Home Networking Tips and Giving Superpowers to the TP-Link Archer C7

Friday, October 7, 2016 @ 6:32 pm

There are many good resources on setting up and tweaking home networks, but I just wanted to put this post together as a compilation of all the best practices I’ve come across over the past ~15 years. I’ll also describe how to move away from proprietary firmware to open-source firmware for the TP-Link Archer C7 wireless router.

General Home Networking Tips:

  • If possible, plug in your computer/device. A wired connection will always be faster and more stable than a wireless connection (e.g. no interference from walls, other devices, and signals).
  • Lower channels/frequencies are able to penetrate walls better than higher frequencies (example: when you encounter a car blasting loud music on the streets, you typically only hear the bass).
  • Comparing the Frequency Bands:
    • 2.4 GHz: better range and compatibility with devices, but more congested and susceptible to interference (e.g. microwaves).
    • 5 GHz: faster data rates and less congestion (ideal for streaming and wherever possible), but shorter range and not supported by older devices.
  • Choosing a Network Name: modern routers are dual-band (both 2.4 GHz and 5 GHz), which means you can set up and connect to two different “networks” in your home/office.
    • Using the same name: your devices will automatically detect which one is better to connect to.
    • Using different names: you would have to manually configure your devices to have a preferred order of networks (to connect to the 5 GHz network if available, if not then connect to the 2.4 GHz network).
    • For simplicity, I’d recommend you set up both to use the same name (e.g. “Bill Wi the Science Fi”) instead of using different names (e.g. “Bill Wi the Science Fi” and “Bill Wi the Science Fi_5GHz”). A former Apple Wi-Fi engineer also advises the same.
  • Choosing a Channel:
    • For the 2.4 GHz band: use channel 1, 6, or 11. Here’s why.
      • If a microwave is interfering with your connection when it’s in use, try to use channel 1 (source).
    • For the 5 GHz band: avoid any channel between 50-144, as these are subject to DFS (dynamic frequency selection, because they share frequencies with some radars). Unlike the 2.4 GHz band, you can otherwise pick any channel.
      • If range or heat management is important in your situation, choose a lower channel (36, 40, 44, 48).
        • Note: choosing a lower channel may limit your maximum transmit power level based on your region, so you may be forced to use a higher channel (149, 153, 157, 161, 165)
    • When choosing a channel, choose one that is least congested. To help understand what channels nearby networks are using, you can use tools such as Acrylic WiFi Home (for Windows), InSSIDer 3.1.2.1 (the last free version – for Windows), or Wifi Analyzer (a highly rated free Android app).
  • Channel width: if you have the ability to set the radio channel width on your router, use 20 MHz for the 2.4 GHz band for less interference (here’s why), and 40 MHz for the 5 GHz band for greater device compatibility (here’s why).
  • Transmission power: if available in your router settings, set your 2.4 GHz radio to be around 6 dB lower than the 5 GHz radio’s transmit power to achieve a roughly equivalent area of coverage (source).

Giving Superpowers to the TP-Link Archer C7

By superpowers I mean moving away from the stock firmware to a custom, open-source firmware: OpenWRT.

OpenWRT on the Archer C7 v2

The TP-Link Archer C7 (v2) has been rated by The Wirecutter to be the best router (for most people).

Why OpenWRT instead of stock firmware:

  • More stable: stock TP-Link firmware updates are few and far between – for example, the official Archer C7 v2 firmware (Canadian) hasn’t been updated to address the bug where it can’t detect high-capacity external hard drives.
  • Improved performance: I noticed there would be a decrease in LAN transfer speeds if I was downloading a large file with the stock Archer C7 firmware. I don’t experience this anymore with OpenWRT.
  • Lightweight and feature-rich: by default, OpenWRT comes with only the bare essentials to get a basic wired/wifi network up and running. You have the ability to install various packages, such as an SSH server, adblocker, VPN, BitTorrent client, and traffic-shaping/QoS.
  • Open-source: this means the source code is accessible and open for review/scrutiny. For privacy nerds, this is important because the likelihood of backdoors/snooping/vulnerabilities is much lower with OpenWRT than with using stock firmware.

Recently I’ve successfully “upgraded” two Archer C7s to OpenWRT v15.05.1 (“Chaos Calmer”) with the following features:

  • USB Support: allow detection and recognition of any USB stick/hard drive plugged into the router’s two USB ports.
  • Network File Sharing: share any USB-connected storage media across the entire network. I have a few Amazon Fire TV boxes that stream media off of a couple of central external hard drives.
  • Power Efficiency: automatically spin-down any connected external disks if they’ve been idle for 10 minutes.
  • Intelligent Traffic Prioritization: using QoS (Quality of Service) to be able to download a large file while streaming an online video buffering-free, for example.
  • Ad and Tracker Blocking: any device connected to my network will automatically have ads and tracking services blocked.
  • DNS Protection: DNS spoofing is prevented courtesy of DNSCrypt.

For one router, I have over 15 devices simultaneously connected (laptops, tablets, phones, TV boxes), and it is able to cope with this without any problems.

In short, this guide will show you step-by-step how to flash and customize OpenWRT to have no loss in features provided by the stock firmware (e.g. USB support and QoS), with the added feature of having adblocking at the router level.

If you own a different router: sections #1 to 3 in this guide would likely still work for you. You would just need to check whether OpenWRT supports your router. Proceed from section #4 onwards with caution.

Disclaimer: I’m not responsible for anything that might happen to your router if you follow this guide.

Continue with this guide if you meet the following requirements:

  • You own a TP-Link Archer C7 that has a hardware revision of v2 with a serial number less than 215C.
    • If your serial number is 215C or greater, you must use the trunk release of OpenWRT. The trunk release does not have the driver for 5 GHz functionality and the web interface installed by default. So you may need to run: opkg install kmod-ath10k luci
  • You have physical access to the router.
  • You have a laptop/computer and an ethernet cable handy.
  • Your Internet service is delivered via cable.
  • Your USB storage devices are in NTFS format.

1. Preparation

  1. Log into your router and keep notes/screenshots of:
    • Your existing wireless settings (e.g. DNS servers, channel, password).
    • Shared USB storage or static IP addresses.
  2. Notify anyone on your network that the network will be down (temporarily – until the end of section #3 below).
  3. Download the following onto your computer:
  4. Keep this page and these steps open during the installation and set-up process.

2. Flash OpenWRT

At this stage, we will flash OpenWRT onto our router.

  1. Connect your computer to one of your router’s 4 LAN ports (blue) using an ethernet cable.
    • Disconnect from any wireless connection.
  2. Find the OpenWRT file you downloaded (openwrt-15.05.1-ar71xx-generic-archer-c7-v2-squashfs-factory.bin) and rename it to openwrt.bin
    • This is required because the stock TP-Link interface won’t accept it otherwise.
  3. Log into your router.
  4. Go to System Tools => Firmware Upgrade.
  5. Click on the “Choose File” button and find the openwrt.bin file you renamed in step #2.
  6. Click on “OK”.
  7. Click on the “Upgrade” button.
  8. Do not touch your computer or router while it is upgrading, otherwise you risk bricking your router.
  9. Wait for ~2 minutes for the OpenWRT firmware file to be uploaded to your router and flashed/installed.

3. Initial OpenWRT Setup

At this stage, we now have OpenWRT on our router and need to set it up so that we can install the functionality we want.

Note: if there are any options in OpenWRT that I do not explicitly mention in this guide, assume that you should keep it at its default setting.

  1. In your browser, go to http://192.168.1.1/
  2. Click on “Go to password configuration…”
  3. Enter a password and re-enter it to confirm.
  4. Under “SSH Access”, beside “Interface” tick “lan”.
  5. Scroll to the bottom of the page and click on “Save & Apply”.
  6. At the top of the page, hover over “System” and click on “System”.
  7. Set your timezone then click on “Save & Apply”.

By default, wifi is disabled in OpenWRT. Let’s go ahead and set up our 2.4 GHz and 5 GHz wifi networks now so that anyone at home/the office isn’t left without Internet for too long!

  1. At the top of the page, hover over “Network” and click on “Wifi”.
  2. You will see two radios that are disabled (2.4 GHz and 5 GHz):
    • Qualcomm Atheros QCA9880 802.11nac (radio0) = 5 GHz
    • Generic MAC80211 802.11bgn (radio1) = 2.4 GHz
  3. We will need to configure both radios. Click on the “Edit” button for Qualcomm Atheros QCA9880 802.11nac (radio0), go through the steps below, and then repeat for Generic MAC80211 802.11bgn (radio1).
    1. Device Configuration:
      • General Setup tab:
        1. For Qualcomm Atheros QCA9880 802.11nac (radio0):
          • Mode: AC
          • Channel: choose a channel that isn’t in use by (many) other routers. Read General Home Networking Tips at the top of this page for tools to check nearby wifi networks and what channels they are on. Choose the least congested one.
          • Width: 40 MHz
          • Transmit Power: this depends on your needs. If in doubt, leave at the default value.
        2. For Generic MAC80211 802.11bgn (radio1):
          • Mode: N
          • Channel: choose 1, 6, or 11. Again check nearby wifi networks and what channels they are on. Choose the least congested one.
          • Width: 20 MHz
          • Transmit Power: this depends on your needs. If in doubt, leave at the default value. If comfortable, you can set this to be 6 dBm less than your 5 GHz (radio0) transmit power level.
      • Advanced Settings tab:
        • Country Code: set to your country
    2. Interface Configuration:
      • General Setup tab:
        • ESSID = enter any name you want to give your wireless network. I recommend that this is the same for both radio0 and radio1.
      • Wireless Security tab:
        • Encryption = WPA2-PSK
        • Cipher = auto
        • Key = enter any password you want
    3. Click on “Save & Apply”.
  4. Go through both radios again (“Edit”) and verify that the channel and transmit power values are correct. The options and maximum levels vary across countries.
  5. Once everything looks good, you can click on “Enable” for both.

It should now look like the below screenshot:

Enabled wireless radios

4. Log into SSH

Now that we’ve set up a password and enabled SSH access, we can now go ahead and log in.

  1. Open PuTTY.
  2. For “Host Name (or IP address)”, enter: 192.168.1.1
  3. Click on the “Open” button.
  4. You will see a PuTTY Security Alert message, click on “Yes”.
  5. A black box will appear and will ask you to enter a username and password.
    • Use root as your username.
    • Use the password you configured in 3. Initial OpenWRT Setup step #3 above.

5. Install Features

We have logged into SSH to install the necessary packages to recognize USB devices, share them on the network, spin-down disks if they are idle, as well as a Quality-of-Service (QoS) package.

  1. Copy the following commands to your clipboard (note: if your USB devices are not in NTFS format, you will need to replace ntfs-3g below with the correct package):
    opkg update
    touch /etc/config/fstab
    opkg install kmod-usb-storage block-mount hd-idle luci-app-sqm nfs-kernel-server vsftpd ntfs-3g
    mkdir -p /mnt/usb1
    mkdir -p /mnt/usb2
  2. In PuTTY, right-click in the window to paste and execute the commands (you may need to manually press Enter to run the last command).
  3. Next we will enable network file sharing when a USB storage device is connected to one or both of the USB ports in the router. Run the following command:
    vi /etc/exports
  4. Press the i key on your keyboard to go into insert mode.
  5. Press Backspace or Delete to delete the default entry in the file to ensure everything in the file is deleted.
  6. Paste the following lines into the file:
    /mnt/usb1 192.168.1.0/255.255.255.0(ro,no_root_squash,insecure,no_subtree_check,async,mp)
    /mnt/usb2 192.168.1.0/255.255.255.0(ro,no_root_squash,insecure,no_subtree_check,async,mp)
  7. Press the Escape key on your keyboard.
  8. Type the following command in:
    :wq
  9. Press Enter to save the file and to return to the command prompt.
  10. Copy the following commands to your clipboard:
    /etc/init.d/portmap start
    /etc/init.d/portmap enable
    /etc/init.d/nfsd start
    /etc/init.d/nfsd enable
  11. In PuTTY, right-click in the window to paste and run the commands (you may need to manually press Enter to run the last command).
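
A check for the /etc/exports file written in step 6, as an added example that is not part of the original post: it confirms each share stays read-only and limited to the LAN subnet, and lists the no_root_squash and insecure options for awareness. The function name audit_exports and the second sample file are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# audit_exports FILE LAN_SPEC
#   FAIL lines: the share is writable or reachable beyond LAN_SPEC (return 1).
#   NOTE lines: options worth knowing about; they do not change the result.
# LAN_SPEC is compared as a plain string, so pass it exactly as written in FILE.
audit_exports() {
    file=$1; lan=$2; rc=0
    set -f                                  # a "*" client must not glob-expand
    while read -r path rest; do
        case $path in ''|'#'*) continue ;; esac
        [ -n "$rest" ] || rest='*'          # no client list means everyone
        for entry in $rest; do
            client=${entry%%\(*}
            opts=''
            case $entry in *\(*) opts=${entry#*\(}; opts=${opts%\)} ;; esac
            if [ "$client" != "$lan" ]; then
                echo "FAIL $path: exported to '${client:-*}', expected $lan"
                rc=1
            fi
            case ",$opts," in
                *,rw,*) echo "FAIL $path: writable (rw) for $client"; rc=1 ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) echo "NOTE $path: no_root_squash, client root is not mapped to the anonymous user" ;;
            esac
            case ",$opts," in
                *,insecure,*) echo "NOTE $path: insecure, requests from source ports 1024 and up are accepted" ;;
            esac
        done
    done < "$file"
    set +f
    return $rc
}

# The two export lines from step 6 of this guide.
page_exports() {
cat <<'EOF'
/mnt/usb1 192.168.1.0/255.255.255.0(ro,no_root_squash,insecure,no_subtree_check,async,mp)
/mnt/usb2 192.168.1.0/255.255.255.0(ro,no_root_squash,insecure,no_subtree_check,async,mp)
EOF
}

# Constructed sample: the same share after someone widened it to rw for any host.
widened_exports() {
cat <<'EOF'
/mnt/usb1 *(rw,no_root_squash,insecure,no_subtree_check,async,mp)
EOF
}

demo=$(mktemp -d)
page_exports > "$demo/page"
widened_exports > "$demo/widened"
audit_exports "$demo/page" 192.168.1.0/255.255.255.0 && echo "page exports: read-only, LAN only"
audit_exports "$demo/widened" 192.168.1.0/255.255.255.0 || echo "widened exports: rejected"
rm -rf "$demo"
```

On the router, run audit_exports /etc/exports 192.168.1.0/255.255.255.0 after any change to the file, then reload with exportfs -ar.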

6. Customizing OpenWRT

  1. In your browser, go to http://192.168.1.1/
  2. At the top of the page, hover over “Network” and click on “Firewall”.
  3. Click on “Custom Rules”.
  4. Paste the following into the box:
    IPT=iptables
    IF_LAN=eth0
    NET_LAN=192.168.1.0/24
    
    $IPT -A INPUT -j ACCEPT -i $IF_LAN -s $NET_LAN -p tcp --dport 111 #------------------- portmap
    $IPT -A INPUT -j ACCEPT -i $IF_LAN -s $NET_LAN -p udp --dport 111 #------------------- portmap
    $IPT -A INPUT -j ACCEPT -i $IF_LAN -s $NET_LAN -p tcp --dport 32777:32780 #----------- nfsd
    $IPT -A INPUT -j ACCEPT -i $IF_LAN -s $NET_LAN -p udp --dport 32777:32780 #----------- nfsd
    $IPT -t raw -A PREROUTING -i $IF_LAN -s $NET_LAN -p tcp --dport 32777:32780 -j CT --notrack #-- don't track nfs
    $IPT -t raw -A PREROUTING -i $IF_LAN -s $NET_LAN -p udp --dport 32777:32780 -j CT --notrack #-- don't track nfs
    $IPT -t raw -A OUTPUT -o $IF_LAN -d $NET_LAN -p tcp --dport 32777:32780 -j CT --notrack #- don't track nfs
    $IPT -t raw -A OUTPUT -o $IF_LAN -d $NET_LAN -p udp --dport 32777:32780 -j CT --notrack #- don't track nfs
  5. Click on “Submit”.
  6. At the top of the page, hover over “System” and click on “Startup”.
  7. Scroll down to “Local Startup” and paste the following into the “Custom” startup box:
    # Put your custom commands here that should be executed once
    # the system init finished. By default this file does nothing.
    
    sleep 3
    
    ntfs-3g /dev/sda1 /mnt/usb1 -o defaults,async,nofail,noatime
    ntfs-3g /dev/sdb1 /mnt/usb2 -o defaults,async,nofail,noatime
    # if not using NTFS devices, comment out the above two lines and uncomment the below two (remove the #s)
    # mount /dev/sda1 /mnt/usb1
    # mount /dev/sdb1 /mnt/usb2
    
    exit 0
  8. Click on “Submit”.

7. Set up QoS

  1. Go to http://www.speedtest.net/ and do a speedtest.
  2. Once it’s completed, let’s do some math:
    • Download Speed = Speedtest Download Speed x 1000 x 0.95
    • Upload Speed = Speedtest Upload Speed x 1000 x 0.95
  3. In your browser, go to http://192.168.1.1/
  4. At the top of the page, hover over “Network” and click on “SQM QoS”.
  5. Tick the “Enable this SQM instance” box and ensure the “Interface name” is set to eth0
  6. Set the Download and Upload speeds to what we calculated in step #2.
  7. Click on the “Save & Apply” button at the bottom of the page.

8. Reboot the Router

Because we have installed and set up multiple things, it’s best to restart the router to make sure all of our settings have taken effect.

  1. In your browser, go to http://192.168.1.1/
  2. At the top of the page, hover over “System” and click on “Reboot”.
  3. At this point in time, feel free to connect your USB storage media to your Archer C7, if any.
  4. Click on “Perform reboot” to reboot the router.
  5. Once it reboots, you can go in and configure additional options, such as static DHCP IP addresses and DNS servers.

If you have Kodi or any type of media player, you can now access your USB device(s) connected to the router via Network File System (NFS).

Accessing the share through Kodi

9. Manage Files on Your USB Devices

  1. Download and install an FTP client program if you do not have one already (e.g. FileZilla)
  2. Open your FTP program
  3. Set it to connect to:
    • Server: 192.168.1.1
    • Port: 21
    • Username: root
    • Password: the password you configured in 3. Initial OpenWRT Setup step #3 above.
  4. Connect and you will initially see an empty folder.
  5. Navigate to /mnt and you should be able to see your USB devices.

10. (optional) Using a Custom DNS Server

You are able to set your router to use a custom DNS server. You can read about some of the benefits here. My personal preference is OpenNIC (click on the link, then select your country. Jot down the IP address (under the “IPv4” column) of any servers which have “Log Anon” in blue).

  1. In your browser, go to http://192.168.1.1/
  2. At the top of the page, hover over “Network” and click on “Interfaces”.
  3. Click on the “WAN” tab.
  4. Click on the “Advanced Settings” tab.
  5. Untick “Use DNS servers advertised by peer”.
  6. Below it enter the IP address(es) of the DNS servers you want to use.
  7. Click on “Save & Apply”.

If you want to use a whitelist-only DNS server from OpenNIC:

  1. Go to https://www.opennicproject.org/members/ and create an account.
  2. Log in and at the bottom of the page there will be a string under the “If you wish to register your IP for whitelisting:” label
  3. Note down the URL address (e.g. https://173.160.58.201/ip/update/?user=username&auth=authenticationkey)
  4. Connect via SSH (follow 4. Log into SSH above).
  5. Once logged in, run the following command:
    wget -qO- --no-check-certificate "address from step #3"
  6. Press enter, and you should see at least one IP address returned.
  7. At the top of the page, hover over “System” and click on “Scheduled Tasks”.
  8. As a new line, enter:
    0 12 * * * wget -qO- --no-check-certificate "address from step #3"
  9. Click on Submit.
  10. Repeat the first set of steps in this section to update your DNS servers.

11. (optional) Install Adblock

With OpenWRT, you are also able to implement adblocking capabilities at the router level for your network. This means that any device connected to your network will automatically have ads/tracking services blocked, which is a huge benefit in terms of privacy and speed.

Adblock blocklist source selection

Adblock comes with 3 blocklist sources enabled by default. In the steps below I will show you how to install it, enable more blocklist sources (for 7 in total), optimize adblock settings to reduce wear on your router, include it in router startup, and enable automatic daily updates.

  1. Download adblock and luci-app-adblock to your computer.
  2. Rename them to adblock.ipk and luci-app-adblock.ipk, respectively.
  3. Follow the steps in 9. Manage Files on Your USB Devices to connect to your router via FTP.
  4. In your FTP client, navigate to the /tmp folder.
  5. Upload both .ipk files you downloaded in step #1.
  6. Connect via SSH (follow 4. Log into SSH above).
  7. Once logged in, run the following commands:
    opkg install wget /tmp/adblock.ipk /tmp/luci-app-adblock.ipk
    /etc/init.d/adblock enable
    /etc/init.d/adblock start
  8. In your browser, go to http://192.168.1.1/
  9. At the top of the page, hover over “Services” and click on “Adblock”.
  10. Choose which blocklist sources you want to enable. Personally I have enabled:
    • adaway (comes enabled by default)
    • disconnect (comes enabled by default)
    • hphosts
    • malwarelist
    • whocares
    • winhelp
    • yoyo (comes enabled by default)
    • Note: you must keep in mind that available space/memory is limited, so do not enable all of the blocklist sources.
  11. (optional) Tick the “Do not write status info to flash” option. I have done this to conserve flash writes on my router. The only drawback is that the status page in the web interface won’t show the latest information, but that’s not an issue for me.
  12. Click on “Save & Apply”.
  13. At the top of the page, hover over “System” and click on “Scheduled Tasks”.
  14. Paste the following into the text box:
    0 13 * * * /etc/init.d/adblock start
  15. The above line will make it so blocklist updates are run every day at 1:00pm. I chose this time instead of early morning hours (e.g. 4am) because there is the possibility some systems are down for maintenance then. Read this page for more information and options.

12. (optional) Install DNSCrypt

DNSCrypt prevents DNS spoofing and is relatively easy to install and set up.

  1. Connect via SSH (follow 4. Log into SSH above).
  2. Once logged in, run the following commands:
    opkg update
    opkg install dnscrypt-proxy
    /etc/init.d/dnscrypt-proxy enable
    /etc/init.d/dnscrypt-proxy start
    vi /etc/config/dhcp
  3. Press the i key on your keyboard to go into insert mode.
  4. Find the following line – option resolvfile '/tmp/resolv.conf.auto' – and add a # in front of it so it appears as:
    #option resolvfile '/tmp/resolv.conf.auto'
  5. Below this line, add the following entries:
    option noresolv '1'
    list server '127.0.0.1#5353'
    list server '/pool.ntp.org/208.67.222.222'
  6. Press the Escape key on your keyboard.
  7. Type the following command in:
    :wq
  8. Press Enter to save the file and to return to the command prompt.
  9. Type the following command in:
    /etc/init.d/dnsmasq restart
  10. Press Enter
  11. To verify everything is working, type the following command in:
    logread | grep "Proxying from"
  12. You should see something similar to:
    daemon.notice dnscrypt-proxy[23183]: Proxying from 127.0.0.1:5353 to 208.67.220.220:443
  13. In your browser, go to http://192.168.1.1/
  14. At the top of the page, hover over “System” and click on “Startup”, then scroll down to “Local Startup” and paste the following into the “Custom” startup box just above “exit 0”:
    sleep 10
    /etc/init.d/dnscrypt-proxy start
  15. Click on “Submit”.
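
A way to confirm the /etc/config/dhcp edits from steps 4 and 5, as an added example that is not part of the original post: it checks that dnsmasq forwards only to the local dnscrypt-proxy listener and that any other upstream is pinned to a single domain, like the pool.ntp.org entry. The function names and both sample configs are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: audit the dnsmasq section of
# /etc/config/dhcp against the edits made in steps 4 and 5 above.

# Active config lines only: trim whitespace, drop comments and blank lines.
active_lines() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^#/d' -e '/^$/d' "$1"
}

# check_dnscrypt_dhcp FILE -> returns 0 if FILE matches the guide, 1 otherwise.
check_dnscrypt_dhcp() {
    lines=$(active_lines "$1")
    rc=0
    q="['\"]?"    # UCI values may be single-quoted, double-quoted or bare
    if printf '%s\n' "$lines" | grep -Eq "^option[[:space:]]+resolvfile"; then
        echo "FAIL: 'option resolvfile' is still active (step 4)"; rc=1
    fi
    if ! printf '%s\n' "$lines" | grep -Eq "^option[[:space:]]+noresolv[[:space:]]+${q}1${q}\$"; then
        echo "FAIL: 'option noresolv 1' is missing (step 5)"; rc=1
    fi
    if ! printf '%s\n' "$lines" | grep -Eq "^list[[:space:]]+server[[:space:]]+${q}127\.0\.0\.1#5353${q}\$"; then
        echo "FAIL: dnscrypt-proxy at 127.0.0.1#5353 is not an upstream (step 5)"; rc=1
    fi
    # Every other upstream must be pinned to a domain (/domain/ip). An
    # unscoped server would receive ordinary lookups outside DNSCrypt.
    extra=$(printf '%s\n' "$lines" | grep -E "^list[[:space:]]+server" \
        | grep -v '127\.0\.0\.1#5353' \
        | grep -Ev "^list[[:space:]]+server[[:space:]]+${q}/[^/]+/" || true)
    if [ -n "$extra" ]; then
        echo "FAIL: unscoped upstream: $extra"; rc=1
    fi
    return $rc
}

# Constructed sample: the dnsmasq section after following the guide.
sample_after_guide() {
cat <<'EOF'
config dnsmasq
    option domainneeded '1'
    #option resolvfile '/tmp/resolv.conf.auto'
    option noresolv '1'
    list server '127.0.0.1#5353'
    list server '/pool.ntp.org/208.67.222.222'
EOF
}

# Constructed sample: step 4 skipped, noresolv absent, plain resolver added.
sample_leaky() {
cat <<'EOF'
config dnsmasq
    option domainneeded '1'
    option resolvfile '/tmp/resolv.conf.auto'
    list server '127.0.0.1#5353'
    list server '192.0.2.53'
EOF
}

tmp=$(mktemp -d)
sample_after_guide > "$tmp/good"
sample_leaky > "$tmp/leaky"
check_dnscrypt_dhcp "$tmp/good" && echo "guide config: OK"
check_dnscrypt_dhcp "$tmp/leaky" || echo "leaky config: rejected"
rm -rf "$tmp"
```

On the router, run check_dnscrypt_dhcp /etc/config/dhcp before restarting dnsmasq in step 9.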

If you want to use a custom resolver:

  1. Connect via SSH (follow 4. Log into SSH above).
  2. Once logged in, run the following commands:
    wget --no-check-certificate -O /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv
    vi /etc/config/dnscrypt-proxy
  3. Press the i key on your keyboard to go into insert mode.
  4. Uncomment the resolver and resolvers_list lines (remove the # in front of both of these)
  5. For the resolver option, find one and enter the “name” value into the configuration file (e.g. fvz-anyone).
  6. Press the Escape key on your keyboard.
  7. Type the following command in:
    :wq
  8. Press Enter to save the file and to return to the command prompt.
  9. Run the following commands:
    /etc/init.d/dnscrypt-proxy restart
    /etc/init.d/dnsmasq restart
  10. To verify everything is working, type the following command in:
    logread | grep "Proxying from"

Handy Commands

Here are some useful commands (to be executed via SSH). Follow the steps under 4. Log into SSH in order to run them:

Restart wifi without rebooting entire router:

wifi down && sleep 5 && wifi

Cleanly remove packages and all orphaned dependencies:

opkg remove --autoremove packagename

Reload NFS export configuration file:

exportfs -ar

Check the specs of the two wireless radios:

iw list