Safely sharing your Internet connection with the neighbors: Using DD-WRT to setup a Linksys WRT54G in repeater mode

How do you bring down the high cost of cable Internet access? Share it with your neighbors (for a price, obviously)! You can do this naively by telling your neighbors your wi-fi network name and password, but this introduces a few problems:

  1. Liability: Do your neighbors use file-sharing services like BitTorrent? Comcast monitors that sort of traffic and sends cease-and-desist e-mail to customers sharing [unencrypted] torrents.
  2. Coverage: Unless you live particularly close together, a single wi-fi access point will probably not be sufficient for everyone to have a strong wi-fi signal everywhere they use their computers, tablets, and smart phones.
  3. Performance: No one wants their Internet connection to slow to a crawl because their neighbor is using all of the available bandwidth to download the latest Game of Thrones episode.

For this guide, I’m assuming you already have a home wi-fi router and want to learn how setup a shared network with enhanced coverage and performance, while reducing liabilities. All without running extra cables around your house or apartment!

Equipment needed

  • A broadband Internet connection
  • A wi-fi router for your home or apartment (I’m using an Apple Airport, but any decent, modern router should work)
  • A Linksys WRT54GL wifi-router for your neighbors (you can find these online for less than $50)
  • DD-WRT firmware to unlock the full power of your Linksys router

 Network overview

Our basic idea is to create a private wi-fi network for yourself, and a public wi-fi network for your neighbors. This is why you’ll need two wi-fi routers. Plus, the public router allows you to position it where your neighbors will get the best signal strength, while you can still position your private router wherever it works best for you. The network you create will look something like this (solid lines represent Ethernet cables, dashed lines represent wi-fi connections):

Network topography: By introducing a second, public wifi router, you can keep your computers separated from your neighbors’ computers.

As this diagram shows, we’ll have an Ethernet cable running from your cable/DSL model to your private router, but that’s it! No other cables necessary!

Setting up your private network

I’ll assume you’ve already setup your private wi-fi router (just about all of them come well-configured out-of-the-box these days), but here are some recommendations for a fast, secure network:

  • Enable WPA2 encryption: this is much more secure than WEP encryption, and lets you use easy-to-remember passwords instead of arcane sequences of hex characters. DD-WRT (which we’ll be using to setup your public router) only works well with WPA2 encryption, so this isn’t just a good idea; it’s required if you want your private router and public router to communicate wirelessly.
  • Pick an unused wi-fi channel: the most common channels are 1, 6, and 11. You can use a tool like iStumbler (Mac) or Kismet (PC) to identify which channels are already being used by nearby wi-fi routers. If channel 1, 6, or 11 is available, use it. If there are already a lot of other people using those channels, choose 3 or 9 to reduce wi-fi interference as much as possible.

Setting up the public network

Once you have your private wi-fi working properly, it’s time to setup your new Linksys WRT54GL to share your connection with the neighbors. We’ll also install DD-WRT firmware on it, which allows this old router to learn new tricks and perform significantly faster than it does out-of-the-box.

What’s firmware? Firmware is the software that controls your router. By upgrading from the Linksys firmware to DD-WRT, you are essentially installing software that can do more things (and do them faster!) than the Linksys software.

  1. Download the following files, and save a copy of this guide to your computer. You’ll be disconnected from the Internet while you initially configure your router:

    It may also be worthwhile to check this forum thread for newer recommended builds, but I know the r14929 has worked extremely reliably for me. Additional information about installing DD-WRT on the WRT54GL can be found here.

  2. Do a hard reset of your Linksys WRT54GL router. A hard reset involves four steps:
    1. With the router powered on, press and hold the power button for 30 seconds (I usually use a pen to press this button)
    2. Unplug the router from the power outlet while continuing to press the power button for an additional 30 seconds.
    3. Plug the router back into the power outlet while continuing to press the power button for an additional 30 seconds.
    4. Release the power button to let the router turn itself back on.

    So, you’ll be pressing and holding the power button for a total of 90 seconds. I can’t stress how important this step is—I skipped it the first time I setup my WRT54GL, and while everything looked fine, nothing actually worked properly.

  3. Connect your computer to the WRT54GL using an Ethernet cable plugged into the jack labeled 1 on the back of the router and turn off wi-fi on your computer.
  4. Open up a web browser and type 192.168.1.1 into the address bar, then hit the return key. You should be asked for a username and password. Leave the username blank, and type in admin as the password (this is the default way to login to Linksys WRT54 routers).
  5. Upgrade your WRT54GL with the micro DD-WRT firmware you downloaded earlier. We need to start with the micro firmware because of a bug in the Linksys firmware—some routers will stop working entirely if you try to install the standard DD-WRT firmware first. Linksys provides step-by-step instructions for installing new firmware.
  6. Wait about 5 minutes for the upgrade process to complete and the router to restart. Do not unplug the router during this time.
  7. Once the router has restarted, visit 192.168.1.1 again to confirm that everything is online. Then perform another hard reset (step 2 above).
  8. Once the router has restarted again, visit 192.168.1.1 in your web browser. Click on the Administration tab at the top of the page. You should be asked to log in; the default username is root, and the default password is admin.
  9. Click the Firmware Upgrade tab (beneath the Administration tab). Click on the Browse… button and select the standard firmware file you downloaded earlier, then click Upgrade.
  10. As with step 6, wait about 5 minutes for the upgrade process to complete.Do not unplug the router during this time.
  11. Once the router has restarted, visit 192.168.1.1 to confirm that everything is online, and then perform another hard reset (step 2 above). Yes, that’s three hard resets, and yes, they’re all necessary. I tried to skip these steps and found that none of my settings were saved by the router; each time it restarted it would revert to the default settings. Learn from my mistake!
  12. Now for the fun stuff! Visit 192.168.1.1 in your web browser and click on the Setup tab. If prompted to login, the username is root and the password is admin. (Feel free to change these at any time from the Administrationtab.) Most of the settings can be safely left at their default values, while others will depend on your personal network configuration. The sections below  describe the necessary changes to get your public wi-fi network running, plus some recommended (but optional) settings that I find work well. Each step refers to settings on a specific tab and sub-tab of the router’s configuration webpage (192.168.1.1).

    Always click the ‘Save’ button before moving on to the next tab!

    1. Setup→Basic Setup
      • Local IP Address (optional): My private router uses the IP address 10.0.1.1, so I set this field to 10.0.2.1 to easily tell them apart. If you make this change, you’ll need to connect to 10.0.2.1 instead of 192.168.1.1 for the rest of this guide.
      • Static DNS 1 (optional): Set this to Google’s public DNS server, 8.8.8.8.
      • Static DNS 2 (optional): Set this to Google’s backup DNS server, 8.8.4.4.
      • NTP Client (optional): Enable this and set the time zone appropriately.
      • Server IP/Name (optional): If you enable NTP, then set this to 0.us.pool.ntp.org.
    2. Wireless→Basic Settings
      • Wireless Mode: Repeater.
      • Wireless Network Name: Set this to your private network name. For example, before I added the public wi-fi router, I had one wi-fi network named Prydain, which is what I entered here.
      • Wireless Channel: Set this to your private network channel. You may need to log in to your private wi-fi router to determine (or set) the channel it uses. I would set it to 1, 6, or 11, and not the auto mode most routers default to.
      • Network Configuration: Bridged.
      • Now click the Add button. A set of fields will appear for your new virtual interface (this will be the public wi-fi network). Configure them as follows:
      • Wireless Network Name: Set this to your public network name. For example, I named my public network A Series of Tubes, which is what I entered here. Almost anything will do.
      • Wireless SSID Broadcast: Enable so your neighbors can easily find your wi-fi.
      • Wireless Channel: Set this to your private network channel, same as above.
      • AP Isolation: Disable so if your neighbors have multiple computers, they’ll be able to share files with one another via wi-fi.
      • Network Configuration: Bridged.
    3. Wireless→Wireless Security
      • Security Mode: WPA2 Personal (If you haven’t already done so, your private router also needs to be configured for WPA2 Personal security with AES encryption. Most modern routers (as of 2012) default to this security type, but it’s a good idea to verify it.)
      • WPA Algorithms: AES.
      • WPA Shared Key: Enter your private wi-fi password (i.e., the password you normally use to connect your computer to your wi-fi network).
      • Under the Virtual Interfaces section, use the exact same settings as above, except for the WPA Shared Key. Make this different, so that your neighbors will use a separate password than you use. The virtual interface’s Wireless Network Name is the wi-fi name you’ll tell them to connect to, and its WPA Shared Key is the password they’ll need to successfully connect.
    4. Wireless→Advanced Settings
      • Frame Burst (optional): Disable
      • TX Power (optional): I experimented with higher values, and found 110 to result in a strong signal for my neighbors without causing interference. I wouldn’t set this any higher than 150; return it to the default of 71 if you experience problems.
      • WMM Support (optional): Disable to conserve memory.
    5. Services→Services
      • DNSMasq (optional): Enable (These settings enable local DNS caching with a memory limit)
      • Local DNS (optional): Enable
      • Additional DNSMasq Options (optional): cache-size=100
    6. Security→Firewall
      • SPI Firewall (optional): Disabled (The firewall isn’t needed inside of the network, and interferes with bridging mode)
    7. Access Restrictions→WAN Access
      • Catch all P2P Protocols (optional): Enable this setting to block all unencrypted peer-to-peer traffic for your neighbors.
    8. NAT / QoS→QoS
      There are a lot of options on this page for controlling Quality of Service (QoS), which essentially means setting speed limits on certain Internet activities. If you set Start QoS to Enabled, you’ll have the option of setting a bandwidth limit on your neighbors’ Internet speed, or use the Services Priority section to only limit certain types of activities (like BitTorrent downloads) by setting their priority to bulk.
  13. Restart the router by unplugging the power cable for a few seconds, and then plug it back in. Enjoy your new, secure shared network!

20 thoughts on “Safely sharing your Internet connection with the neighbors: Using DD-WRT to setup a Linksys WRT54G in repeater mode

  1. Todd, this is a great idea. Thanks for the tutorial. One thing I didn’t understand though is how it reduces liability. Won’t the neighbors’ internet activity still show up on the same IP from Comcast’s point of view?

    I wonder if it would work to route all neighbor traffic through Tor or something.

    • Ack, I left out one of the DD-WRT configuration options. Under the Access Restrictions tab is an option named “Catch all P2P Protocols”. Turn that on, and non-encrypted peer-to-peer traffic is blocked by the router.

  2. It’s so great to stumble on this blog post! I’m a starving college student and about a month ago I tacked a note by my apartment complex’s mailboxes asking if I could join someone’s wifi network. A neighbor replied and we’ve been merrily sharing wifi since (at a very reasonable $15/month on my part).

    I have a question though: I opened iTunes the other day and saw that there was a shared iTunes library. This got me thinking: Even though I have all my sharing options turned off (as far as I know), is there a way for my neighbor to peek in on my internet traffic? Put another way, should I be worried when paying bills online?

    I should have prefaced this by saying that I’m an internet/technology dunce and he seems to have a computer science degree (whenever he talks to me about various network configurations, I could swear he’s speaking German). I don’t really know him, but I also have no reason to distrust him; I think these concerns are mostly born out of my ignorance.

    Any guidance would be greatly appreciated. And thank you for spreading the word about sharing internet charges. The amount of money companies charge (per month, for equipment, for setup) really is ludicrous.

    • “Is there a way for my neighbor to peek in on my internet traffic? Put another way, should I be worried when paying bills online?”

      Yes to your first question, no to your second.

      Most Internet traffic is unencrypted, and anyone with the right know-how can see all of it. If you’re neighbors want to know which stories you’re reading on CNN, they’ll have that information. Email is the same way (which is why secure sites, like banks, never e-mail you your password). That doesn’t just mean your neighbors could get this; anyone with access to a computer sitting between yours and the website you’re visiting could do the same thing. Which is why, from very early in the Internet’s existence, there’s been a secure method for handling sensitive information.

      Banks, utilities, online stores, even Facebook, all use a secure way of transferring information from your computer to theirs, called Secure Sockets Layer or SSL. Any website that beings its address with “https://” instead of just “http://” is secure; your web browser will display a locked icon or something similar to let you know the site is secure. Most websites use SSL to encrypt logins, passwords, and other sensitive data, and an increasing number of sites (like Gmail and Facebook) are making it possible to encrypt *everything*.

      So, could your neighbors be snooping on your Internet traffic? Absolutely. Could they be snooping on your bank account? Only if your bank is criminally negligent regarding its website security; as long as you see an “https://” in the address bar, you’ll be fine.

      As for iTunes; when I’ve shared Internet access with close friends, I opened up iTunes sharing because I knew we had similar tastes. That’s something your neighbor is doing intentionally, maybe for someone else in his apartment, maybe because he set it up long ago and forgot it about it, or maybe just on the off-chance that you (or anyone else he’s sharing wi-fi with) will be into his CD collection.

  3. This is not the proper way to set up internet connection sharing utilizing both a private and public networks. While your hardware configuration is semi-correct, your software configuration leaves the owner’s private network open to many vulnerabilities.

  4. Um, doing another hard reset at the end will completely wipe out the settings of the Linksys. This seriously misguided step you have recommended really puts into question everything else you’ve suggested here.

    Don’t go through all the trouble of configuring the DD-WRT interface if you plan on doing the hard reset suggested here. It will all be for naught!

  5. I am trying to provide a safe internet connection for my teenage daughter, but unfortunately I just found out that she is connecting to an unlocked internet from a neighborhood, could you please tell me how can I disable that internet connection to protect my child. I don’t want her to have any connection to that wi-fi. please help me to disable this connection.

  6. Todd – I own and live in a four-plex in a low-income neighborhood. I have provided my tenants guest access to my century link internet connection, but several of the neighbor kids have asked for access.

    That got me on the idea of providing free or low cost internet access for the entire block. I’m just now learning the ins and outs of networks, so pardon a simple question:

    Q1: If I buy a new router and set up a network like you describe, would the range be long enough for the rest of the block to access it consistently and dependably? FYI: my four-plex is basically right in the middle of the block.

    Q2: Could century link ‘come after me’ for doing this or would it be better just to have another internet account altogether?

    If I need a particularly dependable router with an ‘extra-long’ range, what do you suggest?

    Thank you so much!

  7. hi there!

    I need some help.. i am sharing internet to my neighbor.. they have the router, so i buy cable and connect that cable to their router so i can use internet. my question is i want to but wifi router so i can use internet all around the house i am worried if that will work if the i buy wifi router and connect the cable from it..will it work or not..

    thanks!

  8. Great article Todd.

    Glad you’re spreading the word on how to utilize DD-WRT to share internet. Anyone interested in finding a neighbor to share internet with should check out net-neighbors.com. Share internet – save money.

    Cheers,
    Adam

  9. I’m no networking expert, but won’t that make everyone on the public router in the same subnet as you on the private router, inside the firewall?

  10. I don’t even understand how I stopped up here, but I believed this publish used to be great. I do not recognise who you might be but certainly you’re going to a famous blogger when you aren’t already. Cheers!

  11. Is there a reason why you’re calling the neighbor’s network ‘public’? Seems like it’s another private network, at least it should be.

    Another approach which yields better bandwidth for the neighbors network, is you use up one of the ethernet connections on your router (the private one) to connect to the neighbor router (the public one). On your network, the neighbor’s router looks like just another device. The configuration of the neighbor’s router is almost the same as yours – it does NAT address translation too. So devices on the neighbors network are double-NAT-ed, but that’s how the internet protocol works, there’s no downside. For extra network hygiene, prevent your neighbor from accessing your network by adding access restrictions to your network range (use 10.* for your network and 192.* for theirs, for example). Of course, you’ll be able to see into their network, but you are the ISP after all. ;-). Anyway, this yields better bandwidth for them because their router doesn’t have to receive and send wirelessly for all traffic to their network – most routers, and that one in particular, can’t do that efficiently.

  12. I live in an apartment with a xfinity wifi hotspot. to Access the hotspot I had to log in to my mothers xfinity account on the web browser. I want to create a private wifi network from the hot spot signal . Is that possible to do that so I can do airplay and have a wirelessly connected printer or chrome cast
    ??

  13. Hi,

    I came upon this article because I wanted to get access restrictions and QOS to work on my repeated network. However, I don’t see any differences in our configuration. Are you sure the access restrictions work on the secondary network (remember, it says WAN restrictions, while the repeater isn’t delivering any WAN services)? Try for instance to block all http traffic on the neighbours network, it won’t work!

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>