Domain: openwrt.org
Stories and comments across the archive that link to openwrt.org.
Comments · 314
-
Re: Is mine one of them?
Routers with vulnerable Broadcom UPnP stack are mostly based on Broadcom chipset. You can check how many manufacturers use Broadcom chipset here (search for Broadcom, brcm or bcm).
-
Re:(rolls eyes)
Looks like https://www.bufferbloat.net/pr... would help a lot on your DSL line. It can be used on any openwrt compatible router https://wiki.openwrt.org/doc/h... . Also, a lot of Asus routers compatible with asuswrt-merlin have it https://github.com/RMerl/asusw...
It will help with games a lot - you will see about 30ms increased latency (time to send one full size packet at 0.5Mbps) when uploading over idle, and up to 50ms of increased latency when downloading (most of the time only about 5ms increased but at peaks it will go higher since your router is not at the correct location for doing QoS in the downstream). My FTTH 200Mbps symmetric connection doesn't have good QoS on ISP's end, and without fq_codel/cake I see peak latency of about 100ms when downloading and 50ms when uploading. With it, I see almost no additional latency when uploading and about 1ms when downloading.
Uh, latency is something you want to *decrease*. 30ms *increased* latency like you cite there would be about twice as bad as what I have now. Little things like this make you sound like you don't really understand what you're talking about, especially when you say them multiple times (so, not a typo).
-
Re:(rolls eyes)
Looks like https://www.bufferbloat.net/pr... would help a lot on your DSL line. It can be used on any openwrt compatible router https://wiki.openwrt.org/doc/h... . Also, a lot of Asus routers compatible with asuswrt-merlin have it https://github.com/RMerl/asusw... It will help with games a lot - you will see about 30ms increased latency (time to send one full size packet at 0.5Mbps) when uploading over idle, and up to 50ms of increased latency when downloading (most of the time only about 5ms increased but at peaks it will go higher since your router is not at the correct location for doing QoS in the downstream). My FTTH 200Mbps symmetric connection doesn't have good QoS on ISP's end, and without fq_codel/cake I see peak latency of about 100ms when downloading and 50ms when uploading. With it, I see almost no additional latency when uploading and about 1ms when downloading.
-
Re:Ubiquiti EdgeRouter X
If you're willing to learn how to configure a firewall, it's an excellent value.
Bonus: If you don't like EdgeOS/Vyatta-style configuration, or you simply prefer open source, you can install OpenWRT on this device.
-
OpenWRT/LEDE
My main router was a Netgear running OpenWRT for years. They lagged behind in updates. Another group picked up where they left, and started the LEDE Project. Now the two projects have merged again.
They provide updates regularly now, and it is very customizable.
Highly recommended. Just pick a router that is explicitly supported.
-
Re:“The Public Good”
Actually, since we're on Slashdot and all, the instruction should be:
Install your own VPN server and use that on all public networks. It's not that hard.
- https://openvpn.net/index.php/...
- https://wiki.openwrt.org/doc/h...
- https://play.google.com/store/...
-
Re:SD card feature?
There are SD cards on the market which contain an embedded WiFi chip which creates a portable hotspot to connect to and download pictures directly off the SD card via a built in webserver. They seem like they must be running some sort of embedded *nix OS.
You don't say?
The person you replied to, who linked to exactly that, didn't have me convinced such a thing existed. But thankfully an anon came along to reply to that and confirm it! (Sorry, but I couldn't help myself there)
So it would seem like it should be possible to create an SD card with a similar embedded system which automatically encrypts files as they're written to the FS in a write-only fashion. Obviously this wouldn't allow previewing of images, which is sort of the point anyways.
Not "seem like", but that exists too.
There used to be an SD card under the brand and name "Transcend Wifi SD Card" containing a multi core ARM processor, flash, wifi hardware, and RAM - all running Linux, a wifi/tcp stack, hostap, Apache, and Samba.
You can easily gain root on these cards with physical access and from there reprogram it to your heart's content, or if you prefer even reflash the entire ARM system with OpenWRT.
This was documented back in 2013:
https://forum.openwrt.org/viewtopic.php?id=45820&p=1
One project I saw back then, but unfortunately can't find the github repo for now, was a daemon that ran on the SD card and watched for new files to be stored on the flash via the SD interface.
It would then use GPG to encrypt the file using an uploaded public-key and basically 'move' it into a subfolder. The idea was that you left the private-key at home on your computer, so the files saved to it can only be decrypted there.
That exact code with slight changes could be used for this purpose and a camera.
Since cameras tend to write their data fairly slow, you'd want to bump up the timing check for new files such that it only 'kicks in' after the file hasn't been modified for a couple seconds, to ensure the integrity of the data being encrypted.
So on one hand, using fully existing hardware one can have this feature today.
On the other, the fact it is someone else's existing hardware is the only reason this can't be sold by a 3rd party right now. (Which isn't necessarily impossible either, but does require securing permission and contracts from the companies that make the things)
There would be a higher cost associated in 'reinventing the wheel' and designing your own version of those SD cards, but obviously that is very much within the realm of possible seeing as it has been done before.
-
Re:Finally!
Most cheap routers don't have the memory or even really the flash space to handle anything complex. They can only handle simple routing jobs. But for those which do have the resources, you can often run openwrt on them, and use it for meshing.
-
Re:stupidest reason.ever.
Are you serious? Have you not heard of VLANs? I have a WRT1200AC setup and VLAN the network. I also use separate virtual APs that are on separate networks but use the same radio. You can alias/virtual networks inside of most Linux systems as they each have a different SSID to ident traffic. If you install OpenWRT it's fairly easy to do and then you can configure the firewall to prevent the two subnets from talking to each other. Here is a link to how to make a guest WLAN in OpenWRT. Below that is a link on how to configure the firewall. If you know how to use UCI there isn't much to learn. As a tip when using the -J drop/reject the direction is if you are inside the house already like a living room, and each subnet is a bedroom door attached. Think of it in that way and you will have the direction fine. Usually most errors with the rules are you got the directions mixed up. https://wiki.openwrt.org/doc/r... https://wiki.openwrt.org/doc/u...
-
Re:What about DD-WRT, Tomato and the others
Looks like OpenWRT will release a Chaos Calmer 15.05.1a (or 15.05.2) with fixes for dropbear, *ssl, dnsmasq, and hostapd binaries : https://forum.openwrt.org/view...
-
Re:What about DD-WRT, Tomato and the others
Sorry to break it to you, but the general consensus seems to be "Migrate to LEDE, OpenWRT is dead". Your APs better have enough RAM and storage.
336 Linksys WRT1200AC v1 (caiman), v2 (caiman) 17.01.3 https://wiki.openwrt.org/toh/l...
-
OpenWRT recommended routers
Grab them while you can. I picked up a TP-Link Archer C7 AC1750 v2.0 (european version) just days ago from ebay. Works with OpenWRT like a charm, does ~150mbits across two walls in 5GHz (faster if closer). This is one example where the latest firmware is locked but there's still hardware with older versions out there. They admit as much themselves:
The EU firmware was specialized for CE certification and can't be downgraded to other version, please click here for choosing your region and selecting the most suitable firmware version to upgrade.
-
The List is here:
This is the table of hardware compiled at openwrt. https://wiki.openwrt.org/toh/s...
-
Some routers aren't "locked" particularly well...
Some routers aren't "locked" particularly well, for example I have a WR841N v11 here which had supposedly FCC locked firmware, but it was relatively simple to install open firmware on it using the TFTP firmware recovery procedure
-
A testimonial
I've been using CeroWrt (https://www.bufferbloat.net/projects/cerowrt/wiki/ - the initial testbed for all of the bufferbloat work) for at least four years. For the majority of that time I had 1.5Mbps DSL service, but now I'm connected via a 12Mbps ADSL2+ link.
Prior to the installation of CeroWrt, it was painful for me to attempt to work remotely using an SSH tunnel if someone was watching a show via Netflix, but after setting up CeroWrt everyone was happy (me for not having to yell at my daughter and my daughter for being able to watch Netflix without me yelling).
With the 12Mbps link, it doesn't seem to be the ingress traffic that causes issues, but the egress traffic (at times, I upload large data sets). Without shaping the outbound traffic, I can see round-trip times in excess of 2 seconds which is just a bit excessive. ;-)
I recently installed LEDE (https://lede-project.org/) (an OpenWrt (https://openwrt.org/) fork) on a spare router (the same model as the CeroWrt router - WNDR3800) and it is obvious that the software continues to improve.
It appears that LEDE may be approaching its first stable release (https://forum.lede-project.org/t/criteria-for-first-lede-stable-release/552). If you have a spare router that is supported by LEDE, please consider installing a current build and report any issues found.
If you would like to learn more, here are a few random links to get you started:
- Explaining RRUL Charts (https://www.bufferbloat.net/projects/bloat/wiki/RRUL_Chart_Explanation/)
- The Cerowrt-devel Mailing List Archives (https://lists.bufferbloat.net/pipermail/cerowrt-devel/)
- The Lede-dev Mailing List Archives (http://lists.infradead.org/pipermail/lede-dev/)
- Does LEDE support my router? (https://lede-project.org/supported_devices)
- The Make Wi-Fi Fast Wiki (https://www.bufferbloat.net/projects/make-wifi-fast/wiki/)
- The Make-wifi-fast Mailing List Archives (https://lists.bufferbloat.net/pipermail/make-wifi-fast/)
- Possible OpenWrt and LEDE merge (https://www.google.com/search?q=OpenWrt+LEDE+merge)
- All of Dave's Patreon posts (https://www.patreon.com/dtaht/posts)
I feel that the work that Dave (and everyone else that is involved) is so important that I send a few coins his way every month via Patreon. Here's his most recent update: "Where your donations go" (https://www.patreon.com/posts/where-your-go-7564906).
Dave, a belated Merry Christmas to you and I'm looking forward to a New Year where all of the efforts to tame bufferbloat and make WiFi fast benefit everyone.
-
Re:"Full" linux distro
-
Re:Mesh networking?
Yes. OpenWRT uses OLSR
-
Re:Is it feasible to block Cortana with the router
Running OpenWRT you may want to look into using dnsmasq to do the DNS blocking. From what I have seen there are a number of hosts files that can be used to populate dnsmasq so it blocks the windows spying. And hopefully this doesn't summon APK but one can set up a cron job to automatically populate block lists with various host files sources in OpenWRT which is what I do and it stops a lot of the crap on all devices. If looking for some host files to incorporate check out the source section of this page.
That however won't stop traffic to hard-coded IPs so there you would have to create some outbound firewall rules for the WAN interface that block traffic to specific IPs but that shouldn't be all that difficult
-
Re:Great. Want 5,000 of them?
$70 is NOT a reasonable price for a WRT54GL! You can get a TP-Link TL-WDR3600 for less, also new, for example from Walmart. That is a simultaneous dual-band router, supported by OpenWRT, with two USB ports, 8MB flash and 64MB RAM, gigabit Ethernet and a CPU that can route about 300Mbps, compared to the ca. 30Mbps that the WRT54GL can handle between WAN and LAN.
-
Re:Alternate solution
Stop buying routers. Instead get a Raspi and USB wifi adapter capable of master mode.
The Pi has a single 100Mbit Ethernet hooked off the USB 2.0 bus. You're putting both the Ethernet and the wifi on the USB, which is going to get congested.
A typical home router has one or two gigabit Ethernet ports hooked directly to the SoC, with one of the interfaces connected to an internal manageable switch. It has one or two WiFi interfaces connected to a high-speed, low-latency bus. The WNDR3700 is a good example of the type of hardware people like to run OpenWRT on.
As far as I am aware, there is no cheap, hackable board that has the kind of connectivity you need for decent WiFi router.
-
Re:Yay!
Marvell for one, though I haven't seen them outside of OpenWRT devices they probably do exist.
-
Any OpenWRT or similar FOSS router OS can do this.
Rewrite the code in Lua (which is usually already installed) or install python if you have the room. https://wiki.openwrt.org/doc/s...
Not that I'd recommend participating in such pestering campaigns, mostly due to a lot of ISPs having some form of "no speed guarantee" clause in their contract.
(The article is really more about selling the Raspberry Pi than it is about ISP accountability, and it uses the most (actionable) emotional hook that people have about technology, access speeds.)
-
Re:NanoPi2 does more for less
NanoPi seems like overkill as well.
https://wiki.openwrt.org/toh/u... are $8, pull only 200ma, runs linux, comes with wifi, Ethernet and 6 GPIOs.
-
OpenWRT for $25
These guys sell a tiny "travel router" (or just the board if you like) that goes for $25 on Amazon. Crucially it has 2 ethernet ports (albeit only 100Mbits), along with Wifi. It ships with their modified version of OpenWRT but takes only a couple minutes to flash to the latest fully open-source version. From there, going further into homebrew is trivially easy. I find it a better starting point than a raw Linux distro, and the low power consumption just cannot be beat. If you want to go Linux and don't have a fat pipe, I recommend it.
-
Grammatical ambiguity [Re:Dropbear]
Could I gently point out that Dropbear is not, per se, a "trojaned ssh server". It is just a small opensource sshd implementation that is used for embedded applications, including things such as OpenWrt routers.
The sentence from the article was "Another recent addition to the group's arsenal is a backdoored version of a SSH server called Dropbear."
This is ambiguous. It could be read either as "(a backdoored version of a SSH server) (called Dropbear)" or "(a backdoored version of) (a SSH server called Dropbear)".
That is, it's not clear whether the SSH server is called Dropbear, and it has been backdoored, or whether it is the backdoored version that is called Dropbear.
-
Dropbear
-
Re: OpenWRT
OpenWRT uses OpenSSL 1.0.2e which is the latest version of the latest branch, so as long as you have updated you're fine. https://dev.openwrt.org/browse...
-
Re:Openwrt
What hardware do you have that isn't supported?
Dlink DIR-835
https://wiki.openwrt.org/toh/d...
As I wrote elsewhere in the thread:
My internet is currently 120/6; so 100mbps isn't sufficient. I also want my openwrt box to have plenty of ram, cpu, and space, so that I can play with openwrt without worrying too much about running into the limits of the hardware. I have a Dlink dir-835 right now.
I'm open to replacing it with something that will likely be supported by new versions of openwrt sooner than later.
I -like- having wifi AP all built into one box, but if separating them into two separate boxes would make openwrt easier then I'm game to consider it.
-
Openwrt
This is why the ability to install secure and Open Source firmware like OpenWrt is so important.
https://openwrt.org/
-
Re:The perfect storm
so wait, you are unhappy that we can setup our own OS on that thing? And to fix that, you are proposing to *restrict* the software you can run on it so that you can't modify it... that doesn't keep cisco routers from getting owned, or any other proprietary device from getting hacked, as far as i know.
there are literally millions of home routers that run a "limited set of well documented functions" that are regularly abused for DDOS attacks to a complete port scan of the entire internet. and there are hundreds of people trying to fix those machines in various ways, either by reverse-engineering the hardware and installing free software on it or by just fixing the proprietary crap that's shipped with those. at least this machine starts on the right foot: it ships with free software and allows you to run your own.
any machine comes with its own foot shooting device, whether it is its openness or the false feeling of security that it's a fine black box that will never fail and never need to be upgraded.
not understanding and not being able to fix a device isn't an advantage in security, i thought we agreed on that...
-
Re:OpenVPN support
-
Re:The unaccomplished always envy achievement, eh?
There is nothing on this device that slapping openwrt on any freescale/arm device with wifi and a couple gigabit interfaces can't solve, and it's *still* twice the price of most of these openwrt-compatible devices: https://wiki.openwrt.org/toh/s... What's that? They have "threat detection"? You can also just run snort on many of those devices. The point you missed is that this project is re-inventing the wheel. Check yo'self.
-
Re:Firmware is not software
What firmware are you talking about? The chips that provide WiFi are pretty well known and established. I'd like to know which ones you are referring to. Are they on this list? https://downloads.openwrt.org/...
-
Re:Buy APs, not Wireless Routers
...or buy one supported by https://openwrt.org/
-
The story is an ad, so here's some competition
Banana Pi Router Board BPI-R1 ($90/€70). And of course the OpenWRT project has given us easy access to many home routers at the firmware level, so you can run all open software on a home router with Wifi and VLAN capable switch that can be bought from $20 up. Their wiki has a list of supported devices.
-
Re:OpenWRT vs DD-WRT
I have been running OpenWRT on my Asus RT-N16 for a while now. First OpenWRT 14.07 (Barrier Breaker) and now OpenWRT 15.05 (Chaos Calmer) and it works like a charm. OpenWRT is the most stable alternative firmware I have ever used (compared to SveaSoft, DD-WRT, Tomato Toastman and Tomato Shibby).
You’re right that Broadcom is a pain in the ass and my next router will have an Atheros chip. But if you don’t mind using closed source drivers the Asus RT-N16 works like a charm with OpenWRT.
For anyone wanting to try OpenWRT 15.05 on an Asus RT-N16 I can recommend this post on the forum: https://forum.openwrt.org/view...
-
Re: For it to be really useful
The fine documentation. OK, I'm exaggerating a bit, but if you're looking for someone to hold your hand, you're going to have to pay someone. Depending on how you want to limit the usage, the keywords are "quota", "qos", "rate limit". Various packages (with varying levels of documentation) exist for different ways of authenticating and limiting clients.
-
Re:good news
Unfortunately you appear to be correct.
I don't get why manufacturers don't just put effort into getting OpenWRT, or DDWRT on their routers since it seems like it would be less effort than maintaining their own shit pile of code. For those few consumers who care it would make their lives easier while the vast number of general users wouldn't know the difference.
-
Re:systemd is a broken concept
Just look at openwrt. That is the future they envision:
"Of course, NetworkManager should be renamed to "unetwork", dbus to "ubus", PulseAudio to "usound", and X.Org-Server/Wayland-Compositor to "udisplay"; and then indescribable happiness would come down to all people of this world." – Lennart Poettering
-
Re: No router with out open wrt.
DD-WRT works, it just isn't very clean under the hood.
- The entire interface is a mess of PHP spaghetti code with intertwined HTML
- Old code with poorly implemented features bolted on
- outdated UI that is honestly a little confusing to navigate
- poorly documented, and outdated documentation
I will say the user community is huge and that is one major benefit.
OpenWrt is more like a Linux based router OS, but is well organized internally, incredibly stable, and very flexible. By default it typically does not have a UI. There are a few different ones to choose from.
The original Tomato is actually a partially closed system. I should have been clear that I meant Tomato based firmwares such as the Toastman mod, Tomato Shibby, etc. which are based on TomatoUSB, an early fork of Tomato before it went commercial.
-
Re:trust consumer grade routers? ha!
-
WTF?
This is what passes for hacking nowadays?
Take a TP-Link TL-MR3020 plug a 3g or a 4g and install openWRT. Now you've got a cellphone connected WiFi client/access point. Leet h@x.
Seriously, this is juvenile.
-
Security device not secure ..
Did no one test this security device for security before shipping it? Does this episode demonstrate the perils of outsourcing your development to some newly qualified intern in the far east?
What is OpenWrt?
-
I've developed a workaround for many models.
This is a preliminary workaround so I'm sure many of you will find bugs, but here's what I'm using:
1. unbox the router from your ISP. Many will come with an extra CAT 5 cord. Set this aside.
2. position the router (and wireless antennas should it come with wireless) directly above your garbage can
3. releasing the device will cause it to fall at 9.81m/s^2 directly into the bin (NOTE: this DOES NOT WORK or may respond slowly in areas without earth mode gravity...double check first.)
4. Wind the cat 5 cord in a pretty loop and hang it up with the rest of them.
5. continue instructions at: https://openwrt.org./
-
OpenWRT with mwan3
OpenWRT package mwan3 has similar functionality without the complication of multipath.
-
Re:Come on already
-
Re:Come on already
This is what the OpenWRT Table of Hardware is for. One nice feature of the list is de-facto announced end-of-life, so you'll know when to retire your old gear. DD-WRT doesn't do this with their hardware compatibility list so you're left thinking they'll push out an update for your unit, except they don't.
OpenWRT lists support for an interesting and cheap TP-Link router on their front page (the TP-Link TL-MR3420). What makes this 40 euro router so interesting is its support for both an ethernet WAN port, along with another GSM WAN port which affords the user internet provider redundancy. It's been on my to-do list for a while to pick one up.
European Pre-Pay GSM can be super-affordable too. Here's an Austrian ISP that will sell you 9Gb of 4G data for 9.90 euro. In The Netherlands Bliep will sell you 3G data for .50 cents a day, and 4G data for 1 euro a day.
Does anyone have any experience with such a router? I don't even try to discuss such configurations with the installation folks from the wired ISPs. The last guy was here simply amazed I had one with OpenWRT; and that I wasn't interested in the ISP's modem for anything except being a basic firewall and cable link to the OpenWRT unit.