Saturday, March 28, 2009

Linksys & DD-WRT Tinkering

I actually performed this upgrade quite a while ago. Just trying to play catch-up with some documentation.

In this post I cover installation, general setup, OpenDNS, and Dynamic DNS.

DD-WRT is a free firmware upgrade for most consumer routers. It adds a great deal of functionality and control to your router that otherwise might not be available.

I was in need of a wireless router and knew I wanted to put DD-WRT on it, so I bought a Linksys WRT54GL - reported to be the most compatible and easiest to upgrade. And indeed it is.

Installation

Following the instructions on the install page for WRT54GL I was able to flash the firmware without any problems and had a new, stable, and better router. (Each router install is different depending on the model. Instructions for other routers can be found here.)

After I had been using it for a few months a new version was released so I performed an upgrade to v24-sp1. The following setup instructions are specific to v24-sp1.

Setup

When making changes in the setup I found that it works best to make all the changes needed on a page, click the Save button, and then click the Apply Settings button. If you don't click on the Save button then the changes made will be lost if you change pages. And I have run into problems of the router hanging and not responding if I click on Apply Settings before clicking on Save. (In these cases the router continues to function but doesn't respond to the web interface, even days later. Only a reboot snaps it out of this state.)

Some of the changes I made to the router setup are as follows (your needs may vary):

Administration - Management
Obviously, the first thing to do is change the default password.

Wireless - Basic Settings
Wireless mode - AP
Wireless network mode - mixed
Wireless Network Name (SSID) - (change this, don't leave it as default)

I had originally set Wireless SSID broadcast to Disable (for additional security), but our Wii game console can't find wireless networks that aren't broadcasting the SSID, so I had to change it back to Enable.

Wireless - Wireless Security
Security mode - WPA Personal
WPA Algorithms - TKIP
WPA Shared Key - ************* (Right - like I'm giving this out, but be sure to set it and remember it. If you forget it then you can unmask it.)

Wireless - Advanced Settings
The TX power can be changed here. Its default is 70 and I left it there. But it can be boosted for better performance if necessary. The older version used to recommend a max, but I can't remember what it was. 100 I think. But it can be cranked up to 251mW, which is probably not a good idea.

Services - Services

DHCP Server
The router has a built-in DHCP server, but in addition to leasing dynamic IPs I wanted it to lease static IPs to the known computers on the network. I looked up each computer's MAC address under Status - LAN and assigned each one a static IP address. This way each computer can continue to use DHCP (for easier setup) but use a static IP so I can find them on the network.

DNSMasq
DNSMasq - Enable
Local DNS - Enable
Additional DNSMasq Options: strict-order

These settings are for use with OpenDNS. See below.

RFlow / MACupd
This service is for use with RFlow Collector. I've got a Windows server set up with RFlow Collector that I can use to monitor network and internet traffic. Yes, I snoop on my own network. I do this mainly because I can (like most things I do) and because I'm curious. Also partially because if I experience network problems it's another place to look when troubleshooting.

RFlow - Enable
Server IP - (enter server IP here)
Port - 2055 (default)
MACupd - Enable
Server IP - (same as above)
Port - 2056 (default)
Interface - LAN & WLAN
Interval - 10

On the server side I had to set up MySQL and RFlow Collector. Instructions here.

To view the logs I created a Microsoft Access front-end that imports the data from the MySQL tables (shared over an ODBC link) with queries that help to make sense out of it.

Secure Shell
I want to be able to SSH into the router. This is for a variety of reasons: troubleshooting, remote network access, etc. With a dynamic DNS service (more on that later) I could SSH from anywhere in the world with internet access.

SSHd - enable
SSH TCP Forwarding - Disable
Password Login - Disable
Port - (changed) I did not leave this as the default 22, for security reasons
Authorized Keys - (enter public key here)

A few notes: I used public key authentication instead of password authentication here. Again, for security reasons. Without password authentication the router can't be hacked by guessing the password. The one disadvantage is that without my private key, I can't get into it either. More information on this and how to set up public/private key pairs can be found here.

NAT/QoS - Portforwarding
I have a webserver (that I'm really not doing anything noteworthy with at the moment, but have plans) so I use port forwarding to make the webserver visible to the internet.

Application - webserver
Port from - 80
Protocol - Both
IP Address - (IP address of webserver)
Port to - 80
Enable - check

OpenDNS

In order to filter internet content and be somewhat in control of what my kids have access to on the internet, I decided to use OpenDNS for DNS service instead of the default DNS my ISP provides.

After creating an OpenDNS account I made the following setup changes:

Setup - Basic Setup
Static DNS 1 - 208.67.222.222
Static DNS 2 - 208.67.220.220
Use DNSMasq for DHCP - check
Use DNSMasq for DNS - check
DHCP-Authoritative - check

To plug one of the holes used to get around these DNS filters (clients pointing themselves at a different DNS server), I added the following commands to the firewall:
Administration - Commands
Firewall
iptables -t nat -A PREROUTING -p udp -i br0 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -p tcp -i br0 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
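The two DNAT rules above catch every DNS query leaving the LAN, whichever resolver address a client has typed in, and hand it to the router's DNSMasq (and so to OpenDNS). A quick way to confirm that from a LAN host is to send a query to an address that runs no DNS server and see whether an answer comes back at all. The probe below is an added example, not part of the original post or of DD-WRT; the documentation address it mentions is a constructed placeholder.

```python
import random
import socket
import struct

def build_query(name, qid=None):
    """Return (wire-format A/IN query for `name`, transaction id)."""
    qid = random.randrange(65536) if qid is None else qid
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD set; one question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1), qid   # QTYPE A, QCLASS IN

def _skip_name(msg, pos):
    """Advance past a domain name that may end in a compression pointer."""
    while msg[pos] != 0 and msg[pos] & 0xC0 != 0xC0:
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] & 0xC0 == 0xC0 else 1)

def parse_a_records(resp, qid):
    """Return the IPv4 answers in `resp`, or None if it is not a clean reply to `qid`."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", resp[:12])
    if rid != qid or not flags & 0x8000 or flags & 0x000F:   # id mismatch, not a response, RCODE != 0
        return None
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(resp, pos) + 4            # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:              # A record
            addrs.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return addrs

def probe(server_ip, name="www.example.com", timeout=2.0):
    """Send one A query to `server_ip`:53; return the answers, or None on timeout.
    With the DNAT rules active the router answers for any address, so a reply from an
    address that runs no DNS server (e.g. constructed 198.51.100.1) proves the redirect.
    Conntrack rewrites the reply's source back to `server_ip`, so the source tells nothing."""
    query, qid = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    return parse_a_records(data, qid)
```

Run `probe("198.51.100.1")` from a machine on the LAN: a list of addresses means the router intercepted the query, None means the query went out unredirected and nobody answered.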

In order to take full advantage of OpenDNS's filter capabilities, the router's WAN IP address needs to be registered with the OpenDNS account. But if the IP address changes (which is likely to happen with most ISPs) then the filter won't work. OpenDNS has a client-side application you can run on your computer that auto-updates the IP address with OpenDNS, or you can take advantage of the built-in functions of DD-WRT to do the same thing. See below.

Dynamic DNS

In addition to updating my dynamic IP address with OpenDNS, I wanted to have a human-usable domain name to see my webserver or SSH to my router whenever I'm away from the network. So I need a domain name and a dynamic DNS service to keep track of my IP address.

First I registered a domain name with DynDNS (it's free). DD-WRT has the ability to interface with DynDNS and auto-update my IP address with them directly, but I also needed to register my IP with OpenDNS. The router can't manage both at the same time.

That's where DNS-O-Matic comes in, an awesome service, also provided by OpenDNS, that can update your dynamic IP with several dynamic DNS providers. After setting up my DNS-O-Matic account to forward my IP to both OpenDNS and DynDNS, I just need to set up the router for the one service.

Following the instructions from DNS-O-Matic:

Setup - DDNS
DDNS Service - Custom
DYNDNS Server - updates.dnsomatic.com
Username - (enter username)
Password - (enter password)
Hostname - all.dnsomatic.com
URL - /nic/update?
Force Update Interval - 10 (default)
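The Custom DDNS entry above amounts to one HTTP request in the DynDNS-style update protocol that DNS-O-Matic accepts: a GET to the server and path shown, with the username and password in an HTTP Basic header and the hostname and new IP as query parameters. The script below, an added example and not DD-WRT's own DDNS client, builds that request and interprets the one-word reply; the server, path and hostname are the values from the settings above, the return-code table is the standard DynDNS one, and the credentials and IP address are constructed.

```python
import base64
import urllib.request
from urllib.parse import urlencode

DDNS_SERVER = "updates.dnsomatic.com"   # DYNDNS Server from the settings above
DDNS_PATH = "/nic/update"               # URL from the settings above
DDNS_HOST = "all.dnsomatic.com"         # "all" pushes the IP to every service linked in DNS-O-Matic

# First word of the reply body in the DynDNS update protocol.
# True: the update succeeded. False: fix the configuration before retrying.
RETURN_CODES = {
    "good":    (True,  "address updated"),
    "nochg":   (True,  "address unchanged; sending this repeatedly counts as abuse"),
    "badauth": (False, "username or password rejected"),
    "notfqdn": (False, "hostname is not a fully qualified domain name"),
    "nohost":  (False, "hostname not registered with this account"),
    "abuse":   (False, "hostname blocked for update abuse"),
    "911":     (False, "server-side problem; retry later, not immediately"),
}

def build_update_request(username, password, ip, hostname=DDNS_HOST):
    """Return (url, headers) for one update request.
    The credentials travel in an HTTP Basic header, so the transport is HTTPS."""
    query = urlencode({"hostname": hostname, "myip": ip})
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}",
               "User-Agent": "ddns-example/1.0 (added example)"}   # providers reject blank agents
    return f"https://{DDNS_SERVER}{DDNS_PATH}?{query}", headers

def parse_update_response(body):
    """Map the reply body to (ok, confirmed_ip_or_None, explanation)."""
    parts = body.strip().split()
    code = parts[0] if parts else ""
    ok, why = RETURN_CODES.get(code, (False, f"unrecognised reply {body.strip()!r}"))
    ip = parts[1] if ok and len(parts) > 1 else None
    return ok, ip, why

def update(username, password, ip):
    """Send the update over HTTPS and return parse_update_response() of the reply."""
    url, headers = build_update_request(username, password, ip)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_update_response(resp.read().decode("ascii", "replace"))
```

The "nochg" and "abuse" codes are why the Force Update Interval above is left at its default rather than set to something aggressive: re-sending an unchanged address too often gets the hostname blocked.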

Conclusion

DD-WRT has so much more functionality that I'm not using. It's a very interesting and exciting platform to play around with.
