2011-09-22 19:55 by pjotrp

1 Linux on the Wireless Router

All my computers run Linux. It gives a shared common platform, which is easy to secure and update. The investment in understanding workstations and servers (both physical and in the 'cloud') is a one-time event. I (secretly) smile when people struggle with Windows issues.

It was time to install a new wifi router. These things are so powerful that they can act as little servers. The Netgear WNDR3700 runs Linux, even from the factory, and I can use it for computing as well as data storage (it has USB 2.0).

So, why do I want to replace perfectly good firmware? The reason is that I want predictable systems that I can upgrade!

My wifi routers are always-on devices which handle some traffic load, and I have them open for outsiders. One advantage OpenWRT may give me is running a closed and an open network side by side. In addition I may be able to shut down a humming backup server in the house, as well as control heating and play music from the router itself: stuff I do from a laptop now. Is that all? Probably not. One major advantage of a Linux system is that I get the programmable command prompt. A web interface for managing a device is nice, but being able to script repetitive tasks is much nicer.

First I hooked it up to the network, booted, and attached a laptop through the wifi. The web interface came up. I decided not to worry about the firmware, as Netgear has it for download and you can rescue this device even when 'bricked'.

OpenWRT is a Linux distribution for wireless routers. Googling 'openwrt install WNDR3700' returned a number of useful sites, in particular the instructions on the OpenWrt Wiki.

Choose a binary download for the relevant CPU, in this case something like openwrt-ar71xx-wndr3700-squashfs-factory.img from http://downloads.openwrt.org/, and upload it through the web interface (login admin:password, use the router upgrade page) over a local cable to the router. Could it be that easy?

After the reboot there was no wireless, so I had to hook up a cable to the router itself and telnet to 192.168.1.1, but first:

Shell
  # take the laptop's own wifi down and get a LAN address over the cable
  ifconfig wlan0 down
  dhclient eth0
  # or alternatively set up a virtual interface on the router's 192.168.1.0/24 net:
  ifconfig eth0:1 192.168.1.10 netmask 255.255.255.0
  telnet 192.168.1.1

Man! That was easy.

  BusyBox v1.15.3 (2010-04-06 03:14:11 CEST) built-in shell (ash)
  Enter 'help' for a list of built-in commands.
    _______                     ________        __
   |       |.-----.-----.-----.|  |  |  |.----.|  |_
   |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
   |_______||   __|_____|__|__||________||__|  |____|
            |__| W I R E L E S S   F R E E D O M
   Backfire (10.03, r20728) --------------------------
   ---------------------------------------------------
  root@OpenWrt:/# 

A command prompt. I have 50Mb of RAM to play with, and a 680 MHz CPU. This is cool.

At this point it is probably a good idea to record settings/configuration in /etc and /overlay/etc. I do that with scp and git.

Next I installed some packages, as described on the OpenWRT wiki (http://wiki.openwrt.org/toh/netgear/wndr3700?s).

After

Shell
root@OpenWrt:~# opkg update 
root@OpenWrt:~# opkg install wpad-mini kmod-ath9k kmod-leds-wndr3700-usb 
root@OpenWrt:~# wifi up

a diff shows

Shell
--- a/etc/config/wireless
+++ b/etc/config/wireless
@@ -0,0 +1,36 @@
+config wifi-device  radio0
+       option type     mac80211
+       option channel  5
+       option macaddr  30:46:9a:0b:91:59
+       option hwmode   11ng
+       option htmode   HT20
+       list ht_capab   SHORT-GI-40
+       list ht_capab   DSSS_CCK-40
+       # REMOVE THIS LINE TO ENABLE WIFI:
+       option disabled 1
+
+config wifi-iface
+       option device   radio0
+       option network  lan
+       option mode     ap
+       option ssid     OpenWrt
+       option encryption none
+
+config wifi-device  radio1
+       option type     mac80211
+       option channel  36
+       option macaddr  30:46:9a:0b:91:5b
+       option hwmode   11na
+       option htmode   HT20
+       list ht_capab   SHORT-GI-40
+       list ht_capab   DSSS_CCK-40
+       # REMOVE THIS LINE TO ENABLE WIFI:
+       option disabled 1
+
+config wifi-iface
+       option device   radio1
+       option network  lan
+       option mode     ap
+       option ssid     OpenWrt
+       option encryption none
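Review bot: both wifi-iface stanzas in this hunk keep `option encryption none` right next to `option disabled 1`, so deleting only the `disabled` lines, as the text below suggests, brings up two open access points with the default SSID OpenWrt on a router that is reachable by outsiders; change `option encryption none` to `option encryption psk2` and add an `option key` in the same edit (the uci commands in section 1.2 do exactly this) before enabling the radios. Also note that the device-specific macaddr values now sit in the git history of the config repository.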

Remove the 'disabled' lines and reboot. Done!

There is even a web interface. I used it to set up an open and a private network, and you know what, I like it.

1.1 Configuring the network

A fresh install has

Shell
root@OpenWrt:~# uci show network.wan
network.wan=interface
network.wan.ifname=eth1
network.wan.proto=dhcp
root@OpenWrt:~# uci show network.lan
network.lan=interface
network.lan.ifname=eth0
network.lan.type=bridge
network.lan.proto=static
network.lan.ipaddr=192.168.1.1
network.lan.netmask=255.255.255.0

When I connected the WAN it came up, and only etc/ppp/resolv.conf was modified. The LAN is a perfect pass-through.

My main change is the ESSID. After editing etc/config/wireless, restart the wifi:

Shell
wifi down
wifi up

Note that at this stage the WLAN is bridged with the LAN.

1.1.1 Blocking unknown MAC addresses

One of the brilliant uses of OpenWrt is standard iptables. Here we only allow some hardware MAC addresses to use the wifi. First list the connected MAC addresses with

Shell
  cat /proc/net/arp 

next add the following rules

Shell
  # drop everything forwarded from the LAN bridge by default...
  iptables -A forwarding_rule -i br-lan -j DROP
  # ...then insert ACCEPT rules for the known MAC addresses ahead of the DROP
  iptables -I forwarding_rule -i br-lan -m mac --mac-source 00:1f:e2:14:1f:68 -j ACCEPT
  iptables -I forwarding_rule -i br-lan -m mac --mac-source 00:1d:e0:01:5c:07 -j ACCEPT

These rules can be stored in /etc/firewall.user or /etc/init.d/firewall.

This way you can find the MAC addresses without even having to look them up on the clients.
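As an added example (not from the original post), here is the same allow list as a script for /etc/firewall.user that validates each MAC before it lands in an iptables command, orders the ACCEPT rules before the DROP explicitly, and parses /proc/net/arp for the ip/mac pairs listed above; because the WLAN is bridged into br-lan, the filter also hits wired clients, and since a client chooses its own MAC this is a convenience filter, not a substitute for the WPA2 key in section 1.2. The chain forwarding_rule, the bridge br-lan and the two MACs come from the post; the ARP table is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: a MAC allow list for
# /etc/firewall.user built the same way as the rules above. Chain
# forwarding_rule and bridge br-lan come from the post; the MAC list and
# the ARP table below are constructed sample data.

# Accept a MAC only when it is six colon-separated hex pairs.
valid_mac() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print (do not run) the iptables commands for CHAIN and IFACE followed by
# the allowed MACs. ACCEPT rules are appended first and the DROP last, so
# the order is explicit instead of relying on -I versus -A.
mac_filter_rules() {
    chain=$1
    iface=$2
    shift 2
    for mac in "$@"; do
        if valid_mac "$mac"; then
            printf 'iptables -A %s -i %s -m mac --mac-source %s -j ACCEPT\n' \
                "$chain" "$iface" "$mac"
        else
            printf 'skipping malformed MAC: %s\n' "$mac" >&2
        fi
    done
    printf 'iptables -A %s -i %s -j DROP\n' "$chain" "$iface"
}

# Turn /proc/net/arp into "ip mac" pairs, dropping the header line and
# incomplete entries (all-zero hardware address).
arp_pairs() {
    awk 'NR > 1 && $4 != "00:00:00:00:00:00" { print $1, $4 }'
}

# Constructed sample in /proc/net/arp layout: IP, HW type, Flags,
# HW address, Mask, Device.
SAMPLE_ARP='IP address       HW type     Flags       HW address            Mask     Device
192.168.1.21     0x1         0x2         00:1f:e2:14:1f:68     *        br-lan
192.168.1.30     0x1         0x0         00:00:00:00:00:00     *        br-lan
192.168.1.22     0x1         0x2         00:1d:e0:01:5c:07     *        br-lan'

# Stand-alone run: list the neighbours, then emit rules for the allow list.
printf '%s\n' "$SAMPLE_ARP" | arp_pairs
mac_filter_rules forwarding_rule br-lan 00:1f:e2:14:1f:68 00:1d:e0:01:5c:07
```

Pipe the rule output through sh to apply it, or paste it into /etc/firewall.user; on the router, feed `cat /proc/net/arp` to arp_pairs instead of the sample.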

1.2 Encryption

Shell
  # wpad-mini provides the WPA2 authenticator (hostapd) and supplicant
  opkg update
  opkg install wpad-mini
  # switch the first wifi-iface from 'none' to WPA2-PSK and set the passphrase;
  # repeat for @wifi-iface[1] (radio1, the second radio) if it is enabled too
  uci set wireless.@wifi-iface[0].encryption=psk2
  uci set wireless.@wifi-iface[0].key="your_password"
  uci commit wireless
  # restart the wifi so the new settings take effect
  wifi

1.3 Port forwarding

Port forwarding is easy too. Edit /etc/config/firewall.

For using ssh on the router from a designated IP address:

Shell
# allow ssh to the router itself (no 'dest' zone, so this is an input rule),
# and only from one designated source address
config 'rule'
        option '_name' 'ssh'
        option 'src' 'wan'
        option 'target' 'ACCEPT'
        option 'proto' 'tcp'
        option 'dest_port' '22'
        option 'src_ip' '143.99.162.150'

For forwarding a service on a desktop in the network using port 8080:

Shell
# DNAT wan:8080 to the desktop; the empty src_ip means any source address
config 'redirect' 'torrent'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'src_ip' ''
        option 'src_dport' '8080'
        option 'dest_ip' '192.168.1.21'
        option 'dest_port' '8080'
# this rule has no 'dest' zone, so it is an input rule: it also opens
# tcp/8080 on the router itself to the whole wan, not only the forward
config 'rule'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'src_ip' ''
        option 'dest_ip' ''
        option 'dest_port' '8080'
        option 'target' 'ACCEPT'

and restart the firewall

Shell
  root@linuxwifi01:~# /etc/init.d/firewall restart &

1.4 USB storage

Shell
  opkg install kmod-usb2
  opkg install kmod-usb-storage
  opkg install kmod-fs-ext3
  opkg install kmod-fs-ext4

Add this to /etc/config/fstab

Shell
  config mount
    option target   /mnt/extdrive
    option device   /dev/sda2
    option fstype   ext3
    option options  rw,sync
    option enabled 1

and

Shell
  mount /dev/sda1 /mnt/extdrive

1.5 Monitoring traffic

To monitor the network you can install tcpdump

Shell
  opkg install tcpdump
  tcpdump -i eth1

An interesting tool is

Shell
  opkg install iftop
  iftop -i br-lan

This shows the network load for each computer. Weed out those torrent users!

And there is nmap. The problem with nmap is that it needs space. But you can install it on an external drive with opkg! So after mounting the USB drive,

tell opkg where to install by adding the following line to /etc/opkg.conf

Shell
  dest usb /mnt/export

and

Shell
  opkg --dest usb install nmap

now run

Shell
  /mnt/export/usr/bin/nmap -sP 10.0.0.1/24

it'll complain about a few missing libraries, which can be symlinked, e.g.

Shell
  cd /usr/lib
  ln -s /mnt/export/usr/lib/libdnet.so.1

and I needed to get /etc/services from somewhere.

Even though the above looks a bit tedious, it is very exciting that it just works:

Shell
  Starting Nmap 4.20 ( http://insecure.org ) at 2011-03-29 18:31 CEST
  Host 10.0.0.11 appears to be up.
  Host 10.0.0.12 appears to be up.
  Host 10.0.0.128 appears to be up.
  Host 10.0.0.132 appears to be up.
  Nmap finished: 256 IP addresses (4 hosts up) scanned in 4.890 seconds

Having an external USB drive opens tons of possibilities!

1.6 External IPv6 on the router

The Internet is running out of IPv4 address space. OpenWRT is ready for IPv6, and the router can be reached from outside over it, provided your ADSL modem passes it through. See, for example, this tutorial.

1.7 Rebuilding OpenWRT

The next phase required rebuilding the OpenWRT image; I wanted serial-usb support, for one. That turned out to be straightforward too, and brought back the days of Linux kernel configuration, so rare these days. Basically: download the source, configure modules and tools using menuconfig, and build (all described on the wiki page mentioned above). Next upload the built image with scp

Shell
  scp openwrt-ar71xx-generic-wndr3700-squashfs-sysupgrade.bin root@192.168.1.1:

and install the image with one command

Shell
  sysupgrade -v openwrt-ar71xx-generic-wndr3700-squashfs-sysupgrade.bin

The system saves config files, flashes the new image, and reboots. This can also be done through the web interface.

Amazingly it just comes up as before. Even the logins are retained. Very, very, impressive.

The package system is 'opkg', which is highly inspired by Debian's apt-get. To list all available packages

Shell
  opkg update
  opkg list

To make the wifi work again, don't forget to upgrade the earlier packages.

Also, rebuilding your image is probably not required, as most kernel modules (drivers) are available through opkg. I mounted a USB drive successfully and use it as a backup device now, using secure rsync.


wikiTEXer 0.56 by Pjotr Prins - generated 2011-09-22 19:55 by pjotrp