Don't use Linksys routers (superevr.com)
398 points by zachinglis on Apr 6, 2013 | 148 comments

The modern equivalent of a Linksys WRT54GL is the ASUS RT-N16. It runs OpenWrt, DD-WRT, and Tomato variants really well, does 802.11n (only one frequency) and has plenty of memory and flash storage for extra hacking. The ASUS RT-N66U is frequently advised if you want 5GHz 802.11n as well.

The other router mentioned in this article, the Linksys EA2700, doesn't seem compatible with third party firmware. And apparently the Cisco firmware is buggy, no surprise there. It is an awfully cheap Dual-Band 802.11n router, but if you can't put working software on it it's useless.

I don't understand why some major router manufacturer doesn't just sell routers pre-installed with Tomato. It's easy to use, stable, and works way better than any crap the router companies cobble together. Flashing new firmware on a stock ASUS router is too complex for ordinary consumers.

I am the owner of an ASUS RT-N16. I purchased it when my Linksys WRT-54G died after 4 years. It really is a fantastic wifi router for the reasons you list. However, if you live in an apartment complex you might find the 2.4GHz spectrum very crowded, especially if there are others with 2.4GHz 802.11n, which uses more channels than 802.11b/g. This might make it worthwhile to purchase a 5 GHz 802.11n router.

Definitely. There appear to be more than 30 named networks within range of my iMac. That's one reason I've wired my iMac and my fiancee's iMac with cat6; as I wrote in another comment the other day: https://news.ycombinator.com/item?id=5192837 :

It's also amazing how prevalent Ethernet still is, even when wireless is a competitor. The other day I left this comment: http://news.ycombinator.com/item?id=5052448 on HN, because in some circumstances running a cheap ethernet cable from a router to a desk, couch, or other work station can still be a real win, especially given how inexpensive even very long ethernet cables are from Monoprice.com.

They last forever, aren't subject to the level of interference wireless is, and, in many conditions, have faster data transfer speeds. Ethernet is still great.

> They last forever, aren't subject to the level of interference wireless is, and, in many conditions, have faster data transfer speeds. Ethernet is still great.

Take away "in many conditions" and replace it with "always, without exception", and replace "faster" with "at least a magnitude faster", and we are in agreement.

If you need performance and reliability (for instance for iSCSI) there is really nothing which even compares to wired ethernet.

Agreed - always use wired when possible, especially if you have gigabit-capable equipment.

Note that in most cases wireless systems are far slower than theoretical speed, but 100Mbit wired ethernet is good for 90+ in both directions simultaneously, so in most cases it'll be faster than 802.11n, and with better and more consistent latency.

I do the same, because my building is so crowded the connection drops all the time, even if I am sitting next to the router. :(

Switch to 5 GHz. You'll need a new router and WiFi adapters, but they're available. You won't have quite the range, but even business locations with dozens of 2.4 GHz networks (e.g. Physician office buildings) will have 1-2 5GHz networks total, and most off the shelf consumer laptops don't support it right now so adoption will take a while.

Stop telling people to do this. I like my roomy, uncluttered 5 GHz spectrum.

Part of the problem with 2.4 GHz in big buildings is that it passes relatively well through building materials, so that in a large building you get a lot of noise from equipment owned by other residents.

Someone measured the difference in transmissivity for different materials at 2 and 5 GHz (http://www.ko4bb.com/Manuals/05)_GPS_Timing/E10589_Propagati...) - the difference is quite large for brick and cinder block; unfortunately, they didn't measure insulation foil, which I expect would be quite a good RF shield, especially if earthed.

So if everyone switched to 5 GHz, the interference situation might still be better than if everyone was on 2.4 GHz.

Of course, being an early adopter of 5GHz probably helps with the other problem in apartment buildings, the 'prisoners dilemma' type problem where everyone who knows how ups their transmit power because of the noise, making the problem worse for everyone else but temporarily better for them, when if everyone lowered their power, everyone would get better speeds (exactly analogous to how everyone ends up shouting when having a conversation with the person next to them at a party, when if everyone talked quietly instead communication would be more successful).

This works until "everyone" takes your advice and switches to 5 GHz.

Not necessarily. The 5 GHz band has a lot more channels available (21 in the US), and all of those are 20 MHz wide with no overlap. You would have to live in an extremely dense apartment building to start to run into interference issues.

5 GHz also effectively has a shorter range than 2.4 GHz, particularly with building materials in the way. That gives more available capacity, and even without that it's likely to be at least another year before 5 GHz becomes standard in consumer laptops, plus most people aren't going to be replacing existing equipment immediately.

If possible increase the transmit output milliwatts, to "shout over" the other signals on the same channel.

Increase the beacon period of your router/AP to the fastest it will go, usually 20 microseconds. I think this is the best solution of anything you could try.

Maybe play around with the DTIM interval but I'm not sure what a good number for that is; too low supposedly drains batteries of wireless devices and too high causes other problems.

Max out RTS/CTS. You may lose overall throughput, but that's no loss if it sucks already; in for a lamb, in for a sheep.

There are other settings too, most explained in the help section of the AP/router menu. They can be obscure, but fiddling with them can help your AP signal a lot.

That's my unofficial educated guess theory.

I actually design wireless devices for a living and in my opinion, this is mostly bad advice.

The best bet is to switch to 5GHz, but that isn't practical for use with mobile devices.

Option B is to turn off the higher speed modes like 802.11n. Just try to stick with 11g. If you are still having connection problems, maybe switch down to 11b, but that will be real slow even when it works.

If you use an access point with detachable antennas (which is actually most of them if you open the cover), then maybe replace the omni-directional antenna with a high-gain directional antenna (also known as a patch antenna). Then you'll need to point the antenna at where you sit.

Another (probably lousy) option to try (but very quick and cheap) is to move off of the commonly used WiFi channels (1, 6, 11). They are commonly used because they don't overlap with each other. So maybe try 4 or 9. The downside is that you will get interference from two commonly used channels, but the overall situation may be better than what you've got now.

I've had great success adjusting the beacon period to 20 milliseconds and using 2.4GHz.

Although I do agree with your advice about channels, I often get relatives to do that as the first step in troubleshooting problems with their home wireless network.

People have all those adjustable router options; they may as well try something rather than default settings. You don't have to design wireless devices for a living to fiddle with a few settings.

Thanks for this.

You say "switch to 5GHz, but that isn't practical for use with mobile devices" -- is the reasoning that the 5GHz signal doesn't penetrate the walls enough as you walk around with the device?

That is a factor as others have mentioned, but mostly I meant it is just that many mobile devices don't support 5GHz. And you can't just add a cheap USB dongle. That is starting to change though, so check the specs on your devices.

Thanks for the tips.

I, too, switched to the RT-N16 after my WRT54GL died unceremoniously one day. The RT-N16 is a pretty good router, but I want to caution anyone who, like me, was awestruck by its 128MB RAM without considering NVRAM.

The short version is that, depending on your usage, you may run out of NVRAM before RAM and may lose your settings. For reference see [1] and [2].

[1] http://www.dd-wrt.com/wiki/index.php/Asus_RT-N16#Current_Kno... [2] http://www.dd-wrt.com/phpBB2/viewtopic.php?p=506126

NVRAM should definitely be a top consideration. If you want to add any sorts of third party tools or customization to your router you will want plenty of it.

I have 32MB NVRAM to play with and that has served me well enough, but I see plenty of consumer routers which can be "upgraded to dd-wrt" but which don't even have enough NVRAM to do an ipkg update.

The RT-N56U is one of the best routers I've ever used. Great transfer rates, strong signal in both bands, gigabit ports, and the management panel is pretty decent if you don't want to install Tomato.

> It runs OpenWrt, DD-WRT, and Tomato variants really well

You're sure about that? I've had an rt-n16 sitting on a shelf for over a year waiting for OpenWrt support. Your message caused me to go check their website, and all it says is:

"The Asus RT-N16 has early support in Barrier Breaker (trunk) only!"

Actually, no, I don't know anything about running OpenWrt on an RT-N16 and shouldn't have included it in my list. Sorry for the mistake! As noted by other commenters apparently it's only supported in WIP versions, details at http://wiki.openwrt.org/toh/asus/rt-n16

Thank you!

According to


there is support for dd-wrt, apparently since late 2010. You understand that Barrier Breaker is pre-release, right?

Yes, I understand Barrier Breaker is pre-release. That is precisely why, when NelsonMinar suggested the RT-N16 runs OpenWrt "really well," I asked if he was sure.

I am uninterested in dd-wrt, which is why I didn't mention it.

I see. Your quote mentioned dd-wrt, which threw me off.

BTW, if you want to help a non-geek install Tomato, the folks at EasyTomato have done great work making an accessible version of the firmware: http://www.easytomato.org/

> The modern equivalent of a Linksys WRT54GL is the ASUS RT-N16

When I was in the market for something like that one or two years back, I was recommended a specific type of Buffalo router [1]. While I see my particular model has been superseded by newer ones, I still thought I'd mention it because:

1. It was recommended to me by someone who had been served extremely well by it in the past. It has now served me extremely well for years. It will probably do you good as well.

2. It's OK to support more than the top 3 vendors in the world with your money. This leads to more competition, more diversity and better products.

3. Putting stock dd-wrt or openwrt on it can be done all in the browser and doesn't seem to involve brick-risking procedures like bootloader updates, like I see you may have to go through for the Asus router.

[1] http://www.amazon.co.uk/gp/product/B0028ACYEK

After running DD-WRT on a WRT54GL for years I tried the RT-N16 and got terrible network throughput over WiFi, even within 5-15ft. Maybe the issue has been solved in the last few months, but I was very disappointed.

You need to adjust the default xmit power; in Tomato I use 63. There is a guy who did a bunch of testing of xmit power for the RT-N16 here: http://www.linksysinfo.org/index.php?threads/asus-rt-n16-tra...

Oh whoa, seriously? I use Tomato and it seems like the default is 17; no wonder I've been having some issues with range. I just thought it was because my neighbors were setting up more wifi routers. Will try that out, thanks!

The one thing I'm worried about though is whether that setting of 63 is worse for shorter distances. From my limited experience with building a simple radio transmitter/receiver and amplifiers, if your received signal is too strong it'll just saturate and turn to crap, and as it happens my bedroom is right next to the room with the router in it, so boosting the signal might screw up reception on my phone. But at least now I know that there's room to play around here, thanks for letting me know!

I just bought and re-flashed an ASUS RT-N16 with TomatoUSB (Shibby fork) last week and it is a great router. For me it has great stability and range. I had previously used Tomato on an older router and liked it so I stuck with it. You can use the ASUS recovery mode software to directly flash with custom firmware images. My understanding is that because it has this special recovery mode it is virtually un-brickable.

Thank you for the info - do you know if there's an ADSL modem that's good for DD-WRT these days? Last I looked (yeeeaaaars ago) there were only two models, long since out of production, and they didn't seem to be going in that direction anymore.

Still seems to be very little. You can get some boxes that convert adsl to ethernet (ATM over ethernet or whatever standard your country uses) that basically have no config and connect those to a router.

That's how I did it, connected my WRT-54GL (Tomato) to a D-Link modem/router, works fantastically well.

Are you thinking of Bridged mode?

I used to do this until something happened at my ISP and my router could no longer authenticate against my ISP's PPPoE server. Now I have my modem providing NAT and DHCP, and my router is just a dumb access point. The only problem is my modem has an externally accessible administration page running on port 4567, and telnet on port 1111 that I can't turn off, even when all remote management configuration options are turned off. I've had to set up a cron script to attempt to telnet into the thing continuously, and if successful it will kill the httpd server and telnet daemon.

It's absolutely ridiculous how insecure home network equipment is.

>It's absolutely ridiculous how insecure home network equipment is.

But remember not to leave your wireless access open to passers-by. That helps hackers, and Al-Qaeda, and pedophiles, and drug dealers! /sarcasm

UPnP is the one that gives me concern. User programs can punch holes in your firewall without you knowing about it. Now you have a port open on your firewall... pointed at someone's computer without your knowledge. UPnP goes off - if you want that port open, let's talk about it, little software thingy.

UPnP does not decrease security in a home/SMB environment.

There is a good reason why reverse shells exist.

Yeah, I'm running in bridged mode, it works great. I used to run it like your current setup, but now I can finally run the Tomato router as my main one, and QoS is just too amazing to pass up on...

Why would you run linux on your modem? Unless it's a hybrid modem/router.

I haven't seen a modem (from a telecom) that isn't a router in the past 5 years. Most ship wireless router/modems to their customers these days as standard.

Cable companies might still ship modems (they did the last time I had cable internet, but that was probably 8 years ago).

Insight Cable (recently acquired by TWC, sigh) has been installing a plain modem + cheap Belkin router for years now.

Amusingly, they always set the SSID to 'insight_wifi_XXXX' and their formula for WPA keys is `firstname[0] + lastname + housenumber`.

That's awful. It looks like you can purchase a standalone ADSL modem for about $30: http://www.newegg.com/Product/Product.aspx?Item=N82E16825165...

That coupled with a router/wireless AP running Tomato or the like should work well, from what I understand. I, however, have never used DSL, so I'm not an expert.

After having several crappy modem/router/wifi things from ISPs, I've taken to buying routers independently. Usually less than $50 (if anything, since you can reuse them), and always less of a pain.

There's nothing to return, I get DD-WRT instead of whatever garbage they're running, and it's usually measurably faster in both internet speed (usually lower latency) and wifi speed. In particular, I've never had a bundled device get within 50% of what 802.11n is capable of, especially when you have 4 or more devices. All my dedicated routers have done just fine.

Many of the DSL routers can be put in bridge mode. I run an Asus RT-N16 as my router connected up to the "modem" (now in bridge mode) provided by my DSL provider.

ADSL modems are frequently hybrids, and it's one less thing to take up a power socket to use a hybrid over a two-thingy combo.

Tomato works fine until you need QoS. Then it hangs sporadically. Verified with two different router types.

Interestingly I found the N16 stock firmware to have the best QoS of any router I've used. It requires no configuration and always seemed to work great. DD-WRT's QoS, on the other hand, can require significant effort to configure correctly.

Every router I ever owned that I put Tomato firmware on I could never get any version of QoS to work correctly.

It's a free firmware and great other than QoS but who am I to complain :/

Hmm, I've used QoS in Tomato for years. The early versions of Tomato had a very simple QoS build. The latest Toastman builds have some 30+ rules. All versions seem to work OK for me. But I'm sure it depends on traffic and would be hard to debug if it did fail.

I feel like it'd be cheaper for manufacturers to write better QoS drivers specifically for tomato, or wrt, than whole new firmwares, surely?

Not here.

Why? Control, keeping the advanced software features out of the low tier products and planned obsolescence.

Consumer routers are a low margin product. Vendors want to do as little work as possible, so they ship mostly the software provided by the silicon vendor.

Nobody here seems to realize that these firmware upgrades do little to address these issues. Tomato explicitly says it's a UI update only.

Or just put OpenWRT[1] on it. It's a real Linux distribution with a package manager and everything. You can even disable the web interface, if you don't trust it, and use SSH.

EDIT: WRT54GL is pretty old and it won't run the default build of OpenWRT Attitude Adjustment (the newest release). It also probably won't have enough memory to operate the package manager or the web interface.

But I do have one running a custom build. The only downside is that you need to decide which software to include upfront. Their build tool is rather friendly[2].

EDIT2: You can have a VPN server and any routing you like on OpenWRT, same with Samba, radvd, vnstat... There are even web UI plugins (luci-app-whatever) so you can control those from the web interface for ease of access. It is a real Linux distro that just happens to run on routers.

[1] https://openwrt.org/

[2] http://wiki.openwrt.org/doc/howto/build

The trouble with the WRT54G series (and most of these little routers) is that they have ~200MHz CPUs and ~16MB of RAM. This is, incidentally, why they often crash when you open a lot of simultaneous connections -- memory exhaustion.

I find that if you're interested in experimenting with a Linux router, old PCs are a much better choice. You can get a PowerPC G3 or G4 or a late model Pentium III for practically zero money (if not literally zero money out of a trash heap) and PCI NICs for secondary interfaces are similarly inexpensive. For only slightly more money the G4 Mac Mini is an excellent choice for a wireless router. Then you have a processor that is several times faster and can put arbitrarily much memory and storage in it to suit your needs and then put your favorite Linux router distribution (or Debian) on it and have at it.

What is it about this class of devices that makes them so expensive?

They tend to have 500MHz CPUs, approximately no RAM, unresponsive very basic web interfaces, and fall over at the touch of a light breeze.

An el-cheapo Android tablet with a 1.6GHz dual core ARM processor, 1GB RAM, WiFi, and a bunch of other technically hard stuff on top (IPS screen, battery) costs less than one of these style of WAP/switch/routers.

Are they really so different?

Low turnover.

I was always wondering that too. Seems like they should be $25-50 max. Decent hardware with Tomato seems like the way to go.

While an old PC is certainly good hardware spec-wise, they aren't good in the noise, space, and power consumption areas. If you're going to buy something, get something that won't have its caps blow in 6 months.

I recently got a PC Engines Alix [1]. It's not as cheap as a consumer router but it's got good specs and runs the latest OpenWRT with no problems. Most of all, it's as small, unobtrusive, and fan-less as a consumer router.

There's a mini-pci slot so you can add wireless, but I have an airport express and so I'm just using that in bridge mode for my wireless.

[1] http://www.pcengines.ch/alix2d13.htm

Seconding the Alix. They're AWESOME.

I got plain Ubuntu working on it, you just have to set it to serial boot.

You might be shocked by the power bill for running one of those older beasts 24/7.

Idle power consumption, measured at the plug by a watt meter:

Dell Optiplex (1.4GHz Pentium III): 32W ($5.76/month @ $0.25/KWh)

Mac Mini (1.25GHz G4): 17W ($3.06/month @ $0.25/KWh)

Even if a WRT54G uses zero watts, you're still talking about a year before you even recover the $50 cost of one, and in any event ~$50/year is not a very expensive hobby.

It's interesting the way you drew the opposite conclusion that I would. I look at that and think "$50 a year to route a few packets? To heck with that."

Part of that is surely that I don't see what makes having a very ordinary Linux box sitting around making noise a hobby. To each his own.

That is an extremely high cost of electricity.

I live in what I believe to be a relatively high electrical cost area, and I pulled up my bill online for 2/13/2013 to 3/14/2013: I'm paying 13 cents per KWh solely for energy, although by the time I add on the substantial fixed monthly meter fee, the state low income assistance tax, and 100% energy for tomorrow (in theory, all my KWh come from the local windfarm instead of from coal; in practice it's probably merely a greenwashing scam) I'm writing a check (well, paying online) for about 17 cents per KWh, in other words the number of KWh divided by the debit to my bank account. So the Optiplex would cost me a whopping $4.04 per month; let's call it a buck a week. Do I get a buck a week of fun out of my homemade firewall/PBX/other things? Yes.

If I did my math right, this is equivalent to about 4 minutes of labor at my current family income; in other words, spending time on detailed monthly accounting is more expensive than just paying for it outta the slush fund.

I don't have a wifi network installed merely to roast my brain with microwatts of RF. It exists solely as background infrastructure for a small herd of Apple idevices and Android phones/tablets, all of which are value engineered to be disposable after a year or two. If I had no wifi devices I probably wouldn't have a wifi router. In other words, if I wanted to save money in the category of "tablets", I'd look first at not replacing it every year or two. Just the capital/depreciation cost of only one wifi connected idevice is about an order of magnitude more than I'll pay for the electricity to run my home router/PBX/bunch-of-other-things. Electricity is so cheap it's not even a rounding error in total systems cost, and optimizing for the wrong value is always a fail.

Another interesting anecdote is that a couple decades ago I was taught as a pretty crude consumer product engineering estimate "a watt for a year is about a buck", but via inflation etc. it's now about $1.50. Apparently folks in less civilized areas are paying around $2 for a watt for a year. So something that runs 24 hours a day and costs $8 at Walmart, like a 5 watt clock radio alarm clock, uses its own cost in electricity in a bit more than a year. This is also the genesis of trying to save money on wall warts: if a wall wart costs $2.50 and uses $5 of electricity per year, a more efficient switcher that costs $10 and uses only $1 of electricity per year pays for itself rather quickly.

"a watt for a year is about a buck" (fifty). Thanks for that.

A one-year payback time means an IRR (hope I'm using that term right!) of 100%. If you're choosing between putting your money into paying down your mortgage at 6%, investing in the stock market at 3% (plus or minus enormous volatility), insulating your house at 20%, or replacing your old PC router with a cheap MIPS box at 100%, go for the cheap MIPS box!

That's assuming you paid $0 for hardware, and your time is worth nothing.

No, it takes the cost of the router into account. The cost of the now-turned-off PC is immaterial; it's a sunk cost. (Although maybe freeing it up from router duty will make it more valuable since you can, e.g., sell it.)

It's true that it doesn't take the value of your time into account.

Use a more recent notebook with a bad display. Much less power needed, and you can get one for free or really cheap. Or use that three-year-old notebook you've replaced, and turn off the display.

Or a new higher-spec router. I have the Netgear WNDR3700v2 which has 128MB RAM, and has an officially supported open source firmware page http://www.myopenrouter.com/ - there is a manufacturer that's sane...

Unfortunately, that doesn't really help normal customers because they can't be bothered with doing stuff like flashing an alternative firmware.

> It also probably won't have enough memory to operate [...] the web interface.

It does have enough memory for the web interface - at least for the one in KAMIKAZE (8.09.2, r18961), the version mine is running.

Linksys went from being the "iPhone of home networking" to being something I won't recommend. In Cisco's care the company has gone from being a market leader to a dud.

Now a lot of people might say "It doesn't matter who makes it, I'll just flash OpenWRT or DD-WRT onto it!" But I say to that, "then why buy a Linksys?"

Asus, for one example, are cheaper, they often have external antennas giving you more power and flexibility (both literally and figuratively), and, most importantly, they can be flashed with OpenWRT or DD-WRT at your pleasure.

Even without the security issues there is no good reason to buy a Linksys.

Right now I am using my ISP supplied "router" in cable-modem "mode" (i.e. just dumb pass-through to ethernet) and have a cheap MikroTik/RouterOS device sitting behind it which was cheaper than most retail grade routers but with the functionality of commercial grade equipment.

RouterOS might not be as easy to use as DD-WRT, but if you can use it then it is far more powerful as a web-based environment. Just for one example, want a VPN server? RouterOS supports IPSec/L2TP, PPtP/GRE, SSTP, and OpenVPN. Basically everything. The list of its network functionality is almost endless...

"being the "iPhone of home networking""

How so? All I remember from their heyday was that they were good enough, cheap enough, and flashable. I don't remember them commanding a premium for any particular reason.

I think they meant it not in terms of a premium price, but rather as the default product to buy. They were never that much more expensive (if at all), but back in the day it was the one most people bought.

Should have said iPod then as I don't think iPhone ever attained "default" status outside of SF.

I highly recommend Mikrotik to anyone fed up with traditional consumer wifi routers/APs. I don't know how they compare to other vendor hw, e.g. Asus + OpenWRT, but this little guy has been rock solid and a joy to use: http://routerboard.com/RB2011UAS-2HnD-IN

Thanks for the recommendation. I'm absolutely fed up with my D-Link DIR-655 always needing to be restarted when the wireless decides to stop working, and was looking for something exactly like this. I was beginning to dread having to build something like a Smoothwall/pfSense box; I did that around 2005 with an old desktop computer and it didn't work that well.

I've actually heard of Mikrotik before; about 10 years ago I was doing some work planning a 2.4GHz wireless ISP (WISP) and I think Mikrotik equipment was highly regarded then (especially in the 900MHz spectrum IIRC) so looking forward to this.

Here's a link to a distributor where it can be purchased: http://www.roc-noc.com/mikrotik/routerboard/RB2011UAS-2HnD-I...

The smaller versions also work well and are only $80! http://www.roc-noc.com/mikrotik/routerboard/RB951G-2HnD.html

I have a Mikrotik/RouterOS device.

Positives: Cheap. Powerful. Stable.

Negatives: Harder to use than OpenWRT/DD-WRT or similar. It is still a web-interface, but doesn't "baby" the user. If you aren't comfortable manually setting up interfaces and then setting up tunnels through those interfaces for example then skip this.

I love it. But I won't kid myself, it isn't for everyone. The documentation isn't comprehensive and the software is very powerful but not very intuitive (or at least it isn't if you don't have a good background configuring network equipment).

I've got a pretty in-depth networking background, and for my home network rebuild I wanted something less power-hungry than my previous big AMD box running Vyatta, but needed something that supported n+ layer 3 interfaces, BGP and VLANs (i.e. a proper router). Couldn't justify the cost of a 1900 series Cisco and associated k9-sec license, so went for an RB1200 (512MB RAM, 1GHz PPC chip, 10 physical ports, 5 of which can do hardware switching and wire-speed filtering) and a couple of Groove access points.

Getting tagged and untagged VLANs to interact together on a single port is a non-starter (not supported at all), and getting VLAN trunking and routing to work together simultaneously requires terminating the layer three interface on a virtual bridge, then for each VLAN you need to create a virtual VLAN interface for each physical interface, and then put that onto the bridge as a 'bridge port'. The documentation is very scant on this side of things and the command line interface is pretty arcane compared to IOS but does make sense after a while.

If they weren't 1/4 the price (or less) of an equivalent product from $enterprise_vendor I'd hesitate to recommend them to anyone, but seeing as they are, if you've got a networking background and can put up with some of its quirks and limitations, there is very little out there that can compete with Mikrotik on price/feature set.

Anyone who has ever set up a Cisco router to do anything even slightly complex should be able to pick up Mikrotik in a snap. The Windows-based GUI configuration tool (winbox) is simply incredible. (Runs fine in wine on OSX as well.)

They rewrote it into a browser-based app; it looks identical, just a bit more shiny.

The Unifi line by Ubiquiti is also great, dirt cheap, good-looking, and has wi-fi bridging as a bonus.

Rather than the RB2011 series, if you can make do with fewer ports, you can look toward the RB751.

Fewer ports, but essentially the same wireless specs (1W DC, 2.4GHz b/g/n). The routing capacities on both are way more than you'll ever run up against on a home connection. Same RouterOS. License level is one lower, but that essentially just restricts you to 200 VPN connections instead of 500.

The RB751 is ~$80 (5xgiga) or ~$60 (5xfast) versus the 2011's ~$130 (5xgiga+5xfast).

Seconded. I've got one for my office (20+ computers and a number of BYODs) and I've had to power it off once, when we were moving. It is solid, stable, and has not crashed or frozen for me even once.

Setup can be quite complicated, though, compared to a consumer router.

Looks well-made. I've never seen that brand in any US stores unfortunately. There were a few US distributors listed but most were tiny shops.

We've ordered thousands of dollars worth of stuff from roc-noc.com over a couple of years. Chatted on the phone with them a bit too. I'd definitely vouch for them if you're looking to make an order.

Seconding this recommendation. In addition to being super powerful they have great potential as a research platform.

My Linksys router has had Tomato on it from the first day, it's the only sane thing to do (OpenWRT or DD-WRT would work too) when closed-source software is regularly exploited and not patched in a timely manner - and when no one knows what kind of government-friendly backdoors exist in such products (made by companies that earn significant revenue from government contracts).

Also, there's plenty of very cheap router hardware coming from China nowadays; from TP-Link you can get OpenWRT-capable routers for less than $15, so there's not much point in paying a lot more for Linksys products.

Having looked at the post, doesn't he really mean don't buy "these models" of Linksys? Or are all models open to certain vulnerabilities?

This indicates that they're not doing enough testing of any of their routers. Not conclusive, of course...

I use Linksys routers, but not with default software (which we know is "limited"). I would recommend alternatives from here http://tomatousb.org/mods

Which makes it a bit odd that he mentions the "uber-popular Linksys WRT54GL router" specifically. The "L" stands for Linux, and it was brought back because people specifically wanted to install third party software on it.

And the reason for it becoming popular in the first place was probably a security issue that allowed third party software to be installed.

The "L" version was introduced because newer routers didn't have this capability/vulnerability and people wanted something they could install third party software on. So when the "L" version (which I use) came it was just an older model, with even less memory than the original and a much heftier price. Unless you wanted to run third party software on it it was really bad value for your money.

Anyway, all of this truly sucks. But really, I don't expect more of any consumer router.

EDIT: Oh wow, the WRT54GL was introduced in 2005, nothing too fancy at the time and you can still buy it today - lots of stores have it in stock even.

That's inexact. The WRT54GL was brought in because the (at the time) retail version of the WRT54G had much less RAM and flash, as they had switched from Linux to VxWorks.

It's not that they didn't have the "security vulnerability" but they just weren't able to run Linux in a useful manner due to low hardware resources.

I also don't remember if the WRT54G became popular in the first place because of a security issue, I think it just enabled you to upload any firmware to it and that the original firmware eventually became open-source after they received GPL violation complaints. But my memory might be fuzzy, it was a while ago.

Your memory is how I remember it too.

Basically the WRT54G with base firmware was better than anything else on the market at the time of release (within the same market segment - retail routers).

Just to put that into some perspective: before the WRT54G, some of the functionality in the base firmware was being sold to small-medium businesses by companies like Cisco for thousands of dollars.

Word spread quickly and instead of your local coffee shop paying Cisco $20,000 to install their WiFi, they could spend $100 on a Linksys router. This meant companies could afford to give away WiFi for free because it cost them little or nothing to install the WiFi initially.

But what happened next is what turned the Linksys WRT54G from a "great" to a "legendary" product - people found out it ran on Linux. Now Linux is open source but more specifically it is under the GPL license.

What that meant is that legally Linksys were required to share the source code that made the WRT54G run. Which after some not-so-gentle prodding and legal threats they did.

People then made distros (in the Linux sense) which updated the Linksys firmware to add new functionality, fix issues, and similar. This made the thing even more powerful than perhaps even Linksys wanted, and ate into Cisco's small-medium business space even more.

Word spread like wildfire and soon everyone and their brother owned a Linksys WRT54G. Linksys improved the base firmware only mildly while the third party firmware was steamrolling ahead.

Cisco eventually purchased Linksys and started cutting corners on all of their retail products. Using less powerful CPUs, less RAM, and stripping out functionality while not altering the cost. Linksys stagnated.

This was likely in no small part to try and get some of their small-medium customers back onto Cisco's books, but by then it was too late. The market that Linksys had created had spread to Linksys's competitors and soon everyone was "letting" their routers get firmware updates that turned a cheap little home router into something able to fend off medium-business level commercial equipment.

AFAIK Cisco bought Linksys back in March 2003.

The reason it became popular in the first place is because Linksys included GPL code in their stock firmware, and because of the terms of the license, they were forced to release the entire firmware source under the same license. Once the full source was available, modding and porting Linux became straightforward.

I'm a fan of pfsense [1] on an alix board [2]. The alix board is a little pricey for a router, but has a real amount of memory (256MB). The only downside is that pfsense, since it's based on FreeBSD, doesn't support any 802.11n cards, so you're either stuck with 802.11g, or using a separate access point like I do.

Add in a managed switch and you have the start of a real network at home.

[1] http://pfsense.org/ [2] http://pcengines.ch/alix.htm

FreeBSD supports some 802.11n cards, doesn't it? https://wiki.freebsd.org/WiFi80211n

There are no drivers for 802.11n cards in pfsense 2.0 (current stable version), which is based on FreeBSD 8.1. Some b/g/n cards will work, but only in b/g modes:


Drivers for 802.11n are in FreeBSD 9.0 and later, but that won't be the base for pfsense until 2.2:


Let me just get this in before the cries of JUST INSTALL OPENWRT come raining down.

Your mother / father / grandmother / etc are not installing openWRT on their routers. Installing one of these CISCO home routers is pretty much hacking yourself. And "just update the firmware" is not gonna work.

Try it one day: go up to like 10 people and ask them what a firmware is. If the users aren't technical, you're going to get 0/10 correct responses.

>Your mother / father / grandmother / etc are not installing openWRT on their routers.

My mother / father / grandmother / etc are typically not buying the routers. They are saying things like, "next time you visit, can you fix my internet?" Or, "since you're here, can you check what's wrong with the internet? I can't get it to work." which is when you install and configure the xxxWRT device for them.

Maybe they should just ship with the alternative firmware installed if the open source is doing a better job?

I've read (but haven't personally confirmed) that Netgear used skinned OpenWRT on some of their routers (like the wndr3700v1)

It is true; http://www.myopenrouter.com/ is their info page. They make it really easy to flash, and provide specs as well, so they are well supported and you can use a different version, but it does ship with it too.

Have a look, quite a few mfrs have products that either ship with DDWRT or at least advertise "support" (I guess they mean compatibility?) for DDWRT.



It should be pretty easy to upgrade vulnerable WRT54GL routers. Any volunteers to set up a page that POSTs a newer firmware like OpenWrt or Tomato?

What use is that? If people don't know enough to upload a file to their router, they definitely won't know enough to configure it after it's been done.

Embed the link in a joke/lolcat/puppy/political forward-email and spam it to all of our relatives/acquaintances who regularly do the same.

Is this a problem if I have DD-WRT?


Just buy Draytek. Playtime is over. Pricy but mine lasted 7 years before I replaced it with another Draytek (for dual WAN support). Bomb proof and great VPN support out of the box. I bridge my parents' network to mine over VPN, and the Linux servers at either end provide failover DNS, mail etc. So useful, especially for remote support.

> Just buy Draytek. Playtime is over.

I went to their website (draytek.us) and got this:

> Database connection error (2): Could not connect to MySQL.

I guess playtime really is over.

What recommendations do people here have for an entry level commercial router instead of a high consumer level router?

Draytek Vigor. Any of the mid range units. Bomb proof, well supported and have VoIP support that isn't a piece of shit.

Juniper SRX100 ($500), with Ubiquiti APs (~$100).

That's a bit overkill don't you think? Do you really think a home user would have a need to run BGP?

Overkill for a random home, but maybe OK if you WFH and need to VPN / IT wants to manage a bunch of devices centrally / etc. $1k in equipment vs. $300 in equipment isn't that big a difference for a few important home users if you're already using all the same equipment in your other offices.

(Also a lot of startups have like 20 people working out of a home or condo, and they bump up against memory/crappiness/etc. limits of consumer routers and APs pretty hard.)

OP asked for "low end commercial router", though.

I'll add on the following requirements.

Working QoS
IPSec (roadwarrior config w/ certs)
CoDel (big plus but optional)
VoIP (optional)

Google Cache of the site since it's having issues. [0]

I enjoy my Asus RT-AC66U. [1] Best commercial router I've seen, and Asus Merlin [2] firmware makes it better.

[0] http://webcache.googleusercontent.com/search?q=cache:JNu4Z9X...

[1] http://www.newegg.com/Product/Product.aspx?Item=N82E16833320...

[2] https://github.com/RMerl/asuswrt-merlin

The only problem with Asus Merlin is that it uses the older "stable" wifi drivers. I've been running the unreleased Russian build for months now and it's stable as a rock.

My ISP makes me use a "gateway"[1][2] with a wireless router built into it. In the name of reducing electricity usage, I forego running my own router and surrender to using theirs. I would be willing to bet many others do the same. I wonder how secure it is?

[1]http://www.att.com/u-verse/explore/residential-gateway.jsp [2]http://verrytechnical.com/wp-content/uploads/2011/10/ATTUver...

My router uses about 3 watts. That adds about $5 per year to my electric bill, which I'm happy to pay to avoid the painful ISP-provided router.

My ISP also sent an "all-in-one" device when I hooked up.

All I really wanted was to set it up in bridge mode in front of my pfsense box, but couldn't do this. I cloned their router's MAC, put their router back in the box and used my existing 'dumb' modem.

Perhaps this would work for you as well.

I just had U-Verse installed yesterday; the tech said you can use your own router if you like. My router is still with my old roommate though, so I haven't tried it - but I see plenty of ethernet ports so I don't see why it wouldn't work.

Half-OT: does anyone know a DD-WRT/OpenWRT compatible WiFi router with support for 2.4/5 GHz WiFi, as well as VLAN on the ports? Bonus points for individual VLAN assignment to the individual ports.

What? Linksys routers are a great deal - you can find them at goodwill for $5, flash the firmware & configure it in 15 minutes and they work great. My one beef is why don't they put a cheap fan on them when they cost upwards of $100 now that they come with a cisco logo slapped on them.

Shouldn't 'hardware' firewalls be secure? And everyone knows that software firewalls are crap. Isn't this common knowledge among professionals? ;)

;) In the end, all routers are software. A properly set up Linux or BSD router/firewall on a regular PC can be very, very good.

A higher end hardware router actually has tested and (mostly) secured software, these don't...

I mostly-bricked a Linksys doing a security analysis on it. It still works, but the UI is completely locked up; I can change nothing on it.

I also bricked my Linksys by opening /upgrade.cgi (mentioned in the article) in a browser.

I was able to finally fix it by downloading a firmware from Linksys, doing a 30/30/30 reset (push the reset button for 30 s, turn the power off for 30 s while still holding reset, and keep on pushing reset for another 30 s after turning it on again) and flashing it with tftp as explained in http://community.linksys.com/t5/Wireless-Routers/E4200-Firmw...

After that I was able to login using the web interface again.

For Mac OS X the command to flash is just tftp, and then in the console that opens type:

    rexmt 1
    timeout 60
    put firmware_filename.bin

So this researcher went from notifying Linksys to open disclosure to the internet after only a month? That hardly seems responsible.

Mitigating factor, the attacker would need to have been granted access to your network in the first place?

Not at all. That's what CSRF is all about. All the attacker needs to do is get you to visit a page on the internet that they control. Then the code on the page does its magic and runs on the browser and because you and the browser are on your network it can work.

As a simple example, imagine that you had a test server behind a firewall in your own home network, totally inaccessible from the internet. Now let's say you have it set up so that it will, oh, let's say turn on the oven if you hit a specific URL without any authentication (like testserver/actions/oven/on, or some such). If someone knows of this then they could contrive to have you visit a web page with some embedded resource such as an inline image that causes you to hit that url from your browser. Boom, now your oven is on and you didn't even know it. Even if you switch to using logins and cookies on your test server to ensure that only authorized users on your network can use it then you'll still have the same problem, because when your browser hits that URL it will be in your name, and all of the right cookies will be there. That's the nature of CSRF.
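An added illustration of the point above, not code from this thread or from any router vendor: a toy reboot endpoint modelled in Python, once trusting only the session cookie (which the browser attaches to cross-site requests too) and once also requiring a POST, a matching Origin header and a per-session token. The router origin, session id, /reboot.cgi path and evil.example are constructed placeholders.

```python
import secrets
from dataclasses import dataclass, field

ROUTER_ORIGIN = "http://192.168.1.1"    # assumed admin UI origin (constructed)
SESSION_ID = "constructed-session-id"   # constructed sample session cookie value
CSRF_TOKEN = secrets.token_hex(16)      # per-session token embedded in the admin page


@dataclass
class Request:
    """Minimal model of what the router's HTTP server sees."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def naive_reboot(req: Request) -> int:
    """Vulnerable pattern: trusts the session cookie alone. Returns an HTTP status."""
    if req.cookies.get("session") != SESSION_ID:
        return 401
    return 200  # 'reboot' happens even when a cross-site page triggered the request


def hardened_reboot(req: Request) -> int:
    """Same endpoint with the checks a CSRF-resistant handler needs."""
    if req.cookies.get("session") != SESSION_ID:
        return 401
    if req.method != "POST":  # never change state on GET (img tags, links)
        return 405
    # Browsers set Origin on cross-site POSTs and a page cannot forge it, so a
    # request from the router's own page carries ROUTER_ORIGIN, an attacker's page theirs.
    if req.headers.get("Origin") != ROUTER_ORIGIN:
        return 403
    # The token is only in pages served by the router; same-origin policy keeps it
    # from the attacker's page. Constant-time compare avoids timing leaks.
    if not secrets.compare_digest(req.form.get("csrf", ""), CSRF_TOKEN):
        return 403
    return 200


def request_from_admin_page() -> Request:
    """The admin submits the reboot form on the router's own page."""
    return Request("POST", "/reboot.cgi", {"session": SESSION_ID},
                   {"Origin": ROUTER_ORIGIN}, {"csrf": CSRF_TOKEN})


def request_from_attacker_form() -> Request:
    """Same browser, form auto-submitted from http://evil.example (constructed):
    the cookie rides along automatically, the token and Origin cannot be faked."""
    return Request("POST", "/reboot.cgi", {"session": SESSION_ID},
                   {"Origin": "http://evil.example"}, {})


def request_from_img_tag() -> Request:
    """<img src="http://192.168.1.1/reboot.cgi"> on the attacker's page: a GET with cookies."""
    return Request("GET", "/reboot.cgi", {"session": SESSION_ID},
                   {"Referer": "http://evil.example/"}, {})
```

The naive handler returns 200 for all three requests because the cookie is present each time; the hardened one accepts only the request that came from the router's own page, which is exactly the gap the thread's /upgrade.cgi CSRF exploits.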

I think this is just what topic meant:

Error 102 (net::ERR_CONNECTION_REFUSED): The server refused the connection.


OpenSource is a vulnerability not an Asset according to #5.

For small projects with few contributors I would agree, but for projects as large as OpenWRT and DDWRT and such, I don't agree.

In an ideal world, whether code is open source is neutral. The extra ease of finding bugs is balanced by the fact that people can and do find then fix them. Theory says that these two are, to first order, equivalent. So end user security is the same. (But code quality tends to be higher with open source software.)

However whenever code moves towards being more open, you've got all of the vulnerabilities of closed source software, and all of the bug-finding ease of open source software. This is the worst of all possible worlds.

Therefore #5 is true. The fact that you have easy access to known-to-be-crappy code increases the vulnerability of that code.

"Code quality is higher on open source"

<sarcasm> Right, because somehow people not being paid to work on code write better since they are doing it for their pride, whereas closed source people just lose their jobs if they write crappy code</sarcasm>

Open Source with wide adoption leads to bugs being fixed.

Closed source security through obscurity leads to exploits being only known by those exploiting them. Not a good thing.

Just curious, but wouldn't this indicate that open source code which allow iterators to close off their improvements would produce less vulnerable code overall?

If a vulnerability is found in open source code, people will try it on yours. So they won't be finding it directly in yours, but that is not protecting you.

The real consequence is that how secure a product is depends more on the project than on whether it is open source. Apache and OpenBSD are two examples of very good open source code. Java and Rails are two examples of not so good open source code.

Google's website is an example of good closed source code. The software shipped by Linksys is an example of bad closed source code.

I get that there are different levels of quality regardless of the type of code. I was more interested in the security effects of hiding code after the open source community has had a chance to deal with vulnerabilities. None of the examples you gave were specific to code which has transitioned between open to closed.

What I've gotten from your answer so far is that it isn't an effect which is general, and it'll depend on the project in question. Am I on the mark?

Yes. Opening closed code is always going to be problematic. But closing opened code can go either way.
