Search - "custom router"
Paranoid Developers - It's a long one
Backstory: I was a freelance web developer when I managed to land a place on a cyber security program with whom I consider to be the world leaders in the field (details deliberately withheld; who's paranoid now?). Other than the basic security practices of web dev, my experience with Cyber was limited to the OU introduction course, so I was wholly unprepared for the level of, occasionally hysterical, paranoia that my fellow cohort seemed to perpetually live in. The following is a collection of stories from several of these people, because if I only wrote about one they would accuse me of providing too much data allowing an attacker to aggregate and steal their identity. They do use devrant so if you're reading this, know that I love you and that something is wrong with you.
That time when...
He wrote a social media network with end-to-end encryption before it was cool.
He wrote custom 64kb encryption for his academic HDD.
He removed the 3 HDD from his desktop and stored them in a safe, whenever he left the house.
He set up a pfsense virtualbox with a firewall policy to block the port the student monitoring software used (effectively rendering it useless and definitely in breach of the IT policy).
He used only hashes of passwords as passwords (which isn't actually good).
He kept a drill on the desk ready to destroy his HDD at a moment's notice.
He started developing a device to drill through his HDD when he pushed a button. May or may not have finished it.
He set up a new email account for each individual online service.
He hosted a website from his own home server so he didn't have to host the files elsewhere (which is just awful for home network security).
He unplugged the home router and began scanning his devices and manually searching through the process list when his music stopped playing on the laptop several times (turns out he had a wobbly spacebar and the shaking washing machine provided enough jittering for a button press).
He brought his own privacy screen to work (remember, this is a security place, with like background checks and all sorts).
He gave his C programming coursework (a simple messaging program) 2048 bit encryption, which was not required.
He wrote a custom encryption for his other C programming coursework as well as writing out the enigma encryption because there was no library, again not required.
He bought a burner phone to visit the capital city.
He bought a burner phone whenever he left his hometown come to think of it.
He bought a smartphone online, wiped it and installed new firmware (it was Chinese; I'm not saying anything about the Chinese, you're the one thinking it).
He bought a smartphone and installed Kali Linux NetHunter so he could test WiFi networks he connected to before using them on his personal device.
(You might be noticing it's all he's. Maybe it is, maybe it isn't).
He ate a sim card.
He brought a balaclava to pentesting training (it was pretty meme).
He printed out his source code as a manual read-only method.
He made a rule on his academic email to block incoming mail from the academic body (to be fair this is a good spam policy).
He withdraws money from a different cashpoint every time to avoid patterns in his behaviour (the irony).
He reported someone for hacking the centre's network when they built their own website for practice using XAMPP.
I'm going to stop there. I could tell you so many more stories about these guys, some about them being paranoid and some about the stupid antics Cyber Security and Information Assurance students get up to. Well done for making it this far. Hope you enjoyed it.
So I have that custom-made wifi router I've built. And it uses a USB wifi adapter with AC (wifi5) capability - the fastest one I could find in AliExpress.
I set it up a while ago - the internet access works fine, although speeds are somewhat sluggish. But hey, what to expect from a cheapo on Ali! Not to mention it's USB, not a PCIe...
A few days ago I ran a few speedtest.net tests with my actual AC router and the one I've built. Results were so different I wanted to cry :( some pathetic 23Mbps with my custom router :(
This evening I had some time on my hands and finally decided to have an umpteenth look.
nmcli d wifi
this is what caught my eye first. The RATE column listed my custom router as 54Mbps, whereas the actual router had 195Mbps.
I have reviewed the hostapd configuration sooo many times - this time nothing caught my eye as well.
Googling did not give anything obvious as well.
What do we do next? Yes, that's right - enable debug and read the logs.
> VHT (IEEE 802.11ac) with WPA/WPA2 requires CCMP/GCMP to be enabled, disabling VHT capabilities
This is one of the lines at the top of the log. Waaaaiiitttt.. VHT is something I definitely want with ac -- why does it disable that??? Sounds like a configuration fuckup rather than the HW limitation! And config fuckups CAN be fixed!
Turns out, an innocently looking
made a world of a difference!
connect to the hostapd hotspot and run that iperf3 test again, and... Oh my. Oh boi! My pants fell off -- the speed increased >3x times!
A quick speedtest.net test deems my custom router's download speeds hardly any worse than the speeds obtained using my Linksys!!
The moral of the story: no matter how innocent some configurations look, they might make a huge difference. And RTFL [read the fucking logs]
In the pic -- left - my actual router, right - my custom-built router with a USB wifi adapter. Not too shabby!
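An added example, not part of the post above and not the poster's or hostapd's own code: a small checker for the condition named in the quoted log line, where 802.11ac is requested but no CCMP/GCMP pairwise cipher is in effect. The post's own config line did not survive on this page; the sample configs below are constructed, and the cipher logic is a simplified single-BSS model that assumes hostapd's documented defaults (`wpa_pairwise` defaults to TKIP, `rsn_pairwise` falls back to `wpa_pairwise`).

```python
"""Flag hostapd.conf cipher settings that make hostapd drop 802.11ac (VHT)."""

STRONG = {"CCMP", "GCMP", "CCMP-256", "GCMP-256"}

def parse_hostapd(text):
    """Return key -> value for key=value lines, skipping blanks and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return finding codes for one hostapd.conf (simplified model, one BSS)."""
    conf = parse_hostapd(text)
    wpa = int(conf.get("wpa", "0"))
    if wpa == 0:
        return []  # no WPA/WPA2 configured, so the log line does not apply
    # Assumed defaults: wpa_pairwise=TKIP, rsn_pairwise falls back to wpa_pairwise
    wpa_pw = set(conf.get("wpa_pairwise", "TKIP").split())
    rsn_pw = set(conf.get("rsn_pairwise", " ".join(wpa_pw)).split())
    # Bit 0 of wpa enables WPA (v1), bit 1 enables WPA2/RSN
    in_use = (wpa_pw if wpa & 1 else set()) | (rsn_pw if wpa & 2 else set())
    findings = []
    if conf.get("ieee80211ac") == "1" and not in_use & STRONG:
        findings.append("VHT_DISABLED")   # the situation the log line reports
    if "TKIP" in in_use:
        findings.append("TKIP_ENABLED")   # deprecated cipher still offered
    return findings

# Constructed sample configs (not taken from the post)
BASE = """\
interface=wlan0
hw_mode=a
channel=36
ieee80211ac=1
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=constructed-example-only
"""
WEAK = BASE                                   # no pairwise cipher set
FIXED = BASE + "rsn_pairwise=CCMP\n"          # CCMP only
MIXED = BASE.replace("wpa=2", "wpa=3") + "wpa_pairwise=TKIP CCMP\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("fixed", FIXED), ("mixed", MIXED)):
        print(name, audit(cfg) or "ok")
```

The mixed case keeps VHT but still offers TKIP to clients, which is why it is reported separately.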
TLDR: Small family owned finance business woes as the “you-do-everything-now” network/sysadmin intern
Friday my boss, who is currently traveling in Vegas (hmmm), sends me an email asking me to punch a hole in our firewall so he can access our locally hosted Jira server that we use for time logging/task management.
Because of our lack of proper documentation I have to refer to my half completed network map and rely on some acrobatic cable tracing to discover that we use a SonicWall physical firewall. I then realize asking around that I don’t have access to the management interface because no one knows the password.
Using some lucky guesses and documentation I discover on a file share from four years ago, I piece together the username and password to log in only to discover that the enterprise support subscription is two years expired. The pretty and useful interface that I’m expecting has been deactivated and instead of a nice overview of firewall access rules the only thing I can access is an arcane table of network rules using abbreviated notation and five year old custom made objects representing our internal network.
An hour and a half later I have a solid understanding of SonicWallOS, its firewall rules, and our particular configuration and I’m able to direct external traffic from the right port to our internal server running Jira. I even configure a HIDS on the Jira server and throw up an iptables firewall quickly since the machine is now connected to the outside world.
After seeing how many access rules our firewall has, as a precaution I decide to run a quick nmap scan to see what our network looks like to an attacker.
The output doesn’t stop scrolling for a minute. Final count we have 38 ports wide open with a GOLDMINE of information from every web, DNS, and public server flooding my terminal. Our local domain controller has ports directly connected to the Internet. Several un-updated Windows Server 2008 machines with confidential business information have IIS 7.0 running connected directly to the internet (versions with confirmed remote code execution vulnerabilities). I’ve got my work cut out for me.
It looks like someone’s idea of allowing remote access to the office at some point was “port forward everything” instead of setting up a VPN. I learn the owners’ close personal friend did all their IT until 4 years ago, when the professional documentation stops. He retired and they’ve only invested in low cost students (like me!) to fill the gap. Some kid who port forwarded his home router for League at some point was like “let’s do that with production servers!”
At this point my boss emails me to see what I’ve done. I spit him back a link to use our Jira server. He sends me a reply “You haven’t logged any work in Jira, what have you been doing?”
Finally my dad bought a new router after I'd been telling him to for over a year!!! Well, I configured it and it was OK, but USB speed was 2MB and WiFi speed was three times slower than promised by ASUS. Then I realized there is custom firmware, flashed it, and boom, I got fucking 12MB/S on USB 2.0!! And 4 times faster WiFi. So dear ASUS, STOP putting SW that BLOCKS the HW.
Building my own router was a great idea. It solved almost all of my problems.
Just recently have I started to build a GL CI pipeline for my project. >100 jobs for each commit - quite a bundle. Naturally, I have used up all my free runners' time after a few commits, so I had to build myself a runner. "My old i7 should do well" - I thought to myself and deployed the GL runner on my local k8s cluster.
And my router is my k8s master.
And this is the ping to my router (via wifi) every time after I push to GL :)
P.S. at least I have Noctua all over that PC - I can't hear a sound out of it while all the CPUs are at 100%
## Building my own router
IT HAS ALREADY PAID OFF!!!!!
So I (with my fam) have evacuated from the capital of Lithuania into a distant place - much smaller, where average age is prolly >30 or even >40 years. I live in a village now. In a house with very good neighbours. In fact these neighbours own that house :D
Back to the point.
So these neighbours used to share their wifi (w/ internet) between the two houses. They have the line, the main router has quite a strong antenna and that other house has 2 repeaters: 1 on the outside wall and another one -- indoors. Repeaters are connected sequentially, i.e. the indoors one is repeating the outdoors one. ikr....?
The first day was alright. We settled in, got everything set up wifi-wise. Peachy.
The second day repeaters refused to issue a DHCP IP. That's something, right? Alright, nvm - I don't mind setting up static IPs. In fact I prefer them over the DHCP magic!
And by the noon both repeaters were connectable but neither of them could provide internet connection... Well that sucks! I restarted both of them a few times, neighbours restarted their main router -- still no luck.
Here comes my router [God am I happy with this purchase and the whole idea of a customized router!!! Thanks @hakx20!].
I brought it outside, plugged it in. Connected to it through its hotspot, used nmcli to connect to neighbours' main router with an internal wifi card (that shitty mPCIe operating in USB mode. yes, the same one, manufactured in 2003. Yes, in g mode.). A couple of iptables rules for traffic forwarding et voila! I have built my own repeater! And tomorrow I can WFH w/o any issues.
Yes, hardware routers are faster and easier to maintain. Yes, hardware routers are cheaper and usually have nicer bells and whistles. But when hardware fails you and the last thing you want is going to the public (shop), soldering rod won't help you. A software solution becomes the easiest to set up, considering you know how to.
Boi am I so happy about my purchase! CentOS router FTW!
P.S. even though we've fled the city we are responsible citizens and we've self-quarantined ourselves for the 14 days period. No local person any closer than 10 meters for the whole period until we're cleared. Being away from the city gives us sooo much freedom! Especially now, when cities are shitting bricks in fear.
## Building my own router
So after poor luck with mPCIe in my miniPC I decided to go with USB wifi solutions. So I got the https://aliexpress.com/item/... , hooked it up and started setting things up. Took me a day to figure out that firewalld (CentOS7/8 firewall) is not directly compatible with raw iptables commands. Damn it! But hey, a lesson learnt is time well spent!
Installed named, dhcpd, hostapd, disabled NetworkManager for my wifi card, etc.. And had to learn another lesson -- if a network interface is bridged then iptables sees the bridge rather than the raw interface. That's another 2 hours well spent :)
In the end I have a working AP!!! It's still hooked in to my router via RJ45, but it does work and does work quite well!
Here's some comparison for now:
via router (2.4): https://speedtest.net/result/...
via router (5): https://speedtest.net/result/...
via miniPC (2.4): https://speedtest.net/result/...
via miniPC (5): <TBD>
Not that bad, aye?
All in all I'm happy with my decision to build a miniPC based router. Now I have the modularity I wanted so much and a complete control on my networking! Can't wait for wifi6 USB dongles to be released :)
## Building my own router
Damn it! I've got to read more before making decisions :) I already do that, but I need yet *MORE* reading.
So I bought a miniPC which I'm planning to turn into a router. I wanted to install AX200 (wifi6) card in it but it could only see the bluetooth part of it (using btusb kernel module).
What I did NOT know about wifi cards and mPCIe slots
M2 is only a form-factor. It defines what the connector looks like. Over that connector multiple different protocols could be used. m2 (NGFF) WIFI cards are usually using PCIe proto. And USB.
My so-desired AX200 uses both PCIe and USB protocols: USB for BT and PCIe for the actual wifi.
https://ark.intel.com/content/www/.... The same spec applies to both: m2 and mPCIe card versions.
Now my mini PC has a mPCIe slot but the label on the board says "USB wifi". Which suggests that it only accepts the USB-related pins of mPCIe (as wiki says about mPCIe: "The host device supports both PCI Express and USB 2.0 connectivity, and each card may use either standard.").
So I guess that means I'm stuck with a useless mPCIe port :D shit..
Now my best bet is to wait for USB dongles supporting wifi6 and use usb AC adapters until then. Well... It's not an optimal outcome. But still IMO a better solution than an embedded router from the shelf!
(No, I'm not giving up and buying another used/new PC :) )
At last I can calm down and stop searching for magical pcie-to-usb adapters :) Phew... That's a relief!
Last week I wired up my home network (including custom modem and routers) myself, because the stuff my ISP wanted me to use was garbage.
Luckily Germany has "router-freedom" so ISPs are not allowed to force us to use their device to dial into the network.
I did everything myself, because the 'technicians' they kept sending me were just idiots who didn't know anything, considering the highly paid job they are doing. Usually they told me, to get the device from my ISP, because my "Router" (actually a business grade, standalone Modem by Cisco, to feed my Router) didn't even have WiFi ( lol ). Also all Technicians didn't arrive at the agreed date but at some other time. I wasn't able to wait any longer.
So I did it myself.
Consider me something more like a student of theoretical computer science. Not actually supposed to be experienced with hardware stuff.
The ISP is serving me with a DOCSIS 3.0 Network based on the television cable network in my city. For some reason they are providing the internet-access to only one socket in the apartment, which has a rather uncommon "WICLIC" connector. After having trouble getting an adapter for WICLIC to common coaxial F-Connectors (used by every DOCSIS-Modem), I made one myself.
After setting up everything (not that hard, once the connectors fit) my modem told me, that, while I'm perfectly connected to the ISPs internal Network, I still can't access the internet.
So I called the ISP...
After getting ranted at, about that what I'm doing is illegal and only certified employees are allowed to do this and I will break more, than actually do good and that I can't just connect my own "Router" (again I needed to correct her: Modem) I hung up the phone.
Also she accused me of hacking their devices because I'm not supposed to see my IP address... (My Modem told me on its web interface. I didn't even need telnet for that.)
I went to the ISPs head office, told the first desk as many technical terms as I could remember and got forwarded to something like the main technician.
He was a really nice guy. The only sane and qualified person I dealt with at this company. He asked me for my Address and Device Model, I told him my MAC and last internal IP, I had seen and he activated my internet access within a minute.
We talked a while about the stupid connector that ISP is using in the homes and he gifted me some nicer adapters to connect my modem to the wall.
Why do ISPs hate their customers that much?
Years ago was the first time I put custom firmware on our wndr3700 router, it hasn't crashed since.
I bought a wndr4700, faster, 5ghz, possibility for a hard drive.
It's been 3 years and still no custom firmware.
After waiting 3+ years, I finally found custom firmware for my netgear wndr4700.
LEDE project(based on openwrt), you are amazing.
Now just to figure out the 10000 options i have now.
Anyone that can help me?
Per example, my router should be capable of 300 mbit theory and 200 mbit practical.
But the custom firmware says max 150mbit.
So my future isp Jio fiber is rumoured to be using DPI. Main proof comes when an executive said "It’s called Deep Packet Inspection, and what you can do with the analytics of that is mind-boggling," in a new article. https://reuters.com/article/...
Should I be afraid or am I just being paranoid? Also should I just switch to another isp altogether if they are using DPI?
Also mini rant :- They make it harder to use your own router by not allowing bridge mode on their router and custom ONTs don't seem to work. The best option is to connect lan port of their router to the wan port of your router and disable wifi on their router