Configuring DD-WRT
I have decent notes and backups of my Linksys WRT54GL DD-WRT configuration. I also have a check list of sorts.
When I started configuring my Asus RT-AC66U from scratch I realized my documentation was insufficient. DD-WRT is a complex firmware. DD-WRT for the RT-AC66U contains additional features I had never seen with the WRT54GL. I hadn't configured DD-WRT from scratch in many years. I was rusty with configuring some of the features. Enabling and configuring various features often requires modifying options in more than one location in the web interface.
One thing is for certain. The DD-WRT wiki and forum are filled with old and obsolete information. Confusing information. Conflicting information. Even finding the correct firmware version for a router is an uphill exercise. The web interface built-in help leaves much to be desired. Finding correct information is a frustrating effort.
Time to update my documentation by rewriting it as a "DD-WRT From Scratch" exercise.
On the WRT54GL I have DD-WRT configured with the following:
- JFFS
- LAN wireless
- Guest wireless
- DNS
- DHCP
- VLANs
- Traffic monitoring
- SSH
- Custom scripts
A feature I did not use on the WRT54GL is a VPN because only PPTP is available. DD-WRT on the RT-AC66U supports OpenVPN, which I want to use.
I use static IP addresses in my LAN. I have both NFS and Samba configured on my LAN server to allow connections only from within a specific range of the subnet. I configure DD-WRT not to provide DHCP addresses. When testing and enabling DHCP, DD-WRT assigns addresses outside the preconfigured range. This design prevents curious house guests from trying to snoop the server and private files. My network laser printer is assigned an IP address within the approved subnet range and is therefore unavailable to house guests.
I use dnsmasq on my LAN server to provide DNS lookups and name caching. I use dnsmasq for blocking undesirable URLs. I configure DD-WRT to use the LAN server for DNS. That means if the LAN server is unavailable then most devices connected to the router will stall. The LAN server is scheduled to power down at night when no client systems are running.
While the RT-AC66U has more memory than the WRT54GL, I am not going to move the dnsmasq URL blocking scheme to the new router. On the LAN server I run a weekly cron job to update the block list. I would need to move and test that script on the new router, or scp the final file to the router. While the new router probably can handle the overhead, I prefer not to fix things that are not broken.
I have a static public IP address assigned from the ISP.
The point to this exercise is to create documentation that helps me configure various DD-WRT options but in an efficient and methodical manner. Along the way I will create backup snapshots.
My approach looks something like the following:
- Configure admin information and management.
- Enable JFFS.
- Enable SSH and copy public keys.
- Configure the ISP information.
- Configure the wired interface.
- Configure the wireless.
- Configure guest wireless.
- Configure VLANs.
- Copy and enable custom scripts.
- Configure remaining tweaks.
Preliminary Settings
I wanted to bench configure as much as possible before finally replacing the WRT54GL. To retain an Internet connection while configuring the RT-AC66U, I used my Lenovo T400 laptop to connect to the new RT-AC66U router. I used my office desktop already connected to the existing WRT54GL router. In this manner I compared configuration settings.
Administration > Management

Router Management
- Router Username: xxxxxxxxxx
- Router Password: xxxxxxxxxx
Web Access
- Enable Info site: Disable
Remote Access
- Web GUI Management: Disable
- SSH Management: Disable
- Telnet Management: Disable
- Allow Any Remote IP: Enable
Boot Wait
- Boot Wait: Enable
Cron
- Cron: Enable
802.1x
- 802.1x: Enable
Reset Button
- Reset Button: Enable
Routing
- Routing: Enable
JFFS2 Support
- JFFS2 Support: Enable
- Clean JFFS2: Disable
Language Selection
- Language: English
CIFS Automount
- Common Internet File System: Disable
Apply Settings, Save

Keep Alive
- Disable all.
Schedule Reboot
- At a set Time: 02:34 Everyday
WOL (Wake-On-LAN daemon)
- WOL daemon: Disable
Apply Settings, Save
Security > Firewall

Firewall
- SPI Firewall: Enable
Additional Filters
- Filter Proxy: Disable
- Filter Cookies: Disable
- Filter Java Applets: Disable
- Filter ActiveX: Disable
Block WAN Requests
- Block Anonymous WAN Requests (ping): Enable
- Filter Multicast: Enable
- Filter WAN NAT Redirection: Disable
- Filter IDENT (Port 113): Enable
- Block WAN SNMP access: Disable
Impede WAN DoS/Bruteforce
- Limit SSH Access: Enable
- Limit Telnet Access: Enable
- Limit PPTP Access: Enable
- Limit FTP Access: Enable
Connection Warning Notifier
- Warning Notifier: Disable
Log
- Log: Disable
Apply Settings, Save
Services > Services

Services Management
DNSMasq
- DNSMasq: Enable
- Local DNS: Enable
- No DNS Rebind: Enable
- Query DNS in Strict Order: Enable
- Add Requestor MAC to DNS Query: Disable
IP over DNS Tunneling
- nxtx Daemon: Disable
PPPoE Relay
- Relay: Disable
SES / AOSS / EZ-SETUP / WPS Button
- Turning off radio: Disable
RFlow / MACupd
- RFlow: Disable
- MACupd: Disable
SNMP
- SNMP: Disable
Secure Shell
- SSHd: Enable
- SSH TCP Forwarding: Disable
- Password Login: Disable
- Port: 22
- Authorized Keys: (copied and pasted)
System Log
- Syslogd: Disable
Telnet
- Telnet: Disable
The Onion Router Project
- TOR: Disable
WAN Traffic Counter
- ttraff Daemon: Enable
Zabbix
- Client: Disable
Apply Settings, Save
I enabled strict query order to ensure the router always first checked the LAN server, which is running DNSMasq and my blocking strategy.
I rebooted the router to ensure none of the configurations caused boot problems.
ISP/WAN/LAN Settings
The router was not yet connected to the ISP and was still configured with its default IP addresses. I needed to configure DD-WRT for the ISP and LAN.
Setup > Basic Setup

WAN Connection Type
- Connection Type: Static IP
- WAN IP Address: 192.168.100.100
- Subnet Mask: 255.255.255.0
- Gateway: 192.168.100.1
- Static DNS 1: LAN server IP address
- Static DNS 2: LAN server IP address
- Static DNS 3: LAN server IP address
Optional Settings
- Router Name: xxxxxxxxxx
- Host Name: xxxxxxxxxx
- STP: Enable
Router IP
- Local IP Address: xxx.xxx.xxx.xxx
- Subnet Mask: 255.255.255.0
- Gateway: xxx.xxx.xxx.xxx
- Local DNS: LAN server IP address
Network Address Server Settings (DHCP)
- DHCP Type: DHCP Server
- DHCP Server: Disable
- Start IP Address: xxx.xxx.xxx.129
- Maximum DHCP Users: 50
- Client Lease Time: 1440 minutes
- WINS: 0.0.0.0
- Use DNSMasq for DHCP: Enable
- Use DNSMasq for DNS: Enable
- DHCP-Authoritative: Disable
- Forced DNS Redirection: Disable
Time Settings
- NTP Client: Enable
- Time Zone: A local time zone
- Server IP/Name: An NTP pool address
Apply Settings, Save
Except for testing I do not use DHCP at the router. Configuring the Start IP Address requires temporarily enabling DHCP, applying the settings, then disabling DHCP.
Using the LAN server IP address as the sole DNS server ensures all connections use my LAN server and blocking scheme.
As I was not yet connected to the ISP, the router time remained incorrect.
This was a good time for a backup snapshot. I rebooted as a test. Next I cycled the power to the router as another test.
LAN Wireless Settings
I use the same subnet as my wired LAN.
Configuring the LAN wireless was kind of a go-no-go point. After configuring I would need to connect to the ISP and disable the WRT54GL. Otherwise the two routers would conflict. I could have created new SSID names, but I wanted to retain the old names.
Wireless > Basic Settings

Physical Interface wl0
- Wireless Mode: AP
- Wireless Network Mode: Mixed
- Wireless Network Name (SSID): xxxxxxxxx
- Wireless Channel: 11
- Wireless SSID Broadcast: Enabled
- Network Configuration: Bridged
Physical Interface wl1
- Wireless Network Mode: Disabled
Apply Settings, Save

Wireless > Wireless Security

Physical Interface wl0 SSID
- Security Mode: WPA2 Personal
- WPA Algorithms: AES
- WPA Shared Key: A pass phrase
Apply Settings, Save
As I am unfamiliar with dual band wireless, I initially disabled the Physical Interface wl1 wireless interface.
This was another good time for a backup snapshot. I rebooted as another test.
I powered off and swapped the two routers. After booting the RT-AC66U I confirmed I could connect using wired with both my office desktop and laptop.
I could not connect the laptop using wireless. The existing NetworkManager configurations were set to the old router, such as BSSID/MAC addresses. A few adjustments in the NetworkManager dialogs and I could connect with wireless. I rebooted the laptop to ensure wireless remained functional.
I could browse the web using wired or wireless, but running an iperf wireless test was discouraging. I run hourly cron jobs to record iperf results with respect to my LAN. That is a nominal monitoring tool only and not meant to test actual throughput. The laptop has an Intel 5100 AGN wireless controller and should be able to use 802.11n. In addition to the device name, the iwconfig command showed IEEE 802.11abgn.
With the WRT54GL only supporting 802.11abg, my average wireless speeds have been about 21 Mbps. That speed is typical with 802.11g. With the RT-AC66U I was seeing iperf results of half that speed. The RT-AC66U supports up to 802.11ac. With the RT-AC66U I expected no slower than the previous average and hopefully something faster.
Lots of tinkering and surfing the web revealed little. I installed an older Build 25697 v24 SP2. No change. I updated the DD-WRT firmware to the latest beta release. No change.
My WAN/ISP connection speeds with the RT-AC66U were about the same as with the WRT54GL. My iperf tests using wired were a tad faster with the RT-AC66U. Only wireless was problematic.
In the end the best I accomplished was configuring the wl0 2.4 GHz radio for G-Only and the wl1 5 GHz radio for N-Only. With that configuration I saw wireless 2.4 GHz connection speeds at about the same as with the WRT54GL.
Using the 5 GHz band always resulted in poor speeds barely bumping 10 Mbps. Reading around the web indicates that running both 802.11g and 802.11n on the same router might reduce overall throughput. Living rurally I do not have to worry about neighborhood interference. I again disabled the 5 GHz radio (Wireless Network Mode: Disabled). Tinkering with 802.11n would have to wait until another day.
Guest Wireless Settings
For house guests with wireless devices I use a different subnet from the LAN, 192.168.3.1. An isolated guest wireless network requires 1) a virtual interface, 2) a bridge, 3) a separate DHCP server, and 4) some iptables firewall rules. With a dual band router, a new virtual device may be added to either physical interface. In my case, I wanted to use wl0. For me the virtual interface is wl0.1.
Thanks to Alex Laird for providing this information.
Wireless > Basic Settings

Wireless Physical Interface wl0
- Virtual Interfaces: Add button
- Wireless Network Name (SSID): xxxxxxxxxx
- Wireless SSID Broadcast: Enable
- AP Isolation: Disable
- Optimize Multicast Traffic: Disable
- Network Configuration: Bridged
Apply Settings, Save

Wireless > Wireless Security

Virtual Interfaces wl0.1
- Security Mode: WPA2 Personal
- WPA Algorithms: AES
- WPA Shared Key: A pass phrase
Apply Settings, Save

Setup > Networking

Create Bridge
- Add button
- Name: br1
Apply Settings
Assign to Bridge
- br1: Interface wl0.1
Apply Settings
Network Configuration br1
- Label: Guest Wireless
- Multicast forwarding: Disable
- Masquerade / NAT: Enable
- Net Isolation: Disable
- Forced DNS Redirection: Disable
- IP Address: 192.168.3.1
- Subnet Mask: 255.255.255.0
Apply Settings
Multiple DHCP Server
- Add button
- DHCP 0: br1 - Guest Wireless
Apply Settings, Save

Administration > Commands

    # Enable NAT on the WAN port to correct a bug in builds over 17000.
    iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
    # Allow guest bridge (br1) new connections out to the Internet.
    iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
    # Block new connections from the guest bridge (br1) into the LAN bridge (br0).
    iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
    # Block new connections from the LAN bridge (br0) into the guest bridge (br1).
    iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
    # Deny guest network access to router services.
    iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
Save Firewall
I added some DNSMasq options to support the guest wireless network.
Services > Services > Services Management > DNSMasq

Additional DNSMasq Options:
    # Enables DHCP on br1
    interface=br1
    # Set the default gateway for br1 clients
    dhcp-option=br1,3,192.168.3.1
    # Set the DHCP range and default lease time of 24 hours for br1 clients
    dhcp-range=br1,192.168.3.102,192.168.3.150,255.255.255.0,24h
This is another good moment for a backup snapshot and rebooting the router.
I now had the LAN wired and wireless networks configured as well as a guest wireless network.
VLAN Settings
I wanted two VLAN ports. I use one VLAN port to isolate my Windows box. I use the other VLAN for temporary systems, such as when I work on another person’s computer. On the WRT54GL I was using the built-in hardware switch ports 3 and 4.
Setup > VLANs

VLAN
- vlan0: No ports, no bridge assignment
- vlan1: Ports 1,2 enabled, Bridge: LAN
- vlan2: Port W(AN), Bridge: None
- vlan3: Port 3, Unbridged LAN
- vlan4: Port 4, Unbridged LAN
- Link Aggregation on Ports 3 and 4: No
Apply Settings, Save

Setup > Networking

Network Configuration vlan3
- Label: VLAN-Windows Computer
- Bridge Assignment: Unbridged
- Masquerade / NAT: Enable
- IP Address: 192.168.40.1
- Subnet Mask: 255.255.255.0
Network Configuration vlan4
- Label: VLAN-Spare
- Bridge Assignment: Unbridged
- Masquerade / NAT: Enable
- IP Address: 192.168.50.1
- Subnet Mask: 255.255.255.0
Apply Settings
Multiple DHCP Server
- Add button
- DHCP 1: vlan3 - VLAN-Windows Computer
Apply Settings
- Add button
- DHCP 2: vlan4 - VLAN-Spare
Apply Settings, Save

Administration > Commands

    # Allow VLAN traffic.
    iptables -I INPUT -i vlan3 -j ACCEPT
    iptables -I FORWARD -i vlan3 -o br0 -m state --state NEW -j ACCEPT
    iptables -I FORWARD -i vlan3 -m state --state NEW -j ACCEPT
    iptables -I INPUT -i vlan4 -j ACCEPT
    iptables -I FORWARD -i vlan4 -o br0 -m state --state NEW -j ACCEPT
    iptables -I FORWARD -i vlan4 -m state --state NEW -j ACCEPT
Save Firewall
I added some DNSMasq options to support the VLAN networks.
Services > Services > Services Management > DNSMasq

Additional DNSMasq Options:
    # Enables DHCP on vlan3
    interface=vlan3
    # Set the default gateway for vlan3 clients
    dhcp-option=vlan3,3,192.168.40.1
    # Set the DHCP range and default lease time of 24 hours for vlan3 clients
    dhcp-range=vlan3,192.168.40.102,192.168.40.150,255.255.255.0,24h
    # Enables DHCP on vlan4
    interface=vlan4
    # Set the default gateway for vlan4 clients
    dhcp-option=vlan4,3,192.168.50.1
    # Set the DHCP range and default lease time of 24 hours for vlan4 clients
    dhcp-range=vlan4,192.168.50.102,192.168.50.150,255.255.255.0,24h
Connecting to one of the VLANs showed the default route and Primary DNS as 192.168.40.1 and an assigned IP address in the same subnet. No sign of my LAN DNS server IP address, which is what I wanted.
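Because every firewall line in the guest wireless and VLAN Commands boxes uses `iptables -I`, each new rule lands at the top of its chain, so the last line of the script is matched first. The following Python is an added example (not the post's own code) that models that stacking for the FORWARD rules quoted above and evaluates new connections between segments; it knows only the rules listed in this post, not DD-WRT's default chains, and uses `vlan2` from the VLAN table to stand in for the WAN port.

```python
import shlex

# Rules copied from the post's Administration > Commands boxes (nat SNAT line omitted).
GUEST_RULES = [
    "iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT",
    "iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP",
    "iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP",
]
VLAN_RULES = [
    "iptables -I FORWARD -i vlan3 -o br0 -m state --state NEW -j ACCEPT",
    "iptables -I FORWARD -i vlan3 -m state --state NEW -j ACCEPT",
    "iptables -I FORWARD -i vlan4 -o br0 -m state --state NEW -j ACCEPT",
    "iptables -I FORWARD -i vlan4 -m state --state NEW -j ACCEPT",
]
OPTS = {"-i": "in", "-o": "out", "-j": "target"}

def parse_rule(line):
    """Reduce one command to the matchers this toy model needs; every option takes one argument."""
    argv = shlex.split(line)
    if argv[:1] != ["iptables"] or "-t" in argv:
        return None                      # only the filter table is modelled
    rule = {"chain": None, "insert": False, "in": None, "out": None,
            "new": False, "target": None}
    for opt, val in zip(argv[1::2], argv[2::2]):
        if opt in ("-I", "-A"):
            rule["chain"], rule["insert"] = val, opt == "-I"
        elif opt in OPTS:
            rule[OPTS[opt]] = val
        elif opt == "--state":
            rule["new"] = "NEW" in val.split(",")
    return rule

def build_chains(commands):
    """-I puts a rule at the top, so the LAST script line is matched FIRST."""
    chains = {}
    for rule in filter(None, map(parse_rule, commands)):
        chain = chains.setdefault(rule["chain"], [])
        chain.insert(0 if rule["insert"] else len(chain), rule)
    return chains

def verdict(chain, in_if, out_if, new=True):
    """First matching rule wins; POLICY means the chain's default policy decides."""
    for r in chain:
        if r["in"] in (None, in_if) and r["out"] in (None, out_if) and (new or not r["new"]):
            return r["target"]
    return "POLICY"

def forward_verdicts(commands, flows):
    """Verdict for each (in_if, out_if) NEW connection passing through FORWARD."""
    chain = build_chains(commands).get("FORWARD", [])
    return {f"{i}->{o}": verdict(chain, i, o) for i, o in flows}
```

With the guest lines in the order the post gives them, br1 to br0 and br0 to br1 come out DROP while br1 to the WAN side is ACCEPT; writing the two DROP lines before the ACCEPT line instead would let the ACCEPT shadow them. Run against the VLAN lines, the model accepts new connections from vlan3 and vlan4 into br0, so any separation of those ports from the LAN comes from rules outside this post rather than from these commands.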
Loose Ends and Tweaks
I use some custom scripts that I wrote myself or downloaded from the web.
Administration > Management > Cron

Additional Cron Jobs:
    */1 * * * * root sh /jffs/etc/config/traffic.sh
I used scp to copy files to the router:
- /jffs/etc/profile
- /tmp/root/.profile/profile
- /jffs/etc/config/rc_startup.startup
- /jffs/etc/config/rc_startup.wanup
- /jffs/etc/config/traffic-repair.sh
- /jffs/etc/config/traffic.sh
- /jffs/etc/authorized_keys
- /tmp/root/.ssh/authorized_keys
- /jffs/etc/hosts
- /tmp/hosts
- /jffs/etc/dnsmasq.conf
- /tmp/dnsmasq.conf
I remain dissatisfied with the external RT-AC66U indicators. I much prefer the front-view indicators of the WRT54GL. Seems the Asus engineers chose style over function. Or perhaps they were overruled by the marketing wonks, who usually have no clue about function.
On my to-do list are configuring a VPN and fixing the 802.11n problems.
Posted: Tutorial, Usability Tagged: DD-WRT