Posted: Sun Dec 23, 2018 14:36 Post subject: New - learning about wrt - any advice
Ho-lee-cow. I typed a long post and the forum detected it as something and BAM! lol.. all gone. Okay, will copy it down this time just in case
I am posting this while I read as much of the forum as possible. Not asking for someone to hand me an answer, but figured to outline it here so I do not have to re-type it 40 times.. just 2, it seems .. lol...actually .. 3
First off, been hearing about dd-wrt a long time, just never really "bit-the-bullet" till now.
About a year and a half ago, I got booted off my home PC a couple times.. made me go "hrm" so, went to the house and saw someone was logged in. That will wake ya up...
So, I locked it down, somewhat...but I still am getting brute force attacked by evidence in my event logs. They are not "on" the pc but, I have a new PC.. and 3 Asus routers, so figured it is time to learn more and lock it down right.
So, while I browse the forums and try things out, here is what I have and what I am trying to do and need to do.. and any insight is appreciated.
Beforehand, thank you all for any help. I know you do not have to, and I am willing and able to do a lot on my own, but experience is more valuable and I will gladly take any advice.
I have 2 PCs, about to have 2 more when the kids get theirs for Christmas.. heh (they got so many viruses the last time I decided to wait till I had a plan).
I have 10 IP cameras (we had a lot of tools stolen a month or so ago.. and a few acres, so added a lot of wifi cams...wifi is not an issue out here.. the attacks are not from around here.. heh)
I have a single wifi printer.. it can be usb, but prefer wifi for the wife's ipad.
A few kindles, a few apple products.
My biggest needs are:
- RDP to my PC. I am a dba.. telework.. so I vpn OUT.. and I RDP back in. I have 7 licenses for VPN accounts.. but have not installed them yet except when I need to download something onto one PC.. heh.. torrent.. and then turn it off. I have a friend that has everything with a vpn, but I was worried I would get somewhere and be unable to rdp back.
Games.. not many.. but Rift.. and a couple other games.. would like to be able to do so.
NAS - I own two. Synology does the cams.. Qnap does plex.
That is about it.
I was thinking of having the Asus RT-AC3200 be my external router, then having an Asus RT-AC66U_B1 have a VPN to that router, and have IT handle the DHCP of the computers and wifi?
Not sure any of that will matter, but I had 3 routers.. so figured to put them to good use.
I just want the login attempts on my new PC to stop... and try to block them at the router. It seems that the router is overwhelmed with the attack. I log into it and it auto-refreshes a lot and half the devices disappear every refresh then come back off and on.
Anyway, going to get more coffee, then will start reading and learning again.
Please don't leave a port open on your router for RDP. That is asking for trouble. At least use something like Teamviewer--a personal account is free.
Oh, and the back button can be your friend for those lost posts--most of the time.
_________________
R7000 Nighthawk - DD-WRT v3.0-r50308
~~~~~~~~~~Dismantled for learning opportunities~~~~~~~~~~
WRT54Gv2
WRT54Gv8.2
~~~~~~~~~~Other Settings~~~~~~~~~
https://nextdns.io/?from=2d3sq39x https://pi-hole.net/ https://github.com/DNSCrypt/dnscrypt-proxy
Joined: 16 Nov 2015 Posts: 6411 Location: UK, London, just across the river..
Posted: Thu Dec 27, 2018 7:28 Post subject:
Make sure your cams are not broadcasting outside of your LAN... so cut their WAN-side use... very often those cheap cams are full of spy/malware.
Use this rule if you have cams on br0, or adapt this rule to your case...
CAM_IP=192.168.1.50    # example address, replace with the camera's LAN address
iptables -I FORWARD -i br0 -o $(nvram get wan_iface) -p tcp -s $CAM_IP -j DROP
and do not have the GUI on the WAN port...
Disable telnet and use only SSH on a different port, secured with a key file.
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
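The rule in the post above drops only TCP, so a camera that phones home over UDP (or streams over it) still gets out. The following script is an added example, not the poster's rule: it generates the egress block for every camera in a list, for both TCP and UDP, validates the addresses, and prints the rules for review before they are applied with "--apply". The interface name vlan2 used when nvram is not available and the camera addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the rule posted above: drop all forwarded traffic (TCP and
# UDP, not just TCP) from each camera to the WAN interface on DD-WRT. The rules
# are generated as text first so they can be reviewed with a dry run before
# being applied with "--apply". The camera addresses are constructed examples.

LAN_IF=br0
CAMERAS="192.168.1.50 192.168.1.51"   # constructed example list; replace with your cameras

# On the router nvram knows the WAN interface; off the router fall back to a
# placeholder name so the script can be dry-run on a workstation.
wan_iface() {
    if command -v nvram >/dev/null 2>&1; then nvram get wan_iface; else echo vlan2; fi
}

# Accept only a dotted-quad IPv4 address with octets 0-255, so a typo in the
# camera list cannot turn into a rule that matches nothing.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the iptables commands that block one camera's egress to the WAN.
# "-I" puts them ahead of the accept rules DD-WRT already has in FORWARD.
camera_egress_rules() {
    cam=$1; wan=$2
    for proto in tcp udp; do
        printf 'iptables -I FORWARD -i %s -o %s -p %s -s %s -j DROP\n' \
            "$LAN_IF" "$wan" "$proto" "$cam"
    done
}

# Rules for every camera in CAMERAS; invalid entries are reported and skipped.
all_camera_rules() {
    wan=$1
    for cam in $CAMERAS; do
        if valid_ipv4 "$cam"; then
            camera_egress_rules "$cam" "$wan"
        else
            echo "skipping invalid camera address: $cam" >&2
        fi
    done
}

case "${1:-}" in
    --apply)
        # Run the rules, then show what now sits in the FORWARD chain.
        all_camera_rules "$(wan_iface)" | sh -e
        iptables -S FORWARD | grep -- '-j DROP' ;;
    *)
        # Dry run: print the rules so they can be reviewed first.
        all_camera_rules "$(wan_iface)" ;;
esac
```

Run it once without arguments to see the rules, then with --apply on the router. On DD-WRT the same commands belong in Administration > Commands, saved as the firewall script, so they survive a reboot; a quick check afterwards is to ping an outside address from a camera's LAN address (or watch its WAN traffic) and confirm nothing leaves.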
The maximum number for multiport is 15 ports per command.
I think this firewall command is for: if you don't want to host a server on those ports. So it should prevent remote administration by strangers on the internet.
This may be redundant, since the firewall has probably dropped incoming requests for these ports anyway.
Bonus:
Set the DHCP auto IP address range below ...126 (50-100 is fine).
Give the work computer a fixed address above ...126.
Anything above ...126 doesn't have the limit applied.
This prevents router lockup/slowdown from too many simultaneous connections. That command is masked to apply the limit of 200 concurrent connections per client. It looks like a firewall command; however, -I ones are startup commands. For use when family and work are on the same router, along with IoT, smart-house and all the modern stuff that doesn't always play fair.
_________________
R6250 with fan on; wifi off
R6300.1 mips DD-WRT 42617 Giga AP
WNR3500Lv2 DD-WRT 33525 K3 Giga
E3000 5ghz multicast AP DD-WRT 33525 K2.6
WRT54GSv2 long range AP HyperWRT 15
2 WR841Nv9 DD-WRT 33006 AP
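The post above describes two things without showing the command it refers to: a multiport block (which iptables caps at 15 ports per rule) and a per-client connection limit that only applies to addresses below ...126. The script below is an added example, not the poster's command. It splits a port list into multiport groups of 15, and it assumes the "masked" limit is the usual iptables connlimit form applied to the lower half of the LAN, taken here to be 192.168.1.0/25 (hosts .0 to .127, which is what the .126 boundary in the post amounts to). The LAN prefix, the port list and the sample addresses are constructed examples.

```shell
#!/bin/sh
# Added example, not the command from the post above. It shows two things the
# post describes: splitting a port list into multiport groups of 15 (the iptables
# limit), and a per-client connection limit applied only to the lower half of the
# LAN, assumed here to be 192.168.1.0/25. Addresses and ports are constructed.

LAN_NET=192.168.1.0/25        # assumed block that gets the limit
LIMIT=200                     # concurrent connections per client, as in the post
# Constructed list of 20 ports nobody here wants to serve to the internet.
ADMIN_PORTS="21 22 23 25 53 80 110 135 137 138 139 143 443 445 1433 3306 3389 5900 8080 8443"
# WAN interface: nvram on the router, a placeholder name for a dry run elsewhere.
WAN_IF=${WAN_IF:-$(command -v nvram >/dev/null 2>&1 && nvram get wan_iface || echo vlan2)}

# Convert a dotted quad to a 32-bit integer.
ip2int() {
    set -- $(echo "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed when address $1 falls inside CIDR block $2.
in_subnet() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Emit one INPUT rule per group of at most 15 ports from $1 (space separated).
# Note that a port range such as 6000:6010 counts as two ports toward the 15.
multiport_rules() {
    group=""; count=0
    for p in $1; do
        group="${group:+$group,}$p"; count=$((count + 1))
        if [ "$count" -eq 15 ]; then
            printf 'iptables -I INPUT -i %s -p tcp -m multiport --dports %s -j DROP\n' "$WAN_IF" "$group"
            group=""; count=0
        fi
    done
    if [ -n "$group" ]; then
        printf 'iptables -I INPUT -i %s -p tcp -m multiport --dports %s -j DROP\n' "$WAN_IF" "$group"
    fi
}

# Per-client limit for new TCP connections from the lower half of the LAN.
# --connlimit-mask 32 makes the count per source address, not per subnet.
connlimit_rule() {
    printf 'iptables -I FORWARD -s %s -p tcp --syn -m connlimit --connlimit-above %s --connlimit-mask 32 -j DROP\n' \
        "$LAN_NET" "$LIMIT"
}

# Check the address plan from the post: DHCP pool ($1-$2) inside the limited
# block, the work machine ($3) outside it so it is never throttled.
plan_ok() {
    in_subnet "$1" "$LAN_NET" && in_subnet "$2" "$LAN_NET" && ! in_subnet "$3" "$LAN_NET"
}

if plan_ok 192.168.1.50 192.168.1.100 192.168.1.200; then
    echo "# address plan: DHCP pool limited, work PC exempt"
else
    echo "# address plan: work PC or DHCP pool is on the wrong side of $LAN_NET" >&2
fi
multiport_rules "$ADMIN_PORTS"
connlimit_rule
```

The plan check is the part worth keeping: if the work PC's fixed address drifts into the /25, RDP over the VPN gets counted against the 200-connection limit along with the kids' machines and the cameras. Running the script with no arguments just prints the rules; pipe them to sh on the router, or paste them into the saved firewall script, once they look right.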