John's Musings

Yeah, Me Neither

Router Firmware - LEDE

Well, I bought a new router and that means I've got to exploit it for all it's worth. If you have even an inkling of network security awareness you know by now that home routers are by and large insecure. Here's a good example of that. Not THREE days ago in the mail I received a shiny, new, refurbished Linksys WRT3200ACM router. State of the art, she is. One of the hottest, fastest, sexiest routers going right at the moment.

Look at what's in the news TWO days ago. Linksys router security story. Great. I had it a whole day and it's a security nightmare.

Think about this. This is the newest, biggest, and baddest router and it is about as secure as your son at Michael Jackson's Neverland Ranch.

Most of us are fairly router un-aware. We're content to use the router the cable or satellite company gives us, or at best buy a cheap router at Walmart and then jump for joy when we plug it in and it works. It's usually hidden behind the TV never to be thought of again unless it breaks. Old hardware, running old software, hooked directly to the internet. What could go wrong?

There are some things you can do to mitigate. You can secure your network with a hardware firewall. There are several Open Source solutions for doing that and this isn't the blog for that scenario. However, that being said I run a pfSense appliance as my hardware firewall. It's very geeky to set up and in fact as you configure it you can be TOO restrictive which becomes a pain as well.

To really mitigate, or to at least improve the situation you can take your fancy router and install an Open Source Firmware on it. This essentially is a new operating system for the router. By and large they are Linux based. Because they are Open Source you have a community of people looking at them and patching up holes as they find them.

If you have a fancy new router and use the manufacturer's firmware it probably has a fancy box which allows you to auto-update the firmware. And that's great right up to the point where I demonstrated above that the brand new, expensive as all get out router is basically Swiss cheese. With Open Source Firmware you're probably not going to have that fancy auto update box, nor do you want it, because sometimes in the bleeding edge world of Firmware stuff breaks.

And if you're going to mess with Open Source Firmware I recommend you have TWO routers around in case one experiences some down time.

Now I haven't painted a very rosy picture here but the reality is that if you run said Open Sourced Firmware you are going to be more secure, have way better performance and stability, and you'll have community support. Try emailing Linksys or Netgear with a problem. You'll get an immediate email letting you know you're alive and then a crap answer 2 days later written by someone that knows less about routers than you do that you'll have to follow up on.

Also with Open Source Firmware you'll have the ability to run programs that are not included in most manufacturers' firmware. Things like Ad-Blockers, OpenVPN servers, proxy servers, DNSCrypt Proxy, guest networks, use your router for Home... you name it. I didn't even get close to covering all the bases there.

Here are some firmware choices you can use (provided your hardware is compatible).

OpenWRT - The granddaddy of the Open Source Firmware world. Started in around 2004 for the Linksys WRT54G routers (which is still a huge seller by the way) and sadly now just about a dead duck.

LEDE - Based on OpenWRT. Most of the developers didn't like the direction of OpenWRT and thought it was getting too closed. So they broke off and started their own thing which I just rediscovered.

DD-WRT - probably the firmware with the best name recognition and most popularity. Probably supports a lot more routers than all the other projects put together.

AsusWRT-Merlin - based on AsusWRT stock firmware. This is an amazing firmware but of course limited to Asus hardware and is ported to a few other routers. For example I run AsusWRT-Merlin on my NetGear R7000 Nighthawk router. It's awesome.

Tomato - There are a few forks of Tomato so I won't hot link anything. Shibby Tomato was a favorite of mine in years past but it sadly seems to be a dead duck as well.

Gargoyle - I don't have much experience with Gargoyle but I see it mentioned on the Forums quite a bit.

And of course there are more, probably many more but those are the most common ones.

So I have this shiny new Linksys (which is really Belkin) WRT3200ACM router and my go-to firmware is and always has been DD-WRT. However, because this router uses a Marvell wifi chip and Marvell is NOT so much into Open Source, the wifi drivers on the Linksys WRT routers are usually CRAP for a year or so until the community hackers fix 'em up. For example I have a Linksys WRT1900ACS I got a little more than a year ago. It was a few months before DD-WRT got the drivers right. Now it just plain works, day in and day out, solid as a rock.

But the boys in OpenWRT and LEDE land always seem to compile the drivers in first before DD-WRT, so what typically would happen was I'd hear about a new driver and I'd install OpenWRT and play around with it a bit and then gravitate to DD-WRT later. Now that LEDE has spun off and I'm running a version of it I'm big time impressed with it. That is provided these wifi drivers hold up.

It's lean, mean, doesn't consume all the RAM and the LEDE developers are playing around with CPU scalability as well. They've really built a fine firmware. Right now the "Stable" branch still has the buggy wifi drivers in it but that will change soon and then I'll deploy this router as my main device.

One of the great tricks LEDE has is that I can change the power setting in the WiFi output. Yep, more power. More coverage. Because I am running behind a hardware firewall all I really need is a router that is:

a) Powerful

b) Stable

c) Fast

I don't require any other widgets. I do all my Ad Blocking, Firewalling and VPN servers on my hardware firewall appliance. Here's a peek at the interface.

Simplistic. Not a lot of bells and whistles (although there are LEDE builds that have them). I end up getting EXACTLY what I need here. No more, and no less.

ME: Hardware Firewall to LEDE router which is secure

YOU: Cable modem to 5 year old router you've never updated.

Which one of us best stands a chance of not seeing our taxes on The Rachel Maddow Show?

Okay, here's how I did it, and bear in mind I'm running a Development snapshot because of those drivers. With the "Stable" version you just flash it from your Linksys firmware: select the file and then flash. LEDE has a graphical interface, viewed in a browser, called LuCI.

The development snapshots don't gotta no LuCI (said in your best Ricky Ricardo voice). If you don't know who Ricky Ricardo or "Lucy" is just please leave now and never try to run Open Sourced Firmware.

Navigate to this page and download this file:

Make sure to get the squashfs-factory image file.

Now flash it from your Linksys firmware updater.

Once you flash it, open a terminal or PuTTY program and (in Mac OS X) type:

ssh -l root

You may need to adjust your IP address but the initial flash I believe always turns the router into

Once you get in it will bark at you for not having a password set. Just press on quickly.

At your terminal prompt run the following 4 commands, one at a time, and yes, you must be hooked to the internet.

opkg update

opkg install luci

/etc/init.d/uhttpd start

/etc/init.d/uhttpd enable

Reboot, and then point your browser to and Bob's your Uncle.
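As an added example, not from the original post: a POSIX shell script run from your workstation that sends the four commands above to the router in one ssh session and then checks two things the post touches on, that root really has a password (the warning you get at login) and that the luci package actually landed. ROUTER_IP is an assumed variable you set to whatever address the freshly flashed router answered on; the shadow and opkg lines in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not the post's own script. Runs the post's four commands over
# ssh on a freshly flashed LEDE snapshot, then checks root's password and luci.
# ROUTER_IP is an assumed variable: the address the flashed router answered on.

# Return 0 if the root line from /etc/shadow carries a real password hash.
# An empty second field is what triggers the "no password set" warning at login;
# "!" or "*" means the account is locked, which is not a usable password either.
# Constructed sample of the unset case: 'root::0:0:99999:7:::'
root_password_is_set() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        ''|'!'|'*') return 1 ;;
        *)          return 0 ;;
    esac
}

# Return 0 if "opkg list-installed" output (passed as one string) lists luci
# itself. opkg prints one "name - version" line per package, so match "luci - "
# exactly rather than "luci", which would also hit luci-base, luci-app-*, etc.
luci_installed() {
    printf '%s\n' "$1" | grep -q '^luci - '
}

# The command sequence from the post, emitted as a script so one ssh session
# runs all of it in order and stops at the first failure.
remote_install_script() {
    printf '%s\n' 'set -e' 'opkg update' 'opkg install luci' \
        '/etc/init.d/uhttpd start' '/etc/init.d/uhttpd enable'
}

# Install LuCI on the router and report both checks. Needs a reachable router.
install_and_check() {
    : "${ROUTER_IP:?set ROUTER_IP to the address the flashed router answers on}"
    remote_install_script | ssh -l root "$ROUTER_IP" sh
    shadow=$(ssh -l root "$ROUTER_IP" 'grep ^root: /etc/shadow')
    if root_password_is_set "$shadow"; then
        echo "root password: set"
    else
        echo "root password: NOT set, run: ssh -l root $ROUTER_IP passwd"
    fi
    pkgs=$(ssh -l root "$ROUTER_IP" 'opkg list-installed')
    if luci_installed "$pkgs"; then echo "luci: installed"; else echo "luci: missing"; fi
}

# Only touch the router when invoked as: ROUTER_IP=... sh lede-luci.sh run
if [ "${1:-}" = run ]; then
    install_and_check
fi
```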

I think by and large though, for a home router that you want wicked stability on, you want to only run the stable releases. However I'm stuck between a rock and an unstable place because of the Marvell Wifi driver issue (which will be resolved soon, you'll see). In fact the super geeks are getting much closer to solving this problem. I'd estimate a couple more weeks and it'll be resolved.

Power. Stability. Speed. Reliability. AND SECURITY.
