UPDATE: This post got published by accident when we upgraded our blogs and I just left it up. A lot of the settings I figured out were unnecessary (like the VPN settings) after I completely reset my router. However, it is handy to have these settings for when I need them. So, here is the post. Good luck.
Since I got my new machine up and running, I've been working on getting it integrated into my home network, media capabilities and all. I've been adding to this post as I go for a few weeks, so it's gotten pretty long. If you're not interested in tweaking your home network, you might want to check back next time. That being said, here we go.
Like most guys, I'm a bit of a hardware junkie. I've got tons of stuff wired together at home and I'm always trying to get it to work a little better. In this post, I'm going to talk about tweaking your home network, specifically using the hacked router firmware, DD-WRT. I've cobbled together a large number of tweaks and settings from my personal experience and all over the web and thought I'd share them. This post is as much for my own good as yours because every time I mess around with (and inevitably break) my home network, I wonder why I forgot to takes notes on all those settings I worked so hard on.
Disclaimer: I have been running hacked firmware for a pretty long time. Upgrading your firmware is completely legal but most of the time it voids your warranty and allows you to change settings that might be better left alone. Make sure you understand the possible consequences before changing anything. (i.e your xmit power setting can only be so high or you will burn up your router or run afoul of the FCC.) ABOVE ALL, YOU CAN BRICK YOUR ROUTER DOING THIS STUFF.
So, to start off, let's talk about my home network. My network isn't particularly advanced by some standards but I do have a pretty diverse environment. My network topology looks something like this:
I run DD-WRT. Period. It's got a long story behind it. The market for hacked firmware has continued to grow, as has the number of compatible devices, however, I've been on DD-WRT since it was Alchemy and it keeps getting better.
The first thing to do is get DD-WRT up and running. Instructions for downloading and installing DD-WRT are here. I won't go into specifics since there are so many variations but it's usually pretty simple if you take your time. A few tips:
- Read the instructions before you install anything. I can't stress this enough. The DD-WRT Setup Wiki is great but very information dense and full of device-specific information. Find your device, read the installation instructions, then follow them to the letter. Just take your time and you'll be okay.
- Start with a single router. If you've got multiple routers like I do, it can be difficult to troubleshoot network issues if you try bring them all online at once. Start with a single device and add them one at a time as you go. Otherwise, you'll end up with a bunch of half-working boxes and no idea which is causing problems.
- I MEAN IT! READ THE INSTRUCTIONS!
After you get DD-WRT installed, you should be able to surf to your router's IP address (usually 192.168.1.1 by default) and get a new, tabbed interface that looks something like this:
The basic settings you'll probably want to change on each router as you get them going are:
- Basic Setup
- Spanning Tree Protocol (STP) - Turn this off if your ISP is Comcast because it can cause DHCP issues.
- Router Name - Make it unique and fun. Above all, make sure that if you are looking at a list of clients, you can identity which device is which by the name. RouterMain and routerSecondary are boring but tend to be much more helpful names than BoxODoom, StupidRouter, or even...sigh...linksys.
- Time Zone - You want your logs to be accurate don't you?
- Router Username - Change your username for logging into the router or leave it on the DD-WRT default of root. Either is fine as long as you change your password.
- Router Password - Change your password for logging into the router. Do NOT leave the password set to the default. All it takes is a 3 second Google search to find the default password for just about any router or firmware out there.
That's about it for out of box setup. Doesn't seem like much does it? However, now that your router is hacked, stable, and secure, there is a lot more that you can do with it. Here are a few of my favorite features (all of which I'm using at home).
WDS (Wireless Distribution Service)
Wireless Distribution Service (or WDS) gives you the capability of having more than one router work together as a single wireless network. Some routers have recently started including this feature but it's been in DD-WRT forever and is a bit more powerful. An example of when this is useful is my apartment in San Francisco. The walls of my older apartment are apparently made of Kryptonite and chicken wire. So much so that the wireless on my original router failed to even reach the back of the house.
A second router and WDS solved the problem. It also saves me a few bucks on wireless adapters since all of my devices can reach one of the two routers with a wire. WDS is first on my list because it's one of the most useful features, however it's also one of the most difficult to setup. It took a few tries but I succeeded in getting it working by following the DD-WRT wiki WDS setup instructions to the letter.
Some tips to get WDS going:
- Put the routers next to each other and in the same room when you're setting them up. This way you can use a wire to switch between the two quickly during setup. More importantly, you can see when they are setup correctly, before dealing with other environmental factors (like seriously dense walls).
- Set up the main router first, bring the client routers up after. This helps you differentiate between configuration issues and other issues, like routers fighting over IP addresses or names.
- Set the whole network up first without encryption, then increase encryption a step at a time. Once the network works without encryption, turn on WEP. This is the lowest common denominator encryption. It isn't very strong but it usually works for every device. After that, move up to WPA/WPA2. Be careful, some people have seen issues using WDS with WPA2 and TKIP+AES (in the wiki, under the Notes section).
- As suggested in step 6 of the setup wiki, I set the IP address for my routers as 192.168.1.1 and 192.168.1.2 and changed the starting address for each router to 100 (for *.1) and 200 (for *.2) so that the two don't fight over IP addresses. Also, I can always tell which router a client is connected to by what it's IP address is.
WDS and the Airport Express
In addition, with WDS you can connect your Airport Express to your network, which under any other circumstances will only connect to other Apple Extreme base stations. The instructions I used to set this up are over at ryanschwartz.net. There is also a new set of instructions on the DD-WRT setup wiki that I have not tried. Note: The Apple Express doesn't support WPA unless it has been upgraded to the latest official firmware.
General Firewall and Port Forwarding Settings
If you set up your network using WDS, your main router should have the firewall enabled and the client router's firewall should be disabled. In most cases, your firewall should be set up as follows:
- Block Anonymous Internet Requests - Checked.
- Filter Multicast - Checked.
- Filter Internet NAT Redirection - Unchecked. This setting should be turned off specifically for most online gaming.
- Filter IDENT (Port 113) - Checked.
Also, many programs require certain ports open to work properly. If you set up your network using WDS, you should set up port forwarding up on the main router only. I left the exact settings for each required port under it's corresponding section below to avoid confusion.
Since there are great many legal uses for Bit Torrent these days, including the Blizzard Downloader and many distributions of Linux, I'll assume that is what you're using it for.
Most routers still don't handle the BitTorrent protocol very well out of the box. That's because Bit Torrent is one of the most chatty protocols ever created. From Wikipedia:
Routers that use NAT, Network Address Translation, must maintain tables of source and destination IP addresses and ports. Typical home routers are limited to about 2000 table entries while some more expensive routers have larger table capacities. BitTorrent frequently contacts 300-500 servers per second rapidly filling the NAT tables. This is a common cause of home routers locking up.
You've probably seen this when your router works fine at first, then slows down and eventually just stops responding. The reason for this is that the router comes configured for a low number of connections, each of which stays open for a long time. Meanwhile, a protocol like BitTorrent relies on being able to open a high number of connections, each for a short time. DD-WRT allows you to change the behavior of the router. The normal fix for this is to increase the number of ports and decrease the connection timeout by adjusting the following settings on the Administration tab:
- IP Filter Settings
- Maximum Ports - 4096
- TCP Timeout (in seconds) - 60
- UDP Timeout (in seconds) - 60
In addition to changing these settings, you will usually need to forward the ports BitTorrent uses to establish connections. This is done on the Applications & Gaming tab. You should add the incoming port (chosen by your client) and the standard BitTorrent ports as follows:
- Applications & Gaming
- Port Range Forwarding
- BitTorrent, 6881 - 6999, Both
- Port Forward
- BitTorrent, [###, Decided when you install your client], Both
Xbox Live Settings
In order for Xbox Live to work properly, you will need to forward a few ports and turn off NAT Redirection on your router.
- Filter Internet NAT Redirection - Unchecked.
- Applications & Gaming
Remote Desktop and DDNS
One of the really cool features I have set up is that I can access my home computer across the Internet from anywhere through Remote Desktop.
The first thing you'll need is a reliable IP address for the computer you're trying to reach. Luckily, DD-WRT provides a very simple and helpful feature called dhcpd. Dhcpd allows the dhcp server assigning IP addresses to recognize a device by it's unique hardware signature and give that device the same IP address every time. Translation, your router will recognize your computer and give it the same address every time it connects. To set up dhcpd, you'll need to get the MAC address for your computer. In Windows, you can find this out by opening a command window and typing:
In the results, you'll see an entry for physical address. That's your MAC address. If you have more than one entry, you've probably got multiple network or wireless cards. You want the one you are connecting to the router with. Once you get your MAC address, simply Add a dhcpd entry on the Administration tab and choose an IP address. I choose something high and reflecting the router I'm connecting to, like 192.168.1.249.
- DHCP Server
- Static Leases
- MAC Address - The physical address of your computer
- Host Name - The host name (computer name)
- IP Address - The IP address you'd like assigned to this device.
The next thing you need to setup is an external host name. This is so that you can aim Remote Desktop at your computer without having to know the IP address (which may change frequently, depending on your ISP). I use the free DynDNS service. You will need to create a free account but in return they will give you a free subdomain that you can use to access your computer/router across the Internet. It will be something like myawesomedomainname.dyndns.org.
After you have your DynDNS account and domain set up, you'll probably want your main router (the one facing the Internet) to update the service whenever its IP address changes. DD-WRT provides this update functionality for numerous services on the DDNS tab.
You'll just need to set it to DynDNS.org and point it at your account and domain name.
- Dynamic Domain Name System (DDNS)
- DDNS Service - DynDNS.org
- User Name - Your DynDNS Username
- Password - Your DynDNS password
- HostName - The DynDNS subdomain you chose and want updated
Lastly, after you've gotten your domain set up and updated, you'll need to forward the Remote Desktop port and turn off Loopback for the connection to work properly.
- Applications & Gaming
Advanced Monitoring and Logging
Most of the time a home router is a black boxes. You plug it in, watch the lights blink and just hope it works. However, it's got a Linux OS running the show and with a quick tweak, you can get a lot more visibility into what's going on under the hood. DD-WRT includes the Linux tool syslogd for optional increased logging. It's actually very simple to set up.
First, you'll want to pick up a syslogd client. For Windows, I use the excellent and (mostly) free Kiwi Syslog Daemon. It's a quick install, runs as a service and is very easy to use. After you get that installed, you need to on syslogd for each of your routers and point them at the machine you just installed the Kiwi Daemon on.
- System Log
- Syslogd - Enable
- Remote Server - [IP Address of daemon machine]
Easy enough. Here's what you get.
When your router stops working, you can pop this open and see dropped packets first-hand. When you reboot the router, you can watch the boot process line by line, just like your computer. Very cool stuff.
(Outgoing) VPN Setup
You probably have a work VPN that you connect to. You'll need to make sure that the VPN settings (Security > VPN) are set to allow passthrough traffic. This allows traffic for protocols like PPTP, the protocol for Microsoft's VPN Client, to pass through the router.
- IPSec Passthrough - Enable
- PPTP Passthrough - Enable
- L2TP Passthrough - Enable
If you have any problems connecting, you may also need to forward some or all of the following ports. Note: I never had to forward any of these until I started running WDS. Now I have to have them forwarded or else my VPN will not connect.
- You can adjust the strength of the antenna signal using the Xmit Power setting under the Wireless > Advanced Settings tab. By default, this setting is 28mW. It can be set to a maximum of 251mW. The consensus I've seen is that 70 is a pretty good setting. The higher you set the Xmit, the more you risk damage to the hardware or increasing the noise and actually hurting your signal.
- You can manage traffic by traffic type, router port, or MAC address using QoS (on the Applications & Gaming > QoS tab).
- If you're interested in connecting to your router at the OS level, you can do so through Telnet or SSH. Both of these protocols are located on the Administration > Services tab. I would recommend disabling Telnet and enabling the more secure SSH. You can then connect to SSH with a client like Putty.
- DD-WRT has an info site that requires no login or password out-of-the-box. I recommend disabling this functionality so that the info page also requires logging in. You can do this by going to the Web Access section of the Administration > Management tab and enabling Info Site Password Protection.
This is by no means an exhaustive list of features for DD-WRT. If you haven't had enough, head over to the tutorials section and pick your poison. Lastly, if by some chance you do manage to brick your router, consult the oracle. In many cases, it may be possible to salvage the router with no damage.