OpenWrt on a Buffalo WHRG54S
These are some instructions describing one way to construct an OpenWrt-loaded Buffalo WHR-G54S, an inexpensive wireless router (around $40 new, as of 2007-02).
Build OpenWrt Kamikaze
- make a directory
TOPDIR=/src/openwrt-2.4   # or whatever
mkdir $TOPDIR
- checkout stuff
cd $TOPDIR
svn co https://svn.openwrt.org/openwrt/trunk/
svn co https://svn.openwrt.org/openwrt/packages
- my local hacks:
- create a symlink to a download directory that may already be populated:
TRUNK=${TOPDIR}/trunk
cd $TRUNK
ln -s /src_archive/openwrt/dl dl
- link packages in the packages tree into trunk/package
cd ${TRUNK}/package
for i in $(find ../../packages -type d | grep -v .svn | awk -F/ 'NF==5') ; do
    echo $i
    ln -s $i $(echo $i | awk -F/ '{ print $5 }')
done
- configure
cd $TRUNK
make menuconfig
- For the Buffalo:
- Target System (Broadcom BCM947xx/953xx [2.4])
Target Profile (Generic Broadcom WiFi)
- Select all packages by default (y)
- build (this can take a few hours, and might fail in the middle)
cd $TRUNK
make
- if it does fail somewhere, get more information about why by restarting with:
make V=99
- either fix the problems, or just find the option in the menuconfig and disable the broken package.
- when it finishes, you should have a bunch of .trx and .bin binaries in /src/openwrt-2.4/trunk/bin, as well as the .ipk files in /src/openwrt-2.4/trunk/bin/packages. Move them to some place useful:
cd $TRUNK
REV=$(echo r$(svn info | grep '^Revision: ' | cut -d' ' -f2))
cp ${TRUNK}/bin/openwrt-brcm-2.4-squashfs.trx /var/lib/tftpboot/whrg54s/openwrt-brcm-2.4-squashfs-${REV}.trx
cp ${TRUNK}/bin/openwrt-brcm-2.4-jffs2-64k.trx /var/lib/tftpboot/whrg54s/openwrt-brcm-2.4-jffs2-64k-${REV}.trx
rsync -v -a -H ${TRUNK}/bin/packages/ russell@donk.personaltelco.net:public_html/openwrt/2.4-${REV}/
Flash Firmware
Using tftp
- Install a tftp client. On debian I use tftp-hpa, which works fine.
- Connect a cat5 cable to a LAN port (not the WAN port) on the AP.
- Configure an interface on your flashing PC on the same network with 192.168.11.2/24
- Power on the WHRG54S and make sure you can ping it at 192.168.11.1
- Remove power
- From the flashing PC, issue the following commands, but do not press Enter after the last one:
cd ${TRUNK}/bin
tftp 192.168.11.1
tftp> binary
tftp> trace
tftp> rexmt 1
tftp> timeout 60
tftp> put openwrt-brcm-2.4-jffs2-64k.trx
- Hold the reset button on the WHRG54S
- Start the tftp put
- Apply power
- Release the reset button
- Watch while the tftp transfer occurs and the router then reboots; be patient
- If the flash fails, just retry the tftp
- After the reboot, the LAN interface will be at 192.168.1.1, ping that
- When pings succeed, try telnet'ing to 192.168.1.1 to get a shell
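TFTP itself does not verify the file it sends, so it is worth confirming that the image in hand is the one that was built before starting the put. The following pre-flight check is an added example, not part of the original instructions; the function names and the manifest file are assumptions, and the demo uses a constructed stand-in file rather than real firmware.

```sh
#!/bin/sh
# Added example (not from the original instructions): record a digest for each
# built image, then verify the image again right before "tftp put".
# Function names and the manifest path are assumptions.

# record_image IMAGE MANIFEST: append "<sha256>  <file name>" to MANIFEST.
record_image() {
    ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" ) >> "$2"
}

# preflight IMAGE MANIFEST: return 0 only when IMAGE starts with the TRX
# magic "HDR0" and its digest matches the newest manifest entry for its name.
preflight() {
    img=$1; manifest=$2; name=$(basename "$img")
    [ -s "$img" ] || { echo "missing or empty: $img" >&2; return 1; }
    [ "$(head -c 4 "$img")" = "HDR0" ] ||
        { echo "not a TRX image: $img" >&2; return 2; }
    want=$(awk -v n="$name" '$2 == n { d = $1 } END { print d }' "$manifest")
    [ -n "$want" ] || { echo "no recorded digest for $name" >&2; return 3; }
    have=$(sha256sum "$img" | cut -d' ' -f1)
    [ "$have" = "$want" ] || { echo "digest mismatch for $name" >&2; return 4; }
    echo "ok: $name $have"
}

# demo: build a constructed stand-in image in a temp dir, record it, check it,
# then corrupt it and check again. Prints the two preflight exit codes.
demo() {
    dir=$(mktemp -d) || return 1
    img="$dir/openwrt-brcm-2.4-jffs2-64k.trx"
    printf 'HDR0constructed-sample-not-a-real-firmware' > "$img"
    record_image "$img" "$dir/SHA256SUMS"
    first=0; second=0
    preflight "$img" "$dir/SHA256SUMS" >/dev/null || first=$?
    printf 'x' >> "$img"                      # simulate a damaged copy
    preflight "$img" "$dir/SHA256SUMS" 2>/dev/null || second=$?
    rm -rf "$dir"
    echo "$first $second"
}

demo
```

Run record_image once after the build and preflight immediately before the `tftp put`; only continue with the reset-button sequence when it returns 0.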
Configuration
- After telnet'ing, immediately change the password:
passwd
- Configure /etc/ipkg.conf (in this case for r6348):
src snapshots http://www.personaltelco.net/~russell/openwrt/2.4-r6348
dest root /
dest ram /tmp
Configuring a Wifidog AP
- Configure /etc/config/wireless (adjust temporary ssid when installation is complete):
config wifi-device wl0
    option type broadcom
    option channel 1

config wifi-iface
    option device wl0
    option mode ap
    option ssid www.personaltelco.net/notyet
    option hidden 0
    option encryption none
- Configure /etc/config/network:
#### VLAN configuration
config switch eth0
    option vlan0 "1 2 3 4 5*"
    option vlan1 "0 5"

#### Loopback configuration
config interface loopback
    option ifname "lo"
    option proto static
    option ipaddr 127.0.0.1
    option netmask 255.0.0.0

#### LAN configuration
config interface lan
#   option type bridge
    option ifname "eth0.0"
    option proto static
    option ipaddr 192.168.1.1
    option netmask 255.255.255.0

#### WAN configuration
config interface wan
    option ifname "eth0.1"
    option proto dhcp

#### Wireless configuration
config interface wireless
    option ifname "wl0"
    option proto static
    option ipaddr 10.11.x.y
    option netmask 255.255.255.z
- Configure /etc/dnsmasq.conf:
# filter what we send upstream
domain-needed
bogus-priv
filterwin2k
localise-queries

# allow /etc/hosts and dhcp lookups via *.lan
local=/lan/
domain=personaltelco.net
expand-hosts
resolv-file=/tmp/resolv.conf

dhcp-range=eth0.0,192.168.1.100,192.168.1.250,255.255.255.0,10m
dhcp-range=wl0,10.11.0.140,10.11.0.191,255.255.255.192,10m
dhcp-authoritative
dhcp-leasefile=/tmp/dhcp.leases
except-interface=eth0.1

# use /etc/ethers for static hosts; same format as --dhcp-host
# <hwaddr> <ipaddr>
read-ethers

# other useful options:
# default route(s): dhcp-option=3,192.168.1.1,192.168.1.2
# dns server(s): dhcp-option=6,192.168.1.1,192.168.1.2

# change the following to use the upstream dns servers, 4.2.2.2 will work, but closer is better
dhcp-option=6,4.2.2.2
- Configure /etc/init.d/dnsmasq, removing some odd garbage that overwrites whatever it gets from dhcp. This probably relates to dnsmasq's dns not actually working (and I haven't figured out why). The odd garbage would be okay if local dns was working. The end of the start() function could/should look like this:
[...]
    cat /etc/dnsmasq.conf
    ) | awk -f /lib/config/template.awk | dnsmasq -C /proc/self/fd/0
}
- Disable firewall by deleting /etc/rc.d/S45firewall
rm /etc/rc.d/S45firewall
- Enable masquerading in /etc/init.d/network:
# Copyright (C) 2006 OpenWrt.org
START=40
start() {
    setup_switch() { return 0; }
    include /lib/network
    setup_switch
    [ -e /etc/config/wireless ] || \
        /sbin/wifi detect > /etc/config/wireless
    /sbin/wifi up
    iptables -t nat -I POSTROUTING -o eth0.1 -j MASQUERADE
}
- Install packages:
ipkg install ip
ipkg install wifidog
ipkg install libpthread
ipkg install snmpd
- Configure Wifidog in /etc/wifidog.conf. Set:
GatewayID NodeSlabtown
ExternalInterface eth0.1
GatewayInterface wl0
AuthServer {
    Hostname wifidog.personaltelco.net
    SSLAvailable yes
    Path /
}
AuthServer {
    Hostname wifidog.smallwhitecube.com
    SSLAvailable yes
    Path /
}
- After configuring the auth server to know about the new node, add a symlink in /etc/rc.d to start wifidog during init:
cd /etc/rc.d
ln -s /etc/init.d/wifidog S75wifidog
- Configure /etc/snmp/snmpd.conf:
rocommunity sPecial0ps
rocommunity public 127.0.0.1
# Use exec to pull up the association count
exec assoc_count /usr/local/bin/assoc_count
# OID = 1.3.6.1.4.1.2021.8.1.101.1
# Or, alternately, you can use 'extend' instead of 'exec'
# extend assoc-count /usr/local/bin/assoc_count
# OID = .1.3.6.1.4.1.8072.1.3.2.4.1.2.11.97.115.115.111.99.45.99.111.117.110.116.1
- Make the directory and install the /usr/local/bin/assoc_count script:
mkdir -p /usr/local/bin
cat > /usr/local/bin/assoc_count <<'EOF'
#!/bin/sh
echo $((`iptables -L WiFiDog_Outgoing -v -t mangle | grep 'MARK set 0x2' | wc -l`))
EOF
chmod 755 /usr/local/bin/assoc_count
Configuring as a client device
- Edit /etc/config/wireless:
config wifi-device wifi0
    option type atheros
#   option channel 5

config wifi-iface
    option device wifi0
#   option network lan
    option mode sta
    option ssid www.personaltelco.net
    option hidden 0
    option encryption none
- Edit /etc/config/network
#### VLAN configuration
config switch eth0
    option vlan0 "1 2 3 4 5*"
    option vlan1 "0 5"

#### Loopback configuration
config interface loopback
    option ifname "lo"
    option proto static
    option ipaddr 127.0.0.1
    option netmask 255.0.0.0

#### LAN configuration
config interface lan
    option type bridge
    option ifname "eth0.0 eth0.1"
    option proto static
    option ipaddr 192.168.1.1
    option netmask 255.255.255.0

#### WAN configuration
config interface wan
    option ifname "wl0"
    option proto dhcp
- reboot and then ssh to root at 192.168.1.1
- modify /etc/ipkg.conf:
src snapshots http://www.personaltelco.net/~russell/openwrt/2.4-r6348
dest root /
dest ram /tmp
- update packages:
ipkg update
- install iproute tools:
ipkg install ip
- fix firewall:
- move firewall script:
mv /etc/init.d/firewall /etc/init.d/firewall_
- replace with a masquerade rule:
cat > /etc/init.d/firewall <<'EOF'
#!/bin/sh
iptables -t nat -I POSTROUTING -o wl0 -j MASQUERADE
EOF
- make it executable:
chmod 755 /etc/init.d/firewall
- to isolate the wired lan from the public wireless, this is one solution: create a file /etc/init.d/filter:
#!/bin/sh /etc/rc.common
# rc.common supplies the "enable" command used below
# Copyright (C) 2006 OpenWrt.org
START=96
STOP=96
PUBLIC=ath0
PRIVATE=eth0.0
boot() {
    iptables -I FORWARD -o ${PRIVATE} -i ${PUBLIC} -j DROP
}
start() {
    iptables -I FORWARD -o ${PRIVATE} -i ${PUBLIC} -j DROP
}
restart() {
    iptables -I FORWARD -o ${PRIVATE} -i ${PUBLIC} -j DROP
}
stop() {
    iptables -D FORWARD -o ${PRIVATE} -i ${PUBLIC} -j DROP
}
chmod 755 /etc/init.d/filter
/etc/init.d/filter enable
- to get signal levels:
ipkg install wl
wl rssi
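The /etc/init.d/filter script above inserts the same DROP rule from boot(), start() and restart(), so the FORWARD chain can hold several copies, and an unconditional ACCEPT placed ahead of it by another script would make it ineffective. The following audit of iptables-save output is an added example, not part of the original page; the function names and the sample rule set are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page): audit iptables-save output for
# the isolation rule. Function names and the sample rule set are constructed.

# check_isolation PUBLIC PRIVATE  (iptables-save text on stdin) prints:
#   missing   no plain DROP for PUBLIC -> PRIVATE in the filter FORWARD chain
#   shadowed  an unconditional ACCEPT covering that traffic is evaluated first
#   ok N      the DROP is reached; N copies of it are loaded
check_isolation() {
    awk -v pub="$1" -v priv="$2" '
    /^\*/ { table = substr($1, 2) }            # "*filter", "*nat", ...
    table == "filter" && $1 == "-A" && $2 == "FORWARD" {
        in_if = ""; out_if = ""; target = ""; extra = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-i") in_if = $(++i)
            else if ($i == "-o") out_if = $(++i)
            else if ($i == "-j") target = $(++i)
            else extra = 1                     # any other match narrows the rule
        }
        covers = (in_if == "" || in_if == pub) && (out_if == "" || out_if == priv)
        if (target == "DROP" && in_if == pub && out_if == priv && !extra) drops++
        else if (target == "ACCEPT" && covers && !extra && !drops) shadowed = 1
    }
    END {
        if (!drops) print "missing"
        else if (shadowed) print "shadowed"
        else print "ok " drops
    }'
}

# Constructed sample: state after "filter start" followed by "filter restart".
sample_after_restart() {
    cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wl0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i ath0 -o eth0.0 -j DROP
-A FORWARD -i ath0 -o eth0.0 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

sample_after_restart | check_isolation ath0 eth0.0
```

On a system where iptables-save is installed, the live rule set can be checked with `iptables-save | check_isolation ath0 eth0.0`; a count above 1 means a single `stop` will leave a copy of the rule behind.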
OLDER STUFF
Steps for creating a NoCat Openwrt Build on a Linksys WRT54g or gs
"OpenWRT is a linux distribution for the Linksys WRT54G. Instead of trying to cram every possible feature into one firmware, OpenWRT provides only a minimal firmware with support for add-on packages. For users this means the ability to custom tune features, removing unwanted packages to make room for other packages and for developers this means being able to focus on packages without having to test and release an entire firmware."
To use nocatsplash on openwrt, you need to do some fiddling.
Get a current version of a prebuilt OpenWRT binary image with MAC support and iptables enabled here:
OpenWRT binary (CVS 10-Dec-2004) WRT54G md5sum: 37664add5eafd051ec07e339d26f0e37
OpenWRT binary (CVS 10-Dec-2004) WRT54GS md5sum: 459df29183d7afcb8ffbbac3b7726c3f
Or get a working buildroot following the instructions on the openwrt site.
- First, you need to enable the MAC matching support in iptables, both in the kernel and as an iptables module.
- To enable the iptables module
- edit buildroot/sources/iptables-openwrt-extensions.patch
- add 'mac' to the end of the PF_EXT_SLIB line.
- For the kernel module
- Edit buildroot/sources/openwrt/kernel/linux.config
- Set CONFIG_IP_NF_MATCH_MAC=y
- Do a full build ("make"). This will need some fiddling, mostly with the snapshot date in the main Makefile.
Load the image onto your WRT. The openwrt website has some good instructions on how to do this.
At this point you should telnet to the WRT, edit /etc/ipkg.conf to add the main openwrt package directory
src openwrt http://www.openwrt.org/ipkg
Then run ipkg update and ipkg install dropbear. Start sshd, and make an initscript to start it on boot. Then disable telnet, and use ssh to log in from now on.
Now, you can either use the ipk I built
Or
- build it yourself. I recommend building it yourself, so you can tweak it later more easily.
- To build it yourself
make libglib: make `pwd`/build_mipsel/staging_dir/lib/libglib.a
unpack the tarball into your buildroot
- run 'make packages'.
- To modify it
- edit the patch buildroot/sources/nocatsplash.patch,
- edit make/nocatsplash.mk and increment the version number
then make nocatsplash-dirclean; make packages.
(The patch adds mac address logging, and more levels of logging. I recommend level 1, which shows auths and timeouts only. The logging part was by the ewrt people)
After installing, configure by editing /etc/nocat.conf. Check all the options in there. Also, add the option InsideIP 10.11.x.y, or the redirects won't work (i.e., no way to auth).
TODO
Update package to use release version of NoCatSplash
This list of NVRAM variables can be handy when setting up your OpenWRT
More packages to add to your OpenWRT can be found on the OpenWRT wiki or the OpenWRT Package Tracker
The wiring of the WRT network devices: There are 2 'real' devices, eth0 and eth1. eth0 is an interface to the switch on the back. eth1 is the wireless link. eth0 uses vlans. vlan0 is the 'lan' set of ports, and vlan1 is the 'wan' port. The default configuration creates a bridge, br0, of eth1 and vlan0. OpenWRT networking is configured with *_ipaddr, *_proto, etc. These are documented more extensively on the OpenWRT site. The default config is lan_* is br0, wan_* is vlan1. If you want to break the bridge, and treat lan, wan, and wifi separately, you use lan_* for vlan0, wifi_* for eth1, and wan_* for vlan1.
Troubleshooting
Q) I have flashed the OpenWrt bin on but when I try to telnet in my old username/pswd simply do not work. I even reflashed it with the previous firmware (ewrt) and test the username/password just to be sure. Any thoughts? (TomHiggins)
A) You're using the old broken image. Get the 10 december one and try again. This problem is due to using the wrong /bin/login file, one that was actually trying to check credentials. However, there aren't any credentials, so it will always deny. The correct /bin/login just logs you in without asking anything. (Worked like a charm, thanks Ben! (TomHiggins))
!!!!WARNING!!!! The firmware and package need libpthread. But even with it, the router *FAILS* to capture pages. It does not do anything but drop packets. DO NOT USE THIS, IT IS BROKEN!

