SurprisedItWorks DD-WRT Guru
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Thu Apr 01, 2021 19:18 Post subject: Re: Have I setup DD-WRT correctly?
deez444 wrote: | Hi,
Had problems installing on a Netgear 8500 but got it working thanks to
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1169279#1169279
it was worth it.
I would like to say that I'm not an IT professional and new to ddwrt. I have done research,
but I need some help, and before I get flamed, I searched the forum and it did not get answers. |
Lots of questions! I'll take a few and let someone else who knows more about them take others.
Quote: | 1 there seem to be updates to ddwrt very frequently; should I update every time? Is there a way to say with a build if it works for you? How do you know if there is a critical vulnerability and you must update to the newest firmware? |
You do not need to update every time. I typically update at intervals of four to six months. You should only update after reading the new-build thread(s) of interest in the forum associated with your router. (I don't know your router so can't say which that is.) You'll find there that some builds are too buggy (for your particular router perhaps) to use. All of us are beta testers all the time. Ignore the router database, as it is not well maintained.
Quote: | 2 how do you setup an isolated guest wifi and isolated guest vlan on a LAN port? |
The wifi part of the question is the easier one. Take a look at the third post at https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1217070, which is my attempt to answer that question.
VLANs, on the other hand, are very hardware specific. You'll need to find a discussion on setting them up for your particular router or router family. The required techniques can vary hugely, so don't just grab the first thing you see for any router and run with it. (My sig below has a link to the VLAN method for the modern Linksys WRT... routers, but don't try it with anything else!)
Quote: | 3 Misc questions My set up is my ISPs re-branded ARRIS cable modem / router in modem mode to a Broadcom h/w ddwrt
Ignore WAN DNS ON or OFF? is this something to do with DNS leaks on VPNs? If so is this vpn on ddwrt or on your PC? |
Most people wanting to set up DNS through their VPNs or even just wanting to be sure their explicit choices of DNS providers are used will want to ignore WAN DNS. It's a fairly new setting though, and we managed without it. It's not critical, as the ISP DNS servers are always last in line behind the VPN-provided DNS and any DNS servers you list in Basic Setup. Check the box and they won't be in line at all. If you want the sequence strictly observed - try the first one and only when it fails try the next one, etc. - enable Strict Order in the DNSMasq section in GUI>Services>Services.
Quote: | WAN Connection type is auto config dhcp in ddwrt, advanced routing tab is gateway? Router mode kills the internet connection? Am I using the correct settings? Will the ddwrt firewall still work in gateway mode? |
Unless you are configuring multiple routers to work together (sounds like you are not), stick with the default Gateway mode. I believe Router has no WAN functioning or firewall, but that's because there's an assumption that you have a primary router taking care of those things.
Quote: | SPI firewall – I want max protection but for things to still work without a lot hassle, which options should I select? |
Enable SPI Firewall for sure. I also check the four "Impede WAN DoS/Bruteforce" boxes, but I'm no expert there.
Quote: | Log management – what do you do to the firewall log to work? Log levels? Options dropped, rejected, accepted? |
Looks like these choices have evolved since I last looked. Just figure for now that you can ignore it unless you have trouble. More important is the System Log section of GUI>Services>Services. Enable the system log daemon at least. You can try also enabling the kernel log (they go to the same place) if you are a glutton for punishment or a Linux kernel guru and are curious. Last time I tried, I found I did need kernel logging in order to get the Firewall logging on the other tab to do anything. If the kernel is logging and you enable logging dropped packets, you'll get a line in the system/kernel log for every dropped packet. Useful if you are dealing with trouble. I don't use it routinely. And don't ever enable logging of Accepted packets, or your log will be buried with them.
Quote: | Dynamic routing interface – is disabled? Is this i... [accidental delete] |
I've never used anything on that tab.
Quote: | Remote access from any IP is ticked? Should I disable it? |
Most people should disable all three remote management interfaces - GUI, ssh, and telnet - as these are specifically referring to access from outside your network, from users somewhere across the internet. Disable them and you'll still have access from your own network provided you enable it in GUI>Services>Services. If you disable remote access, it won't matter what "any IP" is set to, as it will be ignored. If you DO need remote access for some reason, it's best to allow it from a specific IP only if you can, if you can do your remote management from a fixed IP address. There are lots of baddies on the internet trying to break into open routers to corrupt them. Make it hard.
Quote: | uPNP is disabled? Will torrents still work? |
No idea. Never torrented.
Quote: | I'm looking for the securest settings while still being functional anything I should do? |
Use a really good random password for the router itself, like 12 characters of nonsense, set in GUI>Admin>Management. Then set up ssh (Secure Shell in GUI>Services>Services) to use encryption keys for authorization, and once it is working (there's a wiki), disable password login with ssh and disable telnet altogether. Some suggest changing the default ssh port from the default of 22. Others say it's not worth the bother because the bad guys do port scans. I do it anyway. Pick a five-digit number below 65536 (i.e. stick to large 16-bit unsigned integers). In any case, ssh with keys is the secure way to access the router. That doesn't protect the GUI though, hence the strong password. If you are comfortable with iptables you can also add a firewall command (GUI>Admin>Commands) to restrict admin access to a specific interface, ideally one that only you can use. On my system that's br0, but for you maybe wlan0.1 (a VLAN) or whatever:
Code: |
# Interface from which admin access is still allowed
AdminIF=br0
# Read the configured sshd port from nvram (22 unless you changed it)
SSH_PORT=$(nvram get sshd_port)
# Reject admin-port connections arriving on any OTHER interface
iptables -I INPUT ! -i $AdminIF -p tcp -m multiport \
--dports $SSH_PORT,telnet,http,https \
-j REJECT --reject-with tcp-reset
|
Quote: | Many, many thx to anyone who can help even a little, it is appreciated. |
Final note: A guest network is not just for guests. If you set it up with both AP isolation ("guests" isolated from each other) and Net Isolation ("guests" isolated from the main network br0), then that network is the ideal place for you and your family to be connected when you don't need to interact with printers or other devices, because then malware on one machine can't reach out and infect another machine. Malware needs time to poke around the net. Give it as little net to poke as you can, and give it as little poking time as possible.
Also, give some thought to choosing DNS providers. I like Quad9 DNS (quad9.net) at 9.9.9.9 because they don't log (other than city level) and they screen out a million or so malware domains. Cloudflare 1.1.1.1 is popular because they are fast and don't (AFAIK) log, but they don't filter anything either. Adguard DNS (adguard.com, Products, Other, AdGuard DNS) filters malware and advertising and ad trackers, and doesn't log, but isn't the fastest. There are choices out there that go further and also filter out "adult" entertainment sites. Adguard has an option to add that.
Once you are settled down on the basics and are looking for the next step, you can use (GUI>Services>Services>DNSMasq) Encrypt DNS to use DNSCrypt (dnscrypt.info) to encrypt DNS queries and replies to some providers. The menu in dd-wrt is old, and many of the options there are hobby sites or not there or now only working with newer DNSCrypt protocols (dd-wrt builds in an older DNSCrypt implementation because the new one is simply too large). But the menu includes Adguard, and it should work. Also, with some work you can use some DNSCrypt-equipped providers that are not in the menu. See my sig for how to do this for Quad9. The writeup is a bit old now, but my Quad9 code from that setup still works for me. (The adguard menu item though has changed from adguard adguard-dns to adguard-dns-ns1.)
Some people get all excited over DNSSEC (enable all three in the DNSMasq section: Cache DNSSEC data, Validate DNS Replies (DNSSEC), and Check unsigned DNS replies), but only a few percent of websites have digitally signed DNS entries, so it's not really important at present, and it will slow DNS somewhat. In the US no major banks have DNSSEC-signed DNS entries, for example. I did find three VPN providers who sign their websites: AirVPN (airvpn.org), PIA (privateinternetaccess.com) and Mullvad (mullvad.net). I do like that for a VPN site, as I'd hate to give my VPN-account login credentials to a fake site.
_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
Last edited by SurprisedItWorks on Sat Apr 03, 2021 20:16; edited 1 time in total
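The post above says that with kernel logging and "log dropped packets" enabled you get one log line per dropped packet, which is only useful if you can summarize it. The script below is an added example, not code from the post or from the DD-WRT project: it reads the key=value fields that netfilter's LOG target writes (IN= SRC= DST= PROTO= DPT= ...) and reports drops by source, by protocol/port, and sources that probed several distinct ports. The "DROP" log prefix and the sample log lines are constructed for this example; match the prefix to whatever your firewall rules actually log with, and feed it a real log via `logread` or `/var/log/messages`.

```shell
#!/bin/sh
# Added example (not from the forum post): summarize dropped-packet lines
# from a DD-WRT system/kernel log. The key=value fields are the standard
# netfilter LOG format; the "DROP " prefix is an assumption for this example.

# Constructed sample log lines standing in for `logread` output.
SAMPLE_LOG='Apr  1 19:18:01 DD-WRT kernel: DROP IN=vlan2 OUT= MAC=00:11:22:33:44:55 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=54321 PROTO=TCP SPT=44123 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Apr  1 19:18:02 DD-WRT kernel: DROP IN=vlan2 OUT= MAC=00:11:22:33:44:55 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=54322 PROTO=TCP SPT=44124 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Apr  1 19:18:03 DD-WRT kernel: DROP IN=vlan2 OUT= MAC=00:11:22:33:44:55 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=54323 PROTO=TCP SPT=44125 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Apr  1 19:18:05 DD-WRT kernel: DROP IN=vlan2 OUT= MAC=00:11:22:33:44:55 SRC=198.51.100.77 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=1 PROTO=UDP SPT=5353 DPT=5353 LEN=40
Apr  1 19:18:09 DD-WRT dnsmasq[1234]: started, version 2.85 cachesize 1500
Apr  1 19:18:10 DD-WRT kernel: DROP IN=vlan2 OUT= MAC=00:11:22:33:44:55 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=54324 PROTO=TCP SPT=44126 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

# Dropped packets per source address, most frequent first: "<count> <src>".
drops_by_source() {
    grep 'kernel: DROP ' | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^SRC=/) c[substr($i, 5)]++
    } END { for (s in c) print c[s], s }' | sort -k1,1nr -k2,2
}

# Dropped packets per protocol/destination port: "<count> TCP/22" etc.
drops_by_port() {
    grep 'kernel: DROP ' | awk '{
        p = ""; d = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) p = substr($i, 7)
            else if ($i ~ /^DPT=/) d = substr($i, 5)
        }
        if (p != "" && d != "") c[p "/" d]++
    } END { for (k in c) print c[k], k }' | sort -k1,1nr -k2,2
}

# Sources dropped on at least $1 distinct destination ports (default 3),
# a rough indicator of port-scan style probing worth a closer look.
scan_like_sources() {
    min=${1:-3}
    grep 'kernel: DROP ' | awk -v min="$min" '{
        s = ""; d = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) s = substr($i, 5)
            else if ($i ~ /^DPT=/) d = substr($i, 5)
        }
        if (s != "" && d != "" && !seen[s, d]++) n[s]++
    } END { for (s in n) if (n[s] >= min) print s }' | sort
}

# Report over the constructed sample; on the router, replace the printf
# with `logread` or `cat /var/log/messages`.
report() {
    echo "== drops by source ==";    printf '%s\n' "$SAMPLE_LOG" | drops_by_source
    echo "== drops by proto/port =="; printf '%s\n' "$SAMPLE_LOG" | drops_by_port
    echo "== scan-like sources (>=3 ports) =="; printf '%s\n' "$SAMPLE_LOG" | scan_like_sources 3
}
report
```

The functions read the log on stdin, so `logread | scan_like_sources 5` works unchanged on the router; every tool used (grep, awk, sort) is in the BusyBox that DD-WRT ships. Accepted-packet logging would swamp this report, which is the same reason the post advises against enabling it.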
SurprisedItWorks DD-WRT Guru
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Thu Apr 01, 2021 19:56 Post subject:
Also if you have security as a priority, have a look at this discussion on choosing your router IP and subnet with security in mind: https://routersecurity.org/ipaddresses.php
Basically, malware often assumes 192.168.1.1, or at least that it ends in .1, and if you go your own way, you can make it more difficult or even impossible, depending on the malware's sophistication, for it to find your router. And identifying the router means going after its admin interfaces, etc.