OpenWRT
This OS runs on routers, switches and access points.
Resources
- configuration
- supported devices
- configuration syntax update from 19 to 21
- Tri-band supported devices
Web GUI (Luci)
opkg update
opkg install luci-ssl
Note: it is also possible to install the ''luci'' package without SSL.
To start LuCI automatically:
/etc/init.d/uhttpd enable
First start :
/etc/init.d/uhttpd start
Change WEB-UI:
opkg install luci-theme-bootstrap
Then, go on ''System > System > Language and Style > Design > Bootstrap''.
Commands
Always run this command on first connection, before installing a new package.
opkg update
Network
Routing
Failover IP - double wan
Installation: opkg install mwan3
Status: mwan3 status
/etc/config/mwan3:
config globals 'globals'
option mmx_mask '0x3F00'
config interface 'wan'
option enabled '1'
list track_ip '8.8.4.4'
list track_ip '8.8.8.8'
list track_ip '208.67.222.222'
list track_ip '208.67.220.220'
option family 'ipv4'
option reliability '1'
config interface 'wan6'
option enabled '0'
list track_ip '2001:4860:4860::8844'
list track_ip '2001:4860:4860::8888'
list track_ip '2620:0:ccd::2'
list track_ip '2620:0:ccc::2'
option family 'ipv6'
option reliability '2'
config interface 'wanb'
option enabled '1'
list track_ip '8.8.4.4'
list track_ip '8.8.8.8'
list track_ip '208.67.222.222'
list track_ip '208.67.220.220'
option family 'ipv4'
option reliability '1'
config interface 'wanb6'
option enabled '0'
list track_ip '2001:4860:4860::8844'
list track_ip '2001:4860:4860::8888'
list track_ip '2620:0:ccd::2'
list track_ip '2620:0:ccc::2'
option family 'ipv6'
option reliability '1'
config member 'wan_m1_w3'
option interface 'wan'
option metric '1'
option weight '3'
config member 'wan_m2_w3'
option interface 'wan'
option metric '2'
option weight '3'
config member 'wanb_m1_w2'
option interface 'wanb'
option metric '1'
option weight '2'
config member 'wanb_m2_w2'
option interface 'wanb'
option metric '2'
option weight '2'
config member 'wan6_m1_w3'
option interface 'wan6'
option metric '1'
option weight '3'
config member 'wan6_m2_w3'
option interface 'wan6'
option metric '2'
option weight '3'
config member 'wanb6_m1_w2'
option interface 'wanb6'
option metric '1'
option weight '2'
config member 'wanb6_m2_w2'
option interface 'wanb6'
option metric '2'
option weight '2'
#config policy 'wan_only'
# list use_member 'wan_m1_w3'
# list use_member 'wan6_m1_w3'
#config policy 'wanb_only'
# list use_member 'wanb_m1_w2'
# list use_member 'wanb6_m1_w2'
#config policy 'balanced'
# list use_member 'wan_m1_w3'
# list use_member 'wanb_m1_w2'
# list use_member 'wan6_m1_w3'
# list use_member 'wanb6_m1_w2'
config policy 'wan_wanb'
list use_member 'wan_m1_w3'
list use_member 'wanb_m2_w2'
list use_member 'wan6_m1_w3'
# list use_member 'wanb6_m2_w2'
#config rule 'https'
# option sticky '1'
# option dest_port '443'
# option proto 'tcp'
# option use_policy 'balanced'
config rule 'default_rule_v4'
option dest_ip '0.0.0.0/0'
option use_policy 'wan_wanb'
option family 'ipv4'
option sticky '0'
#config rule 'default_rule_v6'
# option dest_ip '::/0'
# option use_policy 'wan_wanb'
# option family 'ipv6'
Note: please add option metric in /etc/config/network for each interface.
References:
List connected clients
cat /tmp/dhcp.leases
ubus call dhcp ipv4leases
ubus call dhcp ipv6leases
On wifi:
# Universal
iwinfo wlan0 assoclist
# Proprietary Broadcom (wl)
wl -i wl0 assoclist
# Proprietary Atheros (madwifi)
wlanconfig ath0 list sta
# MAC80211
iw dev wlan0 station dump
List wireless networks
iwinfo wlan0 scan
Add dhcp to an interface
/etc/config/dhcp
config dhcp 'management'
option interface 'management'
option start '100'
option limit '150'
option leasetime '12h'
DHCP options
config dhcp 'management'
...
list dhcp_option '6,192.168.1.10,192.168.1.11'
list dhcp_option '66,192.168.0.15'
Notes: option 6 is the DNS server list, followed by primary,secondary (secondary is optional); option 66 is the TFTP server (for tftp/ipxe).
Configure an interface as a DHCP client
/etc/config/network
config interface 'lan'
...
option proto 'dhcp'
Add a vlan
/etc/config/network
config bridge-vlan
option device 'br-lan'
option vlan '100'
list ports 'eth0:t'
IMPORTANT: if it is the first time you add a VLAN and the interface uses the DHCP protocol, change the device of the interface to make it work (see below with br-lan.100), else the device will not be accessible anymore.
/etc/config/network
config interface 'lan'
option device 'br-lan.100'
option proto 'dhcp'
Set static ip to an interface
/etc/config/network
config device
option name 'management'
option type 'bridge'
list ports 'lan8'
config interface 'management'
option device 'management'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.20.1'
Note: replace lan8; use ls -l /sys/class/net/ to find the existing ports.
Select DNS Server for a network interface
/etc/config/network
config interface 'lan'
...
list dns '192.168.2.227'
dnsmasq with PXE
/etc/dnsmasq.conf
dhcp-match=set:ipxeclient,60,IPXEClient*
dhcp-match=set:bios,60,PXEClient:Arch:00000
dhcp-boot=tag:bios,netboot.xyz.kpxe,,192.168.4.146
dhcp-match=set:efi32,60,PXEClient:Arch:00002
dhcp-boot=tag:efi32,netboot.xyz.efi,,192.168.4.146
dhcp-match=set:efi32-1,60,PXEClient:Arch:00006
dhcp-boot=tag:efi32-1,netboot.xyz.efi,,192.168.4.146
dhcp-match=set:efi64,60,PXEClient:Arch:00007
dhcp-boot=tag:efi64,netboot.xyz.efi,,192.168.4.146
dhcp-match=set:efi64-1,60,PXEClient:Arch:00008
dhcp-boot=tag:efi64-1,netboot.xyz.efi,,192.168.4.146
dhcp-match=set:efi64-2,60,PXEClient:Arch:00009
dhcp-boot=tag:efi64-2,netboot.xyz.efi,,192.168.4.146
Notes:
- ensure a TFTP server is running at 192.168.4.146
- not sure, but I think this is only required if you need to change the default boot filenames (.efi, .kpxe)
Add static lease on the DHCP
/etc/config/dhcp
config host
option ip '192.168.2.227'
option mac '62:34:29:95:F9:56'
Spanning Tree Protocol (STP)
/etc/config/network
config interface 'lan'
...
option stp 1
Port Mirroring
/etc/firewall.user
iptables -A POSTROUTING -t mangle -o br-lan ! -s 192.168.2.227 -j TEE --gateway 192.168.2.227
iptables -A PREROUTING -t mangle -i br-lan ! -d 192.168.2.227 -j TEE --gateway 192.168.2.227
Note: requires opkg install iptables-mod-tee kmod-ipt-tee, then /etc/init.d/firewall restart
Failsafe
If the router has a problem and is still inaccessible, you will need to enter this mode. If failsafe doesn't work, I'm sorry to say you will need to reinstall the OS; see hard flash failsafe.
-
Shutdown the device
-
Set up your computer with the static IP 192.168.1.2 and subnet mask 255.255.255.0
-
Turn on the device and press the "reset" button; in my experience it depends on the device: sometimes I keep it pressed for 10 seconds, sometimes I press/release it repeatedly during 10 seconds
-
Then you can
ssh root@192.168.1.1
and run different commands:
mount_root
try to debug and change /etc/config/* before rebooting; to reset everything:
firstboot
Note: don't forget to change the root password afterwards (`passwd`)!
Wireless network
Resources
- wireless configuration
- https://www.open-mesh.org/projects/batman-adv/wiki/Batman-adv-openwrt-config
- https://forum.openwrt.org/t/home-set-up-with-openwrt-and-ubiquiti/104502/4
- https://forum.openwrt.org/t/mesh-with-batman-and-dhcp-per-vlan-only-one-vlan-get-an-ip/106679
- https://forum.openwrt.org/t/internet-issue-in-a-mesh-network/88937/28?u=lpyparmentier
- https://forum.openwrt.org/t/mesh-network-bad-performance/97447/6
- https://cgomesu.com/blog/Mesh-networking-openwrt-batman/
Set-up mesh
opkg update
opkg install kmod-batman-adv
opkg install batctl-full
# on snapshot version:
opkg remove wpad-basic
opkg install wpad-mesh-openssl
# on 21.02.1:
opkg remove wpad-basic
opkg remove wpad-basic-wolfssl
opkg install wpad-mesh-openssl
Notes (on snapshot version - first time I did the installation):
- removing wpad-basic did not work, I had to remove other packages; check with opkg find wpad*
- I think that to make it work I installed wpad-mesh-wolfssl
If you have no internet access you can directly install the .ipk packages:
scp network/misc/mesh-packages-mt7622/*.ipk mesg-node:/tmp/
opkg install /tmp/*.ipk
Important: these packages are for Ubiquiti devices with the mt7622 chip on version 21.02.1; the required packages can be completely different from one chip to another and from one OpenWRT version to another.
Verify the files against the signed checksum list below (check the PGP signature first, then compare the `sha256sum` output of each .ipk with the listed hash):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
efb940fbf405318e59e31afe51767f949a6337213546018f21f3ddfdf9527eb4 batctl-full_2021.1-1_aarch64_cortex-a53.ipk
6f555c784d672366e7874459238529c21e4e68e17fdaae47f6a029b7a8cdaaa8 batctl-tiny_2021.1-1_aarch64_cortex-a53.ipk
a9531f2450c53c243087475c4af19fcb3db23723fd21304550120afc75cd7756 kmod-batman-adv_5.4.154+2021.1-4_aarch64_cortex-a53.ipk
3690620c28de5d79549fa1b9dea5d802d9af312401d9e3023f66bc32b4278cdb kmod-crypto-crc32c_5.4.154-1_aarch64_cortex-a53.ipk
4c7b75d334b203ed5cc69e7a5522c1202909d3938a2e94f42bddea01043bdc36 kmod-crypto-hash_5.4.154-1_aarch64_cortex-a53.ipk
fcdd9ac54677afb5454cc7ab585aecfac39cdd70dd8e4e2a01005ee98e310687 kmod-lib-crc16_5.4.154-1_aarch64_cortex-a53.ipk
b06f53f514c892b3116ba93b0d75add2ab52a4ddf01f5a4671b860b1b499990e kmod-lib-crc32c_5.4.154-1_aarch64_cortex-a53.ipk
0f0e65f4538e63eae8d02444a92faecdeb49dad6c0d397f63d0a869af674a09e libopenssl1.1_1.1.1l-1_aarch64_cortex-a53.ipk
f5bd1e22c354b67d569572934a958e80ab42a1e1e1a75f081f2f2df57d23285a librt_1.1.24-3_aarch64_cortex-a53.ipk
1eb8c9aab04e5c043e1d4fb713ff15df66cdcef1310a5efe6bf1b42ca39a87a6 wpad-mesh-openssl_2020-06-08-5a8b3662-35_aarch64_cortex-a53.ipk
-----BEGIN PGP SIGNATURE-----
iHUEAREIAB0WIQS6FrUxin3X0/uI3zRD+jfzTY+N4AUCYYPreQAKCRBD+jfzTY+N
4G5RAP9opkPozSaJ61jYZRcM8sU1fYHtgFoqqG/z3niHDThk+QD/Rg6YDDHMVeJK
k/pDZyZ5Tv7MCanVYtuMRr8kMKbeVxA=
=j0cq
-----END PGP SIGNATURE-----
/etc/config/wireless
config wifi-device 'radio1'
option type 'mac80211'
option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
option hwmode '11a'
option channel '36'
option band '5g'
option htmode 'HE80'
option disabled '0'
option cell_density '0'
option country 'FR'
config wifi-iface 'mesh0'
option device 'radio1'
option ifname 'mesh0'
option network 'nwi_mesh0'
option mode 'mesh'
option mesh_fwding '0'
option mesh_id 'meshlr6'
option key 'xxx'
option mesh_rssi_threshold '0'
option encryption 'sae'
Notes:
- specify the key (replace the 'xxx' placeholder)
- some encryption types are incompatible with 802.11s (e.g., wpa2-psk); sae is WPA3-SAE encryption
/etc/config/network
config interface 'bat0'
option proto 'batadv'
option routing_algo 'BATMAN_IV'
option aggregated_ogms 1
option ap_isolation 0
option bonding 0
option fragmentation 1
#option gw_bandwidth '10000/2000'
option gw_mode 'off'
#option gw_sel_class 20
option log_level 0
option orig_interval 1000
option bridge_loop_avoidance 1
option distributed_arp_table 1
option multicast_mode 1
option network_coding 0
option hop_penalty 30
option isolation_mark '0x00000000/0x00000000'
config interface 'wlan'
option mtu '2304'
option proto 'batadv_hardif'
option master 'bat0'
Debug Mesh
Capture all traffic on the wifi-iface: batctl tcpdump mesh0
Check mesh connectivity:
iw dev mesh0 station dump
iw dev mesh0 mpath dump
Through the logs with logread -l 20 -f:
root@lr6-node1:/etc/config# logread -l 20 -f
Fri Sep 17 07:43:47 2021 daemon.notice netifd: Network device 'mesh0' link is up
Fri Sep 17 07:43:47 2021 daemon.notice netifd: Interface 'nwi_mesh0' has link connectivity
Fri Sep 17 07:43:47 2021 daemon.notice netifd: Interface 'nwi_mesh0' is setting up now
Fri Sep 17 07:43:47 2021 daemon.notice wpa_supplicant[4056]: mesh0: CTRL-EVENT-CONNECTED - Connection to 00:00:00:00:00:00 completed [id=0 id_str=]
Fri Sep 17 07:43:47 2021 daemon.notice wpa_supplicant[4056]: mesh0: MESH-GROUP-STARTED ssid="meshlr6" id=0
Fri Sep 17 07:43:47 2021 kern.info kernel: [ 2457.705513] IPv6: ADDRCONF(NETDEV_CHANGE): mesh0: link becomes ready
Fri Sep 17 07:43:47 2021 kern.info kernel: [ 2457.724934] batman_adv: bat0: Adding interface: mesh0
Fri Sep 17 07:43:47 2021 kern.info kernel: [ 2457.730120] batman_adv: bat0: Interface activated: mesh0
Fri Sep 17 07:43:47 2021 daemon.notice netifd: Interface 'nwi_mesh0' is now up
Fri Sep 17 07:43:52 2021 daemon.notice wpa_supplicant[4056]: mesh0: new peer notification for 26:5a:4c:99:f4:15
Fri Sep 17 07:43:53 2021 daemon.notice wpa_supplicant[4056]: mesh0: mesh plink with 26:5a:4c:99:f4:15 establis
The output of batctl o and/or batctl n should indicate that the various batman-adv nodes are "seeing" each other over the mesh.
Since watch is not available:
while true; do batctl o; sleep 1s; clear; done
Resources:
- https://openwrt.org/docs/guide-user/network/wifi/mesh/80211s
- https://openwrt.org/docs/guide-user/network/wifi/mesh/batman
- https://bmaupin.github.io/wiki/other/openwrt/openwrt-80211s.html
- https://cgomesu.com/blog/Mesh-networking-openwrt-batman/
- https://www.radiusdesk.com/old_wiki/technical_discussions/batman_basic
Check mesh performance
root@lr6-gw:~# batctl tp 26:5a:4c:99:a8:c5
Test duration 10720ms.
Sent 769373856 Bytes.
Throughput: 68.45 MB/s (574.16 Mbps)
Issues
WNDR 3700 wifi button
opkg update
opkg install wifitoggle
uci set wifitoggle.@wifitoggle[0].button=BTN_2
uci set wifitoggle.@wifitoggle[0].timer=0
uci commit wifitoggle
Configure ssh (dropbear)
Go to LuCI or edit /etc/config/dropbear.
Note: if you change the port in the config file, ensure it is also opened on the firewall.
Generate host key
dropbearkey -t rsa -s 4096 -f /etc/dropbear/dropbear_rsa_host_key
Verify the key
dropbearkey -y -f /etc/dropbear/dropbear_rsa_host_key | grep "^ssh-rsa "
Note: ssh-keygen is not available on OpenWRT; extract the public key (see above), save it on a computer and check its fingerprint with ssh-keygen -lf
Add the public key
/etc/dropbear/authorized_keys
Tips
Access between vlans
Configurations:
- vlan 1 (home) : 192.168.2.1/24
- vlan 2 (services) : 192.168.4.1/24 (http service on port 8081 at 192.168.4.2)
Two equivalent accesses:
- one direct access
- one through dnat
# access with curl http://192.168.4.2:8081 (from home network)
config rule
option src 'home'
option dest 'services'
option dest_ip '192.168.4.2'
option dest_port '8081'
option proto 'tcp'
option target 'ACCEPT'
# dnat access with curl http://192.168.2.1:8081 (from home network)
config redirect
option target 'DNAT'
option src 'home'
option src_dport '8081'
option proto 'tcp'
option dest 'services'
option dest_ip '192.168.4.2'
option dest_port '8081'
option family 'ipv4'