OpenWRT

    OpenWRT is a Linux distribution that runs on routers, switches and access points.

    Web GUI (Luci)

    opkg update
    opkg install luci-ssl
    

    Note: the plain ''luci'' package (without SSL) also works, but then the login form and the session cookie travel over plain HTTP. luci-ssl makes uhttpd generate a self-signed certificate at first start, so a browser warning on the first visit is expected; compare the certificate fingerprint if the management network is not trusted.

    To start luci automatically :

    /etc/init.d/uhttpd enable

    First start : /etc/init.d/uhttpd start

    Change the web UI theme: opkg install luci-theme-bootstrap

    Then go to ''System > System > Language and Style > Design > Bootstrap''.

    Auto upgrade

    ASU: AttendedSysUpgrade (project)

    AUC: AttendedSysUpgrade CLI (package)

    Use carefully:

    • (-) no signature check on the image that auc downloads
    • (-) the image is built by an external worker; it is however possible to self-host the builder and point the device to it with the url in /etc/config/attendedsysupgrade (no ARM support yet)
    • (+) practical: the built image contains the packages installed on the current system
    opkg install auc
    

    Example for a specific version:

    auc -b 22.03
    

    Note: if you get the error Bad message (74), run /etc/init.d/rpcd restart and retry.

    Commands

    Run opkg update before installing a package on a freshly booted device: the package lists live in /tmp (RAM) and are gone after a reboot. The lists are signed and opkg checks them (option check_signature in /etc/opkg.conf), so a failing update deserves a look rather than a retry with the check disabled.

    opkg update

    Network

    Routing

    Failover IP - dual WAN (mwan3)

    Installation: opkg install mwan3

    Status: mwan3 status

    /etc/config/mwan3:

    config globals 'globals'
            option mmx_mask '0x3F00'
    
    config interface 'wan'
            option enabled '1'
            list track_ip '8.8.4.4'
            list track_ip '8.8.8.8'
            list track_ip '208.67.222.222'
            list track_ip '208.67.220.220'
            option family 'ipv4'
            option reliability '1'
    
    config interface 'wan6'
            option enabled '0'
            list track_ip '2001:4860:4860::8844'
            list track_ip '2001:4860:4860::8888'
            list track_ip '2620:0:ccd::2'
            list track_ip '2620:0:ccc::2'
            option family 'ipv6'
            option reliability '2'
    
    config interface 'wanb'
            option enabled '1'
            list track_ip '8.8.4.4'
            list track_ip '8.8.8.8'
            list track_ip '208.67.222.222'
            list track_ip '208.67.220.220'
            option family 'ipv4'
            option reliability '1'
    
    config interface 'wanb6'
            option enabled '0'
            list track_ip '2001:4860:4860::8844'
            list track_ip '2001:4860:4860::8888'
            list track_ip '2620:0:ccd::2'
            list track_ip '2620:0:ccc::2'
            option family 'ipv6'
            option reliability '1'
    
    config member 'wan_m1_w3'
            option interface 'wan'
            option metric '1'
            option weight '3'
    
    config member 'wan_m2_w3'
            option interface 'wan'
            option metric '2'
            option weight '3'
    
    config member 'wanb_m1_w2'
            option interface 'wanb'
            option metric '1'
            option weight '2'
    
    config member 'wanb_m2_w2'
            option interface 'wanb'
            option metric '2'
            option weight '2'
    
    config member 'wan6_m1_w3'
            option interface 'wan6'
            option metric '1'
            option weight '3'
    
    config member 'wan6_m2_w3'
            option interface 'wan6'
            option metric '2'
            option weight '3'
    
    config member 'wanb6_m1_w2'
            option interface 'wanb6'
            option metric '1'
            option weight '2'
    
    config member 'wanb6_m2_w2'
            option interface 'wanb6'
            option metric '2'
            option weight '2'
    
    #config policy 'wan_only'
    #       list use_member 'wan_m1_w3'
    #       list use_member 'wan6_m1_w3'
    
    #config policy 'wanb_only'
    #       list use_member 'wanb_m1_w2'
    #       list use_member 'wanb6_m1_w2'
    
    #config policy 'balanced'
    #       list use_member 'wan_m1_w3'
    #       list use_member 'wanb_m1_w2'
    #       list use_member 'wan6_m1_w3'
    #       list use_member 'wanb6_m1_w2'
    
    config policy 'wan_wanb'
            list use_member 'wan_m1_w3'
            list use_member 'wanb_m2_w2'
            list use_member 'wan6_m1_w3'
    #       list use_member 'wanb6_m2_w2'
    
    #config rule 'https'
    #       option sticky '1'
    #       option dest_port '443'
    #       option proto 'tcp'
    #       option use_policy 'balanced'
    
    config rule 'default_rule_v4'
            option dest_ip '0.0.0.0/0'
            option use_policy 'wan_wanb'
            option family 'ipv4'
            option sticky '0'
    
    #config rule 'default_rule_v6'
    #       option dest_ip '::/0'
    #       option use_policy 'wan_wanb'
    #       option family 'ipv6'
    

    Note: each WAN interface (wan, wanb, wan6, wanb6) needs its own distinct option metric in /etc/config/network; mwan3 requires a unique metric per interface to build the per-interface routing tables it switches between. Also note that the track_ip hosts (public resolvers here) are pinged continuously from every WAN and their answers decide when a link is declared down.

    List connected clients

    cat /tmp/dhcp.leases
    ubus call dhcp ipv4leases
    ubus call dhcp ipv6leases
    

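    A quick audit of the lease file is worth running regularly on a router that also serves guests: list every lease whose MAC is not declared as a static host. The script below is an added example, not from this page or from OpenWRT; the lease lines and the config fragment embedded in it are constructed sample data, and on a device you would feed it the contents of /tmp/dhcp.leases and /etc/config/dhcp instead. A MAC allowlist is inventory hygiene, not access control: MACs are trivially spoofed.

```shell
#!/bin/sh
# Added example (not from the page): flag DHCP leases whose MAC is not declared
# as a "config host" entry in /etc/config/dhcp. Needs only BusyBox sh + awk.
# SAMPLE_LEASES and SAMPLE_DHCP_CONFIG are constructed sample data; on a router use
#   audit_leases "$(cat /tmp/dhcp.leases)" "$(cat /etc/config/dhcp)"

# dnsmasq lease line format: <expiry-epoch> <mac> <ip> <hostname> <client-id>
SAMPLE_LEASES='1700000000 aa:bb:cc:dd:ee:01 192.168.2.10 laptop 01:aa:bb:cc:dd:ee:01
1700000050 AA:BB:CC:DD:EE:02 192.168.2.11 printer *
1700000100 de:ad:be:ef:00:01 192.168.2.12 * *'

SAMPLE_DHCP_CONFIG="config host
        option name 'laptop'
        option mac 'AA:BB:CC:DD:EE:01'
        option ip '192.168.2.10'

config host
        option mac 'aa:bb:cc:dd:ee:02'
        option ip '192.168.2.11'"

# Print the MAC of every "config host" section, lowercased, one per line.
known_macs() {
    printf '%s\n' "$1" | awk -v q="'" '$1 == "option" && $2 == "mac" { gsub(q, "", $3); print tolower($3) }'
}

# Print "<mac> <ip> <hostname>" for each lease whose MAC is not a known host.
# $1 = lease file contents, $2 = /etc/config/dhcp contents.
unknown_leases() {
    allow=$(known_macs "$2" | tr '\n' ' ')
    printf '%s\n' "$1" | awk -v allow="$allow" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) if (a[i] != "") ok[a[i]] = 1 }
        NF >= 4 { m = tolower($2); if (!(m in ok)) print m, $3, $4 }'
}

# Exit status 1 (and the offending leases on stdout) when an unknown device holds
# a lease, 0 otherwise; usable from cron to raise an alert.
audit_leases() {
    out=$(unknown_leases "$1" "$2")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Stand-alone run on the constructed data: the third lease is reported.
audit_leases "$SAMPLE_LEASES" "$SAMPLE_DHCP_CONFIG" || echo "-> unknown device(s) above, check the inventory"
```

    The comparison is case-insensitive on purpose: dnsmasq writes lowercase MACs to the lease file while UCI entries are often typed uppercase, and a naive string match would report every static host as unknown.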
    On wifi:

    # Universal
    iwinfo wlan0 assoclist
    
    # Proprietary Broadcom (wl)
    wl -i wl0 assoclist
    
    # Proprietary Atheros (madwifi)
    wlanconfig ath0 list sta
    
    # MAC80211
    iw dev wlan0 station dump
    

    List wireless networks

    iwinfo wlan0 scan
    

    Add a DHCP server to an interface

    /etc/config/dhcp

    config dhcp 'management'
            option interface 'management'
            option start '100'
            option limit '150'
            option leasetime '12h'
    

    DHCP options

    config dhcp 'management'
      ...
      list dhcp_option '6,192.168.1.10,192.168.1.11'
      list dhcp_option '66,192.168.0.15'
    

    Notes:

    • 6: DNS servers, primary,secondary (the secondary is optional)
    • 66: TFTP server name, used for PXE/iPXE boot
    • clients accept these values from whichever DHCP server answers first, so a rogue DHCP server on the segment can redirect both DNS and network boot; keep PXE clients on a VLAN you control

    Configure an interface as a DHCP client

    /etc/config/network

    config interface 'lan'
            ...
            option proto 'dhcp'
    

    Add a vlan

    /etc/config/network

    config bridge-vlan
            option device 'br-lan'
            option vlan '100'
            list ports 'eth0:t'
    

    IMPORTANT: the first bridge-vlan section makes br-lan VLAN-aware. If the lan interface still points at the bare 'br-lan' device and uses DHCP, change its device to the VLAN sub-interface (br-lan.100 below) in the same edit, otherwise the interface loses connectivity and the device becomes unreachable (failsafe mode is then the way back in).

    /etc/config/network

    config interface 'lan'
            option device 'br-lan.100'
            option proto 'dhcp'
    

    Set static ip to an interface

    /etc/config/network

    config device
            option name 'management'
            option type 'bridge'
            list ports 'lan8'
    
    config interface 'management'
            option device 'management'
            option proto 'static'
            option netmask '255.255.255.0'
            option ipaddr '192.168.20.1'
    

    Note: replace lan8 with one of the device's real ports; use ls -l /sys/class/net/ to list them.

    Select DNS Server for a network interface

    /etc/config/network

    config interface 'lan'
      ...
      list dns '192.168.2.227'
    

    dnsmasq with PXE

    /etc/dnsmasq.conf

    dhcp-match=set:ipxeclient,60,IPXEClient*
    dhcp-match=set:bios,60,PXEClient:Arch:00000
    dhcp-boot=tag:bios,netboot.xyz.kpxe,,192.168.4.146
    dhcp-match=set:efi32,60,PXEClient:Arch:00002
    dhcp-boot=tag:efi32,netboot.xyz.efi,,192.168.4.146
    dhcp-match=set:efi32-1,60,PXEClient:Arch:00006
    dhcp-boot=tag:efi32-1,netboot.xyz.efi,,192.168.4.146
    dhcp-match=set:efi64,60,PXEClient:Arch:00007
    dhcp-boot=tag:efi64,netboot.xyz.efi,,192.168.4.146
    dhcp-match=set:efi64-1,60,PXEClient:Arch:00008
    dhcp-boot=tag:efi64-1,netboot.xyz.efi,,192.168.4.146
    dhcp-match=set:efi64-2,60,PXEClient:Arch:00009
    dhcp-boot=tag:efi64-2,netboot.xyz.efi,,192.168.4.146
    

    Note:

    • ensure a TFTP server is running at 192.168.4.146 and serves netboot.xyz.kpxe / netboot.xyz.efi
    • not sure, but I think this is only required if you need to change the default boot filenames (.efi, .kpxe)
    • PXE/TFTP has no authentication: whoever answers DHCP or controls the TFTP host on that segment decides what the client boots

    Add static lease on the DHCP

    /etc/config/dhcp

    config host
            option ip '192.168.2.227'
            option mac '62:34:29:95:F9:56'
    

    Spanning Tree Protocol (STP)

    /etc/config/network

    config interface 'lan'
            ...
            option stp      1
    

    Note: this is the pre-21.02 (swconfig) layout where the bridge is declared on the interface; on 21.02+ with DSA the bridge is a config device section (e.g. br-lan) and option stp '1' belongs there.

    Port Mirroring

    /etc/firewall.user

    iptables -A POSTROUTING -t mangle -o br-lan ! -s 192.168.2.227 -j TEE --gateway 192.168.2.227
    iptables -A PREROUTING -t mangle -i br-lan ! -d 192.168.2.227 -j TEE --gateway 192.168.2.227
    

    Note: requires opkg install iptables-mod-tee kmod-ipt-tee

    Then /etc/init.d/firewall restart

    Caveats:

    • /etc/firewall.user is only read by fw3 (OpenWRT 21.02 and earlier); on 22.03+ the firewall is fw4 on nftables, the file is ignored, and the equivalent is an nftables rule using dup to 192.168.2.227 device br-lan placed in a file fw4 includes (e.g. under /etc/nftables.d/)
    • only routed traffic is mirrored: frames switched between ports of the same VLAN, in hardware or inside the bridge, never enter these mangle chains
    • the mirror host receives a copy of every forwarded packet, cleartext credentials included; keep it on its own port/VLAN and treat it as sensitive as the router itself

    Failsafe

    If the router has a problem and is no longer reachable, enter failsafe mode. If failsafe doesn't work either, the OS has to be re-flashed with the device's recovery (hard flash) procedure.

    1. Shut the device down.

    2. Give your computer the static IP 192.168.1.2 with netmask 255.255.255.0.

    3. Turn the device on and press the "reset" button when a LED starts blinking during boot > depending on the device, sometimes I keep it pressed for 10 seconds, sometimes I press/release it repeatedly for 10 seconds.

    4. Then you can ssh root@192.168.1.1 and run different commands:

    • mount_root, then inspect and fix /etc/config/* before rebooting
    • reset everything: firstboot (followed by reboot)

    Note: Don't forget to change the root password! After firstboot the configuration is back to defaults and root has no password, so anyone on the LAN can log in over ssh or LuCI until passwd has been run.

    Wireless network

    Resources

    • wireless configuration
    • https://www.open-mesh.org/projects/batman-adv/wiki/Batman-adv-openwrt-config
    • https://forum.openwrt.org/t/home-set-up-with-openwrt-and-ubiquiti/104502/4
    • https://forum.openwrt.org/t/mesh-with-batman-and-dhcp-per-vlan-only-one-vlan-get-an-ip/106679
    • https://forum.openwrt.org/t/internet-issue-in-a-mesh-network/88937/28?u=lpyparmentier
    • https://forum.openwrt.org/t/mesh-network-bad-performance/97447/6
    • https://cgomesu.com/blog/Mesh-networking-openwrt-batman/

    Set-up mesh

    opkg update
    opkg install kmod-batman-adv
    opkg install batctl-full
    
    # on snapshot version:
    opkg remove wpad-basic
    opkg install wpad-mesh-openssl
    
    # on 21.02.1:
    opkg remove wpad-basic
    opkg remove wpad-basic-wolfssl
    opkg install wpad-mesh-openssl
    

    Notes (on the snapshot version - first time I did the installation):

    • removing wpad-basic did not work, I had to remove other packages; check with opkg find wpad*
    • I think that to make it work I installed wpad-mesh-wolfssl

    If you have no internet access you can install the .ipk packages directly:

    scp network/misc/mesh-packages-mt7622/*.ipk mesg-node:/tmp/
    opkg install /tmp/*.ipk
    

    Important: these packages are for a Ubiquiti device with an mt7622 SoC on version 21.02.1; they can be completely different from one chip to another and from one OpenWRT version to another, and the kmod-* packages must match the running kernel build exactly (the 5.4.154 in their names below).

    Verify the files against the signed checksum list:

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256
    
    efb940fbf405318e59e31afe51767f949a6337213546018f21f3ddfdf9527eb4  batctl-full_2021.1-1_aarch64_cortex-a53.ipk
    6f555c784d672366e7874459238529c21e4e68e17fdaae47f6a029b7a8cdaaa8  batctl-tiny_2021.1-1_aarch64_cortex-a53.ipk
    a9531f2450c53c243087475c4af19fcb3db23723fd21304550120afc75cd7756  kmod-batman-adv_5.4.154+2021.1-4_aarch64_cortex-a53.ipk
    3690620c28de5d79549fa1b9dea5d802d9af312401d9e3023f66bc32b4278cdb  kmod-crypto-crc32c_5.4.154-1_aarch64_cortex-a53.ipk
    4c7b75d334b203ed5cc69e7a5522c1202909d3938a2e94f42bddea01043bdc36  kmod-crypto-hash_5.4.154-1_aarch64_cortex-a53.ipk
    fcdd9ac54677afb5454cc7ab585aecfac39cdd70dd8e4e2a01005ee98e310687  kmod-lib-crc16_5.4.154-1_aarch64_cortex-a53.ipk
    b06f53f514c892b3116ba93b0d75add2ab52a4ddf01f5a4671b860b1b499990e  kmod-lib-crc32c_5.4.154-1_aarch64_cortex-a53.ipk
    0f0e65f4538e63eae8d02444a92faecdeb49dad6c0d397f63d0a869af674a09e  libopenssl1.1_1.1.1l-1_aarch64_cortex-a53.ipk
    f5bd1e22c354b67d569572934a958e80ab42a1e1e1a75f081f2f2df57d23285a  librt_1.1.24-3_aarch64_cortex-a53.ipk
    1eb8c9aab04e5c043e1d4fb713ff15df66cdcef1310a5efe6bf1b42ca39a87a6  wpad-mesh-openssl_2020-06-08-5a8b3662-35_aarch64_cortex-a53.ipk
    -----BEGIN PGP SIGNATURE-----
    
    iHUEAREIAB0WIQS6FrUxin3X0/uI3zRD+jfzTY+N4AUCYYPreQAKCRBD+jfzTY+N
    4G5RAP9opkPozSaJ61jYZRcM8sU1fYHtgFoqqG/z3niHDThk+QD/Rg6YDDHMVeJK
    k/pDZyZ5Tv7MCanVYtuMRr8kMKbeVxA=
    =j0cq
    -----END PGP SIGNATURE-----
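
    Checking the signature and then the checksums before opkg install /tmp/*.ipk closes the gap that hand-copied packages open: opkg's signature checking covers the package lists it downloads, not a .ipk you copy in by hand. The script below is an added example, not part of this page or of OpenWRT. gpg --verify checks the clearsigned list, and sha256sum -c checks every listed file and fails on a missing or altered one. make_demo() builds a throwaway directory with constructed files and a placeholder (invalid) signature so the checksum part can be run anywhere; verify_ipks() additionally needs the signer's public key in the keyring.

```shell
#!/bin/sh
# Added example (not from the page): check locally copied .ipk files against a
# clearsigned sha256 list (same layout as the one above) before installing them.
# The files and the list produced by make_demo() are constructed sample data with
# a placeholder signature, so only the checksum path runs stand-alone.

# Print only the "<sha256>  <file>" lines of a clearsigned message.
signed_sums_body() {
    awk '/^-----BEGIN PGP SIGNED MESSAGE-----$/ { hdr = 1; next }
         hdr && /^$/                          { hdr = 0; body = 1; next }
         /^-----BEGIN PGP SIGNATURE-----$/    { body = 0 }
         body && NF == 2                       { print }' "$1"
}

# Verify the listed files inside directory $2; non-zero if any is missing or altered.
check_sums() {
    signed_sums_body "$1" | ( cd "$2" && sha256sum -c - )
}

# Full check: signature first (signer's key must be in the keyring), then checksums.
verify_ipks() {
    gpg --verify "$1" >/dev/null 2>&1 || { echo "signature check failed for $1" >&2; return 1; }
    check_sums "$1" "$2"
}

# Build a throwaway directory: two files plus a list whose hashes match them.
# The "signature" block is a placeholder, not a real PGP signature.
make_demo() {
    d=$(mktemp -d)
    printf 'hello' > "$d/a.ipk"
    : > "$d/b.ipk"
    cat > "$d/sums.asc" <<'EOF'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  a.ipk
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  b.ipk
-----BEGIN PGP SIGNATURE-----

notarealsignature
-----END PGP SIGNATURE-----
EOF
    printf '%s\n' "$d"
}

# Stand-alone demo: untouched files pass, a modified file is caught.
demo_dir=$(make_demo)
check_sums "$demo_dir/sums.asc" "$demo_dir" && echo "intact"
printf 'x' >> "$demo_dir/b.ipk"
check_sums "$demo_dir/sums.asc" "$demo_dir" || echo "tampered file detected"
rm -r "$demo_dir"
```

    On the node, after copying the list and the packages to /tmp, the real call is verify_ipks /tmp/sums.asc /tmp; install only when it returns 0.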
    

    /etc/config/wireless

    config wifi-device 'radio1'
            option type 'mac80211'
            option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
            option hwmode '11a'
            option channel '36'
            option band '5g'
            option htmode 'HE80'
            option disabled '0'
            option cell_density '0'
            option country 'FR'
    
    config wifi-iface 'mesh0'
            option device 'radio1'
            option ifname 'mesh0'
            option network 'nwi_mesh0'
            option mode 'mesh'
            option mesh_fwding '0'
            option mesh_id 'meshlr6'
            option key 'xxx'
            option mesh_rssi_threshold '0'
            option encryption 'sae'
    
    

    Notes:

    • specify the key: it is the SAE passphrase shared by all nodes and the only thing that keeps a foreign node out of the mesh (do not leave 'xxx')
    • some encryptions are incompatible with 802.11s (e.g., wpa2-psk)
    • sae is WPA3-SAE encryption
    • mesh_fwding '0' disables the 802.11s layer-2 forwarding so that batman-adv alone decides the paths

    /etc/config/network

    config interface 'bat0'
            option proto 'batadv'
            option routing_algo 'BATMAN_IV'
            option aggregated_ogms 1
            option ap_isolation 0
            option bonding 0
            option fragmentation 1
            #option gw_bandwidth '10000/2000'
            option gw_mode 'off'
            #option gw_sel_class 20
            option log_level 0
            option orig_interval 1000
            option bridge_loop_avoidance 1
            option distributed_arp_table 1
            option multicast_mode 1
            option network_coding 0
            option hop_penalty 30
            option isolation_mark '0x00000000/0x00000000'
    
    config interface 'nwi_mesh0'
            option mtu '2304'
            option proto 'batadv_hardif'
            option master 'bat0'
    

    Note: the name of this interface must be the one given in option network of the wifi-iface ('nwi_mesh0' above, and the one the logs below report coming up); otherwise the radio is never attached to bat0.

    Debug mesh

    Capture everything on the mesh interface: batctl tcpdump mesh0

    Check mesh connectivity:

    • iw dev mesh0 station dump (802.11s peers and their signal)
    • iw dev mesh0 mpath dump (802.11s path table)

    Through logs with logread -l 20 -f:

    root@lr6-node1:/etc/config# logread -l 20 -f
    Fri Sep 17 07:43:47 2021 daemon.notice netifd: Network device 'mesh0' link is up
    Fri Sep 17 07:43:47 2021 daemon.notice netifd: Interface 'nwi_mesh0' has link connectivity
    Fri Sep 17 07:43:47 2021 daemon.notice netifd: Interface 'nwi_mesh0' is setting up now
    Fri Sep 17 07:43:47 2021 daemon.notice wpa_supplicant[4056]: mesh0: CTRL-EVENT-CONNECTED - Connection to 00:00:00:00:00:00 completed [id=0 id_str=]
    Fri Sep 17 07:43:47 2021 daemon.notice wpa_supplicant[4056]: mesh0: MESH-GROUP-STARTED ssid="meshlr6" id=0
    Fri Sep 17 07:43:47 2021 kern.info kernel: [ 2457.705513] IPv6: ADDRCONF(NETDEV_CHANGE): mesh0: link becomes ready
    Fri Sep 17 07:43:47 2021 kern.info kernel: [ 2457.724934] batman_adv: bat0: Adding interface: mesh0
    Fri Sep 17 07:43:47 2021 kern.info kernel: [ 2457.730120] batman_adv: bat0: Interface activated: mesh0
    Fri Sep 17 07:43:47 2021 daemon.notice netifd: Interface 'nwi_mesh0' is now up
    Fri Sep 17 07:43:52 2021 daemon.notice wpa_supplicant[4056]: mesh0: new peer notification for 26:5a:4c:99:f4:15
    Fri Sep 17 07:43:53 2021 daemon.notice wpa_supplicant[4056]: mesh0: mesh plink with 26:5a:4c:99:f4:15 establis
    

    The output of batctl o (originators) and/or batctl n (neighbours) should show the various batman-adv nodes "seeing" each other over the mesh.

    Since watch is not available:

    while true; do clear; batctl o; sleep 1; done
    

    Resources:

    • https://openwrt.org/docs/guide-user/network/wifi/mesh/80211s
    • https://openwrt.org/docs/guide-user/network/wifi/mesh/batman
    • https://bmaupin.github.io/wiki/other/openwrt/openwrt-80211s.html
    • https://cgomesu.com/blog/Mesh-networking-openwrt-batman/
    • https://www.radiusdesk.com/old_wiki/technical_discussions/batman_basic

    Check mesh performance

    root@lr6-gw:~# batctl tp 26:5a:4c:99:a8:c5
    Test duration 10720ms.
    Sent 769373856 Bytes.
    Throughput: 68.45 MB/s (574.16 Mbps)
    

    Issues

    WNDR3700 wifi button

    opkg update
    opkg install wifitoggle
    uci set wifitoggle.@wifitoggle[0].button=BTN_2
    uci set wifitoggle.@wifitoggle[0].timer=0
    uci commit wifitoggle
    

    Configure ssh (dropbear)

    Go to LuCI or edit /etc/config/dropbear.

    Notes:

    • if you change the port in the config file, open it on the firewall too, and only for the zone you manage from (normally lan)
    • once key login works, set option PasswordAuth 'off' and option RootPasswordAuth 'off' so the root password can no longer be guessed over ssh
    • option Interface 'lan' keeps dropbear from listening on the wan side at all

    Generate host key

    dropbearkey -t rsa -s 4096 -f /etc/dropbear/dropbear_rsa_host_key
    

    Verify the key

    dropbearkey -y -f /etc/dropbear/dropbear_rsa_host_key  | grep "^ssh-rsa "
    

    Note: ssh-keygen is not available on OpenWRT; extract the public key (see above), save it on a computer and check its fingerprint with ssh-keygen -lf. Compare that fingerprint with the one your ssh client shows at first connection: a mismatch means the host key was replaced or the session is being intercepted.
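    The same fingerprint can be computed on the router itself, without ssh-keygen. The script below is an added example, not from this page or from dropbear: it takes the ssh-rsa line printed by dropbearkey -y, decodes the base64 blob, hashes it with sha256sum and prints SHA256:<base64 without padding>, the format ssh-keygen -lf and OpenSSH clients use, so the value can be compared directly with what the client shows at first connection. The blob aGVsbG8= in the demo is a constructed placeholder (the bytes "hello"), not a real key, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the page): OpenSSH-style SHA256 fingerprint of a public
# key line ("ssh-rsa AAAA... comment") using only base64, sha256sum and awk,
# all available on BusyBox/coreutils. The blob "aGVsbG8=" below is a constructed
# placeholder (the bytes "hello"), not a real key.

# Base64-encode a lowercase hex string, without '=' padding, as ssh-keygen prints it.
hex_to_b64() {
    printf '%s\n' "$1" | awk '
    BEGIN {
        tbl = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
        hx  = "0123456789abcdef"
    }
    {
        n = length($0) / 2
        for (i = 1; i <= n; i++)
            b[i] = (index(hx, substr($0, 2*i-1, 1)) - 1) * 16 + index(hx, substr($0, 2*i, 1)) - 1
        out = ""
        for (i = 1; i <= n; i += 3) {
            # pack up to three bytes into 24 bits, emit one 6-bit symbol per present byte + 1
            v = b[i] * 65536 + (i+1 <= n ? b[i+1] : 0) * 256 + (i+2 <= n ? b[i+2] : 0)
            out = out substr(tbl, int(v / 262144) + 1, 1) substr(tbl, int(v / 4096) % 64 + 1, 1)
            if (i+1 <= n) out = out substr(tbl, int(v / 64) % 64 + 1, 1)
            if (i+2 <= n) out = out substr(tbl, v % 64 + 1, 1)
        }
        print out
    }'
}

# "ssh-rsa AAAA... comment" -> "SHA256:<43 base64 chars>"
# The digest is taken over the decoded key blob, exactly as ssh-keygen -lf does.
ssh_fp_sha256() {
    blob=$(printf '%s\n' "$1" | awk '{ print $2 }')
    hex=$(printf '%s' "$blob" | base64 -d | sha256sum | cut -c1-64)
    printf 'SHA256:%s\n' "$(hex_to_b64 "$hex")"
}

# Exit status 0 when the key line matches the pinned fingerprint, 1 otherwise.
check_pinned_fp() {
    [ "$(ssh_fp_sha256 "$1")" = "$2" ]
}

# On a router:
#   ssh_fp_sha256 "$(dropbearkey -y -f /etc/dropbear/dropbear_rsa_host_key | grep '^ssh-rsa ')"
# Stand-alone demo on the constructed blob:
ssh_fp_sha256 "ssh-rsa aGVsbG8= demo"
```

    Keep the printed value somewhere off the device (a password manager or the host inventory) and feed it to check_pinned_fp after every sysupgrade: a host key that changes without a matching change in the inventory is exactly the event this check exists to catch.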

    Add the public key

    Append it, one key per line, to /etc/dropbear/authorized_keys (keep the file mode 0600; dropbear refuses a key file that is writable by others).

    Tips

    Access between vlans

    Configuration:

    • vlan 1 (home) : 192.168.2.1/24
    • vlan 2 (services) : 192.168.4.1/24 (http service on port 8081 at 192.168.4.2)

    Two equivalent accesses, both as sections of /etc/config/firewall (firewall zones 'home' and 'services' are assumed to exist); each opens only that host and port, nothing else between the two vlans:

    • one direct access (forwarding rule)
    • one through DNAT (the service is reached on the router's own home address)

    # access with curl http://192.168.4.2:8081 (from home network)
    config rule
            option src  'home'
            option dest 'services'
            option dest_ip '192.168.4.2'
            option dest_port '8081'
            option proto   'tcp'
            option target  'ACCEPT'
    
    # dnat access with curl http://192.168.2.1:8081 (from home network)
    config redirect
            option target 'DNAT'
            option src 'home'
            option src_dport '8081'
            option proto 'tcp'
            option dest 'services'
            option dest_ip '192.168.4.2'
            option dest_port '8081'
            option family 'ipv4'