How to control the wireless radio on a home router.

[123]

NOTE: Applies to routers flashed with Tomato or DD-WRT firmware.

I recently upgraded my home router, from an ancient Netgear FVS318 plus WG102 Wireless Access Point, to a Cisco/Linksys e3000. Within a few days, I replaced its stock firmware with TomatoUSB (Toastman's build) and it is running fine. The VOIP hiccups I had with the old gear are gone and I didn't even have to employ Tomato's powerful QoS feature.

Not willing to leave good enough alone, I wanted to have my Home Automation system turn off the router's wireless radio whenever the ELK M1 was Armed Away or at bedtime. Given Tomato's impressive feature set, it seemed like an easy thing to do.

Looking for an easy solution, I wanted to use a URL to enable/disable the radios. After sifting through Tomato and DD-WRT's forums, posting a question and getting meager feedback, it became clear that I'd have to look elsewhere.

Telnet and SSH seemed to be the only way to access the router. After looking high and low for free, scriptable SSH clients, I found two solutions:
Bitvise Tunnelier
WinSCP

Tunnelier includes a console program called "sexec" that allows you to automate the process of logging in to the router, running a command, and logging out.

Assuming you have manually logged in and saved the session details (i.e. host name, username, password, RSA2 public key, etc) in a file called "MyRouter.tpl", here is all that's needed to disable the router's wireless radio:
sexec -profile="MyRouter.tpl" -cmd="wl radio off"
Naturally, your HA software needs to be able to execute DOS shell commands to take advantage of "sexec".

The e3000 has two radios, 2.4GHz (eth1) and 5Ghz (eth2). As a result, the "wl radio off" command only turns off the first radio (2.4GHz). To turn off the 5GHz radio, you use "wl -i eth2 radio off".


The latest version of WinSCP offers a .NET and COM library and allows for true 'native scripting' (assuming your HA software supports .NET or COM). You can write a driver for your HA software as opposed to using a shell command.

For example, here's the code, in VBScript, to turn off the first radio. FWIW, 90% of it is to set up the connection and only the last line executes the desired command.

set sessionOptions = WScript.CreateObject("WinSCP.SessionOptions")
with sessionOptions
	.Protocol = 1 ' SCP
	.HostName = "192.168.X.X"
	.UserName = "myusername"
	.Password = "mypassword"
	.SshHostKey = "ssh-rsa 1024 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx"
end with
set session = WScript.CreateObject("WinSCP.Session")
session.Open sessionOptions
session.ExecuteCommand("wl -i eth1 radio off")

For my HA software (Premise), WinSCP's .NET and COM Library is a better fit but Tunnelier's sexec also gets the job done.

Given the ability to execute commands on the router (and put/get files) it need not be limited to simply enabling/disabling radios. Your home's occupancy status can govern other router characteristics such as Internet Access, Port Redirection, Guest Networks, etc.

 

[tmbrown97]

Why?

I mean - if this made any sense to do, I'd do it by switching power on/off to my AP, which is always separate from my router... but what's the point?

 

[123]

Given the time I spent researching the subject, and sharing my results with others on this forum, I clearly thought it made sense and had a point. Those who have been seeking a means to tailor their router's behaviour, to suit their needs, now have a little more insight in how it can be done. If you see no value to my post, please feel free to ignore it.

 

[wuench]

I didn't know that WinSCP was scriptable I think that opens up a lot of capabilities for all kinds of stuff. I am wondering too, if this might be possible via SNMP, I guess it would depend on if the MIBs are available.

 

[123]

The .NET and COM libraries are a new addition (and a separate download) to the latest beta release of WinSCP.

I haven't spent much time exploring Tomato's SNMP service but, based on a quick review of forum posts, most poeple are using it to monitor bandwidth usage. So far, Tomato's built-in bandwidth monitoring (graphs indicating usage by interface, client, current, daily, weekly, etc) is sufficient for my needs but it's nice to know there's more if I want it. My next project will be to write syslog messages to a CIFS share and use some sort of monitoring tool to comb the log and report unusual activity.

 

[wuench]

I currently use Cacti to monitor my DDWRT routers (and Cisco switches, NAS, etc) via SNMP for bandwidth etc. I loaded on a very small VM running Linux. It has been very handy for troubleshoot HTPC issues on my network.

I use the free version of Kiwi Syslog Deamon for syslog collection that writes the logs to a text file. I also wrote a syslog driver for CQC that allows me to trigger events based on syslog messages. Right now I have it setup to monitor my guest Wifi network and announce when someone attaches is to it. I have DDWRT setup to log any allowed access through the ACL that walls off the guest network, so as soon as a DHCP request packet is sent the router logs the message, and CQC looks for that.

Syslog is a very simple ascii protocol, you could probably do something similar with Premise pretty easily.

 

[damage]

My next project will be to write syslog messages to a CIFS share and use some sort of monitoring tool to comb the log and report unusual activity.

i'm doing this w/ my tomato'd router. very easy to do extending the syslog perl script i posted in the obi thread http://goo.gl/5SYEO

 

[tmbrown97]

I wasn't asking to be an ass... I was asking the honest reason for doing this? Paranoia of people accessing or hacking your wireless while you're out? I know in my case I want my wireless to work while I'm out - I often check the elk or open/close garage doors from my phone while the alarm is armed but I'm close by... it's faster over wifi than 4G. Also I have some wifi cameras I move around the house if I'm gone for extended periods so I can keep an eye on things.

And rarely in our homes is the wiring closet (where the router lives) in the optimum place for a wifi AP to live, so personally I always use a separate AP that's optimally located in the home - which would make the task even easier; just switch power on/off.

I do think the scripting aspect is pretty neat - and has other potential uses... and it could be interesting to turn on/off virtual AP's during certain times of day or for someone to make it super easy to change WPA key's and even integrate them into your HA system - which could be fun. It could even enable/disable VPN based on outside factors for the truly paranoid.

 

[video321]

I agree with the scripting end being a nice touch, but to turn off the radio???

How about something simpler, such as using the longest WPA2 key possible and getting an email (daily/weekly/etc.) with the MAC of all new connections. There are so many more things the router could be doing for enhanced security. Personally, I have a guest BSSID that only allows access to the WAN port but is still protected by a simple to enter WPA2 key. For remote access I use ssh with a key/password combo. For my stupid iPhone I use PPTP, but limit what that connection can access, plus send me a text whenever anyone connects/disconnects from it. Plus, it is protected against brute force.

So while what you accomplished is VERY sweet indeed....what I can see a use for, as Work said, is to turn on/off guest access via scripting.

 

[123]

I wasn't asking to be an ass...

Never crossed my mind.

Why turn off the wireless radio(s)? Choose one, or more, or none:

Increase network security.
Reduce power consumption.
Minimize household EM field.

I don't have a separate AP so I can't use the switched-outlet approach you described. My router lives in the basement yet services both floors above it adequately. I don't operate a guest network.

I understand your need for Wi-Fi at all times. If I'm not home, or asleep, my preference is to disable a service I'm not using.

Some people claim to suffer from Electromagnetic Sensitivity. Given that humans have not been subjected to continuous low-level EM fields, in the spectrum used by modern wireless devices, until very recently (i.e. last 100 years) and elevated levels in the last 35 years, since the introduction of cell phones and Wi-Fi in homes and offices, it's not surprising to learn that some people may be sensitive to these levels. Many medical conditions are not officially recognized until years or decades later.

I recall my dear departed mother telling me how, as a child, she was outfitted with a new pair of shoes. She put on the shoes, stood on a machine, and saw precisely how her toes looked inside the shoes. It was a fluoroscope.
http://www.orau.org/...gfluor/shoe.htm
Her mom was ensuring her daughter received the best fitting shoes courtesy of the latest technology, X-Rays.

In the province of Ontario, Canada, the Teacher's Union is urging a ban on Wi-Fi in classrooms.
http://www.cbc.ca/ne...oecta-wifi.html

Whether one buys into this theory or not, I normally turn off appliances I don't use, so it's no stretch of the imagination, for me, to turn off the wireless radio.

 

[video321]

Whether one buys into this theory or not, I normally turn off appliances I don't use, so it's no stretch of the imagination, for me, to turn off the wireless radio.

I'd say that's a good enough reason to turn off the radio via script

I'm assuming the radio can be turned on/off without the need to reboot the router?

 

[tmbrown97]

I walk away from the Microwave oven when in use - into a different room... that's my paranoia. A Microwave puts out 10,000 times the stray radio waves a WAP does. We all have our idiosyncrasies. I also don't use Blue LED's in my house, and I worry about the long term effect of LED on us... so while the main living areas of our house are lit by LED ($.40/kWh), I don't let the kids play with LED flashlights and the bedrooms are incandescent. I'm not immune from a certain amount of crazy - we all have our own flavors.

 

[video321]

Did not know about the issues with LEDs, Work. Now to decide if I'm going to take away my kid's Disney LED flashlights - they are bright.

 

[donkeydave]

Hi all,

I appreciate this thread is old, but I was doing something similar and thought I could add my approach. Basically, after installing tomato I also installed lighttpd so that the router can also run a mini php server. Having done that I used phpseclib to write a php script (hosted on the router) that connects to tomato via SSH and runs commands. I have it start / stop a VPN connection which means I can use my iPhone to switch on (or off) a VPN session on the router by just visiting the php page. If any of you are interested in this approach let me know and I'll post more details.

Dave

 

[joekamel]

Hi all,

I appreciate this thread is old, but I was doing something similar and thought I could add my approach. Basically, after installing tomato I also installed lighttpd so that the router can also run a mini php server. Having done that I used phpseclib to write a php script (hosted on the router) that connects to tomato via SSH and runs commands. I have it start / stop a VPN connection which means I can use my iPhone to switch on (or off) a VPN session on the router by just visiting the php page. If any of you are interested in this approach let me know and I'll post more details.

Dave

 
Dave,
 
I'd really like to know how you did it.  I'm looking for a way to selectively trigger moving some computers on the local network on and off of the VPN, and this would be perfect since all it would take would be a web shortcut for the computers in question.  I have the scripts for the rest done, just need a way to trigger them.
 
So just curious, how did you install phpseclib?  I found lighttpd on optware, but nothing about seclib.  Is seclib part of the php5 package?  Also, how much space did it take up?  I only have 1.6Mb in JFFS and unfortunately no USB.