DD-WRT on Cisco Linksys WRT610n router

Although I purchased my WRT-610n router (pretty much the same as the newer E3000) many months ago, I only recently got around to installing the Linux firmware on it, mostly due to lack of time and procrastination. What finally pushed me to do it were some issues with my Internet connectivity, which I am hoping a better router could solve.


Prior to flashing the router with the custom firmware, I spent some time playing with the shipped one and its settings. The router seemed fine and I saved my settings to an external file.

I am lucky to have several additional routers, so I can play with my Linksys router without disrupting my Internet activity. To start, with the Router connected to the Internet, I downloaded the firmware to flash and also the latest firmware from Linksys, just in case (links below).

In preparation of the flashing, I read the wiki and documentation provided by the dd-wrt website and downloaded all the necessary firmware. In particular, I discovered the following “Known Issues”:

  • Unstable WLAN, esp when wl1 radio & WPA are enabled – only in rev. 1, I have rev. 2
  • 10 MB fails causing WoL – I don’t use either
  • a bunch of problems related to older versions of the firmware which do not concern me, as I’ll be using the latest version
  • Site Survey and Wizviz Survey do not work for 5 GHz band – minor inconvenience / they don’t even exist in regular firmware
  • No TFTP recovery – not really an issue any more; there are several ways to recover
  • 5 GHz channels – keep in mind regulatory limits for clients as they are not restricted on device

The above issues, though minor, will most likely be all resolved by the time the final release becomes available.

I then disconnected everything from the router and plugged in only my laptop (containing the saved firmware) in the 1st slot. First on the to-do list before messing with the firmware is what they call a 30-30-30 reset, which will erase any settings and return the router to factory settings. Here’s how it works:

  1. With the unit powered on, press and hold the reset button on the back of unit for 30 seconds
  2. Without releasing the reset button, unplug the unit and hold reset for another 30 seconds
  3. Plug the unit back while STILL holding the reset button a final 30 seconds (beware if you have an Asus unit)

This is obviously quite difficult to perform, so make sure you are in a comfortable position, and bring up the clock on your computer screen so that you can make sure you wait the full 30 seconds.

With that out of the way, we are ready to perform the actual upgrade:

  a. Flash the personalized firmware through the Linksys Web GUI.
  b. After a couple of minutes you should see an "Update Completed Successfully" screen.
  c. Wait at least three minutes after that, just to be safe.
  d. Power cycle the router (unplug the cord, count to 10 and plug it back in).
  e. Wait for the lights to return to normal, usually about 2 minutes.
  f. Do a HARD reset (again!). Wait. Check for the password page and log in to change the password.
  g. After you have DD-WRT on the router you can then flash the latest mega build (2nd in the table below).

With the router equipped with the shiny new firmware, it’s time to start configuring it. I will be presenting what needs to be done in each setup page; for items organized by projects, visit the official tutorial page (linked in sources).

1. Setup

Under the first tab, we have 7 sub-tabs.

1.1 Basic Setup

I will use Automatic Configuration (DHCP); STP stands for Spanning Tree Protocol and it’s not something to worry about in a SOHO network. I then change the Router Name to something friendlier and also change the Local IP from the default. I would like to configure the router with Static DNS (different than what I get from my ISP), such as Google’s Public DNS 8.8.8.8 or 8.8.4.4 or OpenDNS’ 208.67.222.222 (or 220), so I enter them into the static DNS fields. I also enable the NTP client, change the time zone to EST (GMT-5), and the server to 0.cc.pool.ntp.org – replace cc with your country code or omit it altogether.

It’s important to understand that changing the DNS server to OpenDNS may incur some small performance penalty with content delivered by specialized networks such as Akamai, who may use the location of the DNS server to determine which server will service your request.

1.2 DDNS Service

My IP address does not really change unless I change my MAC address on the Internet facing side, and I don’t plan to do that often, so I have no need for a Dynamic DNS service – unless I go away for an extended period of time. In that situation, I would probably use DNS-O-Matic, which allows updating multiple services (from wiki):

  1. Follow instructions for basic setup above.
  2. Set up an account with OpenDNS and enable dynamic IP update under the settings tab on the OpenDNS website. Also enable any filtering options you want.
  3. Log into DNS-O-Matic. It shares the same username and password for OpenDNS.
  4. Add OpenDNS as a service on DNS-O-Matic
  5. Also add account information for any other Dynamic DNS providers you have.
  6. Now click the "Update Info" radio button
  7. On the DDNS tab under Setup in dd-wrt set DDNS Service to Custom.
  8. Set DYNDNS Server to updates.dnsomatic.com
  9. Fill in your Username and Password for OpenDNS/DNS-O-Matic
  10. Set Host Name to all.dnsomatic.com (to update multiple hosts, use hostname1 -a hostname2 -a hostname3 -a hostnameN)
  11. Put /nic/update?hostname= in the URL text box. If that doesn't work, use: http://updates.dnsomatic.com/nic/update?hostname= (change to https if badauth error from dnsomatic).
  12. Apply

1.3 MAC Address Clone

I made note of the original MAC address and cloned my laptop. This should help if I’m ever asked by tech support to connect my computer straight to the Internet in that my IP will stay the same and no additional variables will be thrown into the problem to be solved.

1.4 Advanced Routing, VLANs, Networking, EoIP Tunnel

Nothing to change here, I’m only using one router.

2. Wireless

2.1 Basic Settings

Personally, I always disable SSID Broadcast and just make sure I use a SSID that I can remember. I also change the default channel to an empty one – something the neighbours are not using. I have an iPhone and an iPod, so I always enable BG-Mixed. If you have devices using N wireless, you might want to enable wl1 similarly perhaps using a different SSID; if not, disable it.

2.2 Radius

You need this if you plan on using WPA Enterprise, but it really is overkill for a home network.

2.3 Wireless Security

Choose WPA 2 Personal Mixed with TKIP+AES for maximum compatibility, unless you know for sure that all your devices are capable of WPA2 and AES in which case you should choose that combination. AES is more secure but it might impose a performance penalty. Either way, make sure your WPA Shared Key is as long, as varied and as random as possible.
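A long, varied and random shared key is easiest to get from the system's random source rather than by inventing one. As an added example (not from the original post), the POSIX sh helper below produces a WPA2 pre-shared key of a requested length (default 63, the maximum a passphrase may have) from a printable character set that router GUIs and clients accept, and refuses lengths outside the 8 to 63 range that WPA allows:

```shell
#!/bin/sh
# Added example (not from the original post): generate a random WPA2
# pre-shared key from /dev/urandom instead of choosing one by hand.

# gen_psk [length]: print a random passphrase of the given length (default 63).
# WPA passphrases must be 8 to 63 printable ASCII characters, so anything
# outside that range is rejected rather than silently truncated.
gen_psk() {
    len=${1:-63}
    if [ "$len" -lt 8 ] || [ "$len" -gt 63 ]; then
        echo "WPA passphrases must be 8 to 63 characters" >&2
        return 1
    fi
    # /dev/urandom supplies the randomness, tr keeps only characters from the
    # allowed set (letters, digits and a few punctuation marks), head cuts the
    # stream to the requested length. LC_ALL=C makes tr work on plain bytes.
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%&*()_+=' </dev/urandom | head -c "$len"
    echo
}

# Print one full-length key; paste it into the WPA Shared Key field.
gen_psk 63
```

A 63-character key from this alphabet has far more entropy than any dictionary or brute force attack against the WPA handshake can cover; even 20 characters is plenty, the longer default just costs nothing on devices that let you paste it.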

2.4 MAC Filter

I generally setup a MAC filter to disallow all devices except mine to connect wirelessly. I know all their MAC addresses; if you don’t for yours, it should be inconspicuously printed on the device.

3. Services

3.1 Services

I entered all the fixed IP addresses on my LAN in “Static Leases”, first creating enough fields with Add. Then, in DNSMasq, I wrote strict-order in the Additional DNSMasq Options text box so that the DNS servers are queried in the order they're listed rather than randomly. I also enabled SSHd, pasted my public key previously generated with Puttygen and changed the default port from 22 to a port number higher than 1024; however, if you plan to use your router for SSH tunneling to bypass firewalls at a remote location, you might want to set that port to 443. Since I have yet to log in, I allowed login by password for now, but I will probably disable it once I have made sure that login with PKI works. Telnet can be disabled at this point.

I have also enabled the SES button to turn the radio on or off and to be off at boot-up, as all my connections, except for the iPod and iPhone are wired. What I would really like to see is a custom script that turns on radio 1 on first press (b/g) and radio 2 (N) on the second – remains to be seen. As wireless is usually the greatest security hole, this is bound to make the network safer.

4. Access Restrictions

You may block certain sites in many ways, such as in your hosts file on the local computer, through a proxy, through OpenDNS, through your computer firewall or even through the router’s firewall. Some people choose to block many ad sites, others only doubleclick.net and pagead*.googlesyndication.com. Whichever you fancy, here’s how you use your router for this purpose:

  1. Give your rule a name.
  2. Click Edit list of clients and add the MAC addresses you want impacted by the rule, and / or add the IP of the wanted clients, or the IP range, Apply Settings, then Close, then Enable the rule you have created.
  3. Filter (Deny) for "Internet access during selected days and hours."
  4. In "Website Blocking by URL Address" add the domain names you want blocked, such as doubleclick.net
  5. In the section "Website Blocking by Keyword" you can block sites based on keywords, but I would advise against it, as it is very broad.
  6. Apply settings.

Note that you may also choose to Allow instead only the sites and keywords you specify. The first rule has the highest priority, so if you have a mix of Allow’s and Deny’s, ensure that your first rule allows everything for the authorized MAC’s, IPs etc.

A more complex ad-blocking strategy involves Pixelserv, which would replace ads with a definable image, speeding up browsing. Alternatively, squid could be installed.
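The strict-order option from the Services tab and the domain blocking described above both end up as dnsmasq directives on the router. As an added example (not from the original post or the DD-WRT project), this is what the Additional DNSMasq Options box could hold to combine the two: upstream servers tried in a fixed order, and ad domains answered locally so the requests never leave the LAN. The server= lines are an assumption (the Static DNS fields from Basic Setup may already cover them), 192.168.1.254 is a constructed placeholder for a pixelserv host, and the MAC address, host name and IP in the last line are constructed too:

```conf
# Added example (not the post's own settings): candidate contents of the
# "Additional DNSMasq Options" box on the Services tab.

# Query the upstream servers in the order given instead of picking at random.
strict-order

# Upstream resolvers, tried in this order under strict-order (assumption: listed
# here in addition to whatever the Static DNS fields already configure).
server=208.67.222.222
server=8.8.8.8

# Answer these domains and all their subdomains locally, so the ad requests
# never reach the Internet. 192.168.1.254 is a constructed placeholder for a
# pixelserv host; use 0.0.0.0 instead if you simply want the requests to fail.
# Note that this blocks all of googlesyndication.com, not only pagead*.
address=/doubleclick.net/192.168.1.254
address=/googlesyndication.com/192.168.1.254

# Log every query to syslog while testing the block list (noisy; remove later).
log-queries

# A static lease as the GUI's Static Leases fields produce it (constructed MAC,
# IP and name). Shown for reference only; do not also enter it here, or dnsmasq
# will see the lease twice.
dhcp-host=00:11:22:33:44:55,192.168.1.10,printer
```

Blocking at dnsmasq only works for clients that actually use the router as their resolver, which is exactly what the DNS interception rules under Administration, Commands enforce.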

6. Administration

6.1 Management

Once you have got the hang of SSH, you might want to disable HTTP altogether. Enabling HTTPS, though safer, uses up far more resources. I have also enabled the info site, password protected it and masked the MACs, though this last one may not be necessary (will see). Finally, once I am convinced that SSH autologin works, I will enable remote SSH access and enter the same port as in the Services tab. The login should be root / password, though as long as I have Putty with me together with the private key, I should not have to enter it. Disabling login by password removes the possibility of brute force attacks, making access far more secure.

Note that even though you disabled the Web Interface on the WAN side, you can still reach it via SSH Local Port Forwarding. In the SSH client (e.g., Putty) you can set up a Local port forward to destination router:80 (assuming that the router web interface on your LAN is left at the default, port 80). Once the SSH connection is up, you fire up your browser and navigate to the source port of that forward on your own machine, i.e., http://localhost:PORT. You will then be connected to the Web Interface of your router through a secure tunnel.

6.3 Commands

To intercept DNS request from improperly configured clients, I entered

iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to `nvram get lan_ipaddr`
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to `nvram get lan_ipaddr`

in the Command Shell field. Note that the second line is identical to the first, except that udp is replaced with tcp. If you want only requests from a specific IP address / range to be intercepted, enter it right after br0:

iptables -t nat -A PREROUTING -i br0 -s 192.168.1.128/25 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)

or, with the OpenDNS substitution

iptables -t nat -I PREROUTING -i br0 -s 192.168.1.128/25 -p udp --dport 53 -j DNAT --to 208.67.222.222
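The three rules above differ only in protocol, source range and whether they are appended (-A) or inserted (-I). As an added example (not from the original post or from DD-WRT), here is a small POSIX sh helper that generates the udp/tcp pair from those parameters, so the two lines cannot drift apart and the -A versus -I choice is explicit. It prints the commands instead of running them, so you can review them before piping them to sh on the router; 192.168.1.1 is a constructed stand-in for `nvram get lan_ipaddr`, and show_dns_redirects is a hypothetical name for the check that follows:

```shell
#!/bin/sh
# Added example (not from the original post): build the DD-WRT DNS-interception
# rules from a few variables. Plain POSIX sh, so it also runs under the
# router's busybox ash.
#
# Usage on the router (Administration -> Commands, or over SSH):
#   dns_redirect_rules br0 "$(nvram get lan_ipaddr)" | sh
#
# Arguments: interface, DNAT target, optional source CIDR, optional chain
# action (-A append, the default; -I insert at the top of the chain).
dns_redirect_rules() {
    iface=$1
    target=$2
    src=${3:-}
    action=${4:--A}
    # Only add a -s match when a source range was given.
    src_match=""
    if [ -n "$src" ]; then
        src_match=" -s $src"
    fi
    # One rule per transport: DNS uses udp normally and tcp for large answers.
    for proto in udp tcp; do
        printf 'iptables -t nat %s PREROUTING -i %s%s -p %s --dport 53 -j DNAT --to %s\n' \
            "$action" "$iface" "$src_match" "$proto" "$target"
    done
}

# Lists the active nat PREROUTING rules that match port 53, with line numbers,
# so you can confirm the redirect took effect. Run this on the router itself.
show_dns_redirects() {
    iptables -t nat -L PREROUTING -n --line-numbers | grep 'dpt:53'
}

# Constructed sample: 192.168.1.1 stands in for `nvram get lan_ipaddr`.
LAN_IP=${LAN_IP:-192.168.1.1}

# Everything on br0 goes to the router's own dnsmasq...
dns_redirect_rules br0 "$LAN_IP"

# ...except the upper half of the subnet, which is sent to OpenDNS instead.
# -I puts these two rules first so they match before the catch-all above.
dns_redirect_rules br0 208.67.222.222 192.168.1.128/25 -I
```

The -I form matters: the nat PREROUTING chain is evaluated top to bottom and the first DNAT match decides the packet's fate, so a range-specific rule appended after the catch-all would never be reached. Keep in mind that the rules only catch plain DNS on port 53; clients that resolve over TLS (port 853) or over HTTPS bypass them, so check show_dns_redirects together with the dnsmasq query log when a client seems to ignore the redirect.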

Bonus: Tunneling

To set up the tunnel when at the remote location, in Putty follow these steps, starting from your regular session with the private key (from the wiki):

  1. Go to the Connection -> SSH -> Tunnels section.
  2. Type 8080 into the Source port.
  3. Click on the Dynamic radio button to make it a dynamic tunnel that will act as a SOCKS proxy server.
  4. Click on the Add button to add it to the list of forwarded ports. It will appear as D8080 in the list.

With a command line client you would have to issue:

ssh root@[SSH server's IP or domain name] -p 443 -D 8080

Note that a command line connection can easily be moved into the background. To use the tunnel, you need to configure your browser at the remote location to use SOCKS Proxy settings at localhost 8080. To verify that you are indeed surfing through your router at home, go to a “what is my IP” site such as whatsmyip.org to see that your IP address is indeed your home address.

I hope you can replicate all the above easily on your router as well. Trying to focus on what I consider essential is bound to have left out some important steps, so if you have questions, visit the dd-wrt wiki links below or simply ask in the comment section.

Future projects:

There are many other things that can be done but I’m not interested in: IPTV, NoCatSplash, 4dummies, smartphone-as-modem, wiki-rss, wiki-kai, wiki-VPN-gaming, VLAN (def, config, bridging, detached, sep), wiki-xbox, wiki-psp, wiki-snmp, wiki-iptables-prevent,

Sources / More info: wiki-knwn-issues, wiki-install, cisco-wrt610n, wiki-tuts, wiki-ntp, wiki-FON, Peacock-FAQ, XP wizard, Mac wizard, wiki-OpenDNS, forum-dno-selective, wiki-ssh, forum-ssh-pf, wiki-button, mvps-hosts, hosts-file, wiki-url-block, wiki-ssh-tunneling, wi-fip-tuts,

File (all 2010-08-09) – v24 preSP2 [Beta] Build 14896 (rec) Size / link
Linksys WRT610n v2.0 Firmware: Special file for flashing via TFTP 3,29 MB
NEWD K2.6 Big Generic 6,82 MB
NEWD K2.6 VoIP Generic (will play with it eventually) 3,97 MB

PDFs: [Upgrade Instructions] [EULA] [Data Sheet] [Warranty] [User Guide]

Comments

Aidan100 said…
Nice write up, I'm considering switching to dd-wrt but...

is it stable?
InBonobo said…
It is definitely stable, running like a charm. Back when I installed it the Tomato project did not support this router, but now it does and it also supports more. Search for TomatoUSB, it's supposedly friendlier to beginners.
