Knowledgebase/OpenWrt OLSR Setup: Difference between revisions
(Found out why same IPv4 on all interfaces did not work)
Current revision as of 2 September 2024, 13:10
Currently there is no easy wizard for setting up OLSR on OpenWrt. This guide shall serve as a base for those that feel comfortable with building their own OpenWrt systems (or have someone build it for them) and have basic knowledge of SSH and a Linux shell.
This guide is written for a router without Wifi. If you plan on doing routing on a device with Wifi, you'll need some additional packages for Wifi support.
OpenWrt System
To get the Freifunk status page, you'll need to activate the Freifunk package feed. To do this, copy feeds.conf.default to feeds.conf and add the following line:
src-git freifunk https://github.com/freifunk/openwrt-packages.git
Apart from the default packages for your target, you'll want to install the following packages:
- luci
- alternatively: luci-ssl-openssl (for TLS on Webinterface)
- optional: luci-app-acme (for TLS on Webinterface)
- luci-app-olsr
- luci-app-olsr-services
- luci-app-olsrd2
- optional: luci-app-sqm (if you want to use smart queue management for NAT)
- optional: luci-app-unbound (if you want your own DNS resolver)
- optional: luci-app-openvpn (for use with tunnelserver)
- optional: openvpn-openssl (for use with tunnelserver)
- freifunk-common
- luci-mod-freifunk
- olsrd
- olsrd-mod-arprefresh
- olsrd-mod-jsoninfo
- olsrd-mod-nameservice
- olsrd-mod-txtinfo
- oonf-olsrd2
- oonf-init-scripts
- oonf-olsrd2-lan_import
- oonf-olsrd2-dlep_router
- oonf-olsrd2-lan
- optional: ethtool-full (for ethernet connection debugging)
- optional: iperf3 (for performance debugging)
- optional: tcpdump (for general network debugging)
- optional: vim (or any other text editor. By default OpenWrt comes with a very minimal vi implementation by BusyBox)
- optional: netdata (will suck quite a lot of RAM and storage space but can be handy for debugging)
All the following files can be added at build time by putting them into a new directory in the OpenWrt build tree called files.
netdata
If you installed Netdata, you can secure it using the following configuration in etc/netdata/netdata.conf:
[global]
    update every = 2
    memory deduplication (ksm) = no
    debug log = syslog
    error log = syslog
    access log = none
    run as user = root

[web]
    allow connections from = localhost 10.* 192.168.* 172.16.* 172.17.* 172.18.* 172.19.* 172.20.* 172.21.* 172.22.* 172.23.* 172.24.* 172.25.* 172.26.* 172.27.* 172.28.* 172.29.* 172.30.* 172.31.*
    allow dashboard from = localhost 10.* 192.168.* 172.16.* 172.17.* 172.18.* 172.19.* 172.20.* 172.21.* 172.22.* 172.23.* 172.24.* 172.25.* 172.26.* 172.27.* 172.28.* 172.29.* 172.30.* 172.31.*

[plugins]
    cgroups = no
    apps = no
    charts.d = no
    fping = no
    node.d = no
    python.d = no

[health]
    enabled = no

[plugin:proc]
    ipc = no
Disable unnecessary services by default
We don't need dlep_proxy, dlep_radio and olsrd6, so disable them by default by creating the file /etc/uci-defaults/99_disable_stuff:
#!/bin/sh
/etc/init.d/dlep_proxy disable
/etc/init.d/dlep_radio disable
/etc/init.d/olsrd6 disable
exit 0
and giving the file execute permissions.
If you have installed the packages on a pre-compiled OpenWrt installation, disable the services by simply running the three commands in the file manually.
Freifunk Status Page
To configure the data on the Freifunk status page that unauthenticated users will see, create the file /etc/config/freifunk with the following content (edit at least the nickname to contain a valid Funkfeuer nick):
package 'freifunk'

config 'public' 'contact'
	option 'nickname' ''
	option 'name' ''
	option 'mail' '0xff@example.org'
	option 'phone' ''
	option 'note' ''

config 'public' 'community'
	option 'name' 'FunkFeuer-Wien'
	option 'homepage' 'https://funkfeuer.at'
Also create the file /etc/config/profile_FunkFeuer-Wien with the following content:
config 'community' 'profile'
	option 'name' 'FunkFeuer-Wien'
	option 'homepage' 'http://wien.funkfeuer.at'
OLSRD
For OLSRD (IPv4) create the file /etc/config/olsrd:
config olsrd
	option IpVersion '4'
	option FIBMetric 'flat'
	option LinkQualityLevel '2'
	option OlsrPort '698'
	option Willingness '3'
	option LinkQualityAlgorithm 'etx_ff'
	option NatThreshold '1.0'
	# set to your node's primary Funkfeuer IP
	option MainIp '111.222.333.444'

config InterfaceDefaults
	option Mode 'mesh'
	option Ip4Broadcast '255.255.255.255'
	option HelloValidityTime '125.0'
	option TcValidityTime '500.0'
	option MidInterval '25.0'
	option MidValidityTime '500.0'
	option HnaInterval '25.0'
	option HnaValidityTime '500.0'

config LoadPlugin
	option library 'olsrd_jsoninfo'
	option ignore '0'
	option accept '127.0.0.1'

config LoadPlugin
	option library 'olsrd_nameservice'
	option ignore '0'

config LoadPlugin
	option library 'olsrd_txtinfo'
	option ignore '0'
	option accept '127.0.0.1'

config Interface
	option ignore '0'
	option interface '0xff_eth0'
	option Mode 'mesh'
Duplicate the interface section for every OLSR interface you have and edit the IP address in MainIp to match the main IPv4 address of the node.
All the interfaces should be in the same firewall zone (usually WAN or a separate Funkfeuer zone). This firewall zone needs a rule that allows forwarding to itself (so in Firewall -> Traffic Rules create a new rule that accepts forwarding from WAN to WAN with any protocol if you are using the WAN zone for Funkfeuer).
It works to have the same IPv4 address on all interfaces. For this to work, masquerading must be disabled for the firewall zone that all the Funkfeuer interfaces are in. If you need LAN -> Funkfeuer masquerading, please create a firewall rule manually that limits masquerading to your LAN IP range as source IP (and the Funkfeuer zone as destination zone).
OLSRD2
For OLSRD2 you'll have to add your node's IPv6 address to the lo interface. To do this, add the following line to the config interface 'loopback' section in /etc/config/network:
option ip6addr '2a02:61:0:ff:dead:beef:dead:beef/128'
(obviously you'll have to replace the address with your node address that you can get from the redeemer).
Also add option ip6prefix '2a02:61:d2c:1::/64' to it (with your node's userblock address range), to have an IPv6 prefix available on the device.
Then write the following content to /etc/config/olsrd2:
config global
	option 'failfast' 'no'
	option 'pidfile' '/var/run/olsrd2.pid'
	option 'lockfile' '/var/lock/olsrd2'

config log
	option 'syslog' 'true'
	option 'stderr' 'true'
	# option 'file' '/var/log/olsrd2.log'
	# option 'info' 'all'
	# option 'debug' 'all'

config telnet
	option 'port' '2009'

config olsrv2
	list 'originator' '-fe80::/112'
	list 'originator' '-2a02:61:0:ee:1::0/80'
	list 'originator' '-2a02:60::0/32'
	list 'originator' '-0.0.0.0/0'
	list 'originator' '-::1/128'
	list 'originator' 'default_accept'
	# the first /64 subnet of your nodeid/userblock range for the node, if you want to have an IPv6 prefix available for users in the LAN network
	# list 'lan' '2a02:61:d2c:1::/64'

config interface
	option 'ifname' 'loopback'
	list 'bindto' '-0.0.0.0/0'
	list 'bindto' '-::1/128'
	list 'bindto' 'default_accept'

config interface
	option 'ifname' '0xff_eth0'
	list 'bindto' '-0.0.0.0/0'
	list 'bindto' '-::1/128'
	list 'bindto' 'default_accept'
Duplicate the last interface block for every Funkfeuer interface you have.
Once DLEP support is fixed in OLSRDv2 you might want to add the following section for every DLEP interface (see Network Interfaces section of this wiki page):
config dlep_router
	option 'ifname' '0xff_eth0'
	option 'datapath_if' 'eth0.254'
Note that the ifname is an OpenWrt interface name, where the datapath_if name is a Linux network interface name (yay for consistency...).
System Settings
Please set the hostname to the FQDN of your node (for example erx.konst8.wien.funkfeuer.at).
Also set a strong (!) password for the root account of the device.
Firewall
Apart from the previously mentioned forward accept from your Funkfeuer zone to the same zone, you'll probably want to change a few things regarding firewall behaviour.
Primarily you might want to restrict access to the web interface to the IPv4 and IPv6 range of Funkfeuer and allow external access to SSH (maybe also restricted to Funkfeuer IPs).
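As an added example (not part of the original wiki page), the following /etc/config/firewall fragment puts the pieces from the OLSRD and Firewall sections together: a dedicated Funkfeuer zone with masquerading disabled, the zone-to-itself forward rule, a masquerade rule limited to the LAN range as source, an input rule for the OLSR routing traffic itself, and input rules that restrict the web interface and SSH to Funkfeuer address space. The zone name funkfeuer, the LAN range 192.168.1.0/24 (the OpenWrt default) and the Funkfeuer ranges 192.0.2.0/24 and 2001:db8::/32 are placeholders you have to replace with your own values; the interface name 0xff_eth0 is the one used in the olsrd config above, and UDP port 269 is assumed to be the default OLSRv2 port (it is not stated on this page).

```uci
# /etc/config/firewall fragment (added example, not from the wiki page).
# Zone name, LAN range and Funkfeuer ranges below are placeholders.

# Dedicated zone for all Funkfeuer/OLSR interfaces. Masquerading is off,
# which is the prerequisite for having the same IPv4 on every mesh interface.
config zone
	option name 'funkfeuer'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '0'
	# one list entry per Funkfeuer interface (OpenWrt interface names)
	list network '0xff_eth0'

# The zone must be allowed to forward traffic to itself: mesh packets that
# arrive on one Funkfeuer interface leave the node through another one.
config rule
	option name 'Funkfeuer-forward-to-self'
	option src 'funkfeuer'
	option dest 'funkfeuer'
	option proto 'all'
	option target 'ACCEPT'

# Routing protocol traffic from neighbours. UDP 698 is the OlsrPort from the
# olsrd config above; UDP 269 is the IANA "manet" port used by OLSRv2 by
# default (assumption, not taken from the page).
config rule
	option name 'Allow-OLSR'
	option src 'funkfeuer'
	option proto 'udp'
	option dest_port '698 269'
	option target 'ACCEPT'

# Let the LAN reach the mesh ...
config forwarding
	option src 'lan'
	option dest 'funkfeuer'

# ... and masquerade only packets whose source really is the LAN range.
# In a nat section 'src' is the outgoing zone, so it is the Funkfeuer zone
# here; 192.168.1.0/24 is the OpenWrt default LAN, replace it with yours.
config nat
	option name 'Masq-LAN-to-Funkfeuer'
	option src 'funkfeuer'
	option src_ip '192.168.1.0/24'
	option proto 'all'
	option target 'MASQUERADE'

# Web interface and SSH reachable from the mesh, but only from Funkfeuer
# address space. 192.0.2.0/24 and 2001:db8::/32 are placeholders for the
# real Funkfeuer IPv4 and IPv6 ranges.
config rule
	option name 'Allow-Web-SSH-Funkfeuer-v4'
	option src 'funkfeuer'
	option src_ip '192.0.2.0/24'
	option proto 'tcp'
	option dest_port '22 80 443'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-Web-SSH-Funkfeuer-v6'
	option src 'funkfeuer'
	option src_ip '2001:db8::/32'
	option proto 'tcp'
	option dest_port '22 80 443'
	option family 'ipv6'
	option target 'ACCEPT'
```

Because the zone's input policy is REJECT, everything not listed above (including the LuCI port 443 from outside the Funkfeuer ranges) is refused; if you use the stock WAN zone instead of a separate one, replace funkfeuer with wan and make sure masq is set to 0 there as well. Apply the change with /etc/init.d/firewall restart.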
Network Interfaces
Your Funkfeuer interfaces should be set to a static IP with the node's IPv4 address on the interface (either the same IPv4 on all interfaces, or, if this still results in link flapping, a different IPv4 address per interface). For IPv6 the automagically assigned link-local address is enough as long as you set up the node's IPv6 address on the loopback interface correctly.
Depending on your LAN network, you might want to disable the DHCP server on the LAN interface that is enabled by default on OpenWrt.
As for the management network, I usually recommend using one VLAN per Funkfeuer interface and having each of these VLANs tagged on its Funkfeuer interface. Due to limitations in the switching hardware on most routers, it has to be a different VLAN ID for every port. As management network I generally recommend having the LAN network untagged on all ports. This makes it easy to connect and set up new Wifi hardware (as their management network usually is untagged on the ethernet interface) and makes debugging on the roof a lot easier (just plug your laptop into a free ethernet port without any special VLAN config on the laptop).
DLEP for OLSRv2 (getting layer 2 connection information from the Wifi hardware to the OLSRv2 daemon) is currently broken in OLSRDv2 but once it is working you'll want a second tagged VLAN interface on every ethernet port a Wifi device is connected to. The protocol can be set to "unmanaged" (it still assigns an IPv6 link local address which is enough for DLEP).