OpenWRT Linksys WRT54G to handle my 5 static IP Service
Following up from my posting from 4/2/06:
»Replace SS5260, Need 5 Static IP Support, What's Best?
Tags: WRT54G, Linux, OpenWRT, Ameritech/AT&T, 5 Static IP, fwbuilder
- I replaced my old home Linux PC router with a Linksys WRT54G, running OpenWRT Linux Distribution
- Key need: continue to support the Ameritech 5 Static IP WAN service (MultiNAT and Source/Destination NATing)
- OpenWRT is powerful enough such that I recreated the routing/firewalling setup I had on my old Linux PC (very nice!)
- I am Linux, iproute, iptables, and fwbuilder savvy; my key learning was OpenWRT and the WRT54G
- This whole process took me a few days of homework time, and one evening to actually do
Much longer version:
- Ameritech DSL since 2001
- SpeedStream 5260 ADSL Modem (Bridge Mode, only) -- working well.
- PPPoE running on a dedicated Fedora Linux box, serving as home network router
- 5 static IP package
- Linux router gives me lots of flexibility (I like)
- Service works very well. I am happy.
- My Linux PC router box crashed!
I decided to replace my crashed Linux PC (a 1996 AMD K6-2, 384MB) with a Linksys router reflashed with the OpenWRT Linux distribution for the Linksys model WRT54G home network routers. I am pretty Linux savvy; I already own a WRT54G, and I have been reading about OpenWRT for a while.
I used the untimely demise of my Linux PC as an excuse to start a Do-It-Yourself project:
I worked from the included references, and I post this here as a log of my work and for the potential benefit of others.
* * OpenWRT on Linksys WRT54G * *
There's a wonderful open source community surrounding linux distributions for the WRT54G platform. I recommend reading the following to get a background:
There are several Linux distributions available that can replace the standard Linksys firmware. I chose OpenWRT; others, like DD-WRT, would also work for what I needed to do. I like DD-WRT because it has done a lot of the setup for you; I like OpenWRT because you set up your Linux environment yourself -- since I am pretty Linux experienced, I wanted the DIY experience of using OpenWRT to set up my software environment myself.
Very useful OpenWRT setup guide:
You go to the OpenWRT website (»www.openwrt.org) and download a version that matches the model number of your box. See the README. You then log into the web interface of the WRT54G and do a firmware update. After a reboot, you login to the WRT54G via telnet (and then later ssh) and setup your environment.
Without repeating the whole HOW-TO, here's the key items I configured:
1. Set up SSH. I use PuTTY from one of my home PCs
2. Configured WinSCP on my PC to log in and browse the WRT54G directory structure
3. Set recovery variable:
$ nvram set boot_wait=on
$ nvram commit
The remaining setup steps are run from my home PC. I run the program putty (ssh client) to get a shell prompt from the WRT54G; the OpenWRT distribution has a nice WebGUI, and for some steps I use that interface... especially for basic setup.
* * Initial Single IP Setup * *
From the OpenWRT web user interface, I configure my WRT54G as a PPPoE static IP end point.
- on the WAN side, Ameritech parameters:
- PPPoE, Keep Alive, User Name myusername@static_ameritech.net, Password, MTU 1492
The OpenWRT web user interface has lots of other normal settings (e.g. WEP/WPA) that you should set to your specific needs.
Once you get the Ameritech PPPoE established, there are a few more WRT54G setup things you need to do:
1. Download packages using the OpenWRT package manager
$ ipkg update
$ ipkg upgrade
$ ipkg install tcpdump              # one of my standard Linux tools
$ ipkg install openntpd             # Network Time
$ ipkg install ip                   # Linux Router
$ ipkg install iptables-mod-extra   # Linux Firewall
$ ipkg install iptables-utils
$ ipkg install http://openwrt.alphacore.net/mini-sendmail_1.3.5_mipsel.ipk   # Linux Sendmail, stripped-down
The cool thing is that once the WRT54G is connected to the Internet, you can then download packages, straight from the command-line prompt.
(I run putty from my home PC to my WRT54G). The above steps only take a few minutes.
2. Set up Network Time (useful for accurate log files!)
in /etc/TZ (new file)
in /etc/profile (edit existing file)
if [ -f /etc/TZ ]; then
    export TZ=$(cat /etc/TZ)
fi
in the crontab (new entry):
# The date is not set if y=2000, so try and set it
0-59/2 * * * * ([ "$(date +%y)" = "00" ] && rdate nist1.datum.com)
* * Using fwbuilder to create a 5 static IP firewall configuration shell script (firewall.fw) * *
fwbuilder -- a multiplatform firewall script generator. It uses a very nice GUI and generates a firewall script file for specific hardware platforms. In my case, fwbuilder does the following:
- runs on WinXP,
- it generates the script titled firewall.fw,
- (the script predominantly is composed of iptables and iproute2 commands)
- it installs the script on the Linksys box, and
- executes it.
Very cool; it saves you from having to maintain tedious iptables scripts by hand.
I have been using fwbuilder (»www.fwbuilder.org) for years on my old Linux router. I am comfortable with it; if you want to write your own IPtables script, skip to the next step.
1. Open fwbuilder, right mouse click on the User/Firewall object
2. Select "iptables" firewall software and "Linksys" firewall OS options
3. Select the "Linksys" preconfigured template
4. For the "Outside" interface, right mouse click add an interface
5. Ameritech uses PPPoE, so you need to (right mouse click) change the interface name from vlan1 to ppp0
6. For my static 5 IP service, my IP address is the default one I have been using, with a /29 subnet mask, e.g. 66.xx.89.150/255.255.255.248. This part is key. By assigning a /29 subnet mask to the WAN interface, I am allowing 8 IP addresses to enter the router (only 5 are usable).
7. Under the "Policy" tab, I set rules to allow inbound ftp, ftp data, passive ftp data, http, smtp, ssh, and ping
8. Under the "NAT" tab, I set rules to allow inbound traffic to NAT to some selected home LAN servers. I only allow 192.168.x.x addresses on my home LAN.
9. fwbuilder automatically generates useful rules to block spoofing and other useful defaults
10. Under the firewall settings, I enter the user id and IP address of the Linksys router, to allow fwbuilder to directly install the generated firewall.fw script into the Linksys's /etc directory
Most of my rules were taken verbatim from my old Linux PC's fwbuilder rules. Very nice!
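As an added example (not the author's fwbuilder output and not part of the original post), this is roughly what the policy and NAT rules from steps 6-8 look like as plain iptables commands, emitted in dry-run form so they can be reviewed before being applied on the router. The /29 block, the LAN servers and the port lists are constructed placeholders; the in_block check enforces the /29 boundary that step 6 relies on.

```shell
#!/bin/sh
# Added example (not from the post or fwbuilder): iptables rules for a
# /29 static block on ppp0, emitted in dry-run form for review. Addresses
# are constructed (RFC 5737 test range); set IPT=iptables on the router.
IPT="${IPT:-echo iptables}"
WAN_IF=ppp0
LAN_NET=192.168.1.0/24
WAN_BLOCK=203.0.113.144/29   # network .144, broadcast .151, ISP gateway takes one

# dotted quad -> integer
ip2int() {
    set -- $(echo "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# succeed only if $1 is a host address inside WAN_BLOCK (not network/broadcast)
in_block() {
    bits=${WAN_BLOCK#*/}
    mask=$(( 0xFFFFFFFF << (32 - bits) & 0xFFFFFFFF ))
    a=$(ip2int "$1"); n=$(ip2int "${WAN_BLOCK%/*}")
    [ $(( a & mask )) -eq $(( n & mask )) ] &&
        [ "$a" -ne "$n" ] && [ "$a" -ne $(( n | ~mask & 0xFFFFFFFF )) ]
}

# publish PUBLIC_IP LAN_IP PORTS: 1:1 NAT one public address to one LAN
# server, admit only the listed TCP ports, and source that server's own
# outbound traffic from the same public address (the post's MultiNAT)
publish() {
    pub=$1; lan=$2; ports=$3
    in_block "$pub" || { echo "refusing $pub: not a host in $WAN_BLOCK" >&2; return 1; }
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$pub" -p tcp -m multiport --dports "$ports" -j DNAT --to-destination "$lan"
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$lan" -j SNAT --to-source "$pub"
    $IPT -A FORWARD -i "$WAN_IF" -d "$lan" -p tcp -m multiport --dports "$ports" -m state --state NEW -j ACCEPT
}

# the defaults fwbuilder generates for you: anti-spoofing on the WAN side,
# stateful return traffic, ping allowed, everything else dropped
base_rules() {
    $IPT -A INPUT   -i "$WAN_IF" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -P FORWARD DROP
}

base_rules
publish 203.0.113.146 192.168.1.10 "80,443"   # web server
publish 203.0.113.147 192.168.1.20 "22,25"    # ssh and smtp host
```

Run it as-is to print the rules; a public address outside the /29, or the network or broadcast address, is refused rather than silently producing a rule that can never match.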
* * Installing and executing the firewall.fw script on the Linksys Box * *
By default, when OpenWRT boots up, /etc/init.d/S45firewall sets up a default set of iptables-based rules, and supports a means for the OpenWRT WebGUI to customize the iptables rules. This is perfectly fine infrastructure, and I recommend that you look into using it if your requirements are simple and you are generally comfortable with iptables rules.
My approach (following the recommendations in »www.martin.cc/OpenWrt/ ) is a hotplug file that runs my firewall.fw script whenever the Ameritech PPPoE connection comes up. When the PPPoE connection goes down, the default init.d firewall (S45firewall) is executed instead.
if [ "$INTERFACE" = "wan" ]; then
    logger "hotplug.d/iface/wan: interface=wan"
    case "$ACTION" in
        "ifup")
            logger "hotplug.d/iface/wan: interface=wan, action=ifup"
            logger "ifup -- running /etc/firewall.fw"
            . /etc/firewall.fw
            (
                echo "To: <email@example.com>"
                echo "From: <firstname.lastname@example.org> OpenWrt FireWall"
                echo "Subject: OpenWrt - ppp0 link up"
                echo
                echo "This mail came from /etc/hotplug.d/iface/wan"
                echo "The ifup ppp0 event"
                echo "The DSL link has just come up (or restored)"
                echo "<eom>"
            ) | mini_sendmail -f"email@example.com" -s"mailhost.chi.ameritech.net" -t
            ;;
        "ifdown")
            # Reload the firewall rules
            # Uncomment this if you are using fwbuilder
            /etc/init.d/S45firewall start
            ;;
        *)
            # we should not get here. log the event
            /usr/bin/logger -p ERROR "HOTPLUG: unhandled ACTION=$ACTION in $0"
            ;;
    esac
fi
Note that this script also sends an email (nice that OpenWRT has a little MUA for this).
* * Other * *
ROM vs RAM vs NVRAM. If you haven't worked with embedded systems before, you need to read some of the references. Here's an example case.
To update the /etc/profile file (see Single IP Setup section above), you can try to edit it directly. I run 'vi /etc/profile'; I edit the file; save it, and everything appears to work. Then I cat the file "cat /etc/profile" and I see that the file is unchanged.
For these cases, what you need to do is:
$ rm /etc/profile
$ cp /rom/etc/profile /etc/profile
$ vi /etc/profile     # changes will be saved correctly
The documentation explains how ROM, RAM, and NVRAM data are saved across power cycling, hard resets, and firmware updates.
Backups. From the references, I recommend that you run a backup of your setup. The following steps are a good summary:
$ nvram show > /tmp/nvramSettings.txt
$ ipkg list_installed > /tmp/ipkgList.txt
$ cd /etc; tar -cvf /tmp/etc.tar .
From your WinXP PC, use WinSCP to copy these files off of the WRT54G and onto your PC
For this project, I learned about the open source Linux world for WRT54Gs. I was able to retain my Linux-based 5 static IP connection routing/firewalling setup, and overall improve the reliability of my home router (Linksys box vs 10-year-old PC running Linux).
PS - BTW, my "old" Linux PC hadn't been rebooted in over 9 months; it had been running PPPoE and routing my Ameritech DSL traffic for me since 2001. It was very reliable (until it started taking memory errors and the file system got corrupted by a mother board failure). Little gadget-size appliances, like the WRT54G, are the wave of the future for Linux, and I am just getting on board.