- Change the default admin username and password on first login.
- Restrict web UI management to LAN only (Administration -> Management -> Web Access).
- Disable WAN management unless you have a strict allowlist and upstream firewall filtering.
- Disable Telnet and use SSH only.
- If SSH is enabled, use key-based authentication and a non-default port.
- Disable unnecessary services like ttraff Daemon, UPnP, and WPS when not required.
¶ Firewall and Network Segmentation
- Keep SPI firewall enabled and drop unsolicited WAN traffic.
- Create separate VLANs or guest SSIDs for untrusted devices.
- Block inter-VLAN traffic by default and allow only required flows (DNS, DHCP, specific app ports).
¶ VPN and Remote Access
- Prefer WireGuard or OpenVPN for remote access instead of direct management exposure.
- Enforce strong client credentials and rotate VPN keys/certificates periodically.
- Restrict VPN clients to minimum routes needed for operations.
- Track stable DD-WRT build threads before upgrades and avoid untested beta builds in production.
- Export configuration backups before upgrade and keep rollback firmware images ready.
- Re-validate firewall/NAT and DNS settings after each firmware update.
¶ Logging and Monitoring
- Forward syslog to a central log server to preserve audit trails across reboots.
- Alert on repeated auth failures and configuration changes.
- Review enabled startup scripts (Administration -> Commands) for drift or unauthorized changes.
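The service, firewall and logging items above can be checked mechanically against an `nvram show` dump taken from the router. The script below is an added example, not part of the original checklist or of DD-WRT itself; the nvram key names it checks (remote_management, telnetd_enable, sshd_enable, sshd_port, sshd_passwd_auth, upnp_enable, ttraff_enable, filter, syslogd_enable, syslogd_rem_ip) are assumed to match the build in use, and the dump it runs on is constructed.

```shell
# Audit a DD-WRT "nvram show" dump against the hardening checklist.
# Assumption: key names are DD-WRT's nvram variables as commonly used;
# confirm each on your build with `nvram show | grep <key>` before relying on it.
# get_var DUMPFILE KEY -> prints KEY's value (empty if unset)
get_var() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}
# want_eq DUMPFILE KEY WANT LABEL -> prints a finding and fails if KEY != WANT
want_eq() {
    val=$(get_var "$1" "$2")
    if [ "$val" != "$3" ]; then
        echo "FINDING: $4 ($2='$val', want '$3')"
        return 1
    fi
}
# audit_dump DUMPFILE -> prints findings; exit status = number of findings (0 = clean)
audit_dump() {
    dump=$1; n=0
    want_eq "$dump" remote_management 0 "WAN web management enabled" || n=$((n+1))
    want_eq "$dump" telnetd_enable 0 "Telnet enabled" || n=$((n+1))
    want_eq "$dump" sshd_enable 1 "SSH disabled" || n=$((n+1))
    want_eq "$dump" sshd_passwd_auth 0 "SSH password auth enabled" || n=$((n+1))
    want_eq "$dump" upnp_enable 0 "UPnP enabled" || n=$((n+1))
    want_eq "$dump" ttraff_enable 0 "ttraff daemon enabled" || n=$((n+1))
    want_eq "$dump" filter on "SPI firewall disabled" || n=$((n+1))
    want_eq "$dump" syslogd_enable 1 "syslog disabled" || n=$((n+1))
    # These two need a comparison rather than an exact match
    [ "$(get_var "$dump" sshd_port)" != "22" ] \
        || { echo "FINDING: SSH on default port 22"; n=$((n+1)); }
    [ -n "$(get_var "$dump" syslogd_rem_ip)" ] \
        || { echo "FINDING: no remote syslog server configured"; n=$((n+1)); }
    return $n
}
# Constructed sample dump (not from a real device) with several weak settings
SAMPLE_DUMP=$(mktemp)
cat > "$SAMPLE_DUMP" <<'EOF'
remote_management=1
telnetd_enable=1
sshd_enable=1
sshd_port=22
sshd_passwd_auth=1
upnp_enable=0
ttraff_enable=1
filter=on
syslogd_enable=1
syslogd_rem_ip=
EOF
audit_dump "$SAMPLE_DUMP" || echo "$? finding(s) in sample dump"
```

Multi-line values such as rc_startup are not handled by the line-oriented parser; review those scripts by hand as the checklist says.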