Glen Pitt-Pladdy :: Blog

OpenWrt on RB450G for AAISP FTTC II (12.09: Attitude Adjustment)

Things have moved on considerably from when I first got OpenWrt up on an RB450G. For one thing it no longer needs patches to the source or any special config - the standard build will work. A lot of further useful information is available on the OpenWrt Hardware RB450G page.

This is a second look at OpenWrt on the RB450G (for AAISP with IPv6) using the standard build of Attitude Adjustment (12.09), with a few optional enhancements of my own.

In order to get it installed a minimal build is still needed, but otherwise it's much easier this time round.

MicroTik RouterBoard 450G to have OpenWrt on it

Building the Install Boot Image

In order to install OpenWrt we will need a network bootable image that runs from a RAM disk in order to be able to install the NAND Flash versions. For this we will need to build a minimal image from source.

First up get the source on a machine suitable for building it. I used an Ubuntu 12.04 (Precise) 64-bit VM for this to avoid polluting other machines with cruft.

I have created a minimal OpenWrt Network boot image configuration for the RB450G which can be renamed to .config in the source directory.

After this you should run make menuconfig and customize this if you need anything different in your initial build. Then to build the image simply run make and once it completes you should have an image below your source directory of bin/ar71xx/openwrt-ar71xx-nand-vmlinux-initramfs-lzma.elf

More complex builds are possible if you want to do a more customized image. For more details see the OpenWrt Build Instructions.

Preparing for network boot

The RB450G bootloader doesn't support full DHCP, only BOOTP. In my case I am leveraging my existing DHCP server (on Debian) so pretty nearly the same config as last time round.

In the /etc/dhcp/dhcpd.conf file add the following options to enable BOOTP:

allow booting;
allow bootp;

And then add a static address and options for the MAC address of the RB450G:

host rb450g {
    hardware ethernet MAC:OF:RB450G;
    fixed-address IP.OF.RB450G;
    next-server IP.OF.TFTP.SERVER;
    filename "openwrt-ar71xx-nand-vmlinux-initramfs-lzma.elf";
}

Restart dhcpd and we are ready to move on.

The image needs to be delivered via TFTP and to do this I installed the tftpd-hpa package on my build VM. Then copy the image (above) to /var/lib/tftpboot/ which is the root of the TFTP server.

We should now be ready to install.

Installation process

The RB450G has a serial (RS232) connector on the side; with a null modem cable and/or a USB-serial adaptor at 115.2K 8N1, access to the console and bootloader is easy.

At boot you should see a menu something like:

RouterBOOT-2.27
What do you want to configure?
   d - boot delay

   k - boot key
   s - serial console
   n - silent boot
   o - boot device
   u - cpu mode
   f - cpu frequency
   r - reset booter configuration
   e - format nand
   g - upgrade firmware
   i - board info
   p - boot protocol
   b - booter options
   t - do memory testing
   x - exit setup
your choice:

Enter o to select the boot device:

Select boot device:
   e - boot over Ethernet
 * n - boot from NAND, if fail then Ethernet
   1 - boot Ethernet once, then NAND
   o - boot from NAND only
   b - boot chosen device
   f - boot Flash Configure Mode
   3 - boot Flash Configure Mode once, then NAND
your choice:

In my case I chose 1 for a one-off boot from the network, then back to NAND Flash booting after that. Then x to exit the menus and boot.

At boot you should see something like this:

trying bootp protocol... OK
Got IP address: IP.OF.RB450G
resolved mac address MAC.OF.TFTP.SERVER
Gateway: IP.OF.GATEWAY.ROUTER
transfer started ................. transfer ok, time=1.17s
setting up elf image... OK
jumping to kernel code


OpenWrt kernel loader for AR7XXX/AR9XXX
Copyright (C) 2011 Gabor Juhos <juhosg@openwrt.org>
Decompressing kernel... done!
Starting kernel at 80060000...

[    0.000000] Linux version 3.3.8 (gpp@openwrtbuild) (gcc version 4.6.3 20120201 (prerelease) (Linaro GCC 4.6-2012.02) ) #24
[    0.000000] bootconsole [early0] enabled
......

Once it finishes booting press enter to get a shell. The image will boot with the LAN (switch) ports on 192.168.1.1/24 addressing. You will need to reconfigure your networking (potentially changing connections between ports) to ensure you have connectivity to the source webserver to install from. This can be the OpenWrt Image Downloads or you can place openwrt-ar71xx-nand-rootfs.tar.gz and openwrt-ar71xx-nand-vmlinux-lzma.elf on your own local webserver and install from there.

To install run:

# wget2nand http://address.of.webserver/

This should output a load of information on what it is doing. When it's complete reboot and you should see it booting from flash:

loading kernel from nand... OK
setting up elf image... OK
jumping to kernel code


OpenWrt kernel loader for AR7XXX/AR9XXX
Copyright (C) 2011 Gabor Juhos <juhosg@openwrt.org>
Decompressing kernel... done!
Starting kernel at 80060000...

[    0.000000] Linux version 3.3.8 (blogic@Debian-60-squeeze-64-minimal) (gcc version 4.6.3 20120201 (prerelease) (Linaro GC3
[    0.000000] bootconsole [early0] enabled
......

Once it finishes booting press enter to get a shell. Then set the root password with passwd, after which you should be able to ssh into the RB450G:

ssh to RG450G on OpenWrt


Configuration

The standard builds include LuCI, the web based configuration manager which can be accessed by putting the IP into your browser, else you can update config from the shell.

Initial settings with LuCI

Under System->System Set:

  • Timezone
  • NTP server (eg. time.aaisp.net.uk)

Enabling IPv6

OpenWrt doesn't have IPv6 fully working out of the box. To get it working you need to install:

  • ip6tables
  • kmod-ip6tables

Again, this can be done either via LuCI (System->Software) or with opkg from the shell.

Networking

At this point you can go ahead and configure the network. The exact configuration will depend on what you want to achieve. In my case I'm using a routed (no-NAT) setup.

For AAISP, the WAN interface can be configured in LuCI, or via the shell, yielding an /etc/config/network entry for the WAN something like this:

config interface 'wan'
    option ifname 'eth0'
    option proto 'pppoe'
    option username 'ISPUSERNAME'
    option password 'ISPPASSWORD'
    option keepalive '5,5'
    option ipv6 '1'

At this point you should have a working network and can move data through the router.

Lock-down

ssh (dropbear)

Out of the box this listens on all interfaces, but as a safety measure it's probably best to limit it to the LAN interface. In LuCI this can be done simply by selecting the LAN interface in System->Administration, else via the shell yielding an /etc/config/dropbear file something like:

config dropbear
    option PasswordAuth 'on'
    option Port '22'
    option Interface 'lan'

uhttpd / LuCI

Same here - this can be restricted to only listening on the LAN addresses by changing /etc/config/uhttpd to listen on the LAN IP addresses:

list listen_http        router.lan.ip.addr:80
list listen_http        [router:lan:ipv6::addr]:80
list listen_https       router.lan.ip.addr:443
list listen_https       [router:lan:ipv6::addr]:443

Then to bring this config into use restart uhttpd with /etc/init.d/uhttpd restart
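To confirm that the dropbear and uhttpd changes actually took effect, here is an added check (not from the original post) that reads busybox `netstat -tln` output and reports any admin port still bound to a wildcard or non-LAN address. The LAN addresses, ports and the sample netstat output are constructed placeholders; set LAN_ADDRS and WATCH_PORTS to your own.

```shell
#!/bin/sh
# Added check, not from the original post: after restricting dropbear and
# uhttpd, confirm nothing on the admin ports still listens on a wildcard or
# WAN address. LAN addresses and ports below are placeholders (assumption).
LAN_ADDRS="${LAN_ADDRS:-192.168.1.1 fd00::1}"
WATCH_PORTS="${WATCH_PORTS:-22 80 443}"

# Print "proto local-address" for each LISTEN socket on a watched port whose
# bound address is not a LAN address (0.0.0.0 and :: count as exposed).
# $1 = busybox `netstat -tln` output.
exposed_listeners() {
    printf '%s\n' "$1" | awk -v lan="$LAN_ADDRS" -v ports="$WATCH_PORTS" '
        BEGIN {
            n = split(lan, l, " ");   for (i = 1; i <= n; i++) ok[l[i]] = 1
            m = split(ports, p, " "); for (i = 1; i <= m; i++) want[p[i]] = 1
        }
        $NF == "LISTEN" {
            addr = $4; port = $4
            sub(/.*:/, "", port)        # text after the last colon is the port
            sub(/:[0-9]+$/, "", addr)   # strip it to leave the bound address
            if ((port in want) && !(addr in ok)) print $1, $4
        }'
}

# Constructed sample of a router with dropbear still on all interfaces:
# ssh on the wildcard IPv4 and IPv6 addresses, web only on the LAN addresses.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
tcp        0      0 192.168.1.1:80          0.0.0.0:*               LISTEN
tcp        0      0 fd00::1:443             :::*                    LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN'

# Run against the live router with --live, otherwise against the sample.
case "${1:-}" in
    --live) exposed_listeners "$(netstat -tln 2>/dev/null)" ;;
    *)      exposed_listeners "$SAMPLE_NETSTAT" ;;
esac
```

With the sample input it reports the two wildcard ssh listeners; on the router, an empty result after the restarts means the lock-down is in effect.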

Serial Port

There is no authentication on the serial port with OpenWrt. This means that anyone who can connect a cable to the router has immediate full root access. While there are limits to security when physical access is involved, it should definitely be possible to do better than this.

In /etc/inittab comment the line:

#ttyS0::askfirst:/bin/ash --login

This will simply disable the serial port shell. Note that this will also make recovery more difficult if something breaks ssh access.

Firewall

An important bit is to get a firewall set up. This can be done through LuCI or the shell as always, however if like me you need something more complex then /etc/firewall.user provides a shell scripting option. I've customized mine extensively with over 500 lines of code which processes my own format of rule sets, as well as a bunch of sub-scripts which are included for flexibility when configuring the rules and behaviour for both IPv4 and IPv6.

My script is way too complex to share - if you are doing stuff like that then no doubt you will already be intimately familiar with iptables/ip6tables and IP networking, and not need an example to work from. For most people I'm guessing LuCI is probably the way to go, but the option is there if you require something more heavy duty.

Refinements

Backup & dropbear keys

I use Dirvish (rsync based) for backups. To be able to use ssh key authentication for this either add the key in /etc/dropbear/authorized_keys or via LuCI in System->Administration.

This also requires installing rsync (automatically adds libpopt).

This brings the backups online and the entire system can be backed up like this.

Remote logging with syslog-ng3

I do remote logging (with log monitoring tools like integrityd) and I've not been happy with the way the busybox syslogd shipped works, so I'm using syslog-ng3. Simply install syslog-ng3 via LuCI or from the shell with opkg and then edit /etc/syslog-ng.conf adding:

destination remote {
        udp("ip.of.log.server");
};

Then change destination(messages) to destination(remote) to make it log to the above configured server. Then to enable it run (or using LuCI):

/etc/init.d/syslog-ng enable

The existing busybox syslogd and klogd will still try to start up. It is tempting to remove the execute permission, as this is the check done in /etc/init.d/boot to decide whether to start them, but since each is actually a symlink to busybox this will completely break everything. Rather just remove the symlinks:

rm /sbin/klogd /sbin/syslogd

Notifications

I run email notifications when events occur (potentially bad ones) on the WAN interface. For these we need to be able to send mail and I used mini-sendmail which will need installing before these can be used.

The /etc/ppp/if-*.d/ scripts are deprecated in Attitude Adjustment, preferring instead to use /etc/hotplug.d/iface/ scripts so I have updated and adapted my previous scripts for this.

Download: OpenWrt Hotplug Mail on Interface Up/Down

This simply emails on Interface up or down events. Configure the variables for mail servers etc. before use.

Download: OpenWrt check for BT test connection and restart WAN

Sometimes faults occur where DSL connections get switched to BT's test connections, which are to a private test network. This basically means all internet connectivity is lost, and until the connection drops or resets the router remains happily connected to an unusable service. If I'm away from home that means an awful lot of downtime could result, so this script takes care of it automatically and both emails and restarts the WAN interface if the expected (static) WAN IP address isn't present. Again, configure the variables for mail servers etc. and the expected IP. If you are with another ISP which uses dynamic addresses then you will need to tweak this script to pattern match rather than use a fixed IP.

So that you can still send email when there are connectivity problems add the mail server into the hosts list in LuCI or in /etc/config/dhcp as follows:

config domain
        option name 'mail.yourdomain.tld'
        option ip 'ip.of.mail.server'
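As an added illustration of the two hotplug scripts described above (this is example code, not the author's downloadable scripts), here is a single /etc/hotplug.d/iface/ handler that mails on WAN up/down and, on ifup, restarts the WAN when the PPP address is not the expected one. It assumes a sendmail-compatible binary from mini-sendmail at $SENDMAIL (path is an assumption) and uses placeholder mail and WAN addresses which you must change; the expected address may be a shell glob to cover ISPs with dynamic addresses from a known range.

```shell
#!/bin/sh
# Added example, not the author's scripts: /etc/hotplug.d/iface/ handler that
# mails on WAN ifup/ifdown and restarts the WAN if it came up on an unexpected
# address (the BT test-network case). Binary path and addresses are assumptions.
SENDMAIL="${SENDMAIL:-/usr/sbin/mini_sendmail}"
MAIL_TO="${MAIL_TO:-admin@yourdomain.tld}"
MAIL_FROM="${MAIL_FROM:-router@yourdomain.tld}"
WAN_IFACE="${WAN_IFACE:-wan}"
# Expected WAN address; a glob such as '203.0.113.*' works for a known range.
EXPECTED_WAN_IP="${EXPECTED_WAN_IP:-203.0.113.10}"

# First IPv4 address in `ip -4 addr show dev <dev>` output ($1), or nothing.
first_ipv4() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*inet \([0-9.]*\).*/\1/p' | head -n 1
}

# Returns 0 when the address ($1) is non-empty and matches the expected
# address or glob ($2).
wan_ip_ok() {
    [ -n "$1" ] || return 1
    case "$1" in $2) return 0 ;; *) return 1 ;; esac
}

# Send a short notification with subject $1; the body is read from stdin.
notify() {
    { printf 'From: %s\nTo: %s\nSubject: %s\n\n' "$MAIL_FROM" "$MAIL_TO" "$1"; cat; } |
        "$SENDMAIL" -f "$MAIL_FROM" -t
}

# OpenWrt's hotplug runs this with ACTION, INTERFACE and DEVICE set; when run
# by hand (no ACTION) only the functions above are defined, nothing is sent.
if [ -n "$ACTION" ] && [ "$INTERFACE" = "$WAN_IFACE" ]; then
    case "$ACTION" in
        ifdown)
            printf '%s went down at %s\n' "$INTERFACE" "$(date)" | notify "WAN down" ;;
        ifup)
            addr=$(first_ipv4 "$(ip -4 addr show dev "$DEVICE")")
            if wan_ip_ok "$addr" "$EXPECTED_WAN_IP"; then
                printf '%s up with %s at %s\n' "$INTERFACE" "$addr" "$(date)" | notify "WAN up"
            else
                # Each ifup re-runs this handler, so the restart repeats until
                # the expected address is obtained.
                printf 'Got %s, expected %s; restarting %s\n' "${addr:-no address}" \
                    "$EXPECTED_WAN_IP" "$INTERFACE" | notify "WAN on unexpected address"
                ifdown "$INTERFACE"; ifup "$INTERFACE"
            fi ;;
    esac
fi
```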

Cacti Monitoring

Previously I provided scripts and templates for Cacti to monitor the router. Little has changed, however there have been various improvements and an update to work with uhttpd rather than the busybox httpd.

Download: OpenWrt CGI Monitoring Scripts

Unpack these in /www/cgi-bin/ and they should go into monitor/, providing various monitoring data via http. If required, access to these could be locked down further; however, as they take no input and are only served on the LAN (by the config above), currently they are left open.

Additionally we need to flag the time that the WAN interface came up and for that there is another script to go in /etc/hotplug.d/iface/

Download: OpenWrt Interface Monitoring Script

We are still using largely the same Python Input Scripts for Cacti to collect the data. These should be unpacked into /usr/local/share/cacti/scripts on Debian based systems, or wherever is appropriate for your system, and the templates adapted to match.

Download: OpenWrt RB450G Cacti Input Scripts

Plus we have an improved Template.

Download: OpenWrt RB450G Cacti Template

This is what you can expect in the way of graphs:

OpenWRT RB450G PPP Status Cacti Graph

OpenWRT RB450G Processes

OpenWRT RB450G CPU Usage Cacti Graph

OpenWRT RB450G Ethernet0 Bytes Cacti Graph

OpenWRT RB450G Ethernet0 Packets Cacti Graph

OpenWRT RB450G Ethernet1 Bytes Cacti Graph

OpenWRT RB450G Ethernet1 Packets Cacti Graph

OpenWRT RB450G IP Conntrack Cacti Graph

OpenWRT RB450G Load Average Cacti Graph

OpenWRT RB450G Memory Usage Cacti Graph

OpenWRT RB450G PPPoE Bytes Cacti Graph

OpenWRT RB450G PPPoE Packets Cacti Graph


Update Checking

Occasionally (eg. with the openssl Heartbleed bug) updates are released, so it is worth checking. I've created a very simple script to do this.

Download: OpenWrt package Update Check Script

This needs its settings updating and can then be run from cron as often as you want, with an appropriate entry in /etc/crontabs/root.

Fully featured editor

If, like me, you tend to do most of your admin from the shell, then a fully featured editor is a must. In my case I used "vim" which is available in OpenWrt.

Install vim-full which will in turn also install libncurses and terminfo. If you want syntax highlighting then also add vim-runtime.
