Gargoyle

Fix Disk Space

IPv6

  • Attempted on Gargoyle (OpenWRT 8.09-beta)
  • http://wiki.openwrt.org/IPv6_howto
  • NOTE: opkg has replaced ipkg

    opkg update
    opkg install kmod-ipv6 kmod-ip6tables
    opkg install radvd ip ip6tables
    insmod ipv6 # doesn't fucking work!

  • insmod ipv6 fails with:

    insmod: unresolved symbol tcp_destroy_sock

TFTP Upgrade

  • Upgrading OpenWRT via TFTP
  • Run tftp

atftp --trace --option "timeout 10" --option "mode octet" --put --local-file openwrt-xxx-x.x-xxx.bin 192.168.1.1

  • Power cycle the router
  • With boot_wait already configured no need to press reset button

X-WRT

IPv6 take 2

2009-08-20

Remove

opkg remove kmod-ipv6tables kmod-ipv6 radvd ip6tables

Reinstall packages

opkg update
opkg install -force-downgrade ip kmod-ipv6 kmod-ip6tables radvd ip6tables

Configure PPP

Iodine

  • opkg install kmod-tun iodine

httpd listen address

  • Set httpd port to LAN IP and port

    cat /etc/config/httpd

    config 'httpd'
        option 'port' '192.168.1.1:80'
        option 'home' '/www'

Port Forwarding Lockups

  • Stops forwarding ports after a while

Reduce TCP established timeout

  • /proc

    echo -n 900 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established

  • vim /etc/sysctl.conf

    net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=900

NTP Time Synchronization

SSH listen address

  • Set SSH port to LAN IP and port

    cat /etc/config/dropbear

    config dropbear
        option PasswordAuth 'on'
        option Port '192.168.1.1:22'

Fix BT iptables forwarding

  • Change live iptables rules

    iptables -t nat -nv --list zone_wan_prerouting --line-number
    iptables -t nat -I zone_wan_prerouting 4 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.1.4
    iptables -t nat -I zone_wan_prerouting 5 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.1.4
    iptables -t nat -D zone_wan_prerouting 7 # delete old rule
    iptables -t nat -D zone_wan_prerouting 6 # delete old rule

  • Edit saved rules

    • Modified dest_port '6881-6889' to ''

    vim /etc/config/firewall

    config 'redirect' 'BT'
        option 'src' 'wan'
        option 'proto' 'tcpudp'
        option 'src_ip' ''
        option 'dest_ip' '192.168.1.4'
        option 'dest_port' ''
        option 'src_dport' '6881-6889'

Configure IPv6 tunnel

  • Create he.net tunnelbroker account
  • Let he.net ping the router

    vim /etc/firewall.user

    iptables -A input_wan -p icmp -m icmp --icmp-type echo-request -m limit --limit 10/s -j zone_wan_ACCEPT

  • Set IPv6 Address in WebIf to 2001:470:1f09:471::1/64

Tunnel Script

  • http://blog.silviosilva.com/index.php/2009/03/15/ipv6_tunnelbroker_openwrt/
  • http://www.tunnelbroker.net/forums/index.php?action=printpage;topic=106.0

    cat /etc/init.d/ipv6tunnel

    #!/bin/sh /etc/rc.common
    # Information from the "Tunnel Details" page
    SERVER_v4=216.66.80.26
    SERVER_v6=2001:470:1f08:471::1
    CLIENT_v4=78.32.119.229
    CLIENT_v6=2001:470:1f08:471::2
    # Uncomment if you have a /48
    #ROUTED_48=Your /48 netblock's gateway address, e.g., 2001ab::1
    ROUTED_64=2001:470:1f09:471::1

    START=50

    start() {
        echo "Starting he.net IPv6 tunnel: "
        ip tunnel add henet mode sit remote $SERVER_v4 local $CLIENT_v4 ttl 255
        ip link set henet up
        ip -6 addr add $CLIENT_v6/64 dev henet
        ip -6 ro add default via $SERVER_v6 dev henet

        # Set by WebIf
        #ip -6 addr add $ROUTED_64/64 dev br-lan
        # Uncomment if you have a /48
        #ip -6 addr add $ROUTED_48/48 dev br-lan
        ip -f inet6 addr

        echo "Done."
    }

    stop() {
        echo -n "Stopping he.net IPv6 tunnel: "
        ip link set henet down
        ip tunnel del henet

        # Set by WebIf
        #ip -6 addr delete $ROUTED_64/64 dev br-lan
        # Uncomment if you have a /48
        #ip -6 addr delete $ROUTED_48/48 dev br-lan

        echo "Done."
    }

    restart() {
        stop
        start
    }

radvd

# cat /etc/config/radvd
config interface
        option interface        'lan'
        option AdvSendAdvert    1
        option AdvManagedFlag   0
        option AdvOtherConfigFlag 0
        option ignore           0

config prefix
        option interface        'lan'
        # If not specified, a non-link-local prefix of the interface is used
        option prefix           '2001:db8:feed:b00::/64'
        option AdvOnLink        1
        option AdvAutonomous    1
        option AdvRouterAddr    0
        option ignore           0

config rdnss
        option interface        'lan'
        # If not specified, the link-local address of the interface is used
        option addr             ''
        option ignore           1

Enable WebIf services

  • Enable ipv6tunnel, radvd

Official OpenWRT IPv6 howto

ip6tables

  • http://ipv6.debian.net/
  • Add to /etc/modules.d

    echo ip6_tables >> /etc/modules.d/20-ipv6

    echo ip6table_filter >> /etc/modules.d/20-ipv6

  • Adapt ip6-stateless script

  • network/Firewall/router.fw.sh
  • cat >> firewall.user <<'EOF'

    # --------------------------------------------------
    # -- IP6TABLES
    # --------------------------------------------------
    PORTS_IN_TCP_ALLOW=""
    PORTS_IN_UDP_ALLOW=""
    PORTS_FWD_TCP_ALLOW="22"
    PORTS_FWD_UDP_ALLOW=""

    IPTABLES="/usr/sbin/iptables"
    IP6TABLES="/usr/sbin/ip6tables"

    IP6_WAN_IF=henet

    # Default rate limiting
    RLIMIT="-m limit --limit 3/s --limit-burst 8"
    RLIMIT=""

    # Logging options.
    LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
    LOG="$LOG --log-ip-options"

    # Unprivileged ports.
    PHIGH="1024:65535"
    PSSH="1000:1023"

    # --------------------------------------------------
    # Sysctl
    # --------------------------------------------------
    echo "1" > /proc/sys/net/ipv6/conf/all/forwarding

    # --------------------------------------------------
    # Default policies.
    # --------------------------------------------------
    # Drop everything by default.
    $IP6TABLES -P INPUT DROP
    $IP6TABLES -P FORWARD DROP
    $IP6TABLES -P OUTPUT DROP

    # Set the nat/mangle/raw tables' chains to ACCEPT
    $IP6TABLES -t mangle -P PREROUTING ACCEPT
    $IP6TABLES -t mangle -P INPUT ACCEPT
    $IP6TABLES -t mangle -P FORWARD ACCEPT
    $IP6TABLES -t mangle -P OUTPUT ACCEPT
    $IP6TABLES -t mangle -P POSTROUTING ACCEPT

    # --------------------------------------------------
    # Cleanup.
    # --------------------------------------------------
    # Delete all
    $IP6TABLES -F
    $IP6TABLES -t mangle -F
    # Delete all
    $IP6TABLES -X
    $IP6TABLES -t mangle -X
    # Zero all packets and counters.
    $IP6TABLES -Z
    $IP6TABLES -t mangle -Z

    # --------------------------------------------------
    # Basic user-defined chains
    # --------------------------------------------------
    # LOG packets, then ACCEPT.
    $IP6TABLES -N ACCEPTLOG
    $IP6TABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "ACCEPT "
    $IP6TABLES -A ACCEPTLOG -j ACCEPT

    # LOG packets, then DROP.
    $IP6TABLES -N DROPLOG
    $IP6TABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "DROP "
    $IP6TABLES -A DROPLOG -j DROP

    # LOG packets, then REJECT.
    # TCP packets are rejected with a TCP reset.
    $IP6TABLES -N REJECTLOG
    $IP6TABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "REJECT "
    $IP6TABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
    $IP6TABLES -A REJECTLOG -j REJECT

    # --------------------------------------------------
    # Vulnerabilities
    # --------------------------------------------------
    # Remove RH0 vulnerability
    # https://lists.ubuntu.com/archives/kernel-bugs/2007-June/027320.html
    # https://www.sixxs.net/forum/?msg=general-573582
    $IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP
    $IP6TABLES -A OUTPUT -m rt --rt-type 0 -j DROP
    $IP6TABLES -A FORWARD -m rt --rt-type 0 -j DROP

    # --------------------------------------------------
    # ICMP
    # --------------------------------------------------
    # Allow IPv6 ICMP
    $IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT
    $IP6TABLES -A OUTPUT -p ipv6-icmp -j ACCEPT
    $IP6TABLES -A FORWARD -p ipv6-icmp -j ACCEPT

    # --------------------------------------------------
    # Basic allowed traffic - loopback, outgoing
    # --------------------------------------------------
    $IP6TABLES -A INPUT -i lo -j ACCEPT
    $IP6TABLES -A OUTPUT -o lo -j ACCEPT

    # Allow incoming connections related to existing allowed connections.
    $IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IP6TABLES -A INPUT -p tcp ! --syn -j ACCEPT

    # Allow outgoing connections EXCEPT invalid
    $IP6TABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IP6TABLES -A OUTPUT -j ACCEPT

    # Allow incoming connections related to existing allowed connections.
    $IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IP6TABLES -A FORWARD -p tcp ! --syn -j ACCEPT

    # Allow new outgoing forwarded connections
    $IP6TABLES -A FORWARD -o ${IP6_WAN_IF} -m state --state NEW -j ACCEPT
    $IP6TABLES -A FORWARD -o ${IP6_WAN_IF} -j ACCEPT

    # --------------------------------------------------
    # Drop MS ports - SMB, CIFS, etc
    # --------------------------------------------------
    $IP6TABLES -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
    $IP6TABLES -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP

    # --------------------------------------------------
    # Drop Invalid traffic
    # --------------------------------------------------
    $IP6TABLES -A INPUT -m state --state INVALID -j DROP
    $IP6TABLES -A OUTPUT -m state --state INVALID -j DROP
    $IP6TABLES -A FORWARD -m state --state INVALID -j DROP

    # --------------------------------------------------
    # Port scans and SYN floods
    # --------------------------------------------------
    $IP6TABLES -N SYN_FLOOD
    $IP6TABLES -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
    $IP6TABLES -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j LOG --log-prefix SYN-DROP:
    $IP6TABLES -A SYN_FLOOD -j DROP
    $IP6TABLES -A INPUT -p tcp --syn -j SYN_FLOOD
    $IP6TABLES -A FORWARD -i ${IP6_WAN_IF} -p tcp --syn -j SYN_FLOOD

    # --------------------------------------------------
    # Drop bad IPs
    # --------------------------------------------------
    # Block lists (placeholders, fill in before enabling)
    #$IP6TABLES -A INPUT -s INSERT-BAD-IP-HERE -j DROPLOG
    #$IP6TABLES -A FORWARD -s INSERT-BAD-IP-HERE -j DROPLOG

    # IANA reserved and unallocated
    # http://www.iana.org/assignments/ipv6-address-space/
    # http://www.iana.org/assignments/ipv6-unicast-address-assignments/

    # --------------------------------------------------
    # Inbound
    # --------------------------------------------------
    # Allowed ports
    for PORT in ${PORTS_IN_TCP_ALLOW} ; do
        #${IP6TABLES} -A INPUT -m state --state NEW -p tcp --dport ${PORT} -j ACCEPT
        ${IP6TABLES} -A INPUT -p tcp --syn --dport ${PORT} -j ACCEPT
    done
    for PORT in ${PORTS_IN_UDP_ALLOW} ; do
        #${IP6TABLES} -A INPUT -m state --state NEW -p udp --dport ${PORT} -j ACCEPT
        ${IP6TABLES} -A INPUT -p udp --dport ${PORT} -j ACCEPT
    done

    # --------------------------------------------------
    # Forward
    # --------------------------------------------------
    # Allowed ports
    for PORT in ${PORTS_FWD_TCP_ALLOW} ; do
        #${IP6TABLES} -A FORWARD -i ${IP6_WAN_IF} -m state --state NEW -p tcp --dport ${PORT} -j ACCEPT
        ${IP6TABLES} -A FORWARD -i ${IP6_WAN_IF} -p tcp --syn --dport ${PORT} -j ACCEPT
    done
    for PORT in ${PORTS_FWD_UDP_ALLOW} ; do
        #${IP6TABLES} -A FORWARD -i ${IP6_WAN_IF} -m state --state NEW -p udp --dport ${PORT} -j ACCEPT
        ${IP6TABLES} -A FORWARD -i ${IP6_WAN_IF} -p udp --dport ${PORT} -j ACCEPT
    done

    # --------------------------------------------------
    # Reject the rest
    # --------------------------------------------------
    $IP6TABLES -A INPUT -j REJECTLOG
    $IP6TABLES -A OUTPUT -j REJECTLOG
    $IP6TABLES -A FORWARD -j REJECTLOG
    EOF

Allow IPv6-in-IPv4 through iptables

$IPTABLES -A input_wan -p ipv6 -j zone_wan_ACCEPT

Public Wifi

nodogsplash

wget http://kokoro.ucsd.edu/nodogsplash/latest.ipk

Network Configuration

config 'interface' 'public'
    option 'proto' 'static'
    option 'type' 'bridge'
    option 'macaddr' ''
    option 'ipaddr' '172.16.0.1'
    option 'ip6addr' '2001:470:903c:ac10::1/64'
    option 'netmask' '255.255.255.0'
    option 'gateway' ''
    option 'ip6gw' ''
    option 'dns' ' 195.74.113.58 195.74.113.62'

Wireless Configuration

config 'wifi-iface'
    option 'device' 'wl0'
    option 'network' 'public'
    option 'mode' 'ap'
    option 'hidden' '0'
    option 'encryption' 'none'
    option 'network' 'public'
    option 'ssid' '30 Rustat Public'
    option 'bssid' ''
    option 'server' ''
    option 'port' ''
    option 'isolate' '0'
    option 'txpower' ''
    option 'bgscan' '0'
    option 'frag' ''
    option 'rts' ''
    option 'wds' '0'
    option 'key1' ''
    option 'key2' ''
    option 'key3' ''
    option 'key4' ''
    option '80211h' ''
    option 'compression' ''
    option 'bursting' ''
    option 'ff' ''
    option 'wmm' ''
    option 'xr' ''
    option 'ar' ''
    option 'turbo' ''
    option 'macpolicy' 'none'
    option 'maclist' ''

Firewall

config 'zone'
        option 'name' 'public'
        option 'input' 'REJECT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'masq' '1'

config 'forwarding'
    option 'src' 'public'
    option 'dest' 'wan'
    option 'mtu_fix' '1'
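The three hardening points made so far in these notes (httpd bound to the LAN IP, dropbear bound to the LAN IP, and the public zone rejecting input and forward) can be checked mechanically. The following is an added example, not code from the page or from OpenWrt: a small parser for the UCI `config`/`option` syntax used above, plus two audits. The `HARDENED` and `WEAK` snippets are constructed from the page's own dropbear, httpd and zone sections; the `<ip>:<port>` form for the listen address is the one the page's snippets use.

```python
"""Audit OpenWrt UCI config snippets for two hardening points made in these
notes: the 'public' zone must not accept input/forward, and management
daemons (dropbear, httpd) must listen on the LAN address only.
Example code added to these notes; not from the page or from OpenWrt."""
import re
from typing import Dict, List

Section = Dict[str, str]   # '_type', '_name' plus one key per option
TOKEN_RE = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")


def parse_uci(text: str) -> List[Section]:
    """Parse 'config <type> [<name>]' and 'option <key> <value>' lines."""
    sections: List[Section] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        toks = [t.strip("'\"") for t in TOKEN_RE.findall(line)]
        if toks[0] == "config" and len(toks) >= 2:
            sections.append({"_type": toks[1],
                             "_name": toks[2] if len(toks) > 2 else ""})
        elif toks[0] == "option" and sections and len(toks) >= 2:
            sections[-1][toks[1]] = toks[2] if len(toks) > 2 else ""
    return sections


def audit_zones(sections: List[Section], untrusted=("public",)) -> List[str]:
    """Untrusted zones must REJECT or DROP traffic to and through the router."""
    findings = []
    for s in sections:
        if s["_type"] == "zone" and s.get("name") in untrusted:
            for chain in ("input", "forward"):
                if s.get(chain, "ACCEPT").upper() not in ("REJECT", "DROP"):
                    findings.append(f"zone {s['name']}: {chain} is {s.get(chain, 'unset')}")
    return findings


def audit_listen(sections: List[Section], lan_ip: str = "192.168.1.1") -> List[str]:
    """dropbear 'Port' and httpd 'port' should be '<lan_ip>:<port>', not a bare port."""
    findings = []
    for s in sections:
        key = {"dropbear": "Port", "httpd": "port"}.get(s["_type"])
        if key is None:
            continue
        value = s.get(key, "")
        if not value.startswith(lan_ip + ":"):
            findings.append(f"{s['_type']}: listens on '{value or 'all addresses'}'")
    return findings


def audit(text: str, lan_ip: str = "192.168.1.1") -> List[str]:
    sections = parse_uci(text)
    return audit_zones(sections) + audit_listen(sections, lan_ip)


# Constructed samples, based on the snippets in these notes.
HARDENED = """
config 'zone'
        option 'name' 'public'
        option 'input' 'REJECT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'masq' '1'

config dropbear
        option PasswordAuth 'on'
        option Port '192.168.1.1:22'

config 'httpd'
        option 'port' '192.168.1.1:80'
        option 'home' '/www'
"""

WEAK = """
config 'zone'
        option 'name' 'public'
        option 'input' 'ACCEPT'
        option 'forward' 'REJECT'

config dropbear
        option Port '22'
"""

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit(cfg) or "OK")
```

Run it against `scp`-copied `/etc/config/firewall`, `/etc/config/dropbear` and `/etc/config/httpd` concatenated into one string; an empty list means all three points hold.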

DHCP

config 'dhcp' 'public'
    option 'interface' 'public'
    option 'start' '100'
    option 'limit' '150'
    option 'leasetime' '720m'
    option 'ignore' '0'

radvd

# cat /etc/config/radvd
config interface
        option interface        'public'
        option AdvSendAdvert    1
        option AdvManagedFlag   0
        option AdvOtherConfigFlag 0
        option ignore           0

config prefix
        option interface        'public'
        # If not specified, a non-link-local prefix of the interface is used
        option prefix           '2001:470:903c:ac10::/64'
        option AdvOnLink        1
        option AdvAutonomous    1
        option AdvRouterAddr    0
        option ignore           0

config rdnss
        option interface        'lan'
        # If not specified, the link-local address of the interface is used
        option addr             ''
        option ignore           1

Recovery

2009-12-16

  • Borked router deleting stuff from /jffs

Reboot to Failsafe

  • Power cycle
  • When DMZ light comes on press and hold Reset button until DMZ light flashes (~3Hz)

    telnet 192.168.1.1
    > firstboot
    > reboot

QoS

opkg update
opkg install qos-scripts

Nodogsplash

opkg update
opkg install nodogsplash

SSH access

  • dropbear
  • authorized keys

Reconfigure

  • From host

    scp etc/config/* router:/etc/config/
    scp etc/firewall.user router:/etc/

  • OpenDNS configuration

    cat >> /etc/resolv.conf.opendns <<EOF
    nameserver 208.67.222.222
    nameserver 208.67.220.220
    EOF

    • And replace DNS entries in /etc/config/network with these
  • ppp

    cat >> /etc/ppp/options <<EOF
    +ipv6
    #logfile /var/log/ppp.log
    EOF

Reinstall

opkg update
opkg install kmod-ipv6 kmod-ip6tables
opkg install radvd ip6tables 6scripts
opkg install qos-scripts ntpclient
opkg install nodogsplash

Services

/usr/sbin/ntpclient -c 1 -s -h 0.openwrt.pool.ntp.org
/etc/init.d/radvd start
/etc/init.d/firewall restart

Status

root@router:~# df /dev/mtdblock/4
Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/mtdblock/4           1792      1192       600  67% /jffs

OpenWRT

Upgrade

  • Upgrade to OpenWrt 8.09.2
  • ipv6 broken on x-wrt as it was on Gargoyle

Backup config

scp -r router:/etc ./
ssh router 'opkg list_installed' > installed_packages

Download

Upgrade

  • Via web interface with .trx

Reinstall

opkg install kmod-ipv6 ip ip6tables kmod-ip6tables qos-scripts 6scripts radvd ntpclient

Reconfigure

scp etc/config/* router:/etc/config/
scp etc/firewall.user router:/etc/
scp etc/hosts router:/etc/hosts.local
scp etc/dropbear/authorized_keys router:/etc/dropbear/

  • Fix dnsmasq, was using /etc/resolv.conf.opendns

    sed -i -e 's%/etc/resolv.conf.opendns%/tmp/resolv.conf.auto%' /etc/config/dhcp

  • Fix ppp ipv6

    cat >> /etc/ppp/options <<EOF
    +ipv6
    #logfile /var/log/ppp.log
    EOF

SNMP

Install

Configure

/etc/config/mini_snmpd

/etc/init.d/mini_snmpd

  • http://wlan-lj.net/browser/branches/openwrt/packages/net/mini_snmpd/files/mini_snmpd.init?order=date

    #!/bin/sh /etc/rc.common
    # Copyright (C) 2009 OpenWrt.org

    NAME=mini_snmpd
    PROG=/sbin/$NAME
    START=50

    append_string() {
        local section="$1"
        local option="$2"
        local value="$3"
        local _val
        config_get _val "$section" "$option"
        [ -n "$_val" ] && append args "$3 $_val"
    }

    mini_snmpd_config() {
        local cfg="$1"
        args=""

        append_string "$cfg" community "-c"
        append_string "$cfg" location "-L"
        append_string "$cfg" contact "-C"
        append_string "$cfg" disks "-d"
        append_string "$cfg" interfaces "-i"

        config_get_bool enabled "$cfg" "enabled" '1'
        [ "$enabled" -gt 0 ] && $PROG $args &
    }

    start() {
        config_load mini_snmpd
        config_foreach mini_snmpd_config mini_snmpd
    }

    stop() {
        killall mini_snmpd
    }

  • Make executable

    chmod a+x /etc/init.d/mini_snmpd

Run

mini_snmpd -i ppp0

Upgrade to 10.03

Config Changes from Kamikaze

  • /etc/config/httpd replaced with /etc/config/uhttpd
  • Delegated block in /etc/config/6tunnel
  • 6tunnel.init script fix https://dev.openwrt.org/ticket/7203
  • add services to init: 6tunnel, radvd, mini_snmpd

Geolocation Tunneling

SSH

# opkg install tinyproxy autossh

VPN

UPNP

# opkg install miniupnpd

cat /etc/config/upnp

config upnpd config
    option enabled      1
    option secure_mode  1
    option log_output   1
    option download     1024
    option upload       512
    option external_iface   wan
    option internal_iface   lan

Native IPv6

  • Divide Entanet allocated /56 into three subnets
    • 2001:4d48:ad51:xxx0::/64 for edge
    • 2001:4d48:ad51:xxx1::/64 for lan
    • 2001:4d48:ad51:xxx2::/64 for public

Multihoming

NOTE: native ipv6 only works alongside tunnelled ipv6 if multihoming is supported.

Adding native IPv6 didn't work initially because hosts were using their first assigned (tunnelled) ipv6 address and replies couldn't be routed back via native ipv6

Network

  • /etc/config/network

    config 'interface' 'wan'
        ...
        option 'ipv6' '1'
        option 'ip6addr' '2001:4d48:ad51:xxx0::1/64' # not necessary
        ...
    config 'interface' 'lan'
        ...
        option 'ip6addr' '2001:4d48:ad51:xxx1::1/64'
        ...
    config 'interface' 'public'
        ...
        option 'ip6addr' '2001:4d48:ad51:xxx2::1/64'

  • ip6addr option doesn't work for pppoe - can be added manually

    ip addr add 2001:4d48:ad51:xxx0::1/64 dev ppp0

Router Advertisements

  • Add /64 adverts to /etc/config/radvd

    config prefix
            # Native Entanet prefix
            option interface        'lan'
            option prefix           '2001:4d48:ad51:xxx1::/64'
            option AdvOnLink        1
            option AdvAutonomous    1
            option AdvRouterAddr    0
            option ignore           0

    config prefix
            # Native Entanet prefix
            option interface        'public'
            option prefix           '2001:4d48:ad51:xxx2::/64'
            option AdvOnLink        1
            option AdvAutonomous    1
            option AdvRouterAddr    0
            option ignore           0

Firewall

  • /etc/firewall.user
  • Adapt script to support multiple ipv6 endpoints (henet and ppp0)

Disable 6tunnel service

rm /etc/rc.d/S46_6tunnel

AAISP IPv6

Divide AAISP allocated /48

  • 2001:8b0:16b9:xxxx::/60 for location 1
    • 2001:8b0:16b9:xxx1::/64 for lan
    • 2001:8b0:16b9:xxx8::/64 for public

Upgrade to 12.09

openwrt-wrt54g-squashfs.bin

Does not support WRT54GL. Recommended version is 10.03.

Remote Logging

Recent watchdog resets (probably from rtorrent's ~700 connections). Uptime in the range of minutes.

Log server

Accept logging on Hastur:

Enable imudp plugin /etc/rsyslog.conf

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

Log remote messages from router to a file /etc/rsyslog.d/router.conf

## Match router hostname
:source, isequal, "router" /var/log/phase1/router.log
& ~

Configure rsyslogd

OpenWRT

Set log_ip and log_port. Default port is 514

/etc/config/system

option 'log_ip' '192.168.0.4'
    option 'log_port' '514'

Linksys

  • Linksys 4.30.11

    tftp 192.168.1.1

    tftp> binary
    tftp> rexmt 1
    tftp> timeout 60
    tftp> trace
    tftp> put WRT54GL_v4.30.11_012_ETSI_EN_code.bin

Replacement

Replaced by WDR-3600, see Mobile Router

Log

2009-01-21

Turned on QoS. Prioritized www and ssh over bittorrent

2009-01-25

Installed DD-WRT.

2009-01-27

Installed OpenWRT
Configure IPv6

2009-04-02

Fix OpenDNS configuration http://forum.openwrt.org/viewtopic.php?id=12408

cat >> /etc/resolv.conf.opendns <<EOF
nameserver 208.67.222.222
nameserver 208.67.220.220
EOF

vi /etc/config/dhcp
...
config dnsmasq
    ....
    option resolvfile '/etc/resolv.conf.opendns'

2009-08-18

  • Replaced Gargoyle with x-wrt OpenWRT 8.09
  • Web interface upgrade didn't work so flashed via TFTP
  • Configured WAN in pppoe mode, no bridge
  • Configured LAN, bridge mode (for wireless)
  • Set LAN DNS servers to OpenDNS

2009-08-19

  • Configured wireless
  • Configured port forwarding
  • Set PPPoE MTU to 1472

2009-08-20

  • IPv6
  • Force kernel downgrade

2009-08-21

  • Testing iodine

2009-09-??

  • Set httpd to listen on LAN only

2009-09-08

  • Port forwarding lockups
  • Reduced TCP conntrack timeout to 900 seconds
  • Adjusted bittorrent forwarding rule

    iptables -t nat -nv --list zone_wan_prerouting --line-number
    iptables -t nat -I zone_wan_prerouting 4 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.1.4
    iptables -t nat -I zone_wan_prerouting 5 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.1.4
    iptables -t nat -D zone_wan_prerouting 7 # delete old rule
    iptables -t nat -D zone_wan_prerouting 6 # delete old rule

  • Time synchronization

  • Dropbear SSH on LAN only

2009-09-12

  • Switch wireless to channel 6, distance to 18m
  • Configure he.net tunnel

2009-09-16

  • Initial ip6tables config

2009-09-18

  • Fix ip6tables tunnel and synflood

    $IPTABLES -A input_wan -p ipv6 -j zone_wan_ACCEPT
    $IP6TABLES -A FORWARD -i ${IP6_WAN_IF} -p tcp --syn -j SYN_FLOOD

2009-11-24

  • Upgrade packages - Fails due to lack of disk space
  • Fix IPv6
    • Upgrade deleted firewall.user

2009-12-10

  • Removed iodined
  • Started public wifi configuration

2009-12-12

  • Public wifi configuration

2009-12-13

2009-12-14

  • Block INPUT from public network by default

2009-12-15

  • configured public wifi
  • firewall rules for br-public

2009-12-16

  • opkg remove ip (freespace 288k)
  • opkg install qos-scripts
    • Nope. Still not enough space
  • remove /etc/init.d/6bridge /etc/config/6bridge
  • Remove unused ip6tables modules

    root@router:/jffs# df /dev/mtdblock/4
    Filesystem           1k-blocks      Used Available Use% Mounted on
    /dev/mtdblock/4           1792      1512       280  84% /jffs

    root@router:/jffs/lib/modules/2.4.35.4# lsmod | grep ip6
    ip6t_LOG                4556   1
    ip6t_IMQ                 684   0 (unused)
    ip6t_owner              1020   0 (unused)
    ip6t_limit               892   2
    ip6t_frag                924   0 (unused)
    ip6t_eui64               684   0 (unused)
    ip6table_mangle         2284   0 (unused)
    ip6table_filter         1740   1
    ip6_tables             17440   8 [ip6t_LOG ip6t_IMQ ip6t_owner ip6t_limit ip6t_frag ip6t_eui64 ip6table_mangle ip6table_filter]

    root@router:/jffs/lib/modules/2.4.35.4# rmmod ip6t_owner ip6t_frag ip6t_eui64
    root@router:/jffs/lib/modules/2.4.35.4# rm ip6t_owner.o ip6t_frag.o ip6t_eui64.o

    root@router:/jffs/lib/modules/2.4.35.4# df /dev/mtdblock/4
    Filesystem           1k-blocks      Used Available Use% Mounted on
    /dev/mtdblock/4           1792      1508       284  84% /jffs
    root@router:/# vim /etc/modules.d/49-ip6tables
    
  • Borked router - reset required

2010-01-03

  • Suspicious rules found in iptables

    Chain zone_wan (1 references)
     pkts bytes target     prot opt in     out     source               destination
    60899 4775K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0

    • Rules accepted all traffic. DNS was externally visible.
    • Rules removed
  • Fixed IPv6

    ip -6 addr add 2001:470:903c:c0a8::1/64 dev br-lan
    ip -6 addr add 2001:470:903c:ac10::1/64 dev br-public

    • Broken by missing addresses on router br-lan and br-public interfaces
    • Should br-lan and br-public also get autoconfigured by radvd?
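The two zone_wan rules above are the pattern to look for when auditing a router: an ACCEPT with any source, any destination, any interface and no port or state match, sitting in a WAN-facing chain. The following is an added example, not code from the page or from iptables: it parses `iptables -nvL` output and reports such rules per chain. `SAMPLE` is constructed from the page's listing with one port-restricted rule added so the contrast is visible.

```python
"""Flag ACCEPT rules in 'iptables -nvL' output that match any source, any
destination and any interface with no further match, which is what the two
zone_wan rules in the log entry above look like. Example code added to these
notes; it is not from the page or from iptables. SAMPLE is constructed from
the page's listing plus one port-restricted rule for contrast."""
import re
from typing import Dict, List, Tuple

CHAIN_RE = re.compile(r"^Chain (\S+) \(.*\)$")
ANY_ADDR = {"0.0.0.0/0", "::/0", "anywhere"}

# (target, prot, in, out, source, destination, extra-match text)
Rule = Tuple[str, str, str, str, str, str, str]


def parse_nvl(text: str) -> Dict[str, List[Rule]]:
    """Parse the chain headers and rule rows of 'iptables -nvL' output."""
    chains: Dict[str, List[Rule]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or line.startswith("pkts"):
            continue                      # column header row
        f = line.split()
        # pkts bytes target prot opt in out source destination [matches ...]
        if len(f) < 9:
            continue
        chains[current].append((f[2], f[3], f[5], f[6], f[7], f[8], " ".join(f[9:])))
    return chains


def wide_open_accepts(text: str, only_chains=None) -> List[str]:
    """Return one finding per ACCEPT rule that is unrestricted in every column."""
    findings = []
    for chain, rules in parse_nvl(text).items():
        if only_chains is not None and chain not in only_chains:
            continue
        for target, prot, in_if, out_if, src, dst, extra in rules:
            if (target == "ACCEPT" and in_if == "*" and out_if == "*"
                    and src in ANY_ADDR and dst in ANY_ADDR and not extra):
                findings.append(f"{chain}: ACCEPT {prot} from any to any, no match")
    return findings


# Constructed sample: the page's two suspicious rules plus a port-limited one.
SAMPLE = """\
Chain zone_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination
60899 4775K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
   12   720 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
"""

if __name__ == "__main__":
    for finding in wide_open_accepts(SAMPLE):
        print(finding)
```

Feed it `ssh router 'iptables -nvL'` output and restrict `only_chains` to the WAN-side chains (zone_wan, input_wan, forwarding_wan) to keep LAN-side accepts out of the report; the same parser works on `ip6tables -nvL` since `::/0` is in `ANY_ADDR`.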

2010-01-19

  • Give Michelle a static IP 172.16.0.100
  • NAT GRE

    iptables -t nat -A zone_wan_prerouting -p gre -j DNAT --to-destination 172.16.0.100

2010-02-26

  • Switch br-lan back to 192.168.1.0/24
  • Rename "30 Rustat Public" to "SavePublicWifi.org"

2010-03-02

  • Set wl0 txpower to 25dBm

iwconfig wl0 txpower 25dBm

2010-03-03

  • Upgrade to OpenWrt-8.09.2
  • Fix configuration of dnsmasq (used to have /etc/resolv.conf.opendns)

2010-03-04

  • Install mini-snmpd

2010-03-16

  • Reverted to Linksys firmware

2010-05-04

  • OpenWrt 10.03
  • Got snmp and ipv6 working again

2010-10-27

  • Installed miniupnpd

2010-12-16

2011-06-06

  • Configure native IPv6
    • Enable ipv6 on PPP link through Luci (AdministrationInterfaces)

2011-06-14

  • Change remove host address from bridged interfaces. (Replaced :1 with ::)
  • Restarted wan to fix ipv6 routing issue

    # ifdown wan ; sleep 3 ; ifup wan

2011-11-09

  • Move to AAISP
  • IPv6 routing failure fixed by restarting radvd

2013

  • On hiatus while at #25.
  • 192.168.0.13 DHCP must be reserved for Pivos Xios

2013-10-20

  • Investigate and abandon upgrade to OpenWrt-12.09 "attitude adjustment"
  • Create git repo for settings

2013-10-22

  • Configure for PPTP-to-PPPoA with Sky

To Do

QoS

OpenWrt 12.03 Attitude Adjustment

Nodogsplash

  • Add nodogsplash, need to free space first

IPv6 UDP broken

  • UDP responses aren't passed in by stateless firewall
  • Breaks DNS over IPv6
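The reason UDP replies never get in follows directly from the ip6tables script in the "ip6tables" section above: the page calls it stateless, so the only thing standing in for "established" is `-p tcp ! --syn -j ACCEPT`, and a UDP datagram has no SYN flag to test. The following is an added example, not code from the page, OpenWrt or netfilter: a model of that INPUT chain's rule order next to a stateful variant that remembers outbound flows, run over two constructed packets. It leaves out the SYN_FLOOD rate limit and logging, and the addresses, ports and interface name `henet` are constructed to match the script.

```python
"""Model of the INPUT chain from the stateless ip6tables script in these notes,
next to a stateful variant, to show why UDP replies (DNS over IPv6) are rejected
without connection tracking. Example code added to these notes; not from the
page, OpenWrt or netfilter. Rate limiting and logging are omitted."""
from dataclasses import dataclass
from typing import Set, Tuple

MS_PORTS = {135, 137, 138, 139, 445, 1433, 1434}
PORTS_IN_TCP_ALLOW: Set[int] = set()       # matches the script: nothing inbound
PORTS_IN_UDP_ALLOW: Set[int] = set()


@dataclass(frozen=True)
class Packet:
    proto: str            # 'tcp', 'udp' or 'ipv6-icmp'
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False     # TCP SYN without ACK, i.e. a new connection
    in_if: str = "henet"  # the script's IP6_WAN_IF


# (proto, local addr, local port, remote addr, remote port)
Flow = Tuple[str, str, int, str, int]


def stateless_input(pkt: Packet) -> str:
    """Rule order taken from the script's INPUT chain."""
    if pkt.proto == "ipv6-icmp":
        return "ACCEPT"
    if pkt.in_if == "lo":
        return "ACCEPT"
    if pkt.proto == "tcp" and not pkt.syn:
        return "ACCEPT"          # '-p tcp ! --syn': the stand-in for ESTABLISHED
    if pkt.proto in ("tcp", "udp") and pkt.dport in MS_PORTS:
        return "DROP"
    if pkt.proto == "tcp" and pkt.syn and pkt.dport in PORTS_IN_TCP_ALLOW:
        return "ACCEPT"
    if pkt.proto == "udp" and pkt.dport in PORTS_IN_UDP_ALLOW:
        return "ACCEPT"          # only listed dports; no rule admits UDP replies
    return "REJECT"              # the final '-j REJECTLOG'


class StatefulFirewall:
    """Same policy, but outbound flows are remembered so their replies match an
    ESTABLISHED rule and the blanket '! --syn' accept is not needed."""

    def __init__(self) -> None:
        self.conntrack: Set[Flow] = set()

    def output(self, pkt: Packet) -> str:
        # OUTPUT is ACCEPT in the script; record the flow for the reply path.
        self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "ACCEPT"

    def input(self, pkt: Packet) -> str:
        if pkt.proto == "ipv6-icmp" or pkt.in_if == "lo":
            return "ACCEPT"
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return "ACCEPT"      # ESTABLISHED,RELATED
        if pkt.proto == "tcp" and not pkt.syn:
            return "DROP"        # non-SYN with no known flow: INVALID
        if pkt.proto in ("tcp", "udp") and pkt.dport in MS_PORTS:
            return "DROP"
        if pkt.proto == "tcp" and pkt.dport in PORTS_IN_TCP_ALLOW:
            return "ACCEPT"
        if pkt.proto == "udp" and pkt.dport in PORTS_IN_UDP_ALLOW:
            return "ACCEPT"
        return "REJECT"


ROUTER = "2001:db8:1::1"         # constructed addresses
RESOLVER = "2001:db8:53::53"
STRANGER = "2001:db8:2::9"


def dns_reply_verdicts() -> Tuple[str, str]:
    """Outbound DNS query, then its reply: (stateless verdict, stateful verdict)."""
    query = Packet("udp", ROUTER, RESOLVER, sport=40000, dport=53)
    reply = Packet("udp", RESOLVER, ROUTER, sport=53, dport=40000)
    fw = StatefulFirewall()
    fw.output(query)
    return stateless_input(reply), fw.input(reply)


def unsolicited_ack_verdicts() -> Tuple[str, str]:
    """A non-SYN TCP segment with no prior flow: (stateless, stateful)."""
    ack = Packet("tcp", STRANGER, ROUTER, sport=5555, dport=9999, syn=False)
    return stateless_input(ack), StatefulFirewall().input(ack)


if __name__ == "__main__":
    print("DNS reply   stateless/stateful:", dns_reply_verdicts())
    print("unsolicited stateless/stateful:", unsolicited_ack_verdicts())
```

The first result is the To Do item: the reply to the router's own query is rejected because nothing ties it to the query. The second shows the cost of the `! --syn` workaround, which admits any non-SYN segment regardless of whether a connection exists; a stateful chain closes both gaps at once, which is why the fix is connection tracking rather than another port in `PORTS_IN_UDP_ALLOW`.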

Public Wifi
