Anyone use DD-WRT here?

My router is around 4.5 years old and not getting updates any more. Was wondering if DD-WRT, besides refreshing the router, would have more security protection, being newer. Free is cheaper than a new router.


David
 
Ever used it? DD-WRT is insanely "full featured", and I think would smoke any consumer router.

Make sure your router model is one of the "very compatible" ones. There's an online database on their site.

If you like tuning networking, I think you'll love it. Give it a whirl.
 
Make sure your specific model is supported.

I have never used dd-wrt but came close once or twice.

Check the hardware VERSION too. Some manufacturers have changed the entire internals between versions retaining nothing but the case, even changing the manufacturer of chipset used. This can mean the difference between compatibility with dd-wrt and otherwise.
e.g.
Linksys WRT54G

v 6.0 supported - Broadcom
v 7.0 not possible to support - Atheros
v 7.2 supported - Broadcom
 
What specifically is the router doing?

If it’s doing nothing more than NAT and isn’t allowing outside connections to itself or other devices, there’s nothing any update will do to add any more “security” to it.
 
What specifically is the router doing?

If it’s doing nothing more than NAT and isn’t allowing outside connections to itself or other devices, there’s nothing any update will do to add any more “security” to it.
Mainly concerned that I would have less security with DD-WRT.

I want patch support I guess and maybe some advanced features. I already looked and my router can take the change. Thanks for the info so far!

David
 
Mainly concerned that I would have less security with DD-WRT.

Depends more on what you do with it than that software.

The vast majority of commercial routers are using the same supposedly audited code as in DD-WRT.

OpenSSL had a massive hole in it a number of years ago.

It’ll all have many more. It’s all reactive now.

But again. If the router isn’t doing anything but NAT and no outside connections, it’s not a security device. It just ends up being one because you can’t route from a public network address to a private one unless you specifically allowed that traffic.

Or something tunnels outside with a two way connection, which is specifically what most browser based malware attempts to do. And browser security is worse by orders of magnitudes over simple networking devices.

It’s basically worthless to load DD-WRT on it unless the original criterion of my question was met. If it’s accepting outside connections, quite a bit more needs to be known.
 
I think the standard internet security these days is to lob grenades at your enemies from behind 7 firewalls. DD-WRT can help with ~14% of your needs. :D

I think DD-WRT updates far more often than the typical linksys firmware update. Certainly for a 4.5 year old one.

Before I was running it, I had punched open ports for things like RDP, Web, FTP... icky OpSec on my part, I should've been pwned a few times over. I used DD-WRT to shut those all down and run OpenVPN instead and give my laptops a VPN profile to remote into my home box instead.
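The setup the post above describes (the earlier reply's "NAT only, nothing reachable from outside" case, with OpenVPN as the single service the WAN may talk to), as an added example that is not from the thread or from the DD-WRT project. It is written as the kind of shell/iptables script DD-WRT lets you run as a custom firewall script; the interface names (vlan2, br0, tun0), the subnets and the UDP 1194 port are assumptions, and on a real DD-WRT box the stock rules run before this one, so check `iptables -S` after applying.

```shell
#!/bin/sh
# Added example (not from the thread or the DD-WRT project): the policy the
# post describes, written as a DD-WRT-style custom firewall script.
# Assumptions (not from the thread): WAN is vlan2, LAN bridge is br0, OpenVPN
# listens on UDP 1194 and hands out 10.8.0.0/24 on tun0, LAN is 192.168.1.0/24.
WAN_IF="${WAN_IF:-vlan2}"
LAN_IF="${LAN_IF:-br0}"
VPN_IF="${VPN_IF:-tun0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_PORT="${VPN_PORT:-1194}"
IPT="${IPT:-iptables}"

# The forwards the post describes having punched open: RDP, Web, FTP.
LEGACY_PORTS="3389 80 21"

# Read "iptables -t nat -S PREROUTING" output on stdin and print every DNAT
# rule that still forwards a legacy port. Returns 1 if any were found, so the
# check can gate applying the new policy.
find_legacy_forwards() {
    found=0
    while IFS= read -r rule; do
        case "$rule" in *"-j DNAT"*) ;; *) continue ;; esac
        for p in $LEGACY_PORTS; do
            case "$rule" in
                *"--dport $p "*|*"--dport $p") echo "$rule"; found=1 ;;
            esac
        done
    done
    return $found
}

# Emit the policy as text so it can be reviewed before it touches the router.
# Order matters: the stateful ACCEPT must come before the WAN DROP.
build_rules() {
    cat <<EOF
# Outbound NAT for LAN and VPN clients
$IPT -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
# Traffic to the router itself: loopback, LAN, VPN clients, replies to its own
# connections, and from the WAN only the OpenVPN port. The rest is logged and dropped.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i $LAN_IF -j ACCEPT
$IPT -A INPUT -i $VPN_IF -s $VPN_NET -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $WAN_IF -p udp --dport $VPN_PORT -j ACCEPT
$IPT -A INPUT -i $WAN_IF -m limit --limit 5/min -j LOG --log-prefix "WAN-INPUT-DROP "
$IPT -A INPUT -i $WAN_IF -j DROP
# Forwarded traffic: LAN and VPN clients may start connections, the WAN may only
# answer them. There is deliberately no DNAT rule, so nothing inside is reachable
# from outside except through the VPN.
$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
$IPT -A FORWARD -i $VPN_IF -s $VPN_NET -d $LAN_NET -j ACCEPT
$IPT -A FORWARD -i $WAN_IF -m limit --limit 5/min -j LOG --log-prefix "WAN-FWD-DROP "
$IPT -A FORWARD -i $WAN_IF -j DROP
EOF
}

# Apply the emitted rules line by line, skipping comments and blank lines.
apply_rules() {
    build_rules | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        eval "$line"
    done
}

# MODE=check  : pipe "iptables -t nat -S PREROUTING" in; exits 1 if a legacy forward remains
# MODE=apply  : install the rules
# (default)   : print the rules for review
case "${MODE:-print}" in
    check) find_legacy_forwards ;;
    apply) apply_rules ;;
    *)     build_rules ;;
esac
```

Run `iptables -t nat -S PREROUTING | MODE=check sh firewall.sh` first: it prints any forward for 3389, 80 or 21 that is still configured in the GUI and exits non-zero, so those get removed before the new policy goes in. The FORWARD chain is the whole "NAT is not a security device" point from the earlier reply: with no DNAT rule, the only thing the WAN can do is answer a connection a LAN or VPN host already opened, which is also exactly why an outbound reverse tunnel from browser malware sails straight through it.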
 
Check the hardware VERSION too.

Excellent point.

If there's anything more confusing than LinkSys and D-Link model numbers, I've never met it. I've even run across cases where you're told, "if it's between serial numbers 10000-20000, use this; otherwise, use that." :confused:
 
 
I used it on a couple of routers. I've pulled them for a security appliance and moved a couple of applications to the cloud.
 
I used DD-WRT and OpenWRT for a number of years. They are something of an upgrade, but are more about flexibility and custom configuration rather than security or reliability per se.

About 3 years ago I got rid of all of the consumer stuff for routing and wifi and went with Ubiquiti. Best move I have ever made. I spent about 4-6 hours learning the system. I now have 12 wireless access points spread over our family farm (3 houses, a barn, swimming pool, outdoor areas between them) with continuous wifi throughout the area. One of the homes is over 1800' from the router; this is not even an extreme case for the system.

The router has been up and running 802 days 11 hours continuously with no down time. Security updates or configuration changes are done on the fly with no interruption of wired or wireless service. The wifi is a hybrid of wired and wireless / mesh, so if an access point goes down, wireless devices just have to talk to another access point over slightly longer distances. I get a notification, and fix the problem. I had one access point just die, they mostly get unplugged accidentally. Lost one pressure washing the house. To add a new node, I just plug it in, wait about 5 minutes, open the app and provision the access point, and it's done.

Before doing this change, I was tech support for internet access for the three families on the farm and got lots of calls for help.

If you don't need something as extensive, their Amplifi system is great for access in one building. Mesh satellites ensure great wifi throughout the home.
 
Ubiquiti makes good APs for a reasonable price. Their “mesh” stuff however, consistently ranks in the below average speed and latency numbers compared to competitors.

The best way to use their stuff is to simply buy the pro line of APs and let user devices roam them with minor tweaks to power output to cover only the portion of the building that each AP should, so the user devices switch APs correctly by location.

Been using their stuff for close to a decade now professionally. The mesh is garbage intended to slap something to market to compete with Orbi and the like, which do it better.

They’ll probably slowly update their firmware and hardware to do it right, but the current mesh products are sub-standard.

They’re also not security related.

Their security routers are a hot mess with most of the configurations needed, only available at their oddball command line. Which is fine if you’re clueful and understand their command line.

Also EXTREMELY important to watch their forums before accepting automatic firmware updates to their gear. They’re notorious for bad software QA and major features break completely all the time at firmware releases. Their attitude is pretty much a shrug and “oops” and a month or more for a fix.

At least most of their product line can be downgraded, but it’s a waste of time compared to just watching the dumpster fire from afar in their forums until their other customers they lit on fire, manage to put out the flames on large business deployments.

Great gear. Great software if you stick to specific versions. Mesh product is meh.
 
I'm not a network security guy...more a modestly-tech-savvy consumer who has time to dabble a bit. I don't currently use DD-WRT, but I did inherit a box of older routers once, and embarked on a project to deploy them in a homebrew mesh configuration to improve wifi connectivity in my sister's large two-storey house. Of the five routers I inherited, three were not good fits for DD-WRT, one could handle the "mini" version of the firmware, and one could handle the full version, but only up to a certain release date (beyond which the firmware size exceeded the EEPROM capacity of the router). I was able to install the firmware on the two routers, and follow instructions I found in a blog somewhere to get them set up as APs to extend the wifi range comfortably throughout the whole house.

That configuration worked well for about 5 or 6 years. Aside from an occasional router lockup that could be solved with a simple power cycle, there were no problems.

Last year, my sister got a new router from her cable provider, and for some reason they changed the SSID and password, and of course that broke the link to the APs I had set up. I thought it would be a simple matter to retrace my original steps and update the setup in the APs, but for whatever reason I could never get it to work. At that point I did some Googling and realized that consumer devices to do this job had come a long way, and so I just went and bought a couple of TP-Link devices for about $25 each that took about 10 minutes to set up and work better than my previous DIY rig.

Two things I learned from that experience:
  • As others have noted, the donor router that will be getting the DD-WRT firmware is the primary determinant in how satisfied you will be with the result. Choose a router that is fully compatible with the latest version of DD-WRT and is actively supported. The DD-WRT user forums are very helpful in figuring that part out.
  • DD-WRT provides fantastic customization capability in setup--far more than is typically available in standard router firmware. A small part of that flexibility applies to security, but mostly it's other technical stuff like configuring for router or AP mode, specifying which wifi channel(s) the router will broadcast on, diagnostic information on device performance, enabling/inhibiting radios, enabling/inhibiting usage at certain times of day (which I guess can be security-related), etc.
 