DD-WRT Step 4 Miscellaneous Settings

Spread the love

DD-WRT Step 4 – Miscellaneous Settings: SPI Firewall, logging, remote access and critical settings. Bonus, a quick tour of services offered by DD-WRT.

Which router does this guide cover?

This page will cover exclusively the router I have, but same principles apply for any other: Netgear® AC1900 – Nighthawk® Smart WiFi Router aka R7000:

R7000 GRAY Hero Transparent
Netgear® AC1900 – Nighthawk® Smart WiFi Router R7000

AC1900 Features:

  • AC1900 WiFi—600+1300 Mbps speeds
  • 1GHz Dual Core Processor
  • Dynamic QoS prioritizes network traffic for uninterrupted video streaming for applications like YouTube®, Netflix® & others
  • ReadyCLOUD® USB Access allows you to enjoy personal and secure cloud access to USB storage anytime, anywhere

Pre-requisites

Step 1 – Basic Configuration

Step 2 – Wireless Configuration

Step 3 – Upgrade Firmware

Useful Services to Enable

Link Layer Topology Discovery (LLTD)

image 46
image 35

This will help Windows 7 and other tools to discover the topology of your home network. Unfortunately, this nice map feature was actually removed in Windows 8, as discussed here and here:

image 36
LLTD mapping is gone since Windows 8. Bummer.

Security: SPI Firewall

It’s only used to block incoming traffic from WAN such as ping and SNMP. Leave everything else disabled as it can only filter traffic over http:

image 45

Also, limit SSH access upon Bruteforce/DoS detection (although we do not know the caps that trigger it):

image 47
  • Limit SSH Access: I use it so I recommend
  • Limit Telnet: telnet is NEVER open to the WAN
  • Limit PPTP Server Access: if you host a VPN Server
  • Limit FTP Server Access: if you host an FTP Server

Log Management

image 49

It’s always a good idea to know what’s going on: I only enable logging of Rejected connections. You can enable the others for debugging purposes.

UPnP

image 51

Always enable UPnP, so many devices such as smart TV, iPhone and IoT require it. It will only work if your WAN access is configured correctly tho. UPnP will work only in the following 2 cases:

  • Case 1: DD-WRT behind DOCSIS 3.x cable modem: You setup DD-WRT as Gateway and rock-n-roll!
  • Case 2: You happily got your PPP user/password and will setup DD-WRT to connect via PPPoE directly through the DSL model in bridge mode

Case 3: DD-WRT behind PPPoE DSL modem: both you and the modem will be NATed. Not possible with UPnP since DD-WRT WAN jack will see the private IP of the modem as the WAN address, instead of reporting your actual public IP.

image 60
Double NAT, Double Headache

When a device connected to router (that is in turn connected to another router) attempts to set up a port forward arrangement via UPnP, it ends up forwarded not to the greater internet but to the other router. This forwarding-dead-end means a wide range of applications and services–communication apps like Skype, smart home apps and hardware like your Nest thermostat, and music hardware like your Sonos music system–either outright fail or require a lot of annoying trouble shooting on your behalf to fix.

Web Access and Remote Access

No need to enable https unless you want to create a public access hotspot or share your network. Since DD-WRT will use a self-signe certificate, this will create another warning message from your browser.

image 52
  • Web GUI: Make sure to NOT enable Remote GUI Management. I really don’t know what kind of security is configured to protect you from DoS and bruteforce attacks.
  • SSH Management: enable it once you have configured SSH. If you need it.
  • Telnet: NEVER EVER enable remote telnet access.
  • Allow Any Remote IP: I sue that, but your needs may vary. You can limit remote access for all these services with an IP range.

Critical Features

image 53

Boot Wait is a feature you will hopefully never need. It introduces a short delay while booting (5s). During this delay you can initiate the download of a new firmware if the one in the flash rom is not broken. Obviously this is only necessary if you can no longer reflash using the web interface because the installed firmware will not boot. This needs more configuration once you have unlocked SSH access.

Reset Button

image 54
This feature controls the resetbuttond process. The reset button initiates actions depending on how long you press it.
  • Short press – Reset the router (reboot)
  • Long press (>5s) – Reboot and restore the factory default configuration.

NEVER disable this. You WILL need it, trust me.

802.1x

Unless you are stuck in 2001, this is only for Windows XP. Disable it.

image 55

JFFS2 Storage

Lets you use the free space on the internal flash drive as a mounted drive. Free space available varies widely among routers. Netgear AC1900 R7000 has around 100MB available.

image 56

I’ve usedit to install OPKG and Linux packages, but this is now highly discouraged. Read/Writes over the internal flash will fatigue the chip and once it fails, you can trash your router. Also, this internal storage gets corrupt over time. I had to reset the router 3 times in 2 years because of that. Big headaches when it happens on a Sunday evening with homeworks to rush before midnight… and it WILL happen, trust me.

In order to mount an internal File System, so you can install OPKG and other nice stuff (DNS AdBlocker project), use a USB stick instead! You will need a good quality USB stick, that has an internal UUID so you can automount it at startup. Good quality -I insist- I bricked 2 USB sticks (2GB each) over the span of 3 years.

Quick Tour of Services Offered

This tour is just about showcasing some of the available features and by no means how to configure and use them. As such, you can skip it and go directly to Step 5 – SSH Access DD-WRT

Access Restriction (Parental Control)

Most ISP and retail routers offer these options, but it’s good to know that DD-WRT also has them: you can block Internet access by schedule, by website (Roblox), protocol (P2P), or even keyword! JK, you cannot block by keyword since everything is served over https.

image 50
I tested it for you: yes it works!

DD-WRT UI over SSL and Remote Access

You can access your DD-WRT remotely if you enable SSL and change the http port. Make sure you know what you are doing!

image 38

DDNS

DDNS allows you to access your network using domain names instead of IP addresses. The service manager changing IP addresses and updates your domain information dynamically. You must sign up for services through DynDNS.org, freedns.affraid.org, ZoneEdit.com, No-IP.com, or other similar dynamic DNS service.

image 30

Indeed most of these DDNS services are free, they require you to confirm via email that you actually are using their services… every months! This is obnoxious and in a future post, I will show you how to create your own DDNS service with AWS and a simple PHP page.

MAC Address Clone

image 31

Some ISPs (please name them in the comments!) will require you to register your MAC address. If you do not wish to re-register your MAC address (why would they demand this after all), you can have the router clone the MAC address that is registered with your ISP.

Switch Config – VLAN

image 33
VLAN Setup offers Link Aggregation!

Link Aggregation can be setup on ports 3 & 4 for a happily doubled bandwidth! Possible application: RAID NAS

EoIP Tunnels

image 32

Ethernet over IP (EoIP) Tunneling enable you to create an Ethernet tunnel between two routers on top of an IP connection. The EoIP interface appears as an Ethernet interface. When the bridging function of the router is enabled, all Ethernet traffic (all Ethernet protocols) will be bridged just as if there where a physical Ethernet interface and cable between the two routers (with bridging enabled).
Network setups with EoIP interfaces :

  • Possibility to bridge LANs over the Internet
  • Possibility to bridge LANs over encrypted tunnels
  • Possibility to bridge LANs over 802.11b ‘ad-hoc’ wireless networks

IP over DNS Tunneling

Bypass Firewalls via DNS Tunneling thanks to an integrated NSTX daemon!

image 34

NSTX is just like the defunct Iodine, it’s a TCP/IP Tunnel over DNS. A future post will show you how to configure and use it to your advantage.

Tor Node!

image 37
You can be part of the Tor network natively!

Tor (The Onion Router Project) is installed since releases 42xxx. If you know what it is, a future post will show you how to check which version is isntalled and how to use it as a bridge/node!

Enterprise WiFi Security with Radius

image 39
FreeRadius

Radius is a logon server for remote access, much more secure than just PSK-TKIP-etc. It can be used for WiFi, VoIP, PAP and other technologies.

FreeRadius

FreeRADIUS is responsible for authenticating a third of all users on the Internet.

VPN Server/Relay/Client

DD-WRT embedds an OpenVPN Server/Daemon!

image 40

FTP/Samba/DLNA Server

image 41
So many options and services!

Hotspot Server

You can turn your router into a professional hotspot for your small business as well! Although you will also need a back-end server, which can also be installed on DD-WRT once you can access it via SSH.

image 42
You can have your hotspot portal managed by HotspotSystem.com. They provide free and pay-per-use hotspot solutions with billing. For more information please visit www.hotspotsystem.com

AdBlocking with Privoxy?

image 43
Privoxy cannot block Ads since they are served over https

I really don’t know why they keep Privoxy installed by default. This is uterly useless since Ads are served over https. For a real DNS Ad-blocker solution, see this project.

Wrapping up

Always backup your settings once you have a working configuration you are happy with!

You have now seen pretty much all the options and services that are available. You configured basic networking, setup the WiFi and the Firewall, and you are armed and ready to reset the router in case something goes off. Time for Step 5 – SSH Access DD-WRT!

5 1 vote
Article Rating
Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x