OpenWRT notes

From ZS64
Jump to navigationJump to search

Atheros AR81-Based Products

Hardware Comparison

Vendor Product CPU Flash RAM USB OpenWRT info Comment
Linksys WRT160NL MIPS24Kc AR9132r2 400 MHz 8 MB 32 MB 1 Wiki, Forum
TP-Link WR-841N(D) v5 ? 4 MB 32 MB 0 USB on board but unpopulated, missing DC/DC converter
TP-Link WR-941N(D) v3 MIPS24Kc AR9132r2 400 MHz 4 MB 32 MB 0 USB on board but unpopulated, missing DC/DC converter

Updating firmware with mtd

The TP-Link devices and the Cisco WRT160NL have the firmware in the firmware mtd partition.

mtd -r write openwrt.bin firmware

Wireless Configuration

Install CRDA

While basic wireless support works with just the wireless driver, you need the regulatory database to enable all channels that can be legally used in your country. So make sure to install the crda package.

IPTables Configuration

This section is specific to OpenWRT in that the kamikaze standard chains are explained. There must be some document in one of the OpenWRT wikis, but I couldn't easily find it.

In addition, I need EBTables in the picture as well, so a few comments on where you'd add layer 2 rules will be included.

Call Graph and Custom Rules

The OpenWRT standard rule set defines a few more or less default actions that you probably will want to keep: do not accept incoming connectins from the WAN interface (except for DHCP/bootp replies), NAT all outgoing traffic, and allow pretty much anything on the LAN interface. If you want to add your own rules to drop or allow additional things, there's a chain specifically for that. To understand which of these chains to add your rules to, look at this call graph. It is helpful to look at one of the EBTables tutorials, for example ebtables/iptables interaction or this IPTables howto. It contains a good overview of how packets traverse the various points.

mangle Table

OpenWRT does not add any chains to the mangle table. If you want to add custom rules, you can add them to any of the standard chains (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING).

filter Table

The filter table contains rules that determine whether packets are delivered to their intended destination, or blocked.

Call Graph Applies to packets
INPUT → input_rule Addressed to this host.
INPUT → input → zone_lan → input_lan Addressed to this host, received over the LAN interface.
INPUT → input → zone_wan → input_wan Addressed to this host, received over the WAN interface.
FORWARD → forwarding_rule Addressed to other hosts.
FORWARD → forward → zone_lan_forward → forwarding_lan Addressed to other hosts, received over the LAN interface.
FORWARD → forward → zone_wan_forward → forwarding_wan Addressed to other hosts, received over the WAN interface.
OUTPUT → output_rule Originating from this host.
  • The bridge calls the filter:FORWARD chain for packets traversing the bridge. If you want your wireless devices to be able to talk to the wired ones and vice versa, you need to add a rule to the forwarding_rule chain, since none of the default rules match those ethernet frames:
iptables -A forwarding_lan -m physdev --physdev-is-bridged -j ACCEPT

nat Table

The nat table contains rules that modify packets before they are routed or received, and modify them after they've been sent or routed. Typically, the MASQUERADE action is used.

Call Graph Applies to packets
PREROUTING → zone_wan_prerouting → prerouting_wan Just received on the WAN interface.
PREROUTING → zone_lan_prerouting → prerouting_lan Just received on the LAN interface.
PREROUTING → prerouting_rule Just received.
OUTPUT Being transmitted.
POSTROUTING → postrouting_rule About to be transmitted
POSTROUTING → zone_wan_nat About to be transmitted out the WAN interface.

raw Table

The raw table is used to mark packets that should not be tracked by the conntrack module.

Call Graph Applies to packets
PREROUTING → zone_wan_notrack Just received on the WAN interface.
PREROUTING → zone_lan_notrack Just received on the LAN interface.
OUTPUT Being transmitted.

Web Cam

Using mjpeg-streamer and one of the v4l video drivers, you can easily use the router as a surveilance device. For my Logitech camera, I needed:

  • kmod-usb-video
  • kmod-video-core
  • kmod-video-uvc
  • mjpg-streamer

The OpenWRT package for mjpg-streamer does not include the HTML files, so getting to see the images requires that you know the snapshot and streaming URLs. I downloaded the source tarball myself, and copied the www files into /tmp/www, and started mjpg-streamer like this:

# mjpg_streamer -o "output_http.so -p 8080 -w /tmp/www"

To directly access the image, use /?action=snapshot for a single image, or /?action=stream for an M-JPEG streamed image. mjpg-streamer also includes a Java applet to display M-JPEGs, and includes JavaScript to continously reload an image. See the source package for details

Link List

Building and installing

Configuration

Hardware and software alternatives