall-cmd --permanent --new-zone=iot && sudo firewall-cmd --reload

  3. Move IoT devices to the isolated network

  4. Verify isolation:

    netglance discover

Updating Firmware

  1. Check for router firmware updates:
    • Router admin panel > Administration > Firmware Update or System > Updates
    • Click "Check for Updates"
    • If available, download and install
    • Router will reboot automatically

  2. Update access points and mesh nodes:
    • Use the manufacturer's app or web interface
    • Check for updates regularly (monthly)

  3. Update IoT devices:
    • Check each device's app or web interface for firmware updates

Setting Up Static DHCP Leases

  1. Identify devices to pin:
    • Router admin panel > Connected Devices or DHCP Client List
    • Note the MAC address and current IP

  2. Create static lease:
    • Router admin panel > DHCP > Static Leases or Advanced > DHCP Reservation
    • Add: MAC address → desired IP (e.g., 192.168.1.100)
    • Save and reboot

  3. Verify:

    netglance discover


Certificate Issues

Understanding Self-Signed Certificate Warnings

  1. Determine if the certificate is yours:
    • Check the certificate subject (CN field)
    • If it's your home server's hostname, it's safe to ignore

  2. Temporarily trust the certificate (macOS):
    • Open the certificate file in Keychain Access
    • Right-click > Get Info
    • Expand "Trust" section
    • Set "When using this certificate" to Always Trust

  3. Or, create a local CA and sign certificates:
    • Use mkcert (easiest): mkcert -install && mkcert localhost 192.168.1.100
    • Add the generated .crt to your system's trusted root CAs

Renewing Expiring Certificates

  1. Identify expiring certificates:

    netglance tls check <server-ip>:<port>

  2. Renew via Let's Encrypt (if public domain):

    certbot renew --force-renewal

  3. Renew self-signed certificates:

    openssl req -x509 -newkey rsa:4096 -out cert.pem -outform PEM -keyout key.pem -days 365 -nodes

  4. Update the server to use the new certificate files

  5. Verify:

    netglance tls check <server-ip>:<port>
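
Added example (not netglance code) for the two certificate procedures above: a subject name can be copied into any self-signed certificate, so same_cert compares SHA-256 fingerprints against the copy kept on your server, and expires_within_days wraps the -checkend test of openssl x509. The file names and the 30-day default are assumptions.

```sh
#!/bin/sh
# Save the certificate a server presents before comparing it, for example:
#   openssl s_client -connect <server-ip>:<port> </dev/null 2>/dev/null \
#     | openssl x509 > presented.pem

# SHA-256 fingerprint of a PEM certificate, as lowercase hex without colons.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
    sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# Succeeds only when both files hold the same certificate.
# An unreadable file yields an empty fingerprint and is treated as a mismatch.
same_cert() {
  fp=$(cert_fingerprint "$1")
  [ -n "$fp" ] && [ "$fp" = "$(cert_fingerprint "$2")" ]
}

# Succeeds when the certificate expires within N days (default 30).
# openssl exits 0 from -checkend when the certificate is still valid after
# that many seconds, so the status is inverted here.
expires_within_days() {
  ! openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Typical use, with presented.pem fetched as above and cert.pem from the server:
#   same_cert presented.pem cert.pem || echo "certificate does not match"
#   expires_within_days cert.pem 30 && echo "renew soon"
```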


Getting Help

If a remediation doesn't work or you're unsure about a step:

  • Run netglance --help to see all available commands
  • Run netglance <module> --help for module-specific options
  • Check the Documentation for detailed command syntax