Knowledgebase/OpenWrt OLSR Setup: Difference between revisions

From FunkFeuer Wiki

Revision as of 31 March 2023, 13:45

Currently there is no easy wizard for setting up OLSR on OpenWrt. This guide shall serve as a base for those that feel comfortable with building their own OpenWrt systems (or have someone build it for them) and have basic knowledge of SSH and a Linux shell.

This guide is written for a router without Wifi. If you plan on doing routing on a device with Wifi, you'll need some additional packages for Wifi support.

OpenWrt System

To get the Freifunk status page, you'll need to activate the Freifunk package feed. To do this, copy feeds.conf.default to feeds.conf and add the following line: src-git freifunk https://github.com/freifunk/openwrt-packages.git

Apart from the default packages for your target, you'll want to install the following packages:

  • luci
  • alternatively: luci-ssl-openssl (for TLS on the web interface)
  • optional: luci-app-acme (for TLS certificates on the web interface)
  • luci-app-olsr
  • luci-app-olsr-services
  • luci-app-olsrd2
  • optional: luci-app-sqm (if you want to use smart queue management for NAT)
  • optional: luci-app-unbound (if you want your own DNS resolver)
  • optional: luci-app-openvpn (for use with tunnelserver)
  • optional: openvpn-openssl (for use with tunnelserver)
  • freifunk-common
  • luci-mod-freifunk
  • olsrd
  • olsrd-mod-arprefresh
  • olsrd-mod-jsoninfo
  • olsrd-mod-nameservice
  • olsrd-mod-txtinfo
  • oonf-olsrd2
  • oonf-init-scripts
  • oonf-olsrd2-lan_import
  • oonf-olsrd2-dlep_router
  • oonf-olsrd2-lan
  • optional: ethtool-full (for ethernet connection debugging)
  • optional: iperf3 (for performance debugging)
  • optional: tcpdump (for general network debugging)
  • optional: vim (or any other text editor. By default OpenWrt comes with a very minimal vi implementation by BusyBox)
  • optional: netdata (uses quite a lot of RAM and storage space but can be handy for debugging)

All the following files can be added at build time by putting them into a new directory called files in the OpenWrt build tree.

netdata

If you installed Netdata, you can secure it using the following configuration in etc/netdata/netdata.conf:

[global]
	update every = 2
	memory deduplication (ksm) = no
	debug log = syslog
	error log = syslog
	access log = none
	run as user = root

[web]
	allow connections from = localhost 10.* 192.168.* 172.16.* 172.17.* 172.18.* 172.19.* 172.20.* 172.21.* 172.22.* 172.23.* 172.24.* 172.25.* 172.26.* 172.27.* 172.28.* 172.29.* 172.30.* 172.31.*
	allow dashboard from = localhost 10.* 192.168.* 172.16.* 172.17.* 172.18.* 172.19.* 172.20.* 172.21.* 172.22.* 172.23.* 172.24.* 172.25.* 172.26.* 172.27.* 172.28.* 172.29.* 172.30.* 172.31.*

[plugins]
	cgroups = no
	apps = no
	charts.d = no
	fping = no
	node.d = no
	python.d = no

[health]
	enabled = no

[plugin:proc]
	ipc = no

Disable unnecessary services by default

We don't need dlep_proxy, dlep_radio and olsrd6, so disable them by default by creating the file /etc/uci-defaults/99_disable_stuff:

#!/bin/sh

/etc/init.d/dlep_proxy disable
/etc/init.d/dlep_radio disable
/etc/init.d/olsrd6 disable

exit 0

and giving the file execute permissions.

If you have installed the packages on a precompiled OpenWrt installation, disable the services by simply running the three commands in the file manually.

Freifunk Status Page

To configure the data on the Freifunk status page that unauthenticated users will see, create the file /etc/config/freifunk with the following content (edit at least the nickname to contain a valid Funkfeuer nick):

package 'freifunk'

config 'public' 'contact'
	option 'nickname' ''
	option 'name' ''
	option 'mail' '0xff@example.org'
	option 'phone' ''
	option 'note' ''

config 'public' 'community'
	option 'name' 'FunkFeuer-Wien'
	option 'homepage' 'https://funkfeuer.at'

Also create the file /etc/config/profile_FunkFeuer-Wien with the following content:

config 'community' 'profile'
	option 'name' 'FunkFeuer-Wien'
	option 'homepage' 'http://wien.funkfeuer.at'

OLSRD

For OLSRD (IPv4) create the file /etc/config/olsrd:

config olsrd
	option IpVersion '4'
	option FIBMetric 'flat'
	option LinkQualityLevel '2'
	option OlsrPort '698'
	option Willingness '3'
	option LinkQualityAlgorithm 'etx_ff'
	option NatThreshold '1.0'
	# set to your nodes primary funkfeuer IP
	option MainIp '111.222.333.444'

config InterfaceDefaults
	option Mode 'mesh'
	option Ip4Broadcast '255.255.255.255'
	option HelloValidityTime '125.0'
	option TcValidityTime '500.0'
	option MidInterval '25.0'
	option MidValidityTime '500.0'
	option HnaInterval '25.0'
	option HnaValidityTime '500.0'

config LoadPlugin
	option library 'olsrd_jsoninfo'
	option ignore '0'
	option accept '127.0.0.1'

config LoadPlugin
	option library 'olsrd_nameservice'
	option ignore '0'

config LoadPlugin
	option library 'olsrd_txtinfo'
	option ignore '0'
	option accept '127.0.0.1'

config Interface
	option ignore '0'
	option interface '0xff_eth0'
	option Mode 'mesh'

Duplicate the Interface section for every OLSR interface you have and edit the IP address in MainIp to match the main IPv4 address of the node.

All the interfaces should be in the same firewall zone (usually WAN or a separate Funkfeuer zone). This firewall zone needs a rule that allows forwarding to itself (so in Firewall -> Traffic Rules create a new rule that accepts forward from WAN to WAN with any protocol if you are using the WAN zone for Funkfeuer).

Having the same IPv4 address on all Funkfeuer interfaces should work, but the current OpenWrt stable release with the current OLSRD version does not seem to handle it right now, so one IPv4 address per interface is currently required (tested with OpenWrt 22.03.0 and OLSRD version 1e771b4d31e36f9ffd0a04c3f8f83abb803ec309).

OLSRD2

For OLSRD2 you'll have to add your node's IPv6 address to the lo interface. To do this, add the following line to the config interface 'loopback' section in /etc/config/network: option ip6addr '2a02:61:0:ff:dead:beef:dead:beef/128' (obviously you'll have to replace the address with your node address, which you can get from the redeemer). Also add option ip6prefix '2a02:61:d2c:1::/64' (with your node's userblock address range) to it, to have an IPv6 prefix available on the device.

Then write the following content to /etc/config/olsrd2:

config global
	option 'failfast'	'no'
	option 'pidfile'	'/var/run/olsrd2.pid'
	option 'lockfile'	'/var/lock/olsrd2'

config log
	option 'syslog'		'true'
	option 'stderr'		'true'
#	option 'file'		'/var/log/olsrd2.log'
#	option 'info'		'all'
#	option 'debug'		'all'

config telnet
	option 'port' '2009'

config olsrv2
	list 'originator' '-fe80::/112'
	list 'originator' '-2a02:61:0:ee:1::0/80'
	list 'originator' '-2a02:60::0/32'
	list 'originator' '-0.0.0.0/0'
	list 'originator' '-::1/128'
	list 'originator' 'default_accept'
	# the first /64 subnet of your nodeid/userblock range for the node, if you want to have an IPv6 prefix available for users in the LAN network
	# list 'lan' '2a02:61:d2c:1::/64'

config interface
	option 'ifname' 'loopback'
	list 'bindto' '-0.0.0.0/0'
	list 'bindto' '-::1/128'
	list 'bindto' 'default_accept'

config interface
	option 'ifname' '0xff_eth0'
	list 'bindto' '-0.0.0.0/0'
	list 'bindto' '-::1/128'
	list 'bindto' 'default_accept'

Duplicate the last interface block for every Funkfeuer interface you have.

System Settings

Please set the hostname to the FQDN of your node (for example erx.konst8.wien.funkfeuer.at). Also set a strong (!) password for the root account of the device.

Firewall

Apart from the previously mentioned forward accept from your Funkfeuer zone to the same zone, you'll probably change a few things regarding firewall behaviour.

Primarily you might want to restrict access to the web interface to the IPv4 and IPv6 ranges of Funkfeuer and allow external access to SSH (maybe also restricted to Funkfeuer IPs).
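As an added example (not from the wiki or the FunkFeuer project), a shell script that generates the uci batch commands for the firewall changes described in this section and the OLSRD section: the zone name wan, the rule names and the two address ranges are assumptions, and the ranges are documentation placeholders that have to be replaced with the real Funkfeuer ranges.

```shell
#!/bin/sh
# Added example, not from the FunkFeuer wiki: emits the uci commands for the
# firewall changes described above. The zone name and the two address ranges
# are assumptions; the CIDRs are documentation placeholders (RFC 5737/3849),
# replace them with the real Funkfeuer ranges before applying.
FF_ZONE="${FF_ZONE:-wan}"              # zone that holds the 0xff_* interfaces
FF_IPV4="${FF_IPV4:-192.0.2.0/24}"     # PLACEHOLDER: Funkfeuer IPv4 range
FF_IPV6="${FF_IPV6:-2001:db8::/32}"    # PLACEHOLDER: Funkfeuer IPv6 range

# One input rule: traffic arriving from FF_ZONE, limited to a source range and
# ports. A rule with src but no dest matches traffic addressed to the router.
ff_input_rule() {
    name="$1"; family="$2"; src_ip="$3"; ports="$4"
    cat <<EOF
add firewall rule
set firewall.@rule[-1].name='$name'
set firewall.@rule[-1].src='$FF_ZONE'
set firewall.@rule[-1].family='$family'
set firewall.@rule[-1].src_ip='$src_ip'
set firewall.@rule[-1].proto='tcp'
set firewall.@rule[-1].dest_port='$ports'
set firewall.@rule[-1].target='ACCEPT'
EOF
}

# Complete batch; apply on the router with:
#   ff_firewall_rules | uci batch && uci commit firewall && /etc/init.d/firewall reload
ff_firewall_rules() {
    # the forward rule from the OLSRD section: zone to the same zone, any protocol
    cat <<EOF
add firewall rule
set firewall.@rule[-1].name='Allow-Forward-Funkfeuer'
set firewall.@rule[-1].src='$FF_ZONE'
set firewall.@rule[-1].dest='$FF_ZONE'
set firewall.@rule[-1].proto='all'
set firewall.@rule[-1].target='ACCEPT'
EOF
    # web interface (uhttpd on 80/443) and SSH only from Funkfeuer addresses;
    # the zone's default input policy still rejects everything else
    ff_input_rule 'Allow-LuCI-Funkfeuer-v4' ipv4 "$FF_IPV4" '80 443'
    ff_input_rule 'Allow-LuCI-Funkfeuer-v6' ipv6 "$FF_IPV6" '80 443'
    ff_input_rule 'Allow-SSH-Funkfeuer-v4'  ipv4 "$FF_IPV4" '22'
    ff_input_rule 'Allow-SSH-Funkfeuer-v6'  ipv6 "$FF_IPV6" '22'
}

# Number of rules in the generated batch, handy as a sanity check before applying.
ff_rule_count() { ff_firewall_rules | grep -c '^add firewall rule$'; }
```

Dropping the src_ip line from the SSH rules would open SSH to the whole zone, which the section mentions as an option but which widens exposure accordingly.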

Network Interfaces

Your Funkfeuer interfaces should be set to static IP with the node's IPv4 address on the interface (either the same IPv4 on all interfaces or, if this still results in link flapping, a different IPv4 address per interface). For IPv6 the automagically assigned link-local address is enough as long as you set up the node's IPv6 address on the loopback interface correctly.

Depending on your LAN network, you might want to disable the DHCP server on the LAN interface that is enabled by default on OpenWrt.

For the management network I usually recommend using one VLAN per Funkfeuer interface, with each VLAN tagged on its Funkfeuer interface. Due to limitations in the switching hardware on most routers, this has to be a different VLAN ID for every port. As management network I generally recommend having the LAN network untagged on all ports. This makes it easy to connect and set up new Wifi hardware (their management network is usually untagged on the ethernet interface) and makes debugging on the roof a lot easier (just plug your laptop into a free ethernet port without any special VLAN config on the laptop).
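As an added example (not from the wiki or the FunkFeuer project), a shell script that generates the uci batch commands for the network settings from this section and the OLSRD2 section: the node IPv6 address and prefix on loopback, one static IPv4 per Funkfeuer interface with a check that no address is used twice, and the LAN DHCP server disabled. The function names, the 'device' option syntax (OpenWrt 21.02 and later) and all sample addresses are assumptions or constructed values.

```shell
#!/bin/sh
# Added example, not from the FunkFeuer wiki: emits uci commands for the
# network settings described above (node IPv6 on loopback, one static IPv4 per
# Funkfeuer interface, LAN DHCP off). Function names and the 'device' option
# syntax (OpenWrt 21.02+) are assumptions; all sample addresses are constructed.
# Node IPv6 address and user-block prefix on lo, as the OLSRD2 section requires.
ff_loopback_v6() {
    node_ip6="$1"; prefix6="$2"
    cat <<EOF
set network.loopback.ip6addr='$node_ip6/128'
set network.loopback.ip6prefix='$prefix6'
EOF
}

# One Funkfeuer interface with a static IPv4; pass the netmask your allocation uses.
ff_mesh_iface() {
    name="$1"; device="$2"; ip4="$3"; mask="$4"
    cat <<EOF
set network.$name=interface
set network.$name.device='$device'
set network.$name.proto='static'
set network.$name.ipaddr='$ip4'
set network.$name.netmask='$mask'
EOF
}

# Returns 0 when no IPv4 appears twice in "name,device,ip4,mask" specs: the
# check to run when you chose one address per interface to stop link flapping.
ff_distinct_ips() {
    seen=""
    for spec in "$@"; do
        ip=$(printf '%s' "$spec" | cut -d, -f3)
        case " $seen " in *" $ip "*) return 1 ;; esac
        seen="$seen $ip"
    done
    return 0
}
# Complete batch; apply with: ff_network_batch ... | uci batch && uci commit
ff_network_batch() {
    node_ip6="$1"; prefix6="$2"; shift 2
    ff_loopback_v6 "$node_ip6" "$prefix6"
    for spec in "$@"; do
        IFS=, read -r name device ip4 mask <<EOF
$spec
EOF
        ff_mesh_iface "$name" "$device" "$ip4" "$mask"
    done
    printf "set dhcp.lan.ignore='1'\n"
}
```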