What if you’re more than a prosumer? Open Source Firewalls at Home

 

In last week’s blog article, we discussed commercial and semi-proprietary options for a better firewall experience at home. Most commercial off-the-shelf (COTS) routers can be reflashed with open source firmware, giving them more features, USB or e-SATA ports to provide SAN capabilities, the ability to install packages, UI improvements, and more.

Not all of this hardware is created equal, or priced equally, but there are resources online to determine what’s in the mystery box sitting on the shelf. The most important things to know are the CPU performance, the amount of RAM, the amount of flash, and the radios.


We tested both DD-WRT and OpenWRT with a several-year-old Netgear WNDR3700v4 and a brand-new WRT 1900ACS by Belkin’s Linksys division.

The Netgear is several years old and features a 560 MHz processor and 128 MB of DDR RAM; the radios support dual-band 802.11n.


The WRT 1900ACS is a different story. It’s the biggest, baddest, and fastest consumer router out there, featuring a dual-core 1.6 GHz ARM CPU and 512 MB of DDR3 RAM. One thing that the team noted is that, unlike older COTS firewalls, the WRT 1900ACS is quite heavy, and includes a significant heat sink and a fan.

OpenWRT 15.05, named Chaos Calmer, is the latest version, and it could be flashed easily from the Linksys software by simply selecting the image and flashing it. Returning to the new UI, I was forced (good!) to configure an admin password, and found pretty much everything disabled by default (also good!). The WebUI looks very slick compared to DD-WRT, which relies heavily on an old Linksys UI from 2005. I’m not totally sold on having a package manager on a firewall; it doesn’t strike me as terribly secure, but the WebUI for iptables/ip6tables makes up for that for me. Also, it has most of a real command line and felt more like an OS than firmware. You can install Net-SNMP on OpenWRT, and it supports all the MIBs from SNMPv2-MIB. OpenWRT worked equally well on both routers.


On to DD-WRT. Getting an image that worked with the Linksys router was quite a bit more difficult than OpenWRT, and required several recovery efforts. The Netgear router worked immediately.

Once installed, DD-WRT presented a UI that will be very familiar to anyone who has ever used the stock Linksys WRT54G/GS UI. We were immediately prompted to enter an admin password when we first logged into the UI. We were unable to mount a USB3 share on the Linksys, resulting in a traceback. That said, everything worked flawlessly on the older Netgear router, and given that the WRT 1900ACS just came out, teething problems were to be expected. As for monitoring, DD-WRT has Net-SNMP built in. In the end, though, DD-WRT strongly favored the older router.

Both OpenWRT and DD-WRT performed very well throughout testing, and both have many features that stock firmware doesn’t (and likely never will) have. Our takeaway from this project was that it’s best to wait a few months after a new COTS router comes out for open source firmware support, but the wait is more than worth it.
