Setting up a gateway on OpenWRT: Difference between revisions

From 44Net Wiki
Jump to navigation Jump to search
(Undo revision 464 by Kb3vwg (talk))
(add RIP44.lua link)
(22 intermediate revisions by one other user not shown)
Line 1: Line 1:
[[ampr-ripd]] has been compiled for Atheros 71xx
[[ampr-ripd]] has been compiled for the AppliedMicro APM82181 and Atheros 71xx router CPUs


'''NOTE: To operate a [[Gateway]] on [[AMPRNet]], you must have a method of obtaining up-to-date route information. On AMPRNet, a variant of [https://en.wikipedia.org/wiki/Routing_Information_Protocol RIP version 2] protocol, named [[RIP]]44 is used. [https://en.wikipedia.org/wiki/Routing_Information_Protocol RIP version 2] is not the same as [[RIP]]44.''' [[rip44d]] is written in the Perl programming language by Heikki Hannikainen, OH7LZB. [[ampr-ripd]] is written in C by YO2LOJ. The routing table is relatively small, so the performance or memory consumption of this daemon isn't very critical. [[ampr-ripd]] is used in this instance, so no other prerequisite software is required to run the [[RIP]]44 daemon.
'''NOTE: To operate a [[Gateway]] on [[AMPRNet]], you must have a method of obtaining up-to-date route information. On AMPRNet, a variant of [https://en.wikipedia.org/wiki/Routing_Information_Protocol RIP version 2] protocol, named [[RIP]]44 is used. [https://en.wikipedia.org/wiki/Routing_Information_Protocol RIP version 2] is not the same as [[RIP]]44.''' [[rip44d]] is written in the Perl programming language by Heikki Hannikainen, OH7LZB. [[ampr-ripd]] is written in C by YO2LOJ. The routing table is relatively small, so the performance or memory consumption of this daemon isn't very critical. [[ampr-ripd]] is used in this instance, so no other prerequisite software is required to run the [[RIP]]44 daemon.


* '''You must have access to a binary [https://en.wikipedia.org/wiki/Executable executable] of [[ampr-ripd]] that is compatible with the [https://en.wikipedia.org/wiki/Central_processing_unit CPU] in your OpenWRT device (e.g. i386, i586, x86_64, MIPS, PPC, etc.). If you do not, you must [https://en.wikipedia.org/wiki/Compiler compile] ampr-ripd yourself, or install the packages necessary to run [[rip44d]].'''
* '''You must have access to a binary [https://en.wikipedia.org/wiki/Executable executable] of [[ampr-ripd]] that is compatible with the [https://en.wikipedia.org/wiki/Central_processing_unit CPU] in your OpenWRT device (e.g. i386, i586, x86_64, MIPS, PPC, etc.). If you do not, you must [https://en.wikipedia.org/wiki/Compiler compile] ampr-ripd yourself, or install the packages necessary to run [[rip44d]].'''
There is also an experimental LUA daemon at [[RIP44.lua]] which should run with standard packages.


== '''See''' ==
== '''See''' ==


* [http://wiki.openwrt.org/doc/devel/crosscompile Cross Compile - OpenWRT]
* [https://openwrt.org/docs/guide-developer/crosscompile Cross Compile - OpenWRT]
* [http://wiki.openwrt.org/start OpenWRT Manual]
* [https://openwrt.org/docs/start OpenWRT Manual]


== Summary ==
== Summary ==


'''NOTE: These instructions assume that you intend to configure your OpenWRT-based AMPRNet [[Gateway]] to be a [https://en.wikipedia.org/wiki/Stateful_firewall stateful firewall] for your AMPRNet allocations (i.e. enabling connection tracking). If you prefer to forward all traffic to your allocated AMPRNet IP addresses, you may follow these instructions; but configure your Firewall Zones to forward all traffic to/from AMPRLAN to AMPRWAN. These instructions configure your AMPRNet Tunnel and AMPRNet Local Interfaces in their own [https://en.wikipedia.org/wiki/Virtual_routing_and_forwarding virtual routing and forwarding] instance; and places all local AMPRNet allocations in the main routing instance (you must provide routing rules for your local AMPR subnets to reach local subnets, if you desire). Since the OpenWRT Kernel is aware that your AMPRNet allocations exist locally (and are populated on the MAIN ROUTING TABLE), you must provide routing rules for AMPRLAN to reach these local subnets, or omit those rules (not permitting your AMPRLAN to route to your local subnets).'''
'''NOTE: These instructions assume first that you have been assigned AMPRNet IP address allocations that are properly assigned and configured to your account in the [[Portal]]. Next, that you intend to configure your OpenWRT-based (version 14.07 or greater) AMPRNet [[Gateway]] to be a [https://en.wikipedia.org/wiki/Stateful_firewall stateful firewall] for your AMPRNet allocations (i.e. enabling connection tracking). If you prefer to forward all traffic to your allocated AMPRNet IP addresses, you may follow these instructions; but configure your Firewall Zones to forward all traffic to/from AMPRLAN to AMPRWAN. These instructions configure your AMPRNet Tunnel and AMPRNet Local Interfaces in their own [https://en.wikipedia.org/wiki/Policy-based_routing policy-based routing] sernario; and places all local AMPRNet allocations in the main routing instance (you must provide routing rules for your local AMPR subnets to reach local subnets, if you desire). Since the OpenWRT Kernel is aware that your AMPRNet allocations exist locally (and are populated on the MAIN ROUTING TABLE), you must provide routing rules for AMPRLAN to reach these local subnets, or omit those rules (not permitting your AMPRLAN to route to your local subnets). Lastly, it assumes that the user can navigate the default OpenWRT LuCI web-based graphical user interface locally (and that they are using a device capable of having the package installed), are familiar with the [https://en.wikipedia.org/wiki/Chmod chmod] command, and/or familiar with entering OpenWRT UCI (Unified Configuration Interface) commands by serial console or SSH.'''


Install:
Install:
Line 18: Line 20:
* kmod-ipip
* kmod-ipip
* ip-full
* ip-full
* libstdcpp
* [[ampr-ripd]] to '''/etc/config/''' (always run [[RIP]]44 software in console mode FIRST after installation to verify execution and obtain the password, the execution of the file is commented-out below)
* [[ampr-ripd]] to '''/etc/config/''' (always run [[RIP]]44 software in console mode FIRST after installation to verify execution and obtain the password, the execution of the file is commented-out below)
* the following to '''Firewall > Custom Rules:'''
* diffutils (optional for dynamic IP filtering)
* (optional) dynamic firewall script to /etc/config/load_ipipfilter.sh (see the iptables section of the [[Firewalls]] wiki)
* the following to '''System > Startup > Local Startup:'''
 
ip tunnel add tunl0
ip tunnel change tunl0 mode ipip ttl 64 tos inherit pmtudisc
ip link set tunl0 mtu 1480 up
'''# This directory is not persistent on OpenWRT, it must be made on boot for dynamic filtering
mkdir /var/lib/ampr-ripd
# A blank bootstrap file must be created at /etc/config/encap.txt for this to work
# Running '''touch /etc/config/encap.txt''' once can create it
# after which, you may run ampr-ripd to populate it
ln -s /etc/config/encap.txt /tmp/lib/ampr-ripd/encap.txt
# Dynamic filter, script executed by -x argument
# Dynamic filter, -s argument creates encap.txt
'''# ./etc/config/ampr-ripd -p <PASSWORD> -s -t 44 -a <44.xxx.xxx.xxx/xx> -x ./etc/config/load_ipipfilter.sh &'''
## Allows traceroute to respond using 44net IP of tunl0 or br-amprlan ##
echo 1 > /proc/sys/net/ipv4/icmp_errors_use_inbound_ifaddr
 
'''UPDATE 2018 (routes and rules have been added to the UCI):'''
 
# add IP Route to /etc/config/network
config route
option interface 'amprwan'
option target '0.0.0.0'
option netmask '0.0.0.0'
option gateway ''''<AMPRGW>''''
option onlink '1'
option table '44'


  ifconfig tunl0 mtu 1480 up
  # add IP Rules to /etc/config/network
ip tunnel change tunl0 mode ipip ttl 64 pmtudisc
ip route add default dev tunl0 via '''<AMPRGW>''' onlink proto 44 table 44
  #OPTIONAL AMPR TO LAN RULES (NUMBER 22-2X ACCORDINGLY)
'''# ./etc/config/ampr-ripd -p <PASSWORD> -t 44 -a <44.xxx.xxx.xxx/xx>'''
config rule
  #OPTIONAL LAN ### ip rule add from '''<44.xxx.xxx.xxx/xx>''' to '''<192.168.xxx.xxx/16>''' table main priority 22
option src '44.xxx.xxx.0/24'
  #ADD A RULE FOR EVERY LOCAL AMPR SUBNET, RENUMBER 44-4X ACCORDINGLY)  
option dest '192.168.xxx.0/24'
  ip rule add to '''<44.xxx.xxx.xxx/xx>''' table main priority 44
option priority '22'
option lookup 'main'
  #ADD A MAIN RULE FOR EVERY LOCAL AMPR SUBNET, RENUMBER 44-4X ACCORDINGLY)
  config rule
option dest '44.xxx.xxx.0/24'
option priority '44'
option lookup 'main'
### This ensures all traffic received on tunl0 uses table 44
config rule
option in 'amprwan'
option dest '0.0.0.0/0'
option priority '45'
option lookup '44'
  ###Add this after you create the AMPRLAN bridge, this ensures all traffic from AMPRLAN uses table 44
  ###Add this after you create the AMPRLAN bridge, this ensures all traffic from AMPRLAN uses table 44
  ip rule add dev br-amprlan table 44 priority 45
  config rule
  ### This ensures all traffic received on tunl0 uses table 44
option in 'amprnet'
  ip rule add dev tunl0 table 44 priority 46
option dest '0.0.0.0/0'
option priority '46'
option lookup '44'
  ### You must add an IP rule for all 44net IPs residing on the device
  config rule
option src '44.xxx.xxx.0/24
option priority '47'
option lookup '44'


* '''reboot'''
* '''reboot'''
* an unmanaged interface instance for tunl0 (AMPRWAN) '''(set to not bring up on boot)''', adding it to its own firewall zone using Input: Drop (or Reject), Output: Drop (or Reject) and Forward: Drop (or Reject). '''Be sure to enable connection tracking if you will not masquerade'''
* create an unmanaged Interface instance for tunl0 ('''AMPRWAN''') '''(set to not bring up on boot)''', adding it to its own firewall zone '''amprwan''' using Input: Drop (or Reject), Output: Drop (or Reject) and Forward: Drop (or Reject). '''(OpenWRT 14.07 or lower - Be sure to enable connection tracking if you will not masquerade)'''
* an interface instance for a new VLAN and bridge (AMPRLAN), add it to its own firewall zone using Input: Accept (if you wish for you AMPRLAN devices to reach the router), Output: Accept and Forward: Drop (or Reject). '''Assign an IP from your allocation to this interface, you will configure this IP on your devices as the Default Route/Gateway address.'''
* an interface instance for a new VLAN and bridge (the example above uses AMPRNET), add it to its own firewall zone using Input: Accept (if you wish for you AMPRLAN devices to reach the router), Output: Accept and Forward: Drop (or Reject). '''Assign an IP from your allocation to this interface, you will configure this IP on your devices as the Default Route/Gateway address.'''
* '''reboot'''
* '''reboot'''
* Permit forwarding from AMPRLAN to AMPRWAN
* Permit forwarding from AMPRLAN to AMPRWAN and WAN (you must masquerade this traffic when using WAN)
* Permit forwarding from LAN to AMPRLAN (as desired, NOTE: you must make an IP Rule for the AMPRLAN to use the LAN's route on the Main Routing Table)
* Permit forwarding from LAN to AMPRLAN (as desired, NOTE: you must make an IP Rule for the AMPRLAN to use the LAN's route on the Main Routing Table)
* Create Traffic Input rule to allow IPv4 IPENCAP (IP protocol type 4) from Any IP on WAN to any IP on Router (or specify WAN IP if statically assigned)
* Create Traffic Input rule to allow IPv4 IPENCAP (IP protocol type 4) from Any IP on WAN to any IP on Router (or specify WAN IP if statically assigned)
Line 43: Line 98:
* Create Traffic Forward rules for any inbound services (as desired)
* Create Traffic Forward rules for any inbound services (as desired)
* the VLAN to any switch/trunk ports (as desired)
* the VLAN to any switch/trunk ports (as desired)
* make ampr-ripd and load_ipipfilter.sh executable using '''chmod +x'''
* test ampr-ripd in console using the '''-d''' argument
* test ampr-ripd in console using the '''-d''' argument
* add password to Custom Rule and uncomment ampr-ripd line
* add password to the '''Local Startup''' entry and uncomment ampr-ripd line
* '''reboot'''
* '''reboot'''

Revision as of 17:35, 9 June 2018

ampr-ripd has been compiled for the AppliedMicro APM82181 and Atheros 71xx router CPUs

NOTE: To operate a Gateway on AMPRNet, you must have a method of obtaining up-to-date route information. On AMPRNet, a variant of RIP version 2 protocol, named RIP44 is used. RIP version 2 is not the same as RIP44. rip44d is written in the Perl programming language by Heikki Hannikainen, OH7LZB. ampr-ripd is written in C by YO2LOJ. The routing table is relatively small, so the performance or memory consumption of this daemon isn't very critical. ampr-ripd is used in this instance, so no other prerequisite software is required to run the RIP44 daemon.

  • You must have access to a binary executable of ampr-ripd that is compatible with the CPU in your OpenWRT device (e.g. i386, i586, x86_64, MIPS, PPC, etc.). If you do not, you must compile ampr-ripd yourself, or install the packages necessary to run rip44d.

There is also an experimental LUA daemon at RIP44.lua which should run with standard packages.

See

Summary

NOTE: These instructions assume first that you have been assigned AMPRNet IP address allocations that are properly assigned and configured to your account in the Portal. Next, that you intend to configure your OpenWRT-based (version 14.07 or greater) AMPRNet Gateway to be a stateful firewall for your AMPRNet allocations (i.e. enabling connection tracking). If you prefer to forward all traffic to your allocated AMPRNet IP addresses, you may follow these instructions; but configure your Firewall Zones to forward all traffic to/from AMPRLAN to AMPRWAN. These instructions configure your AMPRNet Tunnel and AMPRNet Local Interfaces in their own policy-based routing sernario; and places all local AMPRNet allocations in the main routing instance (you must provide routing rules for your local AMPR subnets to reach local subnets, if you desire). Since the OpenWRT Kernel is aware that your AMPRNet allocations exist locally (and are populated on the MAIN ROUTING TABLE), you must provide routing rules for AMPRLAN to reach these local subnets, or omit those rules (not permitting your AMPRLAN to route to your local subnets). Lastly, it assumes that the user can navigate the default OpenWRT LuCI web-based graphical user interface locally (and that they are using a device capable of having the package installed), are familiar with the chmod command, and/or familiar with entering OpenWRT UCI (Unified Configuration Interface) commands by serial console or SSH.

Install:

  • kmod-ipip
  • ip-full
  • libstdcpp
  • ampr-ripd to /etc/config/ (always run RIP44 software in console mode FIRST after installation to verify execution and obtain the password, the execution of the file is commented-out below)
  • diffutils (optional for dynamic IP filtering)
  • (optional) dynamic firewall script to /etc/config/load_ipipfilter.sh (see the iptables section of the Firewalls wiki)
  • the following to System > Startup > Local Startup:
ip tunnel add tunl0
ip tunnel change tunl0 mode ipip ttl 64 tos inherit pmtudisc
ip link set tunl0 mtu 1480 up
# This directory is not persistent on OpenWRT, it must be made on boot for dynamic filtering
mkdir /var/lib/ampr-ripd
# A blank bootstrap file must be created at /etc/config/encap.txt for this to work
# Running touch /etc/config/encap.txt once can create it
# after which, you may run ampr-ripd to populate it
ln -s /etc/config/encap.txt /tmp/lib/ampr-ripd/encap.txt
# Dynamic filter, script executed by -x argument
# Dynamic filter, -s argument creates encap.txt
# ./etc/config/ampr-ripd -p <PASSWORD> -s -t 44 -a <44.xxx.xxx.xxx/xx> -x ./etc/config/load_ipipfilter.sh &
## Allows traceroute to respond using 44net IP of tunl0 or br-amprlan ##
echo 1 > /proc/sys/net/ipv4/icmp_errors_use_inbound_ifaddr

UPDATE 2018 (routes and rules have been added to the UCI):

# add IP Route to /etc/config/network

config route
	option interface 'amprwan'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option gateway '<AMPRGW>'
	option onlink '1'
	option table '44'
# add IP Rules to /etc/config/network

#OPTIONAL AMPR TO LAN RULES (NUMBER 22-2X ACCORDINGLY)
config rule
	option src '44.xxx.xxx.0/24'
	option dest '192.168.xxx.0/24'
	option priority '22'
	option lookup 'main'

#ADD A MAIN RULE FOR EVERY LOCAL AMPR SUBNET, RENUMBER 44-4X ACCORDINGLY)
config rule
	option dest '44.xxx.xxx.0/24'
	option priority '44'
	option lookup 'main'

### This ensures all traffic received on tunl0 uses table 44
config rule
	option in 'amprwan'
	option dest '0.0.0.0/0'
	option priority '45'
	option lookup '44'

###Add this after you create the AMPRLAN bridge, this ensures all traffic from AMPRLAN uses table 44
config rule
	option in 'amprnet'
	option dest '0.0.0.0/0'
	option priority '46'
	option lookup '44'

### You must add an IP rule for all 44net IPs residing on the device
config rule
	option src '44.xxx.xxx.0/24
	option priority '47'
	option lookup '44'
  • reboot
  • create an unmanaged Interface instance for tunl0 (AMPRWAN) (set to not bring up on boot), adding it to its own firewall zone amprwan using Input: Drop (or Reject), Output: Drop (or Reject) and Forward: Drop (or Reject). (OpenWRT 14.07 or lower - Be sure to enable connection tracking if you will not masquerade)
  • an interface instance for a new VLAN and bridge (the example above uses AMPRNET), add it to its own firewall zone using Input: Accept (if you wish for you AMPRLAN devices to reach the router), Output: Accept and Forward: Drop (or Reject). Assign an IP from your allocation to this interface, you will configure this IP on your devices as the Default Route/Gateway address.
  • reboot
  • Permit forwarding from AMPRLAN to AMPRWAN and WAN (you must masquerade this traffic when using WAN)
  • Permit forwarding from LAN to AMPRLAN (as desired, NOTE: you must make an IP Rule for the AMPRLAN to use the LAN's route on the Main Routing Table)
  • Create Traffic Input rule to allow IPv4 IPENCAP (IP protocol type 4) from Any IP on WAN to any IP on Router (or specify WAN IP if statically assigned)
  • Create Traffic Input rule to allow IPv4 udp/520 from 44.0.0.1 in AMPRWAN to 224.0.0.9 at port udp/520 IP on Router
  • Create Traffic Forward rules for any inbound services (as desired)
  • the VLAN to any switch/trunk ports (as desired)
  • make ampr-ripd and load_ipipfilter.sh executable using chmod +x
  • test ampr-ripd in console using the -d argument
  • add password to the Local Startup entry and uncomment ampr-ripd line
  • reboot