
How to Secure Your Network With Tomato April 30, 2009

Posted by tasthius in Uncategorized.

This post was first written by me for the overclock.net message forum.  I have since transferred it here since I opened this blog.

This is going to be a tutorial to show you how to secure your network using the Tomato firmware. It is not a comprehensive tutorial on every aspect of Tomato; it focuses on the settings that matter for security.

This tutorial assumes that you have a router that can be flashed with the Tomato firmware. If you are not sure whether your router supports it, check the supported-hardware list on the Tomato site.

In my opinion, Tomato is simpler, yet as fully functional as DD-WRT, while being more lightweight. Like DD-WRT, it runs a Linux kernel (which means it is really just a very small Linux distro). I am going to assume that you know how to flash the router with the firmware; if you don’t, follow the flashing instructions on the Tomato site. Once flashed, you should be able to log in to your router by browsing to whatever address your router used before.

Here is a screenshot of the introduction screen:

For brevity, I am not going to discuss the “Status,” “Bandwidth,” or “Tools” menus, as they are self-explanatory and not related to security. But you might want to go through them to make sure everything looks to be recognized properly.

I will start with the “Basic” menu. Click on it, and then on “Network.” Under WAN/Internet, the settings are self-explanatory. You will probably want to use DHCP and keep the MTU at default. Under LAN, you can change the router’s IP address, but I see little point in doing so.

Now for the first tip: next to “IP Address Range,” only hand out as many DHCP addresses as there are machines on the subnet. If you are using Tomato for, say, one wired machine and one wireless machine, then set the range to something like

Code: -

This keeps the DHCP server from leasing more than two addresses at once. Be clear about what it does and does not do: a third machine will not get an address automatically, but anyone who can already reach the network (on the wire, or with the wireless key) can simply configure a static address in the same subnet and talk anyway. Treat it as housekeeping that makes an unexpected lease stand out in the Status page, not as access control. See the example below:

Now, move down to the “Wireless” section (still under Basic –> Network). Obviously you will only enable this if you have a need for wireless. If you do need it, then click “Enable.” If you don’t need it, be sure to uncheck the box; a radio that is off cannot be attacked. Now, for “Wireless Mode” select Access Point. For “B/G Mode” it is recommended to leave it “Mixed,” but I prefer to keep it on “G Only” because my wireless adapter supports G (as most do). Under SSID, set whatever name you want to be broadcast. Under that you can choose whether it is broadcast at all; I recommend letting it broadcast. Hiding the SSID does not keep it secret (it is still sent in the clear whenever a client connects) and it makes your own laptop probe for the network by name wherever it goes. Next, under “Channel,” just select a channel that no neighbors are on.

Now, for the important part. The “Security” setting is going to depend on what your wireless adapter can handle (look in the instruction manual or Google if you don’t know). If your adapter can handle WPA2, then you should definitely use that (select WPA2 Personal). If not, then use WPA Personal. If you are stuck with an ancient adapter that only handles WEP, then enable that, but understand that WEP is broken: its keys can be recovered from captured traffic in minutes with freely available tools, so replace the adapter as soon as you can. Now, for “Encryption” select AES rather than TKIP. TKIP was only ever a stopgap for WEP-era hardware and has known weaknesses; AES is the standard strong cipher today and is approved by the NSA for protecting TOP SECRET data. There is no practical attack on AES itself, so with WPA2 and AES the weak point of your network is the passphrase, not the cipher.

Here is perhaps the most important part of wireless security: selecting a strong key. Here is a nice function of Tomato: next to “Shared Key” hit the “Random” button. This generates a pseudo-random passphrase 60 characters long (the maximum WPA allows is 63). Once an attacker has captured the handshake of a WPA-Personal network, the only attack left is to guess passphrases offline, which is why short or dictionary phrases get cracked and a random 60-character one does not: brute-forcing a key of this size would take longer than the age of the universe even using every computer on earth (see the post in my sig for more detail).
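To make the numbers behind that claim concrete, here is a small added example (my own, not from the original post or from Tomato) that generates a maximum-length WPA passphrase from the OS random generator, computes its entropy, estimates brute-force time at a given guess rate, and derives the 256-bit PMK that a WPA-Personal network actually uses from the passphrase and SSID (PBKDF2-HMAC-SHA1, 4096 iterations, per IEEE 802.11i). The 94-character printable-ASCII alphabet is my assumption about what Tomato's “Random” button draws from; the passphrase/SSID pair “password”/“IEEE” is the published 802.11i test vector.

```python
# Added example, not from the original post: WPA2-Personal key strength in numbers.
import hashlib
import math
import secrets
import string

# Assumption: Tomato's "Random" button draws from printable ASCII; we use the
# 94 printable, non-space ASCII characters (letters, digits, punctuation).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_psk(length: int = 63) -> str:
    """Generate a WPA/WPA2 passphrase from the OS CSPRNG.
    802.11i allows a passphrase of 8 to 63 printable ASCII characters."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def years_to_brute_force(bits: float, guesses_per_second: float) -> float:
    """Expected time to search half the keyspace at the given guess rate."""
    seconds = (2.0 ** (bits - 1)) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """The 256-bit PMK/PSK a WPA-Personal network derives from passphrase and SSID:
    PBKDF2-HMAC-SHA1 with 4096 iterations (IEEE 802.11i). An attacker who has
    captured the 4-way handshake must compute this once per passphrase guess,
    which is what makes the guess rate so much lower than for a plain hash."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("ascii"), 4096, 32
    )


if __name__ == "__main__":
    key = random_psk()
    print("passphrase:", key)
    print("entropy bits: %.1f" % entropy_bits(len(key)))
    # A GPU-class attacker: assume 1e6 PBKDF2 guesses per second.
    print("years at 1e6 guesses/s, 8 random chars: %.2f" %
          years_to_brute_force(entropy_bits(8), 1e6))
    print("years at 1e6 guesses/s, 63 random chars: %.3g" %
          years_to_brute_force(entropy_bits(63), 1e6))
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    print("PMK for password/IEEE:", wpa_pmk("password", "IEEE").hex())
```

The PMK depends on the SSID as well as the passphrase, which is why precomputed tables only exist for common network names; that is a second, smaller reason not to leave the SSID at the factory default.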

You may ask, how will I remember this? You don’t have to. Simply write the key down (or print it) and transfer it to your wireless PC. Most adapters will store the key so you don’t have to enter it each time. What I did was e-mail the key to myself, then opened the email on my wireless PC and cut and pasted it. This way, I didn’t have to enter it manually. I am not worried about my e-mail being “intercepted,” but if you are, then encrypt your email or simply enter the pass key manually.

Once done with this, be sure to click SAVE.

Here is what my “Wireless” screen looks like:

Now, moving on. Click on Basic —> Static DHCP. You don’t have to do this, but I prefer both of my PCs to always get the same IP address. Simply enter your computer’s MAC address, then the IP address you want it to always receive (it has to be within the range you specified under “IP Address Range”), then the hostname for the PC, and click Add. Do this for however many PCs you have. Note that this is a DHCP reservation, not a security control; its value is that each host always shows up at the same address, so the Status page and the logs are easier to read. Save when done.

Now, click on Basic —> Wireless Filter. Click on “Permit Only the Following Clients.” Here you ONLY want to allow the wireless PCs you actually have. So, if you only have one PC connecting wirelessly, enter its MAC address and a “Description” (for this I entered the hostname). This enables MAC filtering. On its own it is weak security: MAC addresses are sent in the clear in every wireless frame, so anyone listening can see an allowed address and configure their own adapter to use it. It stops casual intruders and nothing more; the WPA2 key is what actually keeps people out. Now, click Save and let’s move along.

Click on Advanced —> Firewall. The firewall in Tomato is always enabled, but let’s check it to make sure. Unsolicited inbound traffic from the Internet is dropped by default; unchecking “Respond to ICMP Ping” additionally makes the router ignore pings from outside, so a scanner gets no reply at all. I have all three options unchecked. As for NAT Loopback, I have it set to “Forward Only,” which is probably what most people want. NOTE: If you are a Linux guru and are familiar with iptables rules, you can write your own custom firewall rules, though I see little reason to on a home network, as everything is already blocked on the inbound side by default.

Now click on Advanced —> Wireless. Most of these settings have nothing to do with security, so I will skip them. The one that matters for our purposes is “Maximum Clients.” Set this to however many wireless PCs will actually connect to the router. In my case I only have one, so I set it to “1.” Then, as long as your wireless adapter is associated, no other wireless client can associate at the same time. Like the DHCP range, this is a capacity cap rather than authentication, so treat it as an extra layer on top of WPA2, not a substitute for it.

Now, let’s move down to Administration —> Admin Access. At this screen, the first option is “Local Access.” I change it to HTTPS on port 443, so the admin password never crosses the LAN in cleartext (the certificate is self-signed, so your browser will warn the first time; that is expected). Now, here’s the important part: if you will NOT be connecting to your router from a remote location, then be sure to set “Remote Access” to DISABLED. Below this option is “Allow Wireless Access,” which lets someone connected wirelessly administer the router. I leave this UNCHECKED. If I want to administer the router, I simply do it from my main wired box.

Now, for perhaps the most important security option of all: under “SSH Daemon” you can allow SSH connections or turn them off completely. The main reason you might want SSH is to open a shell on the router for advanced configuration. If you have no need for this, then turn it OFF and ignore the next couple of paragraphs. (Be sure to click Save when done.)

If you DO want SSH access to the router, then click “Enable at Startup.” Now, the biggest decision here is whether you want to reach SSH from the outside. If you do NOT need to access the router from outside the network, then be sure to UNCHECK “Remote Access.” If you do want to access it remotely, then check the “Remote Access” box and change the port to something other than 22. Port 22 is scanned constantly on the Internet, so a different port cuts down the log noise, but it hides nothing from a full port scan; what actually protects you is key-only login (next) and the IP restriction further down.

Here is another big security enhancement. Uncheck the box “Allow Password Login.” What, you say? Do not allow a password login? That’s right, uncheck that box. Instead of a password, you authenticate with an SSH key pair, which you generate outside of Tomato. How to do this depends on your OS. On Windows, a tool such as PuTTYgen will do it. On Linux, install ssh and run “ssh-keygen -t rsa -b 4096” from the terminal, then open /home/username/.ssh/id_rsa.pub and paste its single line into the “Authorized Keys” box in Tomato. Paste only the .pub file: the private key (id_rsa, with no extension) stays on your PC and is never given to the router or to anyone else. You can also create a DSA key instead of RSA, but DSA in SSH is limited to 1024 bits, so stick with RSA of at least 2048 bits.

Once the key is set up, simply open a terminal and type “ssh root@name_of_your_router” (root is the only account on the router). That’s it; it will not prompt you for a password because the key does the authentication.
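The most common mistake at this step is pasting the wrong thing into the “Authorized Keys” box: the private key, a PuTTY-format key, or a key of a type the router won’t accept. Here is an added example (mine, not from the original post or from Tomato) that parses an OpenSSH public-key line the way the router will, rejects private keys and non-OpenSSH formats, and reports the key type and size so a weak key is caught before it is installed. The `make_openssh_rsa_line` helper exists only to build a sample line from a constructed placeholder modulus; it is not a key generator, and the modulus it is given is not a real key.

```python
# Added example, not from the original post: check an authorized_keys line before
# pasting it into Tomato. An OpenSSH public key line is
#   <key-type> <base64 blob> [comment]
# where the blob holds the key in SSH wire encoding (RFC 4253 "string"/"mpint").
import base64
import struct


def _string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(n: int) -> bytes:
    """SSH wire 'mpint' for a non-negative integer (leading 0x00 if the high bit is set)."""
    if n == 0:
        return _string(b"")
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(blob: bytes, off: int):
    (length,) = struct.unpack_from(">I", blob, off)
    end = off + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end


def make_openssh_rsa_line(e: int, n: int, comment: str = "") -> str:
    """Encode an RSA public key exactly as id_rsa.pub does (used here only to build a sample)."""
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def inspect_authorized_key(line: str) -> dict:
    """Parse one authorized_keys line; raise ValueError for anything that must not be pasted."""
    line = line.strip()
    if "PRIVATE KEY" in line:
        raise ValueError("this is a private key: paste the .pub file, never the private key")
    if line.startswith("PuTTY-User-Key-File") or line.startswith("---- BEGIN SSH2 PUBLIC KEY"):
        raise ValueError("PuTTY/SSH2 format: export the OpenSSH one-line public key instead")
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    inner, off = _read_string(blob, 0)
    if inner.decode("ascii", "replace") != keytype:
        raise ValueError("key type in text (%s) does not match blob (%r)" % (keytype, inner))
    info = {"type": keytype, "comment": parts[2] if len(parts) == 3 else ""}
    if keytype == "ssh-rsa":
        _e, off = _read_string(blob, off)          # public exponent
        n_bytes, off = _read_string(blob, off)     # modulus
        info["bits"] = int.from_bytes(n_bytes, "big").bit_length()
        info["ok"] = info["bits"] >= 2048
        info["note"] = "" if info["ok"] else "RSA modulus under 2048 bits; regenerate with ssh-keygen -t rsa -b 4096"
    elif keytype == "ssh-dss":
        p_bytes, off = _read_string(blob, off)     # p; then q, g, y
        for _ in range(3):
            _, off = _read_string(blob, off)
        info["bits"] = int.from_bytes(p_bytes, "big").bit_length()
        info["ok"] = False
        info["note"] = "ssh-dss is limited to 1024-bit keys; prefer RSA"
    else:
        info["ok"] = False
        info["note"] = "unrecognised key type; check that the router's SSH daemon supports it"
        off = len(blob)
    if off != len(blob):
        raise ValueError("trailing bytes after key material")
    return info


if __name__ == "__main__":
    # Constructed placeholder modulus (a 2048-bit odd number), NOT a real key.
    sample = make_openssh_rsa_line(65537, (1 << 2047) | 1, "me@wiredbox")
    print(inspect_authorized_key(sample))
```

Run it against the contents of your real id_rsa.pub before pasting; a result with `ok` false tells you to regenerate, and a ValueError tells you that you picked up the wrong file.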

Now, still on the same screen, look at “Remote Web/SSH Admin Restriction.” If you plan to administer your router from the outside, then next to “Allowed IP Address” enter the address(es) you will connect from (for more than one, separate them by commas). Every other address is rejected. This only works if the place you connect from has a fixed public IP; if that address changes you will lock yourself out, so plan for it.

Here’s how I have mine set-up. I have it set where SSH is ONLY allowed locally. If you need it remotely, again, follow the directions above.

Under “Telnet Daemon,” I recommend EVERYONE turn this OFF. Telnet sends everything, including the password, in cleartext, and SSH does the same job properly.

Under “Password” set your administrator password. Make it something strong, but also something you can remember. Tomato ships with a well-known default, and this same password is what root uses for SSH and Telnet, so change it even if you never enable remote access.

Now click Save. You will probably also want to reboot the router.

That’s it. This tutorial should provide more than adequate security for a home wireless network, making it far more trouble to crack than it’s worth.