Teach your router new tricks with DD-WRT or OpenWrt
Open source DD-WRT or OpenWrt firmware can breathe new life — and advanced features — into your old wired or wireless router
With each passing year, hardware devices grow less dependent on proprietary components and more reliant on open source technologies. Network routers are among the main beneficiaries of this trend, especially those that can support a variety of third-party open source firmware projects. Two of these firmware projects stand apart from the rest: DD-WRT and OpenWrt.
DD-WRT has become a common out-of-the-box option for many routers, but also exists in stand-alone implementations that can be installed on routers that support it. Hundreds of routers can run DD-WRT firmware, including nearly 100 Linksys models alone.
DD-WRT has a slightly convoluted history. In 2002, Linksys started releasing a line of routers (the WRT54G models) that used Linux as an embedded system. The company was eventually obliged to release the source code for those routers under the terms of the GPL. Another company, Sveasoft, picked up on the results and created its own third-party firmware (aka Alchemy). Eventually this work was turned into a commercial offering, which encouraged the folks at DD-WRT.com to launch their own branch of the project.
The project was successful enough that DD-WRT has become the basis for other firmware created by router manufacturers themselves. Consequently, while DD-WRT has been released under the terms of the GPL, commercial builds of the firmware may incorporate much non-GPL code. While DD-WRT has its roots in open source, it has a more commercial flavor than some of the projects in the same vein.
OpenWrt is open source firmware similar to DD-WRT, but with a markedly different approach to its construction and deployment. The OpenWrt project home page unpretentiously describes the technology as “a Linux distribution for embedded devices,” but that humble label doesn’t cover the whole picture. Instead of being released as a monolithic build à la DD-WRT, OpenWrt is more akin to an actual Linux distribution with its own package manager.
Because of all this, setting up and running OpenWrt can become a much more involved process, since the user has the freedom to make most any changes they want directly inside OpenWrt. But it also means access to a much broader range of components. By the same token, OpenWrt components tend to be more frequently updated than those for DD-WRT, while its package manager makes it easier for users to take advantage of those updates.
Why use DD-WRT or OpenWrt?
For me, the single biggest reason to go with an open firmware like DD-WRT or OpenWrt is the balance it strikes between convenience and openness. I can go out and buy a router that runs open firmware out of the box — such as the Buffalo router I currently use — and either upgrade it at my leisure to other open firmware builds or rely on Buffalo’s own official (albeit proprietary) builds. In many respects, using an open firmware is analogous to the use of an alternative Android ROM, like CyanogenMod, where an older phone can be kept current long after the manufacturer decides it’s not worth supporting anymore.
In the past I’ve bought a router, upgraded it faithfully as new revisions to the firmware come out, then ground my teeth in disgust when I discovered, 18 months or two years later, that it’s no longer supported. This is dismaying, especially in a post-Heartbleed world where an unpatched embedded device can be bad news. The only thing worse than no protection at all is a false sense of security, so I like the idea of using software that has at least a modicum of third-party oversight.
A full list of the features in DD-WRT would spill over to pages on end, but here’s a rundown of the most significant and widely used items:
Firewall. Every router these days comes with a firewall, but the one included with DD-WRT is based on the iptables firewall in Linux and thus is extremely powerful and configurable. You can edit the firewall through DD-WRT’s own Web-based interface or use a tool like Firewall Builder to do most of the heavy lifting.
IPv6 support. With the world rapidly running out of IPv4 address space, it’s nice to know your router can speak IPv6 natively if it has to. DD-WRT has native IPv6 functionality, as well as the 6to4 address-translation system.
Quality-of-service controls. Most routers have basic QoS management, but some of the DD-WRT builds (mainly the commercially available version) can give you more sophisticated QoS settings, allowing you to specify such items as maximum bandwidth per netmask or MAC address. UPnP media streaming is also included as a standard item on just about every DD-WRT build.
DNS controls. These include Dnsmasq, a local DNS server that speeds up host-name lookups, as well as support for dynamic DNS providers like TZO, No-IP, and DynDNS.
Afterburner. A speed-enhancement system supported by some wireless network devices based on the Broadcom chip set. You should use it only if your router and your other network hardware support it, or you’ll actually see a net loss in performance.
Kai Daemon. This one’s for gamers. It’s a service to allow network tunneling for game consoles — mainly Microsoft’s Xbox — so that they can connect to the XLink Kai gaming network.
OpenWrt includes most of the above features and more:
Special hardware configuration options. Many routers feature built-in hardware elements such as an action button (usually involving Wi-Fi Protected Setup). OpenWrt lets you redefine the functions available to such buttons.
File sharing. Some commercial routers now allow you to share storage that’s attached directly to the router via USB or eSATA. OpenWrt makes this possible as well.
Support for a wide variety of USB-connectable devices. Aside from USB-connected storage, this includes devices like printers, Web cameras (a do-it-yourself home security system!), and even audio systems. Generally, most any hardware device that has Linux support will work, although you may be limited in your choice of devices by the connectivity of the router itself.
Mesh networking support. Protocols like 802.11s and BATMAN allow ad-hoc creation of mesh or peer-to-peer networks between devices. OpenWrt’s wireless drivers allow such configurations.
Port knocking. A sly way to enable external access through a firewall, port knocking isn’t widely used as a regular security measure, but OpenWrt makes it possible to configure such a setup if you want to use it.
Real-time stats collection and monitoring. For those who want the most in-depth insights possible into their network’s behavior — in real time, to boot — OpenWrt’s package collection includes apps like Nagios to make this possible.
Note that this isn’t an exhaustive or exclusive list. Some of these OpenWrt features may be found in DD-WRT as well. That said, thanks to OpenWrt’s packaging system and faster pace of development, a great many more features are to be found in OpenWrt’s ecosystem.
Many open firmware functions are designed for using the router as a public-access hotspot. If you’re setting up one of these in a business or residence, it’s convenient to have them in the box and not need to put them together by hand.
Client isolation. Wireless clients can see only the access point and not each other — quite important if you want multiple people to share the same access point and not get into each other’s shared files.
Sputnik Agent. An add-on that allows an access point manager to use the SputnikNet remote management system for controlling multiple access points from a single Web-based console. SputnikNet has both free and for-pay management tiers, depending on your needs.
Hotspot System. This appropriately named service lets you manage multiple locations, as well as the billing of clients who connect to your hotspot.
Wifidog. Another access-point portal solution, Wifidog provides a broad range of options from simply displaying a splash page for users (for no-strings-attached access) to requiring actual purchase of access time.
ChilliSpot. Yet another open source access controller for hotspots, ChilliSpot uses RADIUS authentication. Note that ChilliSpot is a legacy project that is no longer actively maintained, but still included with many DD-WRT builds as a backward-compatibility measure.
One of the key differences between DD-WRT and OpenWrt is the presentation of options to the end-user. DD-WRT provides multiple monolithic builds, not only for different hardware configurations but also with different usage profiles and different feature sets. (OpenVPN, for instance, is only available in a few builds of DD-WRT.)
OpenWrt too is delivered in different builds based on the architecture of the device for which it’s being used, but that’s where the similarities end. In contrast to DD-WRT, the actual contents of the OpenWrt build — the supported features, the available drivers — are configurable from within OpenWrt itself. Changing or upgrading those features doesn’t require replacing the entire system image.
Finding a suitable router and build
The first step to take if you want to make use of DD-WRT or OpenWrt is to find a router that supports them. In the abstract, this isn’t terribly difficult. The DD-WRT site contains a list of supported devices that’s updated regularly, and OpenWrt keeps an equally detailed Table of Hardware. There, you can browse by hardware platform rather than manufacturer (for example, if you want to obtain a generic x86 build of OpenWrt and use that on your own hardware). In either case, you can see if routers from a particular manufacturer are supported and go with that.
My manufacturer of choice is Buffalo, and my current DD-WRT router is the WHR-HP-G300N, most recently given a DD-WRT update by Buffalo itself back in May 2011. Belkin, D-Link, Netgear, and Linksys also have DD-WRT routers in their lineup, as do a slew of smaller manufacturers, including Accton, Gateworks, and Rosewill. The Atheros routers made by Qualcomm also use a derivative of OpenWrt.
The next step is to pick a specific model of router. With OpenWrt, again, one can either browse by router model or by chip set. Beyond that, most of the choices involve the specific hardware features you want supported, but not all routers that can run OpenWrt can support the full gamut of the firmware’s functions. Hardware VLANs, for instance: Many routers support them, but some don’t. If you plan on using hardware VLANs to perform accelerated tagging or similar functions, you’ll need a router that supports them natively. (Software VLANs are always possible, though.)
DD-WRT routers fall into roughly two camps, based on the chip sets they use:
Routers built with the Broadcom chip set can use a slightly wider variety of DD-WRT builds (more on this below).
Routers with the Atheros and Ralink chip sets use builds that are made specifically for the router model. For example, my Buffalo router is built on Atheros and needs a build made specifically for it by Buffalo. However, with a little work you can replace Buffalo’s official build with an unbranded DD-WRT build.
Broadcom routers use two different flavors of DD-WRT depending on their make:
The “normal” build, also referred to in DD-WRT’s documentation as NEWD. This is the one to use for recently manufactured routers.
The VINT build, which uses an older wireless driver designed for earlier revisions of the Broadcom chip set — specifically, the 4710 and 4712 CPUs.
I mentioned before how DD-WRT comes in a number of different “sizes,” with various features included or omitted. The smaller builds allow routers with less flash memory to use DD-WRT, albeit at a loss of functionality. The “micro” build, for instance, is designed to fit in a 2MB flash space and thus omits IPv6, OpenVPN, and the firewall. The “standard” build, which includes the vast majority of features, requires 4MB. The “mega” build, which includes everything plus the kitchen sink, requires 8MB.
If you’re in doubt about which build to flash, check the supported device list in DD-WRT’s wiki. Each entry in the list contains instructions on how to flash and which firmware build to use.
DD-WRT and OpenWrt extras
A full breakdown of the most immediately useful features in DD-WRT or OpenWrt would require a book — and might be redundant, considering many of those features are common to most routers. However, here’s a sampling of features included with DD-WRT and OpenWrt that might not be present on other routers.
Boot wait. When enabled, the router pauses for five seconds at boot time to allow the user to connect remotely and flash a new firmware if the current one is bricked. Leave this on, as you never know when it will be useful — and what’s five measly seconds out of a reboot cycle?
Logging. DD-WRT and OpenWrt can maintain running logs of their most crucial events and behaviors. The log can either be kept locally or written to a remote IP address that has a syslog daemon listening on the appropriate port. This can be left off by default, but it’s useful to toggle it on if you need to do any detailed troubleshooting (for instance, to find out if a specific action is messing up operations).
Overclocking. Some routers support the ability to overclock, or run the CPU faster than the manufacturer normally recommends. There are few cases where this is a good idea, especially since overclocking any hardware often leads to instability.
Scheduled reboot. You can force the router to reset itself at a given time of day, after a certain interval, or on a specific day of the week. Some claim this improves performance, although in my own experience it doesn’t seem to make much difference. The documentation (linked above) shows you how to do this via a command line, but some builds — including the one in my Buffalo router — let you set this in the GUI under Administration/Keep Alive. Note that in order to use this, you’ll need to enable the Cron option as well.
Telnet. The telnet daemon should be running if you plan on connecting via telnet to perform administration (such as to manually flash new firmware). If you’re worried about the security implications of leaving telnet running, you can shut it off until you need it.
Transmit power and antenna gain. These let you control the power to the wireless antenna and the amount of gain or “focus” used to single out weaker signals. Most of the time these options should be left as-is, but you can experiment with the gain function to see if it improves reception in your environment. Note that increasing transmit power can cause some routers to overheat, so don’t fool with it, then forget about it.
Watchdog. If enabled, the router will attempt to ping other computers regularly and will reboot itself if it doesn’t receive a response. This should not be needed in most environments, but it can be useful if you have a flaky network gateway. Just be sure to use sane intervals for the pings — anything less than five minutes is probably overkill — and make sure you’re pinging an item for which inaccessibility will be a sure sign of trouble (Google, for instance, or your ISP’s home page).
Asterisk. This one’s for the truly ambitious. Asterisk is an open source PBX system that can be used as a replacement for a proprietary PBX, although the capacities available to Asterisk will be limited by the hardware you’re using.
The package list for OpenWrt can be dauntingly large, but that’s a testament to how flexible the firmware can be in the right hands.
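To make the Watchdog behavior described above concrete, here is an added example (not code from DD-WRT, OpenWrt, or the original article) of the decision logic in POSIX shell. It goes slightly beyond the description by probing several targets and rebooting only after a number of consecutive failed checks, so one dropped ping or one unreachable host does not restart the router. The target addresses, the MAX_FAILS threshold, and all function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: watchdog decision logic; not the firmware's own implementation.
# TARGETS are constructed placeholder addresses (RFC 5737 documentation ranges);
# replace them with hosts whose loss really does mean the uplink is down.
TARGETS="${TARGETS:-192.0.2.1 198.51.100.1}"
INTERVAL="${INTERVAL:-300}"    # seconds between checks (five minutes, per the article)
MAX_FAILS="${MAX_FAILS:-3}"    # assumed threshold: consecutive failed checks before reboot

# probe HOST: succeed if HOST answers a single ping within five seconds.
probe() {
    ping -c 1 -W 5 "$1" >/dev/null 2>&1
}

# any_target_up: succeed as soon as one target answers.
any_target_up() {
    for target in $TARGETS; do
        probe "$target" && return 0
    done
    return 1
}

# next_fail_count CURRENT: print the updated consecutive-failure count.
# Any successful check resets the counter to zero.
next_fail_count() {
    if any_target_up; then
        echo 0
    else
        echo $(( $1 + 1 ))
    fi
}

# should_reboot COUNT: succeed once COUNT has reached the threshold.
should_reboot() {
    [ "$1" -ge "$MAX_FAILS" ]
}

# watchdog_loop: check, decide, sleep, repeat. Logs the reason before rebooting
# so the event is visible in the local or remote syslog afterwards.
watchdog_loop() {
    fails=0
    while :; do
        fails=$(next_fail_count "$fails")
        if should_reboot "$fails"; then
            logger -t watchdog "no target reachable for $fails checks, rebooting"
            reboot
        fi
        sleep "$INTERVAL"
    done
}

# Nothing runs unless the script is started with the argument "run".
if [ "${1:-}" = "run" ]; then
    watchdog_loop
fi
```

With the defaults above, the router restarts only after roughly fifteen minutes of total unreachability.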
Last words for DD-WRT and OpenWrt users
Once you have your setup running the way you want, keep a few final details in mind for smooth sailing in the future:
Back up your router settings every so often. DD-WRT lets you save your router’s settings to a file that can be stored on a PC, then reloaded into the router if needed. (OpenWrt has similar functionality.) If you have a number of custom settings — port forwarding, for instance — and need to do a 30/30/30 reset, it would be good to have all of it backed up so that you don’t have to manually punch it in again.
Set passwords. Not just for your wireless connection — be sure to use WPA2 if your clients can support it — but also for the administration panel in your firmware. It should go without saying, but designate a different username and password for the admin panel than the out-of-the-box settings. If you stick with the default credentials, your network is a sitting duck.
Check for updates about once a month. Bookmark the page where updates for your router are posted, and check it every so often for new versions of the firmware. There’s not much point in using a custom firmware if you’re not keeping it current.
Finally, if it ain’t broke, don’t fix it. This may sound counterintuitive, but if your main reason for picking up a custom-powered router is stability and functionality, don’t shoot yourself in the foot by tinkering with it too much. If you do tinker, back up your settings before trying anything particularly adventurous.
Of course, if you’re using a custom firmware explicitly in order to tinker with it, that’s another story!