It was time again to revisit my home network. When I looked at it, I saw that I had the following:
- 1 firewall system running Smoothwall
- 1 wireless router
- 1 file server running FreeNAS
- 1 Atom D525 system running Asterisk
as well as the computers which used the network. Because of the way the apartment is set up, the firewall, phone system, file server and wireless router were all in my living room. While the systems were all mini-ITX systems, there was still enough fan noise to be noticeable when it was quiet, as well as the extra electricity being used.
A number of years ago I learnt about DD-WRT, which is a free replacement firmware/software to replace the firmware of many wireless routers. At the time I was using a Linksys wrt54g, and tried using it, but was unimpressed due to the limitations of the router and the early development level of DD-WRT. I have kept hearing about it over the years, and decided to take a second look at it.
What I found was a highly professional firmware based on Linux, which included a ton of functionality, as well as additional packages which could be downloaded and installed. Also, the hardware has improved over the years, with faster CPUs, more memory, and overall better quality.
I looked at the available wireless routers, looking for one with the following abilities:
- Maximize RAM and NVRAM
- All current wireless protocols supported: a/b/g/n
- 4 or more network ports, preferably gigabit
- USB port for an external hard drive
- Ability to use the latest version of DD-WRT
- A reasonable cost
I settled on the Buffalo WZR-HP-G300NH, which has 64 MB of RAM, 32 MB of NVRAM, 4 network ports plus the WAN port (which can be configured as a fifth LAN port), all gigabit, and a USB port. There are others equally as good. One reason I chose the Buffalo is that Buffalo provides a re-branded version of DD-WRT specifically for this router. This tells me that there would be very good support for DD-WRT from many places.
Rather than repeat already-existing instructions, I’ll be providing links along with a short comment about it.
First I had to install the DD-WRT firmware. Apparently it is somewhat specific to each chipset; for this router I used this: WZR-HP-G300NH. Nothing special about the flashing, you essentially download a binary and flash it. When done, you have DD-WRT installed. Very easy to do.
Now that I had DD-WRT installed, I had to configure it so that it is a bit more like a Linux box. The problem with these routers is that quite often the NVRAM/filesystem is read-only, making it very difficult to make any changes or updates. This is when an external drive becomes very useful, even if you aren't going to use it as a file server. You can use any USB storage device, including a flash drive, hard drive, etc. Since I'm using this as a file server, I plugged in a 1 terabyte drive, after first formatting it with the ext3 filesystem. If you don't have a Linux box to do the formatting, you can use a bootable CD, such as GParted. While not necessary, I recommend that you partition the disk to create the following filesystems:
| Partition | Filesystem | Size / use |
|---|---|---|
| 1 | ext3 | 500 MB to 1 GB |
| 2 | swap | 128-256 MB (optional) |
| 3 | ext3 | NAS data; this is the space that Samba will share |
Now I was ready to install some additional software. I followed the instructions on this page: Howto Install Optware on Atheros units.
My old router supported OpenVPN, to allow me access to my network from the outside. So I now followed these instructions, with the following minor changes:
- Ignore the section labelled: Getting Started – Flashing the Router
- I created my certificates on a Linux box, so I ignored the section labelled: Creating Certificates Using Easy RSA in Windows
Problems with OpenVPN are beyond the scope of this article; if you have problems, try looking in the Openvpn site.
One problem with DD-WRT is that the port forwarding page is more limited than I like. I have a number of specific external IP addresses from which I forward ports to my internal phone system, and I couldn't do this in DD-WRT. So I wrote a small script which runs at startup to implement these specific port forwards. I used this page as a reference, and the script is as follows; all internal and external IP addresses have been changed to protect the innocent (script updated 5/25/2011):
```sh
#
# This is written for the BusyBox shell implementation, which doesn't have
# arrays. Simulate them using variables which only differ in the
# number, as follows: source network, protocol, port or port range, internal host
r1="18.104.22.168/32,tcp,5060:5082,192.168.2.150"
r2="22.214.171.124/32,tcp,4569,192.168.2.150"
r3="126.96.36.199/32,tcp,5060,192.168.2.150"
r4="188.8.131.52/32,tcp,5060,192.168.2.150"
r5="184.108.40.206/32,udp,5060:5082,192.168.2.150"
r6="220.127.116.11/32,udp,4569,192.168.2.150"
r7="18.104.22.168/32,udp,5060,192.168.2.150"
r8="22.214.171.124/32,udp,5060,192.168.2.150"
NUMLINES=8

index=1
rm -f /tmp/root/iptables.log
while [ $index -le $NUMLINES ]; do
    # Fetch the value of r$index (the "array" lookup)
    eval r=\$r$index
    if [ "$r" != "" ]; then
        ip=`echo $r | cut -f 1 -d","`
        protocol=`echo $r | cut -f 2 -d","`
        ports=`echo $r | cut -f 3 -d","`
        dest=`echo $r | cut -f 4 -d","`
        # Rewrite the destination of packets arriving on the WAN address from
        # the allowed source so they reach the internal phone system.
        # The tail of this line was lost on the page; the DNAT target is
        # reconstructed from the fourth field of each rule.
        iptables -t nat -I PREROUTING -p $protocol -s $ip -d $(nvram get wan_ipaddr) --dport $ports -j DNAT --to-destination $dest
        # Accept (and log) the same ports on the WAN interface and on the
        # forwarding path to the internal host; logaccept is DD-WRT's chain.
        iptables -I INPUT -p $protocol -i eth1 --dport $ports -j logaccept
        iptables -I FORWARD -p $protocol -d $dest -s $ip --dport $ports -j logaccept
        echo "$protocol $ip -> $dest:$ports" >>/tmp/root/iptables.log
    fi
    index=$((index+1))
done
```
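A typo in one of the r1..r8 lines above would silently turn into a half-formed iptables rule at boot, so it is worth checking each line before it is applied. The following is my own added example (not from the original post or from DD-WRT): POSIX sh functions that validate a "source/cidr,proto,ports,dest" line and print the three iptables commands it would expand to, as a dry run you can review before putting the rules in the startup commands. WAN_IP, the sample rules and the documentation-range addresses are constructed placeholders; on the router the WAN address comes from `nvram get wan_ipaddr`. It also adds `-s` to the INPUT rule, which the startup script leaves open to any source.

```sh
#!/bin/sh
# Added example: validate port-forward rule lines before expanding them.
# WAN_IP is a constructed placeholder (TEST-NET-3) standing in for
# `nvram get wan_ipaddr`.
WAN_IP="${WAN_IP:-203.0.113.10}"

# Return 0 if $1 is a dotted-quad IPv4 address with octets in 0-255.
is_ipv4() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is "a.b.c.d/nn" with 0 <= nn <= 32.
is_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; plen=${1#*/}
    is_ipv4 "$addr" || return 1
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ]
}

# Return 0 if $1 is a single port or a low:high range inside 1-65535.
is_ports() {
    case $1 in *:*) lo=${1%%:*}; hi=${1#*:} ;; *) lo=$1; hi=$1 ;; esac
    for p in "$lo" "$hi"; do
        case $p in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$lo" -le "$hi" ]
}

# Validate one "src/cidr,proto,ports,dest" line. Prints the reason on
# failure and returns 0 only when all four fields are acceptable.
check_rule() {
    oldifs=$IFS; IFS=,
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || { echo "expected 4 comma-separated fields, got $#"; return 1; }
    is_cidr "$1"  || { echo "bad source network: $1"; return 1; }
    case $2 in tcp|udp) ;; *) echo "protocol must be tcp or udp: $2"; return 1 ;; esac
    is_ports "$3" || { echo "bad port or range: $3"; return 1; }
    is_ipv4 "$4"  || { echo "bad internal destination: $4"; return 1; }
    return 0
}

# Print (do not run) the iptables commands a valid rule expands to:
# DNAT on PREROUTING, then INPUT and FORWARD accepts pinned to the source.
render_rule() {
    check_rule "$1" >/dev/null || return 1
    oldifs=$IFS; IFS=,
    set -- $1
    IFS=$oldifs
    printf 'iptables -t nat -I PREROUTING -p %s -s %s -d %s --dport %s -j DNAT --to-destination %s\n' \
        "$2" "$1" "$WAN_IP" "$3" "$4"
    printf 'iptables -I INPUT -p %s -i eth1 -s %s --dport %s -j logaccept\n' "$2" "$1" "$3"
    printf 'iptables -I FORWARD -p %s -s %s -d %s --dport %s -j logaccept\n' "$2" "$1" "$4" "$3"
}

# Constructed sample table in the same shape as r1..r8; the last line is
# deliberately missing its /32 so the check has something to reject.
SAMPLE_RULES="198.51.100.7/32,udp,5060:5082,192.168.2.150
198.51.100.7/32,tcp,4569,192.168.2.150
198.51.100.8,udp,5060,192.168.2.150"

echo "$SAMPLE_RULES" | while IFS= read -r line; do
    if msg=$(check_rule "$line"); then
        render_rule "$line"
    else
        echo "skipping rule '$line': $msg" >&2
    fi
done
```

Run it on a Linux box before flashing the rules into the startup commands; once the printed commands look right, the same four-field lines can be pasted into the r1..r8 variables of the startup script.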
Now that I’ve taken care of my security, I need to get Samba working. Luckily, Samba is already installed in the basic DD-WRT package. This page contains the information, but I had to make the following changes:
- I added additional users to the passwd and group file to support my existing users, using the same group and uid numbers.
- I ignored step 4, and instead added the samba command to the startup commands.
DD-WRT uses Dnsmasq instead of BIND. Not being familiar with Dnsmasq, I followed this page to set it up. The page details several different ways to set up Dnsmasq; I used step 4 and modified the script to reflect my installation. When done, I added a call to it in the startup commands.
Finally, I needed a way to back up all my data, so I installed rsync. This page details it, but I had to change the procedure slightly as follows:
- Replaced calls to
- Replaced startup of rsync daemon with call in startup script:
/opt/usr/bin/rsync --daemon --config=/opt/etc/rsyncd.conf
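An rsync daemon started this way serves whatever /opt/etc/rsyncd.conf exports, so the config is where the backup share gets locked down to the LAN. The following is a constructed example of that file (my own, not the post's or the rsync project's); the module name, the mount path under /mnt/nas, the 192.168.2.0/24 LAN subnet and the secrets file location are assumptions for illustration.

```ini
# /opt/etc/rsyncd.conf - constructed example, not from the original post.
# Paths, module name and LAN subnet are assumptions.
uid = nobody
gid = nogroup
use chroot = yes
max connections = 4
pid file = /var/run/rsyncd.pid
log file = /tmp/root/rsyncd.log

[backup]
    # Directory on the third (NAS data) partition; mount point assumed
    path = /mnt/nas/backup
    comment = Nightly backups of the LAN clients
    read only = no
    list = no
    # Only the internal LAN may reach this module; everything else (the WAN) is denied
    hosts allow = 192.168.2.0/24
    hosts deny = *
    # Require a module account; the secrets file holds "user:password" lines
    # and must be readable only by the daemon's user
    auth users = backup
    secrets file = /opt/etc/rsyncd.secrets
```

With `hosts allow` limited to the LAN and an `auth users` entry, a forwarded or accidentally exposed port 873 does not hand the backup share to the outside world, and the daemon's log file shows which host touched which module.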
Finally, I'm done for now. I've decided to keep my phones on a separate box, but this little wireless router plus an external hard disk, for a total cost of around $100, is replacing two mini-ITX systems, each of which would cost about $150-$200 to replace. Additionally, I'm getting the advantage of reducing the noise level in my apartment, reducing my electricity usage, and gaining some additional functionality.