Setting up a gateway on OpenWRT: Difference between revisions

From 44Net Wiki
Kb3vwg (talk | contribs)
Edit summary: edited instructions to place WAN and LAN in separate firewall zones

Line 21 (Firewall > Custom Rules and the steps that follow), previous revision compared with this revision:

  (unchanged) # '''(eth0.2 in this case is the Public-facing WAN (to allow IPENCAP traffic), read your [http://wiki.openwrt.org/toh/start OpenWRT hardware Wiki] for your specific model '''
  (unchanged) ifconfig tunl0 mtu 1480 up
  (removed)   iptables -t filter -I INPUT -p 4 -i eth0.2 -j ACCEPT
  (added)     ip tunnel change tunl0 mode ipip ttl 64 pmtudisc
  (added)     ### This allows all outbound from 44/8
  (unchanged) ip route add default dev tunl0 via '''<AMPRGW>''' onlink proto 44 table 44
  (removed)   ### This allows all outbound from 44/8
  (removed)   iptables -I FORWARD -s 44.0.0.0/8 -o tunl0 -j ACCEPT
  (unchanged) '''# ./etc/config/ampr-ripd -p <PASSWORD> -t 44 -a <44.xxx.xxx.xxx/xx>'''
  (unchanged) #OPTIONAL LAN ### ip rule add from '''<44.xxx.xxx.xxx/xx>''' to '''<192.168.xxx.xxx/16>''' table main priority 22
  (unchanged) ip rule add to '''<44.xxx.xxx.xxx/xx>''' table main priority 44
  (unchanged) ip rule add from 44.0.0.0/8 table 44 priority 45
  (added)     ### This ensures all traffic received on tunl0 (regardless of IP) only uses table 44
  (unchanged) ip rule add dev tunl0 table 44 priority 46

  (unchanged) * '''reboot'''
  (removed)   * a bridge interface to tunl0 and a new VLAN, adding it to its own firewall zone (assign an IP from your allocation to this interface), using Input: Drop (or Reject), Output: Accept and Forward: Drop (or Reject)
  (added)     * an unmanaged interface instance for to tunl0 (AMPRWAN) '''(set to not bring up on boot)''', adding it to its own firewall zone using Input: Drop (or Reject), Output: Drop (or Reject) and Forward: Drop (or Reject). '''Be sure to enable connection tracking if you will not masquerade'''
  (added)     * an interface instance for a new VLAN and bridge (AMPRLAN), add it to its own firewall zone using Input: Accept (if you wish for you AMPRLAN devices to reach the router), Output: Accept and Forward: Drop (or Reject). . '''Assign an IP from your allocation to this interface'''
  (added)     * Permit forwarding from AMPRLAN to AMPRWAN
  (added)     * Permit forwarding from LAN to AMPRLAN (as desired, NOTE: you must make an IP Rule for the AMPRLAN to use the LAN's route on the Main Routing Table)
  (added)     * Create Traffic Input rule to allow IPv4 IPENCAP (IP protocol type 4) from Any IP on WAN to any IP on Router (or specify WAN IP if statically assigned)
  (added)     * Create Traffic Input rule to allow IPv4 udp/520 from 44.0.0.1 in AMPRWAN to 224.0.0.9 at port udp/520 IP on Router
  (added)     * Create Traffic Forward rules for any inbound services (as desired)
  (unchanged) * the VLAN to any switch/trunk ports (as desired)
  (removed)   * create any forwarding/input firewall Traffic Rules
  (unchanged) * test ampr-ripd in console using the '''-d''' argument
  (unchanged) * add password to Custom Rule and uncomment ampr-ripd line
  (unchanged) * '''reboot'''

Revision as of 10:49, 23 November 2015

ampr-ripd has been compiled for Atheros 71xx

NOTE: To operate a gateway on AMPRNet, you must have a method of obtaining up-to-date route information. AMPRNet distributes its routes with a variant of the RIP version 2 protocol named RIP44; RIP version 2 is not the same as RIP44. rip44d is written in Perl by Heikki Hannikainen, OH7LZB; ampr-ripd is written in C by YO2LOJ. The routing table is relatively small, so the performance and memory consumption of the daemon are not critical. ampr-ripd is used in this instance, so no other prerequisite software is required to run the RIP44 daemon.

  • You must have access to a binary executable of ampr-ripd that is compatible with the CPU in your OpenWRT device (e.g. i386, i586, x86_64, MIPS, PPC, etc.). If you do not, you must compile ampr-ripd yourself, or install the packages necessary to run rip44d.
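As an added illustration of what the RIP44 daemon has to do with what arrives on udp/520 (this is example code written for this page, not the source of ampr-ripd or rip44d): the script below builds a constructed announcement in the RIPv2 wire layout of RFC 2453 (4-byte header, then 20-byte entries: a simple-password authentication entry followed by route entries), decodes it, checks the password, drops withdrawals (metric 16), and renders the surviving routes in the table-44 form used in the custom rules on this page. The assumption that the next-hop field of each entry carries the remote gateway's public address, the route tag value 4, the password "example-pw" and the documentation-range next hops are all placeholders chosen for the example, not values from the page.

```python
"""Decode a RIPv2-format RIP44 announcement and turn it into table-44 routes.
Example code for the wiki page; not part of ampr-ripd."""
import ipaddress
import struct

RIP_RESPONSE = 2            # RIPv2 command byte for a response
AFI_AUTH = 0xFFFF           # address family marking an authentication entry
AFI_INET = 2                # address family for IPv4 route entries
AUTH_SIMPLE_PASSWORD = 2    # RIPv2 simple-password authentication type
RIP_INFINITY = 16           # metric meaning "unreachable" (withdrawal)

HEADER = struct.Struct("!BBH")         # command, version, must-be-zero
ENTRY = struct.Struct("!HH4s4s4sI")    # AFI, route tag, addr, mask, next hop, metric
AUTH_ENTRY = struct.Struct("!HH16s")   # AFI 0xFFFF, auth type, 16-byte password


def build_announcement(password, routes, tag=4):
    """Pack a RIPv2 response with a password entry then (net, nexthop, metric) routes.
    Used here only to construct sample input; the tag value 4 is an assumption."""
    pkt = HEADER.pack(RIP_RESPONSE, 2, 0)
    pkt += AUTH_ENTRY.pack(AFI_AUTH, AUTH_SIMPLE_PASSWORD, password.encode())
    for net, nexthop, metric in routes:
        n = ipaddress.IPv4Network(net)
        pkt += ENTRY.pack(AFI_INET, tag, n.network_address.packed, n.netmask.packed,
                          ipaddress.IPv4Address(nexthop).packed, metric)
    return pkt


def parse_announcement(pkt, expected_password=None):
    """Return (password, [(network, nexthop, tag, metric), ...]).
    Raises ValueError on a malformed packet or a password mismatch."""
    if len(pkt) < HEADER.size or (len(pkt) - HEADER.size) % ENTRY.size:
        raise ValueError("length is not 4 + n*20 bytes")
    cmd, ver, _zero = HEADER.unpack_from(pkt)
    if cmd != RIP_RESPONSE or ver != 2:
        raise ValueError(f"not a RIPv2 response (cmd={cmd}, ver={ver})")
    password = None
    routes = []
    for off in range(HEADER.size, len(pkt), ENTRY.size):
        afi = struct.unpack_from("!H", pkt, off)[0]
        if afi == AFI_AUTH:
            _afi, auth_type, pw = AUTH_ENTRY.unpack_from(pkt, off)
            if auth_type != AUTH_SIMPLE_PASSWORD:
                raise ValueError(f"unsupported auth type {auth_type}")
            password = pw.rstrip(b"\x00").decode()
            continue
        _afi, tag, addr, mask, nh, metric = ENTRY.unpack_from(pkt, off)
        if afi != AFI_INET:
            raise ValueError(f"unexpected address family {afi}")
        if metric >= RIP_INFINITY:
            continue  # withdrawal, nothing to install
        mask_int = int.from_bytes(mask, "big")
        prefixlen = bin(mask_int).count("1")
        if mask_int != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
            raise ValueError("non-contiguous netmask")
        net = ipaddress.IPv4Network((addr, prefixlen), strict=False)
        routes.append((str(net), str(ipaddress.IPv4Address(nh)), tag, metric))
    if expected_password is not None and password != expected_password:
        raise ValueError("password mismatch")
    return password, routes


def route_commands(routes, table=44, dev="tunl0"):
    """Render routes in the 'ip route ... table 44' form the custom rules use
    ('replace' rather than 'add' so re-announcements do not fail)."""
    return [f"ip route replace {net} via {nh} dev {dev} onlink proto 44 table {table}"
            for net, nh, _tag, _metric in routes]


# Constructed sample: two live routes and one withdrawal; next hops are
# documentation addresses, not real gateways.
SAMPLE_PASSWORD = "example-pw"
SAMPLE_PACKET = build_announcement(SAMPLE_PASSWORD, [
    ("44.60.44.0/24", "203.0.113.5", 1),
    ("44.128.0.0/16", "198.51.100.9", 1),
    ("44.99.0.0/16", "192.0.2.77", RIP_INFINITY),
])

if __name__ == "__main__":
    pw, found = parse_announcement(SAMPLE_PACKET, expected_password=SAMPLE_PASSWORD)
    for line in route_commands(found):
        print(line)
```

Running ampr-ripd with -d, as the steps below suggest, shows the same fields (password entry, then route entries) on the live announcement; the password check here is the reason the console run comes before the -p argument is filled in.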

See

Summary

Install:

  • kmod-ipip
  • ip-full
  • ampr-ripd to /etc/config/ (always run the RIP44 software in console mode FIRST after installation to verify that it executes and to obtain the password; the line that executes the file is commented out below)
  • the following to Firewall > Custom Rules:
# (eth0.2 in this case is the public-facing WAN (to allow IPENCAP traffic); read your OpenWRT hardware Wiki for your specific model)
ifconfig tunl0 mtu 1480 up
ip tunnel change tunl0 mode ipip ttl 64 pmtudisc
### This allows all outbound from 44/8
ip route add default dev tunl0 via <AMPRGW> onlink proto 44 table 44
### ampr-ripd was installed to /etc/config/ (absolute path, so it does not depend on the working directory); uncomment after the console test
# /etc/config/ampr-ripd -p <PASSWORD> -t 44 -a <44.xxx.xxx.xxx/xx>
#OPTIONAL LAN ### ip rule add from <44.xxx.xxx.xxx/xx> to <192.168.xxx.xxx/16> table main priority 22
ip rule add to <44.xxx.xxx.xxx/xx> table main priority 44
ip rule add from 44.0.0.0/8 table 44 priority 45
### This ensures all traffic received on tunl0 (regardless of IP) only uses table 44
ip rule add dev tunl0 table 44 priority 46
  • reboot
  • an unmanaged interface instance for tunl0 (AMPRWAN) (set to not bring up on boot); add it to its own firewall zone using Input: Drop (or Reject), Output: Drop (or Reject) and Forward: Drop (or Reject). Be sure to enable connection tracking if you will not masquerade
  • an interface instance for a new VLAN and bridge (AMPRLAN); add it to its own firewall zone using Input: Accept (if you wish your AMPRLAN devices to reach the router), Output: Accept and Forward: Drop (or Reject). Assign an IP from your allocation to this interface
  • Permit forwarding from AMPRLAN to AMPRWAN
  • Permit forwarding from LAN to AMPRLAN (as desired; NOTE: you must make an IP Rule for AMPRLAN to use the LAN's route in the main routing table)
  • Create a Traffic Input rule to allow IPv4 IPENCAP (IP protocol type 4) from any IP on WAN to any IP on Router (or specify the WAN IP if statically assigned)
  • Create a Traffic Input rule to allow IPv4 udp/520 from 44.0.0.1 in AMPRWAN to 224.0.0.9 port udp/520 on Router
  • Create Traffic Forward rules for any inbound services (as desired)
  • add the VLAN to any switch/trunk ports (as desired)
  • test ampr-ripd in console using the -d argument
  • add password to Custom Rule and uncomment ampr-ripd line
  • reboot
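The zone layout in the steps above is easy to get subtly wrong in LuCI (a zone left at Accept, or a forwarding added in the wrong direction). As an added check, not from the page or the OpenWRT project, the Python below parses an /etc/config/firewall in UCI syntax and reports anything that departs from the intended layout: the tunnel zone closed in all three directions, no forwarding out of the tunnel zone, only AMPRLAN forwarded into it, the AMPRLAN zone not forwarding within itself, and the only accepted input from the tunnel zone being udp/520 from 44.0.0.1. The zone names amprwan and amprlan and both sample configs (a good one matching the steps, and a constructed weak variant) are made up for the example.

```python
"""Lint an OpenWRT /etc/config/firewall for the AMPRNet zone layout.
Example code for the wiki page; zone names and sample configs are constructed."""
import shlex

# Constructed sample matching the steps on the page (fw3 option names).
GOOD_CONFIG = """
config zone
    option name 'amprwan'
    option network 'AMPRWAN'
    option input 'DROP'
    option output 'DROP'
    option forward 'DROP'

config zone
    option name 'amprlan'
    option network 'AMPRLAN'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config forwarding
    option src 'amprlan'
    option dest 'amprwan'

config rule
    option name 'Allow-IPENCAP'
    option src 'wan'
    option proto '4'
    option target 'ACCEPT'

config rule
    option name 'Allow-RIP44'
    option src 'amprwan'
    option src_ip '44.0.0.1'
    option dest_ip '224.0.0.9'
    option proto 'udp'
    option dest_port '520'
    option target 'ACCEPT'
"""

# Constructed weak variant: the tunnel zone accepts input, and a forwarding
# entry lets traffic from the tunnel reach the home LAN.
BAD_CONFIG = GOOD_CONFIG.replace("option input 'DROP'", "option input 'ACCEPT'") + """
config forwarding
    option src 'amprwan'
    option dest 'lan'
"""

CLOSED = {"DROP", "REJECT"}


def parse_uci(text):
    """Parse UCI syntax into a list of (section_type, {option: value}).
    'list' entries are collected into Python lists; '#' comments are ignored."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        if parts[0] == "config" and len(parts) >= 2:
            sections.append((parts[1], {}))
        elif parts[0] == "option" and sections and len(parts) >= 3:
            sections[-1][1][parts[1]] = parts[2]
        elif parts[0] == "list" and sections and len(parts) >= 3:
            sections[-1][1].setdefault(parts[1], []).append(parts[2])
    return sections


def audit(text, tunnel_zone="amprwan", ampr_lan_zone="amprlan"):
    """Return a list of findings; an empty list means the config matches the layout."""
    findings = []
    sections = parse_uci(text)
    zones = {s["name"]: s for t, s in sections if t == "zone" and "name" in s}

    tz = zones.get(tunnel_zone)
    if tz is None:
        findings.append(f"zone {tunnel_zone} missing")
    else:
        for direction in ("input", "output", "forward"):
            if tz.get(direction, "ACCEPT").upper() not in CLOSED:
                findings.append(f"zone {tunnel_zone}: {direction} should be DROP or REJECT")

    lz = zones.get(ampr_lan_zone)
    if lz is None:
        findings.append(f"zone {ampr_lan_zone} missing")
    elif lz.get("forward", "ACCEPT").upper() not in CLOSED:
        findings.append(f"zone {ampr_lan_zone}: intra-zone forward should be DROP or REJECT")

    # Only AMPRLAN may be forwarded into the tunnel; the tunnel is forwarded nowhere.
    for t, s in sections:
        if t != "forwarding":
            continue
        if s.get("src") == tunnel_zone:
            findings.append(f"forwarding {tunnel_zone} -> {s.get('dest')} exposes the tunnel side")
        elif s.get("dest") == tunnel_zone and s.get("src") != ampr_lan_zone:
            findings.append(f"forwarding {s.get('src')} -> {tunnel_zone} is not from {ampr_lan_zone}")

    # Input rules on the tunnel zone (no 'dest' means input, not forward): only the
    # RIP44 announcement from 44.0.0.1 to udp/520 should be accepted.
    for t, s in sections:
        if t != "rule" or s.get("src") != tunnel_zone or "dest" in s:
            continue
        if s.get("target", "").upper() != "ACCEPT":
            continue
        rip44_only = (s.get("proto", "").lower() == "udp" and s.get("dest_port") == "520"
                      and s.get("src_ip") == "44.0.0.1")
        if not rip44_only:
            findings.append(f"rule {s.get('name', '?')} accepts more than RIP44 on {tunnel_zone}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit(cfg) or "ok")
```

On the router itself the same function can be pointed at the real file (open("/etc/config/firewall").read()) after the LuCI steps are saved; a non-empty result is a zone or forwarding that does not match the steps above.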