Configuring DD-WRT

I have decent notes and backups of my Linksys WRT54GL DD-WRT configuration. I also have a check list of sorts.

When I started configuring my Asus RT-AC66U from scratch I realized my documentation was insufficient. DD-WRT is a complex firmware. DD-WRT for the RT-AC66U contains additional features I have seen never before with the WRT54GL. I hadn’t configured DD-WRT from scratch in many years. I was rusty with configuring some of the features. Enabling and configuring various features often requires modifying options in more than one location in the web interface.

One thing is for certain. The DD-WRT wiki and forum is filled with old and obsolete information. Confusing information. Conflicting information. Even finding the correct firmware version for a router is an uphill exercise. The web interface built-in help leaves much to be desired. Finding correct information is a frustrating effort.

Time to update my documentation by rewriting them as a “DD-WRT From Scratch” exercise.

On the WRT54GL I have DD-WRT configured with the following:

  • JFFS
  • LAN wireless
  • Guest wireless
  • DNS
  • DHCP
  • VLANs
  • Traffic monitoring
  • SSH
  • Custom scripts

A feature I did not use on the WRT54GL is a VPN because only PPTP is available. DD-WRT on the RT-AC66U supports OpenVPN, which I want to use.

I use static IP addresses in my LAN. I have both NFS and Samba configured on my LAN server to allow connections only from within a specific range of the subnet. I configure DD-WRT not to provide DHCP addresses. When testing and enabling DHCP, DD-WRT assigns addresses outside the preconfigured range. This design prevents curious house guests from trying to snoop the server and private files. My network laser printer is assigned an IP address within the approved subnet range and is therefore unavailable to house guests.

I use dnsmasq on my LAN server to provide DNS lookups and name caching. I use dnsmasq for blocking undesirable URLs. I configure DD-WRT to use the LAN server for DNS. That means if the LAN server is unavailable then most devices connected to the router will stall. The LAN server is scheduled to power down at night when no client systems are running.

While the RT-AC66U has more memory than the WRT54GL, I am not going to move the dnsmasq URL blocking scheme to the new router. On the LAN server I run a weekly cron job to update the block list. I would need to move and test that script on the new router. Or scp the final file to the router. While the new router probably can handle the overhead, I prefer not to fix things that are not broken.

I have a static public IP address assigned from the ISP.

The point to this exercise is to create documentation that helps me configure various DD-WRT options but in an efficient and methodical manner. Along the way I will create backup snapshots.

My approach looks something like the following:

  • Configure admin information and management.
  • Enable JFFS.
  • Enable SSH and copy public keys.
  • Configure the ISP information.
  • Configure the wired interface.
  • Configure the wireless.
  • Configure guest wireless.
  • Configure VLANs.
  • Copy and enable custom scripts.
  • Configure remaining tweaks.

Preliminary Settings

I wanted to bench configure as much as possible before finally replacing the WRT54GL. To retain an Internet connection while configuring the RT-AC66U, I used my Lenovo T400 laptop to connect to the new RT-AC66U router. I used my office desktop already connected to the existing WRT54GL router. In this manner I compared configuration settings.

    Router Management
      Router Username: xxxxxxxxxx
      Router Password: xxxxxxxxxx
    Web Access
      Enable Info site: Disable
    Remote Access
      Web GUI Management: Disable
      SSH Management: Disable
      Telnet Management: Disable
      Allow Any Remote IP: Enable
    Boot Wait
      Boot Wait: Enable
      Cron: Enable
      802.1x: Enable
    Reset Button
      Reset Button: Enable
      Routing: Enable
    JFFS2 Support
      JFFS2 Support: Enable
      Clean JFFS2: Disable
    Language Selection
      Language: English
    CIFS Automount
      Common Internet File System: Disable
    Apply Settings
    Keep Alive
      Disable all.
    Schedule Reboot
      At a set Time: 02:34 Everyday
    Wake-On-LAN daemon
      WOL daemon: Disable
    Apply Settings
      SPI Firewall: Enable
    Additional Filters
      Filter Proxy: Disable
      Filter Cookies: Disable
      Filter Java Applets: Disable
      Filter ActiveX: Disable
    Block WAN Requests
      Block Anonymous WAN Requests (ping): Enable
      Filter Multicast: Enable
      Filter WAN NAT Redirection: Disable
      Filter IDENT (Port 113): Enable
      Block WAN SNMP access: Disable
    Impede WAN DoS/Bruteforce
      Limit SSH Access: Enable
      Limit Telnet Access: Enable
      Limit PPTP Access: Enable
      Limit FTP Access: Enable
    Connection Warning Notifier
      Warning Notifier: Disable
      Log: Disable
    Apply Settings
    Services Management
      DNSMasq: Enable
      Local DNS: Enable
      No DNS Rebind: Enable
      Query DNS in Strict Order: Enable
      Add Requestor MAC to DNS Query: Disable
    IP over DNS Tunneling
      nxtx Daemon: Disable
    PPPoE Relay
      Relay: Disable
    SES / AOSS /EZ-SETUP / WPS Button
      Turning off radio: Disable
    RFlow / MACupd
      RFlow: Disable
      MACupd: Disable
      SNMP: Disable
    Secure Shell
      SSHd: Enable
      SSH TCP Forwarding: Disable
      Password Login: Disable
      Port: 22
      Authorized Keys: (copied and pasted)
    System Log
      Syslogd: Disable
      Telnet: Disable
    The Onion Router Project
      TOR: Disable
    WAN Traffic Counter
      ttraff Daemon: Enable
      Client: Disable
    Apply Settings

I enabled strict query order to ensure the router always first checked the LAN server, which is running DNSMasq and my blocking strategy.

I rebooted the router to ensure none of the configurations caused boot problems.

ISP/WAN/LAN Settings

The router was not yet connected to the ISP. I was still configured using default IP addresses. I needed to configure DD-WRT for the ISP and LAN.

    Basic Setup
    WAN Connection Type
      Connection Type: Static IP
      WAN IP Address:
      Subnet Mask:
      Static DNS 1: LAN server IP address
      Static DNS 2: LAN server IP address
      Static DNS 3: LAN server IP address
    Optional Settings
      Router Name: xxxxxxxxxx
      Host Name: xxxxxxxxxx
      STP: Enable
    Router IP
      Local IP Address:
      Subnet Mask:
      Local DNS: LAN server IP address
    Network Address Server Settings (DHCP)
      DHCP Type: DHCP Server
      DHCP Server: Disable
      Start IP Address:
      Maximum DHCP Users: 50
      Client Lease Time: 1440 minutes
      Use DNSMasq for DHCP: Enable
      Use DNSMasq for DNS: Enable
      DHCP-Authoritative: Disable
      Forced DNS Redirection: Disable
    Time Settings
      NTP Client: Enable
      Time Zone: A local time zone
      Server IP/Name: An NTP pool address:
    Apply Settings

Except for testing I do not use DHCP at the router. Configuring the Start IP Address requires temporarily enabling DHCP, applying the settings, then disabling DHCP.

Using the LAN server IP address as the sole DNS server ensures all connections use my LAN server and blocking scheme.

As I was not yet connected to the ISP, the router time remained incorrect.

This was a good time for a backup snapshot. I rebooted as a test. Next I cycled the power to the router as another test.

LAN Wireless Settings

I use the same subnet as my wired LAN.

Configuring the LAN wireless was kind of a go-no-go point. After configuring I would need to connect to the ISP and disable the WRT54GL. Otherwise the two routers would conflict. I could have created new SSID names, but I wanted to retain the old names.

    Basic Settings
    Physical Interface wl0
      Wireless Mode: AP
      Wireless Network Mode: Mixed
      Wireless Network Name (SSID): xxxxxxxxx
      Wireless Channel: 11
      Wireless SSID Broadcast: Enabled
      Network Configuration: Bridged 
    Physical Interface wl1
      Wireless Network Mode: Disabled
    Apply Settings

    Wireless Security
    Physical Interface wl0 SSID
      Security Mode: WPA2 Personal
      WPA Algorithms: AES
      WPA Shared Key: A pass phrase
    Apply Settings

As I am unfamiliar with dual band wireless, I initially disabled the Physical Interface wl1 wireless interface.

This was another good time for a backup snapshot. I rebooted as another test.

I powered off and swapped the two routers. After booting the RT-AC66U I confirmed I could connect using wired with both my office desktop and laptop.

I could not connect the laptop using wireless. The existing NetworkManager configurations were set to the old router, such as BSSID/MAC addresses. A few adjustments in the NetworkManager dialogs and I could connect with wireless. I rebooted the laptop to ensure wireless remained functional.

I could browse the web using wired or wireless, but running an iperf wireless test was discouraging. I run hourly cron jobs to record iperf results with respect to my LAN. A nominal monitoring tool only and not meant to test actual throughput. The laptop has an Intel 5100 AGN wireless controller and should be able to use 802.11n. In addition to the device name, the iwconfig command showed IEEE 802.11abgn.

With the WRT54GL only supporting 802.11abg, my average wireless speeds have been about 21 Mbps. That speed is typical with 802.11g. With the RT-AC66U I was seeing iperf results of half that speed. The RT-AC66U supports up to 802.11ac. With the RT-AC66U I expected no slower than the previous average and hopefully something faster.

Lots of tinkering and surfing the web revealed little. I installed an older Build 25697 v24 SP2. No change. I updated the DD-WRT firmware to the latest beta release. No change.

My WAN/ISP connection speeds with the RT-AC66U were about the same as with the WRT54GL. My iperf tests using wired were a tad faster with the RT-AC66U. Only wireless was problematic.

In the end the best I accomplished was configuring the wl0 2.4 GHz radio for G-Only and the wl1 5 GHz radio for N-Only. With that configuration I saw wireless 2.4 GHz connection speeds at about the same as with the WRT54GL.

Using the 5 GHz band always resulted in poor speeds barely bumping 10 Mbps. Reading around the web indicates that running both 802.11g and 802.11n on the same router might reduce overall throughput. Living rurally I do not have to worry about neighborhood interference. I again disabled the 5 GHz radio (Wireless Network Mode: Disabled). Tinkering with 802.11n would have to wait until another day.

Guest Wireless Settings

For house guests with wireless devices I use a different subnet from the LAN, An isolated guest wireless network requires 1) a virtual interface, 2) a bridge, 3) a separate DHCP server, and 4) some iptables firewall rules. With a dual band router, a new virtual device may be added to either physical interface. In my case, I wanted to use wl0. For me the virtual interface is wl0.1.

Thanks to Alex Laird for providing this information.

    Basic Settings
    Wireless Physical Interface wl0
      Virtual Interfaces: Add button
      Wireless Network Name (SSID): xxxxxxxxxx
      Wireless SSID Broadcast: Enable
      AP Isolation: Disable 
      Optimize Multicast Traffic: Disable 
      Network Configuration: Bridged
    Apply Settings

    Wireless Security
    Virtual Interfaces wl0.1
      Security Mode: WPA2 Personal
      WPA Algorithms: AES
      WPA Shared Key: A pass phrase
    Apply Settings

    Create Bridge: Add button
      Name: br1
    Apply Settings

    Assign to Bridge br1: Interface wl0.1
    Apply Settings

    Network Configuration br1
      Label: Guest Wireless
      Multicast forwarding:  Disable 
      Masquerade / NAT: Enable 
      Net Isolation:  Disable 
      Forced DNS Redirection: Disable
      IP Address:
      Subnet Mask:
    Apply Settings

    Multiple DHCP Server
      Add button
      DHCP 0: br1 - Guest Wireless
    Apply Settings

      # Enable NAT on the WAN port to correct a bug in builds over 17000.
      iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`

      # Allow guest bridge access to Internet.
      iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT

      # Block access from br0 to br1.
      iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

      # Block access from br1 to br0.
      iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP

      # Deny guest network access to router services.
      iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
      iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
      iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
      iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
    Save Firewall

I added some DNSMasq options to support the guest wireless network.

    Services Management
      Additional DNSMasq Options:
        # Enables DHCP on br1
        # Set the default gateway for br1 clients
        # Set the DHCP range and default lease time of 24 hours for br1 clients

This is another good moment for a backup snapshot and rebooting the router.

I now had the LAN wired and wireless networks configured as well as a guest wireless network.

VLAN Settings

I wanted two VLAN ports. I use one VLAN port to isolate my Windows box. I use the other VLAN for temporary systems, such as when I work on another person’s computer. On the WRT54GL I was using the built-in hardware switch ports 3 and 4.

      vlan0: No ports, no bridge assignment
      vlan1: Ports 1,2 enabled, Bridge: LAN
      vlan2: Port W(AN), Bridge: None
      vlan3: Port 3, Unbridged LAN
      vlan4: Port 4, Unbridged LAN
      Link Aggregation on Ports 3 and 4: No
    Apply Settings

    Network Configuration vlan3
      Label: VLAN-Windows Computer
      Bridge Assignment: Unbridged
      Masquerade / NAT: Enable
      IP Address:
      Subnet Mask:
    Network Configuration vlan4
      Label: VLAN-Spare
      Bridge Assignment: Unbridged
      Masquerade / NAT: Enable
      IP Address:
      Subnet Mask:
    Apply Settings

    Multiple DHCP Server
      Add button
      DHCP 1: vlan3 - VLAN-Windows Computer
    Apply Settings
      Add button
      DHCP 2: vlan4 - VLAN-Spare
    Apply Settings

      # Allow VLAN traffic.
      iptables -I INPUT -i vlan3 -j ACCEPT
      iptables -I FORWARD -i vlan3 -o br0 -m state --state NEW -j ACCEPT
      iptables -I FORWARD -i vlan3 -m state --state NEW -j ACCEPT
      iptables -I INPUT -i vlan4 -j ACCEPT
      iptables -I FORWARD -i vlan4 -o br0 -m state --state NEW -j ACCEPT
      iptables -I FORWARD -i vlan4 -m state --state NEW -j ACCEPT
    Save Firewall

I added some DNSMasq options to support the VLAN networks.

    Services Management
      Additional DNSMasq Options:
      # Enables DHCP on vlan3
      # Set the default gateway for vlan3 clients
      # Set the DHCP range and default lease time of 24 hours for vlan3 clients

      # Enables DHCP on vlan4
      # Set the default gateway for vlan4 clients
      # Set the DHCP range and default lease time of 24 hours for vlan4 clients

Connecting to one of the VLANs showed the default route and Primary DNS as and an assigned IP address in the same subnet. No sign of my LAN DNS server IP address, which is what I wanted.

Loose Ends and Tweaks

I use some custom scripts that I wrote myself or downloaded from the web.

      Additional Cron Jobs
      */1 * * * * root sh /jffs/etc/config/

I used scp to copy files to the router:


I remain dissatisfied with the external RT-AC66U indicators. I much prefer the front-view indicators of the WRT54GL. Seems the Asus engineers chose style over function. Or perhaps they were overruled by the marketing wonks, who usually have no clue about function.

On my to-do list are configuring a VPN and fixing the 802.11n problems.

Posted: Category: Tutorial, Usability Tagged: DD-WRT

Next: Using Unique SSIDs

Previous: Installing CentOS 7