WRT54G firmware and security help

Discussion in 'hardware' started by thehawkMT, Dec 29, 2010.

  1. thehawkMT

    thehawkMT Registered Member

    Joined:
    Dec 16, 2010
    Posts:
    34
    Hello friends.

    My WRT54GL (model WRT54GL-EU) arrived yesterday and I have two simple questions before installation:

    1. If I opt NOT to upgrade the firmware - to Tomato or others - and I save settings in the router, would these be wiped out if I upgrade the firmware at a later stage?

    2. Is there a guide on how to - security-wise - properly set the router? So far I collected these tips, are they enough?
    a. It is always a good idea to change the name of SSID - Wireless Network Name - not the factory standard
    b. Change the IP address on which you can change your Router's setting
    c. Change the user and admin password
    d. Apply Mac Address Control
    e. When using wireless connections and finally, disable wireless administration
    f. Shut down unnecessary protocols.

    Cheers!
     
  2. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    a -> You can hide the SSID you are using, but whether the connection will still work depends on the OS you are using on the device you connect with. Choose another name; the router allows you to change it. That name should be set in both your router and in your device.
    b -> You can change the X in 192.168.y.X to whatever you want for the router address, but don't forget it, to be able to connect to the setup page.
    c -> Change the password to something with more than 8 characters.
    d -> MAC control is good but almost useless; you need to use WPA 2 and AES TKIP encryption also for the wireless settings.
    e -> To shut down many unnecessary protocols and services you would need a 3rd-party firmware.

    Use the browser and log in to the router to do all the changes needed. In the router manual or on the back of it you should see the first-time login info.
    Additionally you can restrict the number of LAN IPs.
    Don't update firmware until you've seen the wiki of the 3rd-party firmware.
     
  3. thehawkMT

    thehawkMT Registered Member

    Joined:
    Dec 16, 2010
    Posts:
    34
    Thanks.

    Ok, judging by the serial number and what's written at the bottom I own the WRT54GL v1.1 so it should be compatible with Tomato. I might as well flash it straight away and then start changing the settings as per your list :thumb:
     
  4. thehawkMT

    thehawkMT Registered Member

    Joined:
    Dec 16, 2010
    Posts:
    34
    I've done some Google research in the meantime. Do I have to reset the router using the reset button at the back before I actually flash it? And shall I clear NVRAM after I do it?

    Thanks.
     
  5. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    If I remember correctly (I've used an identical router in the past) you should be able to update from the factory firmware to Tomato without issues.
    Yes, you need to do the 30-30-30 hardware reset at the back of the router (read the DD-WRT wiki regarding this).
    Make sure you are connected wired and all the other ports are not in use.
    Get the right file and upload it from the interface of the factory firmware. After the update, wait 10 minutes for the firmware to settle in; practically, leave the PC alone for 10 minutes after you clicked update. Enter the new firmware, reset to Tomato factory settings and use. Opera or Firefox should work just fine for the operation. Disable any software firewall on your PC to avoid issues while updating.
    If you want DD-WRT you need to flash a custom mini image before the standard one.
    Tomato for this router is better though.
    Take care and be aware that anything going bad means a bricked router.
     
  6. thehawkMT

    thehawkMT Registered Member

    Joined:
    Dec 16, 2010
    Posts:
    34
    :(

    I thought this was going to be easy. I'm afraid I have to take advantage of your kind help my friend.

    So, regarding the 30-30-30 hardware reset, do I have to plug the ethernet cables when doing it or I can do it with no cables plugged in whatsoever? Also, I understand that the reset button should be pressed throughout the whole process, is that right, even after I unplug the router and plug it back in.

    Also, what is "reset to Tomato factory settings"? Is that the NVRAM thing?

    Thanks.
     
    Last edited: Dec 29, 2010
  7. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    Yes, it sounds strange to keep the button pressed while the unit is off, but this is the way :) The update is to be made wired.
    This is from the DD-WRT wiki, but it applies:

    http://www.dd-wrt.com/wiki/index.php/Installation#Is_Your_Router_Supported.3F

    "Flashing with Web GUI

    The following instructions are very general and apply mostly to Linksys routers. Check for hardware-specific instructions in the Hardware-specific page.
    Reset your router
    Use Hard reset or 30/30/30.
    While not as preferable (this may cause problems down the line) you can reset to Factory Defaults instead.
    If you do decide to restore defaults, if you do not know the IP address, username, or password of your router, you will need to use the reset button (this does not appear to be referring to a Hard reset or 30/30/30; this appears to be referring to a simple 30-second reset - clock). Be careful when using this method! Apparently if you have OpenWRT already on your router the reset button may not function as it is assumed here and may actually brick your router! Research the functionality of your current firmware to be safe.)
    Again, if you decide to restore defaults, if you already have a version of dd-wrt installed, and you know the IP address, username, or password of your router, you can use this method (other routers may require different instructions):
    Follow the instructions in the next section to log in to the Web GUI.
    Click the "Administration" tab.
    Click the "Factory Defaults" sub-tab.
    Select "Yes".
    Click the "Save Settings" button.
    A new page will open, click "continue".)
    Log on to the Web GUI (if you have not done so already).
    To use the Web interface, you will need to have Javascript enabled with any security restrictions disabled. Some versions of the Linksys firmware Web GUI have trouble with different browsers (some don't work with Firefox, some don't work with Safari). If the Web GUI is giving errors, try switching to a different browser.
    Type in the IP address of the router (typically, the default is 192.168.1.1, especially with Linksys) into the address bar of your browser. (If you do not know the router IP address, you can attempt to obtain it).
    You will be prompted for username and password. (If your router already has a DD-WRT versions starting with 2006-Feb-28, the default username is root. Prior versions have a blank username by default. For Linksys firmware, the default username can be left blank or set to anything. For both DD-WRT and Linksys firmware, the default password is admin. Search online for other defaults on other routers).
    Upload the Firmware.
    WARNING:It is VERY important that you not interrupt the setup while the router is being flashed and rebooted. Do not turn off the computer, close the web browser, or turn off the router during this process! (I usually just take a step back, and turn my head away so I don't breathe on it for these crucial 2 minutes).
    This section is written for a dd-wrt web GUI. Your router's GUI's operations may be different. Please see the previous comment about the possible need for "kill" firmware before your dd-wrt installation. This section may not work for your router as written. Please see the Hardware-specific section for information on your specific router's needs.
    First do a hard reset on the unit that DD-WRT is to be loaded onto.
    You should be in the Web GUI of the router. Go there now (as discussed above).
    Click the "Administration" tab
    Click the "Firmware Upgrade" sub-tab.
    (Only applicable when DD-WRT is already installed.) Choose the option to Reset to Defaults after flashing.
    Click the "Browse" button and select the DD-WRT .bin file you downloaded and confirmed.
    Click the "Upgrade" button.
    The router will take a few minutes to upload the file and flash the firmware. During this time, the power light will flash.
    A new page will open confirming that the upload was successful (Installation#Possible errors if not). Now wait about 5 minutes before clicking "Continue".
    Lastly, do another hard reset on the unit.
    If flashed successfully you will now be able to access the DD-WRT web interface at 192.168.1.1 (again, that is default for most Linksys, etc routers; does not apply to all routers. Check your router's IP before you start this process - clock)."
     
  8. thehawkMT

    thehawkMT Registered Member

    Joined:
    Dec 16, 2010
    Posts:
    34
    Wow.

    Your help is incredibly useful Sm3K3R, million thanks, it will be a long morning tomorrow :doubt:
     
  9. thehawkMT

    thehawkMT Registered Member

    Joined:
    Dec 16, 2010
    Posts:
    34
    Sm3K3R, two more questions, if I may:

    1. Before the tomato one, is there need to upgrade the firmware either to the newest Linksys one or an old DDWRT? I read somewhere that an old DDWRT is needed but can you please confirm I just can go ahead with Tomato without doing anything to the firmware? Is that what you mean by I can update from the factory firmware to the Tomato straight away?

    2. The "Erase all data in NVRAM Memory (thorough)" option after the firmware is complete. Should I do this BEFORE or AFTER the 2nd 30-30-30?

    Apologies for maybe being repetitive but I prefer to be safe.
     
    Last edited: Dec 29, 2010
  10. thehawkMT

    thehawkMT Registered Member

    Joined:
    Dec 16, 2010
    Posts:
    34
    OK, I went on and flashed the device this morning and thank God everything worked like a charm. I will post a step-by-step guide of all the steps I took for those who will need to do the same thing in the future.

    Again thanks to Sm3K3R for his help and directions :thumb:
     
  11. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    Glad it worked.
    Now here is another interesting forum that may help you with configuration:

    http://www.linksysinfo.org/forums/forumdisplay.php?f=160

    Once you tweak the QOS everything will go smoothly. Make sure TCP Vegas is ON also. Security-wise, enable the Syn Cookies.
    Tomato was excellent for WRT 54 GL (1.23 at that time) and still works now in some neighbour network. Anyway the hardware is a little outdated, the CPU can't do routing for high speed connections, it may limit your bandwidth. It depends on your ISP juice and what settings you are using of course.

    You've done well! :)
     
  12. thehawkMT

    thehawkMT Registered Member

    Joined:
    Dec 16, 2010
    Posts:
    34
    Yes, I need to tweak the settings I believe.

    I tried downloading a file from rapidshare and I get a maximum of 300k/sec (I'm on a 10mbit connection) - if I remember correctly I used to get more on just one file with my old router.

    Also the file stopped downloading after 40mb and resumed after 10 seconds.

    Will QOS solve these "problems"?
     
  13. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    I don't know what the problem might be, but usually if you encounter strange connectivity you may need to adjust maximum connections and TCP timeout; look here -> http://www.dd-wrt.com/wiki/index.php/Router_Slowdown
    As your router has only 16 megs you may need to adjust to around 3000 connections.
    There are guides for Tomato QOS on the net.
    You may need to try 2-3 Tomato builds to find the proper one. My router was OK with 1.23, but it is a slightly old build.
    Ask for help on the forum I've pointed out if you need more info and advice.
     
  14. thehawkMT

    thehawkMT Registered Member

    Joined:
    Dec 16, 2010
    Posts:
    34
    Cheers mate.

    Ironically enough I disabled + re-enabled the connection and I now see 1.02MB/sec, which is more like it.

    Again, a big big thank you and I'll make sure to post the guide after all experimentation is complete :)
     
  15. charincol

    charincol Registered Member

    Joined:
    Nov 10, 2005
    Posts:
    113
    thehawkMT

    Congrats on making the jump to Tomato. You have made a very wise choice. With the numbers of security zealots (no offense intended to anyone here) on this forum, I'm surprised that there are not more users of hardware firewall solutions such as Tomato.

    I have the WRT54G-TM with Tomato and it is the single most important piece of network security equipment in my house. I have used BrazilFW, pfSense, and other hardware firewall solutions and Tomato is better than any of them IMO. The most valuable feature is the QOS which works pretty well to prioritize my VoIP and XBOX Live traffic.

    The only issue I've ever had was when setting up DDNS, I couldn't use my then-current DynDNS password because of invalid characters and there was nothing telling me they were invalid. A post to the Linksys Tomato forums gave me my answer. First time I've asked for technical help on anything in a couple of years, lol. Go there for any questions you may have.

    Now that you've replaced the default firmware, you can easily switch between different Tomato, DD-WRT, OpenWRT, and many other alternate firmwares.

    I am currently running Tomato RAF v1.28.8620 MIPSR1. It's a Tomato Mod that includes the Teddy Bear Mod with some extra enhancements that have to do with streamlining your internet connection. I currently run my Qwest Modem in half-bridged mode so it makes the DSL connection, but my Tomato router makes the internet connection and gets the IP from Qwest and therefore is the only device that is doing any routing. Even though it has wireless, I shut it off and have a separate 11n WAP. They are both connected to my Gigabit switch.

    I am so jealous of your 10 MBit connection. My choices are Qwest at 3 MBit max (bad phone lines), and Comcast at 6 MBit max, and Comcast doesn't work overall for me.

    From my understanding, the TCP Vegas function has never worked right and actually seems to cause a slowdown. It was a good idea in theory, but hasn't been a benefit in practice.
     
    Last edited: Jan 10, 2011
  16. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,096
    Location:
    QC
    We are at least three on this wagon here ;-).
    I am another satisfied user of Tomato, on same router.

    Thanks for informative post, charincol! :thumb:
     
  17. charincol

    charincol Registered Member

    Joined:
    Nov 10, 2005
    Posts:
    113
    Are you running vanilla Tomato, or one of the various mods with added features?
     
  18. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,096
    Location:
    QC
    I am newbie on this stuff, so I went with plain vanilla v1.28.1816.

    (WRT54GL v1.1, on ADSL 5M)
    Could you suggest something better?
     
  19. charincol

    charincol Registered Member

    Joined:
    Nov 10, 2005
    Posts:
    113
    It depends on what features you want that the vanilla build may not have. If you want to try out a different build, make screenshots of your settings along with exporting them to a config file. That way, you can set it up the same when you put a different firmware on it. Some of the settings don't match up between builds so it's not a good idea to restore the config file to a new or different build. If you decide to go back to one you have, then you can restore the config file you made earlier.

    The teddy bear mod is probably the best all-around one to use. I use the RAF mod because Victek includes the teddy bear mod and has the speed mod version that includes the ability to run a firewall script on startup that optimizes my ADSL connection. It's not for the faint of heart to figure out because nobody documents how it works very well, but I was able to figure it out somewhat. If you want to try it out, here's the download link for it.

    If you run a speedtest of your connection and get some accurate up/down speeds, I could modify my script with your values and show you where to put it.
     
  20. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    TCP Vegas can only work for traffic that originates from your router.

    When TCP Vegas is disabled you still get the standard (reno ?) flow control which generally works OK.

    thehawkMT, I think you will be fine with the original tomato firmware, I ran it for years before switching to TomatoUSB (www.tomatousb.org) to access some more advanced Wireless settings of the newer kernel they use in a beta build.

    For QOS, the key rule to follow is to keep your rules as simple and as generic as possible while still fulfilling your needs (e.g. only use port ranges instead of L7 application-specific filtering). This will make maintaining and tweaking easier, but also reduces the processing overhead.

    Also the default settings are pretty good and very little tweaking should be needed for good performance, just change what you need to for compatibility/configuration or disable stuff you will never need before you start fiddling with settings.

    The one tweak I had to do on my cable connection was to turn off ACK prioritisation at the top of the QOS settings page, as it was causing anything that could max my bandwidth out to stutter.

    Cheers, Nick
     
  21. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,096
    Location:
    QC
    Thanks for those explications. The Tomato RAF firmware seems appealing, I will download it and probably give it a try next week after researching this subject a bit more by myself.

    Some nice helpful tips in this thread, thanks all.
     