Setting up a gateway on OpenWRT
This Wiki provides operators a straightforward method of configuring your OpenWrt device for use with the [[ARDC]] network.

== Running the [[RIP| RIP44 protocol]] ==
'''NOTE:'''
* To operate a [[Gateway]] on [[AMPRNet]], you must run software to obtain up-to-date route information - a variant of the [https://en.wikipedia.org/wiki/Routing_Information_Protocol RIP version 2] protocol named [[RIP| RIP44]] is used
* The implementations of [https://en.wikipedia.org/wiki/Routing_Information_Protocol RIP version 2] and RIP44 '''[[RIP#What's the difference?|are not the same]]'''
''Therefore:''
* '''You must have access to a binary [https://en.wikipedia.org/wiki/Executable executable] of [[ampr-ripd]] that is compatible with the [https://en.wikipedia.org/wiki/Central_processing_unit CPU] in your OpenWrt device (e.g. i386, i586, x86_64, MIPS, PPC, etc.). If you do not, you must [https://en.wikipedia.org/wiki/Compiler compile] ampr-ripd yourself, or install the packages necessary to run [[rip44d]].'''
* '''[[ampr-ripd]]''' (written in C by YO2LOJ) is used in this Wiki example, as it requires fewer prerequisite packages (e.g. the C++ library) than [[rip44d]]
* ''There is also an experimental [[RIP44.lua]] daemon which should run with standard packages''
* ''For information about compiling for OpenWrt devices, see:''
** [https://openwrt.org/docs/guide-developer/crosscompile Cross Compile - OpenWrt]
** [https://openwrt.org/docs/start OpenWrt Manual]

== Before we begin - assumptions ==
'''NOTE - ''' ''these instructions assume:''
* That you have been assigned AMPRNet IP address allocations that are properly claimed; and your [[Gateway]] IP or hostname configured on your account in the [[Portal]]
* ''While not a requirement, that the allocation is /30 (preferably /29) or larger - that you have enough usable IPs for: tunl0, AMPRLAN and for downstream client usage''
** NAT is not used on the AMPRLAN side of this example
* '''That you have properly enabled DNS PTR records with your AMPRNet regional coordinator - this enables global IP addresses usage'''
* That you intend to configure your OpenWrt-based (version 14.07 or greater) AMPRNet [[Gateway]] to be a [https://en.wikipedia.org/wiki/Stateful_firewall stateful firewall] for your AMPRNet allocations (i.e. enabling connection tracking). If you prefer to forward all traffic to your allocated AMPRNet IP addresses, you may follow these instructions; but configure your Firewall Zones to forward all traffic to/from AMPRLAN to AMPRWAN
* These instructions configure your AMPRNet Tunnel and AMPRNet Local Interfaces in their own [https://en.wikipedia.org/wiki/Policy-based_routing policy-based routing] scenario; and place all local AMPRNet allocations in the main routing instance (you must provide routing rules for your local AMPR subnets to reach local subnets, if you desire)
* Since the OpenWrt Kernel is aware that your AMPRNet allocations exist locally (and are populated on the MAIN ROUTING TABLE), you must provide routing rules for AMPRLAN to reach these local subnets, or omit those rules (not permitting your AMPRLAN to route to your local subnets)
* Lastly, that the user:
** can navigate the default OpenWrt LuCI web-based graphical user interface locally; and that they are using a device capable of having the packages installed
** is familiar with the [https://en.wikipedia.org/wiki/Chmod chmod] command, and/or
** is familiar with entering OpenWrt UCI (Unified Configuration Interface) commands by serial console or SSH.
== Setup and configuration of OpenWrt ==
'''Install:'''
* [https://openwrt.org/packages/pkgdata/kmod-ipip kmod-ipip]
* [https://openwrt.org/packages/pkgdata/ip-full ip-full]
* [https://openwrt.org/packages/pkgdata/libstdcpp libstdcpp] (depending on version, it may now be named [https://openwrt.org/packages/pkgdata/libstdcpp6 libstdcpp6])
'''Paste:'''
* '''[[ampr-ripd]]''' to '''/etc/config/''' (always run the [[RIP| RIP44]] software in console mode FIRST after installation to verify execution and obtain the password; the execution of the file is commented out below)
* ''optional'' - dynamic firewall script to /etc/config/load_ipipfilter.sh (see the [[Firewalls#ipset|ipset]] section of the firewall wiki)
* the following to /etc/rc.local or on the web GUI at '''System > Startup > Local Startup:'''
<pre>
ip tunnel add tunl0
ip tunnel change tunl0 mode ipip ttl 64 tos inherit pmtudisc
# Optional: assign a single /32 IP to tunl0
# needed if you use the -L ampr-ripd argument
# or to test the AMPRWAN side of the connection
# ip addr add 44.xxx.xxx.xxx/32 dev tunl0
ip link set tunl0 mtu 1480 up
# This directory is not persistent on OpenWrt, it must be made on boot for dynamic filtering
mkdir /var/lib/ampr-ripd
# A blank bootstrap file must be created at /etc/config/encap.txt for this to work
# Running "touch /etc/config/encap.txt" once can create it,
# after which you may run ampr-ripd to populate it
# (/var is a symlink to /tmp on OpenWrt, so /tmp/lib/ampr-ripd is the directory created above)
ln -s /etc/config/encap.txt /tmp/lib/ampr-ripd/encap.txt
# Dynamic filter: the script is executed by the -x argument
# Dynamic filter: the -s argument creates encap.txt
# ./etc/config/ampr-ripd -p <PASSWORD> -s -t 44 -a <44.xxx.xxx.xxx/xx> -x ./etc/config/load_ipipfilter.sh &
## Allows traceroute to respond using the 44net IP of tunl0 or br-amprlan ##
echo 1 > /proc/sys/net/ipv4/icmp_errors_use_inbound_ifaddr
</pre>
''AMPRNet Policy Routes''
<pre>
# add this IP Route to /etc/config/network
config route
	option interface 'amprwan'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option gateway '<AMPRGW>'
	option onlink '1'
	option table '44'
</pre>
''AMPRNet Policy Rules''
<pre>
# add these IP Rules to /etc/config/network
# OPTIONAL AMPR TO LAN RULES (NUMBER 22-2X ACCORDINGLY)
config rule
	option src '44.xxx.xxx.0/24'
	option dest '192.168.xxx.0/24'
	option priority '22'
	option lookup 'main'
# ADD A MAIN RULE FOR EVERY LOCAL AMPR SUBNET (RENUMBER 44-4X ACCORDINGLY)
config rule
	option dest '44.xxx.xxx.0/24'
	option priority '44'
	option lookup 'main'
# This ensures all traffic received on tunl0 uses table 44
config rule
	option in 'amprwan'
	option dest '0.0.0.0/0'
	option priority '45'
	option lookup '44'
# Add this after you create the AMPRLAN bridge; this ensures all traffic from AMPRLAN uses table 44
config rule
	option in 'amprnet'
	option dest '0.0.0.0/0'
	option priority '46'
	option lookup '44'
# You must add an IP rule for every 44net subnet residing on the device
config rule
	option src '44.xxx.xxx.0/24'
	option priority '47'
	option lookup '44'
</pre>
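The route and rule stanzas above must be renumbered by hand for every local 44net subnet, and a missing quote (easy to introduce when editing by hand) breaks the whole UCI section. The following POSIX shell script is an added example, not part of this wiki page or of ampr-ripd: it takes the LAN subnet and the list of local 44net subnets and emits the table 44 route plus the rules with consecutive priorities in the order the page requires (local-subnet main-table lookups first, then the amprwan/amprnet table-44 rules, then one source rule per local subnet). The interface and table names (amprwan, amprnet, 44) are the page's own; the subnets in the demo call and the '<AMPRGW>' placeholder are constructed values to replace with your own.

```shell
#!/bin/sh
# Added example (not from the wiki page): generate the /etc/config/network
# policy-routing stanzas for an AMPRNet gateway. Interface and table names
# (amprwan, amprnet, 44) follow the page; subnets in the demo are constructed.

# Print one UCI stanza. $1 = section type, remaining args = "key value" pairs.
# Values are always quoted, so a forgotten quote cannot slip in.
uci_stanza() {
    printf 'config %s\n' "$1"; shift
    for kv in "$@"; do
        printf "\toption %s '%s'\n" "${kv%% *}" "${kv#* }"
    done
}

# Default route for table 44 via the AMPR gateway ($1) on the amprwan interface.
ampr_route() {
    uci_stanza route "interface amprwan" "target 0.0.0.0" "netmask 0.0.0.0" \
        "gateway $1" "onlink 1" "table 44"
}

# $1 = LAN subnet ("" to omit the optional AMPR-to-LAN rules),
# remaining args = local 44net subnets.
# Priorities: 22.. AMPR-to-LAN, 44.. main-table lookup per local subnet,
# then the amprwan and amprnet table-44 rules, then a source rule per subnet.
ampr_rules() {
    lan=$1; shift
    n=0
    for net in "$@"; do
        if [ -n "$lan" ]; then
            uci_stanza rule "src $net" "dest $lan" "priority $((22 + n))" "lookup main"
        fi
        n=$((n + 1))
    done
    n=0
    for net in "$@"; do
        # local subnets stay in the main table; these must precede the iif rules
        uci_stanza rule "dest $net" "priority $((44 + n))" "lookup main"
        n=$((n + 1))
    done
    p=$((44 + n))
    uci_stanza rule "in amprwan" "dest 0.0.0.0/0" "priority $p" "lookup 44"
    p=$((p + 1))
    uci_stanza rule "in amprnet" "dest 0.0.0.0/0" "priority $p" "lookup 44"
    for net in "$@"; do
        p=$((p + 1))
        uci_stanza rule "src $net" "priority $p" "lookup 44"
    done
}

# Demo with constructed placeholders: one LAN and two local 44net subnets.
# Review the output, then append it to /etc/config/network on the device.
ampr_route '<AMPRGW>'
ampr_rules 192.168.1.0/24 44.1.2.0/24 44.1.3.0/29
```

With a single local subnet and no LAN rule (`ampr_rules "" 44.x.x.0/24`) the output uses exactly the priorities 44 through 47 shown on the page; each extra subnet shifts the later rules up by one, which is the renumbering the comments ask for.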
* '''reboot'''

== Enumerating tunnel/VLAN (AMPRWAN/AMPRLAN) Interfaces and firewall zones ==
''REMINDER: In OpenWrt 14.07 or lower - be sure to enable connection tracking if you will not masquerade.''
'''Interfaces'''
* Create an unmanaged Interface instance for tunl0 ('''AMPRWAN''') - '''set to not bring up on boot''', adding it to a new firewall zone of its own, '''amprwan''', using
** Input: Drop (or Reject)
** Output: Drop (or Reject)
** Forward: Drop (or Reject)
* Create an interface instance for a new VLAN and bridge (AMPRNET). '''Assign an IP from your allocation to this interface - this will become the Default Route/Gateway IP used on other 44 clients in your VLAN''' - add it to its own new firewall zone using
** Input: Accept (if you wish for your AMPRLAN devices to reach the router)
** Output: Accept; and
** Forward: Drop (or Reject, depending on whether you have other downstream routers in this VLAN)
* '''reboot'''
'''General Firewalling'''
* Permit forwarding from AMPRLAN to AMPRWAN and WAN (you must masquerade this traffic when using WAN)
* Permit forwarding from LAN to AMPRLAN (as desired; NOTE: you must make an IP Rule for the AMPRLAN to use the LAN's route on the Main Routing Table)
* ''For IPENCAP in'' - create a Traffic Input rule to allow IPv4 IPENCAP (IP protocol type 4) from Any IP on WAN to any IP on Router ''(or configure the optional dynamic script above, see [[Firewalls#OpenWrt|Firewalls - OpenWrt]])''
** specify the WAN IP instead of ''Any'' - if statically assigned by the ISP
* ''For [[RIP| RIP44]] packets in'' - create a Traffic Input rule to allow IPv4 udp/520 from 44.0.0.1 in AMPRWAN to 224.0.0.9 at port udp/520 on Router
* Create Traffic Forward rules for any inbound services (as desired)
* assign the new VLAN to any switch/trunk ports (as desired)
* make ampr-ripd and load_ipipfilter.sh executable using '''chmod +x'''
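The zone and rule settings listed above in LuCI terms, written out as an /etc/config/firewall fragment (fw3 syntax) by a shell function. This is an added example, not part of the wiki page or of OpenWrt. The zone names amprwan and amprlan and the interface names amprwan and amprnet follow the page; the optional WAN IP argument (a constructed 198.51.100.7 below) narrows the IPENCAP rule to the router's address, as the page suggests for a static ISP address. It assumes fw3 accepts the numeric protocol 4 in the proto option, and relies on the default wan zone's own masquerading for the AMPRLAN-to-WAN forwarding.

```shell
#!/bin/sh
# Added example (not from the wiki page or the OpenWrt project): the firewall
# zones, forwardings and input rules the page describes, as fw3 UCI stanzas.
# Zone/interface names follow the page; the WAN IP argument is optional.

# $1 = router WAN IP (optional). When given, the IPENCAP input rule is limited
# to that destination instead of "any IP on Router".
ampr_firewall() {
    wan_ip=$1
    cat <<'EOF'
# Tunnel side: nothing in, out or through unless a rule or forwarding allows it
config zone
	option name 'amprwan'
	list network 'amprwan'
	option input 'DROP'
	option output 'DROP'
	option forward 'DROP'

# Local 44net VLAN: hosts may reach the router; forwarding within the zone is off
config zone
	option name 'amprlan'
	list network 'amprnet'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'

# AMPRLAN may send traffic out the tunnel and out the ISP link
# (the default wan zone masquerades, as the page requires for WAN)
config forwarding
	option src 'amprlan'
	option dest 'amprwan'

config forwarding
	option src 'amprlan'
	option dest 'wan'

# RIP44 announcements: udp/520 from 44.0.0.1 to the RIPv2 multicast group
config rule
	option name 'Allow-RIP44-in'
	option src 'amprwan'
	option proto 'udp'
	option src_ip '44.0.0.1'
	option src_port '520'
	option dest_ip '224.0.0.9'
	option dest_port '520'
	option target 'ACCEPT'

# IPENCAP (IP protocol 4) from the Internet carries the tunnelled 44net packets
config rule
	option name 'Allow-IPENCAP-in'
	option src 'wan'
	option proto '4'
EOF
    if [ -n "$wan_ip" ]; then
        printf "\toption dest_ip '%s'\n" "$wan_ip"
    fi
    printf "\toption target 'ACCEPT'\n"
}

# Demo: constructed static WAN address; omit the argument to accept IPENCAP to any router IP.
ampr_firewall 198.51.100.7
```

Drop versus Reject is left as DROP throughout; the page allows either. Inbound services for hosts on AMPRLAN still need their own forward rules, as the page notes.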
'''Lastly'''
* test ampr-ripd in console using the '''-d''' argument
* add the password to the '''Local Startup''' entry and uncomment the ampr-ripd line
* '''reboot'''
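After the final reboot, the quickest way to confirm the policy routing took effect is to read `ip rule show` and `ip route show table 44` and check that the rules exist and are ordered correctly: a local-subnet main-table rule numbered above the tunl0/br-amprlan rules is shadowed for traffic entering on those devices, which then gets the table 44 default route instead. The script below is an added example, not part of this page or of ampr-ripd: it parses that output with awk and reports problems. The device names tunl0 and br-amprlan are those the page uses; both sample outputs are constructed, including the 192.0.2.1 gateway.

```shell
#!/bin/sh
# Added example (not from the wiki page): sanity-check the live policy routing
# after reboot from the text of "ip rule show" and "ip route show table 44".
# Device names tunl0 and br-amprlan follow the page; sample outputs are constructed.

# $1 = output of "ip rule show". Prints each problem; exit status 0 when clean.
check_policy_rules() {
    printf '%s\n' "$1" | awk '
        BEGIN { mainmax = -1; tun = 0; lan = 0 }
        # "44: from all to 44.1.2.0/24 lookup main": a local 44 subnet kept in main.
        # $1 is "44:", which awk converts to 44 when used as a number.
        /to 44\./ && /lookup main/   { p = $1 + 0; if (p > mainmax) mainmax = p }
        /iif tunl0 .*lookup 44/      { tun = $1 + 0 }
        /iif br-amprlan .*lookup 44/ { lan = $1 + 0 }
        END {
            ok = 1
            if (!tun) { print "missing: rule sending tunl0 input to table 44"; ok = 0 }
            if (!lan) { print "missing: rule sending br-amprlan input to table 44"; ok = 0 }
            # Lower priority numbers win: the main-table rules for local 44 subnets
            # must be numbered below the iif rules or tunnel/VLAN traffic for those
            # subnets is sent to table 44 (and out the tunnel) instead.
            if (tun && mainmax >= tun) { print "order: local 44 subnet main rules must precede the tunl0 rule"; ok = 0 }
            if (lan && mainmax >= lan) { print "order: local 44 subnet main rules must precede the br-amprlan rule"; ok = 0 }
            exit !ok
        }'
}

# $1 = output of "ip route show table 44". Exit 0 when the default route leaves via tunl0.
check_table44_route() {
    printf '%s\n' "$1" | grep -q '^default via .* dev tunl0'
}

# Constructed sample: a gateway configured per the page (priorities 22, 44-47)
GOOD_RULES='0:	from all lookup local
22:	from 44.1.2.0/24 to 192.168.1.0/24 lookup main
44:	from all to 44.1.2.0/24 lookup main
45:	from all iif tunl0 lookup 44
46:	from all iif br-amprlan lookup 44
47:	from 44.1.2.0/24 lookup 44
32766:	from all lookup main
32767:	from all lookup default'

# Constructed sample: the main-table rule was left numbered above the iif rules
BAD_RULES='0:	from all lookup local
45:	from all iif tunl0 lookup 44
46:	from all iif br-amprlan lookup 44
50:	from all to 44.1.2.0/24 lookup main
32766:	from all lookup main'

# Constructed sample of "ip route show table 44" (gateway address is a placeholder)
TABLE44='default via 192.0.2.1 dev tunl0 onlink'

# On the device, replace the samples with: "$(ip rule show)" and "$(ip route show table 44)"
check_policy_rules "$GOOD_RULES" && echo "policy rules OK"
check_policy_rules "$BAD_RULES" || echo "sample with wrong order rejected, as expected"
check_table44_route "$TABLE44" && echo "table 44 default route OK"
```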
== See Also ==
* [[ampr-ripd]]
* [[Firewalls#OpenWrt|Firewalls - OpenWrt]]
* [[RIP44.lua]]
* https://openwrt.org/docs/guide-user/network/start
Latest revision as of 06:51, 7 November 2020