Dec 282014
 
 December 28, 2014  Posted by at 12:19 am hardware, Tutorial, wireless Tagged with: , , ,  No Responses »

I have many open-mesh OM1P units laying around from failed wireless projects. Needless to say I’m not a big fan of open-mesh and have some other projects in mind for this hardware. It was a painful process but well worth it. Now I have nice little OpenWRT units for any hacking pleasure.

I have made a concise synopsis of the openwrt wiki page for flashing proper firmware on the OM1p/Fon/Fonera/Accton/etc. Please visit http://wiki.openwrt.org/toh/fon/fonera#openwrt for more detail.

Begin with serial access
serial-ttl-om1p
You will need a TTL serial to usb or similar like this https://www.adafruit.com/products/284

Consult the openwrt wiki for pinout of om1p

Use minicom or screen to access it.

We need a tftp server (don’t worry its super easy if your using Debian :-).
I tried with http (apache) and it doesn’t work.

apt-get install atftpd

cd /srv/tftp/
wget http://downloads.openwrt.org/backfire/10.03.1/atheros/openwrt-atheros-vmlinux.lzma
wget http://downloads.openwrt.org/backfire/10.03.1/atheros/openwrt-atheros-root.squashfs

(don’t install anything newer than 10.03.1, this little thing is old)

stop network manager so we can assign static ip:
/etc/init.d/network-manager stop
assign static ip:
ip address add 192.168.0.2/24 dev eth0

connect to the usb serial:
screen /dev/ttyUSB0 9600

a few seconds into the boot you will see the following:

Board: ap51 
RAM: 0x80000000-0x82000000, [0x8003f640-0x80fe1000] available
FLASH: 0xa8000000 - 0xa87f0000, 128 blocks of 0x00010000 bytes each.
== Executing boot script in 3.000 seconds - enter ^C to abort

You have 3 seconds to press ctrl+c to interrupt the boot process and enter into redboot boot loader

On the om1p, in RedBoot, run the following commands.

Set the ip of redboot and the tftp server:
(Don’t forget to connect them with ethernet cable.)

RedBoot> ip_address -h 192.168.0.2 -l 192.168.0.1/24

IP: 192.168.0.1/255.255.255.0, Gateway: 0.0.0.0
Default server: 192.168.0.2

download linux onto the om1p:
RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-vmlinux.lzma

Using default protocol (TFTP)
Raw file loaded 0x8003f800-0x8011f7ff, assumed entry at 0x8003f800

initialize the current flash partition, this will erase openmesh firmware, yay!:
RedBoot> fis init

About to initialize [format] FLASH image system - continue (y/n)? y
*** Initialize FLASH Image System
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .

Now flash the kernel image to memory:
RedBoot> fis create -e 0x80041000 -r 0x80041000 vmlinux.bin.l7

... Erase from 0xa8030000-0xa8110000: ..............
... Program from 0x8003f800-0x8011f800 at 0xa8030000: ..............
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .

Now load the rootfs:
RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-root.squashfs

Using default protocol (TFTP)
Raw file loaded 0x8003f800-0x8021f7ff, assumed entry at 0x8003f800

And then flash the rootfs:
RedBoot> fis create rootfs

... Erase from 0xa8110000-0xa82f0000: ..............................
... Program from 0x8003f800-0x8021f800 at 0xa8110000: ..............................
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .

Reboot the om1p:
RedBoot> reset

You will see OpenWRT booting and creating filesystems and such.

...
jffs2_scan_eraseblock(): End of filesystem marker found at 0x0
jffs2_build_filesystem(): unlocking the mtd device... done.
jffs2_build_filesystem(): erasing all blocks after the end marker... done.
mini_fo: using base directory: /
mini_fo: using storage directory: /overlay
BusyBox v1.15.3 (2011-11-24 02:38:24 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 Backfire (10.03.1, r29592) ------------------------
  * 1/3 shot Kahlua    In a shot glass, layer Kahlua 
  * 1/3 shot Bailey's  on the bottom, then Bailey's, 
  * 1/3 shot Vodka     then Vodka.
 ---------------------------------------------------
root@OpenWrt:/#

Now we need to set a heartbeat for the hardware watchdog otherwise the om1p reboots every 5 minutes.

vi /etc/config/om1pwatchdog

#!/bin/sh
gpioctl dirout 3 ; gpioctl clear 3
sleep 1
gpioctl set 3

Make it executable:
chmod 755 /etc/config/om1pwatchdog

Run every 2 minutes:
crontab -e
add the following and save
*/2 * * * * /etc/config/om1pwatchdog

Start NM again, you will now get an ip from the om1p openwrt dhcp server.
/etc/init.d/network-manager start

connect with firefox at http://192.168.1.1

yay, no more crap open-mesh!

Jul 072013
 
 July 7, 2013  Posted by at 12:54 pm firewall, networking, Tutorial, wireless Tagged with: , ,  10 Responses »

In this scenario we will be implementing a openWRT as a wireless access point only. One wireless essid will be LAN accessible and the other will be segregated from the LAN but able to access the WAN. The openWRT in this example will not be the gateway to the network. Another device is the gateway and there is an existing dhcp server.

                            PUBLIC wifi
                         172.16.134.0/24
                                  |
                     public gateway and dhcp server
                            172.16.134.1
                                  \
                   Source NAT to 10.101.101.10
                                              \
ISP <-Gateway-> LAN wired 10.101.101.0/24 <-openWRT-> 
                                              /
                           LAN wifi (wpa2+aes)
                           10.101.101.0/24

1. Add a new wireless access point

wifinogw.1.add-wireless-essid

2. Settings for the new wireless access point. Create a new network interface of “public”. Don’t use any encryption, as this is for general public use.

wifinogw.2.wifi-settings

3. Edit network interface for the public network

wifinogw.3.public-interface-edit

4. Edit PUBLIC interface settings. Set to static address and enable DHCP server for this new network.

wifinogw.4.pub-int-settings

5. Edit the LAN interface. Set the lan interface to an un-used ip of the existing network. Don’t set to “dhcp client” as you will lose connectivity and need to perform a recovery on your openwrt device. Be sure to disabled the DHCP server as the existing network already has one.

wifinogw.5.lan-settings

6. Add a new zone and call it “public_zone”. Masquarade it and put it in the public network. Allow forwarding to and from “lan” zone. We will limit this later with specific firewall rules.

fw_public_zone

7. This is what the general firewall zones should look like

wifinogw.7.fw-general-overview

8. Under the Firewall -> Traffic Rules section add a new Source NAT Rule. Call it “pub2lan“. Set the “Source zone” to “public_zone” and the “Destination zone” to “lan” and set the drop down option “To source IP” to br-lan interface, in this example its 10.101.101.10. Leave “To source port” blank. This SNAT rule will translate all traffic on the public wireless network of 172.16.134.0/24 into the IP of 10.101.101.10. This is the redirect rule from /etc/config/firewall
wifinogw.8.fw-tr-snat

config redirect
option target 'SNAT'
option src 'public_zone'
option dest 'lan'
option proto 'all'
option name 'pub2lan'
option src_dip '10.101.101.10'
option enabled '1'

9. Setup a “New forward rule:” Set name to allow2gw or similar. Source zone to “public_zone” Destination zone to “lan” Click “Add and edit…” Protocols should be “Any”, Destination address is the gateway of the network. In this case 10.101.101.1. The following is the /etc/config/firewall rule for reference. This will allow traffic from the public_zone to reach the gateway of the network.

wifinogw.9.fw-tr-forward-allow2gw

config rule
option target 'ACCEPT'
option proto 'all'
option name 'allow2gw'
option src 'public_zone'
option dest 'lan'
option dest_ip '10.101.101.1'

10. Setup a “New forward rule”. Set the name to drop2lan or similar. Set the Source zone to “public_zone” and Destination zone to “lan”. Click “Add and edit…” Set Protocol to “Any”, Destination address to custom and enter the subnet of the LAN. In this case its 10.101.101.0/24, set “Action” to “drop”. You can add more rules like this one to limit access to other networks or hosts as needed.

drop2lan

config rule
option name 'drop2lan'
option src 'public_zone'
option proto 'all'
option target 'DROP'
option dest 'lan'
option dest_ip '10.101.101.0/24'

 

11. Firewall Traffic Rule overview. There is an error on this view. The following rules have “option proto ‘all'” set and the luci web interface shows “Any TCP+UDP”. This is simply a bug in the luci interface and can be ignored. The order of these rules is very important. In this case you can see we added the “Allow to 10.101.101.1” before the “Drop to 10.101.101.0/24”. If reversed, the lan including the gateway would not be accessible from the public wireless AP. Therefore, you would not be able to reach the Internet.

wifinogw.11.fw-tr-overview

May 232013
 
 May 23, 2013  Posted by at 10:59 am firewall, networking, wireless Tagged with: , ,  No Responses »

In this post I will outline how to use zones to create public firewalled networks. A device that can bring up multiple interfaces per radio is very attractive here. One essid for private wireless and another for open public wireless. The Atheros ath9k chipsets are very well supported in this regard because they are free software.
This post is different than my older post where we have a private LAN behind our WAN interface that we need to protect… In this scenario we have our ISP connected directly to the openWRT WAN port and we need to bring up a public wireless that is segregated from the LAN. Like so:

                                         "public wifi"
                                                 /
ISP <-openWRT fw-> LAN 192.168.1.0/24 <-public_zone-> PUBLIC 172.16.134.0/24
                        \ 
                 "private LAN wifi"

Obviously the zone can be utilized however you like. Another common option would be to firewall a open wireless network from the LAN. And forgo the insecure nature of a “secured” wireless altogether. The OpenWRT could be running openvpn, that you connect to over the “insecure” wireless, now thats secure!

The following steps are done via the web interface (luci).

1. Start by adding a new wireless interface. In this case to the 5ghz radio. You can do this again for the 2.4ghz radio. wireless 1. add

2. Set the essid and network name “public”. This will allow us to use firewall zones to segregate the networks, rather than excluding individual rfc1918 subnets like in the first example.wireless 2. new wifi settings

 

3. Edit the interface “PUBLIC” so that we can set it as a static ip.wireless 3. edit interface

4. Change the protocol to “static address” set a ip for it and a subnet. DO NOT set a gateway. This will write a new default gateway to the routing table and cause the internet to break occasionally. Setup a dhcp server for this network.wireless 4. public interface

5. In the firewall section. Setup a zone called something like “public_zone” and assign it to the “public” network. And allow it to forward to “WAN” zone.wireless 5. firewall zone

6. This is what the general firewall zone’s should look like now.wireless 6. general firewall zone

Be sure to test it. Connect to the public and try and nmap a known host on the private and vice versa. A few times I have needed to reboot the router for everything to start working properly. It could be because I tinkered too much and caused a hickup. Just something to keep in mind..

 

Oct 132009
 
 October 13, 2009  Posted by at 2:25 pm documentation, networking, wireless Tagged with: , , , , , , ,  No Responses »

start -> run -> regedit
make a backup, if you want.
goto:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}

look through the list of subkeys (0000, 0001, etc)
DriverDesc keyword will tell you which network adapter. For example, “NVIDIA nForce Networking Controller”
when you find it, right click and add -> new -> string value

new keyword:

Value Name: = NetworkAddress
Value Data: = your new MAC, with no space or : For example, 0019DB71C830

then type:

ipconfig /release
ipconfig /renew
ipconfig /all   (to verify the new mac took)

Now your a l33t Winblows H4|<3r! If you want to go back to your hardware MAC, remove the NetworkAddress key and restart the interface. FYI, in gnu/linux follow these simple steps to change your MAC address

ifconfig eth0 hw ether 00:19:DB:71:C8:30

if you get this error

SIOCSIFHWADDR: Device or resource busy - you may need to down the interface

do this

ifconfig eth0 down

and try to change the MAC again.

Oct 122009
 
 October 12, 2009  Posted by at 11:13 am wireless Tagged with: ,  No Responses »

Here is a list of free wireless spots in Santa Fe. I’m sure I will miss some or make errors, please let me know. I don’t list locations that use a password, as it irritates me when people inconvenience patrons for some ignorant reason.

* Santa Fe Baking Company (one of the first and best wireless spots in town, lots of seating and ample power, food and kitchen smell can be harsh)
* Pyramid Cafe (VERY fast internet, Amazing Mediterranean food)
* Second Street Brewery (very solid reliable connection, inside or out. great beer too!)
* Counter Culture Cafe (the qwest connection goes down a lot, the ap is too far from the seating area, but great place to hang, eat and work)
* Teahouse (The best selection of teas and generally good internet, very relaxing place. great food too)
* Aztec Cafe (small but friendly environment, good coffee and sandwiches)
* Blue Corn (the bar downtown has it, ask the bar tender for password (indiapaleale). The southside is open AP and I think the essid is jaguar)
* Flying Star Cafe (the wireless is always slow, food is overpriced and not very good. They use sputnik as a captive portal, its annoying to ask users to sign up for internet. I login with user: free pass: wireless There is a lot of space and the air is fresh)
* Santa Fe Brewing Company (its awesome they provide internet so far out of town)
* Backroad Pizza (south side location has it, not sure about the 2nd street location)
* Joe’s Good food, friendly staff, good internet
* Body (great healthy food, limited seating in front cafe area, back dining area reserved for no computers and no cell phones :-)

Oct 072009
 
 October 7, 2009  Posted by at 7:14 pm firewall, wireless Tagged with: , , ,  No Responses »

The updated and more flexible way to do this is outlined here. It also requires updated hardware. The wrt54gl only supports openwrt v10 (backfire). I would like to add that despite the wrt54gl literally being ancient, its still a rock solid device today. Of course, only if openwrt is installed!

A while ago Second Street Brewery asked for a good stable public wireless internet connection. Of course, the solution was obvious, openwrt! In this case a linksys wrt54gl. The office, point of sale and public networks all share the same gateway. The problem was segregating the public wireless network from the private office lan. Sam (http://thepromisedlan.org) and I set out to setup a firewall to protect them. This is what we came up with:

         "secured office wifi"
                /
ISP <-fw-> office LAN 10.1.10.0/24 <-fw-> (linksys) "open public wifi" 
(clients on public wifi cannot reach 10.1.10.0/24 or any other private subnet)

check if the following is in /etc/config/firewall otherwise, add it

config include
option path /etc/firewall.user

and in /etc/firewall.user we put:

#Insert this into the chain, so 10.1.10.0/24 (office) can connect to public 192.168.10.0/24.
#This rule gets repeated by the setup script /etc/init.d/firewall.
iptables -I FORWARD 1 -m state --state RELATED,ESTABLISHED -j ACCEPT

#block all traffic to any possible private network address (10.*.*.*, 172.16-32.*.*, 192.168.*.*)
iptables -I FORWARD 2 -d 192.168.0.0/16 -j DROP
iptables -I FORWARD 2 -d 172.16.0.0/12 -j DROP
iptables -I FORWARD 2 -d 10.0.0.0/8 -j DROP

If you would like to have remote administration on the openwrt so you can access the luci web interface and ssh from the wan side of the router, you can change /etc/config/firewall wan zone to allow it. !!WARNING!! If you are directly connected to the internet, this will expose your open ports to the world. You should take precautions to secure them before changing this firewall rule.

config 'zone'
  option 'name' 'wan'
  option 'input' 'REJECT' #

or if you just want to allow remote ssh access

config rule
  option target 'ACCEPT'
  option src 'wan'
  option proto 'tcp'
  option dest_port '22'
  option name 'ssh'