Openwrt

Recommended Router

Current:

high traffic: x86 PC

low traffic: ARM / MIPS with the following:

* uboot bootloader
* doesn't require multiple hoops to install (i.e. no 'two different' serial speeds on the same UART. moron ubiquiti...)
* promotes FOSS and is ok with LEDE/openwrt

Tips

port forwarding

Port forwarding is two steps:

redirect port from outside to internal (NAT)
allow access from outside to inside via this port (firewall)

Contents of /etc/config/firewall

config redirect
        option name 'PassthroughformyServer'
        option src 'wan'
        option proto 'tcp'
        option src_dport '80'
        option dest_ip '192.168.1.100'
        option dest_port '80'
        option target 'DNAT'
        option dest 'lan'

config rule
        option src 'wan'
        option proto 'tcp'
        option dest_port '80'
        option target 'ACCEPT'

Note: Proto can be 'tcp' OR 'tcpudp' OR 'udp'

reserved ip / static lease

Contents of /etc/config/dhcp

config host
        option ip 192.168.1.122
        option mac c2:44:32:18:cd:ab
        option name reservedipcomputer

ref: https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#static_leases

I tried to add this to the wiki, but someone (https://openwrt.org/docs/guide-user/base-system/dhcp_configuration?rev=1596434574) decided to replace my simple solution with an obfuscated one that requires uci commands. So instead, it will remain here. EDIT: I added it back. See how long that lasts...

openvpn

opkg install openvpn-openssl

Contents of /etc/config/openvpn

 config openvpn 'custom_config'
        option config '/etc/openvpn/myconfigfile.ovpn'

And your .ovpn in /etc/openvpn/.

aliases

Put in /etc/profile. e.g.

export TERM=xterm
alias vpnme= 'openvpn --config /etc/openvpn/myconfigfile.ovpn & ./script.sh &'

mwan3

Mwan3 can be tricky. The wiki lacks a quick start*. The following files get edited:

/etc/config/network
/etc/config/mwan3
/etc/config/firewall

Tips Page: Mwan3_On_Openwrt

If you add a new WAN interface, (e.g. wanb or wan2) you must add wanb to the existing wan firewall zone for outgoing comms. How this is handled differs from 17 to 19.*2

Balanced policies can have issues with connections jumping from one wan to another.

* the current mwan3 page is a lengthy multi-page behemoth (which has grown over time) that expects no less of you than to understand all functional and architectural details of how the failover works. It's a lot for someone that just wants to setup backup internet. But mwan3 can and does work.

2 ctrl-f for firewall comes up with half a dozen mentions of firewall masking (something done automatically) and one easily missable note, for GUI setup only, about adding the new wan2 to the firewall zone. An absolutely required step.

iptables vs fw3

In the firewall:

iptables -L

will list current rules, but the iptables rule generator is fw3.

fw3 print

Will display iptables commands that make up the firewall. fw3 script is described in firewall pages on official wiki. Please review that. 22 now uses nft.

nft list tables

less with / search

The stock 'less' command does not include '/' search.

opkg install less

To get forward slash search https://dev.archive.openwrt.org/ticket/7132

remove poweroff command

cd /sbin/
rm ./poweroff

Now to power off, you must type

busybox poweroff

This will keep you from accidentally shutting down a router.

misc

start wifi

wifi up  
wifi status

transfer files using nc / scp on lean embedded devices

Logging

display (RAM based) logs (note that this is not in /var/log/messages...)

logread

https://openwrt.org/docs/guide-user/perf_and_log/start e.g. https://openwrt.org/docs/guide-user/perf_and_log/statistic.custom and https://openwrt.org/docs/guide-user/perf_and_log/log.messages

Blink LEDs

If you poke around the Linux Kernel you will come across core Netfilter configuration. It's not in an obvious place, but in 5.4 here:

Location:                                                                                                                            │
  │     -> Networking support (NET [=y])                                                                                                   │
  │       -> Networking options                                                                                                            │
  │         -> Network packet filtering framework (Netfilter) (NETFILTER [=y])                                                             │
  │           -> Core Netfilter Configuration                                                                                              │
  │             -> Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES [=y])

Why am I poking around xtables support? Wireguard needs it for <5.6. But, in this page, you will find some familiar sights: REDIRECT,MASQUERADE,DROP,LOG, etc... All parameters for iptables. Here you will learn what the difference between REDIRECT and MASQUERADE is (one is input, one is output)(which is interesting, because it might be a thing people commonly get wrong, on online tips for using iptables, or if you don't know which does what, you won't know what to look for). Forget about that, there's one named LED. Hey that sounds interesting. That means I can control a LED from the firewall?

Does this work with Openwrt? No idea, but from here I went to the official owrt docs

https://openwrt.org/docs/guide-user/base-system/led_configuration

And you may already know the leds are there, but here's how to configure them. Some of them require modules. e.g.

The LED flashes with link status and/or send and receive activity on the configured interface. If not installed already, install it with: 
 opkg install kmod-ledtrig-netdev

will enable netdev, which will enable led activity on any NIC. so it requires that module and some configuration... e.g.

#:/sys/devices/platform/leds/leds/:green:wan# ls
brightness      device_name     link            rx              trigger         uevent
device          interval        max_brightness  subsystem       tx
#:/sys/devices/platform/leds/leds/:green:wan# cat *
0
cat: read error: Is a directory
eth0.2
50
0
255
1
cat: read error: Is a directory
none switch0 timer default-on [netdev] phy0rx phy0tx phy0assoc phy0radio phy0tpt
0
OF_NAME=wan
OF_FULLNAME=/leds/wan
OF_COMPATIBLE_N=0

I had to set rx or tx to 1 (only 1 of them). and also needed to set device_name (not device like docs say) to eth0.2

Just set a ping, then tweak the knobs; should start blinking.

"But what if I want to blink more LEDs from userspace?" See Arduino for ulisp.

Quick TFTP

This is purported to work easy. From: http://web.archive.org/web/20211017192705/https://sagacioussuricata.com/posts/meraki-mr33/

On Windows, there
is the excellent tftpd64 project, but unfortunately there doesn’t seem to be
anything similar to it on Linux. The solution that finally worked for me was
py3tftp, as I was able to put up a functional TFTP server serving the current
working directory by simply running sudo py3tftp -v -p 69.

https://github.com/sirMackk/py3tftp The only downside is the need for pip.

Periodic Reboot

One of my routers had DHCP fail after 60 days. It's not common, but a good idea might be a periodic reboot. This is taken from the owrt site.

Reboot at 4:30am every day
Note: To avoid infinite reboot loop, wait 70 seconds
and touch a file in /etc so clock will be set
properly to 4:31 on reboot before cron starts.

30 4 * * * sleep 70 && touch /etc/banner && reboot

NOTE: I've never had issues with reboot, but above looks like a good idea.

Run Script on Boot

You can use rc.local, however sometimes you need more control. It's also possible to put scripts in /etc/hotplug.d that run after certain events. (e.g. [1])

Always test with RAM only images

Test firmware images without writing them to flash by using ramdisk images.

In make menuconfig select Target Images and then you can select the ramdisk option.

This will create an image with kernel + initramfs, that will have initramfs in the name. The resulting image can be loaded in the device through the bootloader's tftp function and should boot to a prompt without relying on flash/filesystem support.

various links i found interesting

https://openwrt.org/docs/guide-user/network/traffic-shaping/sqm - speed test, and traffic shaping to speed up a 'slow' network. protip: use x86 instead of arm if openwrt is slow.

https://openwrt.org/docs/guide-user/services/nas/netatalk_configuration - apple time machine backup server

https://openwrt.org/docs/guide-user/network/wan/multiwan/mwan3 - failover for wan. i have used this before, and it worked well.

https://openwrt.org/tag/faq - FAQs

https://openwrt.org/docs/techref/flash.layout - Partitions on ~~HDD~~ flash. And overlay fs.

https://openwrt.org/docs/techref/start - Technical Reference. Has some informative dives into various aspects of low power routers. As an example see this link on flash: https://openwrt.org/docs/techref/flash IME, flash is built in obsolescence. usb drives, sd cards, and onboard flash tend to last much less than advertised. not recommended. SD and SSDs are a trap. from this: even 'reading' flash can cause bad blocks. that's right, even reading. therefore flash is guaranteed to fail. tech companies love it.

https://openwrt.org/docs/guide-developer/security

https://forum.openwrt.org/t/favor-to-do-custom-build-for-anyone-w-dev-toolchain/138275 Appears to be a basic device add to the owrt tree, copying existing code.

http://web.archive.org/web/20211017192705/https://sagacioussuricata.com/posts/meraki-mr33/ Showing how to flash to nand from owrt running in ram, i think.

web.archive.org/web/https://cybergibbons.com/hardware-hacking/recovering-firmware-through-u-boot/

https://forum.openwrt.org/t/x86-booting-two-instances-of-openwrt/106282 have a backup owrt partition on x86 (possibly useful for upgrades)