During Prime Day, my friend grabbed a GL.iNet Flint 2 (GL-MT6000) for a fair price, thanks to the Slickdeals community.

The specs of this model feel like a beast to me, because I don't have enough high-end devices or a fast enough Internet plan to use that much performance.

But what I can do is boost its security and stability for my friend.

Note: For operational security, do all of the initial setup without a physical Internet/WAN connection; the WAN cable goes in only after the firmware has been replaced and the admin password set.

Use a browser to open the web admin panel at 192.168.8.1 and go through the initial setup guide created by GL.iNet.

Thoughts on Security

Although the stock firmware is a so-called OpenWrt fork, it ships with far too many preinstalled plugins and features, such as cloud services, various preconfigured WireGuard profiles, Tor, ZeroTier/Tailscale, that normal users like my friend would never use. Even sysadmins who use some of those features wouldn't deploy them all on the same device or network.

I know that from a product perspective, more pre-built features mean reaching more market segments and a better user experience. But the cost of being user-friendly is also being attacker-friendly.

More exposed services and interfaces mean more attack surface, not to mention that many of these built-in features are tuned for ease of use (again the opposite of security). And this firmware carries more risk than vanilla OpenWrt because of proprietary or outdated downstream code that is harder to audit and could contain either a backdoor or an unpatched vulnerability.

Configuration

So, follow the official guide to download the sysupgrade.bin file and flash it via Admin Panel - SYSTEM - Upgrade - Firmware Local Upgrade, without keeping settings (the stock configuration is not compatible with upstream OpenWrt).

Make sure to confirm the SHA-256 hash before uploading; the value must match the one published on the OpenWrt download page for this exact file:

file name:
openwrt-24.10.3-mediatek-filogic-glinet_gl-mt6000-squashfs-sysupgrade.bin
sha256sum: 26d979191db9534c12402a81c97c5b64df9949ef767f25507a27ff2ac5a389b7
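The check above, as an added example that is not part of the original post: a small POSIX shell script that refuses to proceed unless the image's SHA-256 matches the expected value. The file name and hash are the ones quoted above; the script name, the exit codes and the `shasum` fallback for macOS are my own choices.

```sh
#!/bin/sh
# Added example (not from the post): refuse to upload an image whose SHA-256
# does not match the published value.  The file name and hash are the ones
# quoted above; pass different ones as arguments for another build.

EXPECTED_FILE='openwrt-24.10.3-mediatek-filogic-glinet_gl-mt6000-squashfs-sysupgrade.bin'
EXPECTED_SHA256='26d979191db9534c12402a81c97c5b64df9949ef767f25507a27ff2ac5a389b7'

# Portable digest: GNU coreutils has sha256sum, macOS/BSD ship shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# verify_image FILE EXPECTED_HEX -> 0 on match, 1 on mismatch, 2 on bad input.
# Compares case-insensitively and insists the expected value is 64 hex chars,
# so a truncated copy-paste cannot silently "match" a prefix.
verify_image() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  case $expected in
    *[!0-9a-f]*|'') echo "expected hash is not hex: $2" >&2; return 2 ;;
  esac
  [ ${#expected} -eq 64 ] || { echo "expected hash is ${#expected} chars, not 64" >&2; return 2; }
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK       $file"
    return 0
  fi
  printf 'MISMATCH %s\n  expected %s\n  actual   %s\n' "$file" "$expected" "$actual" >&2
  return 1
}

# Usage: sh verify-image.sh FILE [SHA256]   (defaults to the hash above)
if [ "$#" -gt 0 ]; then
  verify_image "$1" "${2:-$EXPECTED_SHA256}"
fi
```

One caveat: matching a hash copied from a blog post only proves you have the same file the author had. Take the expected value from the signed sha256sums file published next to the image on downloads.openwrt.org, so that the comparison is against what the OpenWrt project released.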

After a while the router comes back as vanilla OpenWrt; log in at http://192.168.1.1 as root with the default empty password (there is no root:admin on upstream OpenWrt).

Now, set a strong root password (Snowden's rule: a long but memorable passphrase) via System - Administration, then disable SSH access by unchecking Enable Instance under SSH Access. If you will need a shell later, keep the instance but bind it to the LAN interface and turn off password authentication in favour of keys.

HTTPS is worthwhile in an untrusted environment, but the self-signed certificate makes plain HTTP easier to live with in modern browsers, so Redirect to HTTPS is not recommended here. The trade-off is that the admin password crosses the LAN in the clear, so only log in from the wired LAN or your own WiFi, and never reuse that password elsewhere.

Before setting up WiFi, click Status - Channel Analysis - Refresh Channels to see which channels the neighbours are using.

Note the least crowded channel number for both 2.4 and 5 GHz, then connect the WAN cable for Internet access (confirm via Network - Interfaces).
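Channel Analysis only shows a list of neighbouring networks; picking the channel is still a judgement call. Here is an added example, not from the original post, that does the same ranking from the command line with `iw dev <interface> scan`. It goes one step beyond a raw per-channel count: on 2.4 GHz a 20 MHz channel overlaps neighbours up to four channel numbers away, so a network on channel 3 congests both 1 and 6, and the script scores the three non-overlapping channels (1, 6, 11) by how many BSSes overlap each. The scan text is constructed and the interface name is an assumption.

```sh
#!/bin/sh
# Added example (not from the post): rank 2.4 GHz channels by how many
# neighbouring BSSes overlap them, using `iw dev <if> scan` output.
# The scan text below is constructed and the interface name is an assumption.

# Constructed sample of `iw dev wlan0 scan`; only the freq: lines matter.
SAMPLE_SCAN='BSS aa:bb:cc:dd:ee:01(on wlan0)
        freq: 2412
        signal: -41.00 dBm
        SSID: Cafe
BSS aa:bb:cc:dd:ee:02(on wlan0)
        freq: 2422
        signal: -60.00 dBm
        SSID: Apt2
BSS aa:bb:cc:dd:ee:03(on wlan0)
        freq: 2437
        signal: -55.00 dBm
        SSID: Apt3
BSS aa:bb:cc:dd:ee:04(on wlan0)
        freq: 2462
        signal: -70.00 dBm
        SSID: Apt4
BSS aa:bb:cc:dd:ee:05(on wlan0)
        freq: 5180
        signal: -50.00 dBm
        SSID: Apt5-5G'

# Reads scan output on stdin.  A 20 MHz channel overlaps its neighbours up to
# 4 channel numbers away, so a BSS on channel 3 congests both 1 and 6; a raw
# per-channel count misses that.  Only 1, 6 and 11 are scored because they
# are the non-overlapping choices.  Ties go to the lowest channel.
score_24ghz() {
  awk '
    /^[[:space:]]*freq:/ {
      f = $2 + 0
      if (f >= 2412 && f <= 2472) ch = (f - 2407) / 5
      else if (f == 2484) ch = 14
      else next                      # 5/6 GHz BSS: ignore here
      seen[ch]++
    }
    END {
      n = split("1 6 11", cand, " ")
      best = cand[1]; bestscore = -1
      for (i = 1; i <= n; i++) {
        c = cand[i]; s = 0
        for (ch in seen)
          if (ch - c <= 4 && c - ch <= 4) s += seen[ch]
        printf "channel %2d: %d overlapping BSS\n", c, s
        if (bestscore < 0 || s < bestscore) { best = c; bestscore = s }
      }
      printf "best: %d\n", best
    }'
}

# Just the winning channel number, for scripting.
best_24ghz() { score_24ghz | awk '/^best:/ { print $2 }'; }

# Demo on the constructed sample; on the router replace the printf with
#   iw dev phy0-ap0 scan | score_24ghz      (interface name is an assumption)
printf '%s\n' "$SAMPLE_SCAN" | score_24ghz
```

On the sample, channels 1 and 6 each have two overlapping networks (the channel 3 network counts against both) while channel 11 has one, so 11 wins. Signal strength is deliberately ignored; a weak neighbour on your channel still contends for airtime.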

Go to Network - Wireless; do not enable any Access Point yet, but Edit one.

In Device Configuration, set Operating frequency to N with the best channel found during the analysis, and leave the other settings at their defaults unless needed.

In Interface Configuration, set Mode to Access Point and give it an ESSID that contains no meaningful information (no names, addresses or router model, and don't troll your neighbours with WiFi names).

On the Wireless Security tab, set Encryption to WPA2/WPA3 Personal (PSK/SAE) mixed mode. Mixed mode exists to keep old clients working; it also lets any client negotiate down to WPA2, so if every device in the house supports WPA3, pick WPA3 Personal (SAE) only.

Create a long random password if it is not meant to be shared with many people, or follow Snowden's rule and create something like margaretthatcheris110%SEXY. Either way it must be 8 to 63 printable ASCII characters, the WPA2 passphrase limit that still applies in mixed mode.

Tick Enable key reinstallation (KRACK) countermeasures for WPA2 packages, then Save and Save & Apply. This option stops hostapd from retransmitting EAPOL-Key frames, which is what the KRACK attack abuses; LuCI warns it can cause interoperability problems with some clients, so if a device later refuses to connect, this box is the first thing to try unticking.

Now enable the Access Point you just configured, then test it with a very new phone and a very old phone (mixed mode has to work for both).

Next, repeat the same steps to set up the 5 GHz Access Point, operating in AX mode.
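The same two access points can be expressed as UCI commands, which makes the configuration reviewable in a text file and reproducible on the next reset. The script below is an added example, not code from the post or from OpenWrt; it assumes OpenWrt 24.10 on the GL-MT6000 with radio0 as the 2.4 GHz radio and radio1 as the 5 GHz radio (confirm with `uci show wireless | grep band`). The section names, SSIDs, channels and the placeholder passphrase are mine. It also enforces the passphrase rule from above (8 to 63 printable ASCII characters) before emitting anything, so a bad key fails here instead of silently leaving the radio down.

```sh
#!/bin/sh
# Added example (not from the post): the UCI equivalent of the LuCI clicks
# above.  Assumes OpenWrt 24.10 on the GL-MT6000 with radio0 = 2.4 GHz and
# radio1 = 5 GHz; section names, SSIDs and the placeholder passphrase are mine.

# hostapd requires WPA2-PSK passphrases of 8..63 printable ASCII characters,
# and sae-mixed still serves WPA2 clients, so the limit applies here too.
# A single quote is also rejected because the generated `uci batch` lines
# quote values with it.  Returns 0 when the passphrase is usable.
check_psk() {
  psk=$1
  len=$(( $(printf '%s' "$psk" | wc -c) ))
  [ "$len" -ge 8 ] && [ "$len" -le 63 ] || return 1
  # bytes left after deleting printable ASCII = control or non-ASCII bytes
  [ $(( $(printf '%s' "$psk" | LC_ALL=C tr -d '[:print:]' | wc -c) )) -eq 0 ] || return 1
  case $psk in *"'"*) return 1 ;; esac
  return 0
}

# wifi_uci RADIO BAND CHANNEL HTMODE SSID PSK -> prints a `uci batch` script.
# encryption=sae-mixed is the WPA2/WPA3 mixed mode; ieee80211w=1 makes 802.11w
# optional (WPA3 needs it, old WPA2 clients can still join without it); and
# wpa_disable_eapol_key_retries=1 is the LuCI "KRACK countermeasures" box.
wifi_uci() {
  radio=$1 band=$2 channel=$3 htmode=$4 ssid=$5 psk=$6
  check_psk "$psk" || { echo "unusable passphrase for $ssid" >&2; return 1; }
  iface="ap_$radio"    # our own section name; LuCI would pick e.g. wifinet0
  cat <<EOF
set wireless.$radio.band='$band'
set wireless.$radio.channel='$channel'
set wireless.$radio.htmode='$htmode'
set wireless.$radio.disabled='0'
set wireless.$iface=wifi-iface
set wireless.$iface.device='$radio'
set wireless.$iface.network='lan'
set wireless.$iface.mode='ap'
set wireless.$iface.ssid='$ssid'
set wireless.$iface.encryption='sae-mixed'
set wireless.$iface.key='$psk'
set wireless.$iface.ieee80211w='1'
set wireless.$iface.wpa_disable_eapol_key_retries='1'
EOF
}

# Channels and SSIDs are placeholders: use the ones from Channel Analysis.
# HT20 = 2.4 GHz N at 20 MHz, HE80 = 5 GHz AX at 80 MHz.
# On the router:  sh wifi.sh print | uci batch && uci commit wireless && wifi reload
if [ "$1" = "print" ]; then
  PSK='replace-this-with-a-long-passphrase'
  wifi_uci radio0 2g 11 HT20 'nothing-to-see' "$PSK" &&
  wifi_uci radio1 5g 36 HE80 'nothing-to-see-5g' "$PSK"
fi
```

Review the printed batch before piping it into `uci batch`; the passphrase ends up in /etc/config/wireless in plain text either way, which is one more reason the root password and the WiFi passphrase should be different secrets.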

Refer to this blog for details on selecting the best channel and width.

Finally, test the speed from different devices and locations. If this really is a good router, I shall set it and forget it!