DD-WRT and network control
In my last post I talked about RetroPie and the build it is based on. I would like to continue with the discussion about unknown devices on a network. This situation isn't unique to the RetroPie, as we see the mass proliferation of IoT devices. Aside from all of the mobile devices, such as phones and tablets, there is an increasing number of "smart" devices that connect to the network wirelessly. Google, Amazon, and Apple are just a few vendors that leverage the fact that most home users have a wireless network. There are other devices like game consoles, televisions, refrigerators, washers, dryers, lights, switches, and thermostats that are being connected. It is becoming common to assume a "thing" is connected. The public puts a tremendous amount of trust into these devices and into the assumption that they will behave as expected.
In this post I'll be covering an alternative firmware called DD-WRT. It provides a larger feature set than standard consumer-grade internet routers. These are the gateway devices that your home network has to go through to connect to the internet. One of the features I'll be covering is WAN access control. This feature provides a way to control access to the internet from devices on the internal network.
Not all consumer-grade routers support DD-WRT, so refer to the DD-WRT website for details: https://www.dd-wrt.com/site/index.
I had an old router that lacked WAN control features. It did provide some functionality that was originally intended to be used as parental controls. However, the method to identify and control devices on the internal network was limited. It used a loose method to identify devices, which could be easily duplicated, masked, or spoofed.
DD-WRT provides a more robust way to control WAN access using IP and MAC address filtering. WAN access can be granted or denied, and that access can also be set to change at different times of the day or on different days of the week. This is the easiest way to control how IoT devices access the internet.
The filters are set through the web UI. One thing to note: when making changes in the web UI, save and apply the settings you want to keep before leaving that settings page. I have noticed that my changes didn't stick if I didn't do this. Another tip is to reboot the router once the changes are saved and applied; this way you can be certain they have taken effect. Once everything is as you like it, I suggest making a backup of the router config. If you find that you need to reset or reload the firmware, you will not need to remember and re-enter all the settings you have made.
Another feature of DD-WRT is syslog. Without going into too many details, syslog is simply a text message sent from the router to another system that stores, forwards, or archives those messages. Some off-the-shelf routers support syslog, but the DD-WRT firmware sends much more information along the syslog pipe. This can provide an audit trail should you need one at a later time.
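As an added example (not code from this post or from the DD-WRT project), here is a small Python parser that turns the firewall log lines a router forwards over syslog into the per-device audit trail described above: which LAN device tried to reach which WAN destination, and whether the WAN access filter accepted or dropped it. It assumes the standard netfilter LOG line format with ACCEPT/DROP/REJECT log prefixes, br0 as the LAN bridge and vlan2 as the WAN port; the sample log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Netfilter LOG lines as they arrive over syslog. ACCEPT/DROP/REJECT as the
# log prefixes, and br0/vlan2 as LAN bridge and WAN port, are assumptions.
LOG_RE = re.compile(
    r"kernel: (?P<verdict>ACCEPT|DROP|REJECT) IN=(?P<iface_in>\S*) OUT=(?P<iface_out>\S*) "
    r"MAC=(?P<mac>[0-9a-f:]+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=(?P<proto>\S+)(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)
LAN_IF, WAN_IF = "br0", "vlan2"

# Constructed sample: two inventoried devices, one unknown device, one inbound WAN packet, one non-firewall line.
SAMPLE_SYSLOG = """\
Mar  3 21:04:11 DD-WRT kern.warn kernel: ACCEPT IN=br0 OUT=vlan2 MAC=00:00:5e:00:53:ff:5c:cf:7f:11:22:33:08:00 SRC=192.168.1.20 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 21:04:12 DD-WRT kern.warn kernel: DROP IN=br0 OUT=vlan2 MAC=00:00:5e:00:53:ff:b8:27:eb:44:55:66:08:00 SRC=192.168.1.50 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 21:04:15 DD-WRT kern.warn kernel: DROP IN=br0 OUT=vlan2 MAC=00:00:5e:00:53:ff:b8:27:eb:44:55:66:08:00 SRC=192.168.1.50 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 21:04:20 DD-WRT kern.warn kernel: ACCEPT IN=br0 OUT=vlan2 MAC=00:00:5e:00:53:ff:00:00:5e:00:53:01:08:00 SRC=192.168.1.77 DST=192.0.2.5 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Mar  3 21:04:21 DD-WRT kern.warn kernel: DROP IN=vlan2 OUT= MAC=00:00:5e:00:53:fe:00:00:5e:00:53:02:08:00 SRC=203.0.113.40 DST=198.51.100.1 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=5 PROTO=TCP SPT=4444 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 21:04:30 DD-WRT daemon.info httpd: login from 192.168.1.20
"""

def parse_line(line):
    """Return the interesting fields of one firewall log line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # MAC= is the raw Ethernet header: destination MAC, source MAC, ethertype.
    # The sender is the second 6-octet group; the first is the router itself.
    octets = rec["mac"].split(":")
    rec["device_mac"] = ":".join(octets[6:12]) if len(octets) >= 14 else None
    return rec

def wan_audit(log_text):
    """Per LAN device MAC: Counter of (verdict, dst, dport) for WAN-bound packets."""
    audit = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["iface_in"] == LAN_IF and rec["iface_out"] == WAN_IF:
            audit[rec["device_mac"]][(rec["verdict"], rec["dst"], rec["dpt"])] += 1
    return dict(audit)

def unknown_devices(audit, known_macs):
    """MACs seen heading for the WAN that are not in your inventory. A MAC can
    be spoofed, so treat a hit as a reason to look, not as proof of identity."""
    return sorted(set(audit) - set(known_macs))

if __name__ == "__main__":
    print(unknown_devices(wan_audit(SAMPLE_SYSLOG), ["5c:cf:7f:11:22:33", "b8:27:eb:44:55:66"]))
```

Point `wan_audit` at a syslog file collected from the router to see, per device, what the WAN access filter let through and what it dropped.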
With the increase of IoT devices entering the mainstream, it is wise to consider security. Not all devices will play nicely, and some might have weaknesses yet to be revealed to the public. The other critical issue is the lack of disclosure to the public of what these devices are capable of, usually under the premise of intellectual property. Data gathering is a huge business, and the data sets these devices create are considered the property of the gatherers. It seems unlikely that these data sets will become public domain, yet they were gathered from the public domain. If you prefer not to feed the stream, I would suggest setting limits on what these devices can do. One way is to manage how they can connect to the internet. There are other ways too, but I only wanted to demonstrate how to recycle an old piece of equipment and put it to use with DD-WRT.