Have I setup DD-WRT correctly?

DD-WRT Forum Index -> Broadcom SoC based Hardware
deez444
DD-WRT Novice


Joined: 01 Apr 2021
Posts: 3

PostPosted: Thu Apr 01, 2021 18:07    Post subject: Have I setup DD-WRT correctly?
Hi,

Had problems installing on a netgear 8500 but got it working thanks to

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1169279#1169279

it was worth it.

I would like to say that I'm not an IT professional and new to ddwrt. I have done research

But I need some help and before I get flamed I searched the forum and it did not get answers.

1 There seem to be updates to ddwrt very frequently; should I update every time? Is there a way to stay with a build if it works for you? How do you know if there is a critical vulnerability and you must update to the newest firmware?

2 How do you set up an isolated guest wifi and an isolated guest VLAN on a LAN port?

3 Misc questions. My setup is my ISP's re-branded ARRIS cable modem / router in modem mode to a Broadcom h/w ddwrt.

Ignore WAN DNS ON or OFF? Is this something to do with DNS leaks on VPNs? If so, is this VPN on ddwrt or on your PC?

WAN Connection type is auto config DHCP in ddwrt, advanced routing tab is Gateway? Router mode kills the internet connection? Am I using the correct settings? Will the ddwrt firewall still work in Gateway mode?

SPI firewall – I want max protection but for things to still work without a lot hassle, which options should I select?

Log management – what do you do to the firewall log to work? Log levels? Options dropped, rejected, accepted?

Dynamic routing interface – is disabled? Is this important?

Remote access from any IP is ticked? Should I disable it?

UPnP is disabled? Will torrents still work?

I'm looking for the securest settings while still being functional; anything I should do?

Many, many thx to anyone who can help even a little, it is appreciated.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1446
Location: Appalachian mountains, USA

PostPosted: Thu Apr 01, 2021 19:18    Post subject: Re: Have I setup DD-WRT correctly?
deez444 wrote:
Hi,

Had problems installing on a netgear 8500 but got it working thanks to

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1169279#1169279

it was worth it.

I would like to say that I'm not an IT professional and new to ddwrt. I have done research

But I need some help and before I get flamed I searched the forum and it did not get answers.

Lots of questions! I'll take a few and let someone else who knows more about them take others.
Quote:
1 There seem to be updates to ddwrt very frequently; should I update every time? Is there a way to stay with a build if it works for you? How do you know if there is a critical vulnerability and you must update to the newest firmware?

You do not need to update every time. I typically update at intervals of four to six months. You should only update after reading the new-build thread(s) of interest in the forum associated with your router. (I don't know your router so can't say which that is.) You'll find there that some builds are too buggy (for your particular router perhaps) to use. All of us are beta testers all the time. Ignore the router database, as it is not well maintained.
Quote:
2 How do you set up an isolated guest wifi and an isolated guest VLAN on a LAN port?

The wifi part of the question is the easier one. Take a look at the third post at https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1217070, which is my attempt to answer that question.

VLANs, on the other hand, are very hardware specific. You'll need to find a discussion on setting them up for your particular router or router family. The required techniques can vary hugely, so don't just grab the first thing you see for any router and run with it. (My sig below has a link to the VLAN method for the modern Linksys WRT... routers, but don't try it with anything else!)
Quote:
3 Misc questions. My setup is my ISP's re-branded ARRIS cable modem / router in modem mode to a Broadcom h/w ddwrt.

Ignore WAN DNS ON or OFF? Is this something to do with DNS leaks on VPNs? If so, is this VPN on ddwrt or on your PC?

Most people wanting to set up DNS through their VPNs or even just wanting to be sure their explicit choices of DNS providers are used will want to ignore WAN DNS. It's a fairly new setting though, and we managed without it. It's not critical, as the ISP DNS servers are always last in line behind the VPN-provided DNS and any DNS servers you list in Basic Setup. Check the box and they won't be in line at all. If you want the sequence strictly observed - try the first one and only when it fails try the next one, etc. - enable Strict Order in the DNSMasq section in GUI>Services>Services.
Quote:
WAN Connection type is auto config DHCP in ddwrt, advanced routing tab is Gateway? Router mode kills the internet connection? Am I using the correct settings? Will the ddwrt firewall still work in Gateway mode?

Unless you are configuring multiple routers to work together (sounds like you are not), stick with the default Gateway mode. I believe Router has no WAN functioning or firewall, but that's because there's an assumption that you have a primary router taking care of those things.
Quote:
SPI firewall – I want max protection but for things to still work without a lot hassle, which options should I select?

Enable SPI Firewall for sure. I also check the four "Impede WAN DoS/Bruteforce" boxes, but I'm no expert there.
Quote:
Log management – what do you do to the firewall log to work? Log levels? Options dropped, rejected, accepted?

Looks like these choices have evolved since I last looked. Just figure for now that you can ignore it unless you have trouble. More important is the System Log section of GUI>Services>Services. Enable the system log daemon at least. You can try also enabling the kernel log (they go to the same place) if you are a glutton for punishment or a Linux kernel guru and are curious. Last time I tried, I found I did need kernel logging in order to get the Firewall logging on the other tab to do anything. If the kernel is logging and you enable logging dropped packets, you'll get a line in the system/kernel log for every dropped packet. Useful if you are dealing with trouble. I don't use it routinely. And don't ever enable logging of Accepted packets, or your log will be buried with them.
Quote:
Dynamic routing interface – is disabled? Is this i... [accidental delete]

I've never used anything on that tab.
Quote:
Remote access from any IP is ticked? Should I disable it?

Most people should disable all three remote management interfaces - GUI, ssh, and telnet - as these are specifically referring to access from outside your network, from users somewhere across the internet. Disable them and you'll still have access from your own network provided you enable it in GUI>Services>Services. If you disable remote access, it won't matter what "any IP" is set to, as it will be ignored. If you DO need remote access for some reason, it's best to allow it from a specific IP only if you can, if you can do your remote management from a fixed IP address. There are lots of baddies on the internet trying to break into open routers to corrupt them. Make it hard.
Quote:
UPnP is disabled? Will torrents still work?

No idea. Never torrented.
Quote:
I'm looking for the securest settings while still being functional; anything I should do?

Use a really good random password for the router itself, like 12 characters of nonsense, set in GUI>Admin>Management. Then set up ssh (Secure Shell in GUI>Services>Services) to use encryption keys for authorization, and once it is working (there's a wiki), disable password login with ssh and disable telnet altogether. Some suggest changing the default ssh port from the default of 22. Others say it's not worth the bother because the bad guys do port scans. I do it anyway. Pick a five-digit number below 65536 (i.e. stick to large 16-bit unsigned integers). In any case, ssh with keys is the secure way to access the router. That doesn't protect the GUI though, hence the strong password. If you are comfortable with iptables you can also add a firewall command (GUI>Admin>Commands) to restrict admin access to a specific interface, ideally one that only you can use. On my system that's br0, but for you maybe wlan0.1 (a VLAN) or whatever:
Code:
AdminIF=br0
SSH_PORT=$(nvram get sshd_port)
iptables -I INPUT ! -i $AdminIF -p tcp -m multiport \
  --dports $SSH_PORT,telnet,http,https \
  -j REJECT --reject-with tcp-reset

Quote:
Many, many thx to anyone who can help even a little, it is appreciated.

Final note: A guest network is not just for guests. If you set it up with both AP isolation ("guests" isolated from each other) and Net Isolation ("guests" isolated from the main network br0), then that network is the ideal place for you and your family to be connected when you don't need to interact with printers or other devices, because then malware on one machine can't reach out and infect another machine. Malware needs time to poke around the net. Give it as little net to poke as you can, and give it as little poking time as possible.

Also, give some thought to choosing DNS providers. I like Quad9 DNS (quad9.net) at 9.9.9.9 because they don't log (other than city level) and they screen out a million or so malware domains. Cloudflare 1.1.1.1 is popular because they are fast and don't (AFAIK) log, but they don't filter anything either. Adguard DNS (adguard.com, Products, Other, AdGuard DNS) filters malware and advertising and ad trackers, and doesn't log, but isn't the fastest. There are choices out there that go further and also filter out "adult" entertainment sites. Adguard has an option to add that.

Once you are settled down on the basics and are looking for the next step, you can use (GUI>Services>Services>DNSMasq) Encrypt DNS to use DNSCrypt (dnscrypt.info) to encrypt DNS queries and replies to some providers. The menu in dd-wrt is old, and many of the options there are hobby sites or not there or now only working with newer DNSCrypt protocols (dd-wrt builds in an older DNSCrypt implementation because the new one is simply too large). But the menu includes Adguard, and it should work. Also, with some work you can use some DNSCrypt-equipped providers that are not in the menu. See my sig for how to do this for Quad9. The writeup is a bit old now, but my Quad9 code from that setup still works for me. (The adguard menu item though has changed from adguard adguard-dns to adguard-dns-ns1.)

Some people get all excited over DNSSEC (enable all three in the DNSMasq section: Cache DNSSEC data, Validate DNS Replies (DNSSEC), and Check unsigned DNS replies), but only a few percent of websites have digitally signed DNS entries, so it's not really important at present, and it will slow DNS somewhat. In the US no major banks have DNSSEC-signed DNS entries, for example. I did find three VPN providers who sign their websites: AirVPN (airvpn.org), PIA (privateinternetaccess.com) and Mullvad (mullvad.net). I do like that for a VPN site, as I'd hate to give my VPN-account login credentials to a fake site.

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.


Last edited by SurprisedItWorks on Sat Apr 03, 2021 20:16; edited 1 time in total
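The admin-interface restriction from the post above, as an added example that is not part of the original post or of DD-WRT itself. It keeps the same rule (reject ssh, telnet, http and https arriving on anything but the admin interface) but takes the interface name and ssh port as arguments, validates the port against the 1..65535 range the post alludes to, and prints the command as a dry run unless APPLY=1 is set, so the rule can be reviewed before it is pasted into GUI>Admin>Commands. `nvram get sshd_port` is used only when `nvram` exists, so the script also runs off the router; the interface names br0 and wlan0.1 are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the forum post or DD-WRT): build and optionally apply
# the rule that limits router management to one interface.

# is_valid_port PORT: succeeds only if PORT is an integer in 1..65535.
is_valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ssh_port_from_router: the configured sshd port from nvram when run on the
# router, falling back to the ssh default of 22 elsewhere.
ssh_port_from_router() {
    if command -v nvram >/dev/null 2>&1; then
        nvram get sshd_port
    else
        echo 22
    fi
}

# admin_reject_rule ADMIN_IF SSH_PORT: prints the iptables command that rejects
# TCP to the ssh, telnet, http and https ports when the packet arrives on any
# interface other than ADMIN_IF. "-I" puts it at the top of INPUT so it runs
# before any rule that would accept the traffic. Prints nothing and fails on an
# empty interface name or an out-of-range port.
admin_reject_rule() {
    admin_if=$1
    ssh_port=$2
    [ -n "$admin_if" ] || return 1
    is_valid_port "$ssh_port" || return 1
    printf 'iptables -I INPUT ! -i %s -p tcp -m multiport --dports %s,telnet,http,https -j REJECT --reject-with tcp-reset\n' \
        "$admin_if" "$ssh_port"
}

# admin_reject_apply ADMIN_IF SSH_PORT: applies the rule when APPLY=1 is set,
# otherwise shows it as a dry run. Fails without doing anything on bad input.
admin_reject_apply() {
    rule=$(admin_reject_rule "$1" "$2") || return 1
    if [ "${APPLY:-0}" = 1 ]; then
        eval "$rule"
    else
        echo "dry run: $rule"
    fi
}

# Usage: sh restrict_admin.sh br0 [port]   (port defaults to the router's value)
if [ $# -ge 1 ]; then
    admin_reject_apply "$1" "${2:-$(ssh_port_from_router)}"
fi
```

Run it once without APPLY to see the exact command, then with `APPLY=1` on the router; a wrong interface name in the dry run costs nothing, whereas a wrong one applied live locks you out of the GUI and ssh until the next reboot.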
blkt
DD-WRT Guru


Joined: 20 Jan 2019
Posts: 5660

PostPosted: Thu Apr 01, 2021 19:31
Use port forwarding, port range forwarding or port triggering with UPnP disabled for your Linux distros.

https://wiki.dd-wrt.com/wiki/index.php/Port_Forwarding
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1446
Location: Appalachian mountains, USA

PostPosted: Thu Apr 01, 2021 19:56
Also if you have security as a priority, have a look at this discussion on choosing your router IP and subnet with security in mind: https://routersecurity.org/ipaddresses.php

Basically, malware often assumes 192.168.1.1 or at least that it ends in .1, and if you go your own way, you can make it more difficult or even impossible, depending on the malware sophistication, for it to find your router. And identifying the router means going after its admin interfaces, etc.
ThaCrip
DD-WRT User


Joined: 05 May 2008
Posts: 338

PostPosted: Sat Apr 03, 2021 5:42
Quote:
UPnP is disabled? Will torrents still work?


I always leave UPnP disabled as it's more secure this way.

What I do is set up the computer running the torrent client with a specific IP, and I make it so it's NOT in the DHCP range, which by default will be between 192.168.1.100-149 (or so). So for example... you could set up your computer running the torrent client at a static IP of 192.168.1.99 (this is done on the computer itself). Then at this point in DD-WRT go to...

NAT / QoS > Port Forwarding. Then basically...

-Protocol = TCP
-Port from = for example... 11111
-Port to = for example... 11111
-IP address = the IP you used on the computer running the torrent client. So using the example I listed above it would be 192.168.1.99
-Enable = *check the box*

Then make sure it's saved/applied etc. This will help ensure that the torrent client always works on that specific computer, since the IP address won't change because you set it up as a static IP. If you use the default way to get an IP address for your computer it will use DHCP and this might change, and if it does, the torrent client will no longer function properly, since the IP address of your computer always needs to be 192.168.1.99 in the example I gave above for the torrent to function properly.

NOTE: whatever you choose for the "port 'from/to'", they need to be the same, since you're only opening one port on the DD-WRT router for the torrent client.

NOTE: and obviously... you need to set up your torrent program itself to use the port you opened in DD-WRT. So in the example I listed above you would set up your torrent program to use the port 11111.

_________________
Primary Router: Linksys WRT54GS v1.1 /w dd-wrt.v24_mini_generic (r46640 May 13th 2021) ; new Panasonic capacitors Feb 11th 2020 | Backup Router: Linksys WRT54GS v6 /w dd-wrt.v24_micro_generic (r46640 May 13th 2021)
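A small checker for the port-forward recipe in the post above, added here as an example; it is not from the post or from DD-WRT. It encodes the two rules the post gives: the torrent machine's static IP must lie outside the router's DHCP pool (so a lease can never collide with it or move it), and "Port from" must equal "Port to" (one port, not a range). The pool bounds 192.168.1.100-192.168.1.149 and the sample values 192.168.1.99 and 11111 are the ones quoted in the post; the function names are my own. Octets with a leading zero are rejected on purpose, because shells and many libraries read them as octal and the address silently becomes a different one.

```shell
#!/bin/sh
# Added example (not from the forum post or DD-WRT): sanity-check a planned
# port forward against the advice given in the thread.

# ip_to_int A.B.C.D: prints the address as a 32-bit integer; fails on anything
# that is not four decimal octets in 0..255 (leading zeros rejected as ambiguous).
ip_to_int() {
    addr=$1
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
            0[0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_dhcp_pool IP START END: succeeds if IP lies within [START, END] inclusive.
in_dhcp_pool() {
    ip=$(ip_to_int "$1") || return 2
    lo=$(ip_to_int "$2") || return 2
    hi=$(ip_to_int "$3") || return 2
    [ "$ip" -ge "$lo" ] && [ "$ip" -le "$hi" ]
}

# check_forward STATIC_IP PORT_FROM PORT_TO [DHCP_START DHCP_END]: prints one
# line per problem (or an "ok" line) and succeeds only when every check passes.
# The pool defaults are the DD-WRT defaults quoted in the post (constructed here).
check_forward() {
    static_ip=$1; port_from=$2; port_to=$3
    dhcp_start=${4:-192.168.1.100}; dhcp_end=${5:-192.168.1.149}
    ok=0
    if ! ip_to_int "$static_ip" >/dev/null; then
        echo "bad IP: $static_ip"
        return 1
    fi
    if in_dhcp_pool "$static_ip" "$dhcp_start" "$dhcp_end"; then
        echo "$static_ip is inside the DHCP pool $dhcp_start-$dhcp_end; pick an address outside it"
        ok=1
    fi
    for p in "$port_from" "$port_to"; do
        case "$p" in ''|*[!0-9]*) echo "bad port: $p"; return 1 ;; esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p"
            return 1
        fi
    done
    if [ "$port_from" != "$port_to" ]; then
        echo "Port from ($port_from) and Port to ($port_to) must match: one port for the client"
        ok=1
    fi
    [ "$ok" -eq 0 ] && echo "ok: forward TCP $port_from -> $static_ip:$port_from"
    return "$ok"
}

# Usage: sh check_forward.sh 192.168.1.99 11111 11111 [pool_start pool_end]
if [ $# -ge 3 ]; then
    check_forward "$1" "$2" "$3" "$4" "$5"
fi
```

If you changed the router's DHCP start address or client count, pass the real pool bounds as the fourth and fifth arguments; the defaults only match an unmodified DD-WRT.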
deez444
DD-WRT Novice


Joined: 01 Apr 2021
Posts: 3

PostPosted: Sat Apr 03, 2021 17:35    Post subject: Re: Have I setup DD-WRT correctly?
Thank you to all who replied, your effort is much appreciated.
All times are GMT