Hello router folks, so some years ago I did flash this linksys E3200 ....and then few years later again with the update I could find after the "heartbleed" issue.
Some I'm not a router person, just a basic linux person running Fedora/Debian.
And yet I see my router on the VPNfilter list ; and that apparently 30/30/30 is not advisable as a reset option; assuming that it is even "a good idea" for this VPNfilter talk ?
I can manage WebGUI stuff; I see that I have ddwrt v24-sp2(3/25/13)big build 21061 installed at present
I did try to read around this forum and look at the router database, however, over a number of days, I don't see that the 'router database' is operational, it just says 'down for maintainence'
I guess I could do the 'erase nvram' or is it 'nvram erase' via the command line, but have no idea on the steps to do that.
I did see some wiki on the topic, but I can't understand the language.
Lastly, I see that the Talos and Bruce Schnier are saying something like if you router is on the list, it's too old (eg > 10 years) so just buy a new one. But, I'm wondering if that is more for folks whom are not running dd-wrt, I just live in an apartment, and don't need the greatest and latest Wifi coverage nor sophisticated networking, wouldn't know how to use it anyhow.
Under the GUI "security" I see ->block WAN requests all checked except "filter WAN NAT redirection" ; andunder "impeded WAN DoS" all checkboxes are checked.
SPI firewall is enabled
Log is disabled
Services->Services Telnet is enabled ; secure shell disabled ; but under Admin->management I see -> remote access web gui disabled; ssh management is disabled but grey not black, telnet disabled ; 'allow any remote IP" is enabled. ; cron is enabled.
Having said all this, I'd be happy to buy a new router for $50 or so ; even if I don't flash it with dd-wrt if there were any recommendations.
I apologize I don't speak router-ese much ..... thanks for any and all feedback cheers
thanks for the replies, but could you be more specific than "not good at all" ; do you mean from a security point of view or ; I am not a router person, pretty will use most settings at the default
my cable modem and provider are "up to 50mbit/sec" , yes.
I have no idea how to telnet into my modem and do the "nvram erase" .....which is what I was trying to say.
I'm a bit vague from reading on here it is really advisable, as they said "they've seen no evidence of DDWRT being effected" etc
thanks for the replies, but could you be more specific than "not good at all" ; do you mean from a security point of view or ; I am not a router person, pretty will use most settings at the default
my cable modem and provider are "up to 50mbit/sec" , yes.
I have no idea how to telnet into my modem and do the "nvram erase" .....which is what I was trying to say.
I'm a bit vague from reading on here it is really advisable, as they said "they've seen no evidence of DDWRT being effected" etc
ya sorry no idea what SFE is , are you saying the build recommended has it, and mine doesn't or something ?
could you be more specific than "not good at all" ; do you mean from a security point of view or ;
He did
q2xxI wrote:
I am not a router person, pretty will use most settings at the default
my cable modem and provider are "up to 50mbit/sec" , yes.
I have no idea how to telnet into my modem and do the "nvram erase" .....which is what I was trying to say. [...]
ya sorry no idea what SFE is , are you saying the build recommended has it, and mine doesn't or something ?
Correct. You don't need to be a 'router person', you just need to be willing to learn... and search. SFE provides better network speeds when the router is used as a gateway (the default). There's a link in my signature for details, but for your speeds it doesn't really matter, especially since the default is enabled anyway. As for the `erase nvram`, you can go to Administration->Commands and run `erase nvram && reboot`). _________________ #NAT/SFE/CTF: limited speed w/ DD#Repeater issues#DD-WRT info: FAQ, Builds, Types, Modes, Changes, Demo#
OPNsense x64 5050e ITX|DD: DIR-810L, 2*EA6900@1GHz, R6300v1, RT-N66U@663, WNDR4000@533, E1500@353,
WRT54G{Lv1.1,Sv6}@250|FreshTomato: F7D8302@532|OpenWRT: F9K1119v1, RT-ACRH13, R6220, WNDR3700v4
could you be more specific than "not good at all" ; do you mean from a security point of view or ;
He did
q2xxI wrote:
I am not a router person, pretty will use most settings at the default
my cable modem and provider are "up to 50mbit/sec" , yes.
I have no idea how to telnet into my modem and do the "nvram erase" .....which is what I was trying to say. [...]
ya sorry no idea what SFE is , are you saying the build recommended has it, and mine doesn't or something ?
Correct. You don't need to be a 'router person', you just need to be willing to learn... and search. SFE provides better network speeds when the router is used as a gateway (the default). There's a link in my signature for details, but for your speeds it doesn't really matter, especially since the default is enabled anyway. As for the `erase nvram`, you can go to Administration->Commands and run `erase nvram && reboot`).
So, I don't see the reason why I should flash to a newer build, and I want to remain polite.
So, I can only do erase nvram via telnet ? how do I navigate when I attempt to telnet in, maybe it will be obvious , but would hate to do things wrong.
And if I understand correctly if I were to flash a new build to the router, I should not do 30/30/30 which is what I did originally.
And lastly, again, is any of this likely have any point with regards to the VPNfilter thing, if one's router is on the list ...... or is ddwrt "probably ok" no matter what is done
what "doesn't really matter" for my "speeds" having SFE available? if so I guess that's another reason there is no reason for me to flash a newer build
If so, I'll just see if I can figure out how to telnet .
PS: I spend a few hours on this "reading and searching" today, thanks for your help
So, I don't see the reason why I should flash to a newer build, and I want to remain polite. [...]
what "doesn't really matter" for my "speeds" having SFE available? [...]
so is there instructions somewhere on how to do the telnet erase nvram. Or after I telnet login do I just enter it on the command line? [...]
if the 30/30/30 is no longer recommended, then I guess no one edits these howto's anymore?
The wiki's were created long ago back when 30/30/30 was gospel; and ARM routers (not the 3200) must not use it. For telnet, see here.
SFE can also reduce latencies a bit for some packets, so it is advised to use it when you can; policy-Based Routing and (maybe) QoS (uplink?) don't work with it.
Besides SFE accelerated NAT being added to k3.10+ builds since 33006, the broadcom krack fixes were in since 33772, but latest builds fix other wireless problems introduced w/ the (binary driver) krack fixes. And there have been many other vulnerabilities fixed since March 2013. _________________ #NAT/SFE/CTF: limited speed w/ DD#Repeater issues#DD-WRT info: FAQ, Builds, Types, Modes, Changes, Demo#
OPNsense x64 5050e ITX|DD: DIR-810L, 2*EA6900@1GHz, R6300v1, RT-N66U@663, WNDR4000@533, E1500@353,
WRT54G{Lv1.1,Sv6}@250|FreshTomato: F7D8302@532|OpenWRT: F9K1119v1, RT-ACRH13, R6220, WNDR3700v4
so telnet
Administration->Commands and run `erase nvram && reboot`
Well, that should work (w/o the backticks of course)...but for future reference, telnet is a protocol using port 23 (ssh uses port 22) to talk to a device using an application such as PuTTY.
Btw, the new build is looking good, and has some broadcom fixes. I flashed my E2500 (which is also nv60k like the E3200). Use this since k3x doesn't have a generic nv60k build; one must use the trailed build. _________________ #NAT/SFE/CTF: limited speed w/ DD#Repeater issues#DD-WRT info: FAQ, Builds, Types, Modes, Changes, Demo#
OPNsense x64 5050e ITX|DD: DIR-810L, 2*EA6900@1GHz, R6300v1, RT-N66U@663, WNDR4000@533, E1500@353,
WRT54G{Lv1.1,Sv6}@250|FreshTomato: F7D8302@532|OpenWRT: F9K1119v1, RT-ACRH13, R6220, WNDR3700v4
It is important to update or flash to a newer build because the stage 1 of VPNfilter is persistent, it doesnt disappear on reboots, Stages 2 and 3 are more like configuration settings so can be solve by executing a NVRAM erase, but if u dont get rid of the stage 1, those settings will appear again. Imagine this like if the kernel has a bug, u fix the bug and replace the old kernel with the new one, right?, so flashing a new build do that, a fresh copy of the OS that has not been compromised.
It is important to update or flash to a newer build because the stage 1 of VPNfilter is persistent, it doesnt disappear on reboots, Stages 2 and 3 are more like configuration settings so can be solve by executing a NVRAM erase, but if u dont get rid of the stage 1, those settings will appear again. Imagine this like if the kernel has a bug, u fix the bug and replace the old kernel with the new one, right?, so flashing a new build do that, a fresh copy of the OS that has not been compromised.
Plus, newer builds have fixes of other things...
OK, I'm convinced, somehow I thought ddwrt would be more secure than stock router firmware, which I imagine people hardly ever re-flash; I generally follow vulnerabilities, that make it to cryptogram or some folks on Twitter, but ...
anyway, I guess I just need to know once I've logged into dd-wrt via telnet
do I navigate somewhere or just do the erase nvram && reboot from the # prompt ?