- Gargoyle
- X-WRT
- logfile /var/log/ppp.log
- cat /etc/config/httpd
- cat /etc/config/dropbear
- vim /etc/config/firewall
- vim /etc/firewall.user
- cat /etc/init.d/ipv6tunnel
- !/bin/sh /etc/rc.common
- Information from the "Tunnel Details" page
- Uncomment if you have a /48
- ROUTED_48=Your /48 netblock's gateway address, e.g., 2001b::1
- echo ip6_tables >> /etc/modules.d/20-ipv6
- echo ip6table_filter >> /etc/modules.d/20-ipv6
- --------------------------------------------------
- -- IP6TABLES
- --------------------------------------------------
- Defailt rate limiting
- RLIMIT="-m limit --limit 3/s --limit-burst 8"
- Logging options.
- Unprivileged ports.
- --------------------------------------------------
- Sysctl
- --------------------------------------------------
- --------------------------------------------------
- Default policies.
- --------------------------------------------------
- Drop everything by default.
- Set the nat/mangle/raw tables' chains to ACCEPT
- --------------------------------------------------
- Cleanup.
- --------------------------------------------------
- Delete all
- Delete all
- Zero all packets and counters.
- --------------------------------------------------
- Basic user-defined chains
- --------------------------------------------------
- LOG packets, then ACCEPT.
- $IP6TABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "ACCEPT "
- LOG packets, then DROP.
- $IP6TABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "DROP "
- LOG packets, then REJECT.
- TCP packets are rejected with a TCP reset.
- $IP6TABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "REJECT "
- --------------------------------------------------
- Vulnerabilities
- --------------------------------------------------
- Remove RH0 vulnerability
- https://lists.ubuntu.com/archives/kernel-bugs/2007-June/027320.html
- https://www.sixxs.net/forum/?msg=general-573582
- $IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP
- $IP6TABLES -A OUTPUT -m rt --rt-type 0 -j DROP
- $IP6TABLES -A FORWARD -m rt --rt-type 0 -j DROP
- --------------------------------------------------
- ICMP
- --------------------------------------------------
- Allow IPv6 ICMP
- --------------------------------------------------
- Basic allowed traffic - loopback, outgoing
- --------------------------------------------------
- Allow incoming connections related to existing allowed connections.
- $IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- Allow outgoing connections EXCEPT invalid
- $IP6TABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
- Allow incoming connections related to existing allowed connections.
- $IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
- Allow new outgoing forwarded connections
- $IP6TABLES -A FORWARD -o ${IP6_WAN_IF} -m state --state NEW -j ACCEPT
- $IP6TABLES -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
- $IP6TABLES -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
- --------------------------------------------------
- Drop Invalid traffic
- --------------------------------------------------
- $IP6TABLES -A INPUT -m state --state INVALID -j DROP
- $IP6TABLES -A OUTPUT -m state --state INVALID -j DROP
- $IP6TABLES -A FORWARD -m state --state INVALID -j DROP
- --------------------------------------------------
- Port scans and SYN floods
- --------------------------------------------------
- --------------------------------------------------
- Drop bad IPs
- --------------------------------------------------
- IANA reserved and unallocated
- http://www.iana.org/assignments/ipv6-address-space/
- http://www.iana.org/assignments/ipv6-unicast-address-assignments/
- --------------------------------------------------
- Inbound
- --------------------------------------------------
- Allowed ports
- --------------------------------------------------
- Forward
- --------------------------------------------------
- Allowed ports
- $IP6TABLES -A INPUT -j REJECTLOG
- $IP6TABLES -A OUTPUT -j REJECTLOG
- $IP6TABLES -A FORWARD -j REJECTLOG
- OpenWRT
- !/bin/sh /etc/rc.common
- Copyright (C) 2009 OpenWrt.org
- Linksys
- Replacement
- Log
- 2009-01-21
- 2009-01-25
- 2009-01-27
- 2009-04-02
- 2009-08-18
- 2009-08-19
- 2009-08-20
- 2009-08-21
- 2009-09-??
- 2009-09-08
- 2009-09-12
- 2009-09-16
- 2009-09-18
- 2009-11-24
- 2009-12-10
- 2009-12-12
- 2009-12-13
- 2009-12-14
- 2009-12-15
- 2009-12-16
- 2010-01-03
- 2010-01-19
- 2010-02-26
- 2010-03-02
- 2010-03-03
- 2010-03-04
- 2010-03-16
- 2010-05-04
- 2010-10-27
- 2010-12-16
- 2011-06-06
- 2011-06-14
- 2011-11-09
- 2013
- 2013-10-20
- 2013-10-22
- To Do
Gargoyle
Fix Disk Space
-
https://dev.openwrt.org/changeset/13650
echo "option overlay_root /jffs" >> /etc/opkg.conf
IPv6
- Attempted on Gargoyle (OpenWRT 8.09-beta)
- http://wiki.openwrt.org/IPv6_howto
-
NOTE: opkg has replaced ipkg
opkg update opkg install kmod-ipv6 kmod-ip6tables opkg install radvd ip ip6tables insmod ipv6 # doesn't fucking work!
Insmod ipv6 fails with: > insmod: unresolved symbol tcp_destroy_sock
TFTP Upgrade
- Upgrading OpenWRT via TFTP
- Run tftp
atftp --trace --option "timeout 10" --option "mode octet" --put --local-file openwrt-xxx-x.x-xxx.bin 192.168.1.1
- Power cycle the router
- With boot_wait already configured no need to press reset button
X-WRT
IPv6 take 2
2009-08-20
- Attempted on OpenWRT 8.09 X-WRT
-
https://forum.openwrt.org/viewtopic.php?id=19603
opkg update opkg install ip kmod-ipv6 kmod-ip6tables radvd
Still doesn't fucking work. 2.6 kernel only.
Remove
opkg remove kmod-ipv6tables kmod-ipv6 radvd ip6tables
-
Ha! Fix opkg repos
vi /etc/opkg.conf
cat /etc/opkg.conf
#src/gz snapshots http://downloads.openwrt.org/kamikaze/8.09.1/brcm47xx/packages
src/gz snapshots http://downloads.openwrt.org/kamikaze/8.09.1/brcm-2.4/packages
dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /jffs
#src X-Wrt http://downloads.x-wrt.org/xwrt/kamikaze/8.09.1/brcm47xx/packages
src X-Wrt http://downloads.x-wrt.org/xwrt/kamikaze/8.09/brcm-2.4/packages
Reinstall packages
opkg update
opkg install -force-downgrade ip kmod-ipv6 kmod-ip6tables radvd ip6tables
Configure PPP
- http://nuwiki.openwrt.org/oldwiki/IPv6_howto
-
Activate PPP IPv6 support. Add following lines to /etc/ppp/options :
+ipv6
logfile /var/log/ppp.log
No v6CP response so e-mailed Entanet (ipv6 at enta dot net)
Iodine
-
opkg install kmod-tun iodine
httpd listen address
-
Set httpd port to LAN IP and port
cat /etc/config/httpd
config 'httpd' option 'port' '192.168.1.1:80' option 'home' '/www'
Port Forwarding Lockups
- Stops forwarding ports after a while
Reduce TCP established timeout
-
/proc
echo -n 900 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
-
vim /etc/sysctl.conf
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=900
NTP Time Synchronization
- http://martybugs.net/wireless/openwrt/timesync.cgi
-
Install ntpclient
opkg update opkg install ntpclient
-
Run once
/usr/sbin/ntpclient -c 1 -s -h 0.openwrt.pool.ntp.org
SSH listen address
-
Set SSH port to LAN IP and port
cat /etc/config/dropbear
config dropbear option PasswordAuth 'on' option Port '192.168.1.1:22'
Fix BT iptables forwarding
-
Change live iptables rules
iptables -t nat -nv --list zone_wan_prerouting --line-number iptables -t nat -I zone_wan_prerouting 4 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.1.4 iptables -t nat -I zone_wan_prerouting 5 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.1.4 iptables -t nat -D zone_wan_prerouting 7 # delete old rule iptables -t nat -D zone_wan_prerouting 6 # delete old rule
-
Edit saved rules
- Modified dest_port '6881-6889' to ''
vim /etc/config/firewall
config 'redirect' 'BT' option 'src' 'wan' option 'proto' 'tcpudp' option 'src_ip' '' option 'dest_ip' '192.168.1.4' option 'dest_port' '' option 'src_dport' '6881-6889'
Configure IPv6 tunnel
- Create he.net tunnelbroker account
-
Let he.net ping the router
vim /etc/firewall.user
iptables -A input_wan -p icmp -m icmp --icmp-type echo-request -m limit --limit 10/s -j zone_wan_ACCEPT
Set IPv6 Address in WebIf to 2001:470:1f09:471::1/64
Tunnel Script
- http://blog.silviosilva.com/index.php/2009/03/15/ipv6_tunnelbroker_openwrt/
-
http://www.tunnelbroker.net/forums/index.php?action=printpage;topic=106.0
cat /etc/init.d/ipv6tunnel
!/bin/sh /etc/rc.common
Information from the "Tunnel Details" page
SERVER_v4=216.66.80.26 SERVER_v6=2001:470:1f08:471::1
CLIENT_v4=78.32.119.229 CLIENT_v6=2001:470:1f08:471::2
Uncomment if you have a /48
ROUTED_48=Your /48 netblock's gateway address, e.g., 2001b::1
ROUTED_64=2001:470:1f09:471::1
START=50
start() { echo "Starting he.net IPv6 tunnel: " ip tunnel add henet mode sit remote $SERVER_v4 local $CLIENT_v4 ttl 255 ip link set henet up
ip -6 addr add $CLIENT_v6/64 dev henet ip -6 ro add default via $SERVER_v6 dev henet # Set by WebIf #ip -6 addr add $ROUTED_64/64 dev br-lan # Uncomment if you have a /48 #ip -6 addr add $ROUTED_48/48 dev br-lan ip -f inet6 addr echo "Done."
} stop() { echo -n "Stopping he.net IPv6 tunnel: " ip link set henet down ip tunnel del henet
# Set by WebIf #ip -6 addr delete $ROUTED_64/64 dev br-lan # Uncomment if you have a /48 #ip -6 addr delete $ROUTED_48/48 dev br-lan echo "Done."
} restart() { stop start }
radvd
# cat /etc/config/radvd
config interface
option interface 'lan'
option AdvSendAdvert 1
option AdvManagedFlag 0
option AdvOtherConfigFlag 0
option ignore 0
config prefix
option interface 'lan'
# If not specified, a non-link-local prefix of the interface is used
option prefix '2001:db8:feed:b00::/64'
option AdvOnLink 1
option AdvAutonomous 1
option AdvRouterAddr 0
option ignore 0
config rdnss
option interface 'lan'
# If not specified, the link-local address of the interface is used
option addr ''
option ignore 1
Enable WebIf services
- Enable ipv6tunnel, radvd
Official OpenWRT IPv6 howto
ip6tables
- http://ipv6.debian.net/
-
Add to /etc/modules.d
echo ip6_tables >> /etc/modules.d/20-ipv6
echo ip6table_filter >> /etc/modules.d/20-ipv6
Adapt ip6-stateless script
- network/Firewall/router.fw.sh
-
cat >> firewall.user
--------------------------------------------------
-- IP6TABLES
--------------------------------------------------
PORTS_IN_TCP_ALLOW="" PORTS_IN_UDP_ALLOW="" PORTS_FWD_TCP_ALLOW="22" PORTS_FWD_UDP_ALLOW=""
IPTABLES="/usr/sbin/iptables" IP6TABLES="/usr/sbin/ip6tables"
IP6_WAN_IF=henet
Defailt rate limiting
RLIMIT="-m limit --limit 3/s --limit-burst 8"
RLIMIT=""
Logging options.
LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options" LOG="$LOG --log-ip-options"
Unprivileged ports.
PHIGH="1024:65535" PSSH="1000:1023"
--------------------------------------------------
Sysctl
--------------------------------------------------
echo "1" > /proc/sys/net/ipv6/conf/all/forwarding
--------------------------------------------------
Default policies.
--------------------------------------------------
Drop everything by default.
$IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP $IP6TABLES -P OUTPUT DROP
Set the nat/mangle/raw tables' chains to ACCEPT
$IP6TABLES -t mangle -P PREROUTING ACCEPT $IP6TABLES -t mangle -P INPUT ACCEPT $IP6TABLES -t mangle -P FORWARD ACCEPT $IP6TABLES -t mangle -P OUTPUT ACCEPT $IP6TABLES -t mangle -P POSTROUTING ACCEPT
--------------------------------------------------
Cleanup.
--------------------------------------------------
Delete all
$IP6TABLES -F $IP6TABLES -t mangle -F
Delete all
$IP6TABLES -X $IP6TABLES -t mangle -X
Zero all packets and counters.
$IP6TABLES -Z $IP6TABLES -t mangle -Z
--------------------------------------------------
Basic user-defined chains
--------------------------------------------------
LOG packets, then ACCEPT.
$IP6TABLES -N ACCEPTLOG
$IP6TABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "ACCEPT "
$IP6TABLES -A ACCEPTLOG -j ACCEPT
LOG packets, then DROP.
$IP6TABLES -N DROPLOG
$IP6TABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "DROP "
$IP6TABLES -A DROPLOG -j DROP
LOG packets, then REJECT.
TCP packets are rejected with a TCP reset.
$IP6TABLES -N REJECTLOG
$IP6TABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "REJECT "
$IP6TABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset $IP6TABLES -A REJECTLOG -j REJECT
--------------------------------------------------
Vulnerabilities
--------------------------------------------------
Remove RH0 vulnerability
https://lists.ubuntu.com/archives/kernel-bugs/2007-June/027320.html
https://www.sixxs.net/forum/?msg=general-573582
$IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP
$IP6TABLES -A OUTPUT -m rt --rt-type 0 -j DROP
$IP6TABLES -A FORWARD -m rt --rt-type 0 -j DROP
--------------------------------------------------
ICMP
--------------------------------------------------
Allow IPv6 ICMP
$IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT $IP6TABLES -A OUTPUT -p ipv6-icmp -j ACCEPT $IP6TABLES -A FORWARD -p ipv6-icmp -j ACCEPT
--------------------------------------------------
Basic allowed traffic - loopback, outgoing
--------------------------------------------------
$IP6TABLES -A INPUT -i lo -j ACCEPT $IP6TABLES -A OUTPUT -o lo -j ACCEPT
Allow incoming connections related to existing allowed connections.
$IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A INPUT -p tcp ! --syn -j ACCEPT
Allow outgoing connections EXCEPT invalid
$IP6TABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A OUTPUT -j ACCEPT
Allow incoming connections related to existing allowed connections.
$IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A FORWARD -p tcp ! --syn -j ACCEPT
Allow new outgoing forwarded connections
$IP6TABLES -A FORWARD -o ${IP6_WAN_IF} -m state --state NEW -j ACCEPT
$IP6TABLES -A FORWARD -o ${IP6_WAN_IF} -j ACCEPT
--------------------------------------------------
Drop MS ports - SMB, CIFS, etc
--------------------------------------------------
$IP6TABLES -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
$IP6TABLES -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
--------------------------------------------------
Drop Invalid traffic
--------------------------------------------------
$IP6TABLES -A INPUT -m state --state INVALID -j DROP
$IP6TABLES -A OUTPUT -m state --state INVALID -j DROP
$IP6TABLES -A FORWARD -m state --state INVALID -j DROP
--------------------------------------------------
Port scans and SYN floods
--------------------------------------------------
$IP6TABLES -N SYN_FLOOD
$IP6TABLES -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN $IP6TABLES -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j LOG --log-prefix SYN-DROP: $IP6TABLES -A SYN_FLOOD -j DROP
$IP6TABLES -A INPUT -p tcp --syn -j SYN_FLOOD $IP6TABLES -A FORWARD -i ${IP6_WAN_IF} -p tcp --syn -j SYN_FLOOD
--------------------------------------------------
Drop bad IPs
--------------------------------------------------
Block lists
$IP6TABLES -A INPUT -s INSERT-BAD-IP-HERE -j DROPLOG
$IP6TABLES -A FORWARD -s INSERT-BAD-IP-HERE -j DROPLOG
IANA reserved and unallocated
http://www.iana.org/assignments/ipv6-address-space/
http://www.iana.org/assignments/ipv6-unicast-address-assignments/
--------------------------------------------------
--------------------------------------------------
Inbound
--------------------------------------------------
Allowed ports
for PORT in ${PORTS_IN_TCP_ALLOW} ; do #${IP6TABLES} -A INPUT -m state --state NEW -p tcp --dport ${PORT} -j ACCEPT ${IP6TABLES} -A INPUT -p tcp --syn --dport ${PORT} -j ACCEPT done
for PORT in ${PORTS_IN_UDP_ALLOW} ; do #${IP6TABLES} -A INPUT -m state --state NEW -p udp --dport ${PORT} -j ACCEPT ${IP6TABLES} -A INPUT -p udp --dport ${PORT} -j ACCEPT done
--------------------------------------------------
Forward
--------------------------------------------------
Allowed ports
for PORT in ${PORTS_FWD_TCP_ALLOW} ; do #${IP6TABLES} -A FORWARD -i ${IP6_WAN_IF} -m state --state NEW -p tcp --dport ${PORT} -j ACCEPT ${IP6TABLES} -A FORWARD -i ${IP6_WAN_IF} -p tcp --syn --dport ${PORT} -j ACCEPT done
for PORT in ${PORTS_FWD_UDP_ALLOW} ; do #${IP6TABLES} -A FORWARD -i ${IP6_WAN_IF} -m state --state NEW -p udp --dport ${PORT} -j ACCEPT ${IP6TABLES} -A FORWARD -i ${IP6_WAN_IF} -p udp --dport ${PORT} -j ACCEPT done
--------------------------------------------------
Reject the rest
--------------------------------------------------
$IP6TABLES -A INPUT -j REJECTLOG
$IP6TABLES -A OUTPUT -j REJECTLOG
$IP6TABLES -A FORWARD -j REJECTLOG
<<EOF
Allow IPv6-in-IPv4 through iptables
$IPTABLES -A input_wan -p ipv6 -j zone_wan_ACCEPT
Public Wifi
nodogsplash
wget http://kokoro.ucsd.edu/nodogsplash/latest.ipk
Network Configuration
config 'interface' 'public'
option 'proto' 'static'
option 'type' 'bridge'
option 'macaddr' ''
option 'ipaddr' '172.16.0.1'
option 'ip6addr' '2001:470:903c:ac10::1/64'
option 'netmask' '255.255.255.0'
option 'gateway' ''
option 'ip6gw' ''
option 'dns' ' 195.74.113.58 195.74.113.62'
Wireless Configuration
config 'wifi-iface'
option 'device' 'wl0'
option 'network' 'public'
option 'mode' 'ap'
option 'hidden' '0'
option 'encryption' 'none'
option 'network' 'public'
option 'ssid' '30 Rustat Public'
option 'bssid' ''
option 'server' ''
option 'port' ''
option 'isolate' '0'
option 'txpower' ''
option 'bgscan' '0'
option 'frag' ''
option 'rts' ''
option 'wds' '0'
option 'key1' ''
option 'key2' ''
option 'key3' ''
option 'key4' ''
option '80211h' ''
option 'compression' ''
option 'bursting' ''
option 'ff' ''
option 'wmm' ''
option 'xr' ''
option 'ar' ''
option 'turbo' ''
option 'macpolicy' 'none'
option 'maclist' ''
Firewall
config 'zone'
option 'name' 'public'
option 'input' 'REJECT'
option 'output' 'ACCEPT'
option 'forward' 'REJECT'
option 'masq' '1'
config 'forwarding'
option 'src' 'public'
option 'dest' 'wan'
option 'mtu_fix' '1'
DHCP
config 'dhcp' 'public'
option 'interface' 'public'
option 'start' '100'
option 'limit' '150'
option 'leasetime' '720m'
option 'ignore' '0'
radvd
# cat /etc/config/radvd
config interface
option interface 'public'
option AdvSendAdvert 1
option AdvManagedFlag 0
option AdvOtherConfigFlag 0
option ignore 0
config prefix
option interface 'public'
# If not specified, a non-link-local prefix of the interface is used
option prefix '2001:470:903c:ac10::/64'
option AdvOnLink 1
option AdvAutonomous 1
option AdvRouterAddr 0
option ignore 0
config rdnss
option interface 'lan'
# If not specified, the link-local address of the interface is used
option addr ''
option ignore 1
Recovery
2009-12-16
- Borked router deleting stuff from /jffs
Reboot to Failsafe
- Power cycle
- When DMZ light comes on press and hold Reset button until DMZ light flashes (~3Hz) telnet 192.168.1.1 > firstboot > reboot
QoS
opkg update
opkg install qos-scripts
Nodogsplash
opkg update
opkg install nodogsplash
- http://nuwiki.openwrt.org/oldwiki/hotspothowto#configure.nodogsplash
- Abandon for now. Too buggy.
SSH access
- dropbear
- authorized keys
Reconfigure
From host scp etc/config/* router:/etc/config/ scp etc/firewall.user router:/etc/
-
OpenDNS configuration cat >> /etc/resolv.conf.opendns nameserver 208.67.222.222 nameserver 208.67.220.220 EOF
- And replace DNS entries in /etc/config/network with these
- ppp cat >> /etc/ppp/options +ipv6 #logfile /var/log/ppp.log EOF
Reinstall
opkg update
opkg install kmod-ipv6 kmod-ip6tables
opkg install radvd ip6tables 6scripts
opkg install qos-scripts nptclient
opkg install nodogsplash
Services
/usr/sbin/ntpclient -c 1 -s -h 0.openwrt.pool.ntp.org
/etc/init.d/radvd start
/etc/init.d/firewall restart
Status
root@router:~# df /dev/mtdblock/4
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/mtdblock/4 1792 1192 600 67% /jffs
OpenWRT
Upgrade
- Upgrade to OpenWrt 8.09.2
- ipv6 broken on x-wrt as it was on Gargoyle
Backup config
scp -r router:/etc ./
ssh router 'opkg list_installed' > installed_packages
Download
- http://downloads.openwrt.org/kamikaze/8.09.2/brcm-2.4/openwrt-brcm-2.4-squashfs.trx
- http://downloads.openwrt.org/kamikaze/8.09.2/brcm-2.4/openwrt-wrt54g-squashfs.bin
Upgrade
- Via web interface with .trx
Reinstall
opkg install kmod-ipv6 ip ip6tables kmod-ip6tables qos-scripts 6scripts radvd ntpclient
Reconfigure
scp etc/config/* router:/etc/config/
scp etc/firewall.user router:/etc/
scp etc/hosts router:/etc/hosts.local
scp etc/dropbear/authorized_keys etc/dropbear/
Fix dnsmasq, was using /etc/resolv.conf.opendns sed -i -e 's%/etc/resolv.conf.opendns%/tmp/resolv.conf.auto%' /etc/config/dhcp
Fix ppp ipv6 cat >> /etc/ppp/options +ipv6 #logfile /var/log/ppp.log EOF
SNMP
Install
- http://members.aon.at/linuxfreak/linux/mini_snmpd.html opkg install mini-snmpd
Configure
/etc/config/mini_snmpd
-
config mini_snmpd option enabled 1
option community public
option location ''
option contact ''
option disks '/tmp,/jffs'
option interfaces 'ppp0,br-lan,br-public' # Max 4
/etc/init.d/mini_snmpd
-
http://wlan-lj.net/browser/branches/openwrt/packages/net/mini_snmpd/files/mini_snmpd.init?order=date
!/bin/sh /etc/rc.common
Copyright (C) 2009 OpenWrt.org
NAME=mini_snmpd PROG=/sbin/$NAME START=50
append_string() { local section="$1" local option="$2" local value="$3" local _val config_get _val "$section" "$option" [ -n "$_val" ] && append args "$3 $_val" }
mini_snmpd_config() { local cfg="$1" args=""
append_string "$cfg" community "-c" append_string "$cfg" location "-L" append_string "$cfg" contact "-C" append_string "$cfg" disks "-d" append_string "$cfg" interfaces "-i" config_get_bool enabled "$cfg" "enabled" '1'c [ "$enabled" -gt 0 ] && $PROG $args &
}
start() { config_load mini_snmpd config_foreach mini_snmpd_config mini_snmpd }
stop() { killall mini_snmpd }
Make executable chmod a+x /etc/init.d/mini_snmpd
Run
mini_snmpd -i ppp0
Upgrade to 10.03
- http://backfire.openwrt.org/10.03/brcm-2.4/openwrt-brcm-2.4-squashfs.trx
- http://backfire.openwrt.org/10.03/brcm-2.4/openwrt-wrt54g-squashfs.bin
- Upgraded via web interface with .bin
Config Changes from Kamikaze
- /etc/config/httpd replaced with /etc/config/uhttpd
- Delegated block in /etc/config/6tunnel
- 6tunnel.init script fix https://dev.openwrt.org/ticket/7203
- add services to init: 6tunnel, radvd, mini_snmpd
Geolocation Tunneling
SSH
# opkg install tinyproxy autossh
- Set for transparent proxying
- http://open-wrt.ru/forum/viewtopic.php?id=2069
VPN
UPNP
# opkg install miniupnpd
cat /etc/config/upnp
config upnpd config
option enabled 1
option secure_mode 1
option log_output 1
option download 1024
option upload 512
option external_iface wan
option internal_iface lan
Native IPv6
- Divide Entanet allocated /56 into three subnets
- 2001:4d48:ad51:xxx0::/64 for edge
- 2001:4d48:ad51:xxx1::/64 for lan
- 2001:4d48:ad51:xxx2::/64 for public
Multihoming
NOTE: native ipv6 only works alongside tunnelled ipv6 if multihoming is supported.
Adding native IPv6 didn't work initially because hosts were using their first assigned (tunnelled) ipv6 address and replies couldn't be routed back via native ipv6
Network
/etc/config/network config 'interface' 'wan' ... option 'ipv6' '1' option 'ip6addr' '2001:4d48:ad51:xxx0::1/64' # not necessary ... config 'interface' 'lan' ... option 'ip6addr' '2001:4d48:ad51:xxx1::1/64' ... config 'interface' 'public' ... option 'ip6addr' '2001:4d48:ad51:xxx2::1/64'
ip6addr option doesn't work for pppoe - can be added manually ip addr add 2001:4d48:ad51:xxx0::1/64 dev ppp0
Router Advertisements
-
Add /64 adverts to /etc/config/radvd config prefix # Native Entanet prefix option interface 'lan' option prefix '2001:4d48:ad51:xxx1::/64' option AdvOnLink 1 option AdvAutonomous 1 option AdvRouterAddr 0 option ignore 0
config prefix # Native Entanet prefix option interface 'public' option prefix '2001:4d48:ad51:xxx2::/64' option AdvOnLink 1 option AdvAutonomous 1 option AdvRouterAddr 0 option ignore 0
Firewall
- /etc/firewall.user
- Adapt script to support multiple ipv6 endpoints (henet and ppp0)
Disable 6tunnel service
rm /etc/rc.d/S46_6tunnel
AAISP IPv6
Divide AAISP allocated /48
- 2001:8b0:16b9:xxxx::/60 for location 1
- 2001:8b0:16b9:xxx1::/64 for lan
- 2001:8b0:16b9:xxx8::/64 for public
Upgrade to 12.09
Does not support WRT54GL. Recommended version is 10.03.
Remote Logging
Recent watchdog resets (probably from rtorrent's ~700 connections). Uptime in the range of minutes.
- http://wiki.openwrt.org/doc/uci/system
- https://forum.openwrt.org/viewtopic.php?id=11912
- http://www.rsyslog.com/receiving-messages-from-a-remote-system/
- http://www.rsyslog.com/sending-messages-to-a-remote-syslog-server/
Log server
Accept logging on Hastur:
Enable imudp plugin /etc/rsyslog.conf
# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
Log remote messages from router to a file /etc/rsyslog.d/router.conf
## Match router hostname
:source, isequal, "router" /var/log/phase1/router.log
& ~
Configure rsyslogd
OpenWRT
Set log_ip and log_port. Default port is 514
/etc/config/system
option 'log_ip' '192.168.0.4'
option 'log_port' '514'
Linksys
-
tftp 192.168.1.1
tftp> binary tftp> rexmt 1 tftp> timeout 60 tftp> trace tftp> put WRT54GL_v4.30.11_012_ETSI_EN_code.bin
Replacement
Replaced by WDR-3600, see Mobile Router
Log
2009-01-21
Turned on QoS. Prioritized www and ssh over bittorrent
2009-01-25
Installed DD-WRT.
2009-01-27
Installed OpenWRT
Configure IPv6
2009-04-02
Fix OpenDNS configuration http://forum.openwrt.org/viewtopic.php?id=12408
cat >> /etc/resolv.conf.opendns
nameserver 208.67.222.222
nameserver 208.67.220.220
EOF
vi /etc/config/dhcp
...
config dnsmasq
....
option resolvfile '/etc/resolv.conf.opendns'
2009-08-18
- Replaced Gargoyle with x-wrt OpenWRT 8.09
- Web interface upgrade didn't work so flashed via TFTP
- Configured WAN in pppoe mode, no bridge
- Configured LAN, bridge mode (for wireless)
- Set LAN DNS servers to OpenDNS
2009-08-19
- Configured wireless
- Configured port forwarding
- Set PPPoE MTU to 1472
2009-08-20
- IPv6
- Force kernel downgrade
2009-08-21
- Testing iodine
2009-09-??
- Set httpd to listen on LAN only
2009-09-08
- Port forwarding lockups
- Reduced TCP conntrack timeout to 900 seconds
-
Adjusted bittorrent forwarding rule
iptables -t nat -nv --list zone_wan_prerouting --line-number iptables -t nat -I zone_wan_prerouting 4 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.1.4 iptables -t nat -I zone_wan_prerouting 5 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.1.4 iptables -t nat -D zone_wan_prerouting 7 # delete old rule iptables -t nat -D zone_wan_prerouting 6 # delete old rule
Time synchronization
- Dropbear SSH on LAN only
2009-09-12
- Switch wireless to channel 6, distance to 18m
- Configure he.net tunnel
2009-09-16
- Initial ip6tables config
2009-09-18
-
Fix ip6tables tunnel and synflood
$IPTABLES -A input_wan -p ipv6 -j zone_wan_ACCEPT $IP6TABLES -A FORWARD -i ${IP6_WAN_IF} -p tcp --syn -j SYN_FLOOD
2009-11-24
- Upgrade packages - Fails due to lack of disk space
- Fix IPv6
- Upgrade deleted firewall.user
2009-12-10
- Removed iodined
- Started public wifi configuration
2009-12-12
- Public wifi configuration
2009-12-13
- install 6scripts
- fix misconfigured public wifi
2009-12-14
- Block INPUT from public network by default
2009-12-15
- configured public wifi
- firewall rules for br-public
2009-12-16
- opkg remove ip (freespace 288k)
- opkg install qos-scripts
- Nope. Still not enough space
- remove /etc/init.d/6bridge /etc/config/6bridge
-
Remove unused ip6tables modules root@router:/jffs# df /dev/mtdblock/4
Filesystem 1k-blocks Used Available Use% Mounted on /dev/mtdblock/4 1792 1512 280 84% /jffsroot@router:/jffs/lib/modules/2.4.35.4# lsmod | grep ip6 ip6t_LOG 4556 1 ip6t_IMQ 684 0 (unused) ip6t_owner 1020 0 (unused) ip6t_limit 892 2 ip6t_frag 924 0 (unused) ip6t_eui64 684 0 (unused) ip6table_mangle 2284 0 (unused) ip6table_filter 1740 1 ip6_tables 17440 8 [ip6t_LOG ip6t_IMQ ip6t_owner ip6t_limit ip6t_frag ip6t_eui64 ip6table_mangle ip6table_filter] root@router:/jffs/lib/modules/2.4.35.4# rmmod ip6t_owner ip6t_frag ip6t_eui64 root@router:/jffs/lib/modules/2.4.35.4# rm ip6t_owner.o ip6t_frag.o ip6t_eui64.o root@router:/jffs/lib/modules/2.4.35.4# df /dev/mtdblock/4 root@router:/# vim /etc/modules.d/49-ip6tables Filesystem 1k-blocks Used Available Use% Mounted on /dev/mtdblock/4 1792 1508 284 84% /jffs
Borked router - reset required
2010-01-03
-
Suspicious rules found in iptables Chain zone_wan (1 references) pkts bytes target prot opt in out source destination
60899 4775K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0- Rules accepted all traffic. DNS was externally visible.
- Rules removed
-
Fixed IPv6 ip -6 addr add 2001:470:903c:c0a8::1/64 dev br-lan ip -6 addr add 2001:470:903c:ac10::1/64 dev br-public
- Broken by missing addresses on router br-lan and br-public interfaces
- Should br-lan and br-public also get autoconfigured by radvd?
2010-01-19
- Give Michelle a static IP 172.16.0.100
- NAT GRE iptables -t nat -A zone_wan_prerouting -p gre -j DNAT --to-destination 172.16.0.100
2010-02-26
- Switch br-lan back to 192.168.1.0/24
- Rename "30 Rustat Public" to "SavePublicWifi.org"
2010-03-02
- Set wl0 txpower to 25dBm
iwconfig wl0 txpower 25dBm
2010-03-03
- Upgrade to OpenWrt-8.09.2
- Fix configuration of dnsmasq (used to have /etc/resolv.conf.opendns)
2010-03-04
- Install mini-snmpd
2010-03-16
- Reverted to Linksys firmware
2010-05-04
- OpenWrt 10.03
- Got snmp and ipv6 working again
2010-10-27
- Installed miniupnpd
2010-12-16
- Reenabled ppp ipv6 following Proto 41 Filtering
2011-06-06
- Configure native IPv6
- Enable ipv6 on PPP link through Luci (AdministrationInterfaces)
2011-06-14
- Change remove host address from bridged interfaces. (Replaced :1 with ::)
- Restarted wan to fix ipv6 routing issue # ifdown wan ; sleep 3 ; ifup wan
2011-11-09
- Move to AAISP
- IPv6 routing failure fixed by restarting radvd
2013
- On hiatus while at #25.
- 192.168.0.13 DHCP must be reserved for Pivos Xios
2013-10-20
- Investigate and abandon upgrade to OpenWrt-12.09 "attitude adjustment"
- Create git repo for settings
2013-10-22
- Configure for PPTP-to-PPPoA with Sky
To Do
QoS
OpenWrt 12.03 Attitude Adjustment
Nodogplash
- Add nodogsplash, need to free space first
IPv6 UDP broken
- UDP responses aren't passed in by stateless firewall
- Breaks DNS over IPv6
Public Wifi
- Route SavePublicWifi.org through tor
- http://hardy.dropbear.id.au/blog/2008/02/hosting-multiple-wireless-networks-on-openwrt
- http://kokoro.ucsd.edu/nodogsplash/
- Needs a reflash upgrade
- http://p3f.gmxhome.de/OpenWRT/Configure-OpenVPN.html
- vim: set syntax=pmwiki: