OpenWrt is good as a perimeter router, to protect against bugs

Just found on CVE Details that OpenWrt only gets a handful of bugs each year and they usually get patched.
Last week I was still using a TP-Link C2, which has had a large hole since before WannaCry (2017), and
still no update after WannaCry! Even for another D-Link 842, there are updates but
they don't seem to address the large hole. (Both are code execution holes!)

So my opinion is OpenWrt is good as an outer router.

But I will still use an inner router, because that old buggy TP-Link C2 has MUCH
better parental control. You can go and see the emulator on TP-Link's website.
It lets you choose the device (by MAC/IP), the target site (by URL/IP), the schedule time PLAN,
and then choose the combination. OpenWrt only lets you choose the device (MAC/IP), the target (by IP, no URL) and an exact time slot, and you need to enter it all again for each entry. OpenWrt can block URLs with adblock, but NO timing can be chosen.

Many people are against "double NAT", but so far I am OK with it. And
indeed I hope it provides further security to my PC.

thanks

As I have told many users here on the forum, the router is only part of the security.

You can have a PC connected to a switch directly to the internet and not have issues if you harden the security on the PC, which is more important. There have been users here on the forum running VPN + Tor and other things, and at the same time running Windows 7 or some other unsupported system.

Clicking on links from email, downloading files and not scanning for viruses can be worse for your security than the router firmware version.

You are mentioning WannaCry as well; that was a rootkit attack: the people affected downloaded an email attachment or clicked on a link to download the rootkit. It was not an issue with their router. The spreading part of WannaCry targeted the SMB protocol, but if your PC was transmitting SMB out to the internet, you have bigger problems on your hands. Internal network spread was also not avoidable if you had an unpatched system, since routers don't block ports inside the firewall, only from the internal to the external network.

I thought the GL.iNet firmware had Samba in it for file sharing from the USB port?
Not quite the same as sending SMB to the internet, same attack vector though. Someone downloads something malicious and then vulnerabilities in SMB on the GL router become exploitable.

Simon

No, that is not how it works. The rootkit uses the PC's SMB (Windows shares, which are always running even if you don't share anything) to spread in the network. WannaCry was a Windows SMB implementation issue.

When you share using the router's USB port, it's still behind the firewall as well, not open to the internet.

For Linux there was SambaCry, but again, it affected the end user PC. If it infected the router, it would just encrypt the router's data and render it unusable, before it could even be used to spread. People don't save important data on their routers. As before, end user PC-to-PC spread could not be avoided on the router, unless all end user PCs were isolated from each other with subnets.

From personal testing of SambaCry-based malware (just for fun, you know, on a rainy day), I noticed that it would try to spread to other PCs (i.e. 192.168.0.x), and not to the gateway itself (192.168.0.1), probably because of the reason I wrote about before: if you take down the router, then you have a harder time infecting the network.


NAT does not help in security, that's a myth my friend. You just need a good firewall for security concerns.

I need the 2nd router, esp. a TP-Link, for blocking internet addiction sites, e.g. YouTube.

OpenWrt's firewall/block is really unusable compared to TP-Link's; even the C2 ver1
is 5 years old and just USD 30. One can go to TP-Link's site and check out the C2's internet access control vs OpenWrt; it's like MS Word vs Notepad.

I tried last time that when OpenWrt is the outer router,
if I disable NAT+DHCP in the inner TP-Link, the blocking by the TP-Link is not working.

I am not sure if I set it wrong, but currently if I enable the inner router's (TP-Link's) NAT,
the URL blocking is working.

So at the moment I will live with double NAT, until I have time to verify whether
I must have double NAT for the inner router (TP-Link) to be able to block URLs.

If someone can introduce a function on OpenWrt to block URLs, as good as TP-Link's,
I would much appreciate it.

And as said in #1, that TP-Link had a code execution bug before and after WannaCry,
so it can't be trusted on security.

thx

When you get your Brume you can test the firmware that includes AdGuard. It lets you block ads and any services, such as Facebook, that you might want to block.

Let's try,

but the GUIs of those "consumer routers" like TP-Link's are much more user friendly;

they let you set the device, the target site (by URL/IP) and the time plan, and let you make different combinations of them.

OpenWrt is mostly by IP, and the timeslot needs to be typed again for each entry.

GL has been working on parental controls; it will be via the mobile app. No idea what the progress of it is. Let's call in the big guns.

@alzhao

Hi~

Big gun, please have a look at the parental control in TP-Link's Archer C2 firmware on TP-Link's emulator site, please.

It's VERY user friendly. It's like MS Word when compared to OpenWrt, which is Notepad.

thank you.

For consumer router "parental" control, blocking, quotas and monitoring, as far as I'm aware Gargoyle Router is the best option out there.

Based on DD-WRT, it allows you granular control for IP addresses, IP ranges, download quotas and time restrictions, and you can do a whole lot of different filtering/blocking.

It takes a little bit of time to work out the logic and to set up, but it's a great tool if you need to restrict or monitor those kids or flatmates 🙂

Sadly it only runs on the AR150, MT300N, MT300N-V2 and AR750.

Thanks for the intro,
I saw in your photo that one can block by website URL(s).

This is lacking in OpenWrt's "firewall".

When I google, for OpenWrt everyone says "it's possible by editing a BUNCH of files".

i say F_ _ _ Off.

PS: still, the TP-Link C2's ROM lets you choose A. device MAC/IP, B. website IP/URL, C. time schedule, among other things like protocol etc., and add new rules by clicking a combination of the above.
That's the best GUI I think.
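The two complaints above (the first post's "need to enter it all again for each entry" and this post's device/target/schedule combination model) can both be addressed on plain OpenWrt by generating the firewall rules instead of typing them in LuCI. The script below is an added example, not code from the thread or from GL.iNet: it writes one `config rule` stanza per device/target pair for `/etc/config/firewall`, using the real fw3/fw4 options `src_mac`, `dest_ip`, `weekdays`, `start_time` and `stop_time`, so the schedule is defined once and applied to every combination. The MAC addresses, destination IPs and the schedule are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread): generate scheduled OpenWrt firewall
# rules that block a set of LAN devices (by MAC) from a set of destination
# IPs. The schedule is written once and stamped onto every generated rule.
# All MACs, IPs and times below are constructed sample values.

# One schedule, written once. fw3/fw4 honour weekdays/start_time/stop_time
# on a "config rule" section; times are router-local unless utc_time is set.
SCHED_DAYS="Mon Tue Wed Thu Fri"
SCHED_START="21:00:00"
SCHED_STOP="23:59:59"

# Devices as "name=mac" and targets as "name=ip" (constructed samples).
# dest_ip also accepts CIDR ranges if a site spans a block of addresses.
DEVICES="kidpc=00:11:22:33:44:55 tablet=66:77:88:99:aa:bb"
TARGETS="video=203.0.113.10 game=198.51.100.20"

# Emit one UCI "config rule" stanza suitable for /etc/config/firewall.
# src 'lan' / dest 'wan' puts the rule in the forwarding path, so it only
# affects traffic leaving via WAN; LAN-to-LAN traffic is never filtered here,
# which is the point made earlier in the thread about internal spread.
emit_rule() {
    # $1 rule name, $2 source MAC, $3 destination IP
    printf "config rule\n"
    printf "\toption name '%s'\n" "$1"
    printf "\toption src 'lan'\n"
    printf "\toption dest 'wan'\n"
    printf "\toption src_mac '%s'\n" "$2"
    printf "\toption dest_ip '%s'\n" "$3"
    printf "\toption proto 'all'\n"
    printf "\toption target 'REJECT'\n"
    printf "\toption weekdays '%s'\n" "$SCHED_DAYS"
    printf "\toption start_time '%s'\n" "$SCHED_START"
    printf "\toption stop_time '%s'\n" "$SCHED_STOP"
    printf "\toption enabled '1'\n\n"
}

# Cross every device with every target; the shared schedule applies to all.
generate_rules() {
    for dev in $DEVICES; do
        dev_name=${dev%%=*}; dev_mac=${dev#*=}
        for tgt in $TARGETS; do
            tgt_name=${tgt%%=*}; tgt_ip=${tgt#*=}
            emit_rule "block_${dev_name}_${tgt_name}" "$dev_mac" "$tgt_ip"
        done
    done
}

# Number of rules produced; useful as a sanity check before applying.
count_rules() {
    generate_rules | grep -c '^config rule'
}

# Print the stanzas. On the router: generate_rules >> /etc/config/firewall
# followed by /etc/init.d/firewall reload.
generate_rules
```

Two caveats a practitioner would add: MAC-based matching only identifies a device as long as its owner does not change the MAC, so a static DHCP lease plus `src_ip` is a useful second key; and `dest_ip` blocks addresses, not names, so a site served from many or changing IPs still needs DNS-level blocking (the adblock/AdGuard approach mentioned in the thread) alongside these rules.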

One thing you have to remember is that in reality you're looking at two different markets when comparing the TP-Link (with OEM firmware) with ANY OpenWrt router. The TP-Links are marketed towards the consumer market, so the interface is "simplified" so "mum and dad" could use it. OpenWrt is aimed more at an "enthusiast" market: users who are more than willing to dig in and use the CLI to get things set up and running. Just compare the number of options in LuCI to the TP-Link interface. The GL.iNet interface just makes lots of the standard operations much easier to use, but you also have the ability to use LuCI or the CLI to further configure the router as required.

Honestly,

my Brume-W only arrived today and I am indeed thinking I should buy an x86 SBC and install x86 OpenWrt,
because, say, Seeed's ODYSSEY with a Celeron J4105, 8GB RAM etc. is far more powerful and can do
much more.

But today when I set up the Brume-W, I was glad I got GL.iNet's UI and the app.

Honestly, if I were asked to install a new "pure OpenWrt", I may not be able to set it up.

OpenWrt is really too low level, and GL.iNet makes a good transition.
That's where the money goes; otherwise I'll simply buy an x86 SBC and install x86 OpenWrt.

Fantastic, you seem happy with the purchase 🙂

My intro to GL.iNet routers kinda came about the same way as yours. I had a TP-Link WR802N that hadn't had a firmware update for ages and hadn't had the KRACK vulnerability fixed. There was no "official" OpenWrt release for it, but there was a snapshot. As such I had to set up a TFTP server to get the snapshot OpenWrt firmware loaded. Once this was loaded, a snapshot doesn't include the LuCI interface as standard. So to load LuCI I had to connect to the internet, however I couldn't connect via the way I normally would... via LuCI. Circles within circles 🙂 As such I had to investigate and work out the correct files to edit, and how to edit them, to actually load LuCI. Learnt quite a bit that day.

The GL.iNet interface makes all the common functions REALLY easy to use and, as mentioned in the previous post, other things can be done either via LuCI or via the CLI. I'm now "semi" comfortable using both LuCI and the CLI.

That being said, I still can't get a USB drive to be shared on native OpenWrt, but it's easily done on all the GL.iNet devices.

The other good thing about the products is that if you do get stuck, people on this forum are more than happy to lead you through... even if it's a CLI command 🤣

Hope you enjoy the Brume-W 🙂

Oh no.

My D-Link 842, on which I wanted to install OpenWrt, only has a snapshot.

That 842 also has a bug and it seems not fixed; it has a hardwired user built in.

Now my solution is to turn off the 842's WiFi and attach the Mango as an AP...
but that seems to limit it to 100Mbps, as the link between the 842 and the Mango will be the Mango's 100Mbps.

AdGuard is not enough.
Tested.

Please tell them to learn from TP-Link.

Now it makes sense to me why TP-Link could start from nothing in the year 2000 (my 2nd router)
and become the world's no. 1.

And... mostly, China manufacturers don't spend much time on software...

Though GL.iNet is somehow China + Hong Kong?

Yeah, GL.iNet is Hong Kong based. CEO and marketing in HK, development and factory in Shenzhen, China.

And yeah, that is the issue. If you get something like a TP-Link, it will have a 10 year old kernel and no bug fixes even in the latest firmwares. They did all the development one time, then just made it work for their other routers. It's the same for Asus; they are on old kernels. You also will only get updates for the first year or so, not more after that.