Anyone use DD-WRT here?

Discussion in 'Technical Corner' started by flhrci, Jan 18, 2020.

  1. flhrci

    flhrci Final Approach

    Joined:
    Jan 26, 2007
    Messages:
    5,465
    Location:
    Ashville, OH
    Display name:
    David
    My router is around 4.5 years old and not getting updates any more. Was wondering if DD-WRT, besides refreshing the router, would have more security protection, being newer. Free is cheaper than a new router.


    David
     
  2. Stephen Poole

    Stephen Poole Pre-takeoff checklist

    Joined:
    Jun 12, 2018
    Messages:
    313
    Location:
    Birmingham, Alabama
    Display name:
    Professor31
    Yes, it works well. Go to their website and make sure your specific model is supported.
     
    Jim_R likes this.
  3. schmookeeg

    schmookeeg Pattern Altitude

    Joined:
    Nov 6, 2008
    Messages:
    1,559
    Location:
    Hipsterdelphia PDX
    Display name:
    Mike Brannigan
    Ever used it? DD-WRT is insanely "full featured", and I think would smoke any consumer router.

    Make sure your router model is one of the "very compatible" ones. There's an online database on their site.

    If you like tuning networking, I think you'll love it. Give it a whirl.
     
    Jim_R likes this.
  4. Spring Ford

    Spring Ford Pre-takeoff checklist

    Joined:
    Jul 11, 2018
    Messages:
    292
    Display name:
    SpringFord
    I have never used dd-wrt but came close once or twice.

    Check the hardware VERSION too. Some manufacturers have changed the entire internals between versions retaining nothing but the case, even changing the manufacturer of chipset used. This can mean the difference between compatibility with dd-wrt and otherwise.
    e.g.
    Linksys WRT54G

    v 6.0 supported - Broadcom
    v 7.0 not possible to support - Atheros
    v 7.2 supported - Broadcom
     
    schmookeeg likes this.
  5. denverpilot

    denverpilot Tied Down

    Joined:
    Nov 8, 2009
    Messages:
    52,007
    Location:
    Denver, CO
    Display name:
    DenverPilot
    What specifically is the router doing?

    If it’s doing nothing more than NAT and isn’t allowing outside connections to itself or other devices, there’s nothing any update will do to add any more “security” to it.
     
  6. flhrci

    Mainly concerned that I would have less security with DD-WRT.

    I want patch support I guess and maybe some advanced features. I already looked and my router can take the change. Thanks for the info so far!

    David
     
  7. flhrci

    Working properly and aging. LOL
     
    denverpilot likes this.
  8. denverpilot

    Depends more on what you do with it than that software.

    Vast majority of commercial routers are using the same supposedly audited code as in DD-WRT.

    OpenSSL had a massive hole in it a number of years ago.

    It’ll all have many more. It’s all reactive now.

    But again. If the router isn’t doing anything but NAT and no outside connections, it’s not a security device. It just ends up being one because you can’t route from a public network address to a private one unless you specifically allowed that traffic.

    Or something tunnels outside with a two way connection, which is specifically what most browser based malware attempts to do. And browser security is worse by orders of magnitude over simple networking devices.

    It’s basically worthless to load DD-WRT on it unless the original criteria of my question was met. If it’s accepting outside connections, quite a bit more needs to be known.
     
  9. denverpilot

    Better than me. LOL.
     
    WannFly, Kenny Phillips and flhrci like this.
  10. flhrci

    You also drive a Subaru now. :D
     
    denverpilot likes this.
  11. schmookeeg

    I think the standard internet security these days is to lob grenades at your enemies from behind 7 firewalls. DD-WRT can help with ~14% of your needs. :D

    I think DD-WRT updates far more often than the typical Linksys firmware update. Certainly for a 4.5 year old one.

    Before I was running it, I had punched open ports for things like RDP, Web, FTP... icky OpSec on my part, I should've been pwned a few times over. I used DD-WRT to shut those all down and run OpenVPN instead and give my laptops a VPN profile to remote into my home box instead.
     
    denverpilot likes this.
  12. Stephen Poole

    Excellent point.

    If there's anything more confusing than Linksys and D-Link model numbers, I've never met it. I've even run across cases where you're told, "if it's between serial numbers 10000-20000, use this; otherwise, use that." :confused:
     
  13. asicer

    asicer En-Route

    Joined:
    Jan 1, 2015
    Messages:
    4,990
    Display name:
    asicer
    DD-WRT? Or OpenWRT?

    How do you know you haven't? ;)
     
    denverpilot likes this.
  14. denverpilot

  15. denverpilot

  16. wsuffa

    wsuffa Touchdown! Greaser!

    Joined:
    Feb 22, 2005
    Messages:
    22,478
    Location:
    DC Suburbs
    Display name:
    Bill S.
    I used it on a couple of routers. I've pulled them for a Security appliance & moving a couple of applications to the cloud.
     
  17. denverpilot

    Security appliance! :)
     
    wsuffa and flhrci like this.
  18. Kevin Holbrook

    Kevin Holbrook Pre-Flight

    Joined:
    Jan 20, 2019
    Messages:
    32
    Display name:
    Jkevin
    I used DD-WRT and OpenWRT for a number of years. They are something of an upgrade, but are more about flexibility and custom configuration rather than security or reliability per se.

    About 3 years ago I got rid of all of the consumer stuff for routing and wifi and went with Ubiquiti. Best move I have ever made. I spent about 4-6 hours learning the system. I now have 12 wireless access points spread over our family farm (3 houses, a barn, swimming pool, outdoor areas between them) with continuous wifi throughout the area. One of the homes is over 1800' from the router; this is not even an extreme case for the system.

    The router has been up and running 802 days 11 hours continuously with no down time. Security updates or configuration changes are done on the fly with no interruption of wired or wireless service. The wifi is a hybrid of wired and wireless / mesh, so if an access point goes down, wireless devices just have to talk to another access point over slightly longer distances. I get a notification, and fix the problem. I had one access point just die, they mostly get unplugged accidentally. Lost one pressure washing the house. To add a new node, I just plug it in, wait about 5 minutes, open the app and provision the access point, and it's done.

    Before doing this change, I was tech support for internet access for the three families on the farm and got lots of calls for help.

    If you don't need something as extensive, their Amplifi system is great for access in one building. Mesh satellites ensure great wifi throughout the home.
     
    Jim_R and MuseChaser like this.
  19. denverpilot

    Ubiquiti makes good APs for a reasonable price. Their “mesh” stuff however, consistently ranks in the below average speed and latency numbers compared to competitors.

    The best way to use their stuff is to simply buy the pro line of APs and let user devices roam them with minor tweaks to power output to cover only the portion of the building that each AP should, so the user devices switch APs correctly by location.

    Been using their stuff for close to a decade now professionally. The mesh is garbage intended to slap something to market to compete with Orbi and the like, which do it better.

    They’ll probably slowly update their firmware and hardware to do it right, but the current mesh products are sub-standard.

    They’re also not security related.

    Their security routers are a hot mess with most of the configurations needed, only available at their oddball command line. Which is fine if you’re clueful and understand their command line.

    Also EXTREMELY important to watch their forums before accepting automatic firmware updates to their gear. They’re notorious for bad software QA and major features break completely all the time at firmware releases. Their attitude is pretty much a shrug and an “oops” and a month or more for a fix.

    At least most of their product line can be downgraded, but it’s a waste of time compared to just watching the dumpster fire from afar in their forums until their other customers they lit on fire, manage to put out the flames on large business deployments.

    Great gear. Great software if you stick to specific versions. Mesh product is meh.
     
  20. Jim_R

    Jim_R Cleared for Takeoff PoA Supporter

    Joined:
    Feb 17, 2010
    Messages:
    1,350
    Display name:
    Jim
    I'm not a network security guy...more a modestly-tech-savvy consumer who has time to dabble a bit. I don't currently use DD-WRT, but I did inherit a box of older routers once, and embarked on a project to deploy them in a homebrew mesh configuration to improve wifi connectivity in my sister's large two-storey house. Of the five routers I inherited, three were not good fits for DD-WRT, one could handle the "mini" version of the firmware, and one could handle the full version, but only up to a certain release date (beyond which the firmware size exceeded the EEPROM capacity of the router). I was able to install the firmware on the two routers, and follow instructions I found in a blog somewhere to get them set up as APs to extend the wifi range comfortably throughout the whole house.

    That configuration worked well for about 5 or 6 years. Aside from an occasional router lockup that could be solved with a simple power cycle, there were no problems.

    Last year, my sister got a new router from her cable provider, and for some reason they changed the SSID and password, and of course that broke the link to the APs I had set up. I thought it would be a simple matter to retrace my original steps and update the setup in the APs, but for whatever reason I could never get it to work. At that point I did some Googling and realized that consumer devices to do this job had come a long way, and so I just went and bought a couple of TP-Link devices for about $25 each that took about 10 minutes to set up and work better than my previous DIY rig.

    Two things I learned from that experience:
    • As others have noted, the donor router that will be getting the DD-WRT firmware is the primary determinant in how satisfied you will be with the result. Choose a router that is fully compatible with the latest version of DD-WRT and is actively supported. The DD-WRT user forums are very helpful in figuring that part out.
    • DD-WRT provides fantastic customization capability in setup--far more than is typically available in standard router firmware. A small part of that flexibility applies to security, but mostly it's other technical stuff like configuring for router or AP mode, specifying which wifi channel(s) the router will broadcast on, diagnostic information on device performance, enabling/inhibiting radios, enabling/inhibiting usage at certain times of day (which I guess can be security-related), etc.