Old Router, DD-WRT, and new Interfaces

aliaskary77

I have a Netgear WNDR3700 v1 which works great, but is getting long in the tooth, about 7 or 8 years old. I don't mind the interface and there are many options. Rebooted maybe twice a year when power went out, otherwise no issues.

I got a new Dlink 1930, and the simplified interface didn't let me do a pre-filled wireless access list by MAC address. I could only block them once they connected. Granted they would need a password first; still didn't like it and it went back.

With all the stuff going on with consumer router hacking etc, I should get a new router with newer firmware. My latest firmware from Netgear on the WNDR3700 is 4 years old.

1. DD-WRT is available for this router, but would it be with all the latest updates and be better than the 4 yr old Netgear firmware?

2. If I should replace the router instead, any good recommendations in the 100 to 160 range? Can't really see spending 250+ on routers. I do like more control on the settings and I don't like the direction Dlink has taken. Not sure if they use the same simpler interface on higher end routers too.
 
I don't know about the D-Link, but OpenWrt/LEDE is an option for the Netgear WNDR3700. I've had it on mine (now acting as a wireless ethernet bridge) for years. The WNDR3700 is still a solid unit, if a bit old (e.g., not supporting 802.11ac).

MAC filtering is false security. Valid MACs are easily sniffed and trivially spoofed on most devices. Don't use MAC filtering options as any sort of criteria in choosing a router/firmware.

Most of the instances of router viruses/hacking you read about are carried out by a) hijacking an admin session with the router, b) otherwise compromising a legit LAN node, or c) probing the WAN interface for weaknesses (e.g., admin interface access, open telnet/SSH, manufacturer backdoor).
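
The post above lists probing the WAN interface (admin page, telnet/SSH, vendor backdoors) as one of the main ways consumer routers get compromised. The script below is an added example, not code from the thread or from any of the products discussed: it triages an nmap "grepable" scan of a router's public address and separates exposed management ports from other listeners (such as a port a LAN application opened through UPnP). The scan output it parses is a constructed sample, and the port list, the address 203.0.113.5 and the service names are assumptions, so it runs offline; point it at a real `-oG` file taken from outside your LAN to check your own router.

```shell
#!/bin/sh
# Added example (not from the thread): triage an nmap "grepable" scan of your
# router's WAN address for exposed management services.
# Run the real scan from OUTSIDE your LAN (a VPS, or a phone hotspot), e.g.:
#   nmap -Pn -p 22,23,80,443,8080,8443,7547,32400 -oG wan.gnmap <your public IP>
# Everything below works on a constructed sample so it runs offline.

# Ports that should never answer on the WAN side of a home router.
# 7547 is TR-069 (ISP remote management); 161 is SNMP (UDP, needs nmap -sU).
MGMT_PORTS="22 23 80 443 8080 8443 7547 161"

# Print "port/proto service" for every port nmap reported as open.
open_ports() {
    grep 'Ports:' "$1" \
      | sed 's/.*Ports: //; s/[[:space:]]*Ignored State.*//' \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//' \
      | awk -F/ '$2 == "open" { print $1 "/" $3 " " ($5 == "" ? "unknown" : $5) }'
}

# Classify each open port: MGMT = admin surface reachable from the internet,
# OPEN = some other listener (e.g. a UPnP mapping a LAN app asked for).
flag_exposure() {
    open_ports "$1" | while read -r pp svc; do
        port=${pp%/*}
        tag=OPEN
        for m in $MGMT_PORTS; do
            [ "$m" = "$port" ] && tag=MGMT
        done
        echo "$tag $pp $svc"
    done
}

# Constructed sample in nmap -oG format (not a real scan result).
SAMPLE=$(mktemp)
{
  printf '# Nmap 7.80 scan initiated as: nmap -Pn -p 22,23,80,443,8080,32400 -oG - 203.0.113.5\n'
  printf 'Host: 203.0.113.5 ()\tStatus: Up\n'
  printf 'Host: 203.0.113.5 ()\tPorts: 22/open/tcp//ssh///, 23/filtered/tcp//telnet///, 80/open/tcp//http///, 443/closed/tcp//https///, 8080/filtered/tcp//http-proxy///, 32400/open/tcp//unknown///\tIgnored State: filtered (0)\n'
  printf '# Nmap done -- 1 IP address (1 host up)\n'
} > "$SAMPLE"

flag_exposure "$SAMPLE"
# MGMT 22/tcp ssh
# MGMT 80/tcp http
# OPEN 32400/tcp unknown
```

Any MGMT line means the router's admin surface is reachable from the internet regardless of what the "remote management" checkbox says; an OPEN line on a port like 32400 is what a UPnP mapping for a media server looks like from outside, which is worth knowing before deciding whether UPnP should stay on.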
 
If the 4 yr old Netgear firmware is solid, and I don't have remote admin turned on, is there anything to worry about? I don't keep any ports open, though UPnP is probably used for Plex streaming.
 
pfSense and converting your router to an AP should solve all the problems with SOHO security.


AAAAAA-HAHAHAHA... No.

Because there's no way that any of the components that make up pfSense (OS, web server and framework, various services, plugins, etc.) would ever be susceptible to a bug that could be exploited. And certainly no one could ever misconfigure it in such a way that would leave it vulnerable.

pfSense is a fine distribution, but it's not some security panacea. It also won't resolve the issue of potentially outdated firmware on the Netgear.
 
I am in the same mindset as thebufenator, except I think you should go with Ubiquiti Unifi. It will be 100% better than any consumer grade firewall/router/wifi that you can buy. And if you have an old computer to run the controller software on, you can get a gateway and an AP-Lite for 200 dollars. Ubiquiti pushes firmware updates about once a month and it is super easy to update from the controller.

I switched from an old consumer router running DD-WRT to a Ubiquiti setup and I will never go back to consumer grade hardware ever again. The performance, features and reliability are miles ahead of any consumer networking gear you can buy.
 

Okay hoss. OP makes note of all the recent consumer router hacking. I am curious... how many pfSense versions have been listed as compromised by various SOHO botnets?

Russia's VPNFilter botnet is the latest one in the news. Was pfSense listed?

pfSense + Snort will do a pretty good job not just at not getting hacked, but at performing IPS functions for the computers on your network.
 
Buy/build yourself a prosumer or enterprise grade edge firewall and convert your current router to a simple AP. That way if a new wireless standard comes out that you want to migrate to you don't have to change your edge security. Plus if you need to add a 2nd AP, you can just add it to the WiFi network segment.
 


Sure, pfSense wasn't listed as being a part of the VPNFilter exploit. But so what? A lot of other devices also weren't.

The fact is that pfSense is potentially just as vulnerable as any consumer router. The basic idea of it (*nix-like kernel with various services running on top) is the same. The only real security benefit it has is that it's constantly updated and devices aren't abandoned like consumer devices often are.

Like I said, pfSense is fine. The problem I have is you tried to sell it as some end-all be-all for security, which is nowhere near the case. And again, it does nothing to address the Netgear, which in your scenario is still on the LAN.

Wanna have some fun? Go read the list of pfSense-specific security vulnerabilities. Those are the same types of vulnerabilities that made VPNFilter and the like possible. And that list doesn't even touch on defects in the services that make up pfSense (e.g., big ones such as Heartbleed). (Oh, and for an extra laugh, one of the listings mentions Snort.)
 
Will need to do some learning and look up product types. Any specific recommendations?

I would give the Ubiquiti EdgeRouter line a look. The Lite version has 3 gig ports: 1 for WAN, 1 for LAN, 1 for WiFi. Some versions have PoE. Supposed to be compatible with their management software if you add a Ubiquiti AP at some point.
 
This Lite3 looks interesting. So the cable modem/router in bridge/dumb mode will connect to the Lite3, then I hook up a U-AP to it for WiFi functionality... and do I use the existing Netgear router, also in bridge mode, to act as a switch? I need 4 to 5 gig ports.
Or do I have the hookup wrong?

Edit: can I hook up the bridged Netgear for the ports and as an AP for the EdgeRouter to manage?
 

pfSense is just a phat software bundle with more to hack, period. On a firewall, LESS is MORE. Don't get mesmerized by all the bells and whistles of pfSense. DD-WRT is solid.
 

I will be travelling in a month to the States (from Canada), so will get any new routers or AP then. I may try DD-WRT again first. Last time I did it I bricked something; thankfully I was able to go back to the Netgear firmware.
 
Depending on the router model, there may be a "pre-flash" package. DD-WRT research and due diligence is key, but worth it.
 
and do I use the existing Netgear router also in bridge mode to act as a switch? I need 4 to 5 gig ports

The Lite3 gives you 3 router ports. They are not switchports. (IIRC, they can switch packets but they have severely degraded perf.)

I run a Lite3 and a Ubiquiti AP AC Lite. They have been working great for me.
 
Ok, maybe I am using the term wrong (switch vs. router).

I have 2 PCs connected via Gb LAN
I have a VOIP box connected via LAN
The rest are all WiFi (laptops, phones, tablets, TV, about 6 to 8 devices)

Only thing I need getting out is Plex streaming, which I think UPnP manages on the Netgear.
I am looking through the user guide, trying to understand what I need or can reuse, and will come up with my shopping list after research.
 
Just get Google WiFi. You won't have to worry about getting hacked by China, Russia or NK. However, nobody can guarantee that some data may or may not be skimmed for ad purposes, though. It IS Google, so...
 

I would use the AP purely as a WiFi AP and buy a simple 5-8 port gig switch for your extra wired ports. That allows the switch to be best located for wired service and the AP placed for best WiFi service. It would be a rare setup where both matched. And it would let you shop in the future for a pure WiFi AP.

I would let the Edge gizmo manage things like DHCP and security rules for the AP.
 
I would use the AP purely as a WiFi AP and buy a simple 5-8 port gig switch for your extra wired ports.

Shouldn't even need to do this initially if an EdgeRouter Lite 3 is used as the router/firewall, as the Netgear AP should have enough switchports.

I would also recommend looking at the Unifi Security Gateway instead- it's basically an EdgeRouter Lite running Unifi instead of EdgeOS, which means that it will integrate with a Unifi AP if one is added later, for simplicity's sake.

And for the moment, aliaskary77, get DD-WRT on your Netgear. You can get it set up now and it may be all that you need; if it isn't, you can use that firmware to set the Netgear as a pure AP (no firewalling, NATing, or DHCP) for another router.
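
The post above suggests running the Netgear as a pure AP (no firewalling, NAT or DHCP) behind a separate router once DD-WRT is on it. The script below is an added example, not code from the thread, from DD-WRT or from OpenWrt's own tooling; it shows that conversion for an OpenWrt/LEDE build (mentioned earlier in the thread as an alternative for the WNDR3700) using its `uci` configuration tool. The addresses 192.168.1.2 (AP) and 192.168.1.1 (edge router) are assumptions. It prints the commands by default and only applies them on the box when `APPLY=1` is set; DD-WRT exposes the same switches in its GUI but with different commands, so do not run this on a DD-WRT unit.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenWrt's own script): convert an
# OpenWrt/LEDE router such as the WNDR3700 into a pure access point behind a
# separate edge router. Wi-Fi and the LAN switchports stay bridged; DHCP, DNS,
# NAT and firewalling move to the edge router; the AP keeps a static address
# on the LAN for management. The addresses below are assumptions; change them.

# Emit the UCI commands for a dumb AP. $1 = AP address, $2 = edge router address.
dumb_ap_commands() {
    cat <<EOF
uci set network.lan.proto='static'
uci set network.lan.ipaddr='$1'
uci set network.lan.netmask='255.255.255.0'
uci set network.lan.gateway='$2'
uci set network.lan.dns='$2'
uci set dhcp.lan.ignore='1'
uci commit network
uci commit dhcp
/etc/init.d/dnsmasq disable
/etc/init.d/odhcpd disable
/etc/init.d/firewall disable
EOF
}

# Sanity check: with a /24 netmask the AP and the edge router must share the
# first three octets, or you lock yourself out of the AP after the reboot.
same_subnet24() {
    [ "${1%.*}" = "${2%.*}" ]
}

# Print the commands, or run them on the box when APPLY=1 is set.
configure_dumb_ap() {
    ap_ip=$1; gw=$2
    if ! same_subnet24 "$ap_ip" "$gw"; then
        echo "refusing: $ap_ip and $gw are not in the same /24" >&2
        return 1
    fi
    if [ "${APPLY:-0}" = 1 ]; then
        dumb_ap_commands "$ap_ip" "$gw" | sh -e && echo "reboot the AP to apply"
    else
        dumb_ap_commands "$ap_ip" "$gw"
    fi
}

configure_dumb_ap 192.168.1.2 192.168.1.1
```

Once the AP reboots, plug the edge router into one of the AP's LAN ports (not the WAN port), so the remaining LAN ports keep working as plain switchports for the wired PCs and the VoIP box, and all DHCP leases and port forwards (UPnP included) are then the edge router's job.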
 
Nice thread. My AC66U recently got its last firmware from Merlin. Time to either get a new version or play with pfSense or the Ubiquiti that's getting so much chatter.
 
Yep, I've been hearing so much about Ubiquiti here.

I got DD-WRT up and running last night. Think I got most settings right, though some devices would not connect. Had to do the 30/30/30 reset and leave some options default.
Turned off the 2.4GHz antenna, leaving on the 5GHz only. All "n" devices, and switched the mode to Full2 20/40 at first. Default shows Full 20 only, which allowed the devices to connect. Don't know if that was the reason, but at 1:30am I stopped messing with it. Will play with some more settings tonight.
May also need to reboot my modem. I have a 200/15 connection and get that most times. The 15 up runs stable, but lately I am getting 2 to 5 on the down most times, but it does go up other times. Will cycle the modem and call the ISP to check. Don't think it's DD-WRT related.

Still looking at the EdgeRouter and Unifi gateway though. IdiotInCharge, will the Unifi AP run with both? Not sure why it would work more simply with the gateway over the EdgeRouter, or the difference in OS for that matter.
If going this route, I would like the PoE option so I don't have to run power to the AP.
 
Yup- the AP needs a Unifi controller for configuration (like all 'Unifi' stuff), be that software on a desktop (or a Pi or a Docker container somewhere, even on a NAS) or their hardware cloud key, and it will work with whatever you plug it into, including a 'dumb' switch with a PoE injector between the switch and the AP for power. The controller software just needs to be able to find the Unifi AP to take control of it.

You do want to plug it into a switch if using a Ubiquiti router, though, as Ubiquiti's routers do not have switching hardware and thus offload that function to the CPU which limits bandwidth. The router, as with many/most discrete routers, should only have WAN and LAN connections*.

With respect to Edgerouter (ER) versus a Unifi Security Gateway (USG) with a Unifi AP: using the USG puts the router and AP configuration on a single Unifi Controller instance. However, the USG is ~US$100 and not any faster hardware wise than the ~US$50 Edgerouters. And since the Edgerouters have their own Web GUI (like your average home router) with a wizard to get you set up quickly while the AP needs very little setup itself, going 'all Unifi' is really only useful for more complicated installations** that also may require regular adjustments. For a home system, it's pretty much a bullet-proof 'fire and forget' solution either way.

[*you might have more than one WAN connection, i.e., a failover, and you might have more than one LAN connection, i.e., your home and a 'home lab', though nearly all LAN separation may be more easily accomplished with VLANs instead]

[**the Unifi setup does allow you to do quite a bit of remote 'cloud' management as the Unifi software can communicate with their cloud- some prosumers appear to find this useful when providing administration for other family or for small businesses]
 