WRT54GL + Tomato + Rented house

Soldato
Joined
15 Jan 2003
Posts
4,947
Location
South East
Does anybody here have a WRT54GL who could offer me guidance with my setup?

I'm trying to set up a WRT54GL in advance of a vFast WiMax connection due to be installed at a house that my father is renting.

I have purchased the Linksys almost entirely based on the hype that most people seem to give it and the completely customisable third party firmware Tomato and others (that and it was £3 cheaper than the preconfigured TP Link TL-WR541G).

Between now and next Tuesday (survey and almost certain confirmed install date) I'm trying to configure the router with settings that will limit or block P2P (Limewire?) and lock down other settings so that the connection will be at reduced risk of being abused.

I am planning to set up MAC filtering so that a) only those paying the extra for the internet are allowed to connect and b) only the tenants of the house are able to connect (would prefer not to allow non-tenants access). I will be gathering MACs from the tenants as soon as the service is installed.

I'm also interested in remotely connecting to the router if it's easy to do (and if it's secure enough without risking access by external people, or even the tenants, to the router homepage to change settings).
 
Soldato
Joined
28 Oct 2002
Posts
9,227
Location
Stockport / Manchester
Tomato has a section where you can easily limit and/or block any traffic you require and includes pre-set profiles for many popular P2P protocols/clients. It's really easy to do, just click "Access Restriction" in the menu on the left and it should be pretty straightforward. This will be effective, but of course not 100%. Personally I'd strongly suggest not restricting the internet in such a way. It's not fair, especially if they are paying for the service.

MAC filtering is not a good way to secure a wireless network. With the right tools (any PC with a wireless card and a bit of software) bypassing it takes seconds and is pretty much pointless in this day and age. I suggest using WPA or WPA2 to secure the network. You can distribute the key to your tenants and easily change it as required. It also means they don't have to tell you if they get a new device, or if a mate brings their laptop round and wants to go online, etc.

It is very easy and secure to set up remote access. Like anything, exposing it to the outside world carries a small risk, but the risk is minute and there are currently no known major security issues with Tomato. Using Tomato you can find it in "Administration > Admin Access", just make sure you set it to HTTPS. A strong password will of course be required to prevent unwanted access, both from the outside and to stop tenants themselves from having a play. It is of course more important to keep your firmware up to date as each version will fix any potential security issues.

Hope that helps somewhat.
 
Soldato
OP
Joined
15 Jan 2003
Posts
4,947
Location
South East
Tomato has a section where you can easily limit and/or block any traffic you require and includes pre-set profiles for many popular P2P protocols/clients. It's really easy to do, just click "Access Restriction" in the menu on the left and it should be pretty straightforward. This will be effective, but of course not 100%. Personally I'd strongly suggest not restricting the internet in such a way. It's not fair, especially if they are paying for the service.

The reason we wish to restrict/shape P2P traffic is twofold:
1) to avoid any lovely legal letters dropping through the letter box in my father's name and 2) to avoid any arguments about tenants hogging the bandwidth.

A counter point with regards to it being 'fair' to restrict access, it wouldn't be fair to my father if he were to face potential prosecution because of an individual who rents for a month and then disappears elsewhere.

MAC filtering is not a good way to secure a wireless network. With the right tools (any PC with a wireless card and a bit of software) bypassing it takes seconds and is pretty much pointless in this day and age. I suggest using WPA or WPA2 to secure the network. You can distribute the key to your tenants and easily change it as required. It also means they don't have to tell you if they get a new device, or if a mate brings their laptop round and wants to go online, etc.

MAC filtering was not going to be the sole security in use. A WPA/WPA2 password will also be set up. MAC filtering will be used to make sure only those tenants who are paying (as part of the rent) will be given access to the internet.

It is very easy and secure to set up remote access. Like anything, exposing it to the outside world carries a small risk, but the risk is minute and there are currently no known major security issues with Tomato. Using Tomato you can find it in "Administration > Admin Access", just make sure you set it to HTTPS. A strong password will of course be required to prevent unwanted access, both from the outside and to stop tenants themselves from having a play. It is of course more important to keep your firmware up to date as each version will fix any potential security issues.

I'll have to use a Dynamic DNS service to carry out remote login. A strong password is planned to be used regardless of remote login or not.

Hope that helps somewhat.

Cheers
 
Soldato
OP
Joined
15 Jan 2003
Posts
4,947
Location
South East
Any techie that moves in will be raging at some jumped up so and so trying to treat them like a child :p

Your opinion.

When you are in a situation where you're renting a house to unknown people (who may or may not pay their rent) then you may take a different viewpoint.

My father's already absorbed the initial costs of getting the internet hooked up. There is nothing in the tenants' contracts that mentions that he had to supply any internet connection at all. All the current tenants were fully aware of this when they moved in.
 
Associate
Joined
24 Jun 2007
Posts
1,869
Location
Landan.
Micro-managing the internet would be the least of my worries..

Someone could slap their own router between the modem and your WRT54GL.

This. Whatever measures you put in place, if you haven't taken steps to secure it by lock and key, they'll simply unplug your router.

I have to agree with others, you're being quite anal about the whole thing I have to say - though as you rightly pointed out, it's your dad's prerogative :)
 
Man of Honour
Joined
13 Oct 2006
Posts
90,821
It's a bit of a rock and a hard place... I can quite see why you'd want to limit certain traffic... but on the flip side there's plenty of legit applications that use portions of P2P-style code in a legit manner that would be prevented from working, which I wouldn't be too happy about if I was the rentee... though as you're not selling internet access as a feature it's a little different...

Also it's a losing battle... if I did move in and wanted to run my games that use parts of P2P-style mechanisms for their updaters (but don't do full upload/sharing) I'd just proxy the whole connection through a remote endpoint - which would be pretty much impossible to block without cutting off internet entirely... which might move the blame away from your father but if the proxy used X-Forward, etc. there's no guarantee.
 
Associate
Joined
27 Dec 2006
Posts
1,422
Location
-
Also it's a losing battle... if I did move in and wanted to run my games that use parts of P2P-style mechanisms for their updaters (but don't do full upload/sharing) I'd just proxy the whole connection through a remote endpoint - which would be pretty much impossible to block without cutting off internet entirely... which might move the blame away from your father but if the proxy used X-Forward, etc. there's no guarantee.

Yep, a £6/month VPN service was all it took to circumvent my University's firewalls when I was in halls in my first year and unless you're using very sophisticated pattern matching filters (which you won't be) there's sweet FA you can do to stop it.

TBH I'd just get a router that does per-client rate limiting (DrayTeks do this pretty well, or you could use a box running dummynet or something similar) and just divide up the bandwidth equally amongst all the tenants.

Nobody complains because xyz doesn't work due to your rules and no one person can max out the connection in any one go.

I'd agree that maybe doing some very basic content filtering to block out common torrent websites and the like is not a bad move as you are liable for the use of the connection, but at the same time those letters are rare, and even more uncommon (in this country at any rate) is a successful prosecution, especially as you could quite easily just prove that the people using the connection are not you.
 
Soldato
Joined
28 Oct 2002
Posts
9,227
Location
Stockport / Manchester
The reason we wish to restrict/shape P2P traffic is twofold:
1) to avoid any lovely legal letters dropping through the letter box in my father's name and 2) to avoid any arguments about tenants hogging the bandwidth.

A counter point with regards to it being 'fair' to restrict access, it wouldn't be fair to my father if he were to face potential prosecution because of an individual who rents for a month and then disappears elsewhere.
Then don't provide them Internet access. No matter what lengths you go to, it's still possible for people to access illegal content one way or another. And there are worse things they could do than download a few movies.

Aside from that, as others have said, you may inadvertently block a legal service, which will mean your tenants will be on the phone to you moaning their Internet is not working! Personally if I was a tenant who was paying for Internet and you told me "tough, it's blocked" I'd simply remove your router and/or get my own Internet connection.

You can use QoS to ensure that the connection is never saturated enough to degrade the service significantly.

MAC filtering was not going to be the sole security in use. A WPA/WPA2 password will also be set up. MAC filtering will be used to make sure only those tenants who are paying (as part of the rent) will be given access to the internet.
As stated, MAC filtering can be circumvented in seconds. It also makes your job harder, as every time a client gets a new device (PC, laptop, console, mobile phone and that's just the start these days) you will have to make alterations. A WPA2 key is more than sufficient and could be changed on a semi-regular basis for extra protection.

I'll have to use a Dynamic DNS service to carry out remote login. A strong password is planned to be used regardless of remote login or not.

Tomato has a built in feature for use with Dynamic DNS, works well I do it that way myself :)


Seems to me like you just want to go to extreme lengths to limit people's access. Makes me want to ask, what's the point? Either let them use it as they want to or just don't bother!
 
Soldato
OP
Joined
15 Jan 2003
Posts
4,947
Location
South East
Well I am sat here at the house now with the router plugged in (currently running the latest Linksys firmware) but am having problems with two of the three tenants' laptops.

One is a MacBook Pro with Broadcom N wifi and the other is a Toshiba with Realtek wifi but neither can connect and obtain an IP with a password set on the router.

I started with Tomato firmware with a pretty standard password using WPA/WPA2, then changed down to WPA and still nothing. Finally changed down to no password and the Toshiba would connect and obtain an IP.

The MacBook Pro will connect with a password set up under OSX 10.5 but switching to Windows XP it won't connect even without a password.

I've had no problems no matter what password or settings I've used all day with my father's Samsung NC10 laptop and an Intel 5300 wifi card.

Arrggghh!!!!!!

Any ideas on why the other laptops are not getting an IP (the Macbook Pro even without a password fails to obtain an IP)?

I've no idea if the drivers for either card are up to date (it's a little hard to check make/models of the cards as one laptop is in Czech and the other in Chinese).
 
Soldato
Joined
16 May 2005
Posts
6,509
Location
Cold waters
I vaguely remember having similar WPA compatibility problems and settling on the following, which has worked with OS X and Windows since:

Firmware: Tomato
Security: WPA2 Personal
Encryption: AES Only
 
Soldato
OP
Joined
15 Jan 2003
Posts
4,947
Location
South East
I vaguely remember having similar WPA compatibility problems and settling on the following, which has worked with OS X and Windows since:

Firmware: Tomato
Security: WPA2 Personal
Encryption: AES Only

Will this allow WPA compatible cards to connect? I didn't try WPA2 Personal but did try the WPA/WPA2 Personal combo option (can't remember if I tried WEP).

Key wise, I've tried simple keys being either all lower case or all upper case and, purely because the router wouldn't allow anything smaller, 12345678 as a key. All to no avail (so glad that I did upgrade my father's NC10 when I did).
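The 8-character minimum the router enforced, and the WPA2 Personal/AES-only setting suggested above, both come down to how the passphrase becomes the network key. As an added example (not from this thread or from Tomato), the standard WPA/WPA2-Personal derivation in Python, with a passphrase check alongside it: the SSID is the PBKDF2 salt, so a common SSID plus a short key like 12345678 is exactly the combination precomputed dictionaries are built for. The strength thresholds in `validate_passphrase` are an assumption, not part of the standard.

```python
import hashlib

# Constructed SSID for illustration; not the house's real network name.
EXAMPLE_SSID = "example-house-wifi"


def validate_passphrase(passphrase: str) -> list:
    """Return a list of problems with a WPA/WPA2-Personal passphrase.

    IEEE 802.11 requires 8-63 printable ASCII characters (codes 32-126);
    that rule is why the router refused anything shorter than 8.
    The strength heuristics below are our own assumption, not the standard.
    """
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8-63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        problems.append("only printable ASCII allowed")
    classes = sum((
        any(c.islower() for c in passphrase),
        any(c.isupper() for c in passphrase),
        any(c.isdigit() for c in passphrase),
        any(not c.isalnum() for c in passphrase),
    ))
    if len(passphrase) < 16 or classes < 3:
        problems.append("weak: use 16+ chars mixing cases, digits and symbols")
    return problems


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32).

    The 4-way handshake then uses this 256-bit PSK as the PMK, so two houses
    with the same SSID and passphrase end up with the same key.
    """
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


if __name__ == "__main__":
    for candidate in ("12345678", "correct-Horse-Battery-7"):
        print(candidate, validate_passphrase(candidate) or "ok")
        print("  PSK:", derive_psk(candidate, EXAMPLE_SSID).hex())
```

The `derive_psk` output for passphrase `password` and SSID `IEEE` matches the published 802.11 test vector, which is a quick way to confirm a router or supplicant is doing the derivation correctly.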
 