[DD-WRT] Asus RT-AC68U vs Netgear R7000 vs other ?


spookyneo

Occasional Visitor
Hi,

I am looking for a new router for one of my customers. My customer is getting PCI certified, therefore I must isolate the payment terminal in a separate subnet. Their current router (Linksys EA4500) does not support having multiple subnets, so I am looking at a router that can run DD-WRT. Unfortunately, the EA4500 does not support DD-WRT.

While we're looking to change the router, the customer decided that he would like some improvements over the previous one. Here are the features that are important for the new router:
  • External antennas. The current router has very weak Wi-Fi coverage, even on 5 GHz.
  • Must be able to create different subnets with DHCP enabled on each subnet. These subnets must not be able to talk to each other; only to the Internet. I believe it is the "bridge" feature in DD-WRT.
  • Must be able to create multiple Wi-Fi networks which only have access to the Internet and cannot talk to each other. Sounds like a guest network to me!
  • A VPN server is required. OpenVPN Server is preferred, but L2TP or at worst PPTP is also possible.
  • Good Wi-Fi performance and dual band. My customer is in a building with a lot of Wi-Fi interference. He already has 5 GHz and wants to keep it. A lot of his devices are also running on Wi-Fi.
  • Upgrading to AC is a nice benefit because some of his devices support it.
  • Must be rock stable in DD-WRT. I wouldn't want to install something that will cause issues.

At first, I was going to buy the Asus RT-AC68U because I am an Asus fanboy and I know it is a good device. However, I've seen some reports that the Netgear R7000 might be more stable than the AC68U on DD-WRT. Stability is a very, very important point in this decision.

Both of these routers are in the price range.

Do you guys have other suggestions? I heard about the Buffalo WZR-1750DHPD which comes with DD-WRT preinstalled, but I've read that the performance isn't very good.

Thanks,

Neo.
 
Won't you need a router that's PCI-compliant or at least with some certifications for that network?

Quite frankly, with the security track record of those home routers, I wouldn't use them on a network that involves payment information. Get a business-class product.
 
Won't you need a router that's PCI-compliant or at least with some certifications for that network?

Quite frankly, with the security track record of those home routers, I wouldn't use them on a network that involves payment information. Get a business-class product.

A PCI-compliant router is not required, at least for our Self-Assessment Questionnaire (SAQ). It is just mandatory that the payment terminal must not be able to talk to others on the network. Which is why I am looking at subnetting.

I too would prefer a business-class product (my primary job is working as a Net Admin with Cisco/HP network products), but my client doesn't want to pay that much. This is why I am looking at high-end home products but with DD-WRT.
 
A PCI-compliant router is not required, at least for our Self-Assessment Questionnaire (SAQ). It is just mandatory that the payment terminal must not be able to talk to others on the network. Which is why I am looking at subnetting.

I too would prefer a business-class product (my primary job is working as a Net Admin with Cisco/HP network products), but my client doesn't want to pay that much. This is why I am looking at high-end home products but with DD-WRT.

And they don't have a managed switch in place, which could let you set up VLANs, by any chance?

RT-AC68U and R7000 are two very similar routers performance-wise. Slightly faster CPU on the R7000, might be helpful if using DD-WRT on a WAN that's faster than 300 Mbps (since it lacks CTF support), or for the OpenVPN server it will host. One advantage of the R7000 is that Kong is actually working on that specific model, so you could expect better DD-WRT support than with the RT-AC68U.
 
And they don't have a manageable switch in place, which could let you setup VLANs by any chances?

RT-AC68U and R7000 are two very similar routers performance-wise. Slightly faster CPU on the R7000, might be helpful if using DD-WRT on a WAN that's faster than 300 Mbps (since it lacks CTF support), or for the OpenVPN server it will host. One advantage of the R7000 is that Kong is actually working on that specific model, so you could expect better DD-WRT support than with the RT-AC68U.

Thanks for replying so promptly Merlin.

They unfortunately don't have a managed switch in place. They actually have wired 2 desktops, 1 server and the payment terminal to their current router. That's pretty much it for the copper; everything else is wireless (2 laptops and 1 printer). Because of their current needs, a separate switch is not required, so they never bought one. As you can see, it is a very small network.

I totally agree that a router/firewall such as a SonicWall would be better, but they aren't willing to pay that price. I also checked on buying everything separately (router, managed switch, AP), but this is also out of their budget. So I have to work within their budget, and DD-WRT fits in it.

So you would recommend an R7000 with DD-WRT then, between the 2? I know you are more Asus with your firmware, but are you aware of any important bugs/issues in Kong's releases that could have an impact on the operations of the business?

Again, thanks.
 
So you would recommend an R7000 with DD-WRT then, between the 2? I know you are more Asus with your firmware, but are you aware of any important bugs/issues in Kong's releases that could have an impact on the operations of the business?

I haven't kept up with Kong's development, sorry. Best place to check would be the DD-WRT forums, there are a few threads devoted to the R7000 there.
 
I haven't kept up with Kong's development, sorry. Best place to check would be the DD-WRT forums, there are a few threads devoted to the R7000 there.

No worries Merlin, thanks :)

I was thinking about this again this morning and a company came to my mind : Ubiquiti. They aren't as expensive as Cisco stuff, but they are more "business" than DD-WRT and a home router.

For the same price of an R7000 or an RT-AC68U, I could get a small Ubiquiti EdgeRouter X (5 ports) + a Ubiquiti AC AP. It supports VLANs, VPN (PPTP, L2TP, OpenVPN). I could just buy a dummy Gigabit switch for the server and desktops. The dummy switch does not need to support VLANs, as everything plugged into it would be on the same VLAN and the native VLAN configured in the Ubiquiti for that interface would be set properly.

The router : https://www.ubnt.com/edgemax/edgerouter-x/
The AC AP : https://www.ubnt.com/unifi/unifi-ap-ac-lite/

Any thoughts on Ubiquiti products?
 
Maybe my comments are two months too late, but here they are:

The Self-Assessment Questionnaire will accept a firewall which drops all packets between the POS terminal and any device which isn't its specific hosting server/subnet. This is easily configured in DD-WRT using a couple of 'iptables' firewall rules. A "separate subnet" is NOT required to lock down a device, and you will need (at most) just 6 rules to establish this lockdown:

(match source address == outside "partner" address or subnet) (match destination == POS Device) (match protocol = TCP) : FORWARD
(match source address == outside "partner" address or subnet) (match destination == POS Device) (match protocol = UDP) : FORWARD // only if UDP is also required.
(match source = POS Device) (match destination address = outside "partner") (match protocol = TCP) : FORWARD
(match source = POS Device) (match destination address = outside "partner") (match protocol = UDP) : FORWARD // only if UDP is also required.
(match source = POS device) (destination == everywhere) : DROP
(match destination = POS device) (match source == everywhere) : DROP

The reason why the SAQ is written in terms of "subnets" is: Many firewalls can't "reach" all the way down to the individual device. But DD-WRT "iptables" allows you to create a rock-solid firewall, while still using routing tables (and perhaps DHCP Reservations) on a single subnet. You will need to assure that your R7000 is physically and logically protected from ALL attempts at unauthorized connections, reconfiguration, and bypass.
- - - -

I'm using an R7000 with iptables in a similar manner, to prevent SIPVICIOUS attacks on my IP phones. Netgear firmware for R7000 doesn't provide a complete firewall (it can only limit or route "services" by port number, without making decisions based on Source or Dest addresses). (BTW, I'm using a Kong build from the most recent month. In my limited usage scheme, without attached storage or printers, it's been flawless.)
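The post above sketches the lockdown as six rule descriptions. The script below is an added example (not from the thread or from any poster) that turns the same idea into a DD-WRT firewall script, with one practitioner caveat built in: iptables FORWARD rules only see traffic the router routes. Hosts on the same subnet (here, the same br0 bridge) reach each other through the switch and never hit FORWARD, so the DROP rules cannot keep the office desktops away from a terminal that sits on the same LAN. The example therefore assumes the terminal has been put on its own bridge/VLAN (br1, 192.168.2.0/24) in the DD-WRT GUI, which is the "separate subnet" the original poster was after; the interface names, addresses and the processor range (203.0.113.0/24, a TEST-NET-3 placeholder) are all assumptions to adapt to the site. It also blocks the router's own admin interfaces from the POS segment, which is the "logically protected from reconfiguration" point the post makes.

```shell
#!/bin/sh
# Added example, not from the thread: a DD-WRT firewall script that confines a
# POS terminal to its own segment and lets it talk only to the card processor.
# On DD-WRT: Administration > Commands, paste, "Save Firewall" (DD-WRT re-runs
# it after every WAN (re)connect). Default is a dry run that prints the rules;
# APPLY=1 loads them. Everything below is an assumption to adapt to the site:
#   LAN_IF  main LAN bridge (desktops, server, printer)   192.168.1.0/24
#   POS_IF  separate bridge/VLAN for the terminal         192.168.2.0/24
#   POS     the terminal's DHCP-reserved address on POS_IF
#   PROC    the processor's address range (TEST-NET-3 placeholder)
LAN_IF=br0
POS_IF=br1
POS=192.168.2.10
PROC=203.0.113.0/24
IPT="${IPT:-iptables}"

# Remove any stale copy of a jump rule, then (re)insert it at position 1 so it
# runs before DD-WRT's own ACCEPT rules. Keeps re-runs idempotent.
jump() {
    chain=$1; shift
    $IPT -D "$chain" "$@" 2>/dev/null || true
    $IPT -I "$chain" 1 "$@"
}

pos_lockdown() {
    # Routed traffic to/from the POS segment (FORWARD chain).
    $IPT -N POS_SEG 2>/dev/null || true
    $IPT -F POS_SEG
    # Replies to flows accepted below. NEW flows from the LAN are never
    # accepted, so this cannot re-open LAN<->POS traffic.
    $IPT -A POS_SEG -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Segmentation: nothing between the POS segment and the office LAN.
    $IPT -A POS_SEG -i "$POS_IF" -o "$LAN_IF" -j DROP
    $IPT -A POS_SEG -i "$LAN_IF" -o "$POS_IF" -j DROP
    # The terminal may open TCP sessions to the processor, and nothing else.
    $IPT -A POS_SEG -i "$POS_IF" -s "$POS" -d "$PROC" -p tcp -m state --state NEW -j ACCEPT
    # Catch-alls: other hosts on the segment, UDP, other destinations, and
    # unsolicited inbound traffic to the segment are all dropped.
    $IPT -A POS_SEG -i "$POS_IF" -j DROP
    $IPT -A POS_SEG -o "$POS_IF" -j DROP
    jump FORWARD -i "$POS_IF" -j POS_SEG
    jump FORWARD -o "$POS_IF" -j POS_SEG

    # Traffic from the POS segment to the router itself (INPUT chain): only
    # DHCP and DNS; no web GUI, SSH or telnet from the terminal's segment.
    $IPT -N POS_IN 2>/dev/null || true
    $IPT -F POS_IN
    $IPT -A POS_IN -p udp --dport 67 -j ACCEPT
    $IPT -A POS_IN -p udp --dport 53 -j ACCEPT
    $IPT -A POS_IN -p tcp --dport 53 -j ACCEPT
    $IPT -A POS_IN -j DROP
    jump INPUT -i "$POS_IF" -j POS_IN
}

if [ "${APPLY:-0}" = 1 ]; then
    pos_lockdown
else
    (IPT=echo; pos_lockdown)   # dry run: print the rules instead of loading them
fi
```

Run it as-is to review the generated rules, then with `APPLY=1` (as root on the router) to load them; in the DD-WRT firewall script box, put `APPLY=1` on the first line. The dedicated chains are flushed and rebuilt on every run, so the script can be re-applied without piling up duplicates. Because the rules match on interfaces rather than only on addresses, a device on the POS segment that changes its IP still cannot reach the office LAN; the address match on the terminal only narrows what may leave towards the processor.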
 
Oh ouch! We just received our new chip compatible card readers.

One is wireless and portable. Just carry it from desk to desk as needed. Plug it into the charger at night. Charger has a phone jack so the unit can be used as a dial-up if the network is out.

The other two are Ethernet with roll-over to telephone if the network is out. (They were about half the price of the wireless version.)

I asked our vendor about PCI. "No problems they said." Sure wish I saw this post before we did anything!

Cisco, Ubiquiti, managed VLANs? Way over my head!

At our main shop, where the wireless reader is going, we have a simple Asus RT-66U. It offers 8 WLANs. I'm thinking all I have to do is set up a "guest" SSID/WLAN and give no one the WPA2 key (except the wireless reader). If I'm reading the Asus docs right it would then have access to nothing but the Internet and thus might be PCI compliant?

The other two locations have ancient (WEP only ancient) Netgears. Short term I guess I'll have to disable Ethernet and use dial-up only. Longer term, if the main shop passes PCI using an Asus stand alone WLAN, then I might just upgrade the old routers to affordable Asus RT-66Us and buy a couple of those cheap gaming boxes that turn Ethernet into a single port wireless and connect to a stand alone WLAN.

Question to original poster, did you go with your Ubiquiti idea? Did it work out? Was it simple? (Remember, I'm Klueless!) What did it all cost?

Open question, does anyone think my stand alone WLAN might pass the muster?
 
Won't you need a router that's PCI-compliant or at least with some certifications for that network?

Quite frankly, with the security track record of those home routers, I wouldn't use them on a network that involves payment information. Get a business-class product.

I agree with RMerlin - consumer grade router/AP isn't really the right answer here...

Friend of mine runs a gas station - and they have DSL service, and they get two public IP's - one for general purposes, and one for the Points of Sales - the PoS drops into a small biz Cisco router/vpn/firewall appliance (I'd have to check the model number), which is provided as part of the PoS/PCI compliance solution...
 
Open question, does anyone think my stand alone WLAN might pass the muster?

No, it won't.

PCI compliance for PoS isn't something to fudge. Hire somebody and have them do it correctly. It will save you time and money in the long run.
 
PCI compliance for PoS isn't something to fudge. Hire somebody and have them do it correctly. It will save you time and money in the long run.

It will save a lot of time, frustration, and these days, money... most card issuers have new agreements in place with stores, in that the store is now responsible for any fraud, if the store doesn't accept the terms - no card processing...

Puts the stores a bit in the vise - don't mess with PCI compliance - hire a pro that knows the ins and outs and the gotchas...
 
I am looking for a new router for one of my customer. My customer is getting PCI certified, therefore I must isolate in a separate subnet the payment terminal.

And with the new rules - your customer will have recourse upon you if he is compromised...

If you don't know what you're doing, walk away from this one...
 
I lucked out!

We needed to buy "chip card" readers. (As of October if a customer presents you a chip card and you don't process it with a chip card reader liability goes to you. If a customer presents you with a non-chip card liability remains with the bank.)

Our vendor had explained that the new chip cards transfer much more data and strongly advised us to get the Wi-Fi enabled ones for faster processing.

Come installation day he goes, "Oh crap, I ordered the wrong ones, these only work over a telephone line!"

I say, "No problem, let's install them anyway and we'll fix it later."

We ran a couple test transactions. Turns out the plain old telephone system is plenty fast enough ... for us! "I'm keeping these!"

PCI-wise my life just got a whole lot easier!

IMO the speed issue has more to do with placing the call than the amount of data transferred. If dial-up was good enough before the new cards then there's probably little reason to change. If not then ... well ... good luck ; - )
 
Just a side comment, the R7000 is working very well with Kong's dd-wrt 28600 release. If you're still asking this question, that's worth a long look.
 
And with the new rules - your customer will have recourse upon you if he is compromised...

If you don't know what you're doing, walk away from this one...

Probably the most important piece of the newest PCI rules. Financial liability for breaches is a "we're closing our doors" issue.
 