Protect your home network using TomatoUSB – how to only allow only HTTP/S out!

While we continue to see the WannaCry and other malware around, I thought I would secure my own network. Since I allow visitors onto their networks, I figured I would configure all new DHCP’d hosts to access the Internet only via HTTP and HTTPs and not allow them to use any DNS servers other than OpenDNS. Here’s how to do it:

The first thing I did was create an access restriction. I did this just to see what chain would be created and I would put subsequent rules into that chain.

access restriction screenshot

The previous screenshot created this chain:

Chain rdev07 (1 references)
target prot opt source destination
DROP all -- 192.168.0.15 anywhere

With this chain, I can add additional rules. The first thing I want to do is allow only DNS access to OpenDNS servers and none other. For this, I would run the following commands:

iptables -A rdev07 -4 -p tcp -s 192.168.0.0/24 -d 208.67.222.222/32 --dport 53 -j ACCEPT
iptables -A rdev07 -4 -p udp -s 192.168.0.0/24 -d 208.67.222.222/32 --dport 53 -j ACCEPT
iptables -A rdev07 -4 -p tcp -s 192.168.0.0/24 -d 208.67.220.220/32 --dport 53 -j ACCEPT
iptables -A rdev07 -4 -p udp -s 192.168.0.0/24 -d 208.67.220.220/32 --dport 53 -j ACCEPT
iptables -A rdev07 -4 -p tcp -s 192.168.0.0/24 -d 0.0.0.0/0/0 --dport 53 -j REJECT
iptables -A rdev07 -4 -p udp -s 192.168.0.0/24 -d 0.0.0.0/0/0 --dport 53 -j REJECT

These rules basically allow DNS queries from my network to the 2 OpenDNS servers. The last 2 rules mean that no other DNS servers outside of those 2 servers can be queried. The reason I do this is because there is some malware out there that will change the DNS servers to query on Windows, effectively overriding the DHCP setting. An alternative to this would be to configure Tomato to intercept DNS requests, but I would rather do it this way.

I added the following rules because I had noticed for some reason that some connections coming back from OpenDNS were dropped. I think they’re optional, but I put them in.

iptables -A rdev07 -4 -p tcp -s 208.67.222.222/32 -d 192.168.0.0/24 --sport 53 -j ACCEPT
iptables -A rdev07 -4 -p udp -s 208.67.222.222/32 -d 192.168.0.0/24 --sport 53 -j ACCEPT
iptables -A rdev07 -4 -p tcp -s 208.67.222.222/32 -d 192.168.0.0/24 --sport 53 -j ACCEPT
iptables -A rdev07 -4 -p udp -s 208.67.222.222/32 -d 192.168.0.0/24 --sport 53 -j ACCEPT

Next, I go to create my whitelist – this would be my iPhone, iPad, android, etc – any hosts that I trust. I’m going to allow these host to go out to any host with TCP and UDP.

 

iptables -A rdev07 -4 -p tcp -s 192.168.0.3/32 -d 0.0.0.0/0 -j ACCEPT
iptables -A rdev07 -4 -p tcp -s 192.168.0.11/32 -d 0.0.0.0/0 -j ACCEPT
iptables -A rdev07 -4 -p tcp -s 192.168.0.31/32 -d 0.0.0.0/0 -j ACCEPT
iptables -A rdev07 -4 -p udp -s 192.168.0.3/32 -d 0.0.0.0/0 -j ACCEPT
iptables -A rdev07 -4 -p udp -s 192.168.0.11/32 -d 0.0.0.0/0 -j ACCEPT
iptables -A rdev07 -4 -p udp -s 192.168.0.31/32 -d 0.0.0.0/0 -j ACCEPT
I know that they can still get viruses. I hope they don’t. They can only use OpenDNS for DNS services, but they can access basically anything outside on any port.
Lastly, I configure the rules to allow only HTTP and HTTPs out.
iptables -A rdev07 -4 -p tcp -s 192.168.0.0/24 -d 0.0.0.0/0 --dport 80 -j ACCEPT
iptables -A rdev07 -4 -p tcp -s 192.168.0.0/24 -d 0.0.0.0/0 --dport 443 -j ACCEPT
iptables -A rdev07 -4 -p all -s 192.168.0.0/24 -d 0.0.0.0/0 -j DROP
With this, anyone else on the network can connect to port 80 and 443 of any host on the Internet. Then, any traffic going out to any other port is dropped.
After testing all commands and seeing that they worked for me, I put them all into Administration/Scripts/Firewall.
Inserting custom firewall rules
Have fun and be safe! Please post any comments below.

Using 2 ISPs at home at the same time! Tomato MultiWAN – works great! (Video)

Why do you really need this? When Shibby first put out the firmware with MultiWAN support, I questioned why someone would pay for 2 service providers. Too much bandwidth utilization? If you need more bandwidth, just upgrade your line with your current ISP. It would be cheaper than getting a new line!

Do you need reliability? When you work from home and need to be connected to the Internet for your work and it’s not available, that’s when you might look into a solution like this one! I have Comcast Business. Does that help? No, not really when the problems is with the infrastructure and not a misconfiguration or something internal. It just means that when you call, you talk to someone a little more competent and you can get a person quicker than going through the phone system. You can have someone come on-site a little faster too. That said, the service is the same as that of all other consumers. After a few rains and a couple of Comcast outages (not exactly outages, but huge degradations in service), I started to think about getting a second provider. Luckily, in San Francisco, we have a few options for service providers here. I happen to be lucky enough to have access to 2 different cable providers, Comcast and Wave Broadband (formerly Astound). I used Astound before. It was not bad. My experience was not nearly as bad as what the Yelp reviews say. I’ve now had them for a couple of weeks and still have the same opinion. They seem to be just fine.

So, moving onto the implementation. As you can see from the screenshot, Shibby makes it easy! First configuration the VLAN. It points to a link for where to do it – in advanced settings. You can look at the next screenshot to see an example of the VLAN being set up. I’m using LAN port 1 for the 2nd WAN port.

In this screen however, You might notice my “Load Balance Weight”. The problem with my service providers is that Comcast gives me unlimited bandwidth. Wave Broadband does not. Because of this, I want more connections to go out of the first WAN link and Shibby gives us a couple of ways to do it. First is with “Load Balance Weight”. I’m just setting the 1st link to 2 and 2nd WAN link to 1. You can play with the numbers to try finding your desired balance.

Screen Shot 2016-04-29 at 6.43.42 PM

Screen Shot 2016-04-29 at 6.43.01 PM

Another place to do load balancing is by pinning a particular host to a particular WAN link. For example, I have some traffic I want out of 1 WAN link and some out of another. This way, I can tell my highest traffic hosts to go through WAN1 while some others through WAN2.

Screen Shot 2016-04-29 at 6.47.37 PM

Here’s a status window to show that I have both WANs connected.

Screen Shot 2016-05-01 at 4.23.59 PM

Lastly, you can see from different searches of what’s my IP, that both WAN links are being utilized.

Screen Shot 2016-05-01 at 4.29.15 PM Screen Shot 2016-05-01 at 4.29.26 PM

Please post your comments and share!

Wait … before you move to Tomato from DD-WRT!

If you’re reading this, it’s probably too late. You’re probably already running into this issue:

401

and it’s probably driving you nuts!

If you haven’t done the move yet, good. Telnet into the router and run:

nvram get http_username

and

nvram get http_passwd

The way that Tomato and DD-WRT store passwords usernames and passwords is different – DD-WRT stores them encrypted whereas Tomato doesn’t, so with this, you can use it to log into Tomato after you’ve done the move. I call it a move and would hate to call it an upgrade, because some hardcore DD-WRT users might be offended.

Now, if you haven’t done this already and are seeing the error, this will be interesting. With the ASUS router, I think I was able to just do a 30-30-30 reset and it took care of it. Unfortunately with Shibby’s implementation of Tomato, they don’t implement the reset button, so you can press the reset button until you’re blue in the face and it won’t do a thing. On other routers, you may need to press the SES/AOSS button. On the Netgear Nighthawk, it’s the WIFI on/off button. You can hold it down and it will start a password-less telnet daemon at port 233 if held for 20+ seconds. So, when you’re booted into Tomato (the web login will still say DD-WRT) and you can’t log in, hold the button down for 20+ seconds and then go to the command prompt and run:

telnet <router IP> 223

There, you should be able to run the 2 ‘nvram get’ commands and use that info to log into the router and do a reset from there.

Hope this helps!

Why I choose TomatoUSB over DD-WRT

I recently bought a Netgear Nighthawk R7000 for my home router. I figured it would be a good time to get a new router, so I was debating between this on and the ASUS (RT-AC68U). I chose the Nighthawk purely based on price. It was 10% off at Target. 🙂 When I shop for a router, I normally try to get open-source. The reason for this is so that I can hack it as I enjoy doing things like that and I like to use features that are not designed the original product. Why companies build routers and put their own firmware on it is beside me. I really wonder why they don’t just use the open-source stuff since it’s so good. If you look at my blog, you’ll see that I have run DD-WRT on my older routers as well.

The reason I decided to go with Tomato instead of DD-WRT is because of a couple of features that I like in Tomato. The first feature is the QOS transfer rates.

Screen Shot 2014-06-11 at 10.59.05 PM

I haven’t found where I can easily do this in DD-WRT. The reason I like this feature is because I can instantly know who is using up my bandwidth.

Another feature I like that unfortunately does not work on this router yet is A feature where I could see all of the URLs that I’ve visited and searches that I’ve done. I hope that Shibby fixes this in the 121 build.

Screen Shot 2014-06-11 at 11.01.41 PM

These are the two major reasons why I decided to use Tomato over DD-WRT. I’ve also run into issues with using the wireless bridge feature in DD-WRT where Tomato worked very easily.

I would love for some DD-WRT hardcore fans to debate with me. I’ve used DD-WRT firmware for a long time and just switched to Tomato very recently. The main reason I switched to Tomato was back in the days when I had the ASUS RT-N16 router. DD-WRT had Wi-Fi that kept dropping off almost daily and I had to find something better and Tomato was the answer at the time.

Please post your comments! Thanks!

 

 

Drobo connected to Asus router running TomatoUSB

Simple – Don’t do it! This was from a couple of years ago when running TomatoUSB on an ASUS RT-N16 router. DD-WRT had issues where the wifi would drop off periodically. I found that TomatoUSB (Shibby or Toastman) were both very good alternatives. So good that I’ve since moved onto Tomato for almost all of my routers.

Anyways, some of the issues I ran into were:

Value too large for defined data type …

Sep 24 00:01:08 unknown daemon.err smbd[1539]: disk_free: sys_fsusage() failed.
Error was : Value too large for defined data type
Sep 24 00:01:08 unknown daemon.err smbd[1539]: disk_free: sys_fsusage() failed.
Error was : Value too large for defined data type

[email protected]:/tmp/etc# df -h
Filesystem Size Used Available Use% Mounted on
/dev/root 5.6M 5.6M 0 100% /
tmpfs 62.0M 400.0K 61.6M 1% /tmp
devfs 62.0M 0 62.0M 0% /dev
df: /tmp/mnt/Monster: Value too large for defined data type

Along with this, the CPU on that router just couldn’t handle NTFS-3G well – CPU utilization was going through the roof on writes. I think reads were okay.

It would be better to just build a cheap NAS.