MikroTik RouterBoard RB532A: Difference between revisions

From Wildsong
Jump to navigationJump to search
Brian Wilson (talk | contribs)
Brian Wilson (talk | contribs)
m Brian Wilson moved page MikroTik RouterBoard to MikroTik RouterBoard RB532A: more accurate
 
(47 intermediate revisions by the same user not shown)
Line 1: Line 1:
== RouterBoard 532A ==
2014-Mar-18 Currently has [http://x-wrt.org X-Wrt] software installed on it.


In DNS, it's called OpenWRT and can be reached via ssh or https://openwrt
== Overview ==
or from outside the lan at https://alseageo.dyndns.biz/


Support for it in [[OpenWrt]] seems to be pretty good, they have the latest releases prebuilt for it. I used instructions in this page to get it loaded.
This page is about RB532A. is a surplus piece of hardware that worked for a time as a firewall at work, then as an openvpn server at my house.
 
See also [[Mikrotik RouterBoard RB411]]
 
Official documentation can be found at http://www.routerboard.com/rb500.html
A local copy of the user guide is here:
[[File:RouterBoard500_userguide.pdf]]
 
Command line access: serial console 115200 8N1 (usually from [[Roaring]] using minicom) or ssh
 
Web interface: http://10.127.32.1/ or https://routerboard/ or from outside the lan at https://alseageo.dyndns.biz/
 
 
'''KAMIKAZE with X-Wrt Extensions 8.09'''
Web management console Webif2
 
        Board type: 532A                                                       
    Serial number: 16C901CD44DB                                               
  Firmware version: 2.10                                                       
    CPU frequency: 399 MHz                                                   
      Memory size: 64 MB                                                     
  eth1 MAC address: 00:0C:42:10:1C:6C                                         
  eth2 MAC address: 00:0C:42:10:1C:6D                                         
  eth3 MAC address: 00:0C:42:10:1C:6E
 
== To-do ==
 
* QoS
* dmz - allow OpenVpn access ?
* OpenVPN - switch over from Kilchis?
* Scheduled QoS control?
* Crow? or similar
* WoL
 
I tried to override the WAN interface default MAC address so that Comcast would not change our public IP address but for some reason that feature in the GUI fails.
 
=== Reflashing ===
 
http://wiki.openwrt.org/OpenWrtDocs/Hardware/Mikrotik/RB532
 
The simplest way is to simply download the CF image file from http://downloads.x-wrt.org/xwrt/kamikaze/ and then use 'dd' to copy it to a CF card, then put the CF into the RouterBoard and off you go.
 
Get the 128k image. The '''128k''' refers to the block size in the filesystem and it's good for CF cards.
 
The healthy way to copy binary images to CF is 'dd' under Linux.
Cygwin includes a 'dd' command so if you are burdened with Windows you can still use dd. I did not get it working and ended up simply usng Linux. YMMV http://www.groupsrv.com/linux/about17777.html
 
dd if=/dev/sdb of=backupimage.bin
dd if=openwrt-rb532-jffs2-128k.bin of=/dev/sdb
 
The backup image is 256MB because that's the device size. Wastes some disk space but then again I delete it as soon as the RouterBoard is up and running again.
 
== Available distributions ==
 
OpenWRT and X-WRT are installed.
 
Support for it in OpenWrt seems to be pretty good, they have the latest releases prebuilt for the RouterBoard. I used instructions in this page to get it loaded.


I installed KAMIKAZE (7.09) then later I found out about X-WRT and installed
I installed KAMIKAZE (7.09) then later I found out about X-WRT and installed
their version from http://downloads.x-wrt.org/xwrt/kamikaze/7.09/
their version from http://downloads.x-wrt.org/xwrt/kamikaze/


I no longer put all 4 screws into the MicroTik case. :-)  
I no longer put all 4 screws into the MicroTik case. :-)  
Line 13: Line 68:
Install took 10 minutes including opening up the case. [http://wiki.openwrt.org/OpenWrtDocs/Hardware/Mikrotik/RB532?highlight=%28OpenWrtDocs/Hardware%29 OpenWrtDocs/Hardware/Mikrotik/RB532]
Install took 10 minutes including opening up the case. [http://wiki.openwrt.org/OpenWrtDocs/Hardware/Mikrotik/RB532?highlight=%28OpenWrtDocs/Hardware%29 OpenWrtDocs/Hardware/Mikrotik/RB532]


Support in dd-wrt is not good. There is an old beta.
'''DD-WRT''' Support in dd-wrt is not good. There is an old beta.


=== CF layout ===
=== CF layout ===
Line 26: Line 81:
By default in Kamikaze eth0 is in DHCP so it would make a good WAN port
By default in Kamikaze eth0 is in DHCP so it would make a good WAN port


MAC numbers
== Miscellaneous configuration notes ==


* eth0 00:0c:42:10:1c:6c
=== Password ===
* eth1 00:0c:42:10:1c:6d
* eth2 00:0c:42:10:1c:6e


=== Miscellaneous onfiguration ===
Root password set from the console port command line using "passwd".
Set to the usual root password.


==== Password ====
=== Network ===


Root password set from the console port command line using "passwd".
I hand edited this config file to create three networks. Should be possible to do it all from the GUI but maybe that did not work back when I originally set it up.
Set to the usual root password.
 
The WAN interface has its MAC address overridden so that it uses the same MAC as the old D-Link router. That way switching back and forth between the RouterBoard and the D-Link should not cause our Comcast DHCP address to change.
 
Note this did not work -- maybe I have the syntax wrong in the file? I had to go into the command line and override the setting like this
 
ifconfig eth0 down
ifconfig eth0 hw ether '00:0D:88:5F:E8:90'
 
It loses the settings when I reboot, so I am ignoring it for the moment. We have a new IP address, darn.
 
Contents of /etc/config/network file.
<pre>
config 'interface' 'loopback'
        option 'ifname' 'lo'
        option 'proto' 'static'
        option 'ipaddr' '127.0.0.1'
        option 'netmask' '255.0.0.0'
 
config 'interface' 'wan'
        option 'ifname' 'eth0'
        option 'proto' 'dhcp'
        option 'macaddr' '00:0D:88:5F:E8:90'
 
config 'interface' 'lan'
        option 'ifname' 'eth1'
        option 'proto' 'static'
        option 'ipaddr' '10.127.32.1'
        option 'netmask' '255.0.0.0'
 
config 'interface' 'dmz'
        option 'ifname' 'eth2'
        option 'proto'  'static'
        option 'ipaddr' '192.168.123.249' # at home for testing
        option 'netmask' '255.255.255.0'
</pre>
 
=== Route command ===
 
Adding a default route so that you can get the webif stuff running initially; you need to add some packages.
 
route add default gw 192.168.123.254
 
=== Packages added ===
 
After getting webif running I use it to make these package additions/deletions.
 
etherwake
ntpd
openvpn
tcpdump
wol
nbd's QoS scripts
 
Packages removed
 
ppp
ppp-mod-pppoe


==== Network ====
=== DHCP ===


Putting the D-Link mac address assures we wull get the same IP address
We provide DHCP only to the DMZ zone.  
assigned by Comcast.


<pre>
<pre>
/etc/config/network
/etc/config/dhcp
config dhcp                                                                   
        option interface        lan                                           
        option ignore  1                                                     
                                                                               
config dhcp                                                                   
        option interface        dmz                                           
        option start    190                                                   
        option limit    199                                                   
        option leasetime        1h                                           
                                                                               
config dhcp                                                                   
        option interface        wan                                           
        option ignore  1
</pre>
 
=== DNS ===
 
dnsmasq is installed but I am not currently using it.
 
I put this in /etc/resolv.conf so that it will use Kilchis to resolve names.
 
nameserver 10.127.32.27
domain alseageo.com
 
=== Dyndns ===
 
There is a DynDNS tab under Network in the GUI. You can install and configure dyndns service.
 
Another way to do this is via ddclient on Kilchis, which is currently disabled.
It used to run once per hour from /etc/cron.hourly/ddclient.
 
The config file for dyndns on the routerboard is /etc/config/updatedd:
 
config 'updatedd'
        option 'update' '0'
        option 'service' 'changeip'
        option 'username' 'alseageo'
        option 'password' 'ice9viva'
        option 'host' 'members.dyndns.org'
 
=== Firewall ===


config interface loopback                                                     
Set up from WebIf.
         option ifname  lo                                                     
Note that the rule names cannot have spaces in them
         option proto    static                                                 
 
         option ipaddr  127.0.0.1                                                
<pre>
         option netmask  255.0.0.0                                                
config 'defaults'                                                             
         option 'syn_flood' '1'                                                 
         option 'input' 'ACCEPT'                                               
        option 'output' 'ACCEPT'                                               
         option 'forward' 'REJECT'                                                
                                                                               
config 'zone'                                                                 
        option 'name' 'lan'                                                   
         option 'input' 'ACCEPT'                                               
        option 'output' 'ACCEPT'                                               
        option 'forward' 'REJECT'                                                
                                                                                  
                                                                                  
config interface wan                                                          
config 'zone'                                                                 
         option ifname  eth0                                                   
        option 'name' 'wan'                                                   
         option proto    dhcp
        option 'input' 'REJECT'                                               
         option macaddr xx:xx:xx:xx:xx      put the dlink mac here                                   
         option 'output' 'ACCEPT'                                               
         option 'forward' 'REJECT'                                             
         option 'masq' '1'                                                     
                                                                                  
                                                                                  
config interface lan                                                           
config 'forwarding'                                                           
         option ifname  eth1                                                   
         option 'src' 'lan'                                                     
        option proto    static                                                 
         option 'dest' 'wan'                                                   
        option ipaddr  10.127.32.5                                           
         option netmask  255.0.0.0                                             
                                                                                  
                                                                                  
config interface dmz                                                             
config 'redirect' 'Kilchis_SSH'                                               
         option ifname   eth2                                                  
        option 'src' 'wan'                                                     
         option proto   static                                                
        option 'dest_ip' '10.127.32.27'                                       
         option ipaddr   192.168.123.1                                         
        option 'dest_port' '22'                                               
         option netmask 255.255.255.0    
        option 'proto' 'tcp'                                                   
        option 'src_ip' ''                                                     
        option 'src_dport' '22'                                               
                                                                               
config 'redirect' 'AsteriskIAX2'                                               
        option 'src' 'wan'                                                     
        option 'dest_ip' '10.127.32.28'                                       
        option 'dest_port' '4569'                                             
        option 'proto' 'udp'                                                   
        option 'src_ip' ''                                                     
        option 'src_dport' '4569'                                             
                                                                               
config 'redirect' 'ODOT_ProdDemo'                                             
        option 'src' 'wan'                                                     
        option 'dest_ip' '10.127.32.34'                                       
        option 'dest_port' '80'                                               
        option 'proto' 'tcp'                                                   
        option 'src_ip' ''                                                     
        option 'src_dport' '80'                                               
                                                                               
config 'redirect' 'OpenVpn'                                                   
        option 'src' 'wan'                                                     
        option 'proto' 'udp'                                                   
        option 'dest_ip' '10.127.32.27'                                       
        option 'dest_port' '1194'                                             
        option 'src_ip' ''                                                     
        option 'src_dport' '1194'                                             
                                                                               
config 'redirect' 'Subversion'                                                 
        option 'src' 'wan'                                                     
        option 'proto' 'tcp'                                                   
        option 'dest_port' '44555'                                             
        option 'dest_ip' '10.127.32.27'                                       
        option 'src_ip' ''                                                     
        option 'src_dport' '44555'                                             
           
config 'forwarding'                                                           
        option 'src' 'lan'                                                     
        option 'dest' 'dmz'                                                   
                                                                               
config 'forwarding'                                                           
        option 'src' 'dmz'                                                     
        option 'dest' 'wan'       
</pre>
 
=== NTP ===
 
Set timezone to US/Pacific
Set servers to {0,1,2}.pool.ntp.org
 
'''NOTE:''' The standard WebIF ntp client has been removed from the GUI package manager.
 
I enabled the ntpd like this:
 
cd /etc/rc.d
ln -s ../init.d/ntpd S99ntpd
 
All I had to change in ntp.conf was to add a rule allowing our 10.x.x.x clients.
 
cat ntp.conf
<pre>
# use a random selection of 8 public stratum 2 servers
# see http://twiki.ntp.org/bin/view/Servers/NTPPoolServers
 
#restrict default nomodify notrap noquery
#restrict default noquery
 
restrict 127.0.0.1
restrict 10.0.0.0 netmask 255.0.0.0
 
driftfile  /tmp/ntp.drift
 
server 0.openwrt.pool.ntp.org iburst
server 1.openwrt.pool.ntp.org iburst
server 2.openwrt.pool.ntp.org iburst
server 3.openwrt.pool.ntp.org iburst
 
# GPS(NMEA)+PPS
#server 127.127.20.0 minpoll 4 prefer
#fudge 127.127.20.0 flag3 1 flag2 0
 
# SMA PPS
#server 127.127.28.0 minpoll 4 prefer
#fudge 127.127.28.0 refid PPS flag3 1
 
#server 192.168.1.253
</pre>
 
=== QoS ===
 
Install but not configured yet.
I'd like to use this to control bandwidth used for offsite backups.
I want full utilization at night and 200 Kbps during business hours.
A way to switch it down to a low bandwidth manually would be good.
 
=== SNMP ===
 
Installed but not configured yet. Could be set to log to [[Cacti]] on Kilchis
 
=== SSL ===
 
Installed MatrixSSL so that we can connect to router using a secure connection.
 
=== Syslog ===
 
Set to log to Kilchis. 10.127.32.27/514
 
=== Wake-On-Lan ===
 
Installed not configured
 
=== VPN ===
 
==== OpenVPN ====
 
Installed package. Not configured yet.
 
== dmesg output ==
 
<pre>
# dmesg                                                         
Linux version 2.6.24.7 ([email protected]) (gcc version 4.1.2) #1 Fr8
CPU revision is: 0001800a (MIPS 4Kc)                                           
Determined physical RAM map:                                                   
memory: 03fffa00 @ 00000400 (usable)                                         
Wasting 32 bytes for tracking 1 unused pages                                   
Entering add_active_range(0, 1, 16383) 0 entries of 256 used                   
Initrd not found or empty - disabling initrd                                   
Zone PFN ranges:                                                               
  Normal          1 ->    16383                                               
Movable zone start PFN for each node                                           
early_node_map[1] active PFN ranges                                           
    0:        1 ->    16383                                                   
On node 0 totalpages: 16382                                                   
  Normal zone: 127 pages used for memmap                                       
  Normal zone: 0 pages reserved                                               
  Normal zone: 16255 pages, LIFO batch:3                                       
  Movable zone: 0 pages used for memmap                                       
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16255     
Kernel command line: console=ttyS0,115200 gpio=16383 kmac=00:0C:42:10:1C:6C boa
korina mac = 00:0C:42:10:1C:6C                                                 
Primary instruction cache 8kB, VIPT, 4-way, linesize 16 bytes.                 
Primary data cache 8kB, 4-way, VIPT, no aliases, linesize 16 bytes             
Synthesized clear page handler (26 instructions).                             
Synthesized copy page handler (46 instructions).                               
Synthesized TLB refill handler (20 instructions).                             
Synthesized TLB load handler fastpath (32 instructions).                       
Synthesized TLB store handler fastpath (32 instructions).                     
Synthesized TLB modify handler fastpath (31 instructions).                     
Initializing IRQ's: 168 out of 256                                             
PID hash table entries: 256 (order: 8, 1024 bytes)                             
calculating r4koff... 001e846c(1999980)                                       
CPU frequency 400.00 MHz                                                       
console [ttyS0] enabled                                                       
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)                 
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)                   
Memory: 60992k/65528k available (2069k kernel code, 4468k reserved, 566k data, )
Calibrating delay loop... 398.95 BogoMIPS (lpj=1994752)                       
Mount-cache hash table entries: 512                                           
net_namespace: 64 bytes                                                       
NET: Registered protocol family 16                                             
PCI: Initializing PCI                                                         
registering PCI controller with io_map_base unset                             
NET: Registered protocol family 2                                             
Time: MIPS clocksource has been installed.                                     
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)                 
TCP established hash table entries: 2048 (order: 2, 16384 bytes)               
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)                       
TCP: Hash tables configured (established 2048 bind 2048)                       
TCP reno registered                                                           
squashfs: version 3.0 (2006/03/15) Phillip Lougher                             
JFFS2 version 2.2. (NAND) (SUMMARY)  �© 2001-2006 Red Hat, Inc.               
yaffs Nov  7 2008 15:30:24 Installing.                                         
io scheduler noop registered                                                   
io scheduler deadline registered (default)                                     
Serial: 8250/16550 driver $Revision: 1.90 $ 2 ports, IRQ sharing disabled     
serial8250: ttyS0 at MMIO 0x0 (irq = 104) is a 16550A                         
cf-mips module loaded                                                         
cf-mips: resetting..                                                            
cf-mips: identify drive..                                                     
cf-mips: CF card detected, C/H/S=998/16/32 sectors=510976 (249MB) Serial=ASH  0
cf-mips: detecting block size                                                 
cf-mips: multiple sectors = 1                                                 
init done<6> cfa: cfa1 cfa2                                                   
eth0: Rx IRQ 40, Tx IRQ 41, 00:0c:42:10:1c:6c                                 
via-rhine.c:v1.10-LK1.4.3 2007-03-06 Written by Donald Becker                 
PCI: Enabling device 0000:00:02.0 (0080 -> 0083)                               
PCI: Setting latency timer of device 0000:00:02.0 to 64                       
io_map_base of root PCI bus 0000:00 unset.  Trying to continue but you better 
fix this issue or report it to [email protected] or your vendor.       
To avoid data corruption io_map_base MUST be set with multiple PCI domains.<6>e.
eth1: MII PHY found at address 1, status 0x7849 advertising 05e1 Link 0000.   
PCI: Enabling device 0000:00:03.0 (0080 -> 0083)                               
PCI: Setting latency timer of device 0000:00:03.0 to 64                       
eth2: VIA Rhine III at 0xb8800100, 00:0c:42:10:1c:6e, IRQ 143.                 
eth2: MII PHY found at address 1, status 0x7849 advertising 05e1 Link 0000.   
block2mtd: version $Revision: 1.30 $                                           
Creating 1 MTD partitions on "/dev/cfa2":                                     
0x00000000-0x03020000 : "/dev/cfa2"                                           
block2mtd: mtd0: [/dev/cfa2] erase_size = 128KiB [131072]                     
NAND device: Manufacturer ID: 0xad, Chip ID: 0xf1 (Hynix NAND 128MiB 3,3V 8-bit)
Scanning device for bad blocks                                                 
Bad eraseblock 61 at 0x007a0000                                               
Creating 2 MTD partitions on "NAND 128MiB 3,3V 8-bit":                         
0x00000000-0x00400000 : "Routerboard NAND boot"                               
0x00400000-0x08000000 : "rootfs"                                               
mtd: partition "rootfs" set to be root filesystem                             
split_squashfs: no squashfs found in "NAND 128MiB 3,3V 8-bit"                 
No IRQF_TRIGGER set_type function for IRQ 1 (RB500)                           
input: gpio-keys as /devices/platform/gpio-keys/input/input0                   
Registered led device: rb500led:amber                                         
nf_conntrack version 0.5.0 (1024 buckets, 4096 max)                           
TCP vegas registered                                                           
NET: Registered protocol family 1                                             
NET: Registered protocol family 17                                             
802.1Q VLAN Support v1.8 Ben Greear <[email protected]>                 
All bugs added by David S. Miller <[email protected]>                           
jffs2_scan_eraseblock(): End of filesystem marker found at 0x220000           
jffs2_build_filesystem(): unlocking the mtd device... done.                   
jffs2_build_filesystem(): erasing all blocks after the end marker... done.     
VFS: Mounted root (jffs2 filesystem) readonly.                                 
Freeing unused kernel memory: 128k freed                                       
Please be patient, while OpenWrt loads ...                                     
Algorithmics/MIPS FPU Emulator v1.5                                           
PPP generic driver version 2.4.2                                               
ip_tables: (C) 2000-2006 Netfilter Core Team                                   
wlan: trunk                                                                   
ath_hal: module license 'Proprietary' taints kernel.                           
ath_hal: 2008-10-02 (AR5210, AR5211, AR5212, AR5416, RF5111, RF5112, RF2413, RF)
ath_rate_minstrel: Minstrel automatic rate control algorithm 1.2 (trunk)       
ath_rate_minstrel: look around rate set to 10%                                 
ath_rate_minstrel: EWMA rolloff level set to 75%                               
ath_rate_minstrel: max segment size in the mrr set to 6000 us                 
wlan: mac acl policy registered                                               
ath_pci: trunk                                                                 
root@OpenWrt:/#
 
</pre>
 
== Hardware ==
 
It's installed in a plain black box and powered by a wall wart power supply that were both purchased directly from Microtik.
 
=== RouterBOARD 532A Specifications ===
 
{| border=1
|-
| CPU || MIPS 32 4Kc based 266MHz (BIOS adjustable from 200 to 400MHz; 400MHz default and recommended) embedded processor
|-
| Memory || 64MB DDR onboard memory chip
|-
| Root loader || RouterBOOT, 1Mbit Flash chip
|-
| Data storage || 128MB onboard NAND memory chip,
CompactFlash type I/II slot (also supports IBM/Hitachi Microdrive)
|-
| Ethernet ports || One IDT Korina 10/100 Mbit/s Fast Ethernet port supporting Auto-MDI/X,
Two VIA VT6105 10/100 Mbit/s Fast Ethernet ports supporting Auto-MDI/X
|-
| MiniPCI slot || Two MiniPCI Type IIIA/IIIB slots
|-
| Daughterboard connector || Present
|-
| Serial ports || One DB9 RS232C asynchronous serial port
|-
| LEDs || Power, 2 LED pairs for MiniPCI slots, 1 user LED
|-
| Watchdog || IDT internal SoC hardware watchdog timer
|-
| Power options || IEEE802.3af Power over Ethernet: 12V or 48V DC,
Power jack/header 6..22V or 25..56V DC jumper selectable. PoE does not support power over datalines
|-
| Dimensions || 14.0 cm x 14.0 cm (5.51 in x 5.51 in)
|-
| Temperature || Operational: -20°C to +70°C (-4°F to 158°F)
|-
| Humidity || Operational: 70% relative humidity (non-condensing)
|-
| Currently supported OS || RouterOS 2.9, Linux 2.4
|}
 
 
 
 
== Board specs ==
 
        Board type: 532A                                                       
    Serial number: 16C901CD44DB                                               
  Firmware version: 2.10                                                       
    CPU frequency: 399 MHz                                                   
      Memory size: 64 MB                                                     
  eth1 MAC address: 00:0C:42:10:1C:6C                                         
  eth2 MAC address: 00:0C:42:10:1C:6D                                         
  eth3 MAC address: 00:0C:42:10:1C:6E 
 
= Set up =
 
Support for the RouterBoard in [[OpenWrt]] seems to be pretty good, they have the latest releases prebuilt for the RouterBoard.
 
Install took 10 minutes including opening up the case. [http://wiki.openwrt.org/OpenWrtDocs/Hardware/Mikrotik/RB532?highlight=%28OpenWrtDocs/Hardware%29 OpenWrtDocs/Hardware/Mikrotik/RB532]
 
Support in dd-wrt is not good. There is an old beta.
 
== Reflashing with OpenWrt X-Wrt ==
 
http://wiki.openwrt.org/OpenWrtDocs/Hardware/Mikrotik/RB532
 
The simplest way is to download the CF image file from http://downloads.x-wrt.org/xwrt/kamikaze/ and then use 'dd' to copy it to a CF card, then put the CF into the RouterBoard and off you go.
 
Get the 128k image. The '''128k''' refers to the block size in the filesystem and it's good for CF cards.
 
Use the 'dd' command under Linux or Macintosh to copy the image to the CF card.
Cygwin includes a 'dd' command so if you are burdened with Windows you can still use dd. I did not get it working and ended up simply usng Linux. YMMV http://www.groupsrv.com/linux/about17777.html
 
dd if=/dev/sdb of=backupimage.bin
dd if=openwrt-rb532-jffs2-128k.bin of=/dev/sdb
 
The backup image is 256MB because that's the device size. Wastes some disk space but then again I delete it as soon as the RouterBoard is up and running again.
 
On my Macintosh with a USB card reader the command is almost the same, Macs are pretty cool actually.
 
sudo dd if=openwrt-rb532-jffs2-12k.bin of=/dev/disk1
 
 
= Configuration as gateway router =
 
== To-do ==
 
* Fix routing table
* dyndns updates
* ntp server? (client is working) (ntpd is installed)
* QoS
* netmeeting - use dmz
* dmz - allow OpenVpn access ?
* WiFi -
* DHCP for LAN?
* [[OpenVPN]]
* Scheduled QoS control?
* Crow? or similar
* WoL
 
== Serial console setting ==
 
Connect a serial cable and use "screen /dev/ttyS0 115200"
 
== Password ==
 
Root password set from the console port command line using "passwd".
Set to the usual root password.
 
== Ethernet ports ==
 
There are three, the one to the left of the serial port is eth0
To the right are eth1 and eth2
 
== Network ==
 
This is the '''/etc/config/network''' file, hand edited to create two networks.
There is a third etherport port (eth1) that is currently unused.
 
<pre>
config 'interface' 'loopback'
         option 'ifname' 'lo'
        option 'proto' 'static'
        option 'ipaddr' '127.0.0.1'
        option 'netmask' '255.0.0.0'
 
config 'interface' 'wan'
        option 'ifname' 'eth0'
        option 'proto' 'dhcp'
 
config 'interface' 'lan'
        option 'ifname' 'eth2'
         option 'proto' 'static'
         option 'ipaddr' '192.168.123.254'
         option 'netmask' '255.255.255.0'
</pre>
</pre>


==== Route command ====
=== Route command ===
 
At the console, add a default route through the old router (bellman) so that you can get the webif stuff running initially; you need to add some packages.


Adding a default route so that you can get the webif stuff running initially
route add default gw 192.168.123.1


route add -net 0.0.0.0 gw 192.168.123.254
=== Update resolv.conf ===
==== DHCP ====


We provide DHCP only to the DMZ zone.  
search wildsong.biz
nameserver 192.168.123.1
 
=== Packages added ===
 
After getting webif running use it to make these package additions/deletions.
Dependencies are shown in parentheses.
 
asterisk16-sounds (asterisk16, libncurses, libopenssl, libpopt, librt, libpthread, zlib)
asterisk16-chan-iax2
 
etherwake
ntpd
openvpn (kmod-tun liblzo)
updatedd-mod-dyndns (updatedd)
 
=== Packages removed ===
 
ppp
ppp-mod-pppoe
 
=== DHCP ===


<pre>
<pre>
Line 89: Line 645:
config dhcp                                                                     
config dhcp                                                                     
         option interface        dmz                                             
         option interface        dmz                                             
         option start    100                                                      
         option start    190                                                      
         option limit    150                                                      
         option limit    199                                                      
         option leasetime        12h                                              
         option leasetime        1h                                              
                                                                                  
                                                                                  
config dhcp                                                                     
config dhcp                                                                     
Line 98: Line 654:
</pre>
</pre>


==== Dyndns ====
=== Dyndns ===


Installed changeip client.
Comes with changeip client, which can be configured with your
username password


==== Firewall ====
=== Firewall ===


Not set up yet.
Set up from WebIf.
Note that the rule names cannot have spaces in them


==== NTP ====
<pre>
config 'defaults'                                                             
        option 'syn_flood' '1'                                                 
        option 'input' 'ACCEPT'                                               
        option 'output' 'ACCEPT'                                               
        option 'forward' 'REJECT'                                             
                                                                               
config 'zone'                                                                 
        option 'name' 'lan'                                                   
        option 'input' 'ACCEPT'                                               
        option 'output' 'ACCEPT'                                               
        option 'forward' 'REJECT'                                             
                                                                               
config 'zone'                                                                 
        option 'name' 'wan'                                                   
        option 'input' 'REJECT'                                               
        option 'output' 'ACCEPT'                                               
        option 'forward' 'REJECT'                                             
        option 'masq' '1'                                                     
                                                                               
config 'forwarding'                                                           
        option 'src' 'lan'                                                     
        option 'dest' 'wan'                                                   
                                                                               
config 'redirect' 'Bellman_SSH'                                               
        option 'src' 'wan'                                                     
        option 'dest_ip' '192.168.123.1'                                       
        option 'dest_port' '22'                                               
        option 'proto' 'tcp'                                                   
        option 'src_ip' ''                                                     
        option 'src_dport' '22'                                               
                                                                               
config 'redirect' 'AsteriskIAX2'                                               
        option 'src' 'wan'                                                     
        option 'dest_ip' '10.127.32.28'                                       
        option 'dest_port' '4569'                                             
        option 'proto' 'udp'                                                   
        option 'src_ip' ''                                                     
        option 'src_dport' '4569'                                             
                                                                                                                                                                                                       
config 'redirect' 'OpenVpn'                                                   
        option 'src' 'wan'                                                     
        option 'proto' 'udp'                                                   
        option 'dest_ip' '10.127.32.27'                                       
        option 'dest_port' '1194'                                             
        option 'src_ip' ''                                                     
        option 'src_dport' '1194'                                             
                                                                                                                           
                                                                               
config 'forwarding'                                                           
        option 'src' 'lan'                                                     
        option 'dest' 'dmz'                                                   
                                                                               
config 'forwarding'                                                           
        option 'src' 'dmz'                                                     
        option 'dest' 'wan'       
</pre>
 
=== NTP ===


Set timezone to US/Pacific
Set timezone to US/Pacific
Installed client.
Set servers to {0,1,2}.pool.ntp.org


==== QoS ====
Add this line to ntp.conf
 
restrict 192.168.123.0 mask 255.255.255.0
 
Add link to /etc/rc.d so that ntpd will start, you can do this in webIf services page.
 
=== QoS ===


Install but not configured yet.
Install but not configured yet.
Line 118: Line 740:
A way to switch it down to a low bandwidth manually would be good.
A way to switch it down to a low bandwidth manually would be good.


==== SNMP ====
=== SNMP ===


Not installed or configured yet. Could be set to log to cacti on Kilchis
Installed but not configured yet.


==== SSL ====
=== SSL ===


Installed MatrixSSL so that we can connect to router using a secure connection.
Installed MatrixSSL so that we can connect to router using a secure connection.


==== Syslog ====
=== Syslog ===


Set to log to Kilchis. 10.127.32.27/514
Set to log to Bellman.  
Do a MARK every 20 minutes.


==== Wake-On-Lan ====
=== Wake-On-Lan ===


12/22/07 Not available yet in X-Wrt. This would allow us to power on Desktop machines remotely.
Installed not configured yet


=== VPN ===
=== VPN ===


==== L2TPns ====
=== OpenVPN ===


Have not looked into this one yet.
This end will connect with AGI's and keep the connection nailed up.
I suppose I could also allow access back in from the world at large but that is not my primary objective.


==== OpenVPN ====
So I do the usual - copy the config files from the AGI server and then start it up.
                                             
== Phone server options ==
 
These are available as packages for OpenWrt


Installed package. Not configured yet.
# Asterisk 1.4, 1.6 - a pain to debug configurations
# FreeSwitch - B2BUA/media gateway
# kamailio
# OpenSER 1.0.1-1 - Outdated version, it's called OpenSIPS now
# OpenSIPS 1.5.3-1 - SIP Proxy


==== PPTP ====
FreeSwitch is divided into many packages. I am installing it on the system that I have been running Asterisk on, so that I can try it out on a real computer.


12/22/07 Not set up yet for X-WRT
[[Category: Network]]
[[Category: System Administration]]
[[Category: Wireless]]

Latest revision as of 18:32, 9 August 2015

2014-Mar-18 Currently has X-Wrt software installed on it.

Overview

This page is about RB532A. is a surplus piece of hardware that worked for a time as a firewall at work, then as an openvpn server at my house.

See also Mikrotik RouterBoard RB411

Official documentation can be found at http://www.routerboard.com/rb500.html A local copy of the user guide is here: File:RouterBoard500 userguide.pdf

Command line access: serial console 115200 8N1 (usually from Roaring using minicom) or ssh

Web interface: http://10.127.32.1/ or https://routerboard/ or from outside the lan at https://alseageo.dyndns.biz/


KAMIKAZE with X-Wrt Extensions 8.09 Web management console Webif2

       Board type: 532A                                                        
    Serial number: 16C901CD44DB                                                
 Firmware version: 2.10                                                        
    CPU frequency: 399 MHz                                                     
      Memory size: 64 MB                                                       
 eth1 MAC address: 00:0C:42:10:1C:6C                                           
 eth2 MAC address: 00:0C:42:10:1C:6D                                           
 eth3 MAC address: 00:0C:42:10:1C:6E

To-do

  • QoS
  • dmz - allow OpenVpn access ?
  • OpenVPN - switch over from Kilchis?
  • Scheduled QoS control?
  • Crow? or similar
  • WoL

I tried to override the WAN interface default MAC address so that Comcast would not change our public IP address but for some reason that feature in the GUI fails.

Reflashing

http://wiki.openwrt.org/OpenWrtDocs/Hardware/Mikrotik/RB532

The simplest way is to simply download the CF image file from http://downloads.x-wrt.org/xwrt/kamikaze/ and then use 'dd' to copy it to a CF card, then put the CF into the RouterBoard and off you go.

Get the 128k image. The 128k refers to the block size in the filesystem and it's good for CF cards.

The healthy way to copy binary images to CF is 'dd' under Linux. Cygwin includes a 'dd' command so if you are burdened with Windows you can still use dd. I did not get it working and ended up simply usng Linux. YMMV http://www.groupsrv.com/linux/about17777.html

dd if=/dev/sdb of=backupimage.bin
dd if=openwrt-rb532-jffs2-128k.bin of=/dev/sdb

The backup image is 256MB because that's the device size. Wastes some disk space but then again I delete it as soon as the RouterBoard is up and running again.

Available distributions

OpenWRT and X-WRT are installed.

Support for it in OpenWrt seems to be pretty good, they have the latest releases prebuilt for the RouterBoard. I used instructions in this page to get it loaded.

I installed KAMIKAZE (7.09) then later I found out about X-WRT and installed their version from http://downloads.x-wrt.org/xwrt/kamikaze/

I no longer put all 4 screws into the MicroTik case. :-)

Install took 10 minutes including opening up the case. OpenWrtDocs/Hardware/Mikrotik/RB532

DD-WRT Support in dd-wrt is not good. There is an old beta.

CF layout

Kamikaze fits in a 16MB flash so any old CF card will do for booting.

Ethernet ports

There are three, the one to the left of the serial port is eth0 To the right are eth1 and eth2

By default in Kamikaze eth0 is in DHCP so it would make a good WAN port

Miscellaneous configuration notes

Password

Root password set from the console port command line using "passwd". Set to the usual root password.

Network

I hand edited this config file to create three networks. Should be possible to do it all from the GUI but maybe that did not work back when I originally set it up.

The WAN interface has its MAC address overridden so that it uses the same MAC as the old D-Link router. That way switching back and forth between the RouterBoard and the D-Link should not cause our Comcast DHCP address to change.

Note this did not work -- maybe I have the syntax wrong in the file? I had to go into the command line and override the setting like this

ifconfig eth0 down
ifconfig eth0 hw ether '00:0D:88:5F:E8:90'

It loses the settings when I reboot, so I am ignoring it for the moment. We have a new IP address, darn.

Contents of /etc/config/network file.

 config 'interface' 'loopback'
        option 'ifname' 'lo'
        option 'proto' 'static'
        option 'ipaddr' '127.0.0.1'
        option 'netmask' '255.0.0.0'

config 'interface' 'wan'
        option 'ifname' 'eth0'
        option 'proto' 'dhcp'
        option 'macaddr' '00:0D:88:5F:E8:90'

config 'interface' 'lan'
        option 'ifname' 'eth1'
        option 'proto' 'static'
        option 'ipaddr' '10.127.32.1'
        option 'netmask' '255.0.0.0'

config 'interface' 'dmz'
        option 'ifname' 'eth2'
        option 'proto'  'static'
        option 'ipaddr' '192.168.123.249' # at home for testing
        option 'netmask' '255.255.255.0'

Route command

Adding a default route so that you can get the webif stuff running initially; you need to add some packages.

route add default gw 192.168.123.254

Packages added

After getting webif running I use it to make these package additions/deletions.

etherwake
ntpd
openvpn
tcpdump
wol
nbd's QoS scripts

Packages removed

ppp
ppp-mod-pppoe

DHCP

We provide DHCP only to the DMZ zone.

/etc/config/dhcp
config dhcp                                                                     
        option interface        lan                                             
        option ignore   1                                                       
                                                                                
config dhcp                                                                     
        option interface        dmz                                             
        option start    190                                                     
        option limit    199                                                     
        option leasetime        1h                                             
                                                                                
config dhcp                                                                     
        option interface        wan                                             
        option ignore   1 

DNS

dnsmasq is installed but I am not currently using it.

I put this in /etc/resolv.conf so that it will use Kilchis to resolve names.

nameserver 10.127.32.27
domain alseageo.com

Dyndns

There is a DynDNS tab under Network in the GUI. You can install and configure dyndns service.

Another way to do this is via ddclient on Kilchis, which is currently disabled. It used to run once per hour from /etc/cron.hourly/ddclient.

The config file for dyndns on the routerboard is /etc/config/updatedd:

config 'updatedd'
       option 'update' '0'
       option 'service' 'changeip'
       option 'username' 'alseageo'
       option 'password' 'ice9viva'
       option 'host' 'members.dyndns.org'

Firewall

Set up from WebIf. Note that the rule names cannot have spaces in them

config 'defaults'                                                               
        option 'syn_flood' '1'                                                  
        option 'input' 'ACCEPT'                                                 
        option 'output' 'ACCEPT'                                                
        option 'forward' 'REJECT'                                               
                                                                                
config 'zone'                                                                   
        option 'name' 'lan'                                                     
        option 'input' 'ACCEPT'                                                 
        option 'output' 'ACCEPT'                                                
        option 'forward' 'REJECT'                                               
                                                                                
config 'zone'                                                                   
        option 'name' 'wan'                                                     
        option 'input' 'REJECT'                                                 
        option 'output' 'ACCEPT'                                                
        option 'forward' 'REJECT'                                               
        option 'masq' '1'                                                       
                                                                                
config 'forwarding'                                                             
        option 'src' 'lan'                                                      
        option 'dest' 'wan'                                                     
                                                                                
config 'redirect' 'Kilchis_SSH'                                                 
        option 'src' 'wan'                                                      
        option 'dest_ip' '10.127.32.27'                                         
        option 'dest_port' '22'                                                 
        option 'proto' 'tcp'                                                    
        option 'src_ip' ''                                                      
        option 'src_dport' '22'                                                 
                                                                                
config 'redirect' 'AsteriskIAX2'                                                
        option 'src' 'wan'                                                      
        option 'dest_ip' '10.127.32.28'                                         
        option 'dest_port' '4569'                                               
        option 'proto' 'udp'                                                    
        option 'src_ip' ''                                                      
        option 'src_dport' '4569'                                               
                                                                                
config 'redirect' 'ODOT_ProdDemo'                                               
        option 'src' 'wan'                                                      
        option 'dest_ip' '10.127.32.34'                                         
        option 'dest_port' '80'                                                 
        option 'proto' 'tcp'                                                    
        option 'src_ip' ''                                                      
        option 'src_dport' '80'                                                
                                                                                
config 'redirect' 'OpenVpn'                                                     
        option 'src' 'wan'                                                      
        option 'proto' 'udp'                                                    
        option 'dest_ip' '10.127.32.27'                                         
        option 'dest_port' '1194'                                               
        option 'src_ip' ''                                                      
        option 'src_dport' '1194'                                               
                                                                                
config 'redirect' 'Subversion'                                                  
        option 'src' 'wan'                                                      
        option 'proto' 'tcp'                                                    
        option 'dest_port' '44555'                                              
        option 'dest_ip' '10.127.32.27'                                         
        option 'src_ip' ''                                                      
        option 'src_dport' '44555'                                              
            
config 'forwarding'                                                             
        option 'src' 'lan'                                                      
        option 'dest' 'dmz'                                                     
                                                                                
config 'forwarding'                                                             
        option 'src' 'dmz'                                                      
        option 'dest' 'wan'         

NTP

Set timezone to US/Pacific Set servers to {0,1,2}.pool.ntp.org

NOTE: The standard WebIF ntp client has been removed from the GUI package manager.

I enabled the ntpd like this:

cd /etc/rc.d
ln -s ../init.d/ntpd S99ntpd

All I had to change in ntp.conf was to add a rule allowing our 10.x.x.x clients.

cat ntp.conf

# use a random selection of 8 public stratum 2 servers
# see http://twiki.ntp.org/bin/view/Servers/NTPPoolServers

#restrict default nomodify notrap noquery
#restrict default noquery

restrict 127.0.0.1
restrict 10.0.0.0 netmask 255.0.0.0

driftfile  /tmp/ntp.drift

server 0.openwrt.pool.ntp.org iburst
server 1.openwrt.pool.ntp.org iburst
server 2.openwrt.pool.ntp.org iburst
server 3.openwrt.pool.ntp.org iburst

# GPS(NMEA)+PPS
#server 127.127.20.0 minpoll 4 prefer
#fudge 127.127.20.0 flag3 1 flag2 0

# SMA PPS
#server 127.127.28.0 minpoll 4 prefer
#fudge 127.127.28.0 refid PPS flag3 1

#server 192.168.1.253

QoS

Install but not configured yet. I'd like to use this to control bandwidth used for offsite backups. I want full utilization at night and 200 Kbps during business hours. A way to switch it down to a low bandwidth manually would be good.

SNMP

Installed but not configured yet. Could be set to log to Cacti on Kilchis

SSL

Installed MatrixSSL so that we can connect to router using a secure connection.

Syslog

Set to log to Kilchis. 10.127.32.27/514

Wake-On-Lan

Installed not configured

VPN

OpenVPN

Installed package. Not configured yet.

dmesg output

# dmesg                                                           
Linux version 2.6.24.7 ([email protected]) (gcc version 4.1.2) #1 Fr8
CPU revision is: 0001800a (MIPS 4Kc)                                            
Determined physical RAM map:                                                    
 memory: 03fffa00 @ 00000400 (usable)                                           
Wasting 32 bytes for tracking 1 unused pages                                    
Entering add_active_range(0, 1, 16383) 0 entries of 256 used                    
Initrd not found or empty - disabling initrd                                    
Zone PFN ranges:                                                                
  Normal          1 ->    16383                                                 
Movable zone start PFN for each node                                            
early_node_map[1] active PFN ranges                                             
    0:        1 ->    16383                                                     
On node 0 totalpages: 16382                                                     
  Normal zone: 127 pages used for memmap                                        
  Normal zone: 0 pages reserved                                                 
  Normal zone: 16255 pages, LIFO batch:3                                        
  Movable zone: 0 pages used for memmap                                         
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16255      
Kernel command line: console=ttyS0,115200 gpio=16383 kmac=00:0C:42:10:1C:6C boa 
korina mac = 00:0C:42:10:1C:6C                                                  
Primary instruction cache 8kB, VIPT, 4-way, linesize 16 bytes.                  
Primary data cache 8kB, 4-way, VIPT, no aliases, linesize 16 bytes              
Synthesized clear page handler (26 instructions).                               
Synthesized copy page handler (46 instructions).                                
Synthesized TLB refill handler (20 instructions).                               
Synthesized TLB load handler fastpath (32 instructions).                        
Synthesized TLB store handler fastpath (32 instructions).                       
Synthesized TLB modify handler fastpath (31 instructions).                      
Initializing IRQ's: 168 out of 256                                              
PID hash table entries: 256 (order: 8, 1024 bytes)                              
calculating r4koff... 001e846c(1999980)                                         
CPU frequency 400.00 MHz                                                        
console [ttyS0] enabled                                                         
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)                   
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)                    
Memory: 60992k/65528k available (2069k kernel code, 4468k reserved, 566k data, )
Calibrating delay loop... 398.95 BogoMIPS (lpj=1994752)                         
Mount-cache hash table entries: 512                                             
net_namespace: 64 bytes                                                         
NET: Registered protocol family 16                                              
PCI: Initializing PCI                                                           
registering PCI controller with io_map_base unset                               
NET: Registered protocol family 2                                               
Time: MIPS clocksource has been installed.                                      
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)                  
TCP established hash table entries: 2048 (order: 2, 16384 bytes)                
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)                        
TCP: Hash tables configured (established 2048 bind 2048)                        
TCP reno registered                                                             
squashfs: version 3.0 (2006/03/15) Phillip Lougher                              
JFFS2 version 2.2. (NAND) (SUMMARY)  �© 2001-2006 Red Hat, Inc.                 
yaffs Nov  7 2008 15:30:24 Installing.                                          
io scheduler noop registered                                                    
io scheduler deadline registered (default)                                      
Serial: 8250/16550 driver $Revision: 1.90 $ 2 ports, IRQ sharing disabled       
serial8250: ttyS0 at MMIO 0x0 (irq = 104) is a 16550A                           
cf-mips module loaded                                                           
cf-mips: resetting..                                                            
cf-mips: identify drive..                                                       
cf-mips: CF card detected, C/H/S=998/16/32 sectors=510976 (249MB) Serial=ASH   0
cf-mips: detecting block size                                                   
cf-mips: multiple sectors = 1                                                   
init done<6> cfa: cfa1 cfa2                                                     
eth0: Rx IRQ 40, Tx IRQ 41, 00:0c:42:10:1c:6c                                   
via-rhine.c:v1.10-LK1.4.3 2007-03-06 Written by Donald Becker                   
PCI: Enabling device 0000:00:02.0 (0080 -> 0083)                                
PCI: Setting latency timer of device 0000:00:02.0 to 64                         
io_map_base of root PCI bus 0000:00 unset.  Trying to continue but you better   
fix this issue or report it to [email protected] or your vendor.        
To avoid data corruption io_map_base MUST be set with multiple PCI domains.<6>e.
eth1: MII PHY found at address 1, status 0x7849 advertising 05e1 Link 0000.     
PCI: Enabling device 0000:00:03.0 (0080 -> 0083)                                
PCI: Setting latency timer of device 0000:00:03.0 to 64                         
eth2: VIA Rhine III at 0xb8800100, 00:0c:42:10:1c:6e, IRQ 143.                  
eth2: MII PHY found at address 1, status 0x7849 advertising 05e1 Link 0000.     
block2mtd: version $Revision: 1.30 $                                            
Creating 1 MTD partitions on "/dev/cfa2":                                       
0x00000000-0x03020000 : "/dev/cfa2"                                             
block2mtd: mtd0: [/dev/cfa2] erase_size = 128KiB [131072]                       
NAND device: Manufacturer ID: 0xad, Chip ID: 0xf1 (Hynix NAND 128MiB 3,3V 8-bit)
Scanning device for bad blocks                                                  
Bad eraseblock 61 at 0x007a0000                                                 
Creating 2 MTD partitions on "NAND 128MiB 3,3V 8-bit":                          
0x00000000-0x00400000 : "Routerboard NAND boot"                                 
0x00400000-0x08000000 : "rootfs"                                                
mtd: partition "rootfs" set to be root filesystem                               
split_squashfs: no squashfs found in "NAND 128MiB 3,3V 8-bit"                   
No IRQF_TRIGGER set_type function for IRQ 1 (RB500)                             
input: gpio-keys as /devices/platform/gpio-keys/input/input0                    
Registered led device: rb500led:amber                                           
nf_conntrack version 0.5.0 (1024 buckets, 4096 max)                             
TCP vegas registered                                                            
NET: Registered protocol family 1                                               
NET: Registered protocol family 17                                              
802.1Q VLAN Support v1.8 Ben Greear <[email protected]>                   
All bugs added by David S. Miller <[email protected]>                            
jffs2_scan_eraseblock(): End of filesystem marker found at 0x220000             
jffs2_build_filesystem(): unlocking the mtd device... done.                     
jffs2_build_filesystem(): erasing all blocks after the end marker... done.      
VFS: Mounted root (jffs2 filesystem) readonly.                                  
Freeing unused kernel memory: 128k freed                                        
Please be patient, while OpenWrt loads ...                                      
Algorithmics/MIPS FPU Emulator v1.5                                             
PPP generic driver version 2.4.2                                                
ip_tables: (C) 2000-2006 Netfilter Core Team                                    
wlan: trunk                                                                     
ath_hal: module license 'Proprietary' taints kernel.                            
ath_hal: 2008-10-02 (AR5210, AR5211, AR5212, AR5416, RF5111, RF5112, RF2413, RF)
ath_rate_minstrel: Minstrel automatic rate control algorithm 1.2 (trunk)        
ath_rate_minstrel: look around rate set to 10%                                  
ath_rate_minstrel: EWMA rolloff level set to 75%                                
ath_rate_minstrel: max segment size in the mrr set to 6000 us                   
wlan: mac acl policy registered                                                 
ath_pci: trunk                                                                  
root@OpenWrt:/# 

Hardware

It's installed in a plain black box and powered by a wall wart power supply that were both purchased directly from Microtik.

RouterBOARD 532A Specifications

CPU MIPS 32 4Kc based 266MHz (BIOS adjustable from 200 to 400MHz; 400MHz default and recommended) embedded processor
Memory 64MB DDR onboard memory chip
Root loader RouterBOOT, 1Mbit Flash chip
Data storage 128MB onboard NAND memory chip,

CompactFlash type I/II slot (also supports IBM/Hitachi Microdrive)

Ethernet ports One IDT Korina 10/100 Mbit/s Fast Ethernet port supporting Auto-MDI/X,

Two VIA VT6105 10/100 Mbit/s Fast Ethernet ports supporting Auto-MDI/X

MiniPCI slot Two MiniPCI Type IIIA/IIIB slots
Daughterboard connector Present
Serial ports One DB9 RS232C asynchronous serial port
LEDs Power, 2 LED pairs for MiniPCI slots, 1 user LED
Watchdog IDT internal SoC hardware watchdog timer
Power options IEEE802.3af Power over Ethernet: 12V or 48V DC,

Power jack/header 6..22V or 25..56V DC jumper selectable. PoE does not support power over datalines

Dimensions 14.0 cm x 14.0 cm (5.51 in x 5.51 in)
Temperature Operational: -20°C to +70°C (-4°F to 158°F)
Humidity Operational: 70% relative humidity (non-condensing)
Currently supported OS RouterOS 2.9, Linux 2.4



Board specs

       Board type: 532A                                                        
    Serial number: 16C901CD44DB                                                
 Firmware version: 2.10                                                        
    CPU frequency: 399 MHz                                                     
      Memory size: 64 MB                                                       
 eth1 MAC address: 00:0C:42:10:1C:6C                                           
 eth2 MAC address: 00:0C:42:10:1C:6D                                           
 eth3 MAC address: 00:0C:42:10:1C:6E   

Set up

Support for the RouterBoard in OpenWrt seems to be pretty good, they have the latest releases prebuilt for the RouterBoard.

Install took 10 minutes including opening up the case. OpenWrtDocs/Hardware/Mikrotik/RB532

Support in dd-wrt is not good. There is an old beta.

Reflashing with OpenWrt X-Wrt

http://wiki.openwrt.org/OpenWrtDocs/Hardware/Mikrotik/RB532

The simplest way is to download the CF image file from http://downloads.x-wrt.org/xwrt/kamikaze/ and then use 'dd' to copy it to a CF card, then put the CF into the RouterBoard and off you go.

Get the 128k image. The 128k refers to the block size in the filesystem and it's good for CF cards.

Use the 'dd' command under Linux or Macintosh to copy the image to the CF card. Cygwin includes a 'dd' command so if you are burdened with Windows you can still use dd. I did not get it working and ended up simply usng Linux. YMMV http://www.groupsrv.com/linux/about17777.html

dd if=/dev/sdb of=backupimage.bin
dd if=openwrt-rb532-jffs2-128k.bin of=/dev/sdb

The backup image is 256MB because that's the device size. Wastes some disk space but then again I delete it as soon as the RouterBoard is up and running again.

On my Macintosh with a USB card reader the command is almost the same, Macs are pretty cool actually.

sudo dd if=openwrt-rb532-jffs2-12k.bin of=/dev/disk1


Configuration as gateway router

To-do

  • Fix routing table
  • dyndns updates
  • ntp server? (client is working) (ntpd is installed)
  • QoS
  • netmeeting - use dmz
  • dmz - allow OpenVpn access ?
  • WiFi -
  • DHCP for LAN?
  • OpenVPN
  • Scheduled QoS control?
  • Crow? or similar
  • WoL

Serial console setting

Connect a serial cable and use "screen /dev/ttyS0 115200"

Password

Root password set from the console port command line using "passwd". Set to the usual root password.

Ethernet ports

There are three, the one to the left of the serial port is eth0 To the right are eth1 and eth2

Network

This is the /etc/config/network file, hand edited to create two networks. There is a third etherport port (eth1) that is currently unused.

config 'interface' 'loopback'
        option 'ifname' 'lo'
        option 'proto' 'static'
        option 'ipaddr' '127.0.0.1'
        option 'netmask' '255.0.0.0'

config 'interface' 'wan'
        option 'ifname' 'eth0'
        option 'proto' 'dhcp'

config 'interface' 'lan'
        option 'ifname' 'eth2'
        option 'proto' 'static'
        option 'ipaddr' '192.168.123.254'
        option 'netmask' '255.255.255.0'

Route command

At the console, add a default route through the old router (bellman) so that you can get the webif stuff running initially; you need to add some packages.

route add default gw 192.168.123.1

Update resolv.conf

search wildsong.biz
nameserver 192.168.123.1

Packages added

After getting webif running use it to make these package additions/deletions. Dependencies are shown in parentheses.

asterisk16-sounds (asterisk16, libncurses, libopenssl, libpopt, librt, libpthread, zlib)
asterisk16-chan-iax2
etherwake
ntpd
openvpn (kmod-tun liblzo)
updatedd-mod-dyndns (updatedd)

Packages removed

ppp
ppp-mod-pppoe

DHCP

/etc/config/dhcp
config dhcp                                                                     
        option interface        lan                                             
        option ignore   1                                                       
                                                                                
config dhcp                                                                     
        option interface        dmz                                             
        option start    190                                                     
        option limit    199                                                     
        option leasetime        1h                                             
                                                                                
config dhcp                                                                     
        option interface        wan                                             
        option ignore   1 

Dyndns

Comes with changeip client, which can be configured with your username password

Firewall

Set up from WebIf. Note that the rule names cannot have spaces in them

config 'defaults'                                                               
        option 'syn_flood' '1'                                                  
        option 'input' 'ACCEPT'                                                 
        option 'output' 'ACCEPT'                                                
        option 'forward' 'REJECT'                                               
                                                                                
config 'zone'                                                                   
        option 'name' 'lan'                                                     
        option 'input' 'ACCEPT'                                                 
        option 'output' 'ACCEPT'                                                
        option 'forward' 'REJECT'                                               
                                                                                
config 'zone'                                                                   
        option 'name' 'wan'                                                     
        option 'input' 'REJECT'                                                 
        option 'output' 'ACCEPT'                                                
        option 'forward' 'REJECT'                                               
        option 'masq' '1'                                                       
                                                                                
config 'forwarding'                                                             
        option 'src' 'lan'                                                      
        option 'dest' 'wan'                                                     
                                                                                
config 'redirect' 'Bellman_SSH'                                                 
        option 'src' 'wan'                                                      
        option 'dest_ip' '192.168.123.1'                                         
        option 'dest_port' '22'                                                 
        option 'proto' 'tcp'                                                    
        option 'src_ip' ''                                                      
        option 'src_dport' '22'                                                 
                                                                                
config 'redirect' 'AsteriskIAX2'                                                
        option 'src' 'wan'                                                      
        option 'dest_ip' '10.127.32.28'                                         
        option 'dest_port' '4569'                                               
        option 'proto' 'udp'                                                    
        option 'src_ip' ''                                                      
        option 'src_dport' '4569'                                               
                                                                                                                                                                                                        
config 'redirect' 'OpenVpn'                                                     
        option 'src' 'wan'                                                      
        option 'proto' 'udp'                                                    
        option 'dest_ip' '10.127.32.27'                                         
        option 'dest_port' '1194'                                               
        option 'src_ip' ''                                                      
        option 'src_dport' '1194'                                               
                                                                                                                             
                                                                                
config 'forwarding'                                                             
        option 'src' 'lan'                                                      
        option 'dest' 'dmz'                                                     
                                                                                
config 'forwarding'                                                             
        option 'src' 'dmz'                                                      
        option 'dest' 'wan'         

NTP

Set timezone to US/Pacific Set servers to {0,1,2}.pool.ntp.org

Add this line to ntp.conf

restrict 192.168.123.0 mask 255.255.255.0

Add link to /etc/rc.d so that ntpd will start, you can do this in webIf services page.

QoS

Install but not configured yet. I'd like to use this to control bandwidth used for offsite backups. I want full utilization at night and 200 Kbps during business hours. A way to switch it down to a low bandwidth manually would be good.

SNMP

Installed but not configured yet.

SSL

Installed MatrixSSL so that we can connect to router using a secure connection.

Syslog

Set to log to Bellman.

Wake-On-Lan

Installed not configured yet

VPN

OpenVPN

This end will connect with AGI's and keep the connection nailed up. I suppose I could also allow access back in from the world at large but that is not my primary objective.

So I do the usual - copy the config files from the AGI server and then start it up.

Phone server options

These are available as packages for OpenWrt

  1. Asterisk 1.4, 1.6 - a pain to debug configurations
  2. FreeSwitch - B2BUA/media gateway
  3. kamailio
  4. OpenSER 1.0.1-1 - Outdated version, it's called OpenSIPS now
  5. OpenSIPS 1.5.3-1 - SIP Proxy

FreeSwitch is divided into many packages. I am installing it on the system that I have been running Asterisk on, so that I can try it out on a real computer.