Ricky in Melbourne - Enjoy Learning

How to upload SSL certificate to Asus router

When it comes to home network security, people always say they don’t need to worry about it because it’s a home network, not a corporate network. However, your home network is still connected to the internet, which means it is exposed to attackers.

A good example is people who remote back into their home network, to the router, NAS or even an FTP server. If you only use HTTP, anyone with a simple traffic capture can read all of your plain-text traffic, including your password.

In today’s world it is not only the enterprise that needs better security; the home network does as well. Encrypting your traffic is not that hard: just enable HTTPS.

Last time I enabled HTTPS for remote access to my NAS; today I will upload the same free public SSL certificate to my Asus router.

No matter what firmware you are using, the SSL upload process should be the same, since the core is a Linux system.

OK, let’s get started.

1. Prepare your public SSL certificate

The certificate has to be in PEM format, which may have the extension .pem, .crt, .cer or .key.

If you would like to know more about the different certificate formats and how to convert between them, you can find that here.

Here’s what my certificate looks like


2. Enable SSH on Asus router

Navigate to Administration->System, enable SSH and apply.

Note: I do not recommend enabling SSH on the WAN side. Although SSH is a secure protocol, fewer open ports (doors) into your home is always better.


3. Enable HTTPS login for router

Navigate to Administration->System


4. Log in via SSH

To log in via SSH, a free tool called “PuTTY” is your friend.

Just open PuTTY and type in your router’s IP and port.


5. Follow the steps below (or here) to upload your certificate

----- Verify that https_crt_save is off -----

ricky@Ricky-AC87U:/tmp/home/root# nvram get https_crt_save
0

----- Enable https_crt_save and verify that it was set correctly -----

ricky@Ricky-AC87U:/tmp/home/root# nvram set https_crt_save=1
ricky@Ricky-AC87U:/tmp/home/root# nvram get https_crt_save
1

ricky@Ricky-AC87U:/tmp/home/root# cat >/etc/key.pem

----- Open your key file in Notepad and paste it here; do NOT use “Word Wrap” -----

----- Hit Ctrl+D to save and exit the cat command -----

ricky@Ricky-AC87U:/tmp/home/root# cat >/etc/cert.pem

----- Open your cert file in Notepad and paste it here; do NOT use “Word Wrap” -----

----- Hit Ctrl+D to save and exit the cat command -----

----- Verify https_crt_file is empty (you should see nothing here) -----

ricky@Ricky-AC87U:/tmp/home/root# nvram get https_crt_file

ricky@Ricky-AC87U:/tmp/home/root#

ricky@Ricky-AC87U:/tmp/home/root# nvram get https_crt_file

----- You will see your new certificate file like below -----

----- Restart httpd -----

ricky@Ricky-AC87U:/tmp/home/root# service restart_httpd

----- Reboot -----

ricky@Ricky-AC87U:/tmp/home/root# reboot
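As an added example (not from the original post), a small Python checker you can run on your key.pem and cert.pem on the PC before pasting them through PuTTY: it catches the re-wrapped lines a word-wrapped paste produces, Windows line endings (which become blank lines or stray characters once pasted into cat), a key pasted into the cert file, and a body that no longer decodes. The sample PEM blobs at the bottom are constructed for the demo and are not real keys or certificates.

```python
import base64
import binascii
import re

B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def check_pem(text, expect):
    """Return problems in one PEM block (empty list = safe to paste); expect is "cert" or "key"."""
    problems = ["carriage returns present (Windows line endings)"] if "\r" in text else []
    lines = text.splitlines()
    begin = [i for i, l in enumerate(lines) if l.startswith("-----BEGIN ")]
    end = [i for i, l in enumerate(lines) if l.startswith("-----END ")]
    if len(begin) != 1 or len(end) != 1 or end[0] < begin[0]:
        return problems + ["expected exactly one BEGIN line followed by one END line"]
    b, e = begin[0], end[0]
    label = lines[b][11:].rstrip("-")          # text after "-----BEGIN "
    if label != lines[e][9:].rstrip("-"):      # text after "-----END "
        problems.append("BEGIN and END labels differ")
    want = {"CERTIFICATE"} if expect == "cert" else KEY_LABELS
    if label not in want:
        problems.append("expected %s block, got %s" % (expect, label))
    body = lines[b + 1:e]
    for n, line in enumerate(body, 1):
        if not line.strip():                   # CRLF pasted through a tty shows up as blank lines
            problems.append("blank line at body line %d" % n)
        elif not B64_LINE.match(line):
            problems.append("non-base64 text at body line %d" % n)
        elif n < len(body) and len(line) != 64:  # every line but the last must be 64 chars
            problems.append("body line %d is %d chars, not 64 (re-wrapped?)" % (n, len(line)))
    try:
        der = base64.b64decode("".join(body), validate=True)
        if not der.startswith(b"\x30"):        # DER certs and keys start with an ASN.1 SEQUENCE
            problems.append("decoded data is not an ASN.1 SEQUENCE")
    except binascii.Error:
        problems.append("body is not valid base64")
    return problems

def build_sample(label, payload, width=64):
    """Build a PEM block for the demo; the payload is constructed, not a real certificate."""
    b64 = base64.b64encode(payload).decode()
    body = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "\n".join(["-----BEGIN %s-----" % label, *body, "-----END %s-----" % label, ""])

FAKE_DER = b"\x30\x82" + bytes(range(198))                     # constructed SEQUENCE-tagged blob
GOOD_CERT = build_sample("CERTIFICATE", FAKE_DER)
WRAPPED_CERT = build_sample("CERTIFICATE", FAKE_DER, width=76)  # as a word-wrapped paste arrives
KEY_AS_CERT = build_sample("RSA PRIVATE KEY", FAKE_DER)         # key pasted into cert.pem by mistake
```

Run check_pem(open("cert.pem").read(), "cert") and check_pem(open("key.pem").read(), "key") on your real files; an empty list means the block is safe to paste.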

6. Verification

After the reboot, let’s test the result.


That’s my own SSL certificate, with no warning anymore.

By rickygao on March 1, 2015 | Network, Tech | 9 comments

Tuning The Asus Wireless Router To Best Performance

I’ve been really enjoying Asus wireless routers at home for years; I believe they are the best home wireless routers in the world.

The reason I’m saying best is the following considerations for a home wireless router:

  • Coverage
  • Performance
  • Features
  • Compatibility
  • Third party firmware support, like Tomato and DD-WRT

The last Asus wireless router I used was the RT-N16, one of the classic routers from Asus; it served my home for 2 years without any issues. However, having moved into a bigger house, with all of my devices now supporting dual-band networks, it seems that I have to buy a new router.

The considerations for the new router are still the ones above, especially the best signal coverage, as I don’t want to extend my network with a WiFi extender and slow it down.

Luckily, the new Asus RT-AC87U meets all of my requirements: the only AC2400 4×4 MIMO wireless router in the world, with a promised coverage of 465m2, the longest effective range so far. More reviews can be found here.


In case some people need to understand a few performance parameters:

AC2400: the WiFi speed can reach 2.4Gb, made up of 600Mbps (max speed of the 2.4GHz band) plus 1734Mbps (5GHz band)

4×4 MIMO: best router capacity; read here

With the best hardware (home router) in place, the next step is to tweak the router to best match our environment, since every family has its own needs.

So the first thing we need to think about is the firmware loaded on the router.

Since Asus routers support various types of firmware, each with pros and cons, you can decide using my matrix below:

Firmware       | RT-AC87U Supported | HW Acceleration | VLAN | Guest Network | VPN | QoS | Per IP Traffic Monitoring | Save History to USB | Static DHCP Nickname | Firmware Quality
---------------|--------------------|-----------------|------|---------------|-----|-----|---------------------------|---------------------|----------------------|-----------------
Asus Original  | Yes                | Yes             | No   | Yes           | Yes | Yes | No                        | No                  | No                   | Stable
Asuswrt-Merlin | Yes                | Yes             | No   | Yes           | Yes | Yes | Yes                       | Yes                 | Yes                  | Stable
Tomato         | No                 | No              | Yes  | Yes           | Yes | Yes | Yes                       | Yes                 | Yes                  | Less Stable
DD-WRT         | No                 | No              | Yes  | Yes           | Yes | Yes | Yes                       | Yes                 | Yes                  | Less Stable

I also struggled for a long time to decide, since all of these features are critical for me, especially for a home network with a lab. Although neither Tomato nor DD-WRT supports the latest RT-AC87U yet, I can still flash them; I believe they would just lack support for the new features.

However, Hardware Acceleration can boost your router a lot, especially NAT and internet throughput once you have a large number of devices. I don’t want to miss this important feature, so finally I decided to go with Asuswrt-Merlin, which is built right on top of the original firmware with more customised features. Once Tomato and DD-WRT start supporting HW Acceleration, I may switch to them.

To be clearer about Hardware Acceleration on both the Asus original and Asuswrt-Merlin firmware, please refer to the tables below.

  • CTF (Cut Through Forwarding): software optimization technique to accelerate NAT
  • FA (Flow Accelerator): hardware NAT acceleration mechanism designed for accelerating wired DHCP and static IP connections

Level 1 = CTF only

Level 2 = FA + CTF

Asus Original

Category          | Feature     | Menu              | Supported HW Acceleration Level
------------------|-------------|-------------------|--------------------------------
QoS               | Traditional | Adaptive QoS->QoS | Off
QoS               | Adaptive    | Adaptive QoS->QoS | Level 1
None of the above |             |                   | Level 2

Asuswrt-Merlin

Category          | Feature               | Menu                  | Supported HW Acceleration Level
------------------|-----------------------|-----------------------|--------------------------------
QoS               | Traditional           | Adaptive QoS->QoS     | Off
Traffic Monitor   | IP Traffic Monitoring | Tools->Other Settings | Off
QoS               | Adaptive              | Adaptive QoS->QoS     | Level 1
None of the above |                       |                       | Level 2

OK, now that we are clear enough on Hardware Acceleration, let’s start tuning the settings.

I will skip a few basic settings, since everybody should know those, and focus only on the advanced settings.

1. Wireless->General


Option: Protected Management Frames
  Description: The current 802.11 standard defines “frame” types for use in the management and control of wireless links. IEEE 802.11w is the Protected Management Frames standard for the IEEE 802.11 family of standards. TGw is working on improving the IEEE 802.11 Medium Access Control layer. The objective is to increase security by providing data confidentiality of management frames, plus mechanisms that enable data integrity, data origin authenticity and replay protection. These extensions will have interactions with IEEE 802.11r and IEEE 802.11u. More security, less compatibility.
  Recommendation: Disable

Option: Wireless Mode (2.4GHz)
  Description: Maximise 2.4GHz performance, since 802.11 a/b/g connections slow down the 2.4GHz band, and it is hard to find any a/b/g client now.
  Recommendation: N only

Option: Network Key Rotation Interval (2.4GHz+5GHz)
  Description: The key is automatically generated from the SSID and the password set for the network. Refreshing this key does not mean that a new password has to be entered every hour. However, it results in the Internet connection being unavailable for some time at regular intervals. More security, but the connection may be lost during key renewal.
  Recommendation: 0

2. Wireless->WPS

Less secure protocol, just turn it off.

3. Wireless->Professional


Option: Roaming assistant
  Description: Enable if you have more than one AP.
  Recommendation: Disable

Option: IGMP Snooping (2.4GHz+5GHz)
  Description: Better streaming TV.
  Recommendation: Enable

Option: Preamble Type
  Description: The preamble type defines the length of time that the router spends on CRC (Cyclic Redundancy Check). CRC is a method of detecting errors during data transmission. Select Short for a busy wireless network with high network traffic. Select Long if your wireless network is composed of older or legacy wireless devices. Newer wireless “b” devices using a short preamble typically experience quicker data transfers. Moving from a long to a short preamble will not solve poor connection issues or slow Internet speeds. However, moving to wireless “g” and wireless “n” devices increases transfer speed and range. Short preambles work with every wireless type other than older types with limited transmission rates in the 1 to 2 Mbps range. Better performance, less compatibility.
  Recommendation: Short

Option: AMPDU RTS
  Description: Deals with traffic congestion problems. For example, the throughput of your machine might suffer when others are doing large downloads, file transfers or streaming media.
  Recommendation: Enable (default)

Option: Enable TX Bursting
  Description: Improves the transmission speed of “g” devices.
  Recommendation: Enable

Option: Enable WMM APSD
  Description: WMM APSD is a QoS setting which, when enabled, allows some devices to go into a lower-power, higher-latency state while others stay as low latency as possible. WMM = QoS and APSD = Automatic Power Save Delivery.
  Recommendation: Enabled (default)

Option: Reducing USB 3.0 interference
  Description: Better 2.4GHz performance and range, less USB 3.0 speed.
  Recommendation: Enable

Option: Optimize AMPDU aggregation
  Description: MPDU aggregation also collects Ethernet frames to be transmitted to a single destination, but it wraps each frame in an 802.11n MAC header. Normally this is less efficient than MSDU aggregation, but it may be more efficient in environments with high error rates, because of a mechanism called block acknowledgement. This mechanism allows each of the aggregated data frames to be individually acknowledged or retransmitted if affected by an error.
  Recommendation: Disable (default)

Option: Optimize ack suppression
  Description: With no ack, SSL-based communications are more likely to error; there is only a very slight bandwidth decrease with it enabled.
  Recommendation: Disable (default)

Option: Turbo QAM
  Description: Better performance; both router and client must support it.
  Recommendation: Enable (default)

Option: Airtime Fairness
  Description: With airtime fairness, every client at a given quality-of-service level has equal access to the network’s airtime. This is essential for ensuring predictable performance and quality of service, as well as allowing 802.11n and legacy clients to coexist on the same network. Without airtime fairness, routers running mixed-mode networks risk having legacy clients slow down the entire network or letting the fastest clients crowd out other users.
  Recommendation: Enable (default)

Option: Explicit beamforming
  Description: The client’s WLAN adapter and the router both support beamforming technology. This technology allows these devices to communicate the channel estimation and steering direction to each other to improve download and uplink speed.
  Recommendation: Enable (default)

Option: Universal Beamforming
  Description: For legacy wireless network adapters that do not support beamforming, the router estimates the channel and determines the steering direction to improve the download speed.
  Recommendation: Enable (default)

Option: Regulation mode
  Description: IEEE 802.11h is the IEEE standard for Spectrum and Transmit Power Management Extensions. It solves problems like interference with satellites and radar using the same 5 GHz frequency band. It was originally designed to address European regulations but is now applicable in many other countries. The standard provides Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC) to the IEEE 802.11a MAC. It has no useful function as far as we are concerned; however, if left “floating” in an unknown state, it causes association problems.
  Recommendation: Off (default)

4. LAN->Switch Control

Option: NAT Acceleration
  Description: HW Acceleration
  Recommendation: Auto

Option: Enable Jumbo Frame
  Description: More compatibility, less performance
  Recommendation: Disable

5. WAN->Internet Connection

Option: Enable VPN + DHCP Connection
  Description: If you enabled the VPN service, this must be enabled
  Recommendation: Yes

If you would like to flash the router to Tomato, you can refer to here.

By rickygao on February 25, 2015 | Home Lab, Network | A comment?

How to find out the best energy plan in Australia

Are you annoyed by the Australian energy service companies? The price sheet is always hard to read, and the discounts they offer are unclear as well.

I agree there are a few websites that can help you compare the prices of those energy companies based on your usage, but those websites are usually sponsored by the energy companies as well, so it’s hard to trust them sometimes.

I did some homework myself, comparing the most popular energy plans from the majority of the service providers, so I think it will be useful to share it.

Let’s start with the basic concepts of energy service in Australia:

Distributor and Service Provider

  • Distributor: the energy infrastructure owner; it does not sell energy directly to the user, only to the service provider

If you are in Melbourne, you can find your distributor from the map below, or visit here


  • Service Provider: like a reseller, it packages the energy into plans and sells it to the users

Service Fee/Daily Charge and Usage Fee

Now it makes more sense that there are two types of fees included in the bill: the “service fee/daily charge” and the “usage fee”.

  • Service Fee/Daily Charge: as the name suggests, this fee is charged per day; you can think of it as a kind of management, service or labour fee
  • Usage Fee: this is the fee for the energy you actually consumed

Discount

You should be very careful about the discount rate. Some companies only discount the “Usage Fee” and others discount both.

And when energy companies advertise their products, they always promote only their discount rate rather than the actual after-discount fee.
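As an added illustration (constructed plans, not the author’s data), a short Python comparison showing why the advertised discount rate alone is misleading: the plan with the smaller discount is cheaper for a light user because its discount also applies to the daily charge, while the bigger usage-only discount only wins once consumption is high.

```python
# Constructed sample plans: daily charge in cents/day, usage rate in cents/kWh,
# the advertised discount, and whether it applies to usage only or to both fees.
PLANS = {
    "Plan A": {"daily_c": 120.0, "usage_c_kwh": 28.0, "discount": 0.30, "on": "usage"},
    "Plan B": {"daily_c": 95.0, "usage_c_kwh": 27.0, "discount": 0.15, "on": "both"},
}

def annual_cost(plan, kwh_per_year, days=365):
    """Annual cost in dollars after the discount, applied the way the fine print says."""
    daily = plan["daily_c"] * days / 100
    usage = plan["usage_c_kwh"] * kwh_per_year / 100
    if plan["on"] == "usage":
        usage *= 1 - plan["discount"]        # discount on the usage fee only
    else:
        daily *= 1 - plan["discount"]        # discount on both service/daily charge and usage
        usage *= 1 - plan["discount"]
    return round(daily + usage, 2)

def cheapest(plans, kwh_per_year):
    """Name of the cheapest plan for a given yearly consumption."""
    return min(plans, key=lambda name: annual_cost(plans[name], kwh_per_year))

if __name__ == "__main__":
    for kwh in (2000, 6000):
        costs = {name: annual_cost(p, kwh) for name, p in PLANS.items()}
        print(kwh, "kWh/year:", costs, "-> cheapest:", cheapest(PLANS, kwh))
```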

Email Notification and Online Management

I was using Red Energy before switching to Dodo. One of the annoying things was that they only posted your bill, which means that when your bill is lost for some reason (like being delivered to the wrong mailbox), there’s no way to track it.

So that is why email notification and an online management portal are another of my considerations.

Note: each area may have a different price, since it is under a different distributor, and energy companies may change their prices at any time.

If you are with my distributor, you can use my data to estimate your best plan.

If you are not with my distributor, you can refer to my data, but you may need to do your own homework.

Price Date: Jan 2015

Data Source: Energy service company website

My Sub: Heathmont, VIC

My distributor: SP AusNet

My Choice: Dodo

My Reason: I’m not a heavy energy user, so the daily charge is more important to me

Dodo Promotion: Dodo has a referral promotion which gives both of us 25 credits; comment if you need my ref no.

By rickygao on January 23, 2015 | Daily Life | A comment?
