A second life for the Linksys

    From Michiel van der Vlist@2:280/5555 to All on Tue Aug 6 11:47:57 2019
    From FidoNews #31 2011


    A SECOND LIFE FOR THE LINKSYS Part 1
    By Michiel van der Vlist 2:280/5555


    Some five years ago, I joined the family of FON and I obtained a
    Linksys WRT54GL, flashed with FON software, for a bargain. It has been
    humming quietly away for almost five years. In March I got a Fonera
    SIMPL, so I replaced the Linksys.

    As you may have noticed from previous articles, I am an IPv6 advocate.
    I have been experimenting with IPv6 for some time now. I started out
    with a tunnel from SixXs. The idea was to have the tunnel terminate on
    the machine that was going to host my web server and my Fido System. A
    machine that would run 24/7 anyway.

    The tunnel works fine for providing IPv6 connectivity to that machine,
    but my plan to have it function as an IPv6 router to provide IPv6
    connectivity to other machines on the LAN failed. It turned out that an
    AYIYA tunnel running on a Windows machine can not route a subnet.

    So I chose another approach. Why not let the routing be done by
    something that was designed for it in the first place: a router? With the
    help of some guys in a Dutch IPv6 forum, I found a version of OpenWRT
    that supports IPv6 and that can run on the Linksys. The binary image
    can be found here:

    http://www.vlist.eu/downloads/openwrt-wrt54g-squashfs-r25759.bin

    Before you flash your Linksys with this image, be advised that the
    WRT54GL has only 4 MB of flash ROM available and the IPv6 add-ons need
    memory space. So some compromises had to be made. This version does not
    have a web interface; it is command line only. For most of us, that
    should not be a problem: we FidoNetters have been using the command
    line for ages. Also be warned that there is no easy "go back to
    factory defaults" button. Frankly, I do not even know how to go back
    to the original firmware. I haven't felt the need yet, it is working
    fine, so why fix what ain't broken?

    No web interface, so you need a telnet/ssh client to access the router.
    Telnet to 192.168.1.1 and you will get a prompt. The first thing you
    will have to do is to configure a password for user root. It won't let
    you do much, other than to use the "passwd" command for entering a
    password after first startup.

    Once you have configured a password for root, the Telnet interface is
    disabled and you can only access the router with ssh. So get yourself
    an ssh client first. A suitable one for Windows is PuTTY, to be found
    here: www.putty.org. PuTTY, BTW, is IPv6 capable.

    With ssh you can log in as user root and the password you supplied.
    Write down the password! There is no easy recovery if you forget the
    password.

    To my surprise I found that not only did I have a router, but I had a
    complete Linux system at my hands. The idea of running a disk OS on a
    stand-alone dedicated system - as I see a router - was completely new
    to me and my first reaction when I saw the command line prompt was a
    bit similar to what happened when I started up that PDP-8 some
    forty-five years ago: Ok, it started up. Now what?

    So I tried "dir" and "type". Eh.. sorry, this isn't CP/M, FLEX or MS-DOS.
    It is Linux and the commands are "ls" and "cat" from now on. Ok...

    Many of the standard Linux commands work. The entire configuration is
    done by editing text files with a text editor. Weird idea for a
    stand-alone dedicated system, but I got used to it quickly.

    The first thing of course was to get it configured properly for IPv4.
    The machines on the LAN running servers needed a permanent address.
    So we have to edit some files. We want the dhcp server to always issue
    the same (semi-fixed) address to the machine named Fido. The package
    comes with an editor called nano, so we enter the following command:

    nano /etc/config/dhcp

    And we add the following lines to the file:

    [code]

    config host
    option ip '192.168.1.2'
    option mac '00:04:76:8C:25:3C'
    option name Fido

    [/code]

    Note that the address must be outside the normal dhcp pool, which
    defaults to 100-150. Set the MAC address to the one on the NIC of
    the system in question.

    Note that changes do not take effect until the router is rebooted.

    Next step is the forwarding of port 80 and port 24554. This is done
    by adding the following lines to the file /etc/config/firewall:

    [code]

    # forward port 80 and port 24554 to Fido

    config redirect http
    option src wan
    option dest lan
    option src_dport 80
    option dest_port 80
    option dest_ip 192.168.1.2
    option proto tcp

    config redirect binkp
    option src wan
    option dest lan
    option src_dport 24554
    option dest_port 24554
    option dest_ip 192.168.1.2
    option proto tcp

    [/code]

    If you want to use Wifi, it has to be enabled as it is disabled by
    default. In the file /etc/config/wireless:

    [code]

    config 'wifi-device' 'radio0'
    option 'type' 'mac80211'
    option 'channel' '11'
    option 'macaddr' '00:16:b6:da:3a:b5'
    option 'hwmode' '11g'
    option 'disabled' '1'

    config 'wifi-iface'
    option 'device' 'radio0'
    option 'network' 'lan'
    option 'mode' 'ap'
    option 'ssid' 'OpenWrt'
    option 'encryption' 'none'

    [/code]

    Change "option 'disabled' '1'" to "option 'disabled' '0'"

    That will enable the radio, but it is highly recommended to enable
    encryption as well.

    Change "option 'encryption' 'none'" to "option 'encryption' 'psk2'"
    to enable WPA2 encryption. The 'wpa2' option is for WPA2 with a RADIUS
    server.

    Specify the key with:

    [code]
    option 'key' '<insert passphrase here>'
    [/code]

    You may want to change the channel number and the ssid. Also the
    parameter "11g" may be changed to "11bg" if you also want to support
    older 11b clients.

    As always, changes do not take effect until the router is rebooted.

    That takes care of my IPv4 settings.
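    As an added example (not part of the article), here is a small POSIX
    shell/awk checker for the two files edited above. It verifies that
    every static lease in the dhcp config is outside the pool and has a
    well-formed MAC, and that every redirect in the firewall config points
    at an address that has such a lease. The function names and the sample
    config text are my own constructions.

```shell
# Added example, not from the article: cross-check the static lease and the
# port forwards set up above. A 'config host' address must lie outside the
# dynamic pool (100-150 by default, per the article) and carry a valid MAC;
# a 'config redirect' must target an address that has such a lease, or the
# forward breaks as soon as that host is handed a different address.
# check_uci POOL_FIRST POOL_LAST < uci-text: one line per problem, exit 1 if any.
check_uci() {
    awk -v q="'" -v first="$1" -v last="$2" '
    function unq(s) { gsub("^" q "|" q "$", "", s); return s }  # drop UCI quotes
    function finish() {
        if (sect == "host") {
            split(v["ip"], o, ".")
            if (o[4] + 0 >= first + 0 && o[4] + 0 <= last + 0) {
                print v["name"] ": " v["ip"] " is inside the DHCP pool"; bad = 1 }
            if (v["mac"] !~ macre) { print v["name"] ": malformed MAC " v["mac"]; bad = 1 }
            leased[v["ip"]] = 1
        } else if (sect == "redirect") {
            fwd[v["dest_ip"]] = fwd[v["dest_ip"]] " " v["src_dport"]
        }
        sect = ""; split("", v)
    }
    BEGIN { h = "[0-9a-fA-F][0-9a-fA-F]"; macre = "^" h "(:" h ")(:" h ")(:" h ")(:" h ")(:" h ")$" }
    $1 == "config" { finish(); sect = $2 }
    $1 == "option" { v[unq($2)] = unq($3) }
    END { finish(); for (ip in fwd) if (!(ip in leased)) { print "ports" fwd[ip] " forwarded to " ip ", which has no static lease"; bad = 1 }
          exit bad }'
}
# Constructed sample: the article's lease and binkp forward, plus a host inside
# the pool with a truncated MAC and a forward to an address without a lease.
# On the router you would run: cat /etc/config/dhcp /etc/config/firewall | check_uci 100 150
sample_config() {
    cat <<'EOF'
config host
option ip '192.168.1.2'
option mac '00:04:76:8C:25:3C'
option name Fido
config host
option ip '192.168.1.120'
option mac '00:04:76:8C:25'
option name Printer
config redirect binkp
option src_dport 24554
option dest_ip 192.168.1.2
config redirect http
option src_dport 80
option dest_ip 192.168.1.3
EOF
}
sample_config | check_uci 100 150 || echo "fix the config before rebooting"
```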


    Next step is to configure a 6in4 tunnel.


    If your ISP does not provide native IPv6 you will need to set up a
    tunnel. Some ISPs offer tunnels, but if yours does not, you will
    need a third party tunnel broker. Both SixXs and Hurricane Electric
    offer free tunnels. So set up an account with either one of them
    (or both) and apply for a tunnel. For this tunnel I chose Hurricane
    Electric, because unlike SixXs, they do not let you jump through any
    hoops. Just go to tunnelbroker.net, create an account, choose a site
    for the tunnel ingress and apply for a tunnel. A Hurricane Electric
    tunnel comes with a /64 subnet by default. But you can also get a /48.
    We do not need that. Yet...

    For a static he.net tunnel, you need a static or semi-static IPv4
    address.

    To configure the tunnel on the Linksys, add the following to /etc/config/network

    [code]

    #### The he.net tunnel
    config interface henet
    option proto 6in4
    option peeraddr 216.66.84.46
    option ip6addr 2001:470:1f14:1117::2/64
    option tunnelid XXXXXX
    option username xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    option password xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    [/code]

    For "peeraddr" substitute the server IPv4 address that the tunnel
    broker has given you. For ip6addr substitute the client IPv6 address
    that the tunnel broker gave you. Note that this is the address
    of your tunnel end point, not the subnet. Also do not omit the /64,
    it won't work without it. For tunnelid substitute the decimal tunnel
    ID number as supplied by the tunnel broker.

    For username substitute the 32-digit hex number that is found as
    "User ID" on your account info page of tunnelbroker.net.

    The password should be a 32-digit hex number that is the MD5 hash of
    your password for the tunnel broker. So how do we get that? The
    Linksys will give it to you!

    Type "echo -n '<your password>' | md5sum" at the command line and there
    it is. Ain't that magic?

    Reboot the router to have the changes take effect.

    Now you should be able to ping6 IPv6 hosts from the router's command
    line.

    You can try to ping mine by typing:

    [code]

    root@OpenWrt:/# ping6 wrt6.vlist.eu
    PING wrt6.vlist.eu (2001:470:1f14:1117::2): 56 data bytes
    64 bytes from 2001:470:1f14:1117::2: seq=0 ttl=64 time=1.243 ms
    64 bytes from 2001:470:1f14:1117::2: seq=1 ttl=64 time=1.358 ms
    64 bytes from 2001:470:1f14:1117::2: seq=2 ttl=64 time=1.140 ms
    64 bytes from 2001:470:1f14:1117::2: seq=3 ttl=64 time=1.142 ms
    ^C

    [/code]

    If you get this result, your tunnel is working. To enable incoming
    pings, however, you need to open the firewall for protocol 41. Protocol
    41 is the protocol used for 6in4 tunneling. The firewall of OpenWrt is
    closed to all unsolicited incoming packets by default. By pinging
    out over IPv6, the firewall is opened for protocol 41 and it can be
    pinged from outside, but it closes again after a minute or two. Add
    the following lines to /etc/config/firewall to keep the tunnel open
    permanently:

    [code]

    # Accept proto 41 so it always reaches the tunnel endpoint

    config rule
    option src wan
    option proto 41
    option target ACCEPT

    [/code]

    To check if your router is pingable from outside, you can use a looking
    glass server. Here is one: http://leasewebnoc.com/lg/html.

    As a last step you have to configure the firewall to also apply the
    firewall rules to the IPv6 tunnel.

    In the file /etc/config/firewall find this section:

    [code]

    config zone
    option name wan
    option input REJECT
    option output ACCEPT
    option forward REJECT
    option masq 1
    option mtu_fix 1

    [/code]

    And add this line after the second line:

    [code]

    # to have IPv6 firewall rules apply to the tunnel

    option network 'wan henet'

    [/code]
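    As an added example (not part of the article), the following shell
    functions assemble the henet interface section and the protocol 41
    rule from the values tunnelbroker.net shows, hashing the password with
    md5sum as described above and refusing a client address without the
    /64. The function names are my own; the tunnel ID, user ID and password
    used in the call are constructed placeholders, and restricting the rule
    to the broker's server address with src_ip is a tightening I added, not
    something the article does.

```shell
# Added example, not from the article: build the he.net tunnel section and the
# proto-41 rule from the values tunnelbroker.net shows, hashing the password
# the way the article does (md5sum) and enforcing the /64 it warns about.
# Tunnel ID, user ID and password used below are constructed placeholders;
# the peer and client addresses are the ones printed in the article.

# 32-hex-digit MD5 of the account password, as the 'password' option wants.
# printf replaces 'echo -n', which is not portable across shells.
tb_password_hash() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# The client address must keep its prefix length ("do not omit the /64").
check_ip6addr() {
    case "$1" in
        *:*/64) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print the UCI 'interface henet' section for /etc/config/network.
# Usage: henet_network_section PEER_V4 CLIENT_V6/64 TUNNEL_ID USER_ID PASSWORD
henet_network_section() {
    check_ip6addr "$2" || { echo "ip6addr $2 lacks the /64 suffix" >&2; return 1; }
    cat <<EOF
config interface henet
option proto 6in4
option peeraddr $1
option ip6addr $2
option tunnelid $3
option username $4
option password $(tb_password_hash "$5")
EOF
}

# Print the proto-41 accept rule for /etc/config/firewall. Limiting it to the
# broker's server address (src_ip) is a hardening step added here; the
# article's rule accepts protocol 41 from any source, but only the tunnel
# server ever needs to reach the endpoint with 6in4 packets.
henet_firewall_rule() {
    cat <<EOF
config rule
option src wan
option src_ip $1
option proto 41
option target ACCEPT
EOF
}
henet_network_section 216.66.84.46 2001:470:1f14:1117::2/64 123456 \
    0123456789abcdef0123456789abcdef 'example-password'
henet_firewall_rule 216.66.84.46
```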


    This completes the setup of the tunnel on the Linksys. Next week's
    article will describe how to let the router issue global IPv6 addresses
    from a subnet to your machines on the LAN.




    ---
    * Origin: he.net certified sage (2:280/5555)