I had a DD-WRT router that was dropping a lot of packets. I got a lot of errors and that caused poor playback in Netflix and especially MLB.tv. It wasn’t a bandwidth issue. My wireless network connection was just too noisy. I had to adjust my DD-WRT TX power to fix it.
I picked up a couple of refurbished Linksys EA6200 routers this past weekend. For whatever reason, DD-WRT isn’t officially supported on them, though it does seem to be a popular DD-WRT router. A lot of people make the upgrade far more difficult than they need to. With some simple hacks, Linksys EA6200 DD-WRT installation is pretty straightforward.
I came up with an 18-step process that I simplified just as much as I could. Unlike some methods I’ve seen, I don’t have you editing any binary files or creating custom startup scripts.
I set up a DD-WRT router on Charter’s Spectrum broadband, and had a hard time getting it to work. It wouldn’t pull an IP address on the WAN side, or it would pull a 192.168 address rather than a Charter public address.
I’ve been using and recommending DD-WRT for years, but it’s getting harder to find inexpensive routers to run DD-WRT. Many inexpensive routers now use non-Broadcom chipsets that DD-WRT and other third-party firmware don’t support well, or at all.
But there’s still a way to get inexpensive, compatible routers that isn’t likely to change any time soon.
I spent some time over the weekend playing with pfSense, and I can’t say much about it other than it does what it says. I didn’t throw a ton of hardware at it–the best motherboard I have lying around is a late P4-era Celeron board, and the best network card I could find was, believe it or not, an ancient Netgear 10/100 card with the late, lamented DEC Tulip chipset on it. Great card for its time, but, yeah, nice 100-megabit throughput, hipster.
A couple of my college buddies posted a link to an Ars Technica article about Linksys routers getting hacked. Sorry I didn’t find it myself, I’m prepping for a job interview. Excuses, excuses, I know.
Researchers have been doing this kind of stuff for at least a year, but now we’re seeing the bad guys do it. It was just a matter of time, because bad guys are going to attack whatever is easiest to attack, and consumer routers are direct-connected to the Internet and their security isn’t really all that much better today than it was when Linksys released its first router in 2000.
What’s worse is that two of the affected models, the Linksys E1000 and E1200, are no longer supported by Linksys. The answer is DD-WRT. Visit the linked page, type in the name of your router, check the version (it’s on a sticker), then load DD-WRT like you would load Linksys firmware. If you’re not comfortable doing it, a computer-savvy friend or acquaintance can do it in half an hour for you. I’m running DD-WRT on two routers myself, and put it on my mother-in-law’s router, and find there’s no comparison between it and anything any of the manufacturers are shipping from the factory.
Is its security perfect? Probably not, but it doesn’t even have the feature this exploit is using. And turning off undesirable features is the beginning of good security.
I found a couple of old Linksys WRT54G routers and decided to load DD-WRT on them. The first one, an abandoned-by-Linksys WRT54GS model, gave me some trouble, which led me to buying a TP-Link unit to run DD-WRT on. The second unit, which was a vanilla WRT54G, still had firmware available on Linksys’ site, so the upgrade was somewhat straightforward–it went by the book, at least. I installed the latest Linksys firmware, then installed the DD-WRT mini build, then upgraded to the full build.
After getting DD-WRT running on it, I configured it to behave as an access point on channel 6. I was surprised at how strong the signal was. Years ago, I ran a pair of WRT54G routers, and they struggled to cover the house. It’s possible that was due to age, or perhaps I was getting too much interference from my neighbors since we were probably all running our wireless on the default channel in those days because none of us knew better.
As for my WRT54GS, when I tried to upgrade it, I got a nice message stating, “Upgrade are failed!” Nice. Too bad it didn’t add “All your base are belong to us.” That’s when I learned you need to install the last Linksys upgrade first, then upgrade from that. So I downloaded that from some forum, tried flashing that, and received the same message. So I set it aside, figuring I bricked the unit. A few days later, after getting the WRT54G running, I fired up the GS, visited its configuration page, and… found DD-WRT running on it! Upgrade are failed? More like all your upgrade are belong to ME.
In all honesty, I probably got lucky. It’s always best to go by the book on things like this.
The WRT54G is limited, of course, to 802.11b and 802.11g (54 megabits max) but as a complement to a more modern router, it still has a few tricks left. If you have one lying around, it won’t cost anything aside from about 30 minutes’ worth of effort to load DD-WRT on it and see what it can still do for you.
And if you don’t happen to have one lying around, it’s not hard to find a used WRT54G. I find them at estate sales, garage sales, and rummage sales pretty frequently because a lot of people set them aside when they either buy newer, faster routers or their ISP forces them into an all-in-one unit. Don’t pay too much for it, because it’s aging technology, but I’d say they’re worth grabbing for $5 or less.
I see the advice going around, again, to disable the Windows firewall and rely on an external router, the justification being that it makes your computer “invisible.” It doesn’t. Only IPv6 can do that–and then, only if you don’t use it for anything.
The trouble with that advice is that there are botnets targeting routers. Routers are nothing special; they’re small computers running Linux on an ARM or MIPS CPU, typically outdated versions with old vulnerabilities that can be exploited by someone who knows what to look for. One example of this is the Aidra botnet. Typically Aidra is used to attack outside targets, but it’s not outside the realm of possibility for an infected router to turn on and attack the machines it’s supposed to protect. And if you’ve turned off your firewall, then you have no protection against that.