Uses of Openwrt/DDwrt - Open firmwares for router. Simplified


cute.bandar

Routers (wifi 'creator') have a default operating system called 'firmware'. OpenWrt / DD-WRT are open-source, community-made, Linux-based replacement operating systems for routers.

This is a guide to these open firmwares: their advantages, disadvantages and uses.

Summary: Turn your router into an always-on micro Linux computer. Install programs that can serve files, play media, SSH, IRC chat server and so much more. It's beautiful!


Common Uses:

- Attach a 3G USB dongle to router.
- Ad blocking for whole network or specific devices.
- Custom guest SSID: Not common/easy to set up, but very cool. Create a custom wifi SSID. Anyone who connects to it can be restricted to specific things only! A folder on a device, just the internet, specific websites and so on.
- Increase wifi power/range: Be very careful to not fry your router.
- Complete access control: Set when and which device can connect to what.
- If USB port: Attach storage, access from any device. Download torrents!
  Remember complete access control? So limit certain adult folders on the USB drive (or any drive) to be visible to just my PC :D
- Measure bandwidth being used, by which device and when.
- Limit bandwidth.

Security
- Most default firmwares are rarely updated, have major security holes.
- Issues exist in certain wifi features themselves! (Google 'wps security'.) Many default firmwares do not address them, and can have zero options to turn these security holes off.
Open firmware:
- more regularly updated.
- complete control to turn off any security risk 'feature'.
- DNS hijacking prevention for the whole network - dnscrypt

Advanced Uses:
- securely access your network remotely .
- port forwarding.
- custom scripts: Write your Python script and make it do what you wish. Notifications for new device connections, wifi attacks, downtime, or anything you can imagine.
- Log everything.
- run a server. ftp, irc ..

Disadvantages:
- For those who like tinkering.
- Risk of bricking router. EXACT ROUTER MODEL MUST BE SUPPORTED!
- Can be difficult to install and configure. Depends on router and your command line, linux skill.

There is a lot more. Most of it actually goes over my head...

Please point out if anything is incorrect here.
 

netant

Security
- most default firmwares are rarely updated, have major security holes.
True, many put a backdoor to control it remotely (which we can see in the Huawei router by Airtel) and a hidden call-home feature.
Almost everyone does it except Linksys, ruckus.
 

vivek.krishnan

The main advantages are

1. Users wanting to get more out of the hardware/Software addons - giving more benefits which are not supported by the stock firmware - for example, the stock fw may allow USB for printing/ftp, but not allow for torrents. This allows the router to do this, freeing up the computer to be kept on 24x7, saving power.

2. Security conscious - the fw is rarely updated, hence may have holes like KRACK etc. In such cases, the custom fw, will be usually built with these patches integrated. Apart from this, the stock fw may not allow secure access or lack some secure protocols. This allows for more secure access/etc.

3. Power users/hardware addons - some routers are quite powerful, but lack the drivers/modules for certain case scenarios. Per say, attaching a USB audio out. These are edge cases, which are not covered in point 1.
 

nimod

more..
I used mr3020's open gpio pads to attach an i2c oled display.
 

cute.bandar

^ hardware mods/addons is kind of a broad definition. Its nice to know specific use cases :)
 

vivek.krishnan

^ hardware mods/addons is kind of a broad definition. Its nice to know specific use cases :)
I am not against it - but in general, rarely do people do hardware addons/mods. You will find a lot of people buying the ASUS N13U B1/USB routers (I too was one of them) only to flash with ddwrt/openwrt and install transmission, which is a software mod, technically, but not a lot who want to setup the MR3020 as a RFID scanner (I know someone who did)
 

nimod

I am not against it - but in general, rarely do people do hardware addons/mods. You will find a lot of people buying the ASUS N13U B1/USB routers (I too was one of them) only to flash with ddwrt/openwrt and install transmission, which is a software mod, technically, but not a lot who want to setup the MR3020 as a RFID scanner (I know someone who did)
certainly there are too many possibilities.

i soldered a usb hub to mr3020 and installed openwrt on a USB flash drive.
two gpios and lots of installation space; now i have too many possibilities.
 

netant

Updates: in post #17


I flashed OpenWrt on my Archer today... I’m too confused.
It’s overwhelming and very complicated to find something and configure.
Hardly any good YouTube video tutorials, majority is clickbait. It’s said OpenWrt had a wealth of documentation. I’m struggling to find proper documentation on the LEDE as well as the wrt site. IRC is helpful but again no one will help step by step.

It took me almost 3 hours to get Adblock working, none of the documents listed the dependencies.
Adblocking is not very efficient as it’s DNS based and filter lists are very limited. For example the HPhost filter list has over 45k domains but the wrt version has only 12,000ish.
Doesn’t block YouTube/Facebook/LinkedIn ads at all. Setting AdGuard DNS was proving better ad blocking.
I’m sure I’m missing something in configuring Adblock.

@cute.bandar @vivek.krishnan @nimod please help me by pointing any good links of documentation which is well explained for beginner if you know.

I’m trying to achieve following things at the beginning.
  1. Security of this router from external world (wan interface). After flashing I only configured pppoe and wifi radios. Firewall settings are non existent, and are too complicated. So everything is in default.
  2. Block ads and tracking. - DONE (using the default adblock, with StevenBlack host and a few other built-in filters like the youtube block list & easylist. Total 60k domains, using more will impact the router. Using this is very light on my router and free memory came down to 68% from 75% without adblock. This is providing me an average adblock but NOT close to what I am expecting. Tested almost 15 adblock lists but unable to tame facebook & youtube video ads :(. So as of now I'm good with this, and moving my focus to other things, but later on I will figure out another solution like pihole etc.)
  3. Use DNScrypt, Resolving Dns over https/encrypted.
  4. Hide my internet traffic from the isp. They should only see the encrypted traffic and should not sniff my packets.
  5. IP reservation in DHCP based on my devices' MAC address (I’m yet to figure out where the address reservation and lease time settings are). - DONE ! settings found under - network (Tab) ---> DHCP and DNS
  6. Unable to find how to configure guest network.
  7. Few schedules:
    1. Turn off wi-fi radios after 10:00pm every night and again turn on at 7:00am. - done ( https://www.gargoyle-router.com/phpbb/viewtopic.php?t=2064)
    2. Disconnect the internet after 10:30pm (reject any request to auto dial and connect the PPPoE). --- DONE !!
    3. Reboot the router at 6am, Connect to Internet, update Adblock list and reboot at 6:30am, before enabling wifi at 7am. - done! ( command - sleep 70 && touch /etc/banner && reboot, /etc/init.d/adblock reload)
  8. Administrate devices, and guest network.
    1. For example block any Facebook activity in the network regardless, website or via fb app in mobiles.
    2. Let’s say Instagram can only be accessed between 10am to 5pm.
    3. Certain devices can only have access to LAN and not internet (media servers).

I have listed down few things which I’m trying to achieve so that people can hint me to the right direction.

Else, I will flash back to tplink back .. I was feeling more secure in my previous configurations and had more control over the router. And will install piHole to block ads.

Thanks.

Edit:
Paging @rajil.s as well.
 

vivek.krishnan

1. Security - By default it is blocked for WAN access, so nothing needs to be done (AFAIK)
2. Block ads - lookup PiHole on openwrt. This might help - https://github.com/mrkno/pi-hole-lede-openwrt
3. DNS over HTTPS - you can use this as a guide - https://blog.cloudflare.com/dns-over-tls-for-openwrt/

When you look at 2 and 3, you should also disable all DNS requests over port 53.

4. Hiding traffic from ISP - you will need to setup a VPN.
5. open the DHCP server settings and do the needful.
6. Wifi - on the wifi page. Add a 2nd network.
7. Schedules - CRON job.
8. 1. FB - null routing (ASN) or DNS blackhole, 2. Instagram - same as FB with a cron job, 3. firewall rules.

@rajil.s @cyberwarfare @tommy_vercetti your inputs...
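
To check point 1 and the port 53 advice in the reply above against a router's own settings, here is an added example (not code from the thread or from the OpenWrt project) that parses a firewall file in UCI syntax. The function names and both sample configs are constructed, and it assumes "disabling port 53" is done with a LAN redirect or a reject/drop rule.

```shell
# Audit an OpenWrt firewall config (UCI syntax) read from stdin.
# On a router: audit_firewall < /etc/config/firewall
audit_firewall() {
    awk -v sq="'" '
    # Evaluate the section collected so far, then reset it.
    function check_section() {
        if (type == "zone" && o["name"] == "wan") {
            seen_wan = 1
            if (o["input"] == "ACCEPT") {
                print "FAIL wan zone input policy is ACCEPT"; fail = 1
            } else
                print "OK wan zone input policy is " o["input"]
        }
        # A rule with src=wan and no dest applies to the router itself.
        if (type == "rule" && o["src"] == "wan" && o["dest"] == "" &&
            o["target"] == "ACCEPT")
            print "INFO wan input allowed: " o["name"] " proto=" o["proto"] " port=" o["dest_port"]
        # Plain DNS from LAN clients: redirected or blocked?
        if (type == "redirect" && o["src"] == "lan" && o["src_dport"] == "53")
            dns = 1
        if (type == "rule" && o["src"] == "lan" && o["dest_port"] == "53" &&
            (o["target"] == "REJECT" || o["target"] == "DROP"))
            dns = 1
        split("", o)                     # portable way to empty the array
    }
    BEGIN { fail = 0 }
    $1 == "config" { check_section(); type = $2; next }
    $1 == "option" {
        val = $0
        sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", val)
        sub(/[ \t]+$/, "", val)
        gsub("[\"" sq "]", "", val)      # strip UCI quoting
        o[$2] = val
    }
    END {
        check_section()
        if (!seen_wan) { print "FAIL no wan zone found"; fail = 1 }
        if (!dns) print "WARN no lan port 53 redirect or block found"
        exit fail
    }'
}

# Constructed sample config; $1 is the wan zone input policy to embed.
sample_config() {
    cat <<EOF
config zone
    option name 'lan'
    option input 'ACCEPT'
config zone
    option name 'wan'
    option input '$1'
    option forward 'REJECT'
config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option target 'ACCEPT'
EOF
}

# Constructed redirect stanza: LAN DNS on port 53 is sent to the router.
dns_redirect() {
    cat <<'EOF'
config redirect
    option name 'Intercept-DNS'
    option src 'lan'
    option src_dport '53'
    option proto 'tcp udp'
    option target 'DNAT'
EOF
}

sample_config REJECT | audit_firewall
{ sample_config ACCEPT; dns_redirect; } | audit_firewall || echo "audit failed"
```

The function exits non-zero when the wan zone accepts input or is missing, so it can gate a cron job or a post-upgrade check.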
 


netant

I think DD-WRT and Tomato also offer similar functionalities
ASUS undoubtedly has the best stock firmware; it has provided almost every control to its user via its advanced settings.
OpenWrt, on the other hand, is CLI friendly. It's definitely not for general average users. It has endless possibilities but one has to install that module first (which is a mystery for new users), and then finding and configuring that module is again a puzzle.

i need to play around lot with this software to understand it, a very steep learning curve :(
 

cisco_tech

I am not sure if you can setup Diversion or AB-solution with skynet on OPENWRT.
I am running above setup on AC68U Asus merlin firmware.
I will try to dig up tomorrow. Should be possible on OPENWRT or ddwrt firmwares too.
 

rajil.s

Looks like you have most things sorted out.

  • Security of this router from external world (wan interface). After flashing I only configured pppoe and wifi radios. Firewall settings are non existent, and are too complicated. So everything is in default.
Network>Firewall lets you do port forwards and allows you to open router ports (e.g. ICMP). What else are you looking for?

  • Block ads and tracking.
You can use the Adblock package to do this. However, be aware that Adblock needs quite a bit of RAM, so if you have a spare computer lying around, better to run pi-hole on it.

  • Use DNScrypt, Resolving Dns over https/encrypted.
Documentation is here.

  • Hide my internet traffic from the isp. They should only see the encrypted traffic and should not sniff my packets.
Install openvpn and set it up to route all or some of your traffic over it. VPN will most likely reduce your Internet speed though.

  • IP reservation in DHCP based on my devices' MAC address (I’m yet to figure out where the address reservation and lease time settings are). - DONE ! settings found under - network (Tab) ---> DHCP and DNS
  • Unable to find how to configure guest network.
Simply create a new SSID in Network>Wifi. You can create multiple SSIDs. If you want to disallow the Guest network from connecting to your LAN network, you will need to create a new zone. Follow the detailed instructions here.

  • Few schedules:
    1. Turn off wi-fi radios after 10:00pm every night and again turn on at 7:00am. - done ( https://www.gargoyle-router.com/phpbb/viewtopic.php?t=2064)
    2. Disconnect the internet after 10:30pm (reject any request to auto dial and connect the PPPoE). --- DONE !!
    3. Reboot the router at 6am, Connect to Internet, update Adblock list and reboot at 6:30am, before enabling wifi at 7am. - done! ( command - sleep 70 && touch /etc/banner && reboot, /etc/init.d/adblock reload)
OpenWrt is miles ahead of that Tplink firmware. No sense in going back to stock.
 

netant

reverted back to stock - click to see why in post #23

Looks like you have most things sorted out.
Openwt is miles ahead of that Tplink firmware. No sense in going back to stock.
True, it has endless possibilities.
I began to tame OpenWrt slowly, but I need more time to research and configure to achieve everything I wanted. That's the reason I'm documenting my findings in this thread so that any new user who makes the jump to OpenWrt doesn't have to struggle.

As of now all my basic requirement is taken care of and i have updated my post https://techenclave.com/community/threads/uses-of-openwrt-ddwrt-open-firmwares-for-router-simplified.187786/#post-2164475 accordingly.


Tasks completed:
  1. All Automating tasks - Done
  2. IP reservation in DHCP - Done
  3. Adblock - Done (there is a huge scope for improvement, will revisit later to kill YouTube and Facebook video ads. I will start from this post - https://paul.is-a-geek.org/2015/06/dns-based-adblock-using-openwrt-opendns-and-dnsmasq/)
  4. Guest network - re-planned my network and discovered its not my immediate requirement hence removing it from my wish list.


To-do (next things to focus, mostly related to security. And other advance setup.)
  • Privacy
    (my original expectation #4, but rephrased, as what i exactly want to achieve) DNS crypt is because of this point. Here it goes in details:
    • Whenever I search in Google, it shows my exact home location including my apartment name in "From your Internet address". I thought ACT has double NAT and may provide some privacy but it's the exact opposite. All my devices use DuckDuckGo by default but the disguised Android surveillance devices in the network are calling back home to Google every time. I want to stop this level of geolocation tracing. I'm not sure how to achieve that; a system-wide paid VPN is not an option. Tested a few OpenVPN clients in Windows, overall speed is heavily impacted plus trouble using a few services like food delivery and cab booking in the network. Looking for an alternative, maybe some transparent proxy via privoxy, squid or something.
    • All desktop browsers in my network are behind a paid proxy and configured using pattern-based proxy via FoxyProxy. For example, when I order food it will connect me to my ISP directly to broadcast the city name. So I'm sorted in web browsers... looking for a LAN-wide solution on privacy. I'm OK if it broadcasts my city name, but I don't want it to reveal my apartment name.
  • DNSCrypt part - this is my weakest knowledge area. Need lots of research to understand this and implement. Waiting for @cisco_tech for more inputs.
  • Disable IPv6 completely from the router. (I have disabled it in all available sections in LuCI, but wanted to disable it system wide to save resources.)
  • Research on the firewall system and configure it to block any unwanted intrusion from WAN interface. and also to restrict few of my LAN devices to access only LAN and not Internet.
  • Advance level of automation in entire network. (will do them slowly, once all the security things are taken care of. I am aware of the path to walk and would be super fun if i achieve them.)
    • Shut-down my home server in night after 10:30pm (or wait till it became inactive), and start again 7am in the morning via WoL .... low hanging fruit.
    • At night, if the only device active in the network is my TV streaming from my NAS, then shut down WAN to disconnect internet. -- exciting thing to automate :)
    • Disconnect WAN if no wireless client connected for 1hr.
 

netant

ok at the very beginning i forget to mention the signal quality after openWRT.
My entire home network is N-only and with stock wireless power setting of openwrt.
based on site survey my channels are manually set to 2.4ghz channel = 11 & 5ghz = 48.

based on my 24 hours observation,
It looks better than the stock TP-Link firmware.... no 5GHz signal dropping so far, even with a higher beacon interval of 300. TP-Link was set on 100 and failed to deliver a stable signal.
I will fiddle with a higher beacon of 500 and check if signals stay stable.

after 3 walls inSSIDer recording a stable signal of about -65db in a stationary old dell laptop ( in both 5ghz + 2.4ghz). This spot was above -70db earlier with frequent signal drop.

the farthest corner of my house is recorded about -79db (4 walls), which was a dead spot earlier.
 

ReVo_007

Going through the last part of the automation that you want to attain, you will have to use a watchdog or a continuous script; I don't think we can handle that on an event basis. I would really love to know if we can program it to be event driven rather than counter driven.
 

netant

Update:
Wireless speed is not consistent. The content which I was able to stream to my TV (connected on the 5GHz N-network) flawlessly is now stuttering. Not even 720p content is playing without hiccups. In this scenario both the client-to-router distance and environmental interference are constant.

:(

Got a few lines of code in a Google search to improve it, like burst and compression.. those are even making it worse.

Any suggestions?