---
title: WRT54GL
---

[[_TOC_]]

# Gargoyle

## Fix Disk Space

* <https://dev.openwrt.org/changeset/13650>

    echo "option overlay_root /jffs" >> /etc/opkg.conf

## [IPv6][35]

* Attempted on Gargoyle (OpenWRT 8.09-beta)
* <http://wiki.openwrt.org/IPv6_howto>
* NOTE: opkg has replaced ipkg

    opkg update
    opkg install kmod-ipv6 kmod-ip6tables
    opkg install radvd ip ip6tables
    insmod ipv6    # doesn't fucking work!

Insmod ipv6 fails with: `> insmod: unresolved symbol tcp_destroy_sock`

## TFTP Upgrade

* Upgrading OpenWRT via TFTP
* Run tftp

    atftp --trace --option "timeout 10" --option "mode octet" --put --local-file openwrt-xxx-x.x-xxx.bin 192.168.1.1

* Power cycle the router
* With boot_wait already configured no need to press reset button

# X-WRT

## [IPv6][35] take 2

#### 2009-08-20

* Attempted on OpenWRT 8.09 X-WRT
* <https://forum.openwrt.org/viewtopic.php?id=19603>

    opkg update
    opkg install ip kmod-ipv6 kmod-ip6tables radvd

* Still doesn't fucking work. The brcm47xx packages are built for the 2.6 kernel only; the WRT54GL runs the brcm-2.4 build.

### Remove

    opkg remove kmod-ip6tables kmod-ipv6 radvd ip6tables

* Ha! Fix opkg repos: point at the brcm-2.4 feeds instead of brcm47xx

    vi /etc/opkg.conf

* cat /etc/opkg.conf

```
#src/gz snapshots http://downloads.openwrt.org/kamikaze/8.09.1/brcm47xx/packages
src/gz snapshots http://downloads.openwrt.org/kamikaze/8.09.1/brcm-2.4/packages
dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /jffs
#src X-Wrt http://downloads.x-wrt.org/xwrt/kamikaze/8.09.1/brcm47xx/packages
src X-Wrt http://downloads.x-wrt.org/xwrt/kamikaze/8.09/brcm-2.4/packages
```

### Reinstall packages

    opkg update
    opkg install -force-downgrade ip kmod-ipv6 kmod-ip6tables radvd ip6tables

### Configure PPP

* <http://nuwiki.openwrt.org/oldwiki/IPv6_howto>
* Activate PPP [IPv6][35] support.
Add the following lines to /etc/ppp/options:

```
+ipv6
#logfile /var/log/ppp.log
```

* No v6CP response so e-mailed Entanet (ipv6 at enta dot net)

## Iodine

* `opkg install kmod-tun iodine`

## httpd listen address

* Bind httpd to the LAN IP and port so it is not reachable from the WAN side

```
# cat /etc/config/httpd
config 'httpd'
        option 'port' '192.168.1.1:80'
        option 'home' '/www'
```

## Port Forwarding Lockups

* Stops forwarding ports after a while

### Reduce TCP established timeout

The kernel default for established TCP conntrack entries is 432000 seconds (5 days), so dead peer connections sit in the table long after they are gone.

* /proc

    echo -n 900 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established

* vim /etc/sysctl.conf

    net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=900

## NTP Time Synchronization

* <http://martybugs.net/wireless/openwrt/timesync.cgi>
* Install ntpclient

    opkg update
    opkg install ntpclient

* Run once

    /usr/sbin/ntpclient -c 1 -s -h 0.openwrt.pool.ntp.org

## SSH listen address

* Bind dropbear to the LAN IP and port

```
# cat /etc/config/dropbear
config dropbear
        option PasswordAuth 'on'
        option Port '192.168.1.1:22'
```

## Fix BT iptables forwarding

* Change live iptables rules (delete the higher-numbered old rule first so the second number is still valid)

    iptables -t nat -nv --list zone_wan_prerouting --line-numbers
    iptables -t nat -I zone_wan_prerouting 4 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.1.4
    iptables -t nat -I zone_wan_prerouting 5 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.1.4
    iptables -t nat -D zone_wan_prerouting 7    # delete old rule
    iptables -t nat -D zone_wan_prerouting 6    # delete old rule

* Edit saved rules
* Modified dest_port '6881-6889' to ''

```
# vim /etc/config/firewall
config 'redirect' 'BT'
        option 'src' 'wan'
        option 'proto' 'tcpudp'
        option 'src_ip' ''
        option 'dest_ip' '192.168.1.4'
        option 'dest_port' ''
        option 'src_dport' '6881-6889'
```

## Configure [IPv6][35] tunnel

* Create he.net tunnelbroker account
* Let he.net ping the router

```
# vim /etc/firewall.user
iptables -A input_wan -p icmp -m icmp --icmp-type echo-request -m limit --limit 10/s -j zone_wan_ACCEPT
```

* Set [IPv6][35] Address in WebIf to 2001:470:1f09:471::1/64
### Tunnel Script

* [http://blog.silviosilva.com/index.php/2009/03/15/ipv6\_tunnelbroker\_openwrt/][38]
* <http://www.tunnelbroker.net/forums/index.php?action=printpage;topic=106.0>

```
# cat /etc/init.d/ipv6tunnel
#!/bin/sh /etc/rc.common
#Information from the "Tunnel Details" page
SERVER_v4=216.66.80.26
SERVER_v6=2001:470:1f08:471::1
CLIENT_v4=78.32.119.229
CLIENT_v6=2001:470:1f08:471::2
# Uncomment if you have a /48
#ROUTED_48=Your /48 netblock's gateway address, e.g., 2001:a:b::1
ROUTED_64=2001:470:1f09:471::1

START=50

start() {
    echo "Starting he.net IPv6 tunnel: "
    ip tunnel add henet mode sit remote $SERVER_v4 local $CLIENT_v4 ttl 255
    ip link set henet up
    ip -6 addr add $CLIENT_v6/64 dev henet
    ip -6 ro add default via $SERVER_v6 dev henet
    # Set by WebIf
    #ip -6 addr add $ROUTED_64/64 dev br-lan
    # Uncomment if you have a /48
    #ip -6 addr add $ROUTED_48/48 dev br-lan
    ip -f inet6 addr
    echo "Done."
}

stop() {
    echo -n "Stopping he.net IPv6 tunnel: "
    ip link set henet down
    ip tunnel del henet
    # Set by WebIf
    #ip -6 addr delete $ROUTED_64/64 dev br-lan
    # Uncomment if you have a /48
    #ip -6 addr delete $ROUTED_48/48 dev br-lan
    echo "Done."
}

restart() {
    stop
    start
}
```

### radvd

```
# cat /etc/config/radvd
config interface
        option interface          'lan'
        option AdvSendAdvert      1
        option AdvManagedFlag     0
        option AdvOtherConfigFlag 0
        option ignore             0

config prefix
        option interface          'lan'
        # If not specified, a non-link-local prefix of the interface is used
        option prefix             '2001:db8:feed:b00::/64'
        option AdvOnLink          1
        option AdvAutonomous      1
        option AdvRouterAddr      0
        option ignore             0

config rdnss
        option interface          'lan'
        # If not specified, the link-local address of the interface is used
        option addr               ''
        option ignore             1
```

### Enable WebIf services

* Enable ipv6tunnel, radvd

### Official OpenWRT [IPv6][35] howto

* <http://nuwiki.openwrt.org/oldwiki/IPv6_howto>

### ip6tables

* <http://ipv6.debian.net/>
* Add to /etc/modules.d

```
# echo ip6_tables >> /etc/modules.d/20-ipv6
# echo ip6table_filter >> /etc/modules.d/20-ipv6
```

* Adapt ip6-stateless script
* network/Firewall/router.fw.sh
* cat >> firewall.user

```
#--------------------------------------------------
#-- IP6TABLES
#--------------------------------------------------
PORTS_IN_TCP_ALLOW=""
PORTS_IN_UDP_ALLOW=""
PORTS_FWD_TCP_ALLOW="22"
PORTS_FWD_UDP_ALLOW=""

IPTABLES="/usr/sbin/iptables"
IP6TABLES="/usr/sbin/ip6tables"
IP6_WAN_IF=henet

# Default rate limiting
#RLIMIT="-m limit --limit 3/s --limit-burst 8"
RLIMIT=""

# Logging options.
LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
LOG="$LOG --log-ip-options"

# Unprivileged ports.
PHIGH="1024:65535"
PSSH="1000:1023"

#--------------------------------------------------
# Sysctl
#--------------------------------------------------
echo "1" > /proc/sys/net/ipv6/conf/all/forwarding

#--------------------------------------------------
# Default policies.
#--------------------------------------------------
# Drop everything by default.
$IP6TABLES -P INPUT DROP
$IP6TABLES -P FORWARD DROP
$IP6TABLES -P OUTPUT DROP

# Set the nat/mangle/raw tables' chains to ACCEPT
$IP6TABLES -t mangle -P PREROUTING ACCEPT
$IP6TABLES -t mangle -P INPUT ACCEPT
$IP6TABLES -t mangle -P FORWARD ACCEPT
$IP6TABLES -t mangle -P OUTPUT ACCEPT
$IP6TABLES -t mangle -P POSTROUTING ACCEPT

#--------------------------------------------------
# Cleanup.
#--------------------------------------------------
# Delete all
$IP6TABLES -F
$IP6TABLES -t mangle -F

# Delete all
$IP6TABLES -X
$IP6TABLES -t mangle -X

# Zero all packets and counters.
$IP6TABLES -Z
$IP6TABLES -t mangle -Z

#--------------------------------------------------
# Basic user-defined chains
#--------------------------------------------------
# LOG packets, then ACCEPT.
$IP6TABLES -N ACCEPTLOG
#$IP6TABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "ACCEPT "
$IP6TABLES -A ACCEPTLOG -j ACCEPT

# LOG packets, then DROP.
$IP6TABLES -N DROPLOG
#$IP6TABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "DROP "
$IP6TABLES -A DROPLOG -j DROP

# LOG packets, then REJECT.
# TCP packets are rejected with a TCP reset.
$IP6TABLES -N REJECTLOG
#$IP6TABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "REJECT "
$IP6TABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
$IP6TABLES -A REJECTLOG -j REJECT

#--------------------------------------------------
# Vulnerabilities
#--------------------------------------------------
#Remove RH0 vulnerability
# https://lists.ubuntu.com/archives/kernel-bugs/2007-June/027320.html
# https://www.sixxs.net/forum/?msg=general-573582
#$IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP
#$IP6TABLES -A OUTPUT -m rt --rt-type 0 -j DROP
#$IP6TABLES -A FORWARD -m rt --rt-type 0 -j DROP

#--------------------------------------------------
# ICMP
#--------------------------------------------------
# Allow IPv6 ICMP
$IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT
$IP6TABLES -A OUTPUT -p ipv6-icmp -j ACCEPT
$IP6TABLES -A FORWARD -p ipv6-icmp -j ACCEPT

#--------------------------------------------------
# Basic allowed traffic - loopback, outgoing
#--------------------------------------------------
$IP6TABLES -A INPUT -i lo -j ACCEPT
$IP6TABLES -A OUTPUT -o lo -j ACCEPT

# Allow incoming connections related to existing allowed connections.
# No IPv6 conntrack on this kernel: "! --syn" stands in for ESTABLISHED,RELATED
#$IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A INPUT -p tcp ! --syn -j ACCEPT

# Allow outgoing connections EXCEPT invalid
#$IP6TABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A OUTPUT -j ACCEPT

# Allow incoming connections related to existing allowed connections.
#$IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A FORWARD -p tcp ! --syn -j ACCEPT

# Allow new outgoing forwarded connections
#$IP6TABLES -A FORWARD -o ${IP6_WAN_IF} -m state --state NEW -j ACCEPT
$IP6TABLES -A FORWARD -o ${IP6_WAN_IF} -j ACCEPT

##--------------------------------------------------
## Drop MS ports - SMB, CIFS, etc
##--------------------------------------------------
#$IP6TABLES -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
#$IP6TABLES -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP

#--------------------------------------------------
# Drop Invalid traffic
#--------------------------------------------------
#$IP6TABLES -A INPUT -m state --state INVALID -j DROP
#$IP6TABLES -A OUTPUT -m state --state INVALID -j DROP
#$IP6TABLES -A FORWARD -m state --state INVALID -j DROP

#--------------------------------------------------
# Port scans and SYN floods
#--------------------------------------------------
$IP6TABLES -N SYN_FLOOD
$IP6TABLES -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IP6TABLES -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j LOG --log-prefix SYN-DROP:
$IP6TABLES -A SYN_FLOOD -j DROP
$IP6TABLES -A INPUT -p tcp --syn -j SYN_FLOOD
$IP6TABLES -A FORWARD -i ${IP6_WAN_IF} -p tcp --syn -j SYN_FLOOD

#--------------------------------------------------
# Drop bad IPs
#--------------------------------------------------
## Block lists
## $IP6TABLES -A INPUT -s INSERT-BAD-IP-HERE -j DROPLOG
## $IP6TABLES -A FORWARD -s INSERT-BAD-IP-HERE -j DROPLOG

# IANA reserved and unallocated
# http://www.iana.org/assignments/ipv6-address-space/
# http://www.iana.org/assignments/ipv6-unicast-address-assignments/
##--------------------------------------------------

#--------------------------------------------------
# Inbound
#--------------------------------------------------
# Allowed ports
for PORT in ${PORTS_IN_TCP_ALLOW} ; do
    #${IP6TABLES} -A INPUT -m state --state NEW -p tcp --dport ${PORT} -j ACCEPT
    ${IP6TABLES} -A INPUT -p tcp --syn --dport ${PORT} -j ACCEPT
done

for PORT in ${PORTS_IN_UDP_ALLOW} ; do
    #${IP6TABLES} -A INPUT -m state --state NEW -p udp --dport ${PORT} -j ACCEPT
    ${IP6TABLES} -A INPUT -p udp --dport ${PORT} -j ACCEPT
done

#--------------------------------------------------
# Forward
#--------------------------------------------------
# Allowed ports
for PORT in ${PORTS_FWD_TCP_ALLOW} ; do
    #${IP6TABLES} -A FORWARD -i ${IP6_WAN_IF} -m state --state NEW -p tcp --dport ${PORT} -j ACCEPT
    ${IP6TABLES} -A FORWARD -i ${IP6_WAN_IF} -p tcp --syn --dport ${PORT} -j ACCEPT
done

for PORT in ${PORTS_FWD_UDP_ALLOW} ; do
    #${IP6TABLES} -A FORWARD -i ${IP6_WAN_IF} -m state --state NEW -p udp --dport ${PORT} -j ACCEPT
    ${IP6TABLES} -A FORWARD -i ${IP6_WAN_IF} -p udp --dport ${PORT} -j ACCEPT
done

##--------------------------------------------------
## Reject the rest
##--------------------------------------------------
#$IP6TABLES -A INPUT -j REJECTLOG
#$IP6TABLES -A OUTPUT -j REJECTLOG
#$IP6TABLES -A FORWARD -j REJECTLOG
```

Two things to keep in mind with this script. The `-p tcp ! --syn` rules admit any TCP segment without SYN regardless of whether a session exists, so an ACK probe from the WAN reaches LAN hosts; and there is no equivalent for UDP, so replies to outbound UDP (DNS above all) are dropped by the FORWARD policy. Both follow from the script being stateless; only connection tracking (the commented `-m state` rules) fixes them.

### Allow [IPv6][35]-in-IPv4 through iptables

    $IPTABLES -A input_wan -p ipv6 -j zone_wan_ACCEPT

As written this accepts protocol 41 from any IPv4 source. Adding `-s $SERVER_v4` (the tunnel endpoint from the tunnel script) restricts it to the broker.

## Public Wifi

### nodogsplash

    wget http://kokoro.ucsd.edu/nodogsplash/latest.ipk

### Network Configuration

    config 'interface' 'public'
            option 'proto' 'static'
            option 'type' 'bridge'
            option 'macaddr' ''
            option 'ipaddr' '172.16.0.1'
            option 'ip6addr' '2001:470:903c:ac10::1/64'
            option 'netmask' '255.255.255.0'
            option 'gateway' ''
            option 'ip6gw' ''
            option 'dns' ' 195.74.113.58 195.74.113.62'

### Wireless Configuration

    config 'wifi-iface'
            option 'device' 'wl0'
            option 'network' 'public'
            option 'mode' 'ap'
            option 'hidden' '0'
            option 'encryption' 'none'
            option 'ssid' '30 Rustat Public'
            option 'bssid' ''
            option 'server' ''
            option 'port' ''
            option 'isolate' '0'
            option 'txpower' ''
            option 'bgscan' '0'
            option 'frag' ''
            option 'rts' ''
            option 'wds' '0'
            option 'key1' ''
            option 'key2' ''
            option 'key3' ''
            option 'key4' ''
            option '80211h' ''
            option 'compression' ''
            option 'bursting' ''
            option 'ff' ''
            option 'wmm' ''
            option 'xr' ''
            option 'ar' ''
            option 'turbo' ''
            option 'macpolicy' 'none'
            option 'maclist' ''

For an open SSID, `option 'isolate' '1'` stops clients of the access point from reaching each other through it; the firewall zone below only governs traffic that reaches the router.

### Firewall

    config 'zone'
            option 'name' 'public'
            option 'input' 'REJECT'
            option 'output' 'ACCEPT'
            option 'forward' 'REJECT'
            option 'masq' '1'

    config 'forwarding'
            option 'src' 'public'
            option 'dest' 'wan'
            option 'mtu_fix' '1'

### DHCP

    config 'dhcp' 'public'
            option 'interface' 'public'
            option 'start' '100'
            option 'limit' '150'
            option 'leasetime' '720m'
            option 'ignore' '0'

### radvd

```
# cat /etc/config/radvd
config interface
        option interface          'public'
        option AdvSendAdvert      1
        option AdvManagedFlag     0
        option AdvOtherConfigFlag 0
        option ignore             0

config prefix
        option interface          'public'
        # If not specified, a non-link-local prefix of the interface is used
        option prefix             '2001:470:903c:ac10::/64'
        option AdvOnLink          1
        option AdvAutonomous      1
        option AdvRouterAddr      0
        option ignore             0

config rdnss
        option interface          'lan'
        # If not specified, the link-local address of the interface is used
        option addr               ''
        option ignore             1
```

## Recovery

#### 2009-12-16

* Borked router deleting stuff from /jffs

### Reboot to Failsafe

* Power cycle
* When DMZ light comes on press and hold Reset button until DMZ light flashes (~3Hz)

    telnet 192.168.1.1
    > firstboot
    > reboot

### QoS

    opkg update
    opkg install qos-scripts

### Nodogsplash

    opkg update
    opkg install nodogsplash

* <http://nuwiki.openwrt.org/oldwiki/hotspothowto#configure.nodogsplash>
* Abandon for now. Too buggy.
### SSH access

* dropbear
* authorized keys

### Reconfigure

* From host

    scp etc/config/* router:/etc/config/
    scp etc/firewall.user router:/etc/

* OpenDNS configuration

    cat >> /etc/resolv.conf.opendns <<EOF
    nameserver 208.67.222.222
    nameserver 208.67.220.220
    EOF

* And replace DNS entries in /etc/config/network with these
* ppp

```
cat >> /etc/ppp/options <<EOF
+ipv6
#logfile /var/log/ppp.log
EOF
```

### Reinstall

    opkg update
    opkg install kmod-ipv6 kmod-ip6tables
    opkg install radvd ip6tables 6scripts
    opkg install qos-scripts ntpclient
    opkg install nodogsplash

### Services

    /usr/sbin/ntpclient -c 1 -s -h 0.openwrt.pool.ntp.org
    /etc/init.d/radvd start
    /etc/init.d/firewall restart

### Status

    root@router:~# df /dev/mtdblock/4
    Filesystem           1k-blocks      Used Available Use% Mounted on
    /dev/mtdblock/4           1792      1192       600  67% /jffs

# OpenWRT

## Upgrade

* Upgrade to OpenWrt 8.09.2
* ipv6 broken on x-wrt as it was on Gargoyle

### Backup config

    scp -r router:/etc ./
    ssh router 'opkg list_installed' > installed_packages

### Download

* <http://downloads.openwrt.org/kamikaze/8.09.2/brcm-2.4/openwrt-brcm-2.4-squashfs.trx>
* <http://downloads.openwrt.org/kamikaze/8.09.2/brcm-2.4/openwrt-wrt54g-squashfs.bin>

### Upgrade

* Via web interface with .trx

### Reinstall

    opkg install kmod-ipv6 ip ip6tables kmod-ip6tables qos-scripts 6scripts radvd ntpclient

### Reconfigure

    scp etc/config/* router:/etc/config/
    scp etc/firewall.user router:/etc/
    scp etc/hosts router:/etc/hosts.local
    scp etc/dropbear/authorized_keys router:/etc/dropbear/

* Fix dnsmasq, was using /etc/resolv.conf.opendns

    sed -i -e 's%/etc/resolv.conf.opendns%/tmp/resolv.conf.auto%' /etc/config/dhcp

* Fix ppp ipv6

```
cat >> /etc/ppp/options <<EOF
+ipv6
#logfile /var/log/ppp.log
EOF
```

## SNMP

### Install

* <http://members.aon.at/linuxfreak/linux/mini_snmpd.html>

    opkg install mini-snmpd

### Configure

#### /etc/config/mini_snmpd

* [http://wlan-lj.net/browser/branches/openwrt/packages/net/mini\_snmpd/files/mini\_snmpd.config?order=date][43]

    config mini_snmpd
            option enabled 1
            option community public
            option location ''
            option contact ''
            option disks '/tmp,/jffs'
            option interfaces 'ppp0,br-lan,br-public'    # Max 4

`public` is the well-known default read community. Change it, or make sure UDP 161 on the router is not reachable from the wan zone.

#### /etc/init.d/mini_snmpd

* [http://wlan-lj.net/browser/branches/openwrt/packages/net/mini\_snmpd/files/mini\_snmpd.init?order=date][44]

```
#!/bin/sh /etc/rc.common
# Copyright (C) 2009 OpenWrt.org

NAME=mini_snmpd
PROG=/sbin/$NAME
START=50

# Append "<flag> <value>" to $args if the UCI option is set
append_string() {
        local section="$1"
        local option="$2"
        local flag="$3"
        local _val
        config_get _val "$section" "$option"
        [ -n "$_val" ] && append args "$flag $_val"
}

mini_snmpd_config() {
        local cfg="$1"
        args=""
        append_string "$cfg" community "-c"
        append_string "$cfg" location "-L"
        append_string "$cfg" contact "-C"
        append_string "$cfg" disks "-d"
        append_string "$cfg" interfaces "-i"
        config_get_bool enabled "$cfg" "enabled" '1'
        [ "$enabled" -gt 0 ] && $PROG $args &
}

start() {
        config_load mini_snmpd
        config_foreach mini_snmpd_config mini_snmpd
}

stop() {
        killall mini_snmpd
}
```

* Make executable

    chmod a+x /etc/init.d/mini_snmpd

### Run

    mini_snmpd -i ppp0

## Upgrade to 10.03

* <http://backfire.openwrt.org/10.03/brcm-2.4/openwrt-brcm-2.4-squashfs.trx>
* <http://backfire.openwrt.org/10.03/brcm-2.4/openwrt-wrt54g-squashfs.bin>
* Upgraded via web interface with .bin

### Config Changes from Kamikaze

* /etc/config/httpd replaced with /etc/config/uhttpd
* Delegated block in /etc/config/6tunnel
* 6tunnel.init script fix <https://dev.openwrt.org/ticket/7203>
* add services to init: 6tunnel, radvd, mini_snmpd

## Geolocation Tunneling

### SSH

```
# opkg install tinyproxy autossh
```

* Set for transparent proxying
* <http://open-wrt.ru/forum/viewtopic.php?id=2069>

### VPN

* <http://forum.openwrt.org/viewtopic.php?pid=8495>

## UPNP

```
# opkg install miniupnpd
# cat /etc/config/upnp
config upnpd config
        option enabled 1
        option secure_mode 1
        option log_output 1
        option download 1024
        option upload 512
        option external_iface wan
        option internal_iface lan
```

## Native [IPv6][35]

* Divide Entanet allocated /56 into three subnets
    * 2001:4d48:ad51:xxx0::/64 for edge
    * 2001:4d48:ad51:xxx1::/64 for lan
    * 2001:4d48:ad51:xxx2::/64 for public

### Multihoming

NOTE: native ipv6 only works alongside tunnelled ipv6 if multihoming is supported. Adding native [IPv6][35] didn't work initially because hosts were using their first assigned (tunnelled) ipv6 address as source, and replies couldn't be routed back via native ipv6.

### Network

* /etc/config/network

    config 'interface' 'wan'
            ...
            option 'ipv6' '1'
            option 'ip6addr' '2001:4d48:ad51:xxx0::1/64'    # not necessary
            ...
    config 'interface' 'lan'
            ...
            option 'ip6addr' '2001:4d48:ad51:xxx1::1/64'
            ...
    config 'interface' 'public'
            ...
            option 'ip6addr' '2001:4d48:ad51:xxx2::1/64'

* ip6addr option doesn't work for pppoe - can be added manually

    ip addr add 2001:4d48:ad51:xxx0::1/64 dev ppp0

### Router Advertisements

* Add /64 adverts to /etc/config/radvd

```
config prefix    # Native Entanet prefix
        option interface   'lan'
        option prefix      '2001:4d48:ad51:xxx1::/64'
        option AdvOnLink   1
        option AdvAutonomous 1
        option AdvRouterAddr 0
        option ignore      0

config prefix    # Native Entanet prefix
        option interface   'public'
        option prefix      '2001:4d48:ad51:xxx2::/64'
        option AdvOnLink   1
        option AdvAutonomous 1
        option AdvRouterAddr 0
        option ignore      0
```

### Firewall

* /etc/firewall.user
* Adapt script to support multiple ipv6 endpoints (henet and ppp0)

### Disable 6tunnel service

`rm /etc/rc.d/S46_6tunnel`

### AAISP [IPv6][35]

Divide AAISP allocated /48

* 2001:8b0:16b9:xxxx::/60 for location 1
* 2001:8b0:16b9:xxx1::/64 for lan
* 2001:8b0:16b9:xxx8::/64 for public

## Upgrade to 12.09

[openwrt-wrt54g-squashfs.bin][45]

Does not support [WRT54GL][46]. Recommended version is 10.03.

## Remote Logging

Recent watchdog resets (probably from rtorrent's ~700 connections). Uptime in the range of minutes.
* <http://wiki.openwrt.org/doc/uci/system>
* <https://forum.openwrt.org/viewtopic.php?id=11912>
* <http://www.rsyslog.com/receiving-messages-from-a-remote-system/>
* <http://www.rsyslog.com/sending-messages-to-a-remote-syslog-server/>

### Log server

Accept logging on [Hastur][47]:

Enable the imudp plugin in `/etc/rsyslog.conf`

```
# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
```

Log remote messages from router to a file, `/etc/rsyslog.d/router.conf`

```
## Match router hostname
:source, isequal, "router"    /var/log/phase1/router.log
& ~
```

Restart rsyslogd.

UDP syslog is unauthenticated, so anything that can reach port 514 can write lines into router.log. Bind the listener to the LAN address (`$UDPServerAddress` before `$UDPServerRun`) or firewall 514/udp to the router's address.

### OpenWRT

Set log\_ip and log\_port. Default port is 514

    # /etc/config/system
    option 'log_ip' '192.168.0.4'
    option 'log_port' '514'

# Linksys

* [Linksys 4.30.11][48]

    tftp 192.168.1.1
    tftp> binary
    tftp> rexmt 1
    tftp> timeout 60
    tftp> trace
    tftp> put WRT54GL_v4.30.11_012_ETSI_EN_code.bin

# Replacement

Replaced by WDR-3600, see [Mobile Router][50]

# Log

#### 2009-01-21

Turned on QoS. Prioritized www and ssh over bittorrent

#### 2009-01-25

Installed DD-WRT.

#### 2009-01-27

Installed OpenWRT. Configure [IPv6][35]

#### 2009-04-02

Fix OpenDNS configuration <http://forum.openwrt.org/viewtopic.php?id=12408>

    cat >> /etc/resolv.conf.opendns <<EOF
    nameserver 208.67.222.222
    nameserver 208.67.220.220
    EOF
    vi /etc/config/dhcp
    ...
    config dnsmasq
    ....
            option resolvfile '/etc/resolv.conf.opendns'

#### 2009-08-18

* Replaced Gargoyle with x-wrt OpenWRT 8.09
* Web interface upgrade didn't work so flashed via TFTP
* [X-WRT Kamikaze 8.09 brcm-2.4 default][52]
* Configured WAN in pppoe mode, no bridge
* Configured LAN, bridge mode (for wireless)
* Set LAN DNS servers to OpenDNS

#### 2009-08-19

* Configured wireless
* Configured port forwarding
* Set PPPoE MTU to 1472

#### 2009-08-20

* [IPv6][35]
* Force kernel downgrade

#### 2009-08-21

* Testing iodine

#### 2009-09-??
* Set httpd to listen on LAN only

#### 2009-09-08

* Port forwarding lockups
* Reduced TCP conntrack timeout to 900 seconds
* Adjusted bittorrent forwarding rule

    iptables -t nat -nv --list zone_wan_prerouting --line-numbers
    iptables -t nat -I zone_wan_prerouting 4 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.1.4
    iptables -t nat -I zone_wan_prerouting 5 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.1.4
    iptables -t nat -D zone_wan_prerouting 7    # delete old rule
    iptables -t nat -D zone_wan_prerouting 6    # delete old rule

* Time synchronization
* Dropbear SSH on LAN only

#### 2009-09-12

* Switch wireless to channel 6, distance to 18m
* Configure he.net tunnel

#### 2009-09-16

* Initial ip6tables config

#### 2009-09-18

* Fix ip6tables tunnel and synflood

    $IPTABLES -A input_wan -p ipv6 -j zone_wan_ACCEPT
    $IP6TABLES -A FORWARD -i ${IP6_WAN_IF} -p tcp --syn -j SYN_FLOOD

#### 2009-11-24

* Upgrade packages - Fails due to lack of disk space
* Fix [IPv6][35]
* Upgrade deleted firewall.user

#### 2009-12-10

* Removed iodined
* Started public wifi configuration

#### 2009-12-12

* Public wifi configuration

#### 2009-12-13

* install 6scripts
* fix misconfigured public wifi
    * [No ifname stanza][54]

#### 2009-12-14

* Block INPUT from public network by default

#### 2009-12-15

* configured public wifi
* firewall rules for br-public

#### 2009-12-16

* opkg remove ip (freespace 288k)
* opkg install qos-scripts
* Nope. Still not enough space
* remove /etc/init.d/6bridge /etc/config/6bridge
* Remove unused ip6tables modules

    root@router:/jffs# df /dev/mtdblock/4
    Filesystem           1k-blocks      Used Available Use% Mounted on
    /dev/mtdblock/4           1792      1512       280  84% /jffs
    root@router:/jffs/lib/modules/2.4.35.4# lsmod | grep ip6
    ip6t_LOG                4556   1
    ip6t_IMQ                 684   0 (unused)
    ip6t_owner              1020   0 (unused)
    ip6t_limit               892   2
    ip6t_frag                924   0 (unused)
    ip6t_eui64               684   0 (unused)
    ip6table_mangle         2284   0 (unused)
    ip6table_filter         1740   1
    ip6_tables             17440   8 [ip6t_LOG ip6t_IMQ ip6t_owner ip6t_limit ip6t_frag ip6t_eui64 ip6table_mangle ip6table_filter]
    root@router:/jffs/lib/modules/2.4.35.4# rmmod ip6t_owner ip6t_frag ip6t_eui64
    root@router:/jffs/lib/modules/2.4.35.4# rm ip6t_owner.o ip6t_frag.o ip6t_eui64.o
    root@router:/jffs/lib/modules/2.4.35.4# df /dev/mtdblock/4
    Filesystem           1k-blocks      Used Available Use% Mounted on
    /dev/mtdblock/4           1792      1508       284  84% /jffs
    root@router:/# vim /etc/modules.d/49-ip6tables

* Borked router - reset required

#### 2010-01-03

* Suspicious rules found in iptables

    Chain zone_wan (1 references)
     pkts bytes target     prot opt in     out     source               destination
    60899 4775K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0

* Rules accepted all traffic. DNS was externally visible.
* Rules removed
* Fixed [IPv6][35]

    ip -6 addr add 2001:470:903c:c0a8::1/64 dev br-lan
    ip -6 addr add 2001:470:903c:ac10::1/64 dev br-public

* Broken by missing addresses on router br-lan and br-public interfaces
* Should br-lan and br-public also get autoconfigured by radvd?
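The two zone_wan rules recorded above are what an overly permissive ACCEPT looks like in `iptables -nvL` output: target ACCEPT, source and destination `0.0.0.0/0`, interface `*`, and nothing in the trailing match column. The following Python is an added example, not from this page or from OpenWrt, that parses such a listing and reports rules of that shape with the number `--line-numbers` would give them. The listing is constructed: its first two zone_wan rules copy the ones found on 2010-01-03, the others are made up to show what the check ignores (port-restricted rules, rules on a trusted interface, jumps to user chains). `TRUSTED_IN` and the `NARROWING` pattern are this example's own choices.

```python
"""Audit an `iptables -nvL` listing for ACCEPT rules that accept from anywhere.

Added example: flags ACCEPT rules with unrestricted source and destination that
are not bound to a trusted inbound interface and carry no port/state match.
"""
import re
from typing import Dict, List, Tuple

# Constructed listing. The first two zone_wan rules are the ones recorded on
# 2010-01-03; the rest are made up to show what the check ignores and flags.
SAMPLE_LISTING = """\
Chain zone_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination
60899 4775K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
  120  7200 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
   10   800 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194
    0     0 ACCEPT     41   --  *      *       0.0.0.0/0            0.0.0.0/0
   55  3300 zone_wan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination
 9000  900K ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
"""

ANY = {"0.0.0.0/0", "::/0", "anywhere"}
TRUSTED_IN = {"lo", "br-lan"}          # assumed: interfaces where a bare ACCEPT is fine
# A port, ICMP-type or conntrack-state qualifier in the trailing match column
NARROWING = re.compile(r"\b(?:dpts?|spts?|icmptype|icmp type):?|\b(?:ct)?state\b")

Rule = Dict[str, str]


def parse_listing(text: str) -> Dict[str, List[Rule]]:
    """Split `iptables -nvL` output into {chain: [rule, ...]} in listing order."""
    chains: Dict[str, List[Rule]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        fields = line.split()
        if current is None or len(fields) < 9 or fields[0] == "pkts":
            continue  # blank line or column header
        pkts, byts, target, prot, opt, in_if, out_if, src, dst = fields[:9]
        chains[current].append({
            "target": target, "prot": prot, "in": in_if, "out": out_if,
            "src": src, "dst": dst, "extra": " ".join(fields[9:]),
        })
    return chains


def is_wide_open(rule: Rule) -> bool:
    """ACCEPT from any source to any destination, not on a trusted interface,
    with nothing in the match column to narrow it down."""
    return (rule["target"] == "ACCEPT"
            and rule["src"] in ANY and rule["dst"] in ANY
            and rule["in"] not in TRUSTED_IN
            and not NARROWING.search(rule["extra"]))


def find_wide_open(chains: Dict[str, List[Rule]]) -> List[Tuple[str, int, Rule]]:
    """(chain, rule number as --line-numbers prints it, rule) for each hit."""
    hits = []
    for chain, rules in chains.items():
        for number, rule in enumerate(rules, start=1):
            if is_wide_open(rule):
                hits.append((chain, number, rule))
    return hits


if __name__ == "__main__":
    for chain, number, rule in find_wide_open(parse_listing(SAMPLE_LISTING)):
        print(f"{chain} rule {number}: ACCEPT {rule['prot']} from {rule['src']} "
              f"in {rule['in']} -> iptables -D {chain} {number}")
```

Run against `iptables -nvL` output on the router it reports zone_wan rules 1, 2 and 5; rule 5 is the protocol-41 rule from the tunnel section, which the check flags because it has no source restriction. When deleting by number, delete the highest number first, as the port-forwarding fix above does, so the remaining numbers stay valid.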
#### 2010-01-19

* Give Michelle a static IP 172.16.0.100
* NAT GRE

    iptables -t nat -A zone_wan_prerouting -p gre -j DNAT --to-destination 172.16.0.100

#### 2010-02-26

* Switch br-lan back to 192.168.1.0/24
* Rename "30 Rustat Public" to "SavePublicWifi.org"

#### 2010-03-02

* Set wl0 txpower to 25dBm `iwconfig wl0 txpower 25dBm`

#### 2010-03-03

* Upgrade to OpenWrt-8.09.2
* Fix configuration of dnsmasq (used to have /etc/resolv.conf.opendns)

#### 2010-03-04

* Install mini-snmpd

#### 2010-03-16

* Reverted to Linksys firmware

#### 2010-05-04

* OpenWrt 10.03
* Got snmp and ipv6 working again

#### 2010-10-27

* Installed miniupnpd

#### 2010-12-16

* Reenabled ppp ipv6 following [Proto 41 Filtering][56]

#### 2011-06-06

* Configure native [IPv6][35]
* Enable ipv6 on PPP link through Luci (Administration > Interfaces)

#### 2011-06-14

* Remove host address from bridged interfaces (replaced :1 with ::)
* Restarted wan to fix ipv6 routing issue

```
# ifdown wan ; sleep 3 ; ifup wan
```

#### 2011-11-09

* Move to AAISP
* [IPv6][35] routing failure fixed by restarting radvd

#### 2013

* On hiatus while at #25.
* 192.168.0.13 DHCP must be reserved for Pivos Xios

#### 2013-10-20

* Investigate and abandon upgrade to OpenWrt-12.09 "attitude adjustment"
* Create git repo for settings

#### 2013-10-22

* Configure for PPTP-to-PPPoA with Sky

# To Do

## QoS

## OpenWrt 12.09 Attitude Adjustment

* <http://downloads.openwrt.org/attitude_adjustment/12.09/brcm47xx/generic/>

## Nodogsplash

* Add nodogsplash, need to free space first

## [IPv6][35] UDP broken

* UDP responses aren't passed in by stateless firewall
* Breaks DNS over [IPv6][35]

## Public Wifi

* Route SavePublicWifi.org through tor
* <http://hardy.dropbear.id.au/blog/2008/02/hosting-multiple-wireless-networks-on-openwrt>
* <http://kokoro.ucsd.edu/nodogsplash/>
* Needs a reflash upgrade
* <http://p3f.gmxhome.de/OpenWRT/Configure-OpenVPN.html>
* <https://forum.openwrt.org/viewtopic.php?id=19137&p=1>
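The "UDP responses aren't passed in" item and the `firewall.user` script in the ip6tables section are the same problem seen from two ends: the script's `-m state` rules are commented out (the 2.4 kernel has no IPv6 connection tracking) and `-p tcp ! --syn` stands in for ESTABLISHED,RELATED, which has no UDP counterpart. The Python below is an added example, not code from this page, that replays the script's FORWARD chain in rule order against constructed packets (`henet` as `IP6_WAN_IF`, `br-lan` inside, `PORTS_FWD_TCP_ALLOW="22"` as on the page). `FORWARD_WITH_UDP_REPLY` adds an assumed stateless workaround that is not on the page: admit UDP from a resolver's port 53 to unprivileged ports. The packet values and the `report` helper are this example's own.

```python
"""Model of the stateless ip6tables FORWARD chain from firewall.user.

Added example: replays the chain's rule order against constructed packets to
show which traffic the stateless rules let through and which they drop.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

WAN = "henet"      # IP6_WAN_IF in firewall.user
LAN = "br-lan"


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmpv6"
    in_if: str            # interface the packet arrived on (-i)
    out_if: str           # interface it would leave on (-o)
    sport: int = 0
    dport: int = 0
    syn: bool = False     # SYN set, ACK clear: what iptables' --syn matches


@dataclass(frozen=True)
class Rule:
    verdict: str
    proto: Optional[str] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    sport: Optional[Tuple[int, int]] = None   # inclusive range, like --sport a:b
    dport: Optional[Tuple[int, int]] = None
    syn: Optional[bool] = None                # True = --syn, False = ! --syn

    def matches(self, p: Packet) -> bool:
        """Every field that is set must match; unset fields match anything."""
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.in_if is not None and self.in_if != p.in_if:
            return False
        if self.out_if is not None and self.out_if != p.out_if:
            return False
        if self.sport is not None and not self.sport[0] <= p.sport <= self.sport[1]:
            return False
        if self.dport is not None and not self.dport[0] <= p.dport <= self.dport[1]:
            return False
        if self.syn is not None and self.syn != p.syn:
            return False
        return True


def verdict(chain: List[Rule], p: Packet, policy: str = "DROP") -> str:
    """First matching rule wins; the chain policy (-P FORWARD DROP) applies otherwise."""
    for rule in chain:
        if rule.matches(p):
            return rule.verdict
    return policy


# FORWARD chain in the order firewall.user builds it. The SYN_FLOOD chain is
# left out: for a single packet under the rate limit it RETURNs without effect.
FORWARD_STATELESS = [
    Rule("ACCEPT", proto="icmpv6"),                                    # -p ipv6-icmp
    Rule("ACCEPT", proto="tcp", syn=False),                            # -p tcp ! --syn
    Rule("ACCEPT", out_if=WAN),                                        # -o $IP6_WAN_IF
    Rule("ACCEPT", proto="tcp", in_if=WAN, dport=(22, 22), syn=True),  # PORTS_FWD_TCP_ALLOW="22"
]

# Assumed stateless workaround, not on the page: admit replies from a
# resolver's port 53 to unprivileged ports, the way PORTS_FWD_UDP_ALLOW
# admits inbound services.
FORWARD_WITH_UDP_REPLY = FORWARD_STATELESS + [
    Rule("ACCEPT", proto="udp", in_if=WAN, sport=(53, 53), dport=(1024, 65535)),
]

# Constructed traffic
DNS_QUERY = Packet("udp", LAN, WAN, sport=40000, dport=53)
DNS_REPLY = Packet("udp", WAN, LAN, sport=53, dport=40000)
ACK_PROBE = Packet("tcp", WAN, LAN, sport=12345, dport=445, syn=False)  # ACK scan, no session
SYN_SSH = Packet("tcp", WAN, LAN, sport=12345, dport=22, syn=True)
SYN_SMB = Packet("tcp", WAN, LAN, sport=12345, dport=445, syn=True)


def report(chain: List[Rule]) -> dict:
    """Verdict for each constructed packet under the given chain."""
    return {
        "dns_query": verdict(chain, DNS_QUERY),
        "dns_reply": verdict(chain, DNS_REPLY),
        "ack_probe": verdict(chain, ACK_PROBE),
        "syn_ssh": verdict(chain, SYN_SSH),
        "syn_smb": verdict(chain, SYN_SMB),
    }


if __name__ == "__main__":
    for name, chain in (("stateless", FORWARD_STATELESS),
                        ("with udp reply rule", FORWARD_WITH_UDP_REPLY)):
        print(name, report(chain))
```

Under the page's chain the outbound DNS query is forwarded but its reply is dropped, which is the To Do item; the extra rule lets the reply through. The ACK probe to port 445 is forwarded under both chains, because `! --syn` cannot tell a reply from an unsolicited segment: that one only goes away with connection tracking.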
vim: set syntax=pmwiki:

[35]: IPv6
[38]: http://blog.silviosilva.com/index.php/2009/03/15/ipv6_tunnelbroker_openwrt/
[43]: http://wlan-lj.net/browser/branches/openwrt/packages/net/mini_snmpd/files/mini_snmpd.config?order=date
[44]: http://wlan-lj.net/browser/branches/openwrt/packages/net/mini_snmpd/files/mini_snmpd.init?order=date
[45]: http://downloads.openwrt.org/attitude_adjustment/12.09/brcm47xx/generic/openwrt-wrt54g-squashfs.bin
[46]: WRT54GL
[47]: Hastur
[48]: http://downloads.linksysbycisco.com/downloads/firmware/1224638744664/WRT54GL_v4.30.11_012_ETSI_EN_code.rar
[50]: MobileRouter
[52]: http://downloads.x-wrt.org/xwrt/kamikaze/8.09/brcm-2.4/default/openwrt-brcm-2.4-squashfs.trx
[54]: http://www.mail-archive.com/openwrt-devel@lists.openwrt.org/msg03862.html
[56]: Proto41Filtering