Router flashing, Tomato or DD-WRT or??


Router flashing, Tomato or DD-WRT or??

Post by redlined »

Currently using an ISP modem+router combo; provider is Xfinity/Comcast and I've long ago grown tired of their management interface (which forces the user to make many settings through the Xfinity website, not a local web interface). Also going to split modem and router into separate hardware, buying a Netgear CM1000 modem to deal with Xfinity. Still undecided on the best router approach though.

and.. I want open firmware for managing the router. As with many things searched for on the internet one result is often simple information overload... and this topic is no exception :shock:

(so I come here to solicit your reviews, experiences and preferences!). The actual act of flashing the router is not a primary concern (i.e. bricking it) as I lean towards getting a current model router pre-flashed; if you have recommendations for suppliers of such I'd also appreciate them.

Basically I want network security and privacy foremost. Simple SPI firewall/iptables access and adjusting is needed, as is logging in great detail if desired. OpenVPN is a must and DoH DNS is required (although the latter can be accomplished on each client using dnscrypt-proxy). I'm also looking at the newer WireGuard protocol but think that is outside the scope of this search for flashed firmware unless I'm missing seeing it implemented in the open firmwares. Also considering setting up a Streisand server locally once I get my modern laptop repaired and running as my main daily use, and use the old laptop for Streisand.

Otherwise, interconnectivity for a minimum of a dozen connected devices: 3 LM19 laptops, 1 Win10 laptop (new roommate is warming to Mint though! ;), 1 dual-boot LM19/Win7 desktop, 3 Android cell phones, an HP OfficeJet Pro printer and a NAS solution I'm also currently in the market for. Two of the laptops (and the cell phones) will use wifi; it's an older house (1950s built) and a little over 1000sf. None of us are avid gamers, however VoIP and high quality video streaming are necessary. Dynamic DNS and advanced port-forwarding are wanted.

Your thoughts and experiences appreciated!
Re: Router flashing, Tomato or DD-WRT or??

Post by Portreve »

I'll be happy to give my opinion, but I want to start off with something that's factual and common sense...

Not all routers are supported (or necessarily supportable) by these Linux-based community firmware. Also, not all hardware is created equal, and so it is absolutely in your best interest to do research first to make sure you own hardware worth using, and also worth putting either DD-WRT or Tomato on.

I have only used DD-WRT. I used to own a Buffalo B/G router (obviously pretty dated by today's standards) and I had at one point tried Tomato, but it was really too demanding on it. I also was not really much of a fan of Tomato's UI.

I don't know if DD-WRT is really quite as active as it used to be, so I will leave it to others who are more familiar with such matters to comment.

I've always loved DD-WRT, in all of its various aspects. It ran the doors off of any proprietary firmware I've used, it has such a professional and elegant interface, and frankly it was wonderful to have access to the extra features it brings to otherwise nerfed firmware-driven hardware.

Re: Router flashing, Tomato or DD-WRT or??

Post by majpooper »

Portreve wrote: Thu Nov 08, 2018 6:22 pm
I'll be happy to give my opinion, but I want to start off with something that's factual and common sense...

Not all routers are supported (or necessarily supportable) by these Linux-based community firmware. Also, not all hardware is created equal, and so it is absolutely in your best interest to do research first to make sure you own hardware worth using, and also worth putting either DD-WRT or Tomato on.

I have only used DD-WRT. I used to own a Buffalo B/G router (obviously pretty dated by today's standards) and I had at one point tried Tomato, but it was really too demanding on it. I also was not really much of a fan of Tomato's UI.

I don't know if DD-WRT is really quite as active as it used to be, so I will leave it to others who are more familiar with such matters to comment.

I've always loved DD-WRT, in all of its various aspects. It ran the doors off of any proprietary firmware I've used, it has such a professional and elegant interface, and frankly it was wonderful to have access to the extra features it brings to otherwise nerfed firmware-driven hardware.

First of all I want to acknowledge what Portreve says here is good stuff and spot on. As well there are a ton of ways to "skin this cat" and I am sure there are a ton of opinions. With all that said I will simply share my experience and what works well for me in accomplishing many of the objectives we have in common.

First I employ a Y router configuration for security - this means I have an "edge" router facing the ISP modem. Behind the edge router I have a wireless router (obviously for the wireless stuff like guests and iPhones etc.) and a separate wired router for my PCs, Rokus, printer, VoIP etc. Three routers in all. I installed dd-wrt on an old Linksys wireless router - this was no small feat (it literally took days) and I would not do it again - and didn't - for my edge router I bought a brand new Linksys WRT router that was made to easily install dd-wrt and turned off the wireless/guest functions.

I also employ a PiHole server (an old Lenovo laptop running LMDE3) to handle DNS and utilise dnssec and DoH (which uses CloudFlare DNS servers) options. Probably overkill . . . well not probably. Of course it goes without saying that it is important to configure the routers with security in mind - turn off UPnP on the WAN side and remote access, keep the firmware updated and so on.

My routers help provide defence in depth and the PiHole privacy.

Re: Router flashing, Tomato or DD-WRT or??

Post by redlined »

Thank you Portreve, a decade back was when I last ventured into router flashing on a Linksys using DD-WRT and as you mention I do recall the simple and clean interface. It was a good experience then and they are still quite active so that's looking good.

majpooper, thank you for the description of your setup. I was considering using my old laptop in a similar 'edge' setting and have been salivating over the Streisand server since coming across it a couple days ago. I had not heard of PiHole server though so am looking at that since Streisand doesn't incorporate dnscrypt or any DoH function and that is one recent addition to my security profile I will not downgrade. PiHole may be the better route (for noob me, for now) than trying to sort how to get something like dnscrypt+unbound Docker container set and running with Streisand. What I'm not finding on PiHole is its (native?) support for dnssec and DoH, actually not finding a solid list of features so far :? It does look very comparable with current used dnscrypt-proxy and custom blacklist generated with dev's script mentioned here

Definitely have more reading to do on all this, besides stumbling across OpenWRT, also very active with added benefit of no closed/proprietary stuff as harder look at DD-WRT and Tomato has...ugh, gotta get it sorted before black friday sales :mrgreen:

Re: Router flashing, Tomato or DD-WRT or??

Post by redlined »

Found PiHole how-to's on discourse

making progress 8)

thinking about getting a rPI device and put that as first hop from modem/WAN gateway, then laptop serving Streisand (the thought is too appealing :D), then add a switch for hard wired and wifi router Openwrt flashed for the rest (looking at refurb/restocks of zyxel nbg6817). Then if I need a fast bypass for ad blocker (pihole/dnscrypt-proxy) I can manual cord swap out of device and into laptop direct. One thing I realized is DoH will need to run from same hardware as pihole/unbound/whatever local DNS is running, if not then the adblocking will fail as it is a blacklist/sinkhole block (redirected to 127.0.0.1 as IP address resolved) - since dnscrypt-proxy is a full https protocol wrapper then the ad filtering cannot happen, it's all encrypted from local proxy to remote DNS, correct?

thanks again majp for opening this door! :D

Re: Router flashing, Tomato or DD-WRT or??

Post by GS3 »

It must have been a decade ago that I messed around with DD-WRT and I don't remember much. It worked but I never stuck with it. I have some vague memory of bricking some device.

I also messed for a while with pfsense which turns a pc into a router/firewall. It has more capabilities than DD-WRT, obviously, but I never really needed that much. But if you want something really powerful then pfsense might be worth a try.

Re: Router flashing, Tomato or DD-WRT or??

Post by redlined »

GS3 wrote: Fri Nov 09, 2018 1:33 pm
I also messed for a while with pfsense which turns a pc into a router/firewall. It has more capabilities than DD-WRT, obviously, but I never really needed that much. But if you want something really powerful then pfsense might be worth a try.

Hi GS3!

Thank you for your response! I like what I see and can imagine it would be a FreeBSD journey much like my journey so far into Linux, new, exciting and at times intimidating and terminally intense... but I like what I read on it, looks very thoroughly documented and uses a web interface! I also see I can get dnscrypt-proxy to run on it covering my desire/requirement for DoH, very cool... also see that their packages include a function (pfBlocker-NG) like pihole, which I'm really growing fond of that concept versus browser addons, modified hosts files and/or blacklist management that up to now has been a headache.

This will help me in considering features of routers as well, if I can offload all the heavy processing stuff (e.g. packet inspection, filtering, encryption etc) to a PC with as good or better proc/ram then it may be better to simply use pfsense at WAN gateway and drop a switch and wifi AP on the LAN side.

Re: Router flashing, Tomato or DD-WRT or??

Post by GS3 »

A friend of mine was in charge of the homeowner's association swimming pool and he mentioned it would be nice to have WiFi access at the pool so we took an unused PC and I configured pfsense. Some things I remember: We set up a captive portal so people in the pool needed to get a password but people nearby could not use the WiFi. Time and bandwidth were limited. Also the WAN side had two connections with load balancing. I played around with it for one summer and then forgot everything I learned but it seemed very powerful. We used an unused PC but I suppose that for serious bandwidth and complex processing you might need a more powerful machine. I am thinking of a major business setup.

I also wanted to set up a VPN at the router but I don't remember getting very far at all with that. I always wanted to set up a VPN server at the router level, not at the machine level.

Re: Router flashing, Tomato or DD-WRT or??

Post by redlined »

Yeah, VPN at router (LAN to WAN gateway) is what I primarily want, everything leaving my home network encrypted, hence the search for open firmwares and (other) options. I hadn't put much thought into using a dedicated PC to do this until majpooper mentioned pihole but the doors opened wide when considering saving workstation and even router managing all the various filtering and encrypting tasks - it sure would make this old laptop I now run LM19 on run much smoother!

About your experience with pfsense, how did you create the wifi access point? Additional hardware attached to that PC or?

Re: Router flashing, Tomato or DD-WRT or??

Post by GS3 »

The pfsense router was located in the gym room and the access point was located outside and around a corner so I just ran Ethernet cable to the access point. For access point I had and have and tested several dedicated devices but most of the time I used and use just any old WiFi router that I use just as AP. I must have 15~20 of them unused and it's always good to find use for one of them.

I also remember playing a bit with power over Ethernet but never got really far. Just proved that it could be done.

I remember having to add several PCI Ethernet cards to the PC. I vaguely recall the on-board Ethernet port was not working right and I had one port for the LAN WiFi AP and two Ethernet ports for the WAN side, one went direct to a router and the other one to another router through WiFi. So this router's WAN sides were not directly the internet but other router's LAN. I hope that makes sense.

Re: Router flashing, Tomato or DD-WRT or??

Post by redlined »

GS3, yes that makes sense, albeit a bit complicated for my vision of this mess I'm about to create :D However, it has helped as I now (re)consider flashing an old Linksys router I have instead of looking to buy bigger/better/faster/more stuff I don't need, especially since I have old laptops I can use for the heavy work I want done in the network security and privacy realm. I'm liking this path forward even more!

Re: Router flashing, Tomato or DD-WRT or??

Post by GS3 »

I bricked a Linksys router trying to DD-WRT it. I kept it for some time with the hope that I might be able to unbrick it but I finally tossed it after some time when it became clear I was never going to dedicate the effort. Since then I am reluctant to flash firmware.

I later bought a similar model with DD-WRT already installed and I used it for some time.

Then I discovered pfsense and played with that. Using a desktop machine meant I could add the additional Ethernet ports which I could not do in a laptop. One issue you might want to take into account is that a Linksys router uses only a fraction of the power of a full desktop computer.

At first I had a monitor and keyboard connected to the pfsense router but later I would access it remotely via the network.

Re: Router flashing, Tomato or DD-WRT or??

Post by majpooper »

I used to run dnscrypt on each machine and was happy with it. I also run a VPN (PrivateTunnel) on each machine. VPNs can be finicky as to how they handle DNS but PrivateTunnel does not interfere and only uses their DNS resolvers if you don't configure anyone else's anywhere - so that is a plus. When I discovered PiHole I found plenty of info on how to configure dnscrypt on PiHole - just google "pihole dnscrypt". Not hard to do at all.

I played with PiHole on a VM - PiHole will run on any Debian-based OS. Then I learned about unbound and gave that a try through my VPN - worked OK as well. But I finally settled on DoH - the caveat is DoH on PiHole uses Cloudflare (1.1.1.1) DNS servers. Since I like the work CloudFlare does I am happy with them - but I understand that who you pick for your DNS resolver is a personal choice. DoH on PiHole is pretty simple to configure as well - so is PiHole for that matter.
https://docs.pi-hole.net/guides/dns-over-https/

The last thing is DNSSEC is simply a DNS setting in PiHole.
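
Added example (not part of any post in this thread, and not Pi-hole or dnscrypt-proxy code): a minimal Python model of the sinkhole-then-encrypted-upstream chain discussed above, showing that blocklist filtering acts on the plaintext query at the local resolver and only unblocked names are handed to the encrypted hop. The blocklist, names, addresses and the `FakeDohUpstream` stand-in are constructed for illustration.

```python
# Constructed hosts-format blocklist (sample data, not a real list).
BLOCKLIST_TEXT = """\
# comment line
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # inline comment
127.0.0.1 localhost
"""
SINKHOLE = "0.0.0.0"  # address returned for blocked names

def parse_blocklist(text):
    """Return the set of blocked names from hosts-format text."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:          # fields[0] is the sinkhole address
            if name.lower() != "localhost":
                blocked.add(name.lower().rstrip("."))
    return blocked

def is_blocked(qname, blocked):
    """True if the name or any parent domain is listed (a choice made in this example)."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

class FakeDohUpstream:
    """Stand-in for the encrypted upstream hop; records every name it is asked."""
    def __init__(self, answers):
        self.answers, self.seen = answers, []
    def __call__(self, qname):
        self.seen.append(qname)
        return self.answers.get(qname, "192.0.2.1")  # TEST-NET-1 placeholder

class FilteringResolver:
    """Local resolver: consult the blocklist first, forward only what is left."""
    def __init__(self, blocked, upstream):
        self.blocked, self.upstream, self.log = blocked, upstream, []
    def resolve(self, qname):
        if is_blocked(qname, self.blocked):
            self.log.append((qname, "blocked"))
            return SINKHOLE              # answered locally; never reaches upstream
        self.log.append((qname, "forwarded"))
        return self.upstream(qname)      # only now would the query be wrapped in HTTPS

def demo():
    upstream = FakeDohUpstream({"linuxmint.com": "192.0.2.10"})
    resolver = FilteringResolver(parse_blocklist(BLOCKLIST_TEXT), upstream)
    names = ["linuxmint.com", "ads.example.net", "cdn.tracker.example.org"]
    return {n: resolver.resolve(n) for n in names}, upstream.seen, resolver.log

if __name__ == "__main__":
    print(demo())
```

The resolver's `log` doubles as a query log: a client that bypasses the local resolver and talks to an encrypted upstream directly would leave no entries there, which is the case worth watching for.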

Re: Router flashing, Tomato or DD-WRT or??

Post by redlined »

majpooper, thank you for that link - I am sold on PiHole and now seek a solution where I can run a distro that will allow me to offload the heavy processing stuff like filtering/black-white listing, ad blocking, packet inspection, encrypt LAN traffic, DoH and VPN to reduce processor and ram requirements on each individual component on the network. And I think I found the perfect thing MBM2!!! (thanks to forum user mention, I had never heard of the devices before! :D)

GS3, I am now leaning towards MBM2 (link above) which, amongst many cool options can be Power over Ethernet and otherwise has very good/low power requirements. I lean away from pfsense now and either use the MBM2 for pihole/dnscrypt-proxy and other things I'd like to do.. or get a fitlet2, get ubuntu 16.04 (iirc) on it and set Streisand up! (I'm really fascinated with Streisand at this point and this form factor looks like the perfect hardware to get that done all things considered, including a very portable package deal with great storage, wifi and even optional cellular!)

now to wait for black Friday/cyber Monday deals to roll out :mrgreen: