
19 Oct 08 Linux on a Mikrotik 532a, Part 5 Final – OpenWRT and Custom Scripts

Follows on from: http://www.adamsinfo.com/linux-on-a-mikrotik-532a-part-4-customization-debian-scripts-shaping-firewall-nat-picolcd/


I’ve used OpenWrt before this project to build firmwares for the Linksys WRT54 range of routers. OpenWrt is an incredibly powerful and small Linux distro. Although Debian is probably better suited to this reasonably powerful hardware, I wanted to give OpenWrt a go anyway.

Unless you’re running a MIPS 4Kc processor on your host, which I’m guessing you’re not, you’ll either need to cross-compile your binaries or compile them natively on the device itself. Compiling on the device works fine as long as you have the relevant packages; however, if I was going to build a 2.6 kernel, I’d rather do it on an x86 quad-core Intel host than wait a week for the device to do it. I also wanted to minimize the writes to the CF card.

OpenWrt comes with a nice buildroot environment which you can read about and download from www.openwrt.org using Subversion.

http://downloads.openwrt.org/kamikaze/docs/openwrt.html#x1-310002 is a great HOWTO on getting the buildroot environment set up on your x86 host.

Also see: http://wiki.mikrotik.com/wiki/RB500_Linux_SDK – this is a very complete HOWTO, which is why I’ve not covered most of the installation process and have only detailed my customizations.

You’ll need to select the RB5xx target for the kernel. Also run:

make kernel_config

in your buildroot top directory, and add USB support (my board is modded for USB, which is not the RB5xx default).

While you’re there, browse to the networking options and make sure you have everything you want, specifically the queueing schedulers for traffic shaping.

Here is my precompiled image:

http://www.adamsinfo.com/download.php?file=apnicbox-openwrt-151008.img.bz2
MD5: aa3df2923b31afe2ae94fc04f65d80be


I haven’t uploaded my actual buildroot as it’s about 6Gb in size including all of my packages. If anyone would like to see it, please let me know and I’ll make it available via svn. The only changes I’ve made to the buildroot environment itself are to allow for USB support and madwifi (to drive the Atheros 5212 wifi card). I also specified the size of the target image.

The image is a CF disk image, not a single partition image. If you are building yourself via the buildroot, you’ll need to remember to create a partition for the kernel to be written to (a Mikrotik board ‘feature’).

I have created three partitions: /dev/cfa1, /dev/cfa2 and /dev/cfa3.

/dev/cfa1 is of type 0x27 and is 8Mb. Your kernel needs to be written directly to this partition, not inside a file system:

dd if=./kernel of=/dev/cfa1 bs=1k

Now you can deploy the rootfs.tgz you created to /dev/cfa2, using any partition type/filesystem you like as long as the kernel supports it. I chose jffs2 rather than ext2/ext3. I also created a 64Mb swap partition as /dev/cfa3. This is not something you should normally do, as we don’t want to use the CF card for swap because of the write wear; I’ve only done it for test purposes.

After installation, the device will boot up into OpenWrt. My network configuration is:
eth0 [PoE LAN interface] (bridged to br-lan)
eth1 [Provider 1]
eth2 [Provider 2]
wlan0 [Madwifi interface]
ath0 [Created AP interface with madwifi] (bridged to br-lan)
lo [Local device]

br-lan is assigned 192.168.100.1 (192.168.100.0/24) and is connected to a separate switch.

Here is my startup script:

root@lsd:~# cat /etc/init.d/nat.sh
#!/bin/sh

# provider details (replace the placeholders with your own values)
IF1=eth1
IF2=eth2
IP1=PROVIDER_ONE_IP
IP2=PROVIDER_TWO_IP
P1=PROVIDER_ONE_GW
P2=PROVIDER_TWO_GW
P1_NET=PROVIDER_ONE_NETWORK
P2_NET=PROVIDER_TWO_NETWORK

#now bring up eth1 and eth2
ifconfig eth1 0.0.0.0
ifconfig eth2 0.0.0.0

ifup eth1
ifup eth2

#now set up multiple routes with iproute2
# one routing table per provider (table 1, table 2), each with its own default gateway
ip route add $P1_NET dev $IF1 src $IP1 table 1
ip route add default via $P1 table 1
ip route add $P2_NET dev $IF2 src $IP2 table 2
ip route add default via $P2 table 2
# both provider networks are also reachable from the main table
ip route add $P1_NET dev $IF1 src $IP1
ip route add $P2_NET dev $IF2 src $IP2
#ip route add default via $P1
# traffic sourced from a provider's address must leave via that provider
ip rule add from $IP1 table 1
ip rule add from $IP2 table 2
# main table default: equal-weight multipath across both providers
ip route add default scope global nexthop via $P1 dev $IF1 weight 1 nexthop via $P2 dev $IF2 weight 1

# set up iptables and masquerading
IPTABLES=iptables
EXTIF=eth1
EXTIF2=eth2
INTIF=br-lan
EXTIP="PROVIDER_TWO_IP"

# flush all rules and chains, and stop the daemons that are restarted below
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t filter -F
$IPTABLES -t filter -X
killall miniupnpd
killall simpleproxy

# default policies are ACCEPT, so the FORWARD rules below only add explicit allows
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

$IPTABLES -t nat -I POSTROUTING -s 192.168.100.0/24 -j MASQUERADE

echo 1 > /proc/sys/net/ipv4/ip_forward

$IPTABLES -A FORWARD -i $INTIF -s 192.168.100.0/24 -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#adding the MINIUPNPD chain for nat - this is for upnp between your clients.
$IPTABLES -t nat -N MINIUPNPD
#adding the rule to MINIUPNPD
$IPTABLES -t nat -A PREROUTING -d $EXTIP -i $EXTIF -j MINIUPNPD

#adding the MINIUPNPD chain for filter
$IPTABLES -t filter -N MINIUPNPD
#adding the rule to MINIUPNPD (negation goes before the option: "! -o")
$IPTABLES -t filter -A FORWARD -i $EXTIF ! -o $EXTIF -j MINIUPNPD

#start miniupnpd
/usr/bin/miniupnpd -f /etc/miniupnpd.conf -i eth1 -L -U -p 1900 -a 192.168.100.1

#set up some proxies (each listens on all interfaces and forwards to an internal host)
/bin/simpleproxy -L 0.0.0.0:443 -R Slingbox.lan:5001 -d
/bin/simpleproxy -L 0.0.0.0:3389 -R 192.168.100.2:3389 -d
#/bin/simpleproxy -L 0.0.0.0:8080 -R 192.168.100.4:80 -d
/bin/simpleproxy -L 0.0.0.0:5500 -R SOME_IP:5500 -d
/bin/simpleproxy -L 0.0.0.0:222 -R 192.168.100.5:22 -d
#/bin/simpleproxy -L 0.0.0.0:2222 -R 192.168.100.4:22 -d
/bin/simpleproxy -L 0.0.0.0:55555 -R 192.168.100.2:55555 -d
/bin/simpleproxy -L 0.0.0.0:45923 -R 192.168.100.170:45923 -d

#set our [split] route cache to 40 hours (144000 seconds)

echo "144000" > /proc/sys/net/ipv4/route/secret_interval

# run ntp client
/usr/sbin/ntpclient -h ntp.demon.co.uk -s

#fix strange SSH bug (See http://www.adamsinfo.com/split-access-ssh-problems/)
# mark LAN-originated SSH and pin it to provider 2's table
iptables -I PREROUTING -t mangle -i br-lan -s 192.168.100.0/24 -p tcp -m tcp --dport 22 -j MARK --set-mark 22
ip rule add fwmark 22 table 2

#SL through preferred connection (Mark all UDP packets from 192.168.100.3 to port 13000 with a mark of 13000.)
iptables -I PREROUTING -t mangle -i br-lan -s 192.168.100.3 -p udp -m udp --dport 13000 -j MARK --set-mark 13000

#add a rule that all packets marked with 13000 go out provider 1
ip rule add fwmark 13000 table 1

#iptables -I PREROUTING -t mangle -i br-lan -s 192.168.100.0/24 -j MARK --set-mark 2
#ip rule add fwmark 2 table 1

#clear current cache
ip route flush cache

#start ssh
dropbear

This is the only script that I’m running on here now. I have added the following packages:

iptables-mod-conntrack_1.4.0-1_mipsel.ipk
iptables-mod-extra_1.4.0-1_mipsel.ipk
iptables-mod-ipopt_1.4.0-1_mipsel.ipk
kmod-ipt-conntrack_2.6.23.16-rb532-1_mipsel.ipk
kmod-ipt-extra_2.6.23.16-rb532-1_mipsel.ipk
kmod-ipt-ipopt_2.6.21.5-rb532-1_mipsel.ipk
kmod-ipt-ipopt_2.6.23.16-rb532-1_mipsel.ipk
ntpclient_2003_194-6_mipsel.ipk
miniupnp.ipk
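The policy routing that nat.sh builds (one table per provider, source-address rules and fwmark rules) is easy to get subtly wrong, so here is an added example, not part of the original post, of a sanity check that parses the output of ip rule show and ip route show table N. It runs offline over constructed captures; the addresses, gateways and rule priorities are placeholders I made up, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): an offline sanity check for the
# policy routing that nat.sh sets up, run over constructed captures of
# `ip rule show` and `ip route show table N`. All addresses are placeholders.

# Constructed `ip rule show` output. ip(8) prints fwmarks in hex, so the
# marks 13000 and 22 set by nat.sh appear here as 0x32c8 and 0x16.
RULES='0:      from all lookup local
32762:  from all fwmark 0x32c8 lookup 1
32763:  from all fwmark 0x16 lookup 2
32764:  from 203.0.113.5 lookup 1
32765:  from 198.51.100.7 lookup 2
32766:  from all lookup main
32767:  from all lookup default'

# Constructed `ip route show table 1` and `... table 2` output.
TABLE1='203.0.113.0/24 dev eth1 scope link src 203.0.113.5
default via 203.0.113.1 dev eth1'
TABLE2='198.51.100.0/24 dev eth2 scope link src 198.51.100.7
default via 198.51.100.1 dev eth2'

# escape the dots of an IP so it matches literally inside an ERE
re_ip() { printf '%s' "$1" | sed 's/\./\\./g'; }

# has_src_rule RULES IP TABLE: true if packets sourced from IP use TABLE
has_src_rule() {
    printf '%s\n' "$1" | grep -Eq "^[0-9]+:[[:space:]]+from $(re_ip "$2") lookup $3\$"
}

# has_mark_rule RULES MARK TABLE: true if the decimal fwmark MARK selects TABLE
has_mark_rule() {
    printf '%s\n' "$1" | grep -Eq "fwmark $(printf '0x%x' "$2") lookup $3\$"
}

# has_default_via ROUTES GW DEV: true if the table's default route is via GW on DEV
has_default_via() {
    printf '%s\n' "$1" | grep -Eq "^default via $(re_ip "$2") dev $3( |\$)"
}

# check_provider RULES ROUTES IP GW DEV TABLE: a provider is wired correctly
# only when its source rule exists and its table defaults to its own gateway
check_provider() {
    has_src_rule "$1" "$3" "$6" && has_default_via "$2" "$4" "$5"
}

# stand-alone run: both providers plus the two fwmark rules must check out
check_provider "$RULES" "$TABLE1" 203.0.113.5 203.0.113.1 eth1 1 &&
check_provider "$RULES" "$TABLE2" 198.51.100.7 198.51.100.1 eth2 2 &&
has_mark_rule "$RULES" 13000 1 && has_mark_rule "$RULES" 22 2 &&
echo "policy routing OK"
```

On the router itself you would feed the functions live output, e.g. RULES=$(ip rule show) and TABLE1=$(ip route show table 1), after the script has run.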

And that’s about all of it. As I said earlier, if anyone wants parts of my buildroot, or access to the buildroot as a whole, I will make it available via svn. My buildroot is a few months old by now, so if anyone wants to update it, that would be great.

