OpenWRT Part 0 – Install and initial impressions

This was done from a Kubuntu 16.04 laptop wired directly via an Ethernet cable to the router. A VirginMedia Superhub 2 was also in play, connected to the router upstream port. The steps should be broadly similar no matter what kit you happen to have.

This post refers to the DD-WRT build supplied by Buffalo, which they have modified from stock.

Background

With two people working from home it’s imperative that the Internet never goes down. Period. This was one reason for going with VirginMedia. If you have their cables under your street and can get connected (not always true, even in major urban centres) then I really advise you to do so. In the past four years I reckon we have lost connection only a handful of times and even then, only briefly. Great service.

Irony: The morning after posting this VirginMedia had an area-wide outage. After calling them they had it resolved in ~1 hour, although I did have to cycle the Buffalo’s WAN link to bring back connectivity.

Unfortunately the modem/router VirginMedia supply is like most ISP ones, utter garbage and built to a budget. This can entail daily reboots, poor Wifi (more on that later), lacking features and just general headache. To resolve these I purchased a Buffalo WZR-HP-AG300H router and put the VirginMedia hub into modem-mode. Bliss.

Whilst I had a much more capable router (SSH access, VPN, guest networking, wake-on-lan, scripting, full-featured web interface…) the cracks began to show in DD-WRT; inability to access one’s domain LAN side, missing system logs, buggy web interface, strange features I didn’t care about (my own ad network…really?) and most annoyingly, poorly written & out of date information. Time for a change.

The firmware running on it was a customised DD-WRT from 2012 with Heartbleed patches. I could have installed a 2014 upgrade (the latest available) but I had been told a few times that OpenWRT was far and away superior to DD-WRT. If I’m going to break things, why not really break them? On a fairly chilled Sunday, I made the switch.

Preparation

The Internet must not go down. Step 0 was to ensure that the work machines would still communicate with the outside world via the VirginMedia Superhub 2. Some re-plugging of cables, back into router mode with it and all was good. I disabled the 5GHz radio and switched the SSID on the 2.4GHz. This would give me a direct link from my laptop to the Superhub during the process without interfering with the Buffalo, just in case.

Next step was to SSH into the router and copy any custom configs I’d modified. I already had copies of all the various keys and certs for OpenVPN etc. I also took screenshots of everything and ran a back-up, just in case.

Popping across to the OpenWRT wiki, it was pretty simple to find my router. A couple of downloads and I decided to follow the “always working” TFTP steps.

Installation

So much for “always working”. The TFTP steps didn’t and I had a pretty hard time following them as they seemed to expect you to have ripped the cover off to access the serial interface. Somewhat excessive if you ask me. I also had issues with the Superhub seeming to try and grab the TFTP transfer – top tip; unplug the router from upstream when you try to flash it.

Luckily the update from the DD-WRT web worked first time and after a period of Christmas tree lights I had “CHAOS CALMER (15.05.1)” installed. Set the administrative password and let’s get going!

The main OpenWRT page with menus along the top for the various features

Initial config

The OpenWRT default web GUI is nice and clean. I basically went through each section one by one just to see where things were. Compared to my DD-WRT install there was lots missing. Not a big deal, I was glad lots of cruft was gone and I know OpenWRT has a proper package system, should be easy enough to add the bits back. I didn’t see much in the way of management options, but figured I’d see those as I switched various doo-daas on.

The package management should be familiar to any GNU/Linux user

Security

By default the DropBear SSH server is available on all interfaces. Considering the firewall is whatever comes as default, I’m not imposing the use of keys, Fail2Ban isn’t running etc, that gave me “The Fears”. Luckily it was just one mouse click to fix to LAN-only; something to definitely pay attention to though.
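The same check can be scripted rather than eyeballed in the GUI. This is an added example, not part of the original post: a small shell function that reads a Dropbear UCI config and flags any instance with no `Interface` option (so it listens everywhere) or with password logins still on. The function names and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Dropbear UCI config (on OpenWrt: /etc/config/dropbear).
# Prints one finding per line; prints nothing when every instance is restricted.
audit_dropbear() {
    awk '
        function report() {
            if (!seen) return
            if (iface == "")
                print "instance " n ": no Interface option, listens on all interfaces"
            if (pw !~ /^(off|0|no|false|disabled)$/)
                print "instance " n ": password logins enabled"
        }
        # Each "config dropbear" section is one server instance.
        $1 == "config" {
            report(); t = $2; gsub(/[\047"]/, "", t)
            seen = (t == "dropbear")
            if (seen) { n++; iface = ""; pw = "on" }   # password auth is on unless disabled
            next
        }
        $1 == "option" {
            val = $3; gsub(/[\047"]/, "", val)         # strip single/double quotes
            if ($2 == "Interface") iface = val
            if ($2 == "PasswordAuth") pw = val
        }
        END { report() }
    ' "$@"
}

# Constructed sample: no Interface option, as in the default the post describes.
sample_default() {
    cat <<'EOF'
config dropbear
    option PasswordAuth 'on'
    option RootPasswordAuth 'on'
    option Port '22'
EOF
}

# Constructed sample: bound to the LAN interface, key-only logins.
sample_lan_only() {
    cat <<'EOF'
config dropbear
    option PasswordAuth 'off'
    option RootPasswordAuth 'off'
    option Port '22'
    option Interface 'lan'
EOF
}

sample_default | audit_dropbear    # two findings
sample_lan_only | audit_dropbear   # no output
```

On the router itself, run `audit_dropbear /etc/config/dropbear` to check the live config.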

WiFi

Setting the LAN SSIDs for the radios was pretty simple (fill in a couple of text boxes, done) but I was confused why each SSID could only be bound to a single band. e.g. B, G, N or A. I couldn’t see an obvious way to create a G/N 2.4GHz network for example, not that that is a big issue right this second.

A quick iperf showed that no, OpenWRT hasn’t magically resolved the WiFi performance issues. Damn.

The wireless overview page gives a nice list of the networks and clients

Internet Connection (aka Reboot Rumba)

The rest of the LAN config was bang-on and all I needed to do was set my preferred IP address i.e. one that couldn’t clash with the Superhub, which OpenWRT would have done by default. Checking the interfaces section I could see the LAN network was running and had a nice green banner. Neat. WAN and WAN6 were both down and red which made sense as I had not set them yet.

Checking WAN it was set to “DHCP client” (I am ignoring WAN6 as VM does not support it) which seemed sensible, so I enabled it. And it didn’t connect, staying red. Uh-oh.

I remembered that the Superhub was acting as a full router rather than just a modem and I flipped that to modem, tried WAN again. No dice. No connection, still red. Grr…

Back to the OpenWRT docs and the Internet Configuration section. Digging through that whole thing and trying every option I could (most were of no use, I wasn’t using PPPoE or anything like that) I was stuck. I was sure it had to be “DHCP client” but I couldn’t really follow the docs as, just like DD-WRT, they were out of date. Whilst arguing with it I noticed that I could access the Superhub fine on 192.168.100.1 and the router’s routing table looked fine, but trying to do name resolution or ping an external IP address simply didn’t work at all. No DNS (LAN was fine), no route to network. Hrm…

I left the router in “DHCP client” and rebooted it, you never know; right? Yeah, that didn’t help.

I then flipped the Superhub back into a router so I had something for work in the morning and presto; I have Internet via the Buffalo! Wait…what? What did I change? Nothing. Anyway, minor brainwave – I killed the 2.4GHz band on the Superhub and plugged everything into the Buffalo. Still working. I now have another fall-back, if it comes to it I can use the Superhub in this lobotomised-router mode and get access. For chuckles I switched it back to modem-mode. Things continue to work.

Back to the interfaces. WAN is still red but I have Internet. What is going on? Then the penny drops. “red” doesn’t mean “not working”, it’s just a colour indicator for the firewall zone. ARG! Nice feature perhaps, but with no explanation of what the colour actually means, rather confusing. The clue was that the “Uptime” counter was behaving.

For whatever reason, it seems OpenWRT and the Superhub modem need to go through some reboot cycles in order to sort themselves out. Perhaps restarting individual services such as dnsmasq would also have done the trick but the thing is so quick to wake up and I’m the only one connected, not a big deal to reboot.

Note: after fixing this I came across a few forum posts about the Superhub 2 failing in modem-mode. The solution is to switch it back to router-mode, so having it pre-configured as a dumb, no-Wifi router isn’t such a bad idea.

Brief finessing

I don’t do anything exciting, so I only had one fixed IP I wanted to set and this turned out to be super-simple in the “DHCP and DNS” section. This is also where I noted more missing features, I can’t expire a DHCP lease for example.

Initial Impressions

OpenWRT is good. Way better than the firmware on the Superhub. The default install does seem to be missing some features I’d like to see (DHCP management, wake-on-lan) but what the GUI has works and works very well. It’s also responsive, which means it’s actually usable on a mobile device. DD-WRT’s can be a bit of a fiddle.

One thing I really like about the OpenWRT web GUI is that I can make changes in one section and jump to the next, not possible in DD-WRT where you have to commit that page before moving on, and that commit could cause a reboot. The GUI will inform me in the top right that I have unsaved changes, providing me with a way to review those changes and accept or discard them.

With OpenWRT reboots seem to be lessened (unless you force them of course). It appears to me that the individual services get restarted, which is really nice.

Information on the transmission power, other networks etc is really clear. It’s a nice static table, not the strange 3D spinning nonsense that DD-WRT did, rendering the information nigh on impossible to use; impressive though it may have looked.

The OpenWRT documentation isn’t fully up to date (a common problem in the software world, not just in F/OSS) but it is still better than the DD-WRT documentation, which is mostly random forum posts and wiki pages that say “I don’t know what this does…”

Jumping into SSH gives an amusing login message; I’ll have to try it sometime:

  _______                     ________        __      
 |       |.-----.-----.-----.|  |  |  |.----.|  |_    
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|   
 |_______||   __|_____|__|__||________||__|  |____|   
          |__| W I R E L E S S   F R E E D O M        
 -----------------------------------------------------
 CHAOS CALMER (15.05.1, r48532)                       
 -----------------------------------------------------
  * 1 1/2 oz Gin            Shake with a glassful     
  * 1/4 oz Triple Sec       of broken ice and pour    
  * 3/4 oz Lime Juice       unstrained into a goblet. 
  * 1 1/2 oz Orange Juice                             
  * 1 tsp. Grenadine Syrup                            
 -----------------------------------------------------

Conclusion

OpenWRT is nice, very nice. The main failing seems to be the lack of functionality on the web GUI. That’s probably not a huge issue if you’re an experienced network admin but it is one if you’re just an enthusiast. Simple things like expiring a DHCP lease simply are not possible via the GUI.

The DD-WRT community is also far larger than OpenWRT’s and most problems are already solved. Sure, the docs are in more of a mess and this means more web searching but once a thing is fixed; it’s fixed. I think the extra usability provided by the web GUI more than offsets its limitations.

After a bit more research, it looks like many of my issues were down to the modified version of DD-WRT supplied by Buffalo and how out of date it was. So the question is, go back to Buffalo DD-WRT or try community DD-WRT? Ponderings.

But before that, I will try to get along with OpenWRT that little bit longer. Maybe it will force me to learn a thing or three.

TODO

A few things, and this is in no particular order:

  1. Update the DNS records and see if I can access my own domain from the LAN (this is not possible in DD-WRT without some iptables re-plumbing).
  2. Set up the few port forwards and triggers I need (it appears this will be a trivial task).
  3. Guest network, possibly with client isolation.
  4. Fix WiFi performance (only getting 30Mbps from a supposed 300Mbps WiFi network is annoying).
  5. OpenVPN (hopefully I can re-use my current certs etc).
  6. Fail2Ban-ish.
  7. Network-level blocks. Maybe Privoxy or just pixelserv again.
  8. QoS/Traffic-shaping.
  9. Some hardening. I’m no netsec genius and whilst the defaults are probably OK, I have no doubt they can be improved. Even by a clueless fool like me.
  10. Multicast support maybe? I’d prefer to have the “hostile” devices (smart TVs, xbox 360) on a separate network but still be able to access a few services from the main LAN, such as DLNA.
  11. Add a 3g or 4g dongle to act as a back-up link. I just need to find a decent mobile provider. I want to buy (say) 6Gb and have that live until I use it up, not get expired within a few months.
