Installing a New Router
For the past 10 years I have been using a Linksys WRT54GL 1.1 router in my LAN. Yes, 10 years. I prefer not to fix things that are not broken.
A few days after buying the WRT54GL I installed DD-WRT. The last DD-WRT update for this router was in 2010. As the router has only 16 MB of RAM, many of the additional features touted in DD-WRT are unavailable. I am not complaining — fewer features usually means better security.
Some time ago I bought an Asus RT-AC66U router. The specs are notably different with 128 MB flash and 256 MB DDR2 RAM, Gigabit ports, USB ports, dual band, and support for 802.11ac.
I decided to finally install this new router. I would demote the WRT54GL to the role of emergency backup.
DD-WRT is available for the RT-AC66U router. A DD-WRT interface would provide me a significant degree of familiarity.
Initially I want to provide the Asus firmware a shakedown and test. If that proved frustrating then I would try the Asuswrt-Merlin firmware. DD-WRT firmware will remain an option.
The change log for the Asuswrt-Merlin firmware indicates some of the improvements have been backported to the Asus firmware.
I have good notes and screen captures of my DD-WRT configuration with the WRT54GL. Backups too. That said, I anticipate that configuring the Asus router like-for-like using the Asus firmware will be a challenge because of the differing interfaces.
I have DD-WRT configured with the following:
- JFFS
- Wireless
- Guest wireless
- VLANs
- Traffic monitoring
- SSH
- Custom scripts
The WRT54GL is configured to use my LAN server for DNS name searches. One feature I want to explore with the new router is adding a VPN server to the LAN.
A “feature” I do not want is auto-updating or phoning home. I do not know whether I can control that. While I appreciate good products I detest the current mindset among vendors to data mine the Hell out of everybody. I am a human, not a product.
Other than a user manual PDF, the Asus router comes with the typical installation CD that is useless for Linux users.
While I have not kept abreast of router technology, I am aware of past exploits with the Asus firmware. I presume most or all of these problems have been fixed. The moral of the story is that these exploits reveal a simple relationship: the more features a person enables, the greater the likelihood of exposing the device to possible exploits.
I downloaded the latest firmware from the Asus web site.
A Kill-A-Watt meter test showed the device uses about 10 to 12 watts. The router requires about 60 seconds to boot. The WRT54GL uses about 7 watts and about 90 seconds to boot.
One usability defect is the LEDs are on top of the router. When placed on a high shelf, the user is unable to view the LEDs as would be the case with front view LEDs. The LEDs are the typical fad blue. While the device can be mounted vertically, this results in the cables being exposed and is not cosmetically pleasing.
I connected the router to my laptop. I did not connect the WAN port. That way the device could not phone home — if that was actually part of the design. Before connecting to the world I wanted to explore the configuration options to disable unnecessary features and determine whether the device does phone home.
The RT-AC66U firmware greeted me with a dialog that I did not have the bane of the web enabled in my web browser. Okay, not a serious hit because DD-WRT requires the bane of the web too. The difference is I trust DD-WRT. I do not yet know whether I can trust the Asus firmware.
After I enabled JavaScript I saw a Welcome screen.
I am not fond of dark themes.
There are four options. The top option is Skip Setup Wizard. The remaining three options are 1) Check Connection, 2) Internet Setup, and 3) Router Setup. The Welcome screen has a single Go button. As I was not yet connected to the outside world, selecting this button resulted in an error message and a new Manual Setting button.
Hardly conclusive, but the firmware seems designed to phone home.
Selecting the Manual Setting button found me in a new page to configure the router’s login name and password. I perused a few more pages but eventually the wizard stalled because I was not connected to the outside world.
Hardly conclusive, but the firmware seems designed to phone home.
At that point I selected the Skip Setup Wizard option. After selecting this option to bypass the wizard, I was prompted to configure the wireless encryption. A nice gesture I suppose, but so much for “skipping” the wizard.
I selected the Go button to ignore the request for encryption passwords. As a side note, from that point forward there is a yellow icon at the top right of every page that flashes to remind the user that no wireless password has been set. Perhaps if the user wants to provide an open access point that flashing can be disabled, but I did not look further.
Overall I found the Asus interface confusing. I am sure several afternoons of tinkering would get me more familiar. Ten years of familiarity with DD-WRT plays a role in my confusion, but nonetheless I do not find the Asus interface straightforward.
The default Asus firmware update page showed the firmware version was 3.0.0.4.376_3707. No such version appeared on the Asus web site. I performed a backup and then flashed to the latest version 3.0.0.4.380-3831.
After updating I was thrown into a new login page. The new page would not let me log in until I enabled cookies. Cookies? On a router? WTF. I was not feeling good about this firmware.
The new page required me to change the password. This is a good gesture for many people.
An nmap scan showed the LAN side had the following default ports open:
- 53
- 80
- 515
- 9100
- 9998
I do not have a bench setup to scan the WAN side ports. Online port scanners are unreliable because the WISP uses NAT. Besides, I was not ready to connect the device online. I was determined not to let the device phone home in any manner. I had sufficient suspicion that the firmware phoned home.
After updating the firmware I looked for an option to prevent phoning home. That is, auto-updating. I found nothing obvious.
I use NoScript. When I enabled JavaScript for the router IP address, I noticed in the NoScript menu an option to temporarily allow JavaScript with nw-dlcdnet.asus.com. This is an Asus download content delivery network URL. Several router configuration pages connect to this URL, some don’t. While this is not a direct phone home design, merely adding the URL in various configuration web pages means there will be contact with the mother ship.
Looking through the Merlin firmware feature list revealed nothing about stopping this. Searching the web revealed nothing.
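Since the router is configured to use the LAN server for DNS, one way to watch for vendor contact is to check that server's query log. The following Python script, an added example rather than anything from the post, scans dnsmasq-style query log lines for names under asus.com and groups them by the client that asked. The log lines, the client addresses 192.168.1.1 (router) and 192.168.1.20 (admin laptop), and the assumption that the LAN server runs dnsmasq with log-queries are all constructed for the example.

```python
# Added example, not code from the original post: find DNS lookups of vendor domains in
# dnsmasq "log-queries" output and attribute them to the LAN client that asked.
# The log text, the 192.168.1.x addresses, and the dnsmasq assumption are constructed;
# nw-dlcdnet.asus.com is the name the post reports in the router's admin pages.
import re
from collections import defaultdict

# dnsmasq query line: "... dnsmasq[PID]: query[TYPE] NAME from CLIENT"
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)")

# Domain suffixes treated as vendor contact; a hit is the suffix itself or any subdomain.
VENDOR_SUFFIXES = ("asus.com",)

# Constructed sample: laptop (.20) loads an admin page, router (.1) resolves the CDN itself.
SAMPLE_LOG = """\
Mar  3 10:15:02 dnsmasq[1234]: query[A] nw-dlcdnet.asus.com from 192.168.1.20
Mar  3 10:15:02 dnsmasq[1234]: forwarded nw-dlcdnet.asus.com to 9.9.9.9
Mar  3 10:15:03 dnsmasq[1234]: query[A] example.org from 192.168.1.20
Mar  3 10:17:41 dnsmasq[1234]: query[A] nw-dlcdnet.asus.com from 192.168.1.1
Mar  3 10:17:41 dnsmasq[1234]: query[AAAA] nw-dlcdnet.asus.com from 192.168.1.1
"""


def is_vendor_name(name: str, suffixes=VENDOR_SUFFIXES) -> bool:
    """True for the suffix or a subdomain of it; 'notasus.com' must not match."""
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)


def vendor_queries(log_text: str, suffixes=VENDOR_SUFFIXES) -> dict:
    """Map client IP -> {vendor name: query count}, counting only query[...] lines."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_vendor_name(m.group(2), suffixes):
            hits[m.group(3)][m.group(2).lower()] += 1
    return {ip: dict(names) for ip, names in hits.items()}


def clients_contacting_vendor(log_text: str, suffixes=VENDOR_SUFFIXES) -> list:
    """Sorted list of client addresses that looked up any vendor name."""
    return sorted(vendor_queries(log_text, suffixes))


if __name__ == "__main__":
    for ip, names in vendor_queries(SAMPLE_LOG).items():
        for name, count in names.items():
            print(f"{ip} looked up {name} {count} time(s)")
```

Queries from the laptop reflect admin pages the browser loaded, while a lookup coming from the router's own address would indicate the firmware itself initiated the contact.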
I found no options to configure a VLAN. Searching the web revealed nothing. I concluded that VLANs are not supported. For me this is an important missing feature. I could buy a managed switch to create VLANs, but I like the firmware convenience with less mess and fewer cables.
My short session implied I would need to use DD-WRT to obtain VLAN support.
My short session implied I would need to use DD-WRT to protect my privacy.
I refuse to play this game of vendors tracking me. In hindsight I should have known better. Vendors these days seem incapable of selling products without data mining or tracking.
I miss the days of simply throwing away useless warranty cards, the old snail method of tracking people through junk mail lists.
I remembered my wounds with respect to wordpress.com. I was not going down this road again.
I installed DD-WRT.
That is, I tried to. I received a dialog that due to “certification requirements” the firmware I tried to install was incompatible. This led to wasting time on the web reading about various vendors and their compliance efforts with the FCC mandate to limit radio transmission power. Basically, how they are locking the firmware.
Surfing the web showed many people struggling to install third party firmware on Asus routers.
Had I not immediately updated the Asus firmware I would have avoided the problem.
Fortunately I found a new DD-WRT firmware that had been updated recently. I was able to successfully install that firmware.
The DD-WRT interface looked familiar from my WRT54GL router. At least the DD-WRT developers are not card-carrying members of the “change for the sake of change” club. The RT-AC66U has several more tabs of features, but otherwise everything looked unchanged. Probably because of more modern hardware, the DD-WRT interface seemed snappier on the RT-AC66U than on the WRT54GL. I always thought the DD-WRT interface on the WRT54GL was sluggish.
Unlike the Asus firmware, an nmap scan showed the DD-WRT LAN side had the following default ports open:
- 53
- 80
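The two port lists above (Asus stock firmware and DD-WRT) make a natural baseline check. The following Python script is an added example and not code from the post or from either firmware project: it parses nmap grepable (-oG) output and reports open LAN-side ports beyond an expected set. The scan lines are constructed from the port numbers listed above, and the router address 192.168.1.1 and the DNS plus web-UI baseline are assumptions.

```python
# Added example, not code from the original post: diff a router's open LAN-side TCP ports
# against an expected baseline. Input is nmap "grepable" output, e.g. `nmap -oG - 192.168.1.1`.
# Both scan lines are constructed from the port numbers the post reports; the address
# 192.168.1.1 and the DNS+web-UI baseline are assumptions.
import re

# nmap -oG port field syntax: port/state/protocol/owner/service/rpcinfo/version/
ASUS_SCAN = ("Host: 192.168.1.1 ()\tPorts: 53/open/tcp//domain///, 80/open/tcp//http///, "
             "515/open/tcp//printer///, 9100/open/tcp//jetdirect///, 9998/open/tcp/////")
DDWRT_SCAN = "Host: 192.168.1.1 ()\tPorts: 53/open/tcp//domain///, 80/open/tcp//http///"

# Ports a bare router is expected to expose to the LAN: DNS forwarder and the admin web UI.
BASELINE = frozenset({53, 80})

# Standard assignments for the extra Asus ports; the post does not identify 9998.
PORT_NOTES = {515: "LPD print spooler", 9100: "raw printer (JetDirect)"}

# Matches only fully open TCP ports, not "open|filtered" guesses.
OPEN_TCP_RE = re.compile(r"(\d+)/open/tcp")


def open_ports(grepable_output: str) -> set:
    """Set of open TCP ports across all Host lines of nmap -oG output."""
    return {int(p) for p in OPEN_TCP_RE.findall(grepable_output)}


def unexpected_ports(grepable_output: str, baseline=BASELINE) -> list:
    """Open ports not in the baseline, ascending; an empty list means the scan is clean."""
    return sorted(open_ports(grepable_output) - set(baseline))


def describe(port: int) -> str:
    """Short label for a port, falling back to a neutral marker for unknown ones."""
    return PORT_NOTES.get(port, "unidentified service")


def report(label: str, grepable_output: str) -> str:
    """Human-readable summary of what the scan exposes beyond the baseline."""
    extra = unexpected_ports(grepable_output)
    if not extra:
        return f"{label}: open ports match baseline {sorted(BASELINE)}"
    lines = [f"{label}: {len(extra)} port(s) beyond baseline {sorted(BASELINE)}"]
    lines += [f"  {p}/tcp  {describe(p)}" for p in extra]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("Asus stock firmware", ASUS_SCAN))
    print(report("DD-WRT", DDWRT_SCAN))
```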
After temporarily enabling telnet, I logged in for a nice surprise. The free command showed about 30 KB of RAM being used — and about 206 KB free. A big difference from the WRT54GL.
While JavaScript is needed to use the DD-WRT interface, there are no cookies and to my knowledge nothing phones home. There are no data mining efforts. Unlike the Asus firmware, I have access to VLANs. Like the Asus firmware, DD-WRT supports OpenVPN, which I look forward to testing. Unlike the WRT54GL, DD-WRT for the Asus router supports OpenVPN rather than only PPTP.
I have tested the PPTP option on the WRT54GL. Everything worked but I was uncertain about the security of PPTP.
Despite similarities, I cannot restore the RT-AC66U from a WRT54GL backup. I used my laptop next to my office desktop to configure the new router with the same settings as the existing router.
Unlike with the unfamiliar Asus firmware, I need only focus on the new DD-WRT features.
I understand that the Asus developers are targeting people with little to no computer experience. This would explain some of the internal online links to Asus web sites.
Despite this seemingly sincere goal, I have no way to monitor the Asus router for what might actually be phoning home. Perhaps there are no such connections. Yet my cynical view is the firmware provides a covert way at least to know who is using the product. The requirement for cookies is absurd and implies tracking. Any phone home connection raises suspicion. Period.
The simple lesson learned is never trust any vendor who provides any kind of firmware. When buying any such hardware these days, presume there is an effort in some form or manner to data mine users.
That said, at least the Asus folks allow third party firmware. For about an hour I thought I had bought a brick and would have to try to sell the device.
What is odd to me is that if vendors really want to reduce costs, they do not use free/libre firmware. Probably because they then would be unable to snoop.
I have no special allegiance to DD-WRT, but I avoid tracking and have VLAN support. My 10-year experience with DD-WRT on my WRT54GL indicates the firmware works. I think that is all anybody ever really wants.
Posted: Usability Tagged: General