
LEDE Router Setup

openwrt-router-setup

Parameters

# Site-specific values consumed by the uci/opkg commands further down (read as "$NAME").
# Whatever is put into a "uci set" below ends up in /etc/config/* in clear text once committed.
HOSTNAME="core"
DOMAIN="stelas.de"
# USB-stick paths served by TFTP (PXE boot) and by the NFS export
TFTPDIR="/media/usb1/tftp"
NFSDIR="/media/usb1/nfs"
# WLAN: the 5 GHz network reuses this SSID with a "5" appended
WLANSSID="Heimdall"
WLANKEY="********"                  # asterisks look like a redaction; fill in the real key
# PPPoE account for the WAN interface
PPPUSERNAME="*********@easybell.de"
PPPPASSWORD="********"
# Hurricane Electric 6in4 tunnel (see "IPv6 tunnel (HE.net)"); the update key is stored as the
# tunnel password
HENET_username="stelas"
HENET_tunnelid="256718"
HENET_updatekey="****************"
HENET_peeraddr="216.66.86.114"
HENET_ip6addr="2001:470:6c:9b3::2/64"
HENET_ip6prefix="2001:470:52b0::/48"
# Dynamic DNS at HE.net; the hostname doubles as the DDNS username below
DDNS_domain="home.dyn.codehal.de"
DDNS_password="****************"

System

  • LuCI + IPv6
    # Web UI with TLS plus IPv6 support; ca-certificates/ca-bundle supply trust roots for HTTPS clients
    opkg install luci-ssl luci-proto-ipv6 6in4 \
        curl ca-certificates ca-bundle
    # Bind the web UI to the LAN address only, so it does not listen on the WAN/DMZ/VoIP addresses
    ui=uhttpd.main
    uci set "$ui.listen_http=192.168.1.254:80"
    uci set "$ui.listen_https=192.168.1.254:443"
    # Common name used for the web UI certificate (uhttpd "defaults" section)
    uci set "uhttpd.defaults.commonname=$HOSTNAME.$DOMAIN"
  • Filesystem
    # Home for local scripts and config; listing /usr/local/ in sysupgrade.conf keeps it across sysupgrade
    for d in /usr/local/bin /usr/local/etc; do mkdir -p "$d"; done
    printf '%s\n' '/usr/local/' >> /etc/sysupgrade.conf
  • Hostname, Timezone
    sys='system.@system[0]'
    uci set "$sys.hostname=$HOSTNAME"
    # POSIX TZ string for Berlin (CET/CEST with the EU DST switch dates)
    uci set "$sys.timezone=CET-1CEST,M3.5.0,M10.5.0/3"
    uci set "$sys.zonename=Europe/Berlin"
    # SSH daemon listens on the LAN interface only, not on WAN/DMZ/VoIP
    uci set 'dropbear.@dropbear[0].Interface=lan'
  • NTP
    ntp=system.ntp
    # Serve time to the local networks as well as syncing from the German pool
    uci set "$ntp.enable_server=1"
    # "set" replaces the default server list; the add_list calls extend it
    uci set "$ntp.server=0.de.pool.ntp.org"
    for n in 1 2 3; do uci add_list "$ntp.server=$n.de.pool.ntp.org"; done
  • LLDP
    # Link-layer discovery daemon, enabled at boot
    opkg install lldpd; /etc/init.d/lldpd enable

Network

  • Switch
    • VLAN 1: LAN + WiFi
      uci set network.@switch_vlan[0].ports='0t 2 3' # CPU, LAN1, LAN2
    • VLAN 3: DMZ
      # New VLAN 3 for the DMZ: CPU and LAN1 tagged, LAN4 untagged
      uci add network switch_vlan
      v='network.@switch_vlan[-1]'
      uci set "$v.device=switch0"
      uci set "$v.vlan=3"
      uci set "$v.ports=0t 2t 5" # CPU, LAN1, LAN4
    • VLAN 4: VoIP
      # New VLAN 4 for VoIP: CPU and LAN1 tagged, LAN3 untagged
      uci add network switch_vlan
      v='network.@switch_vlan[-1]'
      uci set "$v.device=switch0"
      uci set "$v.vlan=4"
      uci set "$v.ports=0t 2t 4" # CPU, LAN1, LAN3
  • Interfaces
    • LAN
      # LAN rides on switch VLAN 1; this is the router's own LAN address
      lan=network.lan
      uci set "$lan.ifname=eth0.1"
      uci set "$lan.ipaddr=192.168.1.254"
    • WAN (PPPoE)
      wan=network.wan
      uci set "$wan.proto=pppoe"
      # PPPoE credentials; they are stored in /etc/config/network in clear text once committed
      uci set "$wan.username=$PPPUSERNAME"
      uci set "$wan.password=$PPPPASSWORD"
      # Let the PPPoE session also carry IPv6 if the provider offers it
      uci set "$wan.ipv6=auto"
    • Delete WAN6
      uci delete network.wan6
    • DMZ
      # DMZ network on switch VLAN 3, router address 192.168.3.254/24
      dmz=network.dmz
      uci set "$dmz=interface"
      uci set "$dmz.proto=static"
      uci set "$dmz.ifname=eth0.3"
      uci set "$dmz.ipaddr=192.168.3.254"
      uci set "$dmz.netmask=255.255.255.0"
    • VoIP
      # VoIP network on switch VLAN 4, router address 192.168.4.254/24
      voip=network.voip
      uci set "$voip=interface"
      uci set "$voip.proto=static"
      uci set "$voip.ifname=eth0.4"
      uci set "$voip.ipaddr=192.168.4.254"
      uci set "$voip.netmask=255.255.255.0"
    • IPv6 tunnel (HE.net)
      # HE.net 6in4 tunnel: endpoint address, our tunnel address and the routed /48 prefix
      t=network.henet
      uci set "$t=interface"
      uci set "$t.proto=6in4"
      uci set "$t.peeraddr=$HENET_peeraddr"
      uci set "$t.ip6addr=$HENET_ip6addr"
      uci set "$t.ip6prefix=$HENET_ip6prefix"
      # Account data used to update the tunnel endpoint; the "password" here is the HE update key
      uci set "$t.username=$HENET_username"
      uci set "$t.tunnelid=$HENET_tunnelid"
      uci set "$t.password=$HENET_updatekey"

      update-ip.sh

Wireless LAN

  • 2.4 GHz
    # 2.4 GHz radio: enable, fixed channel 6, 40 MHz
    r0=wireless.radio0
    uci delete "$r0.disabled"
    uci set "$r0.channel=6"
    uci set "$r0.htmode=HT40"
    w0='wireless.@wifi-iface[0]'
    uci set "$w0.ssid=$WLANSSID"
    # psk-mixed accepts WPA (TKIP) clients as well as WPA2; psk2 is the tighter choice if no legacy devices remain
    uci set "$w0.encryption=psk-mixed"
    uci set "$w0.key=$WLANKEY"
  • 5 GHz
    # 5 GHz radio: enable, 40 MHz, SSID is the 2.4 GHz name with a "5" suffix
    r1=wireless.radio1
    uci delete "$r1.disabled"
    uci set "$r1.htmode=HT40"
    w1='wireless.@wifi-iface[1]'
    uci set "$w1.ssid=${WLANSSID}5"
    # Same mixed WPA/WPA2 mode and key as the 2.4 GHz network
    uci set "$w1.encryption=psk-mixed"
    uci set "$w1.key=$WLANKEY"

Firewall

  • Zones
    • LAN: LAN + VoIP
      uci set firewall.@zone[0].network='lan voip'
    • WAN: WAN + HENET
      uci set firewall.@zone[1].network='wan henet'
    • DMZ
      # DMZ zone: traffic to the router and forwarding are rejected by default;
      # only the explicit forwardings and rules below open anything
      uci add firewall zone
      z='firewall.@zone[-1]'
      uci set "$z.name=dmz"
      uci set "$z.input=REJECT"
      uci set "$z.output=ACCEPT"
      uci set "$z.forward=REJECT"
      uci set "$z.network=dmz"
  • Rules
    • Forward: DMZ -> WAN
      # DMZ hosts may reach the Internet (one-way: WAN -> DMZ only via the DNAT entries below)
      uci add firewall forwarding
      f='firewall.@forwarding[-1]'
      uci set "$f.src=dmz"
      uci set "$f.dest=wan"
    • Forward: LAN -> DMZ
      # LAN may initiate connections into the DMZ; no forwarding DMZ -> LAN is defined
      uci add firewall forwarding
      f='firewall.@forwarding[-1]'
      uci set "$f.src=lan"
      uci set "$f.dest=dmz"
    • Allow DHCP requests from DMZ
      # DHCP from the DMZ to the router itself (rules without "dest" apply to traffic addressed to the router)
      uci add firewall rule
      r='firewall.@rule[-1]'
      uci set "$r.name=DMZ-DHCP"
      uci set "$r.src=dmz"
      uci set "$r.dest_port=67"
      uci set "$r.proto=udp"
      uci set "$r.target=ACCEPT"
      uci set "$r.enabled=1"
    • Allow DNS requests from DMZ
      # DNS from the DMZ to the router's dnsmasq, TCP and UDP
      uci add firewall rule
      r='firewall.@rule[-1]'
      uci set "$r.name=DMZ-DNS"
      uci set "$r.src=dmz"
      uci set "$r.dest_port=53"
      uci set "$r.proto=tcp udp"
      uci set "$r.target=ACCEPT"
      uci set "$r.enabled=1"
  • Port forwarding (DNAT)
    • SSH
      # WAN port 222 -> SSH on the DMZ host loki (192.168.3.5). This makes loki's sshd
      # Internet-reachable; whether it restricts auth to keys / rate-limits logins is not covered here
      uci add firewall redirect
      n='firewall.@redirect[-1]'
      uci set "$n.name=loki-ssh"
      uci set "$n.target=DNAT"
      uci set "$n.src=wan"
      uci set "$n.src_dport=222"
      uci set "$n.dest=dmz"
      uci set "$n.dest_ip=192.168.3.5"
      uci set "$n.dest_port=22"
      uci set "$n.proto=tcp"
      uci set "$n.enabled=1"
    • HTTPS
      # WAN port 8443 -> HTTPS (443) on the DMZ host loki
      uci add firewall redirect
      n='firewall.@redirect[-1]'
      uci set "$n.name=loki-https"
      uci set "$n.target=DNAT"
      uci set "$n.src=wan"
      uci set "$n.src_dport=8443"
      uci set "$n.dest=dmz"
      uci set "$n.dest_ip=192.168.3.5"
      uci set "$n.dest_port=443"
      uci set "$n.proto=tcp"
      uci set "$n.enabled=1"
    • VoIP traffic
      # UDP port-preserving DNAT entries from WAN to the PBX (192.168.4.100) in the VoIP net:
      # SIP signalling on 49060 and the RTP media range 49004-49008
      pbx_redirect() { # $1 = rule name, $2 = port or port range (same on both sides)
          uci add firewall redirect
          n='firewall.@redirect[-1]'
          uci set "$n.name=$1"
          uci set "$n.target=DNAT"
          uci set "$n.src=wan"
          uci set "$n.src_dport=$2"
          uci set "$n.dest=voip"
          uci set "$n.dest_ip=192.168.4.100"
          uci set "$n.dest_port=$2"
          uci set "$n.proto=udp"
          uci set "$n.enabled=1"
      }
      pbx_redirect pbx-sip 49060
      pbx_redirect pbx-rtp 49004-49008
    • UltraVNC Single Click
      # WAN port 55555 -> VNC listener (5500) on the LAN host 192.168.1.100 (the "defiant" static lease);
      # note this opens a path from WAN straight into the LAN zone
      uci add firewall redirect
      n='firewall.@redirect[-1]'
      uci set "$n.name=vnc-sc"
      uci set "$n.target=DNAT"
      uci set "$n.src=wan"
      uci set "$n.src_dport=55555"
      uci set "$n.dest=lan"
      uci set "$n.dest_ip=192.168.1.100"
      uci set "$n.dest_port=5500"
      uci set "$n.proto=tcp"
      uci set "$n.enabled=1"

Dynamic DNS (HE.net)

opkg install luci-app-ddns
# Remove the sample entries (presumably shipped with the package) before adding ours
uci delete ddns.myddns_ipv4
uci delete ddns.myddns_ipv6
d=ddns.ddns_wan
uci set "$d=service"
uci set "$d.domain=$DDNS_domain"
uci set "$d.service_name=he.net"
# For HE.net dynamic DNS the hostname itself is the username; the password is the per-host update key
uci set "$d.username=$DDNS_domain"
uci set "$d.password=$DDNS_password"
# Take the public address from the wan interface
uci set "$d.interface=wan"
uci set "$d.ip_source=network"
uci set "$d.ip_network=wan"
uci set "$d.enabled=1"

QoS / Bufferbloat

Speed test at: https://www.dslreports.com/speedtest

opkg install luci-app-sqm
# "eth1" is only the section name; the device actually shaped is eth0.2
q=sqm.eth1
uci set "$q.interface=eth0.2"
uci set "$q.ingress_ecn=ECN"
uci set "$q.egress_ecn=NOECN"
# Rates in kbit/s, taken from the speed test linked above
uci set "$q.download=12240" # Change me!
uci set "$q.upload=1024" # Change me!
uci set "$q.enabled=1"
  • For DSL:
    # ATM cell framing with 44 bytes of per-packet overhead
    q=sqm.eth1
    uci set "$q.linklayer=atm"
    uci set "$q.overhead=44"
  • For VDSL:
    # Ethernet framing with 8 bytes of per-packet overhead
    q=sqm.eth1
    uci set "$q.linklayer=ethernet"
    uci set "$q.overhead=8"
  • For Cable:
    # No link-layer adaptation; clear any overhead value set by one of the other variants
    q=sqm.eth1
    uci set "$q.linklayer=none"
    uci delete "$q.overhead"

USB storage

opkg install kmod-usb-storage usbutils \
    kmod-fs-f2fs f2fs-tools
# The init script is fetched over plain HTTP and enabled as root without any checksum or
# signature check; read the downloaded file (it is linked below as mountusb.sh) before enabling it
wget -P /etc/init.d http://files.dateihal.de/openwrt/mountusb.sh
chmod +x /etc/init.d/mountusb.sh
/etc/init.d/mountusb.sh enable

mountusb.sh

NFS server

opkg install nfs-kernel-server nfs-kernel-server-utils
# Comment out every existing export line (those starting with "/") before appending ours
sed -i '/^\// s/^/#/g' /etc/exports
# "*" exports to any client that can reach the NFS port; ro + all_squash keep the blast radius small,
# but a subnet pattern for the LAN instead of "*" would be the tighter choice
printf '%s\t*(ro,async,subtree_check,all_squash)\n' "$NFSDIR" >> /etc/exports
/etc/init.d/portmap enable
/etc/init.d/nfsd enable

DNS

  • DNSCrypt proxy
    # The resolver-list updater is fetched over plain HTTP and executed as root with no integrity
    # check; read the script (linked below as update-resolver.sh) before running it
    updater=/usr/local/bin/update-resolver.sh
    wget -P /usr/local/bin http://files.dateihal.de/openwrt/update-resolver.sh
    chmod +x "$updater"
    "$updater"
    opkg install dnscrypt-proxy
    p='dnscrypt-proxy.@dnscrypt-proxy[0]'
    # The CSV is presumably what the updater script writes
    uci set "$p.resolvers_list=/usr/local/etc/dnscrypt-resolvers.csv"
    uci set "$p.resolver=dnscrypt.eu-nl"
    # Nightly refresh at 03:33; note that re-running this block appends a second copy of the cron line
    (crontab -l -u root; printf '33 3 * * *\t[ -x %s ] && %s\n' "$updater" "$updater") | crontab -u root -
    /etc/init.d/dnscrypt-proxy enable
    #sed -i 's_^exit 0_sleep 10\n/etc/init.d/dnscrypt-proxy start\n&_' /etc/rc.local

    update-resolver.sh

  • DNSSEC resolver
    # Extra hosts file under /usr/local so it survives sysupgrade
    touch /usr/local/etc/hosts
    # The full dnsmasq build is required for DNSSEC validation
    opkg remove dnsmasq
    opkg install dnsmasq-full
    m='dhcp.@dnsmasq[0]'
    uci set "$m.domain=$DOMAIN"
    # Ignore upstreams from /etc/resolv.conf; all queries go to 127.0.0.1:5353 (presumably dnscrypt-proxy's listener)
    uci set "$m.noresolv=1"
    uci add_list "$m.addnhosts=/usr/local/etc/hosts"
    uci add_list "$m.server=127.0.0.1#5353"
    #uci add_list dhcp.@dnsmasq[0].server='84.200.69.80' # resolver1.dns.watch
    #uci add_list dhcp.@dnsmasq[0].server='91.239.100.100' # anycast.censurfridns.dk
    # Exception: pool.ntp.org is resolved via a plain upstream, presumably so that NTP (and with it
    # DNSSEC's time checks) can bootstrap before dnscrypt is usable
    uci add_list "$m.server=/pool.ntp.org/194.150.168.168" # dns.as250.net
    uci set "$m.dnssec=1"
    # Also require proof that an unsigned answer really comes from an unsigned zone
    uci set "$m.dnsseccheckunsigned=1"

DHCP

  • PXE server
    # dnsmasq's built-in TFTP server offers pxelinux.0 from the USB stick to PXE clients
    m='dhcp.@dnsmasq[0]'
    uci set "$m.enable_tftp=1"
    uci set "$m.dhcp_boot=pxelinux.0"
    uci set "$m.tftp_root=$TFTPDIR"
  • DHCP server
    • LAN
      # Dynamic pool 192.168.1.101-.199; the static leases below sit outside it
      uci set 'dhcp.lan.start=101'
      uci set 'dhcp.lan.limit=99'
    • DMZ
      # DHCP for the DMZ: pool 192.168.3.101-.199, 24 h leases
      uci add dhcp dhcp
      pool='dhcp.@dhcp[-1]'
      uci set "$pool.interface=dmz"
      uci set "$pool.start=101"
      uci set "$pool.limit=99"
      uci set "$pool.leasetime=24h"
    • VoIP
      # DHCP for VoIP: dynamicdhcp=0 means only hosts with a static lease (the pbx below) get an address
      uci add dhcp dhcp
      pool='dhcp.@dhcp[-1]'
      uci set "$pool.interface=voip"
      uci set "$pool.start=101"
      uci set "$pool.limit=99"
      uci set "$pool.leasetime=24h"
      uci set "$pool.dynamicdhcp=0"

Hosts & Aliases

  • core
    # "ntpserver" resolves to the router, which serves NTP (see the System section)
    uci add dhcp domain
    a='dhcp.@domain[-1]'
    uci set "$a.name=ntpserver"
    uci set "$a.ip=192.168.1.254"
  • filer
    # Static lease for filer plus a matching name entry
    uci add dhcp host
    h='dhcp.@host[-1]'
    uci set "$h.name=filer"
    uci set "$h.mac=1c:c1:de:18:86:6a"
    uci set "$h.ip=192.168.1.10"
    uci add dhcp domain
    a='dhcp.@domain[-1]'
    uci set "$a.name=filer"
    uci set "$a.ip=192.168.1.10"
  • filer-rac
    # Static lease for the filer's remote-access controller plus a matching name entry
    uci add dhcp host
    h='dhcp.@host[-1]'
    uci set "$h.name=filer-rac"
    uci set "$h.mac=d8:d3:85:af:7c:5e"
    uci set "$h.ip=192.168.1.11"
    uci add dhcp domain
    a='dhcp.@domain[-1]'
    uci set "$a.name=filer-rac"
    uci set "$a.ip=192.168.1.11"
  • defiant
    # Static lease for defiant; this is the LAN address the vnc-sc DNAT entry points at
    uci add dhcp host
    h='dhcp.@host[-1]'
    uci set "$h.name=defiant"
    uci set "$h.mac=38:60:77:90:d7:6f"
    uci set "$h.ip=192.168.1.100"
  • pbx
    # Static lease for the PBX in the VoIP net (the only address handed out there, see dynamicdhcp=0)
    uci add dhcp host
    h='dhcp.@host[-1]'
    uci set "$h.name=pbx"
    uci set "$h.mac=7c:2f:80:bf:20:65"
    uci set "$h.ip=192.168.4.100"
  • loki
    # Static lease for the DMZ host loki; loki, sesam and sync all resolve to it
    uci add dhcp host
    h='dhcp.@host[-1]'
    uci set "$h.name=loki"
    uci set "$h.mac=00:0d:b9:0e:5c:c0"
    uci set "$h.ip=192.168.3.5"
    for alias in loki sesam sync; do
        uci add dhcp domain
        uci set "dhcp.@domain[-1].name=$alias"
        uci set "dhcp.@domain[-1].ip=192.168.3.5"
    done