MikroTik RouterBoard RB532A: Difference between revisions
Brian Wilson (talk | contribs) m →VPN |
Brian Wilson (talk | contribs) m Brian Wilson moved page MikroTik RouterBoard to MikroTik RouterBoard RB532A: more accurate |
||
(47 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
2014-Mar-18 Currently has [http://x-wrt.org X-Wrt] software installed on it. | |||
== Overview == | |||
Support for it in | This page is about RB532A. is a surplus piece of hardware that worked for a time as a firewall at work, then as an openvpn server at my house. | ||
See also [[Mikrotik RouterBoard RB411]] | |||
Official documentation can be found at http://www.routerboard.com/rb500.html | |||
A local copy of the user guide is here: | |||
[[File:RouterBoard500_userguide.pdf]] | |||
Command line access: serial console 115200 8N1 (usually from [[Roaring]] using minicom) or ssh | |||
Web interface: http://10.127.32.1/ or https://routerboard/ or from outside the lan at https://alseageo.dyndns.biz/ | |||
'''KAMIKAZE with X-Wrt Extensions 8.09''' | |||
Web management console Webif2 | |||
Board type: 532A | |||
Serial number: 16C901CD44DB | |||
Firmware version: 2.10 | |||
CPU frequency: 399 MHz | |||
Memory size: 64 MB | |||
eth1 MAC address: 00:0C:42:10:1C:6C | |||
eth2 MAC address: 00:0C:42:10:1C:6D | |||
eth3 MAC address: 00:0C:42:10:1C:6E | |||
== To-do == | |||
* QoS | |||
* dmz - allow OpenVpn access ? | |||
* OpenVPN - switch over from Kilchis? | |||
* Scheduled QoS control? | |||
* Crow? or similar | |||
* WoL | |||
I tried to override the WAN interface default MAC address so that Comcast would not change our public IP address but for some reason that feature in the GUI fails. | |||
=== Reflashing === | |||
http://wiki.openwrt.org/OpenWrtDocs/Hardware/Mikrotik/RB532 | |||
The simplest way is to simply download the CF image file from http://downloads.x-wrt.org/xwrt/kamikaze/ and then use 'dd' to copy it to a CF card, then put the CF into the RouterBoard and off you go. | |||
Get the 128k image. The '''128k''' refers to the block size in the filesystem and it's good for CF cards. | |||
The healthy way to copy binary images to CF is 'dd' under Linux. | |||
Cygwin includes a 'dd' command so if you are burdened with Windows you can still use dd. I did not get it working and ended up simply usng Linux. YMMV http://www.groupsrv.com/linux/about17777.html | |||
dd if=/dev/sdb of=backupimage.bin | |||
dd if=openwrt-rb532-jffs2-128k.bin of=/dev/sdb | |||
The backup image is 256MB because that's the device size. Wastes some disk space but then again I delete it as soon as the RouterBoard is up and running again. | |||
== Available distributions == | |||
OpenWRT and X-WRT are installed. | |||
Support for it in OpenWrt seems to be pretty good, they have the latest releases prebuilt for the RouterBoard. I used instructions in this page to get it loaded. | |||
I installed KAMIKAZE (7.09) then later I found out about X-WRT and installed | I installed KAMIKAZE (7.09) then later I found out about X-WRT and installed | ||
their version from http://downloads.x-wrt.org/xwrt/kamikaze | their version from http://downloads.x-wrt.org/xwrt/kamikaze/ | ||
I no longer put all 4 screws into the MicroTik case. :-) | I no longer put all 4 screws into the MicroTik case. :-) | ||
Line 13: | Line 68: | ||
Install took 10 minutes including opening up the case. [http://wiki.openwrt.org/OpenWrtDocs/Hardware/Mikrotik/RB532?highlight=%28OpenWrtDocs/Hardware%29 OpenWrtDocs/Hardware/Mikrotik/RB532] | Install took 10 minutes including opening up the case. [http://wiki.openwrt.org/OpenWrtDocs/Hardware/Mikrotik/RB532?highlight=%28OpenWrtDocs/Hardware%29 OpenWrtDocs/Hardware/Mikrotik/RB532] | ||
Support in dd-wrt is not good. There is an old beta. | '''DD-WRT''' Support in dd-wrt is not good. There is an old beta. | ||
=== CF layout === | === CF layout === | ||
Line 26: | Line 81: | ||
By default in Kamikaze eth0 is in DHCP so it would make a good WAN port | By default in Kamikaze eth0 is in DHCP so it would make a good WAN port | ||
== Miscellaneous configuration notes == | |||
=== Password === | |||
Root password set from the console port command line using "passwd". | |||
Set to the usual root password. | |||
=== | === Network === | ||
I hand edited this config file to create three networks. Should be possible to do it all from the GUI but maybe that did not work back when I originally set it up. | |||
The WAN interface has its MAC address overridden so that it uses the same MAC as the old D-Link router. That way switching back and forth between the RouterBoard and the D-Link should not cause our Comcast DHCP address to change. | |||
Note this did not work -- maybe I have the syntax wrong in the file? I had to go into the command line and override the setting like this | |||
ifconfig eth0 down | |||
ifconfig eth0 hw ether '00:0D:88:5F:E8:90' | |||
It loses the settings when I reboot, so I am ignoring it for the moment. We have a new IP address, darn. | |||
Contents of /etc/config/network file. | |||
<pre> | |||
config 'interface' 'loopback' | |||
option 'ifname' 'lo' | |||
option 'proto' 'static' | |||
option 'ipaddr' '127.0.0.1' | |||
option 'netmask' '255.0.0.0' | |||
config 'interface' 'wan' | |||
option 'ifname' 'eth0' | |||
option 'proto' 'dhcp' | |||
option 'macaddr' '00:0D:88:5F:E8:90' | |||
config 'interface' 'lan' | |||
option 'ifname' 'eth1' | |||
option 'proto' 'static' | |||
option 'ipaddr' '10.127.32.1' | |||
option 'netmask' '255.0.0.0' | |||
config 'interface' 'dmz' | |||
option 'ifname' 'eth2' | |||
option 'proto' 'static' | |||
option 'ipaddr' '192.168.123.249' # at home for testing | |||
option 'netmask' '255.255.255.0' | |||
</pre> | |||
=== Route command === | |||
Adding a default route so that you can get the webif stuff running initially; you need to add some packages. | |||
route add default gw 192.168.123.254 | |||
=== Packages added === | |||
After getting webif running I use it to make these package additions/deletions. | |||
etherwake | |||
ntpd | |||
openvpn | |||
tcpdump | |||
wol | |||
nbd's QoS scripts | |||
Packages removed | |||
ppp | |||
ppp-mod-pppoe | |||
=== | === DHCP === | ||
We provide DHCP only to the DMZ zone. | |||
<pre> | <pre> | ||
/etc/config/ | /etc/config/dhcp | ||
config dhcp | |||
option interface lan | |||
option ignore 1 | |||
config dhcp | |||
option interface dmz | |||
option start 190 | |||
option limit 199 | |||
option leasetime 1h | |||
config dhcp | |||
option interface wan | |||
option ignore 1 | |||
</pre> | |||
=== DNS === | |||
dnsmasq is installed but I am not currently using it. | |||
I put this in /etc/resolv.conf so that it will use Kilchis to resolve names. | |||
nameserver 10.127.32.27 | |||
domain alseageo.com | |||
=== Dyndns === | |||
There is a DynDNS tab under Network in the GUI. You can install and configure dyndns service. | |||
Another way to do this is via ddclient on Kilchis, which is currently disabled. | |||
It used to run once per hour from /etc/cron.hourly/ddclient. | |||
The config file for dyndns on the routerboard is /etc/config/updatedd: | |||
config 'updatedd' | |||
option 'update' '0' | |||
option 'service' 'changeip' | |||
option 'username' 'alseageo' | |||
option 'password' 'ice9viva' | |||
option 'host' 'members.dyndns.org' | |||
=== Firewall === | |||
config | Set up from WebIf. | ||
option | Note that the rule names cannot have spaces in them | ||
option | |||
option | <pre> | ||
option | config 'defaults' | ||
option 'syn_flood' '1' | |||
option 'input' 'ACCEPT' | |||
option 'output' 'ACCEPT' | |||
option 'forward' 'REJECT' | |||
config 'zone' | |||
option 'name' 'lan' | |||
option 'input' 'ACCEPT' | |||
option 'output' 'ACCEPT' | |||
option 'forward' 'REJECT' | |||
config | config 'zone' | ||
option | option 'name' 'wan' | ||
option | option 'input' 'REJECT' | ||
option | option 'output' 'ACCEPT' | ||
option 'forward' 'REJECT' | |||
option 'masq' '1' | |||
config | config 'forwarding' | ||
option | option 'src' 'lan' | ||
option 'dest' 'wan' | |||
option | |||
config | config 'redirect' 'Kilchis_SSH' | ||
option ifname | option 'src' 'wan' | ||
option proto | option 'dest_ip' '10.127.32.27' | ||
option ipaddr | option 'dest_port' '22' | ||
option netmask | option 'proto' 'tcp' | ||
option 'src_ip' '' | |||
option 'src_dport' '22' | |||
config 'redirect' 'AsteriskIAX2' | |||
option 'src' 'wan' | |||
option 'dest_ip' '10.127.32.28' | |||
option 'dest_port' '4569' | |||
option 'proto' 'udp' | |||
option 'src_ip' '' | |||
option 'src_dport' '4569' | |||
config 'redirect' 'ODOT_ProdDemo' | |||
option 'src' 'wan' | |||
option 'dest_ip' '10.127.32.34' | |||
option 'dest_port' '80' | |||
option 'proto' 'tcp' | |||
option 'src_ip' '' | |||
option 'src_dport' '80' | |||
config 'redirect' 'OpenVpn' | |||
option 'src' 'wan' | |||
option 'proto' 'udp' | |||
option 'dest_ip' '10.127.32.27' | |||
option 'dest_port' '1194' | |||
option 'src_ip' '' | |||
option 'src_dport' '1194' | |||
config 'redirect' 'Subversion' | |||
option 'src' 'wan' | |||
option 'proto' 'tcp' | |||
option 'dest_port' '44555' | |||
option 'dest_ip' '10.127.32.27' | |||
option 'src_ip' '' | |||
option 'src_dport' '44555' | |||
config 'forwarding' | |||
option 'src' 'lan' | |||
option 'dest' 'dmz' | |||
config 'forwarding' | |||
option 'src' 'dmz' | |||
option 'dest' 'wan' | |||
</pre> | |||
=== NTP === | |||
Set timezone to US/Pacific | |||
Set servers to {0,1,2}.pool.ntp.org | |||
'''NOTE:''' The standard WebIF ntp client has been removed from the GUI package manager. | |||
I enabled the ntpd like this: | |||
cd /etc/rc.d | |||
ln -s ../init.d/ntpd S99ntpd | |||
All I had to change in ntp.conf was to add a rule allowing our 10.x.x.x clients. | |||
cat ntp.conf | |||
<pre> | |||
# use a random selection of 8 public stratum 2 servers | |||
# see http://twiki.ntp.org/bin/view/Servers/NTPPoolServers | |||
#restrict default nomodify notrap noquery | |||
#restrict default noquery | |||
restrict 127.0.0.1 | |||
restrict 10.0.0.0 netmask 255.0.0.0 | |||
driftfile /tmp/ntp.drift | |||
server 0.openwrt.pool.ntp.org iburst | |||
server 1.openwrt.pool.ntp.org iburst | |||
server 2.openwrt.pool.ntp.org iburst | |||
server 3.openwrt.pool.ntp.org iburst | |||
# GPS(NMEA)+PPS | |||
#server 127.127.20.0 minpoll 4 prefer | |||
#fudge 127.127.20.0 flag3 1 flag2 0 | |||
# SMA PPS | |||
#server 127.127.28.0 minpoll 4 prefer | |||
#fudge 127.127.28.0 refid PPS flag3 1 | |||
#server 192.168.1.253 | |||
</pre> | |||
=== QoS === | |||
Install but not configured yet. | |||
I'd like to use this to control bandwidth used for offsite backups. | |||
I want full utilization at night and 200 Kbps during business hours. | |||
A way to switch it down to a low bandwidth manually would be good. | |||
=== SNMP === | |||
Installed but not configured yet. Could be set to log to [[Cacti]] on Kilchis | |||
=== SSL === | |||
Installed MatrixSSL so that we can connect to router using a secure connection. | |||
=== Syslog === | |||
Set to log to Kilchis. 10.127.32.27/514 | |||
=== Wake-On-Lan === | |||
Installed not configured | |||
=== VPN === | |||
==== OpenVPN ==== | |||
Installed package. Not configured yet. | |||
== dmesg output == | |||
<pre> | |||
# dmesg | |||
Linux version 2.6.24.7 ([email protected]) (gcc version 4.1.2) #1 Fr8 | |||
CPU revision is: 0001800a (MIPS 4Kc) | |||
Determined physical RAM map: | |||
memory: 03fffa00 @ 00000400 (usable) | |||
Wasting 32 bytes for tracking 1 unused pages | |||
Entering add_active_range(0, 1, 16383) 0 entries of 256 used | |||
Initrd not found or empty - disabling initrd | |||
Zone PFN ranges: | |||
Normal 1 -> 16383 | |||
Movable zone start PFN for each node | |||
early_node_map[1] active PFN ranges | |||
0: 1 -> 16383 | |||
On node 0 totalpages: 16382 | |||
Normal zone: 127 pages used for memmap | |||
Normal zone: 0 pages reserved | |||
Normal zone: 16255 pages, LIFO batch:3 | |||
Movable zone: 0 pages used for memmap | |||
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 16255 | |||
Kernel command line: console=ttyS0,115200 gpio=16383 kmac=00:0C:42:10:1C:6C boa | |||
korina mac = 00:0C:42:10:1C:6C | |||
Primary instruction cache 8kB, VIPT, 4-way, linesize 16 bytes. | |||
Primary data cache 8kB, 4-way, VIPT, no aliases, linesize 16 bytes | |||
Synthesized clear page handler (26 instructions). | |||
Synthesized copy page handler (46 instructions). | |||
Synthesized TLB refill handler (20 instructions). | |||
Synthesized TLB load handler fastpath (32 instructions). | |||
Synthesized TLB store handler fastpath (32 instructions). | |||
Synthesized TLB modify handler fastpath (31 instructions). | |||
Initializing IRQ's: 168 out of 256 | |||
PID hash table entries: 256 (order: 8, 1024 bytes) | |||
calculating r4koff... 001e846c(1999980) | |||
CPU frequency 400.00 MHz | |||
console [ttyS0] enabled | |||
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes) | |||
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes) | |||
Memory: 60992k/65528k available (2069k kernel code, 4468k reserved, 566k data, ) | |||
Calibrating delay loop... 398.95 BogoMIPS (lpj=1994752) | |||
Mount-cache hash table entries: 512 | |||
net_namespace: 64 bytes | |||
NET: Registered protocol family 16 | |||
PCI: Initializing PCI | |||
registering PCI controller with io_map_base unset | |||
NET: Registered protocol family 2 | |||
Time: MIPS clocksource has been installed. | |||
IP route cache hash table entries: 1024 (order: 0, 4096 bytes) | |||
TCP established hash table entries: 2048 (order: 2, 16384 bytes) | |||
TCP bind hash table entries: 2048 (order: 1, 8192 bytes) | |||
TCP: Hash tables configured (established 2048 bind 2048) | |||
TCP reno registered | |||
squashfs: version 3.0 (2006/03/15) Phillip Lougher | |||
JFFS2 version 2.2. (NAND) (SUMMARY) �© 2001-2006 Red Hat, Inc. | |||
yaffs Nov 7 2008 15:30:24 Installing. | |||
io scheduler noop registered | |||
io scheduler deadline registered (default) | |||
Serial: 8250/16550 driver $Revision: 1.90 $ 2 ports, IRQ sharing disabled | |||
serial8250: ttyS0 at MMIO 0x0 (irq = 104) is a 16550A | |||
cf-mips module loaded | |||
cf-mips: resetting.. | |||
cf-mips: identify drive.. | |||
cf-mips: CF card detected, C/H/S=998/16/32 sectors=510976 (249MB) Serial=ASH 0 | |||
cf-mips: detecting block size | |||
cf-mips: multiple sectors = 1 | |||
init done<6> cfa: cfa1 cfa2 | |||
eth0: Rx IRQ 40, Tx IRQ 41, 00:0c:42:10:1c:6c | |||
via-rhine.c:v1.10-LK1.4.3 2007-03-06 Written by Donald Becker | |||
PCI: Enabling device 0000:00:02.0 (0080 -> 0083) | |||
PCI: Setting latency timer of device 0000:00:02.0 to 64 | |||
io_map_base of root PCI bus 0000:00 unset. Trying to continue but you better | |||
fix this issue or report it to [email protected] or your vendor. | |||
To avoid data corruption io_map_base MUST be set with multiple PCI domains.<6>e. | |||
eth1: MII PHY found at address 1, status 0x7849 advertising 05e1 Link 0000. | |||
PCI: Enabling device 0000:00:03.0 (0080 -> 0083) | |||
PCI: Setting latency timer of device 0000:00:03.0 to 64 | |||
eth2: VIA Rhine III at 0xb8800100, 00:0c:42:10:1c:6e, IRQ 143. | |||
eth2: MII PHY found at address 1, status 0x7849 advertising 05e1 Link 0000. | |||
block2mtd: version $Revision: 1.30 $ | |||
Creating 1 MTD partitions on "/dev/cfa2": | |||
0x00000000-0x03020000 : "/dev/cfa2" | |||
block2mtd: mtd0: [/dev/cfa2] erase_size = 128KiB [131072] | |||
NAND device: Manufacturer ID: 0xad, Chip ID: 0xf1 (Hynix NAND 128MiB 3,3V 8-bit) | |||
Scanning device for bad blocks | |||
Bad eraseblock 61 at 0x007a0000 | |||
Creating 2 MTD partitions on "NAND 128MiB 3,3V 8-bit": | |||
0x00000000-0x00400000 : "Routerboard NAND boot" | |||
0x00400000-0x08000000 : "rootfs" | |||
mtd: partition "rootfs" set to be root filesystem | |||
split_squashfs: no squashfs found in "NAND 128MiB 3,3V 8-bit" | |||
No IRQF_TRIGGER set_type function for IRQ 1 (RB500) | |||
input: gpio-keys as /devices/platform/gpio-keys/input/input0 | |||
Registered led device: rb500led:amber | |||
nf_conntrack version 0.5.0 (1024 buckets, 4096 max) | |||
TCP vegas registered | |||
NET: Registered protocol family 1 | |||
NET: Registered protocol family 17 | |||
802.1Q VLAN Support v1.8 Ben Greear <[email protected]> | |||
All bugs added by David S. Miller <[email protected]> | |||
jffs2_scan_eraseblock(): End of filesystem marker found at 0x220000 | |||
jffs2_build_filesystem(): unlocking the mtd device... done. | |||
jffs2_build_filesystem(): erasing all blocks after the end marker... done. | |||
VFS: Mounted root (jffs2 filesystem) readonly. | |||
Freeing unused kernel memory: 128k freed | |||
Please be patient, while OpenWrt loads ... | |||
Algorithmics/MIPS FPU Emulator v1.5 | |||
PPP generic driver version 2.4.2 | |||
ip_tables: (C) 2000-2006 Netfilter Core Team | |||
wlan: trunk | |||
ath_hal: module license 'Proprietary' taints kernel. | |||
ath_hal: 2008-10-02 (AR5210, AR5211, AR5212, AR5416, RF5111, RF5112, RF2413, RF) | |||
ath_rate_minstrel: Minstrel automatic rate control algorithm 1.2 (trunk) | |||
ath_rate_minstrel: look around rate set to 10% | |||
ath_rate_minstrel: EWMA rolloff level set to 75% | |||
ath_rate_minstrel: max segment size in the mrr set to 6000 us | |||
wlan: mac acl policy registered | |||
ath_pci: trunk | |||
root@OpenWrt:/# | |||
</pre> | |||
== Hardware == | |||
It's installed in a plain black box and powered by a wall wart power supply that were both purchased directly from Microtik. | |||
=== RouterBOARD 532A Specifications === | |||
{| border=1 | |||
|- | |||
| CPU || MIPS 32 4Kc based 266MHz (BIOS adjustable from 200 to 400MHz; 400MHz default and recommended) embedded processor | |||
|- | |||
| Memory || 64MB DDR onboard memory chip | |||
|- | |||
| Root loader || RouterBOOT, 1Mbit Flash chip | |||
|- | |||
| Data storage || 128MB onboard NAND memory chip, | |||
CompactFlash type I/II slot (also supports IBM/Hitachi Microdrive) | |||
|- | |||
| Ethernet ports || One IDT Korina 10/100 Mbit/s Fast Ethernet port supporting Auto-MDI/X, | |||
Two VIA VT6105 10/100 Mbit/s Fast Ethernet ports supporting Auto-MDI/X | |||
|- | |||
| MiniPCI slot || Two MiniPCI Type IIIA/IIIB slots | |||
|- | |||
| Daughterboard connector || Present | |||
|- | |||
| Serial ports || One DB9 RS232C asynchronous serial port | |||
|- | |||
| LEDs || Power, 2 LED pairs for MiniPCI slots, 1 user LED | |||
|- | |||
| Watchdog || IDT internal SoC hardware watchdog timer | |||
|- | |||
| Power options || IEEE802.3af Power over Ethernet: 12V or 48V DC, | |||
Power jack/header 6..22V or 25..56V DC jumper selectable. PoE does not support power over datalines | |||
|- | |||
| Dimensions || 14.0 cm x 14.0 cm (5.51 in x 5.51 in) | |||
|- | |||
| Temperature || Operational: -20°C to +70°C (-4°F to 158°F) | |||
|- | |||
| Humidity || Operational: 70% relative humidity (non-condensing) | |||
|- | |||
| Currently supported OS || RouterOS 2.9, Linux 2.4 | |||
|} | |||
== Board specs == | |||
Board type: 532A | |||
Serial number: 16C901CD44DB | |||
Firmware version: 2.10 | |||
CPU frequency: 399 MHz | |||
Memory size: 64 MB | |||
eth1 MAC address: 00:0C:42:10:1C:6C | |||
eth2 MAC address: 00:0C:42:10:1C:6D | |||
eth3 MAC address: 00:0C:42:10:1C:6E | |||
= Set up = | |||
Support for the RouterBoard in [[OpenWrt]] seems to be pretty good, they have the latest releases prebuilt for the RouterBoard. | |||
Install took 10 minutes including opening up the case. [http://wiki.openwrt.org/OpenWrtDocs/Hardware/Mikrotik/RB532?highlight=%28OpenWrtDocs/Hardware%29 OpenWrtDocs/Hardware/Mikrotik/RB532] | |||
Support in dd-wrt is not good. There is an old beta. | |||
== Reflashing with OpenWrt X-Wrt == | |||
http://wiki.openwrt.org/OpenWrtDocs/Hardware/Mikrotik/RB532 | |||
The simplest way is to download the CF image file from http://downloads.x-wrt.org/xwrt/kamikaze/ and then use 'dd' to copy it to a CF card, then put the CF into the RouterBoard and off you go. | |||
Get the 128k image. The '''128k''' refers to the block size in the filesystem and it's good for CF cards. | |||
Use the 'dd' command under Linux or Macintosh to copy the image to the CF card. | |||
Cygwin includes a 'dd' command so if you are burdened with Windows you can still use dd. I did not get it working and ended up simply usng Linux. YMMV http://www.groupsrv.com/linux/about17777.html | |||
dd if=/dev/sdb of=backupimage.bin | |||
dd if=openwrt-rb532-jffs2-128k.bin of=/dev/sdb | |||
The backup image is 256MB because that's the device size. Wastes some disk space but then again I delete it as soon as the RouterBoard is up and running again. | |||
On my Macintosh with a USB card reader the command is almost the same, Macs are pretty cool actually. | |||
sudo dd if=openwrt-rb532-jffs2-12k.bin of=/dev/disk1 | |||
= Configuration as gateway router = | |||
== To-do == | |||
* Fix routing table | |||
* dyndns updates | |||
* ntp server? (client is working) (ntpd is installed) | |||
* QoS | |||
* netmeeting - use dmz | |||
* dmz - allow OpenVpn access ? | |||
* WiFi - | |||
* DHCP for LAN? | |||
* [[OpenVPN]] | |||
* Scheduled QoS control? | |||
* Crow? or similar | |||
* WoL | |||
== Serial console setting == | |||
Connect a serial cable and use "screen /dev/ttyS0 115200" | |||
== Password == | |||
Root password set from the console port command line using "passwd". | |||
Set to the usual root password. | |||
== Ethernet ports == | |||
There are three, the one to the left of the serial port is eth0 | |||
To the right are eth1 and eth2 | |||
== Network == | |||
This is the '''/etc/config/network''' file, hand edited to create two networks. | |||
There is a third etherport port (eth1) that is currently unused. | |||
<pre> | |||
config 'interface' 'loopback' | |||
option 'ifname' 'lo' | |||
option 'proto' 'static' | |||
option 'ipaddr' '127.0.0.1' | |||
option 'netmask' '255.0.0.0' | |||
config 'interface' 'wan' | |||
option 'ifname' 'eth0' | |||
option 'proto' 'dhcp' | |||
config 'interface' 'lan' | |||
option 'ifname' 'eth2' | |||
option 'proto' 'static' | |||
option 'ipaddr' '192.168.123.254' | |||
option 'netmask' '255.255.255.0' | |||
</pre> | </pre> | ||
=== Route command === | |||
At the console, add a default route through the old router (bellman) so that you can get the webif stuff running initially; you need to add some packages. | |||
route add default gw 192.168.123.1 | |||
=== Update resolv.conf === | |||
=== | |||
search wildsong.biz | |||
nameserver 192.168.123.1 | |||
=== Packages added === | |||
After getting webif running use it to make these package additions/deletions. | |||
Dependencies are shown in parentheses. | |||
asterisk16-sounds (asterisk16, libncurses, libopenssl, libpopt, librt, libpthread, zlib) | |||
asterisk16-chan-iax2 | |||
etherwake | |||
ntpd | |||
openvpn (kmod-tun liblzo) | |||
updatedd-mod-dyndns (updatedd) | |||
=== Packages removed === | |||
ppp | |||
ppp-mod-pppoe | |||
=== DHCP === | |||
<pre> | <pre> | ||
Line 89: | Line 645: | ||
config dhcp | config dhcp | ||
option interface dmz | option interface dmz | ||
option start | option start 190 | ||
option limit | option limit 199 | ||
option leasetime | option leasetime 1h | ||
config dhcp | config dhcp | ||
Line 98: | Line 654: | ||
</pre> | </pre> | ||
=== Dyndns === | |||
Comes with changeip client, which can be configured with your | |||
username password | |||
=== Firewall === | |||
Set up from WebIf. | |||
Note that the rule names cannot have spaces in them | |||
<pre> | |||
config 'defaults' | |||
option 'syn_flood' '1' | |||
option 'input' 'ACCEPT' | |||
option 'output' 'ACCEPT' | |||
option 'forward' 'REJECT' | |||
config 'zone' | |||
option 'name' 'lan' | |||
option 'input' 'ACCEPT' | |||
option 'output' 'ACCEPT' | |||
option 'forward' 'REJECT' | |||
config 'zone' | |||
option 'name' 'wan' | |||
option 'input' 'REJECT' | |||
option 'output' 'ACCEPT' | |||
option 'forward' 'REJECT' | |||
option 'masq' '1' | |||
config 'forwarding' | |||
option 'src' 'lan' | |||
option 'dest' 'wan' | |||
config 'redirect' 'Bellman_SSH' | |||
option 'src' 'wan' | |||
option 'dest_ip' '192.168.123.1' | |||
option 'dest_port' '22' | |||
option 'proto' 'tcp' | |||
option 'src_ip' '' | |||
option 'src_dport' '22' | |||
config 'redirect' 'AsteriskIAX2' | |||
option 'src' 'wan' | |||
option 'dest_ip' '10.127.32.28' | |||
option 'dest_port' '4569' | |||
option 'proto' 'udp' | |||
option 'src_ip' '' | |||
option 'src_dport' '4569' | |||
config 'redirect' 'OpenVpn' | |||
option 'src' 'wan' | |||
option 'proto' 'udp' | |||
option 'dest_ip' '10.127.32.27' | |||
option 'dest_port' '1194' | |||
option 'src_ip' '' | |||
option 'src_dport' '1194' | |||
config 'forwarding' | |||
option 'src' 'lan' | |||
option 'dest' 'dmz' | |||
config 'forwarding' | |||
option 'src' 'dmz' | |||
option 'dest' 'wan' | |||
</pre> | |||
=== NTP === | |||
Set timezone to US/Pacific | Set timezone to US/Pacific | ||
Set servers to {0,1,2}.pool.ntp.org | |||
Add this line to ntp.conf | |||
restrict 192.168.123.0 mask 255.255.255.0 | |||
Add link to /etc/rc.d so that ntpd will start, you can do this in webIf services page. | |||
=== QoS === | |||
Install but not configured yet. | Install but not configured yet. | ||
Line 118: | Line 740: | ||
A way to switch it down to a low bandwidth manually would be good. | A way to switch it down to a low bandwidth manually would be good. | ||
=== SNMP === | |||
Installed but not configured yet. | |||
=== SSL === | |||
Installed MatrixSSL so that we can connect to router using a secure connection. | Installed MatrixSSL so that we can connect to router using a secure connection. | ||
=== Syslog === | |||
Set to log to | Set to log to Bellman. | ||
=== Wake-On-Lan === | |||
Installed not configured yet | |||
=== VPN === | === VPN === | ||
=== | === OpenVPN === | ||
This end will connect with AGI's and keep the connection nailed up. | |||
I suppose I could also allow access back in from the world at large but that is not my primary objective. | |||
==== | So I do the usual - copy the config files from the AGI server and then start it up. | ||
== Phone server options == | |||
These are available as packages for OpenWrt | |||
# Asterisk 1.4, 1.6 - a pain to debug configurations | |||
# FreeSwitch - B2BUA/media gateway | |||
# kamailio | |||
# OpenSER 1.0.1-1 - Outdated version, it's called OpenSIPS now | |||
# OpenSIPS 1.5.3-1 - SIP Proxy | |||
FreeSwitch is divided into many packages. I am installing it on the system that I have been running Asterisk on, so that I can try it out on a real computer. | |||
[[Category: Network]] | |||
[[Category: System Administration]] | |||
[[Category: Wireless]] |
Latest revision as of 18:32, 9 August 2015
2014-Mar-18 Currently has X-Wrt software installed on it.
Overview
This page is about RB532A. is a surplus piece of hardware that worked for a time as a firewall at work, then as an openvpn server at my house.
See also Mikrotik RouterBoard RB411
Official documentation can be found at http://www.routerboard.com/rb500.html A local copy of the user guide is here: File:RouterBoard500 userguide.pdf
Command line access: serial console 115200 8N1 (usually from Roaring using minicom) or ssh
Web interface: http://10.127.32.1/ or https://routerboard/ or from outside the lan at https://alseageo.dyndns.biz/
KAMIKAZE with X-Wrt Extensions 8.09
Web management console Webif2
Board type: 532A Serial number: 16C901CD44DB Firmware version: 2.10 CPU frequency: 399 MHz Memory size: 64 MB eth1 MAC address: 00:0C:42:10:1C:6C eth2 MAC address: 00:0C:42:10:1C:6D eth3 MAC address: 00:0C:42:10:1C:6E
To-do
- QoS
- dmz - allow OpenVpn access ?
- OpenVPN - switch over from Kilchis?
- Scheduled QoS control?
- Crow? or similar
- WoL
I tried to override the WAN interface default MAC address so that Comcast would not change our public IP address but for some reason that feature in the GUI fails.
Reflashing
http://wiki.openwrt.org/OpenWrtDocs/Hardware/Mikrotik/RB532
The simplest way is to simply download the CF image file from http://downloads.x-wrt.org/xwrt/kamikaze/ and then use 'dd' to copy it to a CF card, then put the CF into the RouterBoard and off you go.
Get the 128k image. The 128k refers to the block size in the filesystem and it's good for CF cards.
The healthy way to copy binary images to CF is 'dd' under Linux. Cygwin includes a 'dd' command so if you are burdened with Windows you can still use dd. I did not get it working and ended up simply usng Linux. YMMV http://www.groupsrv.com/linux/about17777.html
dd if=/dev/sdb of=backupimage.bin dd if=openwrt-rb532-jffs2-128k.bin of=/dev/sdb
The backup image is 256MB because that's the device size. Wastes some disk space but then again I delete it as soon as the RouterBoard is up and running again.
Available distributions
OpenWRT and X-WRT are installed.
Support for it in OpenWrt seems to be pretty good, they have the latest releases prebuilt for the RouterBoard. I used instructions in this page to get it loaded.
I installed KAMIKAZE (7.09) then later I found out about X-WRT and installed their version from http://downloads.x-wrt.org/xwrt/kamikaze/
I no longer put all 4 screws into the MicroTik case. :-)
Install took 10 minutes including opening up the case. OpenWrtDocs/Hardware/Mikrotik/RB532
DD-WRT Support in dd-wrt is not good. There is an old beta.
CF layout
Kamikaze fits in a 16MB flash so any old CF card will do for booting.
Ethernet ports
There are three, the one to the left of the serial port is eth0 To the right are eth1 and eth2
By default in Kamikaze eth0 is in DHCP so it would make a good WAN port
Miscellaneous configuration notes
Password
Root password set from the console port command line using "passwd". Set to the usual root password.
Network
I hand edited this config file to create three networks. Should be possible to do it all from the GUI but maybe that did not work back when I originally set it up.
The WAN interface has its MAC address overridden so that it uses the same MAC as the old D-Link router. That way switching back and forth between the RouterBoard and the D-Link should not cause our Comcast DHCP address to change.
Note this did not work -- maybe I have the syntax wrong in the file? I had to go into the command line and override the setting like this
ifconfig eth0 down ifconfig eth0 hw ether '00:0D:88:5F:E8:90'
It loses the settings when I reboot, so I am ignoring it for the moment. We have a new IP address, darn.
Contents of /etc/config/network file.
config 'interface' 'loopback' option 'ifname' 'lo' option 'proto' 'static' option 'ipaddr' '127.0.0.1' option 'netmask' '255.0.0.0' config 'interface' 'wan' option 'ifname' 'eth0' option 'proto' 'dhcp' option 'macaddr' '00:0D:88:5F:E8:90' config 'interface' 'lan' option 'ifname' 'eth1' option 'proto' 'static' option 'ipaddr' '10.127.32.1' option 'netmask' '255.0.0.0' config 'interface' 'dmz' option 'ifname' 'eth2' option 'proto' 'static' option 'ipaddr' '192.168.123.249' # at home for testing option 'netmask' '255.255.255.0'
Route command
Adding a default route so that you can get the webif stuff running initially; you need to add some packages.
route add default gw 192.168.123.254
Packages added
After getting webif running I use it to make these package additions/deletions.
etherwake ntpd openvpn tcpdump wol nbd's QoS scripts
Packages removed
ppp ppp-mod-pppoe
DHCP
We provide DHCP only to the DMZ zone.
/etc/config/dhcp config dhcp option interface lan option ignore 1 config dhcp option interface dmz option start 190 option limit 199 option leasetime 1h config dhcp option interface wan option ignore 1
DNS
dnsmasq is installed but I am not currently using it.
I put this in /etc/resolv.conf so that it will use Kilchis to resolve names.
nameserver 10.127.32.27 domain alseageo.com
Dyndns
There is a DynDNS tab under Network in the GUI. You can install and configure dyndns service.
Another way to do this is via ddclient on Kilchis, which is currently disabled. It used to run once per hour from /etc/cron.hourly/ddclient.
The config file for dyndns on the routerboard is /etc/config/updatedd:
config 'updatedd' option 'update' '0' option 'service' 'changeip' option 'username' 'alseageo' option 'password' 'ice9viva' option 'host' 'members.dyndns.org'
Firewall
Set up from WebIf. Note that the rule names cannot have spaces in them
config 'defaults' option 'syn_flood' '1' option 'input' 'ACCEPT' option 'output' 'ACCEPT' option 'forward' 'REJECT' config 'zone' option 'name' 'lan' option 'input' 'ACCEPT' option 'output' 'ACCEPT' option 'forward' 'REJECT' config 'zone' option 'name' 'wan' option 'input' 'REJECT' option 'output' 'ACCEPT' option 'forward' 'REJECT' option 'masq' '1' config 'forwarding' option 'src' 'lan' option 'dest' 'wan' config 'redirect' 'Kilchis_SSH' option 'src' 'wan' option 'dest_ip' '10.127.32.27' option 'dest_port' '22' option 'proto' 'tcp' option 'src_ip' '' option 'src_dport' '22' config 'redirect' 'AsteriskIAX2' option 'src' 'wan' option 'dest_ip' '10.127.32.28' option 'dest_port' '4569' option 'proto' 'udp' option 'src_ip' '' option 'src_dport' '4569' config 'redirect' 'ODOT_ProdDemo' option 'src' 'wan' option 'dest_ip' '10.127.32.34' option 'dest_port' '80' option 'proto' 'tcp' option 'src_ip' '' option 'src_dport' '80' config 'redirect' 'OpenVpn' option 'src' 'wan' option 'proto' 'udp' option 'dest_ip' '10.127.32.27' option 'dest_port' '1194' option 'src_ip' '' option 'src_dport' '1194' config 'redirect' 'Subversion' option 'src' 'wan' option 'proto' 'tcp' option 'dest_port' '44555' option 'dest_ip' '10.127.32.27' option 'src_ip' '' option 'src_dport' '44555' config 'forwarding' option 'src' 'lan' option 'dest' 'dmz' config 'forwarding' option 'src' 'dmz' option 'dest' 'wan'
NTP
Set timezone to US/Pacific Set servers to {0,1,2}.pool.ntp.org
NOTE: The standard WebIF ntp client has been removed from the GUI package manager.
I enabled the ntpd like this:
cd /etc/rc.d ln -s ../init.d/ntpd S99ntpd
All I had to change in ntp.conf was to add a rule allowing our 10.x.x.x clients.
cat ntp.conf
# use a random selection of 8 public stratum 2 servers # see http://twiki.ntp.org/bin/view/Servers/NTPPoolServers #restrict default nomodify notrap noquery #restrict default noquery restrict 127.0.0.1 restrict 10.0.0.0 netmask 255.0.0.0 driftfile /tmp/ntp.drift server 0.openwrt.pool.ntp.org iburst server 1.openwrt.pool.ntp.org iburst server 2.openwrt.pool.ntp.org iburst server 3.openwrt.pool.ntp.org iburst # GPS(NMEA)+PPS #server 127.127.20.0 minpoll 4 prefer #fudge 127.127.20.0 flag3 1 flag2 0 # SMA PPS #server 127.127.28.0 minpoll 4 prefer #fudge 127.127.28.0 refid PPS flag3 1 #server 192.168.1.253
QoS
Install but not configured yet. I'd like to use this to control bandwidth used for offsite backups. I want full utilization at night and 200 Kbps during business hours. A way to switch it down to a low bandwidth manually would be good.
SNMP
Installed but not configured yet. Could be set to log to Cacti on Kilchis
SSL
Installed MatrixSSL so that we can connect to router using a secure connection.
Syslog
Set to log to Kilchis. 10.127.32.27/514
Wake-On-Lan
Installed not configured
VPN
OpenVPN
Installed package. Not configured yet.
dmesg output
# dmesg Linux version 2.6.24.7 ([email protected]) (gcc version 4.1.2) #1 Fr8 CPU revision is: 0001800a (MIPS 4Kc) Determined physical RAM map: memory: 03fffa00 @ 00000400 (usable) Wasting 32 bytes for tracking 1 unused pages Entering add_active_range(0, 1, 16383) 0 entries of 256 used Initrd not found or empty - disabling initrd Zone PFN ranges: Normal 1 -> 16383 Movable zone start PFN for each node early_node_map[1] active PFN ranges 0: 1 -> 16383 On node 0 totalpages: 16382 Normal zone: 127 pages used for memmap Normal zone: 0 pages reserved Normal zone: 16255 pages, LIFO batch:3 Movable zone: 0 pages used for memmap Built 1 zonelists in Zone order, mobility grouping on. Total pages: 16255 Kernel command line: console=ttyS0,115200 gpio=16383 kmac=00:0C:42:10:1C:6C boa korina mac = 00:0C:42:10:1C:6C Primary instruction cache 8kB, VIPT, 4-way, linesize 16 bytes. Primary data cache 8kB, 4-way, VIPT, no aliases, linesize 16 bytes Synthesized clear page handler (26 instructions). Synthesized copy page handler (46 instructions). Synthesized TLB refill handler (20 instructions). Synthesized TLB load handler fastpath (32 instructions). Synthesized TLB store handler fastpath (32 instructions). Synthesized TLB modify handler fastpath (31 instructions). Initializing IRQ's: 168 out of 256 PID hash table entries: 256 (order: 8, 1024 bytes) calculating r4koff... 001e846c(1999980) CPU frequency 400.00 MHz console [ttyS0] enabled Dentry cache hash table entries: 8192 (order: 3, 32768 bytes) Inode-cache hash table entries: 4096 (order: 2, 16384 bytes) Memory: 60992k/65528k available (2069k kernel code, 4468k reserved, 566k data, ) Calibrating delay loop... 398.95 BogoMIPS (lpj=1994752) Mount-cache hash table entries: 512 net_namespace: 64 bytes NET: Registered protocol family 16 PCI: Initializing PCI registering PCI controller with io_map_base unset NET: Registered protocol family 2 Time: MIPS clocksource has been installed. IP route cache hash table entries: 1024 (order: 0, 4096 bytes) TCP established hash table entries: 2048 (order: 2, 16384 bytes) TCP bind hash table entries: 2048 (order: 1, 8192 bytes) TCP: Hash tables configured (established 2048 bind 2048) TCP reno registered squashfs: version 3.0 (2006/03/15) Phillip Lougher JFFS2 version 2.2. (NAND) (SUMMARY) �© 2001-2006 Red Hat, Inc. yaffs Nov 7 2008 15:30:24 Installing. io scheduler noop registered io scheduler deadline registered (default) Serial: 8250/16550 driver $Revision: 1.90 $ 2 ports, IRQ sharing disabled serial8250: ttyS0 at MMIO 0x0 (irq = 104) is a 16550A cf-mips module loaded cf-mips: resetting.. cf-mips: identify drive.. cf-mips: CF card detected, C/H/S=998/16/32 sectors=510976 (249MB) Serial=ASH 0 cf-mips: detecting block size cf-mips: multiple sectors = 1 init done<6> cfa: cfa1 cfa2 eth0: Rx IRQ 40, Tx IRQ 41, 00:0c:42:10:1c:6c via-rhine.c:v1.10-LK1.4.3 2007-03-06 Written by Donald Becker PCI: Enabling device 0000:00:02.0 (0080 -> 0083) PCI: Setting latency timer of device 0000:00:02.0 to 64 io_map_base of root PCI bus 0000:00 unset. Trying to continue but you better fix this issue or report it to [email protected] or your vendor. To avoid data corruption io_map_base MUST be set with multiple PCI domains.<6>e. eth1: MII PHY found at address 1, status 0x7849 advertising 05e1 Link 0000. PCI: Enabling device 0000:00:03.0 (0080 -> 0083) PCI: Setting latency timer of device 0000:00:03.0 to 64 eth2: VIA Rhine III at 0xb8800100, 00:0c:42:10:1c:6e, IRQ 143. eth2: MII PHY found at address 1, status 0x7849 advertising 05e1 Link 0000. block2mtd: version $Revision: 1.30 $ Creating 1 MTD partitions on "/dev/cfa2": 0x00000000-0x03020000 : "/dev/cfa2" block2mtd: mtd0: [/dev/cfa2] erase_size = 128KiB [131072] NAND device: Manufacturer ID: 0xad, Chip ID: 0xf1 (Hynix NAND 128MiB 3,3V 8-bit) Scanning device for bad blocks Bad eraseblock 61 at 0x007a0000 Creating 2 MTD partitions on "NAND 128MiB 3,3V 8-bit": 0x00000000-0x00400000 : "Routerboard NAND boot" 0x00400000-0x08000000 : "rootfs" mtd: partition "rootfs" set to be root filesystem split_squashfs: no squashfs found in "NAND 128MiB 3,3V 8-bit" No IRQF_TRIGGER set_type function for IRQ 1 (RB500) input: gpio-keys as /devices/platform/gpio-keys/input/input0 Registered led device: rb500led:amber nf_conntrack version 0.5.0 (1024 buckets, 4096 max) TCP vegas registered NET: Registered protocol family 1 NET: Registered protocol family 17 802.1Q VLAN Support v1.8 Ben Greear <[email protected]> All bugs added by David S. Miller <[email protected]> jffs2_scan_eraseblock(): End of filesystem marker found at 0x220000 jffs2_build_filesystem(): unlocking the mtd device... done. jffs2_build_filesystem(): erasing all blocks after the end marker... done. VFS: Mounted root (jffs2 filesystem) readonly. Freeing unused kernel memory: 128k freed Please be patient, while OpenWrt loads ... Algorithmics/MIPS FPU Emulator v1.5 PPP generic driver version 2.4.2 ip_tables: (C) 2000-2006 Netfilter Core Team wlan: trunk ath_hal: module license 'Proprietary' taints kernel. ath_hal: 2008-10-02 (AR5210, AR5211, AR5212, AR5416, RF5111, RF5112, RF2413, RF) ath_rate_minstrel: Minstrel automatic rate control algorithm 1.2 (trunk) ath_rate_minstrel: look around rate set to 10% ath_rate_minstrel: EWMA rolloff level set to 75% ath_rate_minstrel: max segment size in the mrr set to 6000 us wlan: mac acl policy registered ath_pci: trunk root@OpenWrt:/#
Hardware
It's installed in a plain black box and powered by a wall wart power supply that were both purchased directly from Microtik.
RouterBOARD 532A Specifications
CPU | MIPS 32 4Kc based 266MHz (BIOS adjustable from 200 to 400MHz; 400MHz default and recommended) embedded processor |
Memory | 64MB DDR onboard memory chip |
Root loader | RouterBOOT, 1Mbit Flash chip |
Data storage | 128MB onboard NAND memory chip,
CompactFlash type I/II slot (also supports IBM/Hitachi Microdrive) |
Ethernet ports | One IDT Korina 10/100 Mbit/s Fast Ethernet port supporting Auto-MDI/X,
Two VIA VT6105 10/100 Mbit/s Fast Ethernet ports supporting Auto-MDI/X |
MiniPCI slot | Two MiniPCI Type IIIA/IIIB slots |
Daughterboard connector | Present |
Serial ports | One DB9 RS232C asynchronous serial port |
LEDs | Power, 2 LED pairs for MiniPCI slots, 1 user LED |
Watchdog | IDT internal SoC hardware watchdog timer |
Power options | IEEE802.3af Power over Ethernet: 12V or 48V DC,
Power jack/header 6..22V or 25..56V DC jumper selectable. PoE does not support power over datalines |
Dimensions | 14.0 cm x 14.0 cm (5.51 in x 5.51 in) |
Temperature | Operational: -20°C to +70°C (-4°F to 158°F) |
Humidity | Operational: 70% relative humidity (non-condensing) |
Currently supported OS | RouterOS 2.9, Linux 2.4 |
Board specs
Board type: 532A Serial number: 16C901CD44DB Firmware version: 2.10 CPU frequency: 399 MHz Memory size: 64 MB eth1 MAC address: 00:0C:42:10:1C:6C eth2 MAC address: 00:0C:42:10:1C:6D eth3 MAC address: 00:0C:42:10:1C:6E
Set up
Support for the RouterBoard in OpenWrt seems to be pretty good, they have the latest releases prebuilt for the RouterBoard.
Install took 10 minutes including opening up the case. OpenWrtDocs/Hardware/Mikrotik/RB532
Support in dd-wrt is not good. There is an old beta.
Reflashing with OpenWrt X-Wrt
http://wiki.openwrt.org/OpenWrtDocs/Hardware/Mikrotik/RB532
The simplest way is to download the CF image file from http://downloads.x-wrt.org/xwrt/kamikaze/ and then use 'dd' to copy it to a CF card, then put the CF into the RouterBoard and off you go.
Get the 128k image. The 128k refers to the block size in the filesystem and it's good for CF cards.
Use the 'dd' command under Linux or Macintosh to copy the image to the CF card. Cygwin includes a 'dd' command so if you are burdened with Windows you can still use dd. I did not get it working and ended up simply usng Linux. YMMV http://www.groupsrv.com/linux/about17777.html
dd if=/dev/sdb of=backupimage.bin dd if=openwrt-rb532-jffs2-128k.bin of=/dev/sdb
The backup image is 256MB because that's the device size. Wastes some disk space but then again I delete it as soon as the RouterBoard is up and running again.
On my Macintosh with a USB card reader the command is almost the same, Macs are pretty cool actually.
sudo dd if=openwrt-rb532-jffs2-12k.bin of=/dev/disk1
Configuration as gateway router
To-do
- Fix routing table
- dyndns updates
- ntp server? (client is working) (ntpd is installed)
- QoS
- netmeeting - use dmz
- dmz - allow OpenVpn access ?
- WiFi -
- DHCP for LAN?
- OpenVPN
- Scheduled QoS control?
- Crow? or similar
- WoL
Serial console setting
Connect a serial cable and use "screen /dev/ttyS0 115200"
Password
Root password set from the console port command line using "passwd". Set to the usual root password.
Ethernet ports
There are three, the one to the left of the serial port is eth0 To the right are eth1 and eth2
Network
This is the /etc/config/network file, hand edited to create two networks. There is a third etherport port (eth1) that is currently unused.
config 'interface' 'loopback' option 'ifname' 'lo' option 'proto' 'static' option 'ipaddr' '127.0.0.1' option 'netmask' '255.0.0.0' config 'interface' 'wan' option 'ifname' 'eth0' option 'proto' 'dhcp' config 'interface' 'lan' option 'ifname' 'eth2' option 'proto' 'static' option 'ipaddr' '192.168.123.254' option 'netmask' '255.255.255.0'
Route command
At the console, add a default route through the old router (bellman) so that you can get the webif stuff running initially; you need to add some packages.
route add default gw 192.168.123.1
Update resolv.conf
search wildsong.biz nameserver 192.168.123.1
Packages added
After getting webif running use it to make these package additions/deletions. Dependencies are shown in parentheses.
asterisk16-sounds (asterisk16, libncurses, libopenssl, libpopt, librt, libpthread, zlib) asterisk16-chan-iax2
etherwake ntpd openvpn (kmod-tun liblzo) updatedd-mod-dyndns (updatedd)
Packages removed
ppp ppp-mod-pppoe
DHCP
/etc/config/dhcp config dhcp option interface lan option ignore 1 config dhcp option interface dmz option start 190 option limit 199 option leasetime 1h config dhcp option interface wan option ignore 1
Dyndns
Comes with changeip client, which can be configured with your username password
Firewall
Set up from WebIf. Note that the rule names cannot have spaces in them
config 'defaults' option 'syn_flood' '1' option 'input' 'ACCEPT' option 'output' 'ACCEPT' option 'forward' 'REJECT' config 'zone' option 'name' 'lan' option 'input' 'ACCEPT' option 'output' 'ACCEPT' option 'forward' 'REJECT' config 'zone' option 'name' 'wan' option 'input' 'REJECT' option 'output' 'ACCEPT' option 'forward' 'REJECT' option 'masq' '1' config 'forwarding' option 'src' 'lan' option 'dest' 'wan' config 'redirect' 'Bellman_SSH' option 'src' 'wan' option 'dest_ip' '192.168.123.1' option 'dest_port' '22' option 'proto' 'tcp' option 'src_ip' '' option 'src_dport' '22' config 'redirect' 'AsteriskIAX2' option 'src' 'wan' option 'dest_ip' '10.127.32.28' option 'dest_port' '4569' option 'proto' 'udp' option 'src_ip' '' option 'src_dport' '4569' config 'redirect' 'OpenVpn' option 'src' 'wan' option 'proto' 'udp' option 'dest_ip' '10.127.32.27' option 'dest_port' '1194' option 'src_ip' '' option 'src_dport' '1194' config 'forwarding' option 'src' 'lan' option 'dest' 'dmz' config 'forwarding' option 'src' 'dmz' option 'dest' 'wan'
NTP
Set timezone to US/Pacific Set servers to {0,1,2}.pool.ntp.org
Add this line to ntp.conf
restrict 192.168.123.0 mask 255.255.255.0
Add link to /etc/rc.d so that ntpd will start, you can do this in webIf services page.
QoS
Install but not configured yet. I'd like to use this to control bandwidth used for offsite backups. I want full utilization at night and 200 Kbps during business hours. A way to switch it down to a low bandwidth manually would be good.
SNMP
Installed but not configured yet.
SSL
Installed MatrixSSL so that we can connect to router using a secure connection.
Syslog
Set to log to Bellman.
Wake-On-Lan
Installed not configured yet
VPN
OpenVPN
This end will connect with AGI's and keep the connection nailed up. I suppose I could also allow access back in from the world at large but that is not my primary objective.
So I do the usual - copy the config files from the AGI server and then start it up.
Phone server options
These are available as packages for OpenWrt
- Asterisk 1.4, 1.6 - a pain to debug configurations
- FreeSwitch - B2BUA/media gateway
- kamailio
- OpenSER 1.0.1-1 - Outdated version, it's called OpenSIPS now
- OpenSIPS 1.5.3-1 - SIP Proxy
FreeSwitch is divided into many packages. I am installing it on the system that I have been running Asterisk on, so that I can try it out on a real computer.