From FidoNews #31 2011
A SECOND LIFE FOR THE LINKSYS Part 1
By Michiel van der Vlist 2:280/5555
Some five years ago, I joined the family of FON and I obtained a
Linksys WRT54GL, flashed with FON software, for a bargain. It has been
humming quitly away for almost five years. In March I got a Fonera
SIMPL, so I replaced the Linksys.
As you may have noticed from previous articles, I am an IPv6 advocate.
I have been experimenting with IPv6 for some time now. I started out
with a tunnel from SixXs. The idea was to have the tunnel terminate on
the machine that was going to host my web server and my Fido System. A
machine that would run 24/7 anyway.
The tunnel works fine for providing IPv6 connectivity to that machine,
but my plan to have it function as an IPv6 router to provide IPv6
connectivity to other machine on the LAN failed. It turned out that an
AYIYA tunnel running on a Windows machine can not route a subnet.
So I choose another approach. Why not let the routing be done by some-
thing that was designed for it in the first place: a router? With the
help of some guys in a Dutch IPv6 forum, I found a version of OpenWRT
that supports IPv6 and that can run on the Linksys. The binary image
can be found here:
http://www.vlist.eu/downloads/openwrt-wrt54g-squashfs-r25759.bin
Before you flash your linksys with this image be advised that the
WRT54GL has only 4 MB flash ROM available and the IPv6 add-ons need
memory space. So some compromise had to be made. This version does not
have a web interface, it is command line only. For most of us, that
should not be a problem, us FidoNetters have been using the command
line for ages. Also be warned that there is no easy "go back to factory defaults button". Frankly, I do not even know how to go back to the
original firmware. I haven't felt the need yet, it is working fine, so
why fix what ain't broken?
No web interface, so you need a telnet/ssh client to access the router.
Telnet to 192.168.1.1 and you will get a prompt. The first thing you
will have to do is to configure a password for user root. It won't let
you do much, other than to use the "passwd" command for entering a
password after first startup.
Once you have configured a password for root, the Telnet interface is
disabled and you can only access the router with ssh. So get yourself
an ssh client first. A suitable one for windows is putty. To be found
here: www.putty.org. Putty BTW, is IPv6 capable.
With ssh you can log in as user root and the password you supplied.
Write down the password! There is no easy recovery if you forget the
password.
To my surprise I found that not only did I have a router, but I had a
complete Linux system at my hands. The idea of running a disk OS on a stand-alone dedicated system - as I see a router - was completely new
to me and my first reaction when I saw the command line prompt was a
bit similar to what happened when I started up that PDP-8 some forty
five years years ago: Ok, it started up. Now what?
So I tried "dir" and "type". Eh.. sorry, this isn't CP/M, FLEX or MS-DOS.
It is linux and the commands are "ls" and "cat" from now on. Ok...
Many of the standard Linux commands work. The entire configuration is
done by editing text files with a text editor. Weird idea for a stand
alone dedicated system, but I got used to it quickly.
The first thing of course was to get it configured properly for IPv4.
The machines on the LAN running servers needed a permanent address.
So we have to edit some files. We want the dhcp server to always issue
the same (semi-fixed) address to the machine named Fido. The package
comes with an editor called nano, so we enter the following command:
nano /etc/config/dhcp
And we add the following lines to the file:
[code]
config host
option ip '192.168.1.2'
option mac '00:04:76:8C:25:3C'
option name Fido
[/code]
Note that the address must be ouside the normal dhcp pool which
defaults to 100-150. Set the MAC address to the one on the NIC of
the system in question
Note that changes do not take effect until the router is rebooted.
Next step is the forwarding of port 80 and port 25445. This is done
by adding the following lines to the file /ect/config/firewall
[code]
# forward port 80 and port 24554 to Fido
config redirect http
option src wan
option dest lan
option src_dport 80
option dest_port 80
option dest_ip 192.168.1.2
option proto tcp
config redirect binkp
option src wan
option dest lan
option src_dport 24554
option dest_port 24554
option dest_ip 192.168.1.2
option proto tcp
[/code]
If you want to use Wifi, it has to be enabled as it is disabled by
default. In the file /etc/config/wireless:
[code]
config 'wifi-device' 'radio0'
option 'type' 'mac80211'
option 'channel' '11'
option 'macaddr' '00:16:b6:da:3a:b5'
option 'hwmode' '11g'
option 'disabled' '1'
config 'wifi-iface'
option 'device' 'radio0'
option 'network' 'lan'
option 'mode' 'ap'
option 'ssid' 'OpenWrt'
option 'encryption' 'none'
[/code]
Change "option 'disabled' '1'" to "option 'disabled' '0'"
That will enable the radio, but it is highly recommended to enable
encryption as well.
Change "option 'encryption' 'none'" to "option 'encryption' 'psk2'"
to enable WPA2 encryption. 'wpa2' as option is for WPA2 with a radius
server.
Specify the key with:
[code]
option 'key' '<insert passfrase here>'
[/code]
You may want to change the channel number and the ssid. Also the para-
meter "11g" may be changed to "11bg" if you also want to support older
11b clients.
As always, changes do not take effect until the router is rebooted.
That takes care of my IPv4 settings.
Next step is to configure a 6in4 tunnel.
If your ISP does not provide native IPv6 you will need to set up a
tunnel. Some ISP's offer tunnels, but if yours does not, you will
need a third party tunnel broker. Both SixXs and Hurricane Electric
offer free tunnels. So set up an account with either one of them
(or both) and apply for a tunnel. For this tunnel I choose Hurricane
Electric, because unlike SixXs, they do not let you jump through any
hoops. Just go to tunnelbroker.net, create an account, choose a site
for the tunnel ingress and apply for a tunnel. A Hurricane Electric
tunnel comes with a /64 subnet by default. But you can also get a /48.
We do not need that. Yet...
For a static he.net tunnel, you need a static or semi-static IPv4
address.
To configure the tunnel on the Linksys, add the following to /etc/config/network
[code]
#### The he.net tunnel
config interface henet
option proto 6in4
option peeraddr 216.66.84.46
option ip6addr 2001:470:1f14:1117::2/64
option tunnelid XXXXXX
option username xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
option password xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[/code]
For "peeraddr" substitute the Server IPv4 address that the tunnel
broker has given you. For ip6addr substitute the client IPv6 address
that the the tunnel broker gave you. Note that this is te address
of you tunnel end point, not the subnet. Also do not ommit the /64,
it won't work without it. For tunnel ID substitie the decimal tunnel
ID number as supplied by the tunnel broker.
For Username substitute the 32 digit hex number that is found as
"User ID" on your account info page of tunnelbroker.net
The password should be a 32 digit hex number that is the MD5 hash of
your password for the tunnel broker. So how do we get that? The
Linksys will give it to you!
Type "echo -n '<your password>' | md5sum" at the command line and there
it is. Ain't that magic?
Rebot the router thave the changes take effct.
Now you should be able to ping6 ipv6 hosts from the router's command
line.
You can try to ping mine by typing:
[code]
root@OpenWrt:/# ping6 wrt6.vlist.eu
PING wrt6.vlist.eu (2001:470:1f14:1117::2): 56 data bytes
64 bytes from 2001:470:1f14:1117::2: seq=0 ttl=64 time=1.243 ms
64 bytes from 2001:470:1f14:1117::2: seq=1 ttl=64 time=1.358 ms
64 bytes from 2001:470:1f14:1117::2: seq=2 ttl=64 time=1.140 ms
64 bytes from 2001:470:1f14:1117::2: seq=3 ttl=64 time=1.142 ms
^C
[/code]
If you get this result your tunnel is working. To enable incoming
pings however you need to open the firewall for protocol 41. Protocol
41 is the protocol used for 6in4 tunneling. The firewall of openwrt is
closed for all unsollicited incoming packets by default. Bij pinging
out over IPv6, the firewall is opened for protocol 41, and it can be
pinged from outside, but it closes again after a minute or two. Add
the following lines to /etc/config/firewall to keep the tunnel open permanently:
[code]
# Accept proto 41 so it always reaches the tunnel endpoint
config rule
option src wan
option proto 41
option target ACCEPT
[/code]
To check if your router is pingable from outside, you can use a looking
glass server. Here is one:
http://leasewebnoc.com/lg/html.
As a last step you have to configure the firewall to also apply the
firewall rules to the IPv6 tunnel.
In the file /etc/config/firewall find this section:
[code]
config zone
option name wan
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
[/code]
And add this line after the second line:
[code]
# to have IPv6 firewall rules apply to the tunnel
option network 'wan henet'
[/code]
This completes the setup of the tunnel on the linksys. Next week's
article will describe how to let the router issue global IPv6 adresses
from a subnet to your machines on the LAN.
---
* Origin: he.net certified sage (2:280/5555)