In this post I explain why I recently chose to leave DD-WRT and opt for ASUSWRT instead.
First, DD-WRT (http://www.dd-wrt.com) is an alternative firmware for many routers. It offers many features and benefits over many of the manufacturer firmwares that ship with routers. I’ve run DD-WRT on my primary router for the past 5+ years with a great deal of satisfaction in both features and performance.
Some of the key features I use:
- DHCP: This standard router feature leases hosts on the network an IP address for a period of time. It tracks which host has which address and handles renewals when the leases expire.
- Local DNS: This gives the ability to look up local hosts on the network by name rather than by IP address. The version in DD-WRT (dnsmasq) integrates with DHCP, so names can be looked up without maintaining a manual table. This was the number one reason I went to DD-WRT.
- VPN: Many routers offer Virtual Private Networking. With VPN, a secure connection can be made to the router from anywhere with Internet access, such as a hotel. Think of it as a secure route to your home network. DD-WRT was no exception. DD-WRT allowed multiple VPN sessions, whereas many routers only allow one. I only need one at any given time, so the number supported isn’t a big deal.
- QOS: Quality of Service is not something all routers offer. With QOS, individual hosts can be given different priorities for the available WAN connection bandwidth. In addition to hosts, network protocols can be prioritized as well. This is especially useful for deprioritizing peer-to-peer (P2P) traffic such as BitTorrent if needed, or prioritizing voice over IP (VOIP) traffic.
- Filtering: Filtering gives the ability to block access to sites containing certain words in their body content or URL. It can also be used to completely block certain traffic such as P2P. DD-WRT allows these rules to be applied to address ranges. I had a range for devices I own and a range for guest devices (managed through DHCP reservations). The guest devices had all P2P traffic blocked.
- DDNS: DDNS is Dynamic DNS. This allows the router to send WAN IP address updates to a service provider of your choice whenever the WAN IP address changes. The service provider could be a DNS provider. For example, if you host a web site from a machine in your home, you have a leased WAN IP address (the most common case), and you have a domain name myawesomewebsitemachine.com, updating the DNS record is mandatory if you want continual access to it. In my case I was pushing updates to DNS-O-Matic (http://www.dnsomatic.com), which in turn updated OpenDNS (http://www.opendns.com) so my content filtering continued to follow my rule definitions (OpenDNS matches rules on the incoming WAN IP address).
- Traffic Monitor: This gives the ability to see how much bandwidth is being sent in and out of the WAN connection. Initially I was using this to monitor monthly usage, as my ISP had set a usage cap. Later it just became trivia to get an idea of the household usage.
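The DDNS item above describes the router pushing its WAN IP to a provider when the address changes. As an added example that is not part of the original post, here is the core of such a client: it only contacts the provider when the WAN IP actually changed and interprets the reply. It assumes the provider speaks the common dyndns2-style protocol (replies like `good <ip>`, `nochg <ip>`, or an error word such as `badauth`); the endpoint URL and all IP addresses are constructed placeholders, not DNS-O-Matic's.

```python
"""Added example: minimal Dynamic DNS (dyndns2-style) update logic.
Endpoint, hostname and IPs below are constructed placeholders."""
import ipaddress
import re
from typing import Callable, Optional, Tuple
from urllib.parse import urlencode

UPDATE_URL = "https://update.example.invalid/nic/update"  # placeholder endpoint
# Reply codes of the dyndns2-style protocol (assumed). Anything not in
# RETRYABLE is fatal: a real client must stop rather than hammer the provider.
RETRYABLE = {"911", "dnserr"}


def build_update_url(hostname: str, ip: str) -> str:
    """Build the GET request. Credentials travel in HTTP basic auth over TLS,
    never in the URL, so they are deliberately not part of this function."""
    ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    return f"{UPDATE_URL}?{urlencode({'hostname': hostname, 'myip': ip})}"


def parse_response(body: str) -> Tuple[str, Optional[str]]:
    """Return (status, ip): 'good'/'nochg' carry the IP the provider recorded,
    any other word is an error code with no IP."""
    text = body.strip()
    m = re.fullmatch(r"(good|nochg)\s+(\d{1,3}(?:\.\d{1,3}){3})", text)
    if m:
        return m.group(1), m.group(2)
    return (text.split()[0] if text else "empty"), None


def update_if_changed(hostname: str, current_ip: str, last_ip: Optional[str],
                      send: Callable[[str], str]) -> Tuple[str, Optional[str]]:
    """One poll cycle. Returns (status, ip_to_cache). The provider is only
    contacted when the WAN IP differs from the cached one; on a fatal error the
    old cache is kept so the caller can see the code and decide what to do."""
    if current_ip == last_ip:
        return "unchanged", last_ip
    status, recorded = parse_response(send(build_update_url(hostname, current_ip)))
    if status in ("good", "nochg"):
        return status, recorded  # provider confirmed this IP; cache it
    return status, last_ip


if __name__ == "__main__":
    # Constructed stand-in for the HTTP call so the example runs offline.
    def fake_send(url: str) -> str:
        print("would GET", url)
        return "good 203.0.113.7"

    print(update_if_changed("home.example.invalid", "203.0.113.7", "198.51.100.2", fake_send))
    print(update_if_changed("home.example.invalid", "203.0.113.7", "203.0.113.7", fake_send))
```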
So why would I want to leave?
DD-WRT is actively being updated to add features and provide security fixes. But… there’s always a but. As router hardware gets older, it sees fewer and fewer updates in favor of newer hardware. There are exceptions to that. In my case I am using an ASUS RT-N16 router. In the entire time I was running DD-WRT, there was one update. And that update was in 2010.
My DD-WRT firmware was almost 5 years old. In the last year there have been several security issues surrounding VPN. I don’t use VPN often, but when I do I want it to be secure. The last time I used it was April 2015. I was nervous leaving it on for the duration I needed it.
I started looking at updates for DD-WRT and found there may be one, but figuring out which firmware and where to get it was proving to be a difficult task – harder than it needs to be (links to links to links from the main DD-WRT site, and maintained by users only known by handles). For me, it boiled down to a matter of trust at that point. How do I know there was no backdoor embedded or other malicious code added?
What did I switch to?
I looked at some alternatives like Tomato (http://www.polarcloud.com/tomato) and OpenWRT (https://openwrt.org), but ultimately decided to use ASUS’ own firmware. The firmware ASUS initially shipped on the RT-N16 was not the greatest. If I recall correctly, it was a 1.x version the last time I looked at it. I also have an ASUS RT-N66U which serves as an access point. I’ve seen their latest interface and have been happy with it and the updates it receives. I looked at their latest offering for the RT-N16, which is now called ASUSWRT, and found that it is actively being updated and has basically the same version as the RT-N66U. I chose this as my first option. If I don’t like it in the long run, I’ll look at OpenWRT, since it appears to be actively updated on the RT-N16 as well.
What is missing?
Of all the features of DD-WRT that I was using, the only feature not included in the current ASUSWRT firmware is local DNS. This was the primary reason I went to DD-WRT. I thought about how often I actually reference another machine by name, versus a bookmark or other predefined link. As it turns out, it’s not that often. Thus, I committed to ASUSWRT.
How did I convert?
- I backed up the DD-WRT configuration to a file. I also printed (to PDF) the contents of each of the interface configuration pages for reference.
- I logged into the router using the command line and executed “erase nvram”.
- I then used DD-WRT’s firmware update page to load the ASUSWRT firmware. At completion, the router reboots itself.
- When it came back up, I renewed the DHCP lease on my computer so it could communicate with the router again, since the primary router address and subnet had changed.
- I logged into ASUSWRT, used the reset-to-factory-defaults option, and rebooted again.
- This time when it was back up, I logged into ASUSWRT and immediately changed the router’s primary address and subnet. Then, again, reboot.
- I renewed the lease on my computer once more so I could communicate with the router, since the address and subnet had changed again.
- I logged into ASUSWRT again, then went through all the settings and configured what I needed.
What did I end up with?
DHCP: A given, standard feature of all routers.
VPN: Not as robust as the DD-WRT solution which supports multiple connections, but it is current and secure and supports the single connection I need from time to time.
QOS: Ability to prioritize different traffic on the network by protocol or host.
Filtering: Ability to filter (block) websites based on content or URL.
DDNS: Ability to update external DNS or other services with the local WAN IP address when it changes.
Traffic Monitor: Ability to see traffic patterns on the network. This screenshot shows the first day of usage:
+ Labeled QOS Entries: This was a pleasant bonus. In DD-WRT, QOS entries are listed as MAC addresses only (no names), so you need a cross-reference table to identify which device is which. Having names makes it simple to spot the Ooma VOIP phone and quickly set it to the highest priority. There are 5 priorities: Highest, High, Medium, Low, and Lowest.
+ QOS Tuning: ASUSWRT gives the ability to tune the QOS priorities to bandwidth specifications you want for both upload and download. All devices on my network are accounted for and given priorities from Highest to Medium. Guest traffic will land on Low by default thanks to the next item (Unmatched QOS). In this screenshot you can see I gave Low and Lowest extremely tight limits:
+ Unmatched QOS: Unmatched QOS traffic is automatically mapped to the “Low” setting. You don’t have to worry about an unaccounted-for device sucking up all the bandwidth.
+ The GUI is a lot nicer to look at than DD-WRT’s. I like the status screen in particular:
Summary
After the first two days I only ran into 1 instance where I tried to reference a device on the network by name. Losing Local DNS has had minimal impact. If it becomes too much of a problem I may look at enabling DNS on the Synology NAS.
The only complaint I have is that even though the wireless is turned off, it still shows the SSID.
There is also a modified version of ASUSWRT called “ASUSWRT-Merlin” (http://asuswrt.lostrealm.ca) that adds many features. I may look at this in the future should I replace the RT-N16.