Securing a research VLAN on a retail router with DD-WRT

I’m building a lean operation here, and I don’t really need a high-end firewall with its associated licensing costs. So, I’ve decided to try firmware-modding a retail router. I’m hoping it will be an inexpensive way to increase security and get a few more features than a typical WiFi router offers.

After a bit of reading, I settled on the Netgear Nighthawk R7000, partly because it was in stock at Walmart. Right on the box, it promotes a firmware-modding website run by Netgear. It is compatible with DD-WRT, which has some nice features.

The installation instructions here worked perfectly, and I was able to load Kong’s DD-WRT build. This site also has clear instructions on how to revert to the stock firmware.

Warning: Back up your configuration often. Once, I broke things and couldn’t reach the router anymore. I had to press “reset” on the router and then load my last good configuration. Also, when making changes, save often but “apply changes” only when everything is in a consistent state. Oh, and you may have to reboot the router to actually get some changes working.

Research VLAN

I set up three tiers of access:

  1. Research VLAN – Machines on this subnet can talk to each other, and they can also talk to the “family” VLAN, which allows them to reach the Drobo5N backup device and the printer. They have a toggle switch which keeps them all generally blocked from reaching the internet. My laptop has access to this VLAN, but my laptop is always able to reach the internet.
  2. Family VLAN – These devices can talk to each other but not to the research boxes.
  3. Guest WiFi – These devices cannot talk to each other or to anything on another subnet. I have also blocked them from being able to reach the router administration web interface.

My first step was to move the physical ethernet port 1 on the router out of vlan1 and into vlan3. All my research boxes are connected to a dumb switch that plugs into port 1 on the router. This FlashRouters guide was helpful to me.

Virtual wireless interfaces

DD-WRT has the ability to set up virtual wireless interfaces on the same band. So, I followed the FlashRouters guide to set up a guest WiFi network on interface wl0.1. Note the following option meanings:

  • AP Isolation – Guests cannot hack each other on the guest VAP
  • Net isolation – Guests cannot hack your private LAN+WLAN

This is based on wl0, which is the family 2.4 GHz interface. In the same way, I created wl0.2, which is the research wireless network at 2.4 GHz (which seems to reach further in my house). And I created wl1.1, which is the research wireless network at 5 GHz, based on the family 5 GHz network: wl1. Of course, I also set passwords in the wireless security tab.

I did not bridge these into br0, so br0 still looks like this:

I put each of them on separate subnets:

  • br0 – 192.168.0.1 (I changed the default router settings to use this instead of 192.168.1.1)
  • wl0.1 – 192.168.2.1
  • wl0.2 – 192.168.3.1
  • wl1.1 – 192.168.4.1

DHCP

In the Setup >> Networking tab, I also made sure vlan3 was not bridged, and I gave it IP address 192.168.1.1.

Now, because I’m using all these subnets, I needed to add more DHCP servers. To do that, I first needed to enable Dnsmasq under the Services >> Services tab. Then, here are the extra DHCP servers I added:

Access rules

Finally, I updated the firewall rules. I pasted the following rules into the “Commands” box in the Administration >> Commands tab, then clicked “Save Firewall.” I did not include the comment lines. Thanks to this wiki for the guidance:

# restrict br0 from accessing vlan3 research boxes
iptables -I FORWARD -i br0 -o vlan3 -m state --state NEW -j DROP
# restrict br0 from accessing wl0.2 research 2.4 GHz WiFi
iptables -I FORWARD -i br0 -o wl0.2 -m state --state NEW -j DROP
# restrict br0 from accessing wl1.1 research 5 GHz WiFi
iptables -I FORWARD -i br0 -o wl1.1 -m state --state NEW -j DROP
# restrict wl0.1 from accessing vlan3
iptables -I FORWARD -i wl0.1 -o vlan3 -m state --state NEW -j DROP
# restrict wl0.1 from accessing br0
iptables -I FORWARD -i wl0.1 -o br0 -m state --state NEW -j DROP
# restrict vlan3 from accessing the WAN port (no internet access!)
iptables -I FORWARD -i vlan3 -o `get_wanface` -j DROP
# deny guests access to the router web interface
iptables -I INPUT -i wl0.1 -m state --state NEW -j DROP
# permit guest clients to receive DHCP and DNS information; otherwise they would not get an internet connection because of the web interface rule
iptables -I INPUT -i wl0.1 -p udp -m multiport --dports 53,67 -j ACCEPT
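As an added check that is not part of the original post: a small Python evaluator that replays the rules above against the three-tier policy and reports what the FORWARD and INPUT chains actually do with a new connection. It assumes `get_wanface` resolves to vlan2 and that DD-WRT forwards between unbridged interfaces unless a rule says otherwise, which is what the design above relies on.

```python
"""Offline check of the post's DD-WRT iptables rules against the intended zone policy."""
import shlex

# Assumption: the WAN interface that `get_wanface` returns on this router is vlan2.
WAN = "vlan2"

# The rules exactly as pasted into the DD-WRT "Commands" box.
RULES = """
iptables -I FORWARD -i br0 -o vlan3 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o wl0.2 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o wl1.1 -m state --state NEW -j DROP
iptables -I FORWARD -i wl0.1 -o vlan3 -m state --state NEW -j DROP
iptables -I FORWARD -i wl0.1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i vlan3 -o `get_wanface` -j DROP
iptables -I INPUT -i wl0.1 -m state --state NEW -j DROP
iptables -I INPUT -i wl0.1 -p udp -m multiport --dports 53,67 -j ACCEPT
""".replace("`get_wanface`", WAN)


def load_chains(script):
    """Parse the iptables lines into chains, honouring -I (insert at top) ordering."""
    chains = {"FORWARD": [], "INPUT": []}
    for line in script.strip().splitlines():
        argv = shlex.split(line)[1:]            # drop the leading "iptables"
        opts, i = {}, 0
        while i < len(argv):
            if argv[i] == "-m":                 # "-m state" / "-m multiport": name only, skip it
                i += 2
                continue
            opts[argv[i]] = argv[i + 1]         # every other option carries one value
            i += 2
        chain = opts.pop("-I")
        chains[chain].insert(0, opts)           # -I prepends, so later lines are checked first
    return chains


def verdict(chains, chain, in_if, out_if=None, proto="tcp", dport=80, new=True):
    """Walk one chain for a connection; ACCEPT by default, as the post's design assumes."""
    for r in chains[chain]:
        if "-i" in r and r["-i"] != in_if:
            continue
        if "-o" in r and r["-o"] != out_if:
            continue
        if "-p" in r and r["-p"] != proto:
            continue
        if "--dports" in r and str(dport) not in r["--dports"].split(","):
            continue
        if r.get("--state") == "NEW" and not new:
            continue
        return r["-j"]                          # first matching rule decides, like iptables
    return "ACCEPT"
```

One thing this surfaces: the iptables rules alone do not stop guest clients on wl0.1 from reaching the research WiFi interfaces wl0.2 and wl1.1, so the guest VAP's Net isolation setting has to cover that, and an explicit DROP rule for those pairs would make the policy match the rules; the DNS ACCEPT also covers UDP only, so a guest resolver falling back to TCP 53 is dropped.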

Conclusion

This firmware is great! I’ll end this post now, but I’ve discovered many more cool things I can do with this router. Sure, they could all be done with a regular Linux server, but there’s something satisfying about controlling everything from this one small appliance and saving all my servers for generic computing.