Configuring DD-WRT

I have decent notes and backups of my Linksys WRT54GL DD-WRT configuration. I also have a check list of sorts.

When I started configuring my Asus RT-AC66U from scratch I realized my documentation was insufficient. DD-WRT is a complex firmware. DD-WRT for the RT-AC66U contains additional features I had never seen with the WRT54GL. I hadn’t configured DD-WRT from scratch in many years and was rusty with some of the features. Enabling and configuring a feature often requires modifying options in more than one location in the web interface.

One thing is for certain. The DD-WRT wiki and forum are filled with old and obsolete information. Confusing information. Conflicting information. Even finding the correct firmware version for a router is an uphill exercise. The built-in help in the web interface leaves much to be desired. Finding correct information is a frustrating effort.

Time to update my documentation by rewriting it as a “DD-WRT From Scratch” exercise.

On the WRT54GL I have DD-WRT configured with the following:

  • JFFS
  • LAN wireless
  • Guest wireless
  • DNS
  • DHCP
  • VLANs
  • Traffic monitoring
  • SSH
  • Custom scripts

A feature I did not use on the WRT54GL is a VPN because only PPTP is available. DD-WRT on the RT-AC66U supports OpenVPN, which I want to use.

I use static IP addresses in my LAN. I have both NFS and Samba configured on my LAN server to allow connections only from within a specific range of the subnet. I configure DD-WRT not to provide DHCP addresses. When testing and enabling DHCP, DD-WRT assigns addresses outside the preconfigured range. This design prevents curious house guests from trying to snoop the server and private files. My network laser printer is assigned an IP address within the approved subnet range and is therefore unavailable to house guests.

I use dnsmasq on my LAN server to provide DNS lookups and name caching. I use dnsmasq for blocking undesirable URLs. I configure DD-WRT to use the LAN server for DNS. That means if the LAN server is unavailable then most devices connected to the router will stall. The LAN server is scheduled to power down at night when no client systems are running.

While the RT-AC66U has more memory than the WRT54GL, I am not going to move the dnsmasq URL blocking scheme to the new router. On the LAN server I run a weekly cron job to update the block list. I would need to move and test that script on the new router. Or scp the final file to the router. While the new router probably can handle the overhead, I prefer not to fix things that are not broken.

I have a static public IP address assigned from the ISP.

The point to this exercise is to create documentation that helps me configure various DD-WRT options but in an efficient and methodical manner. Along the way I will create backup snapshots.

My approach looks something like the following:

  • Configure admin information and management.
  • Enable JFFS.
  • Enable SSH and copy public keys.
  • Configure the ISP information.
  • Configure the wired interface.
  • Configure the wireless.
  • Configure guest wireless.
  • Configure VLANs.
  • Copy and enable custom scripts.
  • Configure remaining tweaks.

Preliminary Settings

I wanted to bench configure as much as possible before finally replacing the WRT54GL. To retain an Internet connection while configuring the RT-AC66U, I used my Lenovo T400 laptop to connect to the new RT-AC66U router. I used my office desktop already connected to the existing WRT54GL router. In this manner I compared configuration settings.

    Administration
    Management
    Router Management
      Router Username: xxxxxxxxxx
      Router Password: xxxxxxxxxx
    Web Access
      Enable Info site: Disable
    Remote Access
      Web GUI Management: Disable
      SSH Management: Disable
      Telnet Management: Disable
      Allow Any Remote IP: Enable
    Boot Wait
      Boot Wait: Enable
    Cron
      Cron: Enable
    802.1x
      802.1x: Enable
    Reset Button
      Reset Button: Enable
    Routing
      Routing: Enable
    JFFS2 Support
      JFFS2 Support: Enable
      Clean JFFS2: Disable
    Language Selection
      Language: English
    CIFS Automount
      Common Internet File System: Disable
    Apply Settings
    Save
    Keep Alive
      Disable all.
    Schedule Reboot
      At a set Time: 02:34 Everyday
    WOL
    Wake-On-LAN daemon
      WOL daemon: Disable
    Apply Settings
    Save
    
    Security
    Firewall
      SPI Firewall: Enable
    Additional Filters
      Filter Proxy: Disable
      Filter Cookies: Disable
      Filter Java Applets: Disable
      Filter ActiveX: Disable
    Block WAN Requests
      Block Anonymous WAN Requests (ping): Enable
      Filter Multicast: Enable
      Filter WAN NAT Redirection: Disable
      Filter IDENT (Port 113): Enable
      Block WAN SNMP access: Disable
    Impede WAN DoS/Bruteforce
      Limit SSH Access: Enable
      Limit Telnet Access: Enable
      Limit PPTP Access: Enable
      Limit FTP Access: Enable
    Connection Warning Notifier
      Warning Notifier: Disable
    Log
      Log: Disable
    Apply Settings
    Save
    
    Services
    Services Management
    DNSMasq
      DNSMasq: Enable
      Local DNS: Enable
      No DNS Rebind: Enable
      Query DNS in Strict Order: Enable
      Add Requestor MAC to DNS Query: Disable
    IP over DNS Tunneling
      NSTX Daemon: Disable
    PPPoE Relay
      Relay: Disable
    SES / AOSS / EZ-SETUP / WPS Button
      Turning off radio: Disable
    RFlow / MACupd
      RFlow: Disable
      MACupd: Disable
    SNMP
      SNMP: Disable
    Secure Shell
      SSHd: Enable
      SSH TCP Forwarding: Disable
      Password Login: Disable
      Port: 22
      Authorized Keys: (copied and pasted)
    System Log
      Syslogd: Disable
    Telnet
      Telnet: Disable
    The Onion Router Project
      TOR: Disable
    WAN Traffic Counter
      ttraff Daemon: Enable
    Zabbix
      Client: Disable
    Apply Settings
    Save
    

I enabled strict query order to ensure the router always first checked the LAN server, which is running DNSMasq and my blocking strategy.

I rebooted the router to ensure none of the configurations caused boot problems.

ISP/WAN/LAN Settings

The router was not yet connected to the ISP and was still using its default IP addresses. I needed to configure DD-WRT for the ISP and LAN.

    Setup
    Basic Setup
    WAN Connection Type
      Connection Type: Static IP
      WAN IP Address: 192.168.100.100
      Subnet Mask: 255.255.255.0
      Gateway: 192.168.100.1
      Static DNS 1: LAN server IP address
      Static DNS 2: LAN server IP address
      Static DNS 3: LAN server IP address
    Optional Settings
      Router Name: xxxxxxxxxx
      Host Name: xxxxxxxxxx
      STP: Enable
    Router IP
      Local IP Address: xxx.xxx.xxx.xxx
      Subnet Mask: 255.255.255.0
      Gateway: xxx.xxx.xxx.xxx
      Local DNS: LAN server IP address
    Network Address Server Settings (DHCP)
      DHCP Type: DHCP Server
      DHCP Server: Disable
      Start IP Address: xxx.xxx.xxx.129
      Maximum DHCP Users: 50
      Client Lease Time: 1440 minutes
      WINS: 0.0.0.0
      Use DNSMasq for DHCP: Enable
      Use DNSMasq for DNS: Enable
      DHCP-Authoritative: Disable
      Forced DNS Redirection: Disable
    Time Settings
      NTP Client: Enable
      Time Zone: A local time zone
      Server IP/Name: An NTP pool address
    Apply Settings
    Save
    

Except for testing I do not use DHCP at the router. Configuring the Start IP Address requires temporarily enabling DHCP, applying the settings, then disabling DHCP.

Using the LAN server IP address as the sole DNS server ensures all connections use my LAN server and blocking scheme.

As I was not yet connected to the ISP, the router time remained incorrect.

This was a good time for a backup snapshot. I rebooted as a test. Next I cycled the power to the router as another test.

LAN Wireless Settings

I use the same subnet as my wired LAN.

Configuring the LAN wireless was kind of a go-no-go point. After configuring I would need to connect to the ISP and disable the WRT54GL. Otherwise the two routers would conflict. I could have created new SSID names, but I wanted to retain the old names.

    Wireless
    Basic Settings
    Physical Interface wl0
      Wireless Mode: AP
      Wireless Network Mode: Mixed
      Wireless Network Name (SSID): xxxxxxxxx
      Wireless Channel: 11
      Wireless SSID Broadcast: Enabled
      Network Configuration: Bridged
    Physical Interface wl1
      Wireless Network Mode: Disabled
    Apply Settings
    Save

    Wireless Security
    Physical Interface wl0 SSID
      Security Mode: WPA2 Personal
      WPA Algorithms: AES
      WPA Shared Key: A pass phrase
    Apply Settings
    Save
    

As I am unfamiliar with dual band wireless, I initially disabled the Physical Interface wl1 wireless interface.

This was another good time for a backup snapshot. I rebooted as another test.

I powered off and swapped the two routers. After booting the RT-AC66U I confirmed I could connect using wired with both my office desktop and laptop.

I could not connect the laptop using wireless. The existing NetworkManager configurations were set to the old router, such as BSSID/MAC addresses. A few adjustments in the NetworkManager dialogs and I could connect with wireless. I rebooted the laptop to ensure wireless remained functional.

I could browse the web using wired or wireless, but running an iperf wireless test was discouraging. I run hourly cron jobs to record iperf results on my LAN; that is a nominal monitoring tool only, not a true throughput test. The laptop has an Intel 5100 AGN wireless controller and should be able to use 802.11n. In addition to the device name, the iwconfig command showed IEEE 802.11abgn.

With the WRT54GL only supporting 802.11abg, my average wireless speeds have been about 21 Mbps. That speed is typical with 802.11g. With the RT-AC66U I was seeing iperf results of half that speed. The RT-AC66U supports up to 802.11ac. With the RT-AC66U I expected no slower than the previous average and hopefully something faster.

Lots of tinkering and surfing the web revealed little. I installed an older Build 25697 v24 SP2. No change. I updated the DD-WRT firmware to the latest beta release. No change.

My WAN/ISP connection speeds with the RT-AC66U were about the same as with the WRT54GL. My iperf tests using wired were a tad faster with the RT-AC66U. Only wireless was problematic.

In the end the best I accomplished was configuring the wl0 2.4 GHz radio for G-Only and the wl1 5 GHz radio for N-Only. With that configuration I saw wireless 2.4 GHz connection speeds at about the same as with the WRT54GL.

Using the 5 GHz band always resulted in poor speeds barely bumping 10 Mbps. Reading around the web indicates that running both 802.11g and 802.11n on the same router might reduce overall throughput. Living rurally I do not have to worry about neighborhood interference. I again disabled the 5 GHz radio (Wireless Network Mode: Disabled). Tinkering with 802.11n would have to wait until another day.

Guest Wireless Settings

For house guests with wireless devices I use a subnet separate from the LAN, with the router at 192.168.3.1. An isolated guest wireless network requires 1) a virtual interface, 2) a bridge, 3) a separate DHCP server, and 4) some iptables firewall rules. With a dual band router, a new virtual device may be added to either physical interface. In my case I wanted to use wl0, so the virtual interface is wl0.1.

Thanks to Alex Laird for providing this information.

    Wireless
    Basic Settings
    Wireless Physical Interface wl0
      Virtual Interfaces: Add button
      Wireless Network Name (SSID): xxxxxxxxxx
      Wireless SSID Broadcast: Enable
      AP Isolation: Disable
      Optimize Multicast Traffic: Disable
      Network Configuration: Bridged
    Apply Settings
    Save

    Wireless Security
    Virtual Interfaces wl0.1
      Security Mode: WPA2 Personal
      WPA Algorithms: AES
      WPA Shared Key: A pass phrase
    Apply Settings
    Save

    Setup
    Networking
    Create Bridge: Add button
      Name: br1
    Apply Settings

    Assign to Bridge br1: Interface wl0.1
    Apply Settings

    Network Configuration br1
      Label: Guest Wireless
      Multicast forwarding: Disable
      Masquerade / NAT: Enable
      Net Isolation: Disable
      Forced DNS Redirection: Disable
      IP Address: 192.168.3.1
      Subnet Mask: 255.255.255.0
    Apply Settings

    Multiple DHCP Server
      Add button
      DHCP 0: br1 - Guest Wireless
    Apply Settings
    Save

    Administration
    Commands
      # Enable NAT on the WAN port to correct a bug in builds over 17000.
      iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`

      # Allow guest bridge access to Internet. Each rule is inserted (-I) at the
      # top of the chain, so the two DROP rules below end up above this ACCEPT.
      iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT

      # Block new connections from the guest bridge br1 into the LAN bridge br0.
      iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

      # Block new connections from the LAN bridge br0 into the guest bridge br1.
      iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP

      # Deny guest network access to router services.
      iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
      iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
      iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
      iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
    Save Firewall
    

I added some DNSMasq options to support the guest wireless network.

    Services
    Services Management
    DNSMasq
      Additional DNSMasq Options:
        # Enables DHCP on br1
        interface=br1
        # Set the default gateway for br1 clients
        dhcp-option=br1,3,192.168.3.1
        # Set the DHCP range and default lease time of 24 hours for br1 clients
        dhcp-range=br1,192.168.3.102,192.168.3.150,255.255.255.0,24h
    
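An added check, not part of the original post, for confirming that the guest isolation rules above actually took effect once the firewall script has run: because every rule is inserted at the top of the chain with `-I`, the two DROP rules must sit above the broad `-i br1 ... NEW -j ACCEPT` rule, otherwise the ACCEPT matches first and guest clients can still open connections into br0. The function reads the text that `iptables -S FORWARD` prints; the three listings are constructed samples, not captures from the router.

```shell
#!/bin/sh
# Audit the FORWARD chain (as printed by `iptables -S FORWARD`) for guest
# isolation: both DROP rules must exist, and the guest->LAN DROP must precede
# the "-i <guest> ... NEW -j ACCEPT" rule that would otherwise shadow it.
# Arguments: rule listing, guest interface (default br1), LAN bridge (default br0).
check_guest_isolation() {
    printf '%s\n' "$1" | awk -v guest="${2:-br1}" -v lan="${3:-br0}" '
        /^-A FORWARD / { n++ }            # running position within the chain
        $0 ~ ("^-A FORWARD -i " guest " -o " lan " .*-j DROP$") { drop_g2l = n }
        $0 ~ ("^-A FORWARD -i " lan " -o " guest " .*-j DROP$") { drop_l2g = n }
        $0 ~ ("^-A FORWARD -i " guest " -m (state --state|conntrack --ctstate) NEW -j ACCEPT$") { accept_g = n }
        END {
            if (!drop_g2l || !drop_l2g) { print "MISSING: one or both isolation DROP rules absent"; exit 1 }
            # Only the guest->LAN DROP can be shadowed by the guest ACCEPT rule.
            if (accept_g && accept_g < drop_g2l) { print "SHADOWED: ACCEPT at " accept_g " precedes DROP at " drop_g2l; exit 1 }
            print "OK"
        }'
}

# Constructed sample listings (not captured from a real router).
# Correct outcome of the -I inserts: both DROPs sit above the guest ACCEPT.
GOOD_RULES='-P FORWARD ACCEPT
-A FORWARD -i br0 -o br1 -m state --state NEW -j DROP
-A FORWARD -i br1 -o br0 -m state --state NEW -j DROP
-A FORWARD -i br1 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'
# What results if the rules were appended with -A instead of inserted with -I.
SHADOWED_RULES='-P FORWARD ACCEPT
-A FORWARD -i br1 -m state --state NEW -j ACCEPT
-A FORWARD -i br1 -o br0 -m state --state NEW -j DROP
-A FORWARD -i br0 -o br1 -m state --state NEW -j DROP'
# Firewall script saved with one DROP line missing.
MISSING_RULES='-P FORWARD ACCEPT
-A FORWARD -i br1 -o br0 -m state --state NEW -j DROP
-A FORWARD -i br1 -m state --state NEW -j ACCEPT'

for sample in "$GOOD_RULES" "$SHADOWED_RULES" "$MISSING_RULES"; do
    check_guest_isolation "$sample" || true
done
```

On the router itself, run `check_guest_isolation "$(iptables -S FORWARD)"` after a reboot to confirm the saved firewall script reproduced the intended order.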

This is another good moment for a backup snapshot and rebooting the router.

I now had the LAN wired and wireless networks configured as well as a guest wireless network.

VLAN Settings

I wanted two VLAN ports. I use one VLAN port to isolate my Windows box. I use the other VLAN for temporary systems, such as when I work on another person’s computer. On the WRT54GL I was using the built-in hardware switch ports 3 and 4.

    Setup
    VLANs
    VLAN
      vlan0: No ports, no bridge assignment
      vlan1: Ports 1,2 enabled, Bridge: LAN
      vlan2: Port W(AN), Bridge: None
      vlan3: Port 3, Unbridged LAN
      vlan4: Port 4, Unbridged LAN
      Link Aggregation on Ports 3 and 4: No
    Apply Settings
    Save

    Setup
    Networking
    Network Configuration vlan3
      Label: VLAN-Windows Computer
      Bridge Assignment: Unbridged
      Masquerade / NAT: Enable
      IP Address: 192.168.40.1
      Subnet Mask: 255.255.255.0
    Network Configuration vlan4
      Label: VLAN-Spare
      Bridge Assignment: Unbridged
      Masquerade / NAT: Enable
      IP Address: 192.168.50.1
      Subnet Mask: 255.255.255.0
    Apply Settings

    Multiple DHCP Server
      Add button
      DHCP 1: vlan3 - VLAN-Windows Computer
    Apply Settings
      Add button
      DHCP 2: vlan4 - VLAN-Spare
    Apply Settings
    Save

    Administration
    Commands
      # Allow VLAN traffic.
      iptables -I INPUT -i vlan3 -j ACCEPT
      iptables -I FORWARD -i vlan3 -o br0 -m state --state NEW -j ACCEPT
      iptables -I FORWARD -i vlan3 -m state --state NEW -j ACCEPT
      iptables -I INPUT -i vlan4 -j ACCEPT
      iptables -I FORWARD -i vlan4 -o br0 -m state --state NEW -j ACCEPT
      iptables -I FORWARD -i vlan4 -m state --state NEW -j ACCEPT
    Save Firewall
    

I added some DNSMasq options to support the VLAN networks.

    Services
    Services Management
    DNSMasq
      Additional DNSMasq Options:
      # Enables DHCP on vlan3
      interface=vlan3
      # Set the default gateway for vlan3 clients
      dhcp-option=vlan3,3,192.168.40.1
      # Set the DHCP range and default lease time of 24 hours for vlan3 clients
      dhcp-range=vlan3,192.168.40.102,192.168.40.150,255.255.255.0,24h

      # Enables DHCP on vlan4
      interface=vlan4
      # Set the default gateway for vlan4 clients
      dhcp-option=vlan4,3,192.168.50.1
      # Set the DHCP range and default lease time of 24 hours for vlan4 clients
      dhcp-range=vlan4,192.168.50.102,192.168.50.150,255.255.255.0,24h
    
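As an added example (not from the original post), the following shell function lints the Additional DNSMasq Options text for the guest bridge and both VLANs above: each tag must have its interface= line, a router option (3), and a pool that lies in the gateway's /24 without swallowing the gateway. It assumes 255.255.255.0 netmasks as on this router; the option sets are constructed copies of the blocks shown, one of them deliberately broken the way a pasted-and-edited VLAN block tends to be.

```shell
#!/bin/sh
# Lint dnsmasq per-interface DHCP options for the isolated networks. For every
# dhcp-range tag: require interface=<tag> and dhcp-option=<tag>,3,<gateway>,
# require the gateway to share the pool's /24, and reject a pool containing
# the gateway. Only 255.255.255.0 netmasks are handled (assumption).
check_dnsmasq_options() {
    printf '%s\n' "$1" | awk -F'[=,]' '
        function net(ip,  p) { split(ip, p, "."); return p[1] "." p[2] "." p[3] }
        function host(ip, p) { split(ip, p, "."); return p[4] + 0 }
        { sub(/^[ \t]+/, "") }                    # drop web-form indentation
        /^#/ || NF == 0 { next }
        $1 == "interface" { iface[$2] = 1 }
        $1 == "dhcp-option" && $3 == "3" { gw[$2] = $4 }
        $1 == "dhcp-range" { lo[$2] = $3; hi[$2] = $4; mask[$2] = $5; tag[$2] = 1 }
        END {
            for (t in tag) {
                msg = ""
                if (!(t in iface)) msg = "no interface= line"
                if (msg == "" && !(t in gw)) msg = "no dhcp-option router (3)"
                if (msg == "" && mask[t] != "255.255.255.0") msg = "unhandled netmask " mask[t]
                if (msg == "" && net(lo[t]) != net(hi[t])) msg = "range spans subnets"
                if (msg == "" && net(gw[t]) != net(lo[t])) msg = "gateway " gw[t] " not in " net(lo[t]) ".0/24"
                if (msg == "" && host(lo[t]) > host(hi[t])) msg = "range start after end"
                if (msg == "" && host(gw[t]) >= host(lo[t]) && host(gw[t]) <= host(hi[t])) msg = "gateway " gw[t] " inside DHCP pool"
                print t ": " (msg == "" ? "OK" : msg)
                if (msg != "") bad = 1
            }
            exit (bad ? 1 : 0)
        }'
}

# Constructed from the three option sets shown above (br1, vlan3, vlan4).
GOOD_OPTIONS='# Enables DHCP on br1
interface=br1
dhcp-option=br1,3,192.168.3.1
dhcp-range=br1,192.168.3.102,192.168.3.150,255.255.255.0,24h
interface=vlan3
dhcp-option=vlan3,3,192.168.40.1
dhcp-range=vlan3,192.168.40.102,192.168.40.150,255.255.255.0,24h
interface=vlan4
dhcp-option=vlan4,3,192.168.50.1
dhcp-range=vlan4,192.168.50.102,192.168.50.150,255.255.255.0,24h'
# Guest pool starting at the gateway; vlan4 range pasted from vlan3 unedited.
BAD_OPTIONS='interface=br1
dhcp-option=br1,3,192.168.3.1
dhcp-range=br1,192.168.3.1,192.168.3.150,255.255.255.0,24h
interface=vlan4
dhcp-option=vlan4,3,192.168.50.1
dhcp-range=vlan4,192.168.40.102,192.168.40.150,255.255.255.0,24h'

for sample in "$GOOD_OPTIONS" "$BAD_OPTIONS"; do
    check_dnsmasq_options "$sample" || true
done
```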

Connecting to one of the VLANs showed the default route and Primary DNS as 192.168.40.1 and an assigned IP address in the same subnet. No sign of my LAN DNS server IP address, which is what I wanted.

Loose Ends and Tweaks

I use some custom scripts that I wrote myself or downloaded from the web.

    Administration
    Management
    Cron
      Additional Cron Jobs
      */1 * * * * root sh /jffs/etc/config/traffic.sh
    

I used scp to copy files to the router:

    /jffs/etc/profile
    /tmp/root/.profile/profile
    /jffs/etc/config/rc_startup.startup
    /jffs/etc/config/rc_startup.wanup
    /jffs/etc/config/traffic-repair.sh
    /jffs/etc/config/traffic.sh
    /jffs/etc/authorized_keys
    /tmp/root/.ssh/authorized_keys
    /jffs/etc/hosts
    /tmp/hosts
    /jffs/etc/dnsmasq.conf
    /tmp/dnsmasq.conf
    

I remain dissatisfied with the external RT-AC66U indicators. I much prefer the front-view indicators of the WRT54GL. Seems the Asus engineers chose style over function. Or perhaps they were overruled by the marketing wonks, who usually have no clue about function.

On my to-do list are configuring a VPN and fixing the 802.11n problems.

Posted: Category: Tutorial, Usability Tagged: DD-WRT
