DD-WRT – Linux-based router firmware

I figured I would “nerd out” a little for this article and talk about a program that can unlock the capabilities of your home router. The program is named DD-WRT. It is a Linux-based open-source firmware that can be put on quite a few WLAN routers and embedded systems. It has a graphical user interface much like what your router probably has right now. One big difference is that this software will take advantage of every possible feature your router can do. You may be asking yourself, “Can my router do all these wonderful things?” There is one easy way to find out. Go to www.dd-wrt.com and select “Router Database”. Type in the first three letters or numbers of your router’s model number and it will most likely find the name of your exact router. Once you have selected your router it will say yes, not possible, no, or wip. Wip is “Work in progress”. For my particular router, I had to use the router recovery program from Asus since they check the firmware to make sure it is from Asus before it tries to install the firmware. Therefore the firmware from DD-WRT isn’t recognized by the firmware updater on the stock router. Once I loaded the special restore file it pulled up with the new DD-WRT control panel. One thing I like very much about the interface is that every setting has a description to the right so you know exactly what each change you can make does.

Some options that you may not have had before are throughout the control panel. Some of the fun is browsing around and checking out all the new possibilities. However, one setting I did not see explained well was STP, which is “Spanning Tree Protocol”. This is a method for dynamically calculating the best spanning tree of a computer network without loops. You would need this if you are using your router in a mesh network with multiple repeaters or an ad hoc network. Most likely you would leave this option off. The rest of the options on the basic setup page are fairly straightforward and have an explanation in the help page. Take a look at the DDNS tab under setup and you will see that even if your router supported this before, there are many more choices available now. DD-WRT has very advanced features for bridging networks. With the particular router I am using, I have the option to set my router to be an Access Point, Client, Ad hoc router, repeater, or repeater bridge. If your router does not currently support SPA or WPA wireless encryption it might be interesting to see if DD-WRT would give you the new and safer wireless encryption. If you are into tuning your wireless network for performance you will have almost every option available in the new wireless routers. You can set video and audio to have priority over the wireless when streaming movies and music. You can set a schedule so your wireless network is only on when you are home, which I think is a very nice security feature.

In the Services tab you will see the option to turn off your wireless radio, turn on SSH, or turn off telnet. By default your WAN traffic counter is on so you can look at a history of your usage on the internet. Something that most likely your old router did not have is VPN support. Older routers usually will allow you to turn on VPN pass-through so you can access VPN servers outside of your network. DD-WRT allows you to set your router as a VPN server to securely connect to the internet on your laptop while on the road. Your laptop connects to your home router through an encrypted tunnel and then goes to the internet. This way if you are at an airport, coffee shop, or hotel all the traffic will be encrypted and people will be unable to see your passwords, e-mail, or browsing traffic. This software also allows you to set your router as a VPN client to a remote location, making a private network between the remote router and your router. If you have a USB port on your router you will still have the ability to use a storage device or printer on that port. Another tab is Hotspot, which most likely you will not be using. This allows businesses such as coffee shops to set up a hotspot that would require some special step to gain access. This would allow them to charge a fee for internet access. You can also add AnchorFree, which would put ads in the browser so the person providing internet can make some money from giving out free internet access.

Your security tab has pretty standard options such as an SPI firewall and the ability to filter out proxies, cookies, Java applets, and ActiveX. You can also set what people out on the internet will see when they look for your router. By default people cannot ping your router. You can turn on logs and tune what level it will retain. If you want to know everything that happens and set your log level to high, the log will fill up very quickly. You can have it tell you every dropped connection, rejected connection, and successful connection. I suggest you leave this on low so that the log will make sense.

The Access Restrictions tab allows you to limit internet access to certain computers during set times. This is great if you have kids that you don’t want getting on the internet late at night. Although your child would have limited internet access on his/her computer, you would still have full internet access on yours. This is one advantage over turning your whole wireless connection off. Another wonderful feature is “Blocked Services”. You can block certain programs from accessing the internet without having to know what ports they use. You can block Skype, BitTorrent, chat clients, and many many more services. With a single checkbox you can turn off all of the file sharing (P2P) protocols. You can also block any website that has particular words in it or by certain addresses. This is an extremely powerful feature for limiting high-bandwidth application use.

With NAT/QoS you will be able to set port forwarding options. This allows you to remotely connect to a device inside of your home or business network that you want to have access to while you are at a different location. If you have an IP cam that has its own IP address on your network you would be able to use port forwarding to connect to your camera and see it remotely. You can also set a port range rather than individual ports. You will most likely want to turn on UPnP on your router. UPnP allows applications on your computer to open up ports on the router dynamically. When you are not using the program it will close down those ports, which ends up being more secure. You can also go in and remove ports that you do not want open. DMZ allows you to set one computer or device on the network that all incoming traffic will be forwarded to. It stands for Demilitarized Zone and is good if you are running a server that needs to act like it is directly on the internet without any sort of firewall or routing. The final option in this category is QoS. You have the ability to give priority to certain services, networks, or individual computers. You can set certain bandwidth limits on the devices and it has an option to optimize for gaming. If you do not have multiple users on the internet at the same time you don’t really need to worry about this that much.

Let’s geek out on the Administration tab for a moment. When you go to the IP address of your router there is an information page that comes up automatically. If you do not want others having access to this information you have the ability to require a password to view that page. You also can turn on HTTPS whenever you are accessing the router. On this page you can set whether people outside of your network can access the Web GUI, SSH, or Telnet. Since DD-WRT is based on Linux you have the ability to set cron jobs. Cron jobs are commands that can be run at certain increments or times. You could have it ping a certain address or do some simple task every hour, day, or even every second if you wish.
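The settings named in the Services, Security, NAT/QoS and Administration tabs can be checked in one pass from the router's SSH shell. The script below is an added example, not code from the article or from the DD-WRT project; the nvram key names it reads and the sample dump are assumptions, so compare them with your own router's `nvram show` output first.

```shell
#!/bin/sh
# Added example, not DD-WRT project code.
# Reads KEY=VALUE lines (the format `nvram show` prints) on stdin and flags
# settings from the tabs above that widen the router's attack surface.
# ASSUMPTION: the nvram key names used here; confirm them on your own build.
audit_ddwrt() {
    awk '
    function flag(msg) { print "WARN: " msg; n++ }
    {
        eq = index($0, "=")
        if (eq > 1) s[substr($0, 1, eq - 1)] = substr($0, eq + 1)
    }
    END {
        if (s["telnetd_enable"] == "1")
            flag("telnet is on (cleartext logins); turn it off and use SSH")
        if (s["remote_mgt_telnet"] == "1")
            flag("telnet is reachable from outside the network")
        if (s["remote_management"] == "1")
            flag("Web GUI is reachable from outside the network")
        if (s["remote_mgt_ssh"] == "1")
            flag("SSH is reachable from outside the network")
        if (s["https_enable"] != "1")
            flag("HTTPS is off for the Web GUI")
        if (s["info_passwd"] != "1")
            flag("information page needs no password")
        if (s["upnp_enable"] == "1")
            flag("UPnP is on; review the ports it has opened")
        if (s["dmz_enable"] == "1")
            flag("DMZ sends all incoming traffic to host " s["dmz_ipaddr"])
        if (s["block_wan"] != "1")
            flag("router answers ping from the internet")
        printf "%d finding(s)\n", n
        exit (n > 0)
    }'
}

# Constructed sample dump (not from a real router).
sample_dump() {
    printf '%s\n' telnetd_enable=1 sshd_enable=1 remote_management=0 \
        remote_mgt_ssh=0 remote_mgt_telnet=0 https_enable=0 info_passwd=0 \
        upnp_enable=1 dmz_enable=0 block_wan=1
}

# On the router itself: nvram show 2>/dev/null | audit_ddwrt
sample_dump | audit_ddwrt || true
```

The function exits non-zero when it finds anything, so it can be dropped into a cron job that only alerts when a setting has drifted.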

As you can tell DD-WRT is packed full of features. The status tab has tons of statistics of exactly what your router is doing. If upgrading the firmware of your router seems like a big task, you may want to be careful in doing something as advanced as changing the operating system of your router. If you have an extra-old router you can play around with, I encourage you to learn the software with that device. You may also want to download the latest firmware from your router manufacturer before doing all this so that if something doesn’t work right, you can reload your stock firmware onto the router and be back up and running on the internet. Feel free to check out www.dd-wrt.com and do some reading in the forums regarding your particular router. You will see some of the roadblocks others have run into while setting up and running a similar device.

About Brian Aldridge

I am a software developer and podcaster. Catch me weekly on Infection - The Survival Podcast at https://infectionpodcast.com
