DD-WRT Step 4 – Miscellaneous Settings: SPI Firewall, logging, remote access and critical settings. Bonus, a quick tour of services offered by DD-WRT.
Which router does this guide cover?
This page covers exclusively the router I have, but the same principles apply to any other. Mine is the Netgear® AC1900 – Nighthawk® Smart WiFi Router, aka R7000:
- AC1900 WiFi—600+1300 Mbps speeds
- 1GHz Dual Core Processor
- Dynamic QoS prioritizes network traffic for uninterrupted video streaming for applications like YouTube®, Netﬂix® & others
- ReadyCLOUD® USB Access allows you to enjoy personal and secure cloud access to USB storage anytime, anywhere
Step 1 – Basic Configuration
Step 2 – Wireless Configuration
Step 3 – Upgrade Firmware
Useful Services to Enable
Link Layer Topology Discovery (LLTD)
Security: SPI Firewall
The SPI firewall blocks unsolicited inbound traffic from the WAN, such as ping and SNMP. Leave everything else disabled: those filters only inspect plaintext HTTP, so they do nothing for HTTPS traffic:
Also, limit SSH access upon brute-force/DoS detection (although we do not know the thresholds that trigger it):
- Limit SSH Access: I use SSH, so I recommend it
- Limit Telnet: telnet is NEVER open to the WAN
- Limit PPTP Server Access: if you host a PPTP VPN server (keep in mind that PPTP's MS-CHAPv2 authentication is cryptographically broken; prefer the OpenVPN server that DD-WRT also ships)
- Limit FTP Server Access: if you host an FTP server
It's always a good idea to know what's going on: I only enable logging of rejected connections. You can enable the others for debugging purposes. The entries land in the router's syslog as standard netfilter LOG lines (one key=value field per packet attribute), which makes them easy to grep or to post-process.
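To show what you can actually do with those rejected-connection entries, here is a small parser added as an example (it is not part of DD-WRT or of the original post). It assumes the netfilter LOG key=value layout, that the WAN interface is vlan2 (check `nvram get wan_ifname` on your router) and a log prefix such as DROP; the sample lines are constructed, not captured from a real router. It tallies drops per source and per destination port and flags sources that scanned many ports or hammered SSH:

```python
import re
from collections import Counter, defaultdict

# Interface DD-WRT uses for the WAN side on the R7000 (assumption: verify with
# `nvram get wan_ifname`; traffic from the LAN shows up on br0 instead).
WAN_IF = "vlan2"

# netfilter LOG lines in the syslog look like:
#   "... kernel: <prefix> IN=vlan2 OUT= MAC=... SRC=... DST=... PROTO=TCP SPT=... DPT=..."
LOG_RE = re.compile(r"kernel: (?P<prefix>[A-Z]+) (?P<fields>IN=.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # flags such as DF or SYN have no "=" and are skipped


def parse_line(line):
    """Return the fields we care about from one firewall log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    f = dict(FIELD_RE.findall(m.group("fields")))
    dpt = f.get("DPT")
    return {
        "prefix": m.group("prefix"),
        "in": f.get("IN", ""),
        "src": f.get("SRC"),
        "proto": f.get("PROTO"),
        "dpt": int(dpt) if dpt is not None else None,  # ICMP entries carry no port
    }


def summarize(lines, wan_if=WAN_IF):
    """Count dropped inbound WAN packets per source, per port and per (source, port)."""
    hits_per_source = Counter()
    hits_per_port = Counter()
    hits_per_source_port = Counter()
    ports_per_source = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["in"] != wan_if:
            continue  # not a firewall line, or not something arriving on the WAN
        hits_per_source[rec["src"]] += 1
        if rec["dpt"] is not None:
            hits_per_port[rec["dpt"]] += 1
            hits_per_source_port[(rec["src"], rec["dpt"])] += 1
            ports_per_source[rec["src"]].add(rec["dpt"])
    return {
        "hits_per_source": hits_per_source,
        "hits_per_port": hits_per_port,
        "hits_per_source_port": hits_per_source_port,
        "ports_per_source": ports_per_source,
    }


def flag_sources(summary, scan_ports=10, brute_hits=5, brute_port=22):
    """Label sources that probed many distinct ports (scan) or hammered SSH (brute force)."""
    flagged = {}
    for src, ports in summary["ports_per_source"].items():
        if len(ports) >= scan_ports:
            flagged[src] = "port scan"
        elif summary["hits_per_source_port"][(src, brute_port)] >= brute_hits:
            flagged[src] = "ssh brute force"
    return flagged


def _entry(src, dpt, proto="TCP", iface=WAN_IF):
    """Build one constructed syslog line in netfilter LOG format (sample data only)."""
    l4 = (f"SPT=41222 DPT={dpt} WINDOW=1024 RES=0x00 SYN URGP=0"
          if dpt is not None else "TYPE=8 CODE=0")
    return (f"Mar  3 21:14:02 DD-WRT kernel: DROP IN={iface} OUT= "
            f"MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC={src} DST=198.51.100.20 "
            f"LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO={proto} {l4}")


# Constructed sample log: an SSH hammerer, a horizontal scanner, a one-off
# probe plus a ping, a LAN-side line that must be ignored, and an unrelated line.
SAMPLE_LOG = (
    [_entry("203.0.113.7", 22) for _ in range(6)]
    + [_entry("198.51.100.99", p) for p in (21, 23, 25, 80, 443, 445, 3389, 5900, 6379, 8080, 8443)]
    + [_entry("192.0.2.5", 23), _entry("192.0.2.5", None, proto="ICMP")]
    + [_entry("10.0.0.9", 22, iface="br0")]
    + ["Mar  3 21:14:05 DD-WRT dnsmasq[123]: started, version 2.80"]
)

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for src, why in flag_sources(s).items():
        print(f"{src}: {why} ({s['hits_per_source'][src]} drops)")
```

On the router you would feed it the real thing, e.g. `grep 'kernel: DROP' /var/log/messages`, and tune the two thresholds to your own noise level; a handful of hits on port 22 from one address in a minute is the signal the "Limit SSH Access" option reacts to as well.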
Always enable UPnP: so many devices, such as smart TVs, iPhones and IoT gadgets, require it. Be aware of what it does, though: any device on the LAN can ask the router to open an inbound port with no authentication at all, so a compromised gadget can expose itself to the Internet. Make sure the UPnP service itself is only reachable from the LAN. It will also only work if your WAN access is configured correctly. UPnP works only in the following 2 cases:
- Case 1: DD-WRT behind a DOCSIS 3.x cable modem: set up DD-WRT as Gateway and rock-n-roll!
- Case 2: you happily got your PPPoE user/password and set up DD-WRT to connect via PPPoE directly through the DSL modem in bridge mode
Case 3, DD-WRT behind a PPPoE DSL modem that keeps routing, does not work: both the modem and DD-WRT perform NAT (double NAT), and UPnP cannot cope because the DD-WRT WAN jack sees the modem's private IP as its WAN address instead of your actual public IP.
When a device behind a router that is itself behind another router sets up a port forward via UPnP, the forward lands not on the greater Internet but on the other router. This forwarding dead end means a wide range of applications and services (communication apps like Skype, smart-home hardware like a Nest thermostat, music hardware like a Sonos system) either fail outright or require a lot of annoying troubleshooting on your part.
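A quick way to tell which case you are in, added here as an example script (not DD-WRT's own tooling): it classifies the address DD-WRT holds on its WAN port. It assumes `nvram get wan_ipaddr` returns that address, and it goes one step beyond the cases above by also catching carrier-grade NAT (100.64.0.0/10), where the ISP itself is NATing you and UPnP is just as dead:

```python
import ipaddress
import subprocess

# Ranges that never appear on the public Internet. A WAN address in one of
# them means another NAT sits between DD-WRT and the Internet, and any UPnP
# forward will dead-end there.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")       # RFC 6598 carrier-grade NAT
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # APIPA: no lease obtained at all


def classify_wan(wan_ip):
    """Classify the address DD-WRT holds on its WAN port."""
    ip = ipaddress.ip_address(wan_ip)
    if ip in LINK_LOCAL or ip == ipaddress.ip_address("0.0.0.0"):
        return "no-address"   # WAN link down or still negotiating
    if any(ip in net for net in PRIVATE):
        return "double-nat"   # case 3: a modem or another router is NATing in front of you
    if ip in CGNAT:
        return "cgnat"        # the ISP shares one public address among customers
    return "public"           # cases 1 and 2


def upnp_can_work(wan_ip):
    """UPnP forwards only reach the Internet when the WAN address is really public."""
    return classify_wan(wan_ip) == "public"


def advice(wan_ip):
    return {
        "public": "fine: UPnP forwards reach the Internet",
        "double-nat": "put the modem in bridge mode, or forward everything from it to DD-WRT",
        "cgnat": "ISP-side NAT: no inbound ports at all; ask for a public IP or use a VPN",
        "no-address": "WAN link is down or has no lease",
    }[classify_wan(wan_ip)]


if __name__ == "__main__":
    # On the router itself the same value comes from: nvram get wan_ipaddr
    wan = subprocess.run(["nvram", "get", "wan_ipaddr"],
                         capture_output=True, text=True).stdout.strip()
    print(wan, "->", advice(wan))
```

If the result is "public" but a "what is my IP" site shows you a different address, you are still behind something that rewrites traffic; the script can only see what DD-WRT sees.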
Web Access and Remote Access
There is no need to enable HTTPS on the web UI unless you want to create a public access hotspot or share your network: since DD-WRT uses a self-signed certificate, it will only add another warning message from your browser. The one exception is remote access in any form: if the web UI is ever reachable from outside your LAN, HTTPS is mandatory, or the admin password crosses the Internet in clear.
- Web GUI: make sure NOT to enable Remote GUI Management. I really don't know what kind of security is configured to protect you from DoS and brute-force attacks.
- SSH Management: enable it once you have configured SSH, if you need it.
- Telnet: NEVER EVER enable remote telnet access.
- Allow Any Remote IP: I use that, but your needs may vary. You can limit remote access for all these services to an IP range; restricting it to the addresses you actually connect from is the safer choice.
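To check those settings without clicking through the UI, here is an example audit script (added here, not part of DD-WRT). It parses `nvram show` output, copes with the multi-line values that startup/firewall scripts produce, and flags the dangerous combinations discussed above. The variable names (remote_management, remote_mgt_telnet, telnetd_enable, https_enable) are assumptions about DD-WRT's NVRAM layout: verify them with `nvram show | grep -E 'remote|telnet|https'` on your router. The sample dump is constructed:

```python
import re

# Constructed excerpt of `nvram show` output (not from a real router). The
# variable names are assumptions: check them against your own `nvram show`.
SAMPLE_NVRAM = """\
remote_management=1
remote_mgt_ssh=0
remote_mgt_telnet=1
sshd_enable=1
sshd_port=22
telnetd_enable=1
upnp_enable=1
https_enable=0
http_enable=1
rc_firewall=iptables -I INPUT -p tcp --dport 22 -j DROP
iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
wan_ipaddr=203.0.113.42
"""

# A setting line is "name=value"; anything else continues the previous value.
KEY_RE = re.compile(r"^([A-Za-z0-9_.:-]+)=(.*)$")


def parse_nvram(text):
    """Turn `nvram show` output into a dict.

    Script variables such as rc_startup / rc_firewall span several lines, so a
    line that does not look like "name=value" is glued to the previous value.
    (A script line that itself looks like "name=value" would be misread; that
    ambiguity is inherent to the dump format.)
    """
    settings, last = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            last = m.group(1)
            settings[last] = m.group(2)
        elif last is not None:
            settings[last] += "\n" + line
    return settings


# (variable, value that is a problem, why it matters)
CHECKS = [
    ("remote_management", "1", "web GUI reachable from the WAN"),
    ("remote_mgt_telnet", "1", "telnet reachable from the WAN (credentials in plaintext)"),
    ("telnetd_enable", "1", "telnet daemon running at all; use SSH instead"),
]


def audit(settings, checks=CHECKS):
    """Return a list of findings for the remote-access settings discussed above."""
    findings = [f"{var}={bad}: {why}" for var, bad, why in checks if settings.get(var) == bad]
    # Exposing the web GUI without TLS is the worst combination: the admin
    # password crosses the Internet in clear on every login.
    if settings.get("remote_management") == "1" and settings.get("https_enable") != "1":
        findings.append("remote_management=1 with https_enable=0: admin login over plain HTTP from the WAN")
    return findings


if __name__ == "__main__":
    # On the router: nvram show > /tmp/nvram.txt, then run this over the file.
    for finding in audit(parse_nvram(SAMPLE_NVRAM)):
        print("!!", finding)
```

An empty result for your own dump means the four points above are in the state this guide recommends; anything printed is something to fix before Step 5 opens the router to SSH.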
Boot Wait is a feature you will hopefully never need. It introduces a short delay while booting (5 s) during which the bootloader accepts a new firmware upload (over TFTP) before it starts the firmware in flash. This is only useful if you can no longer reflash through the web interface because the installed firmware will not boot, which is exactly the situation it exists for. It needs more configuration once you have unlocked SSH access.
- Short press – Reset the router (reboot)
- Long press (>5s) – Reboot and restore the factory default configuration.
NEVER disable this. You WILL need it, trust me.
Unless you are stuck in 2001, this is only for Windows XP. Disable it.
Lets you use the free space on the internal flash (JFFS2) as a mounted filesystem. The free space available varies widely among routers; the Netgear AC1900 R7000 has around 100 MB.
I've used it to install OPKG and Linux packages, but this is now highly discouraged: every write to the internal flash wears the chip, and once it fails you can trash your router. This internal storage also gets corrupted over time. I had to reset the router 3 times in 2 years because of that. Big headaches when it happens on a Sunday evening with homework to rush before midnight… and it WILL happen, trust me.
To mount a filesystem so you can install OPKG and other nice stuff (DNS AdBlocker project), use a USB stick instead! You will need a good-quality USB stick whose filesystem has a stable UUID so you can automount it at startup. Good quality, I insist: I bricked 2 USB sticks (2 GB each) over the span of 3 years.
Quick Tour of Services Offered
This tour is just about showcasing some of the available features and by no means how to configure and use them. As such, you can skip it and go directly to Step 5 – SSH Access DD-WRT
Access Restriction (Parental Control)
Most ISP and retail routers offer these options, but it's good to know that DD-WRT has them too: you can block Internet access by schedule, by website (Roblox), by protocol (P2P), or even by keyword! JK, you cannot block by keyword since everything is served over HTTPS: the router only ever sees the domain name (in the DNS lookup and the TLS SNI), never the URL or the page content.
DD-WRT UI over SSL and Remote Access
You can access your DD-WRT remotely if you enable SSL and change the HTTP port. Make sure you know what you are doing: a non-standard port hides nothing from a port scanner, so combine it with the IP-range restriction above and a strong admin password.
DDNS lets you reach your network using a domain name instead of an IP address. The service tracks your changing IP address and updates your domain record dynamically. You must sign up with a provider such as DynDNS.org, freedns.afraid.org, ZoneEdit.com, No-IP.com or another dynamic DNS service.
Although most of these DDNS services are free, they require you to confirm via email that you are actually still using them… every month! This is obnoxious, and in a future post I will show you how to create your own DDNS service with AWS and a simple PHP page.
MAC Address Clone
Some ISPs (please name them in the comments!) require you to register your MAC address. If you do not wish to re-register it (why would they demand this, after all?), you can have the router clone the MAC address that is already registered with your ISP.
Switch Config – VLAN
Link aggregation can be set up on ports 3 & 4 for happily doubled bandwidth! Possible application: a RAID NAS. Note that a single TCP connection still travels over one link; the doubling applies to the aggregate of several simultaneous flows.
Ethernet over IP (EoIP) tunneling lets you create an Ethernet tunnel between two routers on top of an IP connection. The EoIP interface appears as an Ethernet interface. When the bridging function of the router is enabled, all Ethernet traffic (all Ethernet protocols) is bridged just as if there were a physical Ethernet interface and cable between the two routers (with bridging enabled). EoIP itself neither encrypts nor authenticates anything, so over an untrusted path run it inside a VPN, as the second setup below suggests.
Network setups with EoIP interfaces:
- Possibility to bridge LANs over the Internet
- Possibility to bridge LANs over encrypted tunnels
- Possibility to bridge LANs over 802.11b ‘ad-hoc’ wireless networks
IP over DNS Tunneling
Bypass firewalls via DNS tunneling thanks to an integrated NSTX daemon!
NSTX, like iodine, is an IP-over-DNS tunnel: it encodes traffic into DNS queries and replies, so it gets through wherever DNS resolution is allowed, even when everything else is blocked. Expect it to be slow, and keep in mind that its traffic pattern (long, high-entropy subdomains and bursts of queries to a single domain) is exactly what network defenders alert on. A future post will show you how to configure and use it to your advantage.
Tor (The Onion Router Project) is included since release 42xxx. If you know what it is, a future post will show you how to check which version is installed and how to use it as a bridge/node!
Enterprise WiFi Security with Radius
RADIUS is an authentication server for network access (802.1X/EAP, i.e. WPA-Enterprise), much more secure than a single shared PSK with TKIP etc.: each user gets individual credentials that can be revoked without re-keying every device on the network. It can be used for WiFi, VoIP, PAP and other technologies.
The FreeRADIUS project claims to be responsible for authenticating a third of all users on the Internet.
DD-WRT embeds an OpenVPN server/daemon!
You can turn your router into a professional hotspot for your small business as well, although you will also need a back-end server, which can itself be installed on DD-WRT once you can access it via SSH.
AdBlocking with Privoxy?
I really don't know why they keep Privoxy installed by default. It is utterly useless against ads served over HTTPS: a filtering proxy can only rewrite plaintext HTTP, and for an HTTPS connection it sees nothing but the hostname in the CONNECT request. For a real DNS ad-blocker solution, see this project.
Always back up your settings once you have a working configuration you are happy with! Keep in mind that the backup is a raw NVRAM dump, so it holds your WiFi passphrase, PPPoE and VPN credentials and the admin credentials; store it somewhere at least as protected as the router itself.
You have now seen pretty much all the options and services that are available. You configured basic networking, set up the WiFi and the firewall, and you are armed and ready to reset the router in case something goes wrong. Time for Step 5 – SSH Access DD-WRT!