Difference between revisions of "Setting up a gateway on OpenWRT"

From ARDC
Revision as of 01:33, 24 November 2015

ampr-ripd has been compiled for Atheros 71xx

NOTE: To operate a Gateway on AMPRNet, you must have a method of obtaining up-to-date route information. On AMPRNet, a variant of the RIP version 2 protocol, named RIP44, is used; RIP version 2 is not the same as RIP44. rip44d is written in the Perl programming language by Heikki Hannikainen, OH7LZB. ampr-ripd is written in C by YO2LOJ. The routing table is relatively small, so the performance or memory consumption of this daemon isn't very critical. ampr-ripd is used in this instance, so no other prerequisite software is required to run the RIP44 daemon.

  • You must have access to a binary executable of ampr-ripd that is compatible with the CPU in your OpenWRT device (e.g. i386, i586, x86_64, MIPS, PPC, etc.). If you do not, you must compile ampr-ripd yourself, or install the packages necessary to run rip44d.

See

Summary

NOTE: These instructions assume that you intend to configure your OpenWRT-based AMPRNet Gateway to be a stateful firewall for your AMPRNet allocations (i.e. enabling connection tracking). If you prefer to forward all traffic to your allocated AMPRNet IP addresses, you may still follow these instructions, but configure your Firewall Zones to forward all traffic to/from AMPRLAN to AMPRWAN.

Install:

  • kmod-ipip
  • ip-full
  • ampr-ripd to /etc/config/ (always run RIP44 software in console mode FIRST after installation to verify execution and obtain the password, the execution of the file is commented-out below)
  • the following to Firewall > Custom Rules:
ifconfig tunl0 mtu 1480 up
ip tunnel change tunl0 mode ipip ttl 64 pmtudisc
ip route add default dev tunl0 via <AMPRGW> onlink proto 44 table 44
# /etc/config/ampr-ripd -p <PASSWORD> -t 44 -a <44.xxx.xxx.xxx/xx>
#OPTIONAL LAN ### ip rule add from <44.xxx.xxx.xxx/xx> to <192.168.xxx.xxx/16> table main priority 22
#ADD A RULE FOR EVERY LOCAL AMPR SUBNET, RENUMBER 44-4X ACCORDINGLY
ip rule add to <44.xxx.xxx.xxx/xx> table main priority 44
###Add this after you create the AMPRLAN bridge, this ensures all traffic from AMPRLAN uses table 44
ip rule add dev br-amprlan table 44 priority 45
### This ensures all traffic received on tunl0 uses table 44
ip rule add dev tunl0 table 44 priority 46
  • reboot
  • an unmanaged interface instance for tunl0 (AMPRWAN) (set to not bring up on boot), adding it to its own firewall zone using Input: Drop (or Reject), Output: Drop (or Reject) and Forward: Drop (or Reject). Be sure to enable connection tracking if you will not masquerade
  • an interface instance for a new VLAN and bridge (AMPRLAN), add it to its own firewall zone using Input: Accept (if you wish for your AMPRLAN devices to reach the router), Output: Accept and Forward: Drop (or Reject). Assign an IP from your allocation to this interface; you will configure this IP on your devices as the Default Route/Gateway address.
  • reboot
  • Permit forwarding from AMPRLAN to AMPRWAN
  • Permit forwarding from LAN to AMPRLAN (as desired, NOTE: you must make an IP Rule for the AMPRLAN to use the LAN's route on the Main Routing Table)
  • Create Traffic Input rule to allow IPv4 IPENCAP (IP protocol type 4) from Any IP on WAN to any IP on Router (or specify WAN IP if statically assigned)
  • Create Traffic Input rule to allow IPv4 udp/520 from 44.0.0.1 on AMPRWAN to 224.0.0.9 port udp/520 on the Router
  • Create Traffic Forward rules for any inbound services (as desired)
  • assign the VLAN to any switch/trunk ports (as desired)
  • test ampr-ripd in console using the -d argument
  • add password to Custom Rule and uncomment ampr-ripd line
  • reboot
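As an added example (not part of the original page), a POSIX shell function that prints the Custom Rules block above for any number of local AMPRNet subnets: the "to <subnet> table main" rules are numbered from priority 44 upward as the comment in that block requires, and the br-amprlan and tunl0 rules are placed after the last of them so the subnet rules always win. The function name, the gateway address and the subnets in the usage comment are assumed or constructed; the function only prints commands and does not change the running router.

```shell
#!/bin/sh
# ampr_custom_rules <AMPRGW> "<subnet> [<subnet> ...]" [<LAN prefix>]
# Emits the Firewall > Custom Rules lines from this page. Priorities:
#   22        optional "from AMPRLAN subnet to LAN" rules (one per subnet)
#   44..44+N  "to <subnet> table main" rules, one per local subnet
#   next two  br-amprlan and tunl0 rules, so they never shadow a subnet rule
ampr_custom_rules() {
    gw=$1; subnets=$2; lan=$3
    if [ -z "$gw" ] || [ -z "$subnets" ]; then
        echo 'usage: ampr_custom_rules <AMPRGW> "<subnets>" [<LAN prefix>]' >&2
        return 2
    fi
    echo "ifconfig tunl0 mtu 1480 up"
    echo "ip tunnel change tunl0 mode ipip ttl 64 pmtudisc"
    echo "ip route add default dev tunl0 via $gw onlink proto 44 table 44"
    prio=44
    for net in $subnets; do
        # Refuse anything outside 44/8: a non-AMPRNet prefix here would
        # silently pull that traffic off the policy table onto the tunnel.
        case $net in
            44.*/*) ;;
            *) echo "not an AMPRNet subnet: $net" >&2; return 1 ;;
        esac
        if [ -n "$lan" ]; then
            echo "ip rule add from $net to $lan table main priority 22"
        fi
        echo "ip rule add to $net table main priority $prio"
        prio=$((prio + 1))
    done
    # Everything else entering from the AMPRLAN bridge or the tunnel uses table 44
    echo "ip rule add dev br-amprlan table 44 priority $prio"
    echo "ip rule add dev tunl0 table 44 priority $((prio + 1))"
}
# Example (constructed values): ampr_custom_rules 192.0.2.1 "44.1.2.0/24 44.1.3.0/24" 192.168.0.0/16
```

Paste the printed lines into Firewall > Custom Rules in place of the hand-numbered block; the ampr-ripd line and its password are still added separately as the steps above describe.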