OpenWRT on a Buffalo WHR-HP-G54 or similar device (brcm)
David Cantrell

Don't bother with the latest development tree of OpenWRT. It's too large to fit
on the Buffalo device. Just go with the Whiterussian release as it's stable.
Once you get this thing running, you won't care about it.

DO NOT INSTALL X-WRT ON TOP OF OPENWRT. IT'S MOSTLY POINTLESS (FROM MY POINT OF
VIEW) AND EATS ALL OF THE 4 MEGABYTES OF AVAILABLE SPACE ON THIS DEVICE.

1) Download firmware (use default or micro):

    SITE=http://downloads.openwrt.org/whiterussian/0.9/default
    curl -O ${SITE}/openwrt-brcm-2.4-squashfs.trx

3) Flash it using the TFTP instructions:

    http://wiki.openwrt.org/OpenWrtDocs/Installing/TFTP

4) Set a password for root:

    telnet 192.168.1.1
    # passwd

5) Log out and back in using ssh. Do a key exchange so it's easy to log in
   later. OpenWRT uses dropbear ssh, so you need to put the authorized_keys
   file in /etc/dropbear:

    scp ~/.ssh/id_dsa.pub root@192.168.1.1:/etc/dropbear/authorized_keys
    ssh root@192.168.1.1 chmod 0600 /etc/dropbear/authorized_keys

5a) You can also disable the telnet server at this point since you don't
    really need it.

    chmod 0644 /etc/init.d/S50telnet

6) If you installed the default image, you can use the HTTP interface to set
   up basic settings like hostname and WAN connection. Go to
   http://192.168.1.1 in your web browser and set it all up. Do as much as
   you can through this interface. The login information is root's account.

   If you installed the micro version, you can either install the webif
   package or you can follow instructions on wiki.openwrt.org to set the
   various nvram variables. This page makes me prefer the HTTP configuration
   interface for basic stuff:

    http://wiki.openwrt.org/OpenWrtNVRAM

   http://wiki.openwrt.org/OpenWrtDocs/Configuration is also useful for
   basic system configuration.

   Cycle power after configuring the WAN interface.

7) Get dnsmasq configured for your LAN. dnsmasq does DHCP and DNS for your
   LAN.
   Its man page and config file leave a bit to be desired, but so does ISC
   software, so whatever.

   First, disable S60dnsmasq as shipped with OpenWRT:

    chmod -x /etc/init.d/S60dnsmasq

   Now create a new file:

    vim /etc/init.d/S61dnsmasq

   Put the following in the new file:

    #!/bin/sh
    killall -q dnsmasq
    if [ ! -f /tmp/dhcp.leases ]; then
        touch /tmp/dhcp.leases
    fi
    dnsmasq -C /etc/dnsmasq.conf

   Save the file and exit the editor. Make sure it's executable:

    chmod 0755 /etc/init.d/S61dnsmasq

   Why not just overwrite S60dnsmasq? The ipkg utility will drive over it if
   the dnsmasq package ever supplies an update. Yeah, I learned that the hard
   way.

   Now create /etc/dnsmasq.conf with all of our settings. Here's mine:

    interface=br0
    domain-needed
    bogus-priv
    filterwin2k
    localise-queries
    log-queries
    local=/honolulu.burdell.org/172.31.1.1
    domain=honolulu.burdell.org
    expand-hosts
    no-negcache
    resolv-file=/tmp/resolv.conf.auto
    dhcp-authoritative
    dhcp-range=172.31.1.10,172.31.1.100,255.255.255.0,24h
    dhcp-leasefile=/tmp/dhcp.leases
    read-ethers

   Remember the router has limited storage space, so avoid comments in these
   files. Reference is available elsewhere.

   My dnsmasq configuration assigns DHCP addresses from 172.31.1.10 to
   172.31.1.100 for a 24 hour period. My local domain is called
   honolulu.burdell.org and I answer DNS requests on 172.31.1.1 using my DHCP
   and DNS configuration. I listen for everything on the br0 interface (LAN
   bridge). dnsmasq is a pain, but once you get it set up, it seems ok. I can
   also do PXE stuff too, which I will add later.

   Now, I also have static hosts. I put that information in /etc/hosts and
   /etc/ethers.
   First, the contents of /etc/hosts:

    127.0.0.1 localhost OpenWrt
    172.31.1.1 flame.honolulu.burdell.org flame
    172.31.1.10 mortise.honolulu.burdell.org mortise
    172.31.1.11 tenon.honolulu.burdell.org tenon
    172.31.1.12 dado.honolulu.burdell.org dado
    # and so on

   Now the contents of /etc/ethers:

    00:11:25:12:9D:A0 mortise
    00:13:20:F5:F9:06 tenon

   The hosts with the above MAC addresses will always get the specified
   hostname (address in /etc/hosts). Simple. Way nicer than ISC's method. I
   mentioned the hosts+ethers method to ISC developers and they thought that
   would be a cool feature. We'll see if they do that or not.

   Cycle power to restart the router and see that dnsmasq fires up. It's good
   to cycle power on the box to make sure your settings are reboot proof.

   Try to bring up your laptop with the new dnsmasq settings. Try to look up
   a LAN hostname you've configured (e.g., dado.honolulu.burdell.org). It
   works? Awesome. Proceed.

8) There is no hardware clock in the router. It has to be set each time it
   boots. Install ntpclient to do this:

    ipkg install ntpclient

   Set the NTP server to use:

    nvram set ntp_server=0.pool.ntp.org
    nvram commit

   Now set your time zone using the abbreviations from this page:

    http://wiki.openwrt.org/OpenWrtDocs/Configuration

    nvram set time_zone=HAW10
    nvram commit

   Create /etc/init.d/tz containing these lines:

    #!/bin/sh
    tz=$(nvram get time_zone)
    tz=${tz:-"HAW10"}
    echo $tz > /etc/TZ

   Set the clock with either a reboot or by running:

    ntpclient -c 1 -d -s -h 0.pool.ntp.org

9) If you configured your wireless interface to have WPA encryption, you will
   need to install the nas package:

    ipkg install nas

10) It's nice to have remote logging set up on the box. Log to another host
    on your network by setting this nvram variable:

    nvram set log_ipaddr=192.168.1.2
    nvram commit

    Cycle the power. syslogd will start with the remote logging option and
    the IP address specified in the log_ipaddr setting. Read logs locally
    with the logread command.
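The hosts+ethers method from step 7 only works when the two files agree with each other and with the LAN addressing, and dnsmasq is not very loud when they don't (a name in /etc/ethers with no /etc/hosts line, two MACs pinned to one address, a typo in a MAC). The following script is an added example, not part of these notes and not dnsmasq's own tooling; the function name check_static_hosts, its argument order (ethers file, hosts file, LAN network, prefix length) and the use of plain awk are my choices. It reports malformed or duplicated MAC addresses, ethers names that have no hosts entry, fixed addresses outside the LAN prefix, and one address given to two hosts. It runs on a laptop against copied files as well as on the router under busybox sh/awk.

```shell
#!/bin/sh
# check-static-hosts: sanity-check the /etc/hosts + /etc/ethers pair that
# dnsmasq's read-ethers option relies on. Added example, not from the notes.
# Usage: check_static_hosts ETHERS HOSTS LAN_NET PREFIXLEN
# Prints one line per problem and returns 1; prints nothing and returns 0
# when the files are clean.
check_static_hosts() {
    problems=$(awk -v hostsfile="$2" -v net="$3" -v plen="$4" '
        function ip2int(ip,   a) {
            split(ip, a, ".")
            return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
        }
        # same_net: true when ip shares its first plen bits with net
        function same_net(ip) {
            return int(ip2int(ip) / 2 ^ (32 - plen)) == int(ip2int(net) / 2 ^ (32 - plen))
        }
        NF == 0 || $1 ~ /^#/ { next }               # blank lines and comments
        FILENAME == hostsfile {                     # /etc/hosts: alias -> address
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break                # trailing comment on the line
                addr[$i] = $1
            }
            next
        }
        {                                           # /etc/ethers: "MAC name-or-address"
            mac = toupper($1); name = $2
            if (length(mac) != 17 || mac !~ /^[0-9A-F][0-9A-F](:[0-9A-F][0-9A-F])*$/)
                print "bad mac: " $1
            if (mac in macs) print "duplicate mac: " $1
            macs[mac] = name
            if (name ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) ip = name
            else if (name in addr) ip = addr[name]
            else { print "no hosts entry: " name; next }
            if (!same_net(ip)) print "outside lan: " name " " ip
            if (ip in ips) print "duplicate address: " ip
            ips[ip] = name
        }' "$2" "$1")
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    return 0
}

# Example run against the router's files (the LAN in these notes is 172.31.1.0/24):
#   check_static_hosts /etc/ethers /etc/hosts 172.31.1.0 24 && echo clean
```

Run it before cycling power in step 7; an empty result means dnsmasq will hand out exactly the addresses you expect. Unlike the DHCP pool check you might be tempted to add, an address inside dhcp-range is not an error here: dnsmasq reserves a fixed address for its host whether or not it falls inside the dynamic range.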
11) Add the backports repository to /etc/ipkg.conf. Add it under the last src
    line:

    src backports http://downloads.openwrt.org/backports/0.9

    Save the file, exit, and run:

    ipkg update

12) Install vpnc:

    ipkg install vpnc

    Make the changes to /etc/vpnc/vpnc-script as indicated on this page:

    http://wiki.openwrt.org/VPNC

    I modified my LED light functions since the Buffalo router doesn't let
    you change the color of some of the lights. I turn on the diag light to
    indicate the VPN is coming up and once it's up, I turn on the bridge
    light. Mess around with /proc/diag/led to see what different values
    written to it do. In my case, /proc/diag/led is a subdirectory and I
    have three files for the three LEDs I can change. All I can do is on or
    off.

    Create your vpnc configuration files in /etc/vpnc. I create one for each
    of the company's VPN sites. Select the one you want to use by setting
    the nvram variable. If you want to use /etc/vpnc/company.conf, run these
    commands:

    nvram set vpnc_conf=company
    nvram commit

    Copy S75vpnc from the etc/init.d directory to /etc/init.d/S75vpnc on the
    router. If you want keepalive ability, copy vpncd from the usr/sbin
    directory to /usr/sbin on the router. To enable the keepalive script,
    you need to set two more nvram variables:

    nvram set vpn_keepalive_host1="host1.example.net"
    nvram set vpn_keepalive_host2="host2.example.net"
    nvram commit

13) It's a good idea to back up the router using rsync. First, install
    rsync:

    ipkg install rsync

    Now on your laptop, write a script called 'backup-router' or something
    with this text:

    #!/bin/sh
    if [ ! -d router ]; then
        mkdir router
    fi
    rsync -Pavz --delete --exclude /dev --exclude /proc root@flame:/ router/

    Skip the /dev and /proc directories. The above script will just copy the
    entire root filesystem to your non-router system.

14) Assuming you have a PXE boot server somewhere on your network, you can
    have dnsmasq advertise that information.
    On my network, tenon is my PXE server, so I have this line in
    /etc/dnsmasq.conf:

    dhcp-boot=pxelinux.0,tenon,172.31.1.11

    The arguments are filename (pxelinux.0), server name (tenon), and server
    address (172.31.1.11). Set up PXELINUX on that host and configure tftp
    and you're good to go.

15) dnsmasq will get upset with the default permissions on the /etc
    directory. Normally this isn't a problem because by default, OpenWRT
    runs dnsmasq with all command line switches rather than reading the
    /etc/dnsmasq.conf file. Since we've set it up to read dnsmasq.conf, we
    need to open read access to /etc for the dnsmasq process:

    chmod 2755 /etc

16) Turning on extended wireless send/receive support on the WHR-HP-G54 may
    be useful to you. You have to edit the boardflags in nvram to change
    this setting:

    nvram set boardflags=0x3758
    nvram commit

    The possible boardflags for this device are:

    0x0758 - no amp and receive sensitivity normal
    0x1758 - enhanced receive sensitivity
    0x2758 - amp on, normal receive
    0x3758 - both amp and BroadRange enhanced receive sensitivity on

    The default is 0x1758, which works for almost all situations. If 0x3758
    does not work for you, I recommend going back to 0x1758.

17) I would recommend changing the default banner login message to something
    like this:

    WARNING: To protect the system from unauthorized use and to ensure that
    the system is functioning properly, activities on this system are
    monitored and recorded and subject to audit. Use of this system is
    expressed consent to such monitoring and recording. Any unauthorized
    access or use of this Automated Information System is prohibited and
    could be subject to criminal and civil penalties.

    A copy of this banner can be found in etc/banner in this directory. It's
    best to not advertise what you're running on the router should anyone
    find a way in to the point of seeing this message.

18) If you use a SIP device or software behind the router, you will most
    likely want the iptables SIP modules for the kernel.
    Unfortunately, the whiterussian 0.9 release of OpenWRT lacks these
    modules. They are not even available as addon packages.

    02-Nov-2008

    I ran into many problems trying to get the patch for the 2.4.30 kernel
    source and get modules compiled for this platform. It required learning
    far more about the OpenWRT development environment than I really wanted
    to know. At one point, I came close to moving to DD-WRT, but there was
    no proof I could find that it would solve my SIP problems.

    I learned that the OpenWRT developers removed the SIP kernel patch in
    2006 due to linking errors with other modules as well as concerns over
    the licensing. The 3289 svn revision of the whiterussian branch was the
    last one to contain the SIP patch. What I did was check out this
    revision, extract the patch, and move it into the whiterussian_0.9 tree
    I had checked out. That didn't quite work right because in the years
    since the SIP patch was removed, other patches changed to the point of
    the SIP one having too many hunk failures for patch(1) to deal with.

    The next thing I tried was going back to the 3289 revision tree and
    trying to build in there. The kernel version is still the same, so
    hopefully things would work.

    svn co -r 3289 https://svn.openwrt.org/openwrt/branches/whiterussian/
    cd whiterussian/openwrt

    The kernel modules lack MODULE_LICENSE("GPL"); There are three things
    you can do at this point:

    * Solve the SIP problem another way.
    * Add MODULE_LICENSE("GPL"); to ip_nat_sip.c and ip_conntrack_sip.c
    * Patch busybox modutils to load tainted modules.

    I added the MODULE_LICENSE("GPL"); lines since that was a bit easier for
    me. The patch I used is whiterussian-0.9-sip-license-symbol.patch

    With that patch in place, we can type:

    make

    When menuconfig appears, just exit and save. The default selections are
    fine. After exiting, type:

    make

    The build system will proceed to download many pieces of software and
    start compiling them. Depending on your system, this may or may not take
    a long time.
    The end result will be two kernel modules we want in:

    build_mipsel/linux-2.4-brcm/modules/lib/modules/2.4.30/kernel/net/ipv4/netfilter/

    The files we are looking for are:

    ip_conntrack_sip.o
    ip_nat_sip.o

    scp these modules to /lib/modules/2.4.30 on your router. Log in to the
    router and load them this way:

    cd /lib/modules/2.4.30
    insmod ip_conntrack_sip.o
    insmod ip_nat_sip.o

    Add the etc/modules.d/90-ipt-sip file to /etc/modules.d on your router.
    This file will ensure the modules are loaded each time the router
    reboots.

19) Configure iptables for the SIP modules. We need to add some lines to
    /etc/firewall.user:

    EXT_IP="$(ifconfig vlan1 | grep 'inet addr:' | \
        cut -d ':' -f 2 | cut -d ' ' -f 1)"
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p udp --dport 5060 -j ACCEPT
    iptables -A FORWARD -o vlan1 -p udp --dport 5060 -j ACCEPT
    iptables -t nat -A POSTROUTING -o vlan1 -j SNAT --to-source $EXT_IP

    This allows the SIP signalling traffic through initially. The iptables
    modules take over after that. The EXT_IP variable gets set with your
    external IP address. We need this for the SNAT rule.

20) UPDATE: 07-Nov-2008

    The ip_nat_sip and ip_conntrack_sip kernel modules seem to fall over
    after a few days and require a reload. I noticed my phone was not
    registered all day. A look at the router's ring buffer showed this:

    ip_nat_mangle_udp_packet: undersized packet

    I wrote /usr/sbin/cksipmodules to run once an hour via cron to see if we
    have that message in the ring buffer and, if so, dump the modules and
    reload them. Total hack, but whatever.

And that's it. The router is more or less ready to use. There are other
things you can set up on OpenWRT. Maybe you want to set up a captive auth
wifi access point. Or maybe you want to set up tc for traffic shaping. The
above is all I've done on my router. If I add more, I'll update this
document.
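The hourly check described in step 20, written out as an added example; this is my script, not the author's /usr/sbin/cksipmodules, and the name sip-watchdog, the state file in /tmp and the function names are my choices. It assumes busybox dmesg, rmmod/insmod and logger on the router and the module directory from step 18. The one thing a naive "grep the ring buffer and reload" loop gets wrong is that the error line stays in the ring buffer after the reload, so every later run would reload again; the script therefore remembers how many matches it has already acted on and only reloads when new ones appear. A count that drops (the ring buffer wrapped) just resets the baseline.

```shell
#!/bin/sh
# sip-watchdog: reload the SIP conntrack/NAT modules when the kernel ring
# buffer reports the "undersized packet" error from step 20.
# Added example; not the author's /usr/sbin/cksipmodules. Assumes busybox
# dmesg, rmmod/insmod and logger, and the module path from step 18.

MODDIR=${MODDIR:-/lib/modules/2.4.30}
STATE=${STATE:-/tmp/sip-watchdog.count}   # matches already acted on
PATTERN='ip_nat_mangle_udp_packet: undersized packet'

# count_hits: number of lines on stdin carrying the error (0 is not a failure)
count_hits() {
    grep -c "$PATTERN" || true
}

# needs_reload PREV CUR: true when new hits have appeared since the last run
needs_reload() {
    [ "$2" -gt "$1" ]
}

# decide LOGFILE STATEFILE: print "reload" or "ok" and remember the new count
decide() {
    prev=0
    if [ -f "$2" ]; then
        prev=$(cat "$2")
    fi
    cur=$(count_hits < "$1")
    echo "$cur" > "$2"
    if needs_reload "$prev" "$cur"; then
        echo reload
    else
        echo ok
    fi
}

# reload_modules: the NAT helper depends on the conntrack helper, so it is
# removed first and inserted last
reload_modules() {
    rmmod ip_nat_sip
    rmmod ip_conntrack_sip
    insmod "$MODDIR/ip_conntrack_sip.o"
    insmod "$MODDIR/ip_nat_sip.o"
}

main() {
    tmp=/tmp/sip-watchdog.$$
    dmesg > "$tmp"
    if [ "$(decide "$tmp" "$STATE")" = reload ]; then
        logger -t sip-watchdog "undersized packet seen, reloading SIP modules"
        reload_modules
    fi
    rm -f "$tmp"
}

# Run only when invoked under the installed name; sourcing the file just
# defines the functions.
case "$0" in
    *sip-watchdog) main ;;
esac
```

Install it as /usr/sbin/sip-watchdog, mark it executable and run it from root's crontab once an hour. The logger line leaves a record in the syslog, which with step 10's remote logging means the reloads also show up on your log host, so you can see how often the modules are actually falling over.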
------------------------------------------
Last updated: Mon Nov 3 10:32:37 HST 2008

Resources:

    http://people.netfilter.org/chentschel/docs/sip-conntrack-nat.html