Using the DD-WRT firewall

Last Updated on November 25, 2018 by Dave Farquhar

I get a lot of questions about the DD-WRT firewall. There’s a lot of talk out there that goes deep into theory and advanced firewall usage, but what if you just want to know how to set up your firewall to protect your network and open up a few ports?

Here’s how to set that up.

Note: If you have multiple DD-WRT boxes running as access points like I do, only the one directly plugged into the Internet needs to be configured this way. Disable the SPI firewall on your internal access points.

Enabling the DD-WRT firewall

dd-wrt firewall
The first step is to enable the DD-WRT firewall, which you’ll find on the Security tab under the heading SPI Firewall.

First, make sure the firewall is enabled on your Internet-facing DD-WRT router. Navigate to Security, Firewall, and check the box next to SPI Firewall.

This poorly explained setting keeps Internet traffic off your local network.

For the most basic home use, where you’re just connecting to sites on the Internet used by a simple web browser and you don’t have anything reaching in, you can actually stop here.

Enabling port forwarding

In this DD-WRT screenshot, I’m forwarding ports 80 and 443 to an internal web server.

But if you’re interested in firewalls, it’s likely you want to do more with your DD-WRT firewall.

The logical next step is to forward some ports. Navigate to NAT/QoS, Port Forwarding. Click Add, then fill in the blanks and check Enable. I have HTTP and HTTPS set up pointing to my web server. In the screenshot above, I should have forwarded TCP, not both protocols. Click Save when you’re done.

Web servers are probably the most common thing. If you wanted to run your own mail server, you’d probably want to forward TCP port 25. You may have some games that require a particular port. The interface lets you document and set those up here.

You can also do ranges of ports if a game or application needs multiple ports. That’s the next tab over, Port Range Forwarding.

DHCP reservations

Chances are your systems use DHCP. This makes it much easier to manage TCP/IP. But the firewall needs IP addresses, not host names. To accommodate both, set up DHCP reservations so your server or servers always get the same IP address. It’s handy to be able to manage all of your IP addresses in one place.

First, find the MAC address, hostname and IP address of the computer you want to get the same IP address every time. Navigate to Status, LAN and scroll down to Active Clients to find them.

Enter DHCP reservations, also sometimes called static leases, here on the DD-WRT Services tab.

Navigate to Services, then to Services and scroll down to DHCP Server. Click Add, then fill in the MAC address, hostname and IP address of the computer you want to get the same IP address every time. You don’t have to do this for all your computers, just the ones you want to let talk through the firewall.

And that’s really all you need for a basic DD-WRT firewall. You can get a lot fancier if you want, but it’s best to start simple first, then build up.

Further reading

Now that you have your firewall configured, please see my guide for securely configuring the rest of DD-WRT. If you need a new router, here’s some advice on finding new DD-WRT compatible routers. You can also use DD-WRT as a network print server for an inexpensive USB printer without network capability.

If you found this post informative or helpful, please share it!
%d bloggers like this: