DD-WRT consumer router firmware (unlock your old WiFi routers)

I watched the episode “Planning your network layout” and figured this would be useful for anyone who has an unused consumer WiFi router lying about. I was amazed at the feature-rich options available.

from: What is DD-WRT? - DD-WRT Wiki
DD-WRT is third party firmware released under the terms of the GPL for many Wi-Fi 4 and Wi-Fi 5 wireless routers based on a Broadcom or Atheros chip reference design.

1 Like

DD-WRT is great. I used it some time ago on an older access point I used to use, but ultimately decommissioned that one in favor of a more powerful unit, but I did enjoy DD-WRT while I was using it.

I’ve been using dd-wrt with Linksys WiFi routers for a long time (15+ years). dd-wrt has served me well all these years.

I am about to follow in the footsteps of @jay in that I am about to upgrade from a consumer-grade WiFi router to a commercial-grade AP (access point).

I used open firmware on consumer routers for many years. I migrated to unifi a few years ago:

  1. I had multiple routers acting as APs. Management and troubleshooting got pretty tough.
  2. My routers were often lasting less than 18 months. They just were not designed for the use and heat they were experiencing.
  3. I was working from home so a flaky internet was not an option.

I started with a $90 USG and a $180 AP with my old 5 port netgear router. The new AP went into my office. The old consumer routers were relegated to AP duty in the family room and my garage workshop.

It worked a treat. I didn’t upgrade again until I put in 2 cameras so my 80-year-old mom could see who was at the front and back door on her phone when the dog started barking. No sense climbing the stairs if she didn’t need to.

The last time I looked, there was nothing compared to the $90 USG that was available at the starter level.

1 Like

If provided the funding to use a business-class or prosumer network device (with support), I do prefer this approach for production use.

I found that using these open firmware options helped me better understand the full capability of these tools, and get experience with complex UIs similar to those found in business-class devices. When I upgraded my homelab to 8-port smart switches from Cisco and Netgate, I found no trouble navigating the UIs due to my experience with the open firmware I’ve used previously.

Let’s talk about why dd-wrt and openWRT exist.

From a security standpoint, the biggest issue is that in the consumer market these devices are put out there for a very short lifecycle. By that I mean that Linksys, for example, will make a WiFi router and will provide support for that device, basically, until a new version of the hardware comes out. At that point, most vendors drop support for previous models. So, the vendor has a development cycle of, say, 1 year. The problem is that most consumers don’t upgrade every year and we end up with devices out there that are no longer receiving any type of security updates.

I found a similar issue with dd-wrt. Before I purchased a device, I confirmed that it was supported by dd-wrt. I purchased the device and installed dd-wrt. It ran great and provided me with many additional features that the OEM firmware did not include. Over time, I noticed that newer versions of the dd-wrt firmware for my specific device contained different features, and that some versions worked better with specific features. In my case, the older version ended up being more stable and worked better, but at a point in time was no longer supported from a security update standpoint.

That specific issue directed me to start looking at openWRT as an alternative, but during this same time I lost my job due to a company re-org and decided to rebuild my home lab to help me work on some new certifications and skills. This is when I decided to move from consumer-grade to commercial-grade devices. The cost for some of this was really not that much more. I did decide to spend a little extra on some devices.

I looked at the Unifi USG, but it does not include the features I wanted, i.e., deep packet inspection at full GB line speed. If you ever move to GB internet, the USG will slow your connection down quite a bit; I don’t recall how much. Also, with Unifi’s security history, I didn’t want to get pulled down into their proprietary solution too far. I do like their APs though, and you can self-host the required network controller. I don’t put ANY information into Unifi’s cloud.

I ended up with a layer-3 switch, a full GB line speed router (router being a separate device from the wireless AP), and a Unifi FlexHD AP. These specific devices have the features that allow me to build the skills I use at work for network monitoring and Python-based network automation scripting.

I do like dd-wrt and openWRT, your experience may be very different from mine.

2 Likes

That is great information. Security maintenance for the firmware is an often overlooked piece of cyber security defense in depth (i.e. multi-layer). The historical perspective you provide is really valuable context.

1 Like

If you want the scary version, think about WiFi enabled DVD/Blu-ray players and WiFi enabled cameras that never get any updates. These are frequent targets when threat actors select hosts to be used during the creation of a botnet.

3 Likes

I went overboard with routers, and haven’t fully settled on the final layout for my home lab. I have an EdgeRouter 6P, Netgate 3100 and a UDM Pro. I really like the idea of using pfSense, but also like the fact that I can wrap things up in / on the UDM Pro.

My old router was a cheap E2100 (Cisco re-branded Netgear I think it is) that I tried several times to re-flash with WRT but it would not accept it no matter what I tried. I finally gave up on it and went with the EdgeRouter 6P initially, then the other two. I have two ISPs at present, StarLink and ViaSat. I can’t ditch ViaSat until the contract expires; well, I could, but I’d be paying for nothing. That’s why I started looking at dual WAN capable routers and kinda went a bit overboard.

Like @Mr_McBride mentions, IoT devices are scary in the security space. I want all those things on a VLAN that has no ability for outbound traffic to the internet. I’m no network engineer, that’s for sure, but the more I read about the horror stories, the more paranoid I get about securing my home network.

2 Likes

How do you like the ER-6P?

I’m not a network engineer either, but I do support network engineers directly at work, so I’ve learned the network side over time. I do have experience managing and supporting Cisco switches, but no experience with routing (excluding VLAN routing).

1 Like

If one needs a decent switch/router combo that has just a few PoE ports, then the ER-6P is an ideal candidate. If you don’t mind splitting out the components (Switch, Router, Firewall) I think the Unifi Switch and Netgate Firewall/Router combo is a better way to go as pfSense just seems more “polished” than the ER-6P.

With the addition of Homelab equipment, more PoE needs, and advanced routing desires, I soon realised the ER-6P couldn’t do all I needed it to.

For a simple home network with just a couple of APs, I think it’s a far better option than the bog-standard stuff that most of us start off with.

3 Likes

Agreed. I’m running OPNsense on an Intel NUC with 4 Intel GB NICs.

I bought a managed 8-port Netgear PoE to run all of my RPis.

2 Likes

We demoted our Netgear 6700V3 from router to WAP and put a Protectli FW4B in its place. It works far better and with vastly better support. Since we run all our PCs, Pis, NASes, etc. on a wired network, we put the WAP on its own physical network (separate interface on the FW4B, and firewalled to not allow traffic to the LAN). The only WiFi devices we have are our phones anyway, no “smart” devices, but once those become unavoidable, they have a place to go where they can’t get up to as much mischief and can be easily blocked off from the Internet, too.

The real threat, IMHO, is the move by Amazon and others to create “mesh” networks of their own devices that operate on their own frequency set and connect to each other independent of our own network. They can form mesh networks across neighborhoods and even whole cities that we can’t firewall off, short of turning our home into a SCIF.

Rob Braxman has a number of interesting videos on the subject.
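A firewall policy that puts the two layouts discussed in this thread into rules: the WAP on its own interface, firewalled away from the wired LAN (the post just above), and an IoT VLAN with no path to the LAN or to the Internet (the post a few messages up). This is an added example in pf.conf syntax as used by pfSense/OPNsense; it is not configuration from any poster or from those projects, and the interface names, VLAN id and subnets are assumptions.

```pf
# Constructed pf.conf fragment (assumed interface names, VLAN id and subnets).
wan_if  = "igb0"
lan_if  = "igb1"          # wired LAN: PCs, Pis, NAS
wifi_if = "igb2"          # dedicated port for the demoted router acting as WAP
iot_if  = "igb2.30"       # VLAN 30 on the same port for "smart" devices

lan_net  = "192.168.10.0/24"
wifi_net = "192.168.20.0/24"
iot_net  = "192.168.30.0/24"

set skip on lo0

# Default deny on every interface. In pf the last matching rule wins unless it
# carries "quick", so the specific blocks below use quick to short-circuit.
block log all

# Only the trusted LAN and the phone WiFi get translated to the WAN address;
# the IoT subnet is deliberately left out, so it cannot reach the Internet
# even if a pass rule were added by mistake.
nat on $wan_if from { $lan_net, $wifi_net } to any -> ($wan_if)

# Wired LAN is trusted: may initiate to the Internet, the WAP segment and the
# IoT segment (e.g. to manage the AP). Replies return via the state entry.
pass in on $lan_if inet from $lan_net to any

# WiFi segment (phones): Internet only. DHCP is a broadcast from 0.0.0.0, so it
# is matched by port rather than by subnet; DNS is answered by the firewall.
pass in quick on $wifi_if inet proto udp from any port 68 to any port 67
pass in quick on $wifi_if inet proto { tcp, udp } from $wifi_net to ($wifi_if) port 53
block in quick log on $wifi_if inet from $wifi_net to { $lan_net, $iot_net }
pass in on $wifi_if inet from $wifi_net to any

# IoT segment: no LAN, no Internet. Devices may only obtain an address from the
# firewall; everything else they send is logged and dropped.
pass in quick on $iot_if inet proto udp from any port 68 to any port 67
block in quick log on $iot_if inet from $iot_net to any
```

`pfctl -nf /etc/pf.conf` parses the file without loading it; on pfSense/OPNsense the same policy is normally entered through the web GUI, which generates equivalent rules.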

That is scary. Only one amazon device in my house, a FireHD-8 tablet. I used FireTools to rip out all of the Amazon and Google crap. Nothing left but the base Android OS.

1 Like