# Tutorial: Secure Your Network With Tomato



## thiussat

This is going to be a tutorial to show you how to secure your network using the Tomato firmware. This is not a comprehensive tutorial on every aspect of Tomato, but rather focuses on security.

This tutorial is going to assume that you have a router that can be flashed with the Tomato firmware. The routers that Tomato is capable of running on (as of April 2009) are the following:

Linksys:

 WRT54G v1-v4
 WRT54GS v1-v4
 WRT54GL v1.x
 WRTSL54GS (no USB support)

**Note: Most WRT54G and WRT54GS (not WRT54GL) sold in stores right now are the v5.0+ variety and will not work with Tomato.**

If you want to buy a Linksys router, then you definitely want to buy the WRT54GL.

Buffalo:

WHR-G54S
WHR-HP-G54
WZR-G54
WBR2-G54

Asus:

WL500G Premium

The SparkLAN WX-6615GT also is reported to work.

If you have one of the above routers you should definitely give Tomato a try. In my opinion, it is simpler, yet as fully functional as DD-WRT, while being more lightweight. Like DD-WRT, it runs a Linux kernel (which means it is really just a very small Linux distro). I am going to assume that you know how to flash the router with the firmware. If you don't, then go here. Once flashed, you should be able to login to your router by entering http://192.168.1.1 or whatever address your router used before.

Here is a screenshot of the introduction screen:

[screenshot not included in this copy]

For brevity, I am not going to discuss the "Status," "Bandwidth," or "Tools" menus, as they are self-explanatory and not related to security. But you might want to go through them to make sure everything looks to be recognized properly.

I will start with the *"Basic"* menu. Click on it, and then on *"Network."* Under *WAN/Internet*, the settings are self-explanatory. You will probably want to use DHCP and keep the MTU at default. Under *LAN*, you can change the router's IP address, but I see little point in doing so.

Now for the first security tip, next to *"IP Address Range"* only allow a number of IP addresses to be assigned that are equal to the number of machines on the subnet. If you are using Tomato for, say, one wired machine and one wireless machine, then set the allowable IP addresses to something like

192.168.1.100 - 192.168.1.101

This will only allow 2 machines to be active at once on the network. The router will not allow any more IPs to be assigned. See the example below:

[screenshot not included in this copy]

Now, move down to the *"Wireless"* section (still under Basic --> Network). Obviously you will only enable this if you have a need for wireless. If you do need it, then click "enable." If you don't need it, be sure to uncheck the box. Now, for *"Wireless Mode"* select Access Point. For *"B/G mode"* it is recommended to leave it "Mixed" but I prefer to keep it on "G Only" because my wireless adapter supports G (as most do). Under *SSID*, set it to whatever name you want to be broadcast. Under that you can check whether you want it to be broadcast at all (I recommend letting it broadcast). Next, under *"Channel"* just select a channel that no neighbors are on.

Now, for the important part. The *"Security"* setting is going to depend on what your wireless adapter can handle (look in the instruction manual or Google if you don't know). If your adapter can handle WPA2, then you should definitely use that (*select WPA2 Personal*). If not, then use WPA Personal. If you are stuck with an ancient adapter that only can handle WEP, then enable that *(though WEP sucks and is easy to crack)*. Now, for *"Encryption"* select *AES*. AES is pretty much the standard in strong encryption today and has been approved by the NSA for TOP SECRET data. It will not be broken in our lifetimes (but if it is broken it will be big news and everyone can switch).

Here is perhaps the most important part of wireless security: selecting a strong key. Here is a nice function of Tomato: next to *"Shared Key" hit the "random" button.* This will automatically generate a pseudo-random pass-key that is 60 characters in length. To brute force a pass phrase of this size would take longer than the age of the universe even if using every computer on earth (see the post in my sig for more detail).

You may ask, how will I remember this? You don't have to. Simply write the key down (or print it) and transfer it to your wireless PC. Most adapters will store the key so you don't have to enter it each time. What I did was e-mail the key to myself, then opened the email on my wireless PC and cut and pasted it. This way, I didn't have to enter it manually. I am not worried about my e-mail being "intercepted," but if you are, then encrypt your email or simply enter the pass key manually.

Once done with this, be sure to click *SAVE.*

Here is what my "Wireless" screen looks like:

[screenshot not included in this copy]

Now, moving on. Click on *Basic ---> Static DHCP.* You don't have to do this, but I prefer both of my PCs to always have a static IP address. Simply enter your computer's MAC address, then enter the IP address you want it to always have (it has to be an address within the range you specified under "IP Address Range"). Then enter the hostname for the PC and click add. Do this for however many PCs you have. *Save when done.*

Now, click on *Basic ---> Wireless Filter.* Click on *"Permit Only the Following Clients."* Here you ONLY want to allow however many wireless PCs you have. So, if you only have 1 PC connecting wirelessly, then enter its MAC address and its "Description" (for this I entered the hostname). This will enable MAC filtering, which is not all that great of security by itself, but is a smart thing to do to stop casual intruders. Now, *click save* and let's move along.

Click on *Advanced ---> Firewall.* The firewall in Tomato is always enabled, but let's check it to make sure. If you want every inbound packet blocked, then uncheck "Respond to ICMP Ping." I have all of the three options unchecked. As for NAT Loopback, I have it set to "Forward Only" which is probably desirable for most people. NOTE: If you are a Linux guru and are familiar with iptables rules, you can write your own custom firewall rules, though I see little reason to do so for a home network, as everything is already blocked on the inbound side by default.

Now click on *Advanced ---> Wireless*. Most of these settings have nothing to do with security, so I will skip them. The one that is important for our purposes is the *"Maximum Clients"* option. Here you want to set this to however many wireless PCs you will have connecting to the router. In my case, I only have one, so I set it to "1." This will make it so that as long as your wireless adapter is actively connected, no other wireless client can be connected at the same time.

Now, let's move down to *Administration ---> Admin Access.* At this screen, the first option is *"Local Access"*. I prefer to change it to *HTTPS*, and put the port on *443.* Now, here's the important part -- if you will *NOT* be connecting to your router from a remote location, then be sure to set *"Remote Access" to DISABLED.* Below this option is an option to *"Allow Wireless Access."* What this does is allow someone connected wirelessly to administrate the router. I prefer to leave this *UNCHECKED*. If I want to administrate the router, I will simply do it from my main wired box.

Now, for perhaps the most important security option of all: Under *"SSH Daemon"* you have the option to allow ssh connections or turn it off completely. The main reason you might want SSH is if you want to open a shell within your router for advanced configuration. If you have no need for this, then turn it *OFF.* If you choose to turn it off, then ignore the next couple of paragraphs. (Be sure to click *Save* when done).

If you *DO* want ssh access to the router, then click *"Enable at Startup."* Now, the biggest decision here is whether you want to be able to access SSH from the outside. If you *do NOT* need to access the router from outside the network, then be sure to *UNCHECK "Remote Access."* If you do want to access it remotely, then check the "Remote Access" box and change the Port to something other than 22 (port 22 is scanned constantly on the Internet).

Here is another big security enhancement. Uncheck the box *"Allow Password Login."* What, you say? Do not allow a password login? That's right, uncheck that box. Instead of using a password, you want to use a DSA or an RSA key. You will have to generate this key outside of Tomato. How to do this depends on what OS you are using. For Windows, click here. When you generate the key, then cut and paste the public key into the *"Authorized Key"* box in Tomato. (For Linux, simply install ssh, and then run from the terminal "ssh-keygen -t rsa" -- then navigate to /home/username/.ssh/id_rsa.pub. Open *id_rsa.pub* and cut and paste the key into the *"Authorized Keys"* box in Tomato. You can also create a DSA key instead of RSA and even change the key length.)

Once you get the keys set up, then you simply open a terminal and type "ssh root@IP_of_your_router". That's it, it will not prompt you for a password because you are now using an ssh key.

Now, still on the same screen, look at *"Remote Web/SSH Admin Restriction."* If you plan to administer your router from the outside, then next to *"Allowed IP Address"* enter the IP address that you want to be allowed to connect (for more than one, separate them by commas). All IP addresses not listed will automatically be blacklisted.

Here's how I have mine set up. I have it set where SSH is ONLY allowed locally. If you need it remotely, again, follow the directions above.

[screenshot not included in this copy]

Under *"Telnet Daemon,"* I recommend *EVERYONE* turn this OFF.

Under *"Password"* set your administrator password. Make it something strong, but also something you can remember.

*Now click Save.* You will probably also want to reboot the router.

That's it. This tutorial should provide more than adequate security for a wireless network, making your network far more trouble to crack than it's worth.


----------



## WannaBeNoob

Very Nice Tutorial, +rep for you man.


----------



## murderbymodem

Great tutorial, it's a shame I can't use it. I got a v5.

I'll have to look around. If I can find a newer Linksys router with wireless N that I can use custom firmware with it may be worth the upgrade.

Quote:

Broadcom BCM5352EKPB Chipset - Switched to VxWorks OS and reduced Flash Memory and RAM; not compatible with most 3rd party firmware. Then, Vxworkskiller (by bitsum.com) was created, which restores compatibility with some 3rd party firmware. Since less physical RAM is available in this and future models, the 3rd party firmware (popular opensource projects) were modified into special "micro" versions


----------



## lockrob2000

I followed your instructions - very clear by the way - and now get the message that the link is broken and I can't log into the router. It appears to be working, I just can't get to it any more. Any suggestions?
Thanks


----------



## Lige

Try to power cycle the router by unplugging it for thirty seconds and plugging it back in.


----------



## lockrob2000

Did that -
No joy -
Perhaps a hard reset...


----------



## Armitage

Quote:


Originally Posted by *lockrob2000*
Did that -
No joy -
Perhaps a hard reset...

Have you switched admin access to HTTPS as the tutorial suggests? If so, you will need to use https://192.168.1.1 instead of http.


----------



## MrMeck

Can Tomato be used on a WRT54G2 v1? Currently I use dd-wrt, but I hear Tomato is faster.


----------



## luv2sd

bump for a great guide


----------



## SpideySense

I've been playing around with my Tomato firmware lately, but there are a couple things I can't figure out. First of all, I got the passwordless ("Authorized Keys") bit working thanks to this thread, but only for one of the two computers I want to access it from. Do you know what Tomato expects between the two keys? Just on the next line? Does it matter? Can more than one key be in the authorized key list?

I also got the Transmission bittorrent daemon (via ipkg) working, but I don't really like the idea of it running as root the whole time. I managed to add a new user, but couldn't figure out how to define/change his password, which would be ideal as the torrent client has a web GUI. Typical Linux commands for this (changing a password) don't seem to work.

Any suggestions are appreciated!
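
The tutorial's "Authorized Keys" step and SpideySense's question about a second key both come down to the file format the router's SSH daemon reads: one public key per line, written as type, base64 blob, optional comment. The checker below is an added example, not code from this thread or from Tomato; it assumes the Authorized Keys box takes standard OpenSSH-style authorized_keys lines (Tomato ships dropbear, which reads that format) and builds its own constructed, unusable sample key so it runs offline.

```python
import base64
import struct

# Key types the tutorial names (RSA, DSA) -> length-prefixed fields in the blob (type tag + integers).
EXPECTED_FIELDS = {"ssh-rsa": 3, "ssh-dss": 5}

def _ssh_string(data: bytes) -> bytes:
    """One SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    """A positive integer as an SSH mpint (extra zero byte if the high bit is set)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + raw if raw[0] & 0x80 else raw)

def make_constructed_rsa_line(comment: str) -> str:
    """Well-formed ssh-rsa line built from CONSTRUCTED toy numbers; not a usable key."""
    e, n = 65537, 0xC3ED7A0B9F1D2E3C4B5A69788796A5B4C3D2E1F0  # constructed, far too small
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment

def _split_fields(blob: bytes):
    """Whole length-prefixed fields of a blob; None if any field runs past the end."""
    fields, pos = [], 0
    while pos < len(blob):
        length = struct.unpack(">I", blob[pos:pos + 4])[0] if pos + 4 <= len(blob) else None
        if length is None or pos + 4 + length > len(blob):
            return None
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    return fields

def check_key_line(line: str):
    """(ok, reason) for one line in the form the Authorized Keys box expects."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in EXPECTED_FIELDS:
        return False, "expected '<ssh-rsa|ssh-dss> <base64> [comment]' on a single line"
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "key data is not valid base64 (wrapped or cut short when pasted?)"
    fields = _split_fields(blob)
    if fields is None or len(fields) != EXPECTED_FIELDS[parts[0]] or fields[0] != parts[0].encode():
        return False, "key blob is truncated, has the wrong field count, or its type tag mismatches"
    return True, "ok"

def check_authorized_keys(text: str):
    """Check each non-blank, non-comment line; returns [(line_no, ok, reason)]."""
    return [(i, *check_key_line(l.strip())) for i, l in enumerate(text.splitlines(), 1)
            if l.strip() and not l.strip().startswith("#")]
```

Paste the text you intend to put in the box through check_authorized_keys first: a key that an e-mail client or editor wrapped onto two lines shows up as two failing lines, which is the usual reason a second key "does not work".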


----------



## scottsee

Well, props on actually searching and trying to bring up a thread instead of making a new one. But perhaps, seeing how your question is more specific to your particular situation, a new thread is a better idea.


----------



## dccgiang

Could someone help me configure my router using the Tomato Firmware v1.28.9054 MIPSR2-beta K26 USB Ext so I can log in to the router remotely and Wake On Lan my computer?

I can wake on lan my computer from within the local area network via the router GUI.


----------



## linkinparkfan007

Repped and bookmarked, very good tut.


----------



## Qiko

bumping old thread but great info here! +rep


----------

