Windows 10 Start Menu Crash/Freeze & Repair

For all the reasons Windows 10 is an upgrade, a freezing Start menu is beyond frustrating. After rebuilding the Windows Search database, confirming DISM was healthy, and running CHKDSK and System File Checker, I was running out of ideas.

Then I came across this: Reset Windows 10 Start Menu “TileDataLayer”, which led to Fix Windows 10 Start Button Does Nothing in 10 Minutes and a repair tool from Microsoft released in June 2016 (direct link). So this is a known issue.

Before becoming aware of the Microsoft utility, I did my own fix. Using a tool called Unlocker (portable version; part of my digital toolbox) you can forcibly rename/delete files locked by the system. FYI, Unlocker can cause false-positives with anti-virus software. If you are concerned, please upload your downloaded copy to VirusTotal for a second scan.

Using Unlocker, I went to the following location (screenshot: unlocker_choose_folder):


Hit “OK”. Action should be “Rename”; change the name to “DatabaseBackup”.


Finally you should get the following prompt; hit “Yes”.


Let the system reboot.
Then reboot again, a second time.

You will have to recreate your tiles but your start button should at least work and search.

What a mess: Exchange 2013 with Direct Booking and the AutoAccept Agent

In short, Direct Booking and all the associated mailbox delegation controls that were in Exchange 2003 became confusing in 2007 and became a mess in Exchange 2013.

This is a short, reference post.

At this point in time (mid-2016) most people have already experienced this pain, but through these links I finally tracked down multiple issues with Room Resources not sending Accept/Reject emails to Delegates.

  1. Start with a simple explanation of the difference between the old and new ways: Exchange 2003 Auto Accept Agent vs. direct booking & Booking Delegation vs. Classic Delegation.
  2. Then use this PowerShell script to discover which mailboxes and/or resources have Direct Booking enabled: Use Exchange Web Services and PowerShell to Discover and Remove Direct Booking Settings. Then use the “write” method to actually make the changes to the desired mailboxes. Read the included README file closely for prerequisites.
  3. Simple PowerShell to confirm and modify resources one-by-one: Two ways to grant access to a Resource in #MSFTExchange
  4. Lastly, and because we have a manageable number of Room Resources, go one by one and save them using the EAC. This is a decent double check, because in at least one Microsoft Exchange Team blog post they mentioned that EAC does cleanup when a resource is saved post-upgrade. Specifically, a few rooms under “Booking Delegates” had the setting “Use customized setting to accept or decline booking requests”. Change the Room Resource to either “Accept or decline…” or “Select delegates…”.
    Before: (screenshot: custom booking delegates)
    After: (screenshot: booking delegates)
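The confirm-and-modify step from item 3, scripted for the Exchange Management Shell. This is an added example, not the post's own code or the linked scripts; room and delegate names are placeholders. The Direct Booking flag itself lives in the mailbox's calendar settings and is only reachable through EWS (which is what the linked script handles); the cmdlets below cover the Resource Booking Attendant side, AutomateProcessing and delegates, which is what the EAC save in item 4 rewrites.

```powershell
# Added example (not from the original post). Run in the Exchange Management
# Shell on Exchange 2013. Room and delegate names below are placeholders.

# 1. Inventory the calendar-processing settings of every room mailbox.
$rooms = Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited
$rooms | Get-CalendarProcessing |
    Select-Object Identity, AutomateProcessing, AllBookInPolicy,
                  AllRequestInPolicy, ResourceDelegates, ForwardRequestsToDelegates |
    Format-Table -AutoSize

# 2. Flag rooms that are not on AutoAccept (item 7 of the reading list ties the
#    "Before" screenshot to AutomateProcessing: AutoUpdate) or have no delegates.
$needsFix = $rooms | Get-CalendarProcessing |
    Where-Object { $_.AutomateProcessing -ne 'AutoAccept' -or -not $_.ResourceDelegates }
$needsFix | Select-Object Identity, AutomateProcessing, ResourceDelegates

# 3. Fix one room: let the Resource Booking Attendant handle requests and route
#    anything out of policy to named delegates (placeholder addresses).
Set-CalendarProcessing -Identity 'Conf Room 101' `
    -AutomateProcessing AutoAccept `
    -AllBookInPolicy $true `
    -AllRequestInPolicy $true `
    -ResourceDelegates 'delegate1@example.com', 'delegate2@example.com' `
    -ForwardRequestsToDelegates $true

# 4. Confirm the change took effect before moving to the next room.
Get-CalendarProcessing -Identity 'Conf Room 101' |
    Select-Object Identity, AutomateProcessing, AllRequestInPolicy, ResourceDelegates
```

Run step 1 first and keep its output; it is the before-state you compare against after the EAC save in item 4, and it tells you which rooms the EWS script still needs to touch.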

Additional Reading:

  1. Setting Calendar Options For Resource Mailboxes In Exchange 2010…
  2. How to Create and configure a meeting room mailbox with Exchange Server 2007
  3. A Look at Exchange Server 2013 Resource Mailboxes
  4. Working with Resource Mailboxes in Exchange Server 2016
  5. Tool before the PowerShell script above: SetAA – Tweak Auto Accept Settings Across Mailboxes and an article explaining how to use it: Disable Direct Booking For All Room Mailboxes.
  6. I found the last step, saving in EAC, does mailbox cleanup. If not, you can manually remove the mailbox from a room resource: I can’t disable a resource mailbox? Sez Who?
  7. The “Before” screenshot above, which was not well documented: Resources Booking Delegates Fix (AutomateProcessing: AutoUpdate)
  8. Exchange 2007: Resource delegate never receives forwarded meeting requests for approval
  9. Useful method for appending information to meeting requests: Using Transport Rules to append text to Meeting Requests when Room Mailbox is selected as Resource

Bypassing “This program cannot run under VMWare or Virtual PC”

We had a specific application that refused to run inside a virtual machine (VMware guest).


“This program cannot run under VMWare or Virtual PC”
“Sorry, this application cannot run under a Virtual Machine”

Tell VMware to prevent the guest from knowing it’s a virtual machine (VM).
Kudos to this post on

In this particular situation, all access to the guest was done over Remote Desktop Protocol (RDP); in other words, graphics performance was not critical.

NOTE: The modified VM will have poorer performance, especially with graphics, and VMware Tools will not work. This is an experimental configuration and not advised for long term use.

Shut down your VM. Add the following lines to the .VMX file of your VM (refer to this KB article from VMware showing how to add these lines in different environments, e.g. Workstation, vSphere Client, etc.): = “TRUE” = “TRUE” = “TRUE” = “TRUE”
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"
tools.upgrade.policy = "manual"
monitor_control.restrict_backdoor = "TRUE"

Power on your VM. Remove VMware Tools.
The problematic application should launch and run without issue. Enjoy.

cPanel Email Filtering to Stop Chinese or non-English Character SPAM

Customers complained about “Chinese SPAM” even after filtering was being handled by SpamExperts. This post is based on the good work from Dr. John.

I am a long-time cPanel/WHM user and customer for LAMP sites. I use EZPZ Hosting and highly recommend them; this is an honest referral. Thankfully EZPZ uses SpamExperts to handle the “heavy lifting” for incoming SPAM filtering. However, even with SpamExperts, customers still got “Chinese SPAM” or emails containing non-English characters.

Here is a sample email that got through SpamExperts and needed to be blocked:

Here is how to filter it easily with cPanel regex:

  1. Log in to cPanel.
  2. Go to “Account-Level Filtering” (or User-Level Filtering if you want to pick a specific email address).
  3. Hit “Create New Filter”.
  4. And enter the following:
    The drop-down shows a few good options. You can outright discard the message, which is easy, but I recommend “Deliver to Folder”. This places the filtered emails in a user’s email folder (e.g. the Junk E-mail folder) for review or retrieval in case any of these filtered emails are needed. All email that matches the regex will go to this user’s email folder. If you want to filter per user and not globally for the domain, User-Level Filtering allows you to create the same regex filter for each user.
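Because the regex itself is only in the screenshot, here is an added example (not from the post or Dr. John's write-up) for testing candidate patterns against constructed subject lines before putting one into the filter. Two patterns are assumed: one limited to the CJK Unified Ideographs block, and one matching any non-ASCII character. The second also catches legitimate accented Latin text, which is exactly why the post's “Deliver to Folder” choice matters more than “Discard”.

```powershell
# Added example, not from the original post. The subject lines are constructed
# samples (not the real spam from the post) and both patterns are assumptions to
# be adapted to the regex dialect of the filter you configure.

# Candidate 1: CJK Unified Ideographs block only (U+4E00..U+9FFF).
$cjkPattern = '[\u4E00-\u9FFF]'
# Candidate 2: any character outside 7-bit ASCII.
$nonAsciiPattern = '[^\x00-\x7F]'

$subjects = @(
    'Quarterly report attached',        # plain English: must not match
    'Résumé for the open position',      # accented Latin: legitimate mail
    '最新产品促销 - 限时优惠',             # Chinese-language spam-style subject
    'Meeting 会议 tomorrow'              # mixed: one ideograph is enough
)

function Test-SubjectPattern {
    param([string[]]$Subjects, [string]$Pattern, [string]$Label)
    foreach ($s in $Subjects) {
        [pscustomobject]@{
            Pattern = $Label
            Subject = $s
            Matches = [bool]($s -match $Pattern)
        }
    }
}

# The CJK-only pattern matches rows 3 and 4; the non-ASCII pattern also matches
# row 2, the false positive a "Discard" action would silently throw away.
Test-SubjectPattern $subjects $cjkPattern 'CJK-only'  | Format-Table -AutoSize
Test-SubjectPattern $subjects $nonAsciiPattern 'non-ASCII' | Format-Table -AutoSize
```

Save the script as UTF-8 with a BOM so Windows PowerShell reads the non-ASCII sample subjects correctly; without it the third and fourth rows are mangled before the regex ever sees them.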

Group Policy Preferences + Preference Item-Level Targeting + Security Groups = One Big Mess

Microsoft. While Group Policy Preferences, when they work, work wonders, when they do not work or the UI breaks them, I lose all confidence.

USE CASE: we recently deployed PaperCut across our multi-function printers (MFPs). [PaperCut, BTW, is an excellent product, especially for Healthcare and HIPAA-compliant environments.] Globally I pushed the default PaperCut virtual printer to all PCs. Users print to the virtual printer and then fetch their print jobs securely on any MFP across campus running the PaperCut embedded application.

However, we had certain user AND computer exceptions to the default printer; e.g. local USB printers or Terminal Services/RemoteApp servers. Loopback merging can get complex rather quickly (another good, quick refresher here). Group Policy Preferences Item-Level Targeting is a better solution. Read about it here from Microsoft directly.

In my default printer example, the intent is to exclude certain users and computers. To make it easy to manage, I created a Security Group named “PaperCut-NonDefault” that contained both the users and the computers I wanted to exclude. I then set “Targeting…” on the PaperCut preference.

In the Targeting Editor I created the following logic (screenshot: PaperCut-Targeting):

Now, up until this point, everything seemed very straightforward, and yet the Targeting refused to work properly. If I added the users and computers directly into the Targeting Editor, I was able to get it working perfectly. The moment I used a Security Group, everything broke.

After sleeping on the problem, I finally came across this wonderful post. In short, do not use the “…” button to select your Security Group. Re-read that. In other words, do not use the DOMAIN\SECURITY_GROUP convention; just use the Security Group name only (as I have highlighted in the screenshot above). Based on the comments it appears that Microsoft has a hotfix which may solve the issue but I chose to fix it by dropping the “DOMAIN\”. Also note that I have two “Items” both calling the “PaperCut-NonDefault” Security Group. Targeting Security Group “Items” can only apply to either a computer or user; not both in one item. By having two items, I have one for users, one for computers.

With this subtle but critical change in place, the default printer Targeting works very effectively, excluding certain users and computers. To make it even easier for our users, I added a second printer preference that ONLY applies to those in the “PaperCut-NonDefault” group; it adds the PaperCut printer but does not set it as default. In other words, even users who do not want PaperCut as their default printer still get the PaperCut printer as an option (screenshot: PaperCut-Targeting-NonDefault).

Enjoy. When Targeting works, it’s effective and powerful. Here are 10 things Group Policy Preferences can do better than your current script!

Disabling Hidden Shares in Windows 10 (& Windows Vista, Windows 7, and Windows 8.1)

A simple post confirming that the same registry key works in Windows 10.
Based largely off of this ITworld write-up by Paul McFedries.

As is commonly known, a “$” in a Windows share name makes it “hidden”. This does not mean it is any more secure; it only obscures the name. That said, Microsoft, by default, enables hidden shares for “Administrative” purposes, including one for the system drive, C: (C$), and any other hard disk partitions you have on your system. Windows Vista+ also sets up the following hidden shares:

Share     Shared Path                              Purpose
ADMIN$    %SystemRoot%                             Remote administration
IPC$      N/A                                      Remote interprocess communication
print$    %SystemRoot%\System32\spool\drivers      Access to printer drivers

Open an elevated Command Prompt and type “net share” and press Enter. You see a listing similar to this:

Share name   Resource                        Remark
C$           C:\                             Default share
D$           D:\                             Default share
ADMIN$       C:\WINDOWS                      Remote Admin
IPC$                                         Remote IPC
print$       C:\System32\spool\drivers       Printer Drivers
Public       C:\Users\Public                 

So although the C$, D$, and ADMIN$ shares are otherwise hidden, they’re well known, and they represent a small security risk should an intruder get access to your network. To close this hole, you can force Windows Vista to disable these shares. Here are the steps to follow:

  1. Click Start, type “regedit” in the Search box, and then click regedit.exe in the search results. The User Account Control dialog box appears.
  2. Say “Yes” to the UAC prompt and the Registry Editor should open.
  3. Open the HKEY_LOCAL_MACHINE branch.
  4. Open the SYSTEM branch.
  5. Open the CurrentControlSet branch.
  6. Open the Services branch.
  7. Open the LanmanServer branch.
  8. Select the Parameters branch.
  9. Select Edit, New, “DWORD (32-bit) Value”.
  10. Type “AutoShareWks” and press Enter. (Leave the default value of 0.)
  11. Reboot, or restart the “server” service from a Command Prompt: “net stop server” then “net start server”.

Once again, open an elevated Command Prompt and type “net share” and press Enter. The output should now look like this:

Share name   Resource                        Remark
IPC$                                         Remote IPC
print$       C:\System32\spool\drivers       Printer Drivers
Public       C:\Users\Public                 

FYI – It’s possible certain applications require the hidden shares. To disable this or roll back to the “default”, simply remove the “AutoShareWks” registry value or change its value to “1”.
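The same change scripted in PowerShell, as an added example that is not from the post or the ITworld article. It uses Get-SmbShare (present on Windows 8.1/10 and Server 2012 and later) to show the before and after state, and restarts the Server service as step 11 does, which drops any SMB session currently open to this machine. The AutoShareServer value mentioned in a comment is the equivalent setting on Windows Server editions.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# prompt on Windows 8.1/10 or later.

$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-AdminShares {
    # The administrative shares (C$, D$, ADMIN$, IPC$) are the ones SMB flags as Special.
    Get-SmbShare | Where-Object { $_.Special } |
        Select-Object Name, Path, Description
}

'Before:'
Get-AdminShares | Format-Table -AutoSize

# Stop the Server service from recreating the drive and ADMIN$ shares at start-up.
# (On Windows Server SKUs the corresponding value is AutoShareServer.)
New-ItemProperty -Path $paramKey -Name 'AutoShareWks' -PropertyType DWord -Value 0 -Force |
    Out-Null

# The value is only read when the Server service starts, so restart it
# (-Force also restarts services that depend on it).
Restart-Service -Name LanmanServer -Force

'After (IPC$ remains; C$, D$ and ADMIN$ should be gone):'
Get-AdminShares | Format-Table -AutoSize

# Rollback, matching the post: delete the value (or set it to 1) and restart again.
#   Remove-ItemProperty -Path $paramKey -Name 'AutoShareWks'
#   Restart-Service -Name LanmanServer -Force
```

Before rolling this out broadly, check which management or backup agents in your environment copy files or run installers over ADMIN$ and C$; those are the “certain applications” the post warns about, and they will fail silently until the value is removed.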

KeePass batch scripting for secure and automatic databases on boot or login using PASSWORD_ENC

KeePass. The venerable KeePass.
You need to use a password manager. Not a Word or Excel document. Not a napkin or Post-it note. A real password manager. I recommend KeePass. You may prefer LastPass or SplashID. Regardless, I reiterate: you need to use a password manager.

Having used KeePass for 8+ years and with hundreds of saved passwords, it is one of my most used applications. Anything that falls under PCI or HIPAA is in a KeePass database.

All that said, KeePass is typically the first program I execute upon logon. If you are following best practices, upon logon, you then have to type a very long password accompanied by a keyfile (optional) to open your KeePass database. I am not going to cover in this post what makes a strong password and what are appropriate password lengths.

You might ask, why not just use Windows user accounts introduced in KeePass 2.x? Two main drawbacks: 1) If your Windows user profile (UID) is corrupt/lost, you cannot access your KeePass database, and 2) if you want to synchronize your database, it cannot use Windows user accounts.

So, how do you securely launch KeePass from the command line without putting your password in the batch file as plaintext?

Based on the excellent post in this superuser thread along with more guidance from this post, you can securely script your KeePass databases. Here is how:

  1. Create a file called “RunMeKeePass.bat”
  2. Right click on the file and choose Edit.
  3. Go into the KeePass database you want to script, and create a new, temporary entry called “RunMeKeePass.bat” (or whatever you called the file in step 1).
  4. Go to the “Auto-Type” tab and hit the “Override default sequence” radio button, and copy/paste “{PASSWORD_ENC}” into the field.
  5. Leaving KeePass open, go back to Notepad where you are editing the empty “RunMeKeePass.bat”. Hit Ctrl+Alt+A to activate the KeePass auto-type feature. Read more here about it if this step does not work or if you changed the default hotkey. Auto-type is one of the best features of KeePass. After hitting Ctrl+Alt+A, KeePass should start spitting out a very long password string. You can read more about {PASSWORD_ENC} here, towards the bottom. In short, this long, generated string is a unique password for your KeePass database that only works under your current username. This is what makes the method secure. You assume you have a secure user session because you, as the user, are scripting it. If someone manages to take this unique password string, it will not work on another PC/user opening the same/original KeePass database. It only opens your KeePass database under your Windows user on this unique PC (UID/SID).
    Save this string.
  6. Now it’s time to script the password string into actually launching KeePass.
    Here is an example .bat file script:

    SET PASSWORD_ENC=<COPY/PASTE THE LONG, AUTO-TYPED PASSWORD STRING>
    SET DATABASE="C:\Path\To\Your\Database1.kdbx"
    START "" "%programfiles(x86)%\KeePass Password Safe 2\KeePass.exe" %DATABASE% -pw-enc:%PASSWORD_ENC%
    echo Opened KeePass DB #1 without a keyfile
    echo KeePass DB #2 WITH a keyfile (its own PASSWORD_ENC string, generated the same way from an entry in DB #2)
    SET PASSWORD_ENC=<AUTO-TYPED PASSWORD STRING FOR DB #2>
    SET DATABASE="C:\Path\To\Your\Database2.kdbx"
    SET KEYFILE="C:\Path\To\Your\Database2.key"
    START "" "%programfiles(x86)%\KeePass Password Safe 2\KeePass.exe" %DATABASE% -keyfile:%KEYFILE% -pw-enc:%PASSWORD_ENC%
    echo Re-opening KeePass DB #1 to bring it in focus
    SET PASSWORD_ENC=<COPY/PASTE THE LONG, AUTO-TYPED PASSWORD STRING>
    SET DATABASE="C:\Path\To\Your\Database1.kdbx"
    START "" "%programfiles(x86)%\KeePass Password Safe 2\KeePass.exe" %DATABASE% -pw-enc:%PASSWORD_ENC%
    REM To generate the pw-enc password string (which is specific to the Windows user's SID), create a "dummy entry" in KeePass.
    REM The paths above are placeholders; point DATABASE and KEYFILE at your own files.
    REM Courtesy of:
    REM and
    REM and

    Basically, replace “<COPY/PASTE THE LONG, AUTO-TYPED PASSWORD STRING>” with the auto-typed password from the earlier step. In Line 2, set the correct location of your KeePass database (.kdbx) file. Line 3 is for 64-bit Windows 7/8/10; for 32-bit versions use %programfiles% instead of %programfiles(x86)%.

    I provided multiple examples. The 2nd example uses a keyfile. Should be self-explanatory.

    You may also wonder why I commented “Re-opening KeePass DB #1 to bring it in focus”. KeePass, when it opens multiple tabs, keeps track of the order in which files were opened. When you have multiple files and you use auto-type with multiple matches, the order in the UI is based on the order of opened files. By “re-opening” the first file, it brings that database tab to the forefront, but it was still opened first, keeping it at the top of the auto-type matches.

  7. The last step is to launch your “RunMeKeePass.bat” file. I chose to use Task Scheduler; Trigger = “At log on” and it calls the .bat file. I unchecked “Start the task only if the computer is on AC power” (since I primarily use this on a Surface Pro 3). Read here if you need additional help in creating the Scheduled Task. The Task Scheduler “triggers” are rather powerful; e.g. if you configured KeePass to automatically lock your database after a certain amount of time, you could add additional triggers for “On workstation unlock” and “On connection to user session” for local and remote computers and open/close KeePass depending on your application.
    Another option is to have a shortcut placed in the “Startup” folder; read more here for details on how to create it.
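The Task Scheduler step from item 7, done with the ScheduledTasks PowerShell module instead of the GUI. This is an added example, not the post's own; the script path and task name are placeholders. The icacls line is an addition the post does not make: the .bat file holds the PASSWORD_ENC string, which anything running as your user can feed to KeePass, so the file should at least not be readable by other accounts on the machine.

```powershell
# Added example, not from the original post. Registers an "At log on" task for
# the current user that runs the batch file. Paths and task name are placeholders.

$batPath  = "$env:USERPROFILE\Scripts\RunMeKeePass.bat"
$taskName = 'RunMeKeePass'

# Run the batch file through cmd.exe; /c closes the console when the script ends.
$action = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c `"$batPath`""

# Trigger: at log on of this user only (not every user on the PC).
$trigger = New-ScheduledTaskTrigger -AtLogOn -User "$env:USERDOMAIN\$env:USERNAME"

# Settings: the equivalent of unchecking "Start the task only if the computer is
# on AC power" in the GUI, plus not killing KeePass when unplugging the laptop.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

# Register under the current user; no elevation or stored credential is needed.
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Settings $settings -Force | Out-Null

# Restrict the batch file to this user (Modify = read, write, execute for the owner).
icacls "$batPath" /inheritance:r /grant:r "$env:USERDOMAIN\$($env:USERNAME):M" | Out-Null

# Verify the task exists and is enabled, and review the ACL that was applied.
Get-ScheduledTask -TaskName $taskName | Select-Object TaskName, State
icacls "$batPath"
```

Run it once from a normal (non-elevated) PowerShell window as the user who generated the PASSWORD_ENC string; the task inherits that identity, which is the only one the string works under.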

Now that you can more easily launch KeePass, you have no excuse not to use it (or something like it). Enjoy. Here is the PASSWORD_ENC man page.

Safely grant only your PowerShell session “bypass” permission; “the file is not digitally signed. You cannot run this script on the current system.”

In short, this is my future quick reference:

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

This sets the execution policy for only this session (process) of PowerShell and does not make the change permanent.

In contrast, do not run:

Set-ExecutionPolicy RemoteSigned

This will set the policy for your LocalMachine, leaving you open to malicious PowerShell scripts in the future. Don’t do it.
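An added example (not from the post) that shows what the one-liner does and does not change, by listing the policy per scope before and after. It also shows two narrower alternatives: a per-invocation bypass for one script, and Unblock-File for the case where the only complaint is a downloaded, unsigned file under RemoteSigned. The script name used is a placeholder.

```powershell
# Added example, not from the original post. Compares the per-scope execution
# policy before and after the Process-scope change.

function Get-PolicyTable {
    # One row per scope; a scope of 'Undefined' falls through to the next one down.
    Get-ExecutionPolicy -List | ForEach-Object {
        [pscustomobject]@{ Scope = $_.Scope; Policy = $_.ExecutionPolicy }
    }
}

'Before (Process is normally Undefined):'
Get-PolicyTable | Format-Table -AutoSize

# Affects only this process; nothing is written to the registry.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force

'After (only the Process row should differ):'
Get-PolicyTable | Format-Table -AutoSize

# The same scope, for one script started in a fresh process such as a scheduled
# task (script name is a placeholder):
#   powershell.exe -ExecutionPolicy Bypass -File .\Export-DistributionGroups.ps1

# Under RemoteSigned, if the error is only that a downloaded script is unsigned,
# clearing its Mark-of-the-Web is narrower than any bypass:
#   Unblock-File .\Export-DistributionGroups.ps1

# Do NOT do this; it changes the LocalMachine scope for every user, persistently:
#   Set-ExecutionPolicy RemoteSigned
```

If a Group Policy sets the MachinePolicy or UserPolicy scope, those rows win over everything below them and the Process-scope change is ignored; the first table tells you whether that is your situation.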

See more here, here, and here if you want more information.

(I most recently used this “bypass” for this excellent Exchange script to export all of our internal Distribution groups with one simple command.)

RDS 2012 Certificates. SSO. A website is trying to run a RemoteApp program.

The goal was to remove this dreaded end-user dialogue box:
A website is trying to run a RemoteApp program. Make sure that you trust the publisher before you connect to run the program.

Simple right? Wrong; especially when I came across many blogs attempting to address RDS certificate issues. This one post gets you 90% there but was not complete. Specifically, see the red section below.

  1. Get a certificate (in my case, a GoDaddy wildcard cert)
  2. Assign the certificate to the RDS roles. Refer to this great post with screen shots.
  3. Extract the certificate thumbprint: run the “Get-ChildItem Cert:\LocalMachine\My” PowerShell command on your RDS server or follow the steps outlined on Morgan Simonsen’s blog. Make sure you properly format the thumbprint: no spaces, all caps.
  4. Create and assign a GPO for the following settings:
    1. Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client > “Specify SHA1 thumbprints of certificates representing trusted .rdp publishers”.
      Under Options, paste the formatted thumbprint.
      (screenshot: Specify SHA1 thumbprints of certificates representing trusted .rdp publishers)
    2. Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client > “Allow .rdp files from valid publishers and user’s default .rdp settings”.
    3. Computer Configuration > Policies > Administrative Templates > System > Credentials Delegation > “Allow Delegating Default Credentials”.
      Enable it and add “TERMSRV/<insert your RDS gateway/server name>” (refer to the example text in the GPO editor).
      (screenshot: Allow Delegating Default Credentials)
    4. Yet after repeated gpupdate /force and a full reset of IE settings, the dialogue warning persisted. Then I stumbled across these two nuggets: here, combined with the 2nd post down here. The “Specify SHA1…” GPO was not adding the proper “PublisherBypassList” keys.
      The solution? Manually adding “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\PublisherBypassList” as a User Configuration GPO registry update.
      (screenshot: PublisherBypassList GPO)
      Notice the key is the thumbprint above with an additional “00” placed at the end.
      (screenshot: PublisherBypassList regedit)
      The easiest way to verify the key is to check “Do not remind me…” on the RDS prompt. It will save the thumbprint for you in the proper format.
  5. For icing on the cake, enable single sign-on; see this excellent blog post or the official MSDN blog post.
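An added example, not from the post, that ties steps 3 and 4.4 together: it reads the RDS certificate thumbprint from the machine store in the format the GPO expects, then checks the current user's PublisherBypassList for the “<thumbprint>00” value name the post describes. The subject pattern is a placeholder for your wildcard certificate. The script only reads the registry and never writes it; deploy the value through the User Configuration GPO as the post does, and use this to confirm the GPO landed.

```powershell
# Added example, not from the original post. Run on a client as the user who
# sees the "A website is trying to run a RemoteApp program" prompt.

# Placeholder: subject of the wildcard certificate assigned to the RDS roles.
$certSubjectPattern = 'CN=\*\.example\.com'

# 1. Pull the thumbprint. Get-ChildItem already returns it with no spaces and
#    all caps; the -replace/ToUpperInvariant guards against a copy-pasted value.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $certSubjectPattern } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate matching $certSubjectPattern in LocalMachine\My" }
$thumbprint = ($cert.Thumbprint -replace '\s', '').ToUpperInvariant()
"Thumbprint for the 'Specify SHA1 thumbprints' GPO: $thumbprint"

# 2. The value name the post observed after ticking "Do not remind me": the
#    thumbprint followed by "00".
$bypassKey  = 'HKCU:\Software\Microsoft\Terminal Server Client\PublisherBypassList'
$bypassName = "${thumbprint}00"

function Test-PublisherBypass {
    param([string]$Key, [string]$ValueName)
    if (-not (Test-Path $Key)) { return $false }
    return ((Get-Item $Key).GetValueNames() -contains $ValueName)
}

if (Test-PublisherBypass $bypassKey $bypassName) {
    "Present: $bypassName. The publisher warning should not appear for this user."
} else {
    "Missing: $bypassName. Tick 'Do not remind me' on the prompt once, then re-run to see what it writes, or check the User Configuration GPO."
}

# 3. Dump whatever is under the key so it can be compared against the GPO item.
if (Test-Path $bypassKey) { Get-ItemProperty -Path $bypassKey | Format-List }
```

After a certificate renewal the thumbprint changes, so both the HKLM policy and the per-user PublisherBypassList entry go stale at the same time; re-running this script on one client is the quickest way to notice that before the help desk does.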

Enjoy. SSO RDS connections with no dialogue boxes or end-user warnings or prompts.

5GHz Wireless Client Bridges & Turning back the clock: Convert a WRT610N v2 to E3000

My Linksys E3000 dual-radio wireless router was finally retired last week for a Netgear Nighthawk R7000. In the early days I ran DD-WRT exclusively, but in the last two years I have split between Tomato (Shibby) and DD-WRT depending on the application (i.e. Tomato as a router, DD-WRT for wireless bridges and repeaters).

E3000 vs. R7000 (table courtesy of WikiDevi).
For a router released in early 2010 (over 5 years old), the E3000 still holds its own. You can overclock it to 532MHz, it has a 2.4GHz and a 5.8GHz radio (simultaneous), it supports both DD-WRT & Tomato, and the throughput is still impressive: ~130Mbps routed on Shibby v130.

As part of designing a campus wireless solution, we searched and searched for a cost-effective way to create per-room/apartment VLANs; e.g. residents and students have a wireless printer, a Roku, an Apple TV, and mobile devices that all need to talk mDNS & UPnP on a “local” network. Typical client-to-client isolation on campus wireless APs makes this difficult. Currently we have older integrated DOCSIS cable modems with wireless routers providing this “local” network (e.g. Motorola SBG901).

So, after many hours with vendors and internal discussions, we made a decision: the best, simplest, easiest option is to create wireless routed bridges. Refer to this DD-WRT wiki page on “Linking Routers“; specifically “Client Bridged“. Not all residents will need this solution; only those with wired desktop(s) and those needing a “local” network for devices.

That solution leads us back to the Linksys E3000. For ~$35 on eBay, with its open-source firmware support and having two radios, it is an ideal candidate to create cost-effective, high performing, wireless routed client bridges. The 5GHz radio in client mode as the WAN connection, connected to our campus wireless dual-band APs. The 2.4GHz radio and LAN switch ports providing a local, routed private network for resident devices (e.g. 192.168.1.X).

Turning back the clock: Convert a WRT610N v2 to E3000

It just so happens that Linksys also made the WRT610N v2 with hardware identical to the E3000. Here are the steps (loosely based on this post):

  1. Flash to DD-WRT from the Linksys web interface: get the WRT610N v2 image “dd-wrt.v24-15962_NEWD-2_K2.6_mini_wrt610nv2.bin”. I am assuming the IP address of the WRT610N v2 is
  2. Download this complete package of WinSCP portable, HxD portable hex editor, PuTTY portable, the latest E3000 firmware, and the latest Shibby VPN (v130) firmware for the E3000. Feel free to compare MD5 hashes before flashing, or download the apps individually: WinSCP portable, HxD hex editor portable (go down the page for the portable version), & PuTTY portable.
  3. Make a copy of the e3000_cfe_V21_COPY_ME_BEFORE_EDITING.bin
  4. Using HxD, open the duplicate copy of e3000_cfe_V21.bin
  5. With the .bin open, hit “Search” on the top menu bar, then “Goto”.
    1. Search for “1E00” and hit “OK”. This will show you the MAC address location. Flip over your WRT610N v2, find the MAC address on the back, and type in the MAC address delimited by colons (:); e.g. 00:00:00:00:00:00. HxD will prompt you if you make a mistake (e.g. “this operation changes the file-size”); DO NOT hit OK. You do not want to change the file size. Hit “Cancel”.
    2. Do the same for the serial number. Search for “3FE30” and fill in the serial number.
    3. And the same for the PIN; search for “3FCDC” and enter the PIN from the back without the dash (-).
  6. Save your newly customized CFE .bin.
  7. Login to DD-WRT, go to the Services tab, and “Enable” the SSHd. Hit “Apply”.
  8. Open WinSCP, “File Protocol”, choose SCP, type in the router address, and hit connect. Browse to “/tmp” (or pick your preferred folder).
  9. Copy over the customized CFE .bin to “/tmp”. Do not reboot.
  10. Using PuTTY, connect to and log in.
  11. Type the following commands and DO NOT reboot:
    cd /tmp
    mtd unlock cfe
    mtd write -f [CFE .bin's filename] cfe
  12. Go to the web interface, “Administration” at the top. Then “Factory Defaults”. Hit “Factory Defaults” and hit “Apply”. The router will reboot.
  13. After the reboot, log in to the web interface and go to “Administration” and then “Firmware Upgrade”.
  14. Flash the OEM factory “FW_E3000_1.0.06.002_US_20140409_code.bin” firmware contained in the .zip file.
  15. Wait. A long time. The router will reboot a couple of times. Then retry logging in to the web interface. You will not be able to log in (NVRAM still contains the encoded DD-WRT password). Get a pen or paperclip, push and hold the reset button for 30 seconds; while holding the reset button, pull the power, count to 5, and plug it back in, all while holding the reset button. Keep holding the reset button for another 30 seconds and finally release. The router will reboot one final time.
  16. You should now be able to login to the OEM firmware with “admin” as the username and “admin” as the password.

Flashing DD-WRT or Tomato Firmware (non-OEM)

  1. Get onto the OEM factory firmware. Follow the prior steps above to get to the factory E3000 firmware from Linksys. Make sure you also clear the NVRAM and be patient while it resets.
  2. Log in to the OEM firmware at; username: admin / password: admin
  3. Go to the “Administration” link at the top.
  4. Then to “Firmware Upgrade”.
  5. (As of 7/5/2016, my preferred firmware choice) For DD-WRT, contrary to a lot of conflicting information, you can flash directly to:

    but you must use a paperclip and clear NVRAM after waiting 5 minutes for the flash to write. NOTE: be patient and wait a full 5 minutes to be safe!

  6. For Tomato, I recommend Shibby v132 (before MultiWAN was introduced):
  7. After flashing either Tomato or DD-WRT, login to the web interface and clear the NVRAM (again). In Tomato, go to “Administration” then “Configuration”, and do a “Thorough” NVRAM erase. In DD-WRT, go to “Administration” then under “Factory Default”, select “Yes” and hit “Apply”.

Wireless Client Bridged: DD-WRT

  1. On the “Setup” tab, set the Time Zone (US/Eastern) and NTP.
    Hit “Save”.
  2. Go to the “Wireless” tab.
    Set the bottom wireless adapter (5GHz) mode to “Client”. Set the Network Name to the wireless network/SSID you want the bridge to connect to, for example “BV”. In a wireless client bridge, think of this as the WAN connection replacing the hard-wired physical WAN port.
    Set the top wireless adapter (2.4GHz) to the local network/SSID, for example “Resident Network”. Choose 20MHz. Pick a channel (do not leave it on auto).
    (screenshot: dd-wrt client bridge wifi setup)
  3. Go to the “Wireless Security” sub-tab (in the “Wireless” tab). Set both to WPA2-Personal, AES (do not use TKIP+AES).
    Wireless Security for the 2.4GHz radio: whatever password you want for the local network.
    Wireless Security for the 5GHz radio: the password for the network you are connecting to as your WAN.
    Hit “Save”.
  4. Go to the “Services” tab.
    Under DNSMasq, disable “No DNS Rebind”. A must!
    Disable the ttraff Daemon (last option; trying to limit the number of NVRAM writes over time).
    Hit “Save”.
  5. Go to the “Security” tab.
    Uncheck all options and disable “SPI Firewall” at the top.
    Hit “Save”.
  6. Go to the “Administration” tab, then the “Management” sub-tab.
    Under Remote Access, set Web GUI Management to “Enable” (choosing NOT to use HTTPS to keep it simple). Port 8080 is the default.
  7. Go to the “Administration” tab, then the “Keep Alive” sub-tab.
    Reboot at least weekly at 2am (keeps the client bridge “fresh”).
    Hit “Save”.
  8. Reboot the router for the changes to apply (or click “Apply”; a full reboot is preferred).
    After the reboot, log in to DD-WRT again and look in the upper right; it should show a WAN IP in the range of the wireless network you are bridging.

Wireless Client Bridged: Tomato

This assumes Tomato; DD-WRT can be a client AND a repeater (which means you can be a 5GHz client and be an AP for 5GHz clients). But in the interest of keeping this simple, the 5GHz radio will be the client, the 2.4GHz radio would be the AP for “local” clients. I also had issues getting “Repeater” or “Repeater Bridge” mode working on DD-WRT (newer builds have issues).

Log into the web interface and go to the “Basic” then “Network”. Refer to the screenshot below.

  1. Type: DHCP assuming the AP you are connecting to assigns IPs
  2. Under “Wireless (2.4 GHz / eth1)” this is the setup of the “local” wireless connection in a private subnet to be routed out of the 5GHz WAN/internet connection.
  3. Under “Wireless (5 GHz / eth2)” set to “Wireless Client”. Enter the exact SSID and password/key used to connect to the existing 5GHz network. Be careful: everything is case sensitive.


In conclusion…

For $20-$35, you have a very fast (upwards of ~130Mbps) routed wireless 2.4GHz repeater with a 5GHz uplink (client) for the WAN/internet. The irony is that it is less than a similarly performing USB dual-band wireless adapter, and it’s much more versatile. Enjoy.