In this post I explain why I recently chose to leave DD-WRT and instead opt for ASUSWRT.
First, DD-WRT (http://www.dd-wrt.com) is an alternative firmware for many routers. It offers many features and benefits over the manufacturer firmware that ships with routers. I’ve run DD-WRT on my primary router for the past 5+ years with a great deal of satisfaction in both features and performance.
Some of the key features I use:
- DHCP: This standard router feature leases hosts on the network an IP address for a period of time. It tracks which host has which address and handles renewals when leases expire.
- Local DNS: This gives the ability to look up local hosts on the network by name rather than by IP address. The DD-WRT implementation (dnsmasq) integrates with DHCP, so names can be looked up without maintaining a manual table. This was the number one reason I went to DD-WRT.
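To make the DHCP/DNS integration concrete, here is an added example (not from the original post, and not DD-WRT’s own code) showing a minimal dnsmasq configuration and a shell function that reads the lease table the same way dnsmasq does when it answers a name lookup. The domain name, address range and the lease entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: how dnsmasq ties DHCP leases to local DNS.
# The config fragment is a typical dnsmasq setup; the domain, the address
# range and the sample lease file are assumptions made for illustration.

# 1. Config: with these options every DHCP client that sends a hostname
#    becomes resolvable as <hostname>.home.lan with no manual hosts table.
dnsmasq_config() {
  cat <<'EOF'
domain=home.lan
expand-hosts
local=/home.lan/
dhcp-range=192.168.10.100,192.168.10.199,12h
# static reservation: fixed address and name for a known device
dhcp-host=00:11:22:33:44:55,nas,192.168.10.20
EOF
}

# 2. Lease table: dnsmasq records each lease as
#    "<expiry-epoch> <mac> <ip> <hostname> <client-id>" in its leases file.
#    Constructed sample data (the third client sent no hostname):
SAMPLE_LEASES='1430000000 00:11:22:33:44:55 192.168.10.20 nas 01:00:11:22:33:44:55
1430003600 aa:bb:cc:dd:ee:01 192.168.10.101 laptop *
1430003600 aa:bb:cc:dd:ee:02 192.168.10.102 * *'

# lease_lookup NAME FILE: print the IP currently leased to NAME, exit 1 if none.
# Clients that sent no hostname appear as "*" and are not resolvable by name,
# which is the usual reason a device "cannot be found" on a dnsmasq network.
lease_lookup() {
  name=$1
  file=$2
  awk -v n="$name" '$4 == n && n != "*" { print $3; found=1; exit } END { exit !found }' "$file"
}

# Demo run on the constructed lease file:
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_LEASES" > "$demo_file"
lease_lookup laptop "$demo_file"     # prints 192.168.10.101
lease_lookup nas "$demo_file"        # prints 192.168.10.20
lease_lookup printer "$demo_file" || echo "printer: no lease, not resolvable by name"
```

The point for a home network: the reservation in `dhcp-host` gives the NAS a stable name and address, while everything else is named automatically from whatever hostname the client supplies, so a device that never sends one (the `*` row) is exactly the one you end up having to reach by address.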
- VPN: Many routers offer Virtual Private Networking. With a VPN a secure connection can be made to the router from anywhere with Internet access, such as a hotel. Think of it as a secure route to your home network. DD-WRT was no exception, and it allowed multiple VPN sessions whereas many routers only allow one. I only need one at any given time, so the number supported isn’t a big deal.
- QOS: Quality of Service is not something all routers offer. With QOS individual hosts can be given different priorities for the available WAN bandwidth. In addition to hosts, network protocols can be prioritized as well. This is especially useful for deprioritizing peer-to-peer (P2P) traffic such as BitTorrent if needed, or prioritizing voice over IP (VOIP) traffic.
- Filtering: Filtering gives the ability to block access to sites containing certain words in their body content or URL. It can also be used to completely block certain traffic such as P2P. DD-WRT allows these rules to be applied to address ranges. I had a range for devices I own and a range for guest devices (managed through DHCP reservations). The guest devices had all P2P traffic blocked.
- DDNS: DDNS is Dynamic DNS. It lets the router send WAN IP address updates to a service provider of your choice whenever the WAN IP address changes. The service provider could be a DNS provider. For example, if you host a web site from a machine in your home, have a leased (dynamic) WAN IP address, which is the most common case, and have a domain name such as myawesomewebsitemachine.com, updating the DNS record is mandatory if you want continual access to it. In my case I was pushing updates to DNS-O-Matic (http://www.dnsomatic.com), which in turn updated OpenDNS (http://www.opendns.com) so my content filtering continued to abide by my rule definitions (since it’s based on matching the incoming WAN IP).
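The update loop a router’s DDNS client performs can be shown in a few lines of shell. This is an added example, not from the post and not DD-WRT’s or ASUSWRT’s own client: the provider endpoint, the all.dnsomatic.com hostname keyword and the state and credential file paths are assumptions, and the one-word replies (good, nochg, badauth, abuse, 911) follow the dyndns2 convention that DNS-O-Matic accepts, so check the provider’s documentation before relying on them.

```shell
#!/bin/sh
# Added example: the logic behind a router's DDNS client.
# Endpoint, hostname keyword and file paths are assumptions; reply words
# follow the dyndns2 convention (verify against the provider's docs).

DDNS_URL="https://updates.dnsomatic.com/nic/update"   # assumed endpoint (HTTPS only)
DDNS_HOST="all.dnsomatic.com"                          # assumed "update every service" keyword
STATE_FILE="${STATE_FILE:-/tmp/ddns.last_ip}"           # last address we pushed
CRED_FILE="${CRED_FILE:-/etc/ddns.netrc}"               # netrc format, mode 0600:
                                                        #   machine updates.dnsomatic.com login USER password PASS

# ip_changed IP: true only when IP differs from the last pushed address.
# Re-pushing an unchanged address is what gets a client flagged as abusive.
ip_changed() {
  [ "$(cat "$STATE_FILE" 2>/dev/null)" != "$1" ]
}

# Build the dyndns2-style update URL. Credentials are never put in the URL:
# they ride in the basic-auth header so they don't end up in proxy/router logs.
build_update_url() {
  printf '%s?hostname=%s&myip=%s\n' "$DDNS_URL" "$DDNS_HOST" "$1"
}

# classify_response TEXT: map the provider's one-line reply to an outcome.
classify_response() {
  case "$1" in
    good*)   echo updated ;;
    nochg*)  echo unchanged ;;
    badauth) echo auth_error ;;
    abuse)   echo blocked ;;
    911)     echo provider_error ;;
    *)       echo unknown ;;
  esac
}

# push_update IP: contact the provider only when the address really changed,
# and record the address only when the provider confirms it.
push_update() {
  ip=$1
  ip_changed "$ip" || { echo unchanged; return 0; }
  reply=$(curl -sS -A "ddns-example/1.0" --netrc-file "$CRED_FILE" \
               "$(build_update_url "$ip")") || return 1
  result=$(classify_response "$reply")
  if [ "$result" = updated ] || [ "$result" = unchanged ]; then
    printf '%s\n' "$ip" > "$STATE_FILE"
  fi
  echo "$result"
}

# Offline demo on constructed replies (push_update itself needs the network):
classify_response 'good 203.0.113.6'    # prints updated
classify_response 'nochg 203.0.113.6'   # prints unchanged
classify_response 'badauth'             # prints auth_error
```

Two details matter more than the HTTP call: the change check keeps the router from hammering the provider every few minutes, and keeping the login in a 0600 netrc file rather than on the command line or in the URL keeps it out of process listings and logs, which on a router are often world-readable.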
- Traffic Monitor: This gives the ability to see how much bandwidth is being sent in and out of the WAN connection. Initially I was using this to monitor monthly usage, as my ISP had set a usage cap. Later it just became trivia to get an idea of household usage.
So why would I want to leave?
DD-WRT is actively being updated to add features and provide security fixes. But… there’s always a but. As router hardware gets older it sees fewer and fewer updates in favor of newer hardware. There are exceptions to that. In my case I am using an ASUS RT-N16 router. In the entire time I was running DD-WRT, there was one update, and that update was in 2010.
My DD-WRT firmware was almost 5 years old. In the last year there have been several security issues surrounding VPN. I don’t use VPN often, but when I do I want it to be secure. The last time I used it was April 2015, and I was nervous leaving it on for the duration I needed it.
I started looking at updates for DD-WRT and found there may be one, but figuring out which firmware to use and where to get it was proving to be a difficult task, harder than it needs to be (links to links to links from the main DD-WRT site, maintained by users known only by handles). For me it boiled down to a matter of trust at that point: how do I know there was no backdoor embedded or other malicious code added?
What did I switch to?
I looked at some alternatives like Tomato (http://www.polarcloud.com/tomato) and OpenWRT (https://openwrt.org), but ultimately decided to use ASUS’ own firmware. The firmware ASUS initially shipped on the RT-N16 was not the greatest. If I recall correctly it was a 1.x version the last time I looked at it. I also have an ASUS RT-N66U which serves as an access point. I’ve seen their latest interface and have been happy with it and the updates it receives. I looked at their latest offering for the RT-N16, which is now called ASUSWRT, and found that it is actively being updated and has basically the same version as the RT-N66U. I chose this as my first option. If I don’t like it in the long run, I’ll look at OpenWRT, since it appears to be actively updated on the RT-N16 as well.
What is missing?
Of all the features of DD-WRT that I was using, the only one not included in the current ASUSWRT firmware is local DNS. This was the primary reason I went to DD-WRT. I thought about how often I actually reference another machine by name versus a bookmark or other predefined link. As it turns out, it’s not that often. Thus, I committed to ASUSWRT.
How did I convert?
- I backed up the DD-WRT configuration to a file. I also printed (to PDF) the contents of each of the interface configuration pages for reference.
- I logged into the router using the command line and executed “erase nvram”.
- I then used DD-WRT’s firmware update page to load the ASUSWRT firmware. On completion, the router reboots itself.
- When it came back up, I renewed the DHCP lease on my computer so it could communicate with the router again, since the router’s primary address and subnet had changed.
- I logged into ASUSWRT, reset the router to factory defaults, and rebooted again.
- This time when it was back up, I logged into ASUSWRT and immediately changed the router’s primary address and subnet, then rebooted again.
- I renewed the lease on my computer again so I could communicate with the router, since the address and subnet had changed again.
- I logged into ASUSWRT again, then went through all the settings and configured what I needed.
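The trust question raised earlier (how do I know the image I am about to flash is the one the vendor built?) and the backup step at the top of this list can both be handled from the router’s shell before anything is erased. The script below is an added example, not part of the post and not a DD-WRT or ASUS tool; the firmware path, the backup path and the expected hash are placeholders, and the hash must come from the vendor’s download page rather than from the mirror that served the image.

```shell
#!/bin/sh
# Added example: pre-flash checks. Paths and the expected hash are
# placeholders; obtain the reference hash from the vendor's own site.

# verify_image FILE EXPECTED_SHA256: succeed only if the image hashes as expected.
verify_image() {
  actual=$(sha256sum "$1" | awk '{print $1}')
  [ "$actual" = "$2" ]
}

# backup_nvram OUTFILE: dump the router's settings before "erase nvram".
# Assumption: run on the router itself, where the nvram tool exists
# (DD-WRT on Broadcom hardware such as the RT-N16).
backup_nvram() {
  command -v nvram >/dev/null 2>&1 || {
    echo "nvram tool not found; run this on the router" >&2
    return 1
  }
  nvram show > "$1" 2>/dev/null
}

# preflight IMAGE EXPECTED_SHA256 BACKUP: refuse to go further unless the
# image is verified and the settings are saved.
preflight() {
  verify_image "$1" "$2" || { echo "hash mismatch: do not flash $1" >&2; return 1; }
  backup_nvram "$3" || return 1
  echo "ok: image verified and settings saved to $3"
}

# Usage on the router (placeholders, not real file names or hashes):
#   preflight /tmp/firmware.trx <sha256 from vendor download page> /tmp/nvram-before-flash.txt
```

A mismatch here does not tell you the image is malicious, only that it is not the file the vendor published, which is the thing you actually want to know before handing it to the flash routine; if the vendor publishes no hash, a TLS download from the vendor’s own domain is the fallback, and an image passed around through third-party links is exactly the case the hash check exists for.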
What did I end up with?
DHCP: A given, standard feature of all routers.
VPN: Not as robust as the DD-WRT solution which supports multiple connections, but it is current and secure and supports the single connection I need from time to time.
QOS: Ability to prioritize different traffic on the network by protocol or host.
Filtering: Ability to filter (block) websites based on content or URL.
DDNS: Ability to update external DNS or other services with the local WAN IP address when it changes.
Traffic Monitor: Ability to see traffic patterns on the network. This screenshot shows the first day of usage:
+ Labeled QOS Entries: This was a pleasant bonus. In DD-WRT, QOS entries are listed as MAC addresses only (no names), so you need a cross-reference table to identify which device is which. Having names makes it simple to see the Ooma VOIP phone and quickly set it to the highest priority. There are 5 priorities: Highest, High, Medium, Low, and Lowest.
+ QOS Tuning: ASUSWRT gives the ability to tune the QOS priorities to bandwidth specifications you want for both upload and download. All devices on my network are accounted for and given priorities from Highest to Medium. Guest traffic will land on Low by default thanks to the next item (Unmatched QOS). In this screenshot you can see I gave Low and Lowest extremely tight limits:
+ Unmatched QOS: Unmatched QOS traffic is automatically mapped to the “Low” setting. You don’t have to worry about a non-accounted for device sucking up all the bandwidth.
+ The GUI interface is a lot nicer to look at than DD-WRT’s. I like the status screen in particular:
After the first two days I only ran into one instance where I tried to reference a device on the network by name. Losing local DNS has had minimal impact. If it becomes too much of a problem I may look at enabling DNS on the Synology NAS.
The only complaint I have is that even though the wireless is turned off, it still shows the SSID.
There is also a modified version of ASUSWRT called “ASUSWRT-Merlin” (http://asuswrt.lostrealm.ca) that adds many features. I may look at this in the future should I replace the RT-N16.
Your comments here are excellent. I am coming at this from the other direction… I am running ASUSWRT-merlin and was considering DD-WRT in order to gain some additional DNS features. But, after reading your remarks, I’ve decided to stay put. I have been running the merlin firmware for a couple of years now and am extremely happy with it. The local DNS server support is very good for most stuff, but lacks a few features of a “real” DNS server like round robin, aliasing, etc. and I was curious if I could get those from DD-WRT. As you point out… I don’t really need these things very often, and moving to a system that has so few/infrequent updates for my hardware (ASUS RT-N66R) is a real concern.
The maintainer of the Merlin firmware has been very responsive to problems that have arisen in the past couple of years, providing updates very promptly in the wake of various vulnerabilities as they have been announced. My only concern has been that the package seems to be maintained by one guy out of the goodness of his heart. I fear that he may eventually lose interest or life may take him in another direction leaving the product with support that is not as excellent as it has been so far.
For years, I ran a standalone Linux box hosting my DNS/DHCP, etc. but, recently, I’ve tried to reduce the number of systems I had to keep up all the time. By hosting this stuff on the router — along with the usual firewall, VPN, DLNA, etc. I’ve been able to collapse all of that onto the router that has to be up 24×7. Now, my workstation and PowerEdge server I use to host VMs for dev work can be brought online only when needed, or allowed to sleep/powersave. Less noise, less heat, etc. makes hosting my home lab a lot nicer.
I was looking hard at the Synology stuff before getting my ASUS router… mostly because of the options to run plugins to provide DNS. I think that overall, having a local DNS server/domain is the hardest thing to implement in a home lab and is also one of the most useful additions. I have a registered DNS domain, hosted with DirectNIC, who provides a nice virtual DNS server option on which I can do pretty much anything I need. But, this doesn’t really address my internal network needs. So, maintaining a local DNS is required for a variety of things.
The stock ASUS firmware is good, but Merlin’s enhancements have been nice to have. If I recall correctly, one of the main things that got me looking at it was the availability of an sshd. This provides a nice, lighter-weight alternative to VPN. I either ssh in to a Linux command line or “tunnel” an RDP connection back to my windows desktop, allowing me to connect remotely from virtually anywhere, while only exposing a single ssh port externally. VPN at times makes me nervous since it tends to put the entire remote system “on” my internal network. There are times when this isn’t possible (from work) or really desirable to me. Plus, I may not have an appropriate VPN client available or configured.
So, if you’ve been considering the Merlin release, I’d encourage you to give it a try if it has things you want. So far, I’ve been impressed with the package and its maintainer.
Good luck. Nice post, very helpful to me … you probably saved me a weekend setting this up, plus another weekend to tear it down and switch back, plus all the headaches in-between as I slowly came to the conclusion you did.
Gloucester, Virginia, US
I’ve been running the merlin release since I replaced my primary router. It is running very well. As you point out there are very few things missing vs. DD-WRT. Most notably is aliases. To be honest I don’t miss them. I am completely happy with the merlin solution.
I do share your concern that a single person appears to be maintaining it. That said, support is better than DD-WRT. I’ve also been running the normal ASUSWRT on my access point (separate device), and should merlin disappear, I think I can get by with ASUSWRT. Thanks for your feedback!
You can also support IPv6 using Tunnelbroker directly/easily on the router. Not critical in most cases, but provides a nice way to get some hands-on with IPv6 if your ISP doesn’t provide support yet.
Thanks, that’s good to know. I’ve been curious about this but not wanted to interfere with how things are working.
There are continuous “official” beta updates for DD-WRT available here:
They just don’t tend to make “official” releases anymore.
Except for the router I was using at the time. It was receiving no updates.