HowTos: Difference between revisions
Line 596: | Line 596: | ||
The C++ environment is configured! | The C++ environment is configured! | ||
1.Download the linksys firmware source | *1. Download the linksys firmware source | ||
2. Copy the brcm/ directory from /tools to /opt | *2. Copy the brcm/ directory from /tools to /opt | ||
3. add /opt/brcm/hndtools-mipsel-linux/bin to your path | *3. add /opt/brcm/hndtools-mipsel-linux/bin to your path | ||
4. add /opt/brcm/hndtools-mipsel-uclibc/bin to your path | *4. add /opt/brcm/hndtools-mipsel-uclibc/bin to your path | ||
*Use mipsel-linux-g++ compiler to compile any c++ code | |||
*Don't use the mipsel-uclibc-g++ compiler - this was my mistake! | |||
*Now we can try compile mobile mesh for linksys | |||
=HowTo create/be part of a VPN= | =HowTo create/be part of a VPN= |
Revision as of 20:13, 19 June 2006
Getting started
NEW! The first edition of "Wireless Networking in the Deveolping World" is available as e-book now. Prints can be ordered on demand at lulu.com. The e-book is available at no cost under a creative commons license. Get your copy at wndw or locally and share it.
Step 1. Check where you are on the planet:
Your very first step is to find your current position on a map and then see what other wireless nodes are nearby. The best way to do this is to get a GPS and find out your coordinates and then to enter these into google earth - you can also use google earth to find your coordinates by identifying your house on the satellite image.
Step 2. Check who else is around that you can connect to
Once you have entered your google earth position - have a look at the positions of other wifi installations around you. For the Pretoria Mesh we have stored all the google earth positions in this file. You can also have a look on sites like NodeDB to see if there are other wireless installations near you. Once you have identified someone that you want to connect to, the best way to check connectivity is to use a WiFi sniffer such as netsumbler for windows or Kismet on linux loaded on a laptop with a Wifi card fitted with an external antenna. For people in Pretoria we have a kit like this that can be borrowed from our WiFi tuckshop. Find the highest point at your house such as your roof and slowly rotate the directional antenna around you to see if you can pick up any WiFi access points. You will want to find an access point that is in ad-hoc mode and is mesh enabled - the wifi sniffer will tell you if the wireless node is in ad-hoc mode but you will have to contact the owner to check what mesh protocol, if any, they are running.
Step 3. Build a mesh node
Now that you know where you are located and you have hopefully found someone you can connect to, you will need to construct your mesh hardware.
A mesh network node consists of a wireless router, antenna, routing software and settings.
Wireless Router
Your wireless router can either be a PC with a wireless card, a dedicated Wireless Router unit or SBC Single Board Computer with a wireless card. A dedicated Wireless Router is the most popular choice because it is relatively cheap, easy to configure and low power making it practicle for a device that is meant to be on most of the time. Have a look at Cost Tables to get an idea of all the possible types of mesh nodes you can build together with the cost implications
Antennae:
The first step is to select an antenna that suits your situation best. There are several types of Antennae:
1) Omnidirectional 2) Yagi-Uda 3) Grid 4) Flat-panel 5) Wave-guide
The main difference between these antennae is the Radiation Pattern. Each type is also available with different Gain specifications. Typical Wireless Routers are sold with 2 omnidirectional antennae and these can be re-used as part of your node, depending on your situation. If you have other nodes in your vicinity that are spread out in all directions but are fairly close (i.e. < 3Km), then an omni-directional antenna should suffice. If the other nodes are concentrated in one direction, for example, if you have a hill on one side of your house and theres no point in radiating the hill, then you may want to choose a more directional antenna, like a 180 degree Flat-panel. For point-to-point links, a smaller radiation angle is needed and Grid or Yagi-Uda type antennae are probably best suited.
Step 4. Install latest mesh networking firmware
The type of software that needs to be installed will typically be implmentations of mesh routing protocols like OLSR, as well as security software, like VPN clients. On dedicated wireless routers, this is typically implemented on Firmware, while on standard PC's its implemented in Software.
WRT54G Firmware update
Wireless Routers like the WRT54G are not mesh capable as is. One of the reasons for selecting the Linksys is that the Firmware is upgradeable.
Caution: Please note, that fiddling with the firmware will void your warranty!!!
The following instructions apply to networks running the OLSR routing protocl, like the Pretoria Mesh.
1. Download freifunk firmware from Freifunk site or Local
2. Set boot wait on linksys
Web method:
Navigate to web page were you can send pings and type each of these lines one line at a time
;cp${IFS}*/*/nvram${IFS}/tmp/n ;*/n${IFS}set${IFS}boot_wait=on ;*/n${IFS}commit ;*/n${IFS}show>tmp/ping.log
NVRAM method:
telnet into box and type the following
nvram set boot_wait=on nvram commit reboot
3. Upload firmware
Give yourself a fixed IP in the 192.168.1.x range e.g. 192.168.1.100
Use tftp to upload firmware
tftp 192.168.1.1 tftp> binary tftp> rexmt 1 tftp> trace Packet tracing on. tftp> put openwrt-g-freifunk-1.0.2-en.bin
Wait for the power light to stop flashing Power cycle the box
Step 5. Install mesh node
HowTo Water-proof your equipment
Step 6. Setup mesh configuration
1. Check that the web interface is working. Visit the site http://192.168.1.1 on your web browser - you should see the main freifunk web interface appear
2. Set up the wireless interface
WLAN protocol: Static Ip Address: 192.168.2.5 Netmask: 255.255.255.0 WLAN Mode: Ad Hoc (Peer to Peer) ESSID: mesh Channel: 6 TX Power: 100
3. Set up the LAN interface
LAN protocol: Static LAN IP: 192.168.4.1 LAN Netmask: 255.255.255.0 Disable NAT: yes Disable Firewall: yes
4. Set up the WAN interface
WAN Protocol: DHCP Host name: Lawrence
5. Set up OLSR
HNA4: 192.168.4.1 255.255.255.0
6. Restart the Linksys
You should now be given an IP address in the 192.168.3.x range You should be able to connect to another mesh access point and even get a default gateway to an internet point, if one exists
Step 7. Start surfing
Hopefully you`re now hooked up to the internet and you can start surfing the web or hooking up to other PCś on the mesh
Step 8. Troubleshoot
Start with Layer 1:
Is everything switched on? Is the LAN plugged in? Is the Antenna connected? Is it facing the right direction? Is it polarised correctly?
Check software settings:
Is the correct antenna selected? Is the routing daemon running?
WRT54G HowTos
HowTo choose which antenna port to use on the WRT54G for an external antenna
Where to connect the external antenna
WRT54g v1, v1.1, v2 look at the backside and connect the external antenna to the right antenna connector
WRT54g v2.2 v3 3.1 v4 and the WRT54GL v1.0 look at the backside and connect the external antenna to the left antenna connector
HowTo create an ipk package
TOOLS
Get the script rightfully called ipkg-build at, among other places, ftp://ftp.handhelds.org/packages/ipkg-utils, or http://www.mizi.com/download/mz20/ipkg-build.
CREATING THE PACKAGE STRUCTURE
Say you wanna create a package called MyPackage; you further wanna package the project called MyProject. Then do the following:
1. Create a directory called MyPackage. 2. Inside directory MyPackage, create a directory called CONTROL. 3. Copy your project (MyProject) to the MyPackage directory. 4. Inside directory CONTORL creating a file called control.
NOTE:
When the package is installed on the target, the MyPAckage directory will be created with respect to root. So if you wanted your files to be installed in /usr/bin on the target system, then our project would in this case be “/usr/bin”. That is you create inside directory MyPackage a directory called /usr/bin.
FORMAT AND CONTENTS OF /CONTROL/control
Package: MyPackage
Priority: optional // default
Version: 1.0 //package version
Architecture: mipsel
Maintainer: I_maintain@you.com
Source: ftp:ftp:122.122.122.122 //See Note below
Section: misc //See Note below
Description: This is an attempt to create ipkg.
NOTE:
The fields Section and Source seem rather useless to me in this example and I initially left them out; however the ipkg-build script complained requiring them, so I just put them in as a workaround without knowing/”caring” of their need. There are other fields not included here which you might need for your purposes, check the web for more.
Further the comments are mine for this documentation purposes only and the script MIGHT NOT permit comments.
RUNNING THE ipkg-build SCRIPT
Now simply run (of course being outside of the directory MyPackage):
“./ipkg-build –c –o root –g root MyPackage” // as root or non-root, or
“./ipkg-build –c MyPackage” //as root
IF all’s well, a package on the current directory will be created.
NOTE:
Without the “-c” option, I could not get the package installed successfully, you can try with or without and see for yourself.
HowTo run Kismet on a WRT54G
- Install either the kismet or kismet_drone package.
- Edit /etc/kismet_drone.conf and change the source from wrt54g,eth1,wrt45g to wrt54g,prism0,wrt54g.
- Run kismet from your host, pc and off u go!
HowTo check your Linksys WRT54G version
Finally some good info about finding the version number from outside markings and using NVRAM settings - info from www.openwrt.org
Linksys WRT54G
1. Hardware versions 1. Identification by S/N 1. WRT54G v1.0 2. WRT54G v1.1 3. WRT54G v2.0 4. WRT54G v2.2 5. WRT54G v3.0 & WRT54G v3.1 6. WRT54G v4.00 2. Table summary 3. Hardware hacking
1. Hardware versions
There are currently seven versions of the WRT54G (v1.0, v1.1, v2.0, v2.2, v3.0, v3.1, v4.00). With the exception of v4.00 devices (it is currently marked as untested for White Russian RC1), the WRT54G units are supported by OpenWrt 1.0 (White Russian) and later. boot_wait is off by default on these routers, so you should turn it on. The version number is found on the label on the bottom of the front part of the case below the Linksys logo. 1.0.1. Identification by S/N
Useful for identifying shrinkwrapped units. The S/N can be found on the box, below the UPC barcode.
(!) Please contribute to this list. (!)
Model | S/N | CVS | EXP |
WRT54G v1.1 | CDF20xxxxxxx CDF30xxxxxxx | (./) | (./) |
WRT54G v2 | CDF50xxxxxxx | (./) | (./) |
WRT54G v2.2 | CDF70xxxxxxx | {X} | (./) |
WRT54G v3 | CDF80xxxxxxx | {X} | (./) |
WRT54G v3.1 (AU?) | CDF90xxxxxxx | {X} | (./) |
1.1. WRT54G v1.0
The WRT54G v1.0 is based on the Broadcom 4710 board. It has a 125MHz CPU, 4Mb flash and 16Mb SDRAM. The wireless NIC is a mini-PCI card. The switch is an ADM6996. 1.2. WRT54G v1.1
The WRT54G v1.1 is based on the Broadcom 4710 board. It has a 125MHz CPU, 4Mb flash and 16Mb SDRAM. The wireless NIC is soldered to the board. The switch is an ADM6996.
Hardware informations (nvram) :
boardtype=bcm94710dev
1.3. WRT54G v2.0
The WRT54G v2.0 is based on the Broadcom 4712 board. It has a 200MHz CPU, 4Mb flash and 16Mb SDRAM. The wireless NIC is integrated to the board. The switch is an ADM6996.
Hardware informations (nvram) :
boardtype=0x0101 boardflags=0x0188
1.4. WRT54G v2.2
The WRT54G v2.2 is based on the Broadcom 4712 board. It has a 200MHz CPU, 4Mb flash and 16Mb DDR-SDRAM. The wireless NIC is integrated to the board. The switch is a BCM5325.
Hardware informations (nvram) :
boardtype=0x0708 boardflags=0x0118
1.5. WRT54G v3.0 & WRT54G v3.1
This unit is just like the V2.2 Except it has an extra reboot button on the left front panel behind a Cisco logo. 1.6. WRT54G v4.00
Please add information for this revision.
Hardware informations (nvram) :
boardrev=0x10 boardtype=0x0708 boardflags2=0 boardflags=0x0118 boardnum=42
/!\ To take the front cover off of this unit you must first remove the small screws under the rubber covers of the front feet! 2. Table summary
how to get info :
- board info: nvram show | grep board | sort
- cpu model: cat /proc/cpuinfo | grep cpu
Model | boardrev | boardtype | boardflags | boardflags2 | boardnum | wl0_corerev | cpu model |
WRT54G v1.1 | bcm94710dev | 42 | 5 | BCM4710 V0.0 | |||
WRT54G v2.0 | 0x0101 | 0x0188 | BCM3302 V0.7 | ||||
WRT54G v2.2 | 0x0708 | 0x0118 | 7 | ||||
WRT54G v3.0 | 0x10 | 0x0708 | 0x0118 | 0 | 42 | 7 | BCM3302 V0.7 |
WRT54G v3.1 (AU?) | 0x10 | 0x0708 | 0x0118 | 0 | 42 | 7 | BCM3302 V0.7 |
WRT54G v4.0 | 0x10 | 0x0708 | 0x0118 | 0 | 42 | 7 | BCM3302 V0.7 |
WRT54GS v1.0 | 0x10 | 0x0101 | 0x0388 | 0 | 42 | 7 | BCM3302 V0.7 |
WRT54GS v1.1 | 0x10 | 0x0708 | 0x0318 | 0 | 42 | ||
Buffalo WBR-54G | 0x10 | bcm94710ap | 0x0188 | 2 | 42 | ||
Toshiba WRC1000 | bcm94710r4 | 100 | |||||
Buffalo WBR2-G54S | 0x10 | 0x0101 | 0x0188 | 0 | 00 | ||
Asus WL-500G Deluxe | 0x10 | bcm95365r | 45 | 5 | BCM3302 V0.7 |
- other variables (nvram) of interest : boot_ver, pmon_ver, firmware_version, os_version
please complete this table. Look at this thread : [WWW] http://openwrt.org/forum/viewtopic.php?pid=8127#p8127 May be this table should move up to OpenWrtDocs/Hardware. 3. Hardware hacking
There are revision XH units of the WRT54G v2.0. These units have 32Mb of memory, but they are locked to 16Mb. You can unlock the remaining memory with changing some of the variables. Afterburner (aka. Speedbooster) mode can be enabled with some variables, too.
/!\ However, there are no guaranties, that these will work, and changing the memory configuration on a non-XH unit will give You a brick. Check the forums for more info. If you have a look at the WRT54G v2.2 board, you can find on the left corner, near the power LED, an empty place for a 4 pins button. On the board it is printed as SW2. This is the second reset button you can find on WRT54G v3.0, except that it has not been soldered.
HowTo Stabilise a ver 2.2 WRT54G running OpenWRT based firmware
After a lot of tweaking OLSR running on Linksys has had no "ping down" messages for about 5 days now. Some of the tips to getting OLSR on OpenWRT stable.
1. Lock all the nodes to 802.11B don't let it auto sense 2. If there are any v2.2 hardware devices, change the clock speed to 216MHz with the following commands1
- nvram set clkfreq=216
- nvram commit
- reboot
3. Lock the RX and TX antenna to the one you connected your external antenna too, don't use AUTO. TAKE NOTE!!! On Version 2.0 hardware Antenna A is on the left looking from the front of the linksys and and on Version 2.,2 hardware Antenna A is on the right looking from the fron of the linksys. This caught me out a few times.
HowTo configure netmasks on OLSR/Freifunk
I had this problem with the OLSR web interface on the Freifunk openwrt implementation. If entered the following for the HNA4 field
HNA4: 10.3.13.1 255.255.255.0
Which should advertise the whole 10.3.13.x net it would advertise the 10.0.0.0 net. I discovered that it needs the subnet mask in this format instead
HNA4: 10.3.13.1/24
A few other things I learnt
1. NVRAM variable ff_hna4 stores the HNA4 setting 2. /etc/olsr.conf is ignored by freifunk 3. /rom/etc/olsrd.conf stores a permanent copy of the olsrd setup 4. /var/etc/olsrd.conf is a symbolic link to /tmp/etc/olsrd.conf ... this file is copied from /rom/etc/olsrd.conf into RAM (ramfs filesystem) and is the one called by olsrd.
ps -A will reveal that olsrd is called as follows
olsrd -f /var/etc/olsrd.conf -d 0
HowTo Brick and De-Brick a WRT54G
Theres nothing like learning the hard way! As a result of my usual "If it ain't broke, it hasn't been fixed enough" approach to life, I fiddled with the Linksys until it innevitably went into a coma/ vegetative state. How did I manage this you ask? Simple, I started by doing a firmware upgrade using the wrong sveasoft image, which resulted in a moderately upset linksys which refused to talk to me on the web interface. With the help of our trusted Android (Andrew), I managed to do a reset-hold/ ping / tftp recovery and then flashed the poor bugger with OpenWRT, which according to OpenWRT is still not supported by them for the version 2.2 Linksys, which I subsequently found out I was using! So alas, all that remained was a perfectly dead Linksys, not responding to anything. It was time to go in, screwdrivers a blazing. I shorted out pins 15 and 16 and started up the Linksys, this created a crc error which was detected on boot, this then started up an emergency TFTP server which allowed me to ping and finally tftp the original Linksys firmware back onto it!
More details on the recovery processes can be found here: OpenWrtDocs/Troubleshooting - OpenWrt
Whew!
How to set up Linksys as a RIP2 router with client mode
How to set up Linksys as a RIP2 router with client mode
1. Load Alchemy pre-release 5.2.3 onto the linksys
2. Set the Linksys Wireless interface to Client mode and set SSID to "pta-mesh"
Using the web interface select Wireless - Basic Settings Wireless Mode : Client SSID: pta-mesh Select Save Settings - continue
3. Choose your IP addresses for the Wireless interface and the LAN interface
I chose the following WAN interface: 10.50.1.13 LAN interface: 10.3.11.1
Using the Web interface select Setup - Basic Setup Internet Connection Type: Static IP Internet IP Address: 10.50.1.13 Subnet Mask: 255.255.255.0 Router Name: Something you like eg. david_home Local IP Address: 10.3.11.1 Subnet Mask: 255.255.255.0
Select Save Settings - continue
4. Add router configuration files to the target directory
Enter the router directory ($LINKSYS/src/router)
- cd /mipsel-uclibc/target
- mkdir /usr/local
- mkdir /usr/local/etc
Download my RIP configuration files for linksys ripd.conf zebra.conf
Copy these files to $LINKSYS/src/router/mipsel-uclibc/target/usr/local/etc
Download my image making script which will build files in the code.bin image makeimage.sh
Copy this script to $LINKSYS/src/router Run the script ./makeimage.sh
You should now have a code.bin with the router config files in /usr/local/etc Upload this new firmware to the linksys
5. Add commands to rc_startup to startup RIP, Flush iptables (so that RIP messages can arrive on RIP port) and remove NAT
zebra -d -f /usr/local/etc/zebra.conf ripd -d -f /usr/local/etc/ripd.conf iptables -F iptables -F -t nat
8. You should now have a rip enabled linksys client - Try ping the network connected to the wireless interface from a machine connected to the LAN
Things to improve in this recipe
1. Don't flush all iptables - just enable the port for RIP routing
2. Find location in Makefile where the code.bin image is made - don't need my custom script
HowTo route between WLAN and LAN on a WRT54G with Sveasoft
Make sure you have installed Sveasoft Alchemy 5.2.4
Go to Administration - Diagnostics and enter the following into the command line
brctl delif br0 eth1 ifconfig eth1 down ifconfig eth1 up if addr add 192.168.2.1/24 dev eth1
Click on "save startup" Reboot linksys
This will create a new subnet for the wireless side of the router on the 192.168.2.0 network The LAN side of the router will remain on the 192.168.1.0 network
HowTo Cross compile for the WRT54G
Got a c++ program compiled for linksys
The C++ environment is configured!
- 1. Download the linksys firmware source
- 2. Copy the brcm/ directory from /tools to /opt
- 3. add /opt/brcm/hndtools-mipsel-linux/bin to your path
- 4. add /opt/brcm/hndtools-mipsel-uclibc/bin to your path
- Use mipsel-linux-g++ compiler to compile any c++ code
- Don't use the mipsel-uclibc-g++ compiler - this was my mistake!
- Now we can try compile mobile mesh for linksys
HowTo create/be part of a VPN
Establishing IPsec tunnel/connection between FreeBSD and Linux (openswan IPsec Cisco WRT54G Router)
Establishing IPsec tunnel/connection between FreeBSD and Linux (openswan IPsec Cisco WRT54G Router)
Below is a simple setup demonstrating steps to establish an IPsec connection/tunnel between two machines one running Ipsec/racoon (on FreeBSD) and the other running openswan Ipsec (on WRT54G running Linux) using pre-shared key: This IPsec setup example shows how to control the Private LAN_A (146.64.0.0) network access.
.........(INTERNET)
.........|
.........|
..| FreeBSD | ......10.50.1.3..............................10.50.1.80| Openswan IPsec|
.| Router_A |<========> (“NETWORK”)<=======>| Router_B |
.| 146.64.17.1 |................................................................| 10.1.13.1 |
............ ||.........................................................................||
...Private LAN_A....................................................PPrivate LAN_B
...........|.......................................................................................|........... ....Client_A (146.64.17.12) ..................................Client_B (10.1.13.130)
NOTE: Before running racoon/ipsec and openswan ipsec, ensure that all nodes can successfully reach (ping) each other.
INSTALLING OPENSWAN ON WRT54G
To install, add the following to /etc/ipkg.conf:
src openswan ftp://ftp.openswan.org/openswan/binaries/openwrt/buildroot-20040509/ipkg/
and then run:
ipkg update
ipkg install gmp mawk openswan-module openswan
NOTE: Since /etc/ipkg.conf would normally be a link to the file in /rom directory; You can simple delete the link, and then copy the file over.
CONFIGURATION (Router_A IPsec)
There are three (3) configuration files on Router_A that needs to be edited: ipsec.conf (found in /etc on FreeBSD), psk.conf.(found in /usr/local/etc/racoon/ on FreeBSD) and racoon.conf.(found in /usr/local/etc/racoon/ on FreeBSD).
Add the following two lines in ipsec.conf: (This file defines the ends points of the tunnel to be established. There’d be two lines for each LAN_B client )
spdadd 146.64.0.0/16 10.1.13.0/24 any -P out ipsec esp/tunnel/10.50.1.3-10.50.1.80/require;
spdadd 10.1.13.0/24 146.64.0.0/16 any -P in ipsec esp/tunnel/10.50.1.80-10.50.1.3/require;
Roughly; the first line says “traffic coming from 146.64.0.0 network destined for 10.1.13.0 network must be transported via an IPsec tunnel with local endpoint 10.50.1.3 and far endpoint 10.50.1.80”.
The second line says “traffic coming from 10.1.13.0 network destined for 146.64.0.0 network must/would use an IPsec tunnel with a far endpoint 10.50.1.80 and local endpoint 10.50.1.3”.
Add the following line to psk.conf (This file defines the pre-shared key to be used between Router_A and Router_B).
10.50.1.80 presharedkey
NOTE: Comments must be on a different line to the pre-shared key entry, otherwise the comments are interpreted as part of the pre-shared key.
Add the following lines to racoon.conf
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
remote anonymous
{
- exchange_mode aggressive,main ;
exchange_mode main ;
lifetime time 24 hour ;
proposal {
encryption_algorithm 3des ;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 2 ;
}
}
sainfo anonymous
{
lifetime time 12 hour ;
encryption_algorithm 3des, blowfish, des, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
IMPORTANT: The IPsec version (2.3.1) used in this example did not seem to support “aggressive” exchange_mode hence “main” is specified. However, it is possible to include more than mode by separating them with comma; i.e.
exchange_mode aggressive, main ;
Both ways (specifying one or more modes) works! Further other lines with more than one values separated by comma may contain only one value as described for exchange_mode above.
CONFIGURATION (Openswan IPsec, Router_B)
There are two (2) files on Router_B that needs editing: ipsec.conf (found in /etc on Linux) and ipsec.secrets (found in /etc on Linux).
Add the following line in ipsec.secrets: (This file defines the ends points of the tunnel to be established and also the pre-shared key to be used)
10.50.1.3 10.50.1.80: PSK “presharedkey”
NOTE: 1. Place the string after PSK in quotes if it does not start with 0x (as in a hexadecimal number), otherwise openswan will complain.
2. The string after PSK must be the same as that specified in psk.conf on Router_A.
Add the following lines in ipsec.conf: (This file defines among other things, the network to be protected, authentication methods, type of connection, etc.)
config setup
interfaces="ipsec0=eth1"
klipsdebug=none
plutodebug=none
uniqueids=yes
conn %default
keyingtries=0
authby=secret #rsasig
conn crypt
left=10.50.1.80
leftid=10.50.1.80
leftsubnet=10.1.13.1/24
right=10.50.1.3
rightid=10.50.1.3
rightsubnet=146.64.8.8/16
auto=start
type=tunnel
NOTE: The name of our connection is called “crypt”. Under “config setup”, the line interfaces=”ipsec0=eth1” must refer to a real interface (ifconfig will show available interfaces) and also must be the interface through which the data to be protected will travel, in case of more than one NIC. The line “auto=start” says, the connection “crypt” must be brought up when openswan ipsec starts up; to bring up the connection manually either comment out the line or specify “auto=ignore”. The explanation given for ipsec.conf on Router_A is pretty much the same as for Router_B.
STARTING UP IPsec and Racoon (FreeBSD).
At this point all machines are able to reach (ping) each other successfully. Next ensure ipsec and racoon are not running. On my machine I do:
verdi2istc#/etc/rc.d/ipsec stop
Clearing ipsec manual keys/policies.
to stop ipsec if it was already running; and do
verdi2istc# setkey -P -D
No SPD entries.
To ensure there are no IPsec SA/SP database entries; and next do
verdi2istc#killall racoon
to stop racoon.
Next issue
verdi2istc# /etc/rc.d/ipsec restart
to start ipsec, and to verify ipsec started successfully then do
verdi2istd# setkey -P -D
10.1.13.0/24[any] 146.64.0.0/16[any] any
in ipsec
esp/tunnel/10.50.1.80-10.50.1.3/require
created: Aug 30 09:27:39 2005 lastused: Aug 30 09:27:39 2005
lifetime: 0(s) validtime: 0(s)
spid=16531 seq=1 pid=583
refcnt=1
146.64.0.0/16[any] 10.1.13.0/24[any] any
out ipsec
esp/tunnel/10.50.1.3-10.50.1.80/require
created: Aug 30 09:27:39 2005 lastused: Aug 30 09:27:39 2005
lifetime: 0(s) validtime: 0(s)
spid=16530 seq=0 pid=583
refcnt=1
From Router_A, type either racoon (to run in the backgroung) or racoon –F
verdi2istd#racoon
or to fun in foreground type
verdi2istd#racoon -F -d
Foreground mode.
2005-08-30 09:51:59: INFO: main.c:172:main(): @(#)package version freebsd-20040818a
2005-08-30 09:51:59: INFO: main.c:174:main(): @(#)internal version 20001216 sakane@kame.net
2005-08-30 09:51:59: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
2005-08-30 09:51:59: DEBUG: pfkey.c:434:pfkey_init(): call pfkey_send_register for AH
2005-08-30 09:51:59: DEBUG: pfkey.c:434:pfkey_init(): call pfkey_send_register for ESP
2005-08-30 09:51:59: DEBUG: pfkey.c:434:pfkey_init(): call pfkey_send_register for IPCOMP
2005-08-30 09:51:59: DEBUG: cftoken.l:578:yycf_set_buffer(): reading config file /usr/local/etc/racoon/racoon.conf
2005-08-30 09:51:59: DEBUG: pfkey.c:2379:pk_checkalg(): compression algorithm can not be checked because sadb message doesn't support it.
2005-08-30 09:51:59: DEBUG: grabmyaddr.c:206:grab_myaddrs(): my interface: 10.50.1.3 (ath0)
2005-08-30 09:51:59: DEBUG: grabmyaddr.c:206:grab_myaddrs(): my interface: fe80::202:6fff:fe21:2e71%ath0 (ath0)
2005-08-30 09:51:59: DEBUG: grabmyaddr.c:206:grab_myaddrs(): my interface: 146.64.8.1 (sis0)
2005-08-30 09:51:59: DEBUG: grabmyaddr.c:206:grab_myaddrs(): my interface: fe80::200:24ff:fec2:b684%sis0 (sis0)
2005-08-30 09:51:59: DEBUG: grabmyaddr.c:206:grab_myaddrs(): my interface: 127.0.0.1 (lo0)
2005-08-30 09:51:59: DEBUG: grabmyaddr.c:206:grab_myaddrs(): my interface: ::1 (lo0)
2005-08-30 09:51:59: DEBUG: grabmyaddr.c:206:grab_myaddrs(): my interface: fe80::1%lo0 (lo0)
2005-08-30 09:51:59: DEBUG: grabmyaddr.c:474:autoconf_myaddrsport(): configuring default isakmp port.
2005-08-30 09:52:00: DEBUG: grabmyaddr.c:496:autoconf_myaddrsport(): 7 addrs are configured successfully
2005-08-30 09:52:00: INFO: isakmp.c:1368:isakmp_open(): fe80::1%lo0[500] used as isakmp port (fd=5)
2005-08-30 09:52:00: INFO: isakmp.c:1368:isakmp_open(): ::1[500] used as isakmp port (fd=6)
2005-08-30 09:52:00: INFO: isakmp.c:1368:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=7)
2005-08-30 09:52:00: INFO: isakmp.c:1368:isakmp_open(): fe80::200:24ff:fec2:b684%sis0[500] used as isakmp port (fd=8)
2005-08-30 09:52:00: INFO: isakmp.c:1368:isakmp_open(): 146.64.8.1[500] used as isakmp port (fd=9)
2005-08-30 09:52:00: INFO: isakmp.c:1368:isakmp_open(): fe80::202:6fff:fe21:2e71%ath0[500] used as isakmp port (fd=10)
2005-08-30 09:52:00: INFO: isakmp.c:1368:isakmp_open(): 10.50.1.3[500] used as isakmp port (fd=11)
2005-08-30 09:52:00: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey X_SPDDUMP message
2005-08-30 09:52:00: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey X_SPDDUMP message
2005-08-30 09:52:00: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbfea30: 146.64.0.0/16[0] 10.1.13.0/24[0] proto=any dir=out
2005-08-30 09:52:00: DEBUG: policy.c:185:cmpspidxstrict(): db :0x809dc08: 10.1.13.0/24[0] 146.64.0.0/16[0] proto=any dir=in
The –d option is for debug, to see more output add extra –d.
IMPORTANT: At this point if all went well Client_A should not be reachable (try ping) from Router_B and Client_B; meaning private LAN_A is now protected. However, Router_A and Router_B should be able reach/see each other. Do not continue until this is accomplished.
STARTING UP OPENSWAN IPSEC
Now, on Router_B do:
root@Lawrence:/# ipsec setup restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec 2.3.1...
verify that the IPsec tunnel has been established correctly by issuing:
root@Lawrence:/# ipsec whack --status
000 interface ipsec0/eth1 10.50.1.80
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=168, keysizemax=168
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "crypt": 10.1.13.0/24===10.50.1.80...10.50.1.3===146.64.0.0/16; erouted; eroute owner: #2
000 "crypt": srcip=unset; dstip=unset
000 "crypt": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "crypt": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,16; interface: eth1;
000 "crypt": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "crypt": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000
000 #2: "crypt":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27961s; newest IPSEC; eroute owner
000 #2: "crypt" esp.2ec9213@10.50.1.3 esp.aa7dc439@10.50.1.80 tun.1002@10.50.1.3 tun.1001@10.50.1.80
000 #1: "crypt":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2625s; newest ISAKMP; nodpd
000
root@Lawrence:/#
At this point Client_A should be reachable by Client_B. On each/either Router do a tcpdump; and any packets with ESP indicates that the setup tunnel is currently handling data from the clients.
NOTE: ESP packets will only appear if there are packets from either client to the other client.
DEBUGGING (Openswan IPsec)
Earlier I showed how to stop a connection from being started up automatically by openswan. IPsec. So now with ipsec running but our connection “crypt” NOT up, we will debug the starting up of the connection (crypt). To debug the key exchange with racoon, first create a script with following content:
ipsec pluto --debug-all
ipsec whack \
--name crypt \
--tunnel \
--host 10.50.1.80 \
--nexthop 10.50.1.3 \
--client 10.1.13.1/24 \
--updown 'ipsec _updown' --id 10.50.1.80 \
--to \
--host 10.50.1.3 \
--client 146.64.8.1/16 \
--updown 'ipsec _updown' --id 10.50.1.3 \
--psk \
--esp 3des-md5,3des-sha1 \
--ike 3des-md5,3des-sha1 \
--encrypt
ipsec whack --listen
ipsec whack --route --name crypt
ipsec whack --initiate --name crypt
Running this script will show the various key exchange messages. The messages are pretty much clear to see what it’s happening.
HowTo stop DHCP client over-writing resolv.conf
Finally I found out how to do it
Edit the /etc/dhcp3/dhclient.conf file Find the line that says request
Comment out the line that requests for domain-name, domain-name-servers and host-name
request subnet-mask, broadcast-address, time-offset, routers, # domain-name, domain-name-servers, host-name, netbios-name-servers, netbios-scope;
HowTo setup DHCP with OLSR
There have been so many misleading postings on this - I will finally set the record straight.
You will need to reserve a block of IP's for non OLSR wireless clients that want to connect onto the mesh network such as a laptop. Here is an example setup:
Wireless router 1: Wireless IP: 10.51.1.13 LAN IP: 10.3.13.1 Subnet for Wireless DHCP clients: 10.51.1.64/28 (This would mean that 16 machines could potentially connect to this wireless router. The IP leases will be in the range from 10.51.1.64 to 10.51.1.79)
Wireless router 2: Wireless IP: 10.51.1.14 LAN IP: 10.3.14.1 Subnet for Wireless DHCP clients : 10.51.1.80/28 (IP leases will be in the range from 10.51.1.80 to 10.51.1.93)
To set this up On Friefunk firmware Wireless Router 1: OLSR: OLSR DHCP: 10.51.1.64/28
Wireless Router 2: OLSR: OLSR DHCP: 10.51.1.80/28
Most people gave strange values for OLSR DHCP in their postings the most common one was:
OLSR DHCP: 10.51.1.80/28, 255.255.255.240
The subnet mask after the comma (255.255.255.240) is an alternative to the slash format /28. Why does everyone have this reduntant subnet mask on their postings???
Linux HowTos
HowTo setup your own network profiles on a laptop
I have always wanted to write some good scripts that configure my laptop for home and work wireless/ethernet automatically in ubuntu and so I set about building up a set of scripts that I can call.
I have four scenarios: 1. use laptop at home with wireless access point 2. use laptop at home with ethernet 3. use laptop at work with wireless access point 4. use laptop at work with ethernet
I created two files in /etc/network: interfaces.work and interfaces.home with all the ethernet and wireless settings for home and work in this file
/etc/network/interfaces.home
- This file describes the network interfaces available on your system
- and how to activate them. For more information, see interfaces(5).
- The loopback network interface
auto lo iface lo inet loopback
- The primary network interface
iface eth0 inet static address 10.3.13.102 netmask 255.255.255.0 gateway 10.3.13.1
- The wireless network interface
iface eth1 inet dhcp wireless-essid pta-mesh wireless-mode Ad-Hoc wireless-channel 1 wireless-key off
/etc/network/interfaces.work
- This file describes the network interfaces available on your system
- and how to activate them. For more information, see interfaces(5).
- The loopback network interface
auto lo iface lo inet loopback
- The primary network interface
iface eth0 inet dhcp
- The wireless network interface
iface eth1 inet dhcp wireless-essid icomtek wireless_mode Managed wireless-key off
I also created two files with my dns and domain settings for home and work in /etc/ called resolv.home and resolv.work
resolv.home search icomtek.csir.co.za elarduspark.org.za cids.org.za nameserver 146.64.28.1 10.3.13.1
resolv.work search icomtek.csir.co.za cids.org.za nameserver 146.64.28.1
Here are my scripts that configure my interfaces based on the above files
1. Setup for wireless networking at home /usr/local/bin/homenet-wireless
- !/bin/bash
echo Setting up network for home wireless network sudo cp /etc/network/interfaces.home /etc/network/interfaces
eth0_status=`ifconfig | grep eth0` eth1_status=`ifconfig | grep eth1`
if [ -n "$eth0_status" ]; then sudo ifdown eth0 fi
if [ -n "$eth1_status" ]; then sudo ifdown eth1 fi
sudo ifup eth1
sudo cp /etc/resolv.home /etc/resolv.conf
2. Setup for ethernet networking at home /usr/local/bin/homenet-fixed
- !/bin/bash
echo Setting up network for home ethernet sudo cp /etc/network/interfaces.home /etc/network/interfaces sudo cp /etc/resolv.home /etc/resolv.conf
eth0_status=`ifconfig | grep eth0` eth1_status=`ifconfig | grep eth1`
if [ -n "$eth0_status" ]; then sudo ifdown eth0 fi
if [ -n "$eth1_status" ]; then sudo ifdown eth1 fi
sudo ifup eth0
3. Setup for wireless at work /usr/local/bin/worknet-wireless
- !/bin/bash
echo Setting up network for work wireless network sudo cp /etc/network/interfaces.work /etc/network/interfaces sudo cp /etc/resolv.work /etc/resolv.conf
eth0_status=`ifconfig | grep eth0` eth1_status=`ifconfig | grep eth1`
if [ -n "$eth0_status" ]; then sudo ifdown eth0 fi
if [ -n "$eth1_status" ]; then sudo ifdown eth1 fi
sudo ifup eth1
4. Setup for ethernet at work /usr/local/bin/worknet-fixed
- !/bin/bash
echo Setting up network for work ethernet sudo cp /etc/network/interfaces.work /etc/network/interfaces sudo cp /etc/resolv.work /etc/resolv.conf
eth0_status=`ifconfig | grep eth0` eth1_status=`ifconfig | grep eth1`
if [ -n "$eth0_status" ]; then sudo ifdown eth0 fi
if [ -n "$eth1_status" ]; then sudo ifdown eth1 fi
sudo ifup eth0
HowTo Setup a Linux machine to become an access point
1. Make sure you install dhcpd off the Mandrake disks
2. Put the Wireless card into access point mode with the following example script /etc/sysconfig/network-scripts/ifcfg-wifi0
DEVICE=wifi0 BOOTPROTO=static IPADDR=192.168.0.1 ONBOOT=yes NETMASK=255.255.255.0 NETWORK=192.168.0.0 BROADCAST=192.168.0.255 DHCP_TIMEOUT=5 WIRELESS_MODE=Master WIRELESS_ESSID=mesh WIRELESS_CHANNEL=10
3. run ifup wifi0
4. copy /etc/dhcpd.conf.sample (this file only exisits the first time you install dhcpd) to dhcpd.conf ... Change the IP address allocations in this file to suite your needs
5. start dhcpd with /etc/rc.d/init.d/dhcpd
6. Check the /var/lib/dhcpd/dhcpd.leases to check which IP addresses are being assigned
HowTo Set up the SENOA card in linux
1. Download the hostap driver from ftp://edna.icomtek.csir.co.za/pub/drivers ... This driver ensures that the SENOA card can run in Access point mode as well as Ad-Hoc and Infrastructure
2. Unzip using gunzip < hostap-driver-0.2.4.tar.gz | tar xvf -
3. Change Makefile to include KERNEL_PATH ... KERNEL_PATH=/usr/src/linux
4. Run 'make'
5. run 'make install'
6. Restart card manager using /etc/rc.d/init.d/pcmcia restart
If you are using the PCI to PCMCIA bridge card with the RLSC475 chipset follow these steps
1. Edit the file /etc/sysconfig/pcmcia to include these lines
PCMCIA=yes PCIC=RLSC475
2. Run /etc/rc.d/init.d/pcmcia restart
Linux network configurations tips
1. Setting IP address and modes of interface
The file /etc/sysconfig/network-scripts/ifcfg-eth0 contains all the settingsfor interface eth0 including
IP allocation type (static or dynamic) IP Address Subnet mask Broadcast address Wireless mode wireless channel
type
# man ifcfg
to see all the options for this config file
Use
# ifup eth0
to bring eth0 network interface up using the script ifcfg-eth0
#ifdown eth0
to pull the eth0 interface down
2. The DNS nameserver
The file /etc/resolve.conf contains the nameserver (dns) to use for the network
3. The gateway and other network routes
To see the current network routes type
# route
This will show you all the routes which the network is currently using
To add a new route for interface eth0 type
# route add -net 10.0.0.0 netmask 255.255.255.0 dev eth0
This adds a route to the network 10.0.0.0 using device eth0
# route add default gw 10.0.0.8
Adds a default route which will be used if no other route matches.
There should be an existing route, in this case, to 10.0.0.8 through some interface.
HowTo use the freespace loss equation
From: Radio theory and link planning for Wireless LAN (WLAN)
Everyone should know the free space loss equation in their head
Loss [ dB] = 32.44 + 20(Log(distance[km]) + Log(freq[MHz]))
Useful cable losses
RG58 = 1 dB/m RG213 = -.6 dB/m RG174 = 2 dB/m (often used in pigtails) LMR-400 = 0.22 dB/m
Typical WiFi sensitivity for orinoco cards
11Mbps = -82dBm 5.5Mbps = -87dBm 2Mbps = -92dBm 1Mbps = -94dBm
Typical allowed signal to noise ratios for orinoco cards
11Mbps = 16dB 5.5Mbps = 11dB 2Mbps = 7dB 1Mbps = 4dB
Typical Noise level at 2.4GHz = -100dBm. Compute S/N level eg. at 11Mbps = -84dBm but sensitivity is -82dBm so sensitivity is the limiting factor.
Just worked out that with our 2 8dBi omnis, 2dB loss in the RF cable each side of the link and the 200mW SENOA cards it is possible to acheive a theoretical distance of 5km with a 3dB margin (margin probably a bit tight), 4km will give you a 5dB margin - probably more realistic.