Setting up a gateway on OpenWRT: Difference between revisions
Edit summary: edited instructions to place WAN and LAN in separate firewall zones
Revision as of 10:49, 23 November 2015
ampr-ripd has been compiled for Atheros 71xx
NOTE: To operate a gateway on AMPRNet you must have a way of obtaining up-to-date route information. AMPRNet distributes its routes with RIP44, a variant of the RIP version 2 protocol; plain RIP version 2 is not the same as RIP44. Two daemons speak it: rip44d, written in Perl by Heikki Hannikainen, OH7LZB, and ampr-ripd, written in C by YO2LOJ. The routing table is relatively small, so the performance and memory consumption of the daemon are not critical. ampr-ripd is used in this instance, so no other prerequisite software is required to run the RIP44 daemon.
- You must have a binary of ampr-ripd built for the CPU architecture of your OpenWRT device (i386, i586, x86_64, MIPS, PPC, etc.). If you do not, compile ampr-ripd yourself or install the packages needed to run rip44d instead.
Summary
Install:
- kmod-ipip (kernel IPIP tunnel support, which provides tunl0)
- ip-full (the full iproute2 ip command; the ip tunnel, ip rule and ip route ... table commands below need it)
- ampr-ripd to /etc/config/ (always run the RIP44 daemon in console mode FIRST after installation to verify that it executes and to obtain the password; its invocation is commented out in the rules below until then)
- the following to Firewall > Custom Rules:
    # (eth0.2 in this case is the public-facing WAN, the interface that must accept IPENCAP traffic; read your OpenWRT hardware Wiki for your specific model)
    ifconfig tunl0 mtu 1480 up
    ip tunnel change tunl0 mode ipip ttl 64 pmtudisc
    ### This allows all outbound from 44/8
    ip route add default dev tunl0 via <AMPRGW> onlink proto 44 table 44
    # /etc/config/ampr-ripd -p <PASSWORD> -t 44 -a <44.xxx.xxx.xxx/xx>
    #OPTIONAL LAN ### ip rule add from <44.xxx.xxx.xxx/xx> to <192.168.xxx.xxx/16> table main priority 22
    ip rule add to <44.xxx.xxx.xxx/xx> table main priority 44
    ip rule add from 44.0.0.0/8 table 44 priority 45
    ### This ensures all traffic received on tunl0 (regardless of IP) only uses table 44
    ip rule add dev tunl0 table 44 priority 46
- reboot
- Create an unmanaged interface instance for tunl0 (AMPRWAN), set to not bring up on boot, and place it in its own firewall zone with Input: Drop (or Reject), Output: Drop (or Reject) and Forward: Drop (or Reject). Be sure to enable connection tracking if you will not masquerade.
- Create an interface instance for a new VLAN and bridge (AMPRLAN) and place it in its own firewall zone with Input: Accept (if you wish your AMPRLAN devices to reach the router), Output: Accept and Forward: Drop (or Reject). Assign an IP from your allocation to this interface.
- Permit forwarding from AMPRLAN to AMPRWAN.
- Permit forwarding from LAN to AMPRLAN (as desired; NOTE: you must add an IP rule so that traffic from AMPRLAN to the LAN uses the main routing table, i.e. the OPTIONAL LAN rule in the Custom Rules above).
- Create a Traffic Input rule to allow IPv4 IPENCAP (IP protocol 4) from any IP on WAN to any IP on the router (or to the WAN IP if it is statically assigned).
- Create a Traffic Input rule to allow IPv4 udp/520 from 44.0.0.1 on AMPRWAN to 224.0.0.9 udp/520 on the router (the RIP44 announcements arrive this way, inside the tunnel).
- Create Traffic Forward rules for any inbound services (as desired).
- Add the VLAN to any switch/trunk ports (as desired).
- Test ampr-ripd from the console using the -d argument.
- Add the password to the Custom Rules and uncomment the ampr-ripd line.
- reboot
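The whole procedure above, from the Custom Rules block through the LuCI zone and rule clicks, as one script. This is an added example, not the wiki's own script and not anything shipped with ampr-ripd: it assumes a 2015-era OpenWRT with fw3 and netifd (option names ifname, auto, conntrack, device), the ampr-ripd flags -p, -t and -a exactly as the page uses them, and every address, VLAN id, password and path below is a hypothetical placeholder to be replaced with your own. It differs from the page in two small ways on purpose: ip route replace and delete-before-add keep the rules idempotent across firewall reloads, and iif is the documented spelling of the page's ip rule ... dev tunl0.

```shell
#!/bin/sh
# Added example, not the wiki's own script: the Custom Rules block and the
# LuCI steps expressed as idempotent shell and uci commands.
# All values are hypothetical; 198.51.100.1 is RFC 5737 TEST-NET-2 space.
AMPR_ALLOC="${AMPR_ALLOC:-44.99.99.0/29}"       # your 44/8 allocation
AMPRGW="${AMPRGW:-198.51.100.1}"               # public IP of the AMPR gateway
AMPRLAN_IP="${AMPRLAN_IP:-44.99.99.1}"         # router address inside the allocation
AMPRLAN_MASK="${AMPRLAN_MASK:-255.255.255.248}"
LAN_NET="${LAN_NET:-192.168.0.0/16}"
LAN_TO_AMPRLAN="${LAN_TO_AMPRLAN:-}"           # set to 1 to allow LAN <-> AMPRLAN
RIP_PASSWORD="${RIP_PASSWORD:-}"               # learned from a console run of ampr-ripd -d
DRY_RUN="${DRY_RUN:-}"                         # DRY_RUN=1 prints commands instead of running them

run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# 1. Firewall > Custom Rules: tunnel, table 44 default route and the policy rules.
#    Deleting before adding keeps rules from piling up on every firewall reload.
ampr_policy_routing() {
    run ifconfig tunl0 mtu 1480 up          # 1500 minus the 20-byte outer IP header
    run ip tunnel change tunl0 mode ipip ttl 64 pmtudisc
    run ip route replace default dev tunl0 via "$AMPRGW" onlink proto 44 table 44
    rules="to $AMPR_ALLOC table main priority 44
from 44.0.0.0/8 table 44 priority 45
iif tunl0 table 44 priority 46"
    if [ -n "$LAN_TO_AMPRLAN" ]; then       # the page's OPTIONAL LAN rule
        rules="from $AMPR_ALLOC to $LAN_NET table main priority 22
$rules"
    fi
    printf '%s\n' "$rules" | while IFS= read -r rule; do
        run ip rule del $rule 2>/dev/null || true
        run ip rule add $rule
    done
    # start the RIP44 daemon once, and only after the password has been learned
    if [ -n "$RIP_PASSWORD" ] && ! pidof ampr-ripd >/dev/null 2>&1; then
        run /etc/config/ampr-ripd -p "$RIP_PASSWORD" -t 44 -a "$AMPR_ALLOC"
    fi
}

# 2. Interfaces, zones and rules the page has you click through in LuCI.
ampr_uci_config() {
    run uci set network.amprwan=interface   # tunl0, unmanaged, not brought up at boot
    run uci set network.amprwan.ifname=tunl0
    run uci set network.amprwan.proto=none
    run uci set network.amprwan.auto=0
    run uci set network.amprlan=interface   # bridged VLAN (id 44 is a hypothetical choice)
    run uci set network.amprlan.type=bridge
    run uci set network.amprlan.ifname=eth0.44
    run uci set network.amprlan.proto=static
    run uci set network.amprlan.ipaddr="$AMPRLAN_IP"
    run uci set network.amprlan.netmask="$AMPRLAN_MASK"
    # AMPRWAN zone: deny in every direction, conntrack on because nothing is masqueraded;
    # the raw device is listed too so the zone matches tunl0 even before netifd knows it
    run uci set firewall.amprwan=zone
    run uci set firewall.amprwan.name=amprwan
    run uci set firewall.amprwan.network=amprwan
    run uci add_list firewall.amprwan.device=tunl0
    run uci set firewall.amprwan.input=DROP
    run uci set firewall.amprwan.output=DROP
    run uci set firewall.amprwan.forward=DROP
    run uci set firewall.amprwan.conntrack=1
    # AMPRLAN zone: hosts may talk to the router, nothing forwarded unless listed below
    run uci set firewall.amprlan=zone
    run uci set firewall.amprlan.name=amprlan
    run uci set firewall.amprlan.network=amprlan
    run uci set firewall.amprlan.input=ACCEPT
    run uci set firewall.amprlan.output=ACCEPT
    run uci set firewall.amprlan.forward=DROP
    run uci set firewall.amprlan_amprwan=forwarding
    run uci set firewall.amprlan_amprwan.src=amprlan
    run uci set firewall.amprlan_amprwan.dest=amprwan
    if [ -n "$LAN_TO_AMPRLAN" ]; then
        run uci set firewall.lan_amprlan=forwarding
        run uci set firewall.lan_amprlan.src=lan
        run uci set firewall.lan_amprlan.dest=amprlan
    fi
    run uci set firewall.allow_ipencap=rule  # IPENCAP (IP protocol 4) from WAN to the router
    run uci set firewall.allow_ipencap.src=wan
    run uci set firewall.allow_ipencap.proto=4
    run uci set firewall.allow_ipencap.target=ACCEPT
    run uci set firewall.allow_rip44=rule    # RIP44: udp/520 from 44.0.0.1 to 224.0.0.9 via tunl0
    run uci set firewall.allow_rip44.src=amprwan
    run uci set firewall.allow_rip44.src_ip=44.0.0.1
    run uci set firewall.allow_rip44.proto=udp
    run uci set firewall.allow_rip44.dest_ip=224.0.0.9
    run uci set firewall.allow_rip44.dest_port=520
    run uci set firewall.allow_rip44.target=ACCEPT
    run uci commit network
    run uci commit firewall
}

# 3. Post-reboot check: pipe `ip rule show` in here; succeeds only if all three rules exist.
ampr_check_rules() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q "^44:.*to $AMPR_ALLOC .*lookup main" &&
    printf '%s\n' "$rules" | grep -q "^45:.*from 44.0.0.0/8 .*lookup 44" &&
    printf '%s\n' "$rules" | grep -q "^46:.*iif tunl0 .*lookup 44"
}
```

Source the file and run it first with DRY_RUN=1 to read every command it would issue; ampr_policy_routing is what belongs in Firewall > Custom Rules, ampr_uci_config replaces the LuCI clicks (it assumes the stock wan and lan zones already exist), and after the final reboot `ip rule show | ampr_check_rules` confirms the priority 44, 45 and 46 rules came back. The AMPRWAN zone is default deny in all three directions, so the only things the router accepts from the tunnel are the RIP44 announcements from 44.0.0.1 and replies to connections that conntrack has seen.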