[lug] DD-WRT, was Re: network question - pfsense, dd-wrt, etc

Maxwell Spangler lists at maxwellspangler.com
Thu Jul 16 14:33:03 MDT 2020


Hi,

Just thought I'd share an opinion of DD-WRT.

In the past, when consumer devices were most definitely missing
features, I thought DD-WRT was a great idea.

But after having bought about 8 used consumer routers at thrift stores
and experimented with DD-WRT, I'd summarize my experience as:

* Bricked about 15-20% of them.  Explored using serial io pins to
recover them and... that seems like a waste of time these days.
* Upgrading to an initial version or a new version always seems like an
adventure with great risk. There isn't any good way to tell what's
stable, tested and supported.  If you're into the adventure, great, but
not me, not anymore.
* One key area where DD-WRT seems to be falling behind is the ability
to use a smartphone to monitor it with a dashboard and optionally
configure it.  This is one of those areas where I don't *require* it,
but as more and more things allow this, I want it, then I expect it, then
I'm disappointed I don't have it.

If anyone wants to play with DD-WRT, I've got a few older Netgear units
I'd like to get rid of in the near future.  Older units with slower
processors but still quite capable.

I'm currently using a Netgear Nighthawk R7000 with DD-WRT 3.0 on it.
I'm really happy with it, but my key area of concern is the lack of a
confident way to upgrade to a newer, stable release to protect against
any security issues.

Thoughts, anyone?

On Wed, 2020-07-15 at 11:03 -0600, Bear Giles wrote:
> This might be too much of a niche question but I thought I would
> start here. If nothing else it might give people some ideas.
> 
> My current network setup uses DD-WRT. Well, it will soon... my old
> router had Sudden Death Syndrome and, based on recent painful
> experiences, I bought two replacements. I'm using one and plan to put
> DD-WRT on the second then swap it for the first. If something breaks
> I can always swap the first router back in and regain network
> connectivity. They're identical models so I don't have to worry about
> hardware limitations forcing me to make changes.
> 
> I've also been planning to set up a physical firewall - I have a dual
> NIC system for this purpose. It's not very powerful but should be
> able to do the job. It looks like pfSense is the best choice for
> this. That's actually a FreeBSD derivative but it's common for Linux
> systems to run it within a virtual machine but I'll probably install
> it directly on the hardware.
> 
> I think pfSense can also support external wifi antennas - it's used
> in offices and such where you might have a dozen antennas scattered
> throughout the room. It could replace my DD-WRT router if I sprang
> for those antennas... maybe next time.
> 
> The ultimate goal is to have four network segments:
> 
>  - mobile
>  - IoT 1 - devices accessed from mobile devices
>  - IoT 2 - devices not accessed from mobile devices, e.g., Rokus
>  - "wired" - which ironically has a few wireless components (work
> laptop, Linux desktop downstairs, Raspberry Pis)
> 
> The "wired" and "IoT 2" should be completely isolated.
> 
> The mobile and IoT-1 should have some interactions.
> 
> I want to be able to keep a close eye on what the IoT devices send
> and receive.
> 
> Many people also want a "kids" or "guest" segment. There would be
> similar issues on deciding who gets what access to the other
> resources.
> 
> My question is whether anyone has set up this combination and, if so,
> how did they configure it. There are two obvious places to put it -
> either between my cable modem and router or between my router and
> switch. In the first case I'll have to reconfigure the router as just
> an access point (I think) and handle all of the actual routing in
> pfSense. Otherwise I won't be able to access it to configure and
> monitor it. In the second case I can leave the router as-is and only
> use the firewall on the wired part of my network.
> 
> There's a lot more flexibility here, e.g., DD-WRT lets you specify
> routing between the SSIDs and physical network ports, or I could set
> up a second access point, but I'm not looking at that level of detail
> yet. Just a general question of whether anyone else has set up both
> DD-WRT and pfSense and which one was upstream.
> 
> BTW my standard Netgear software doesn't seem IPv6 ready but I'm
> pretty sure DD-WRT is and I know that pfSense definitely is. In fact
> I saw someone talking about getting 16 IPv6 segments, not just 1,
> from Comcast by using a simple configuration change. IPv6 can't be
> segmented so you can't partition devices like above. However with
> that change you can have separate IPv6 segments for each of the
> network segments I mentioned.
> 
> Ideas?
> 
> Thx, Bear
> 
-- 
Maxwell Spangler

===================================================================
Denver, Colorado, USA

maxwellspangler.com