Parameters
# Site-specific values that the uci commands below expand with "$VAR".
# They must be set in the same shell session that runs those commands.
# Secrets are masked here and have to be filled in before use.
HOSTNAME='core'
DOMAIN='stelas.de'
TFTPDIR='/media/usb1/tftp'   # root of the dnsmasq TFTP server (PXE section)
NFSDIR='/media/usb1/nfs'     # directory exported by the NFS server section
WLANSSID='Heimdall'          # the 5 GHz network uses "${WLANSSID}5"
WLANKEY='********'           # shared by both radios
PPPUSERNAME='*********@easybell.de'
PPPPASSWORD='********'
HENET_username='stelas'
HENET_tunnelid='529812'
HENET_updatekey='****************'   # stored as network.henet.password
HENET_peeraddr='216.66.80.30'
HENET_ip6addr='2001:470:1f0a:169b::2/64'
HENET_ip6prefix='2001:470:9b13::/48'
DDNS_domain='home.dyn.codehal.de'    # doubles as the ddns username
DDNS_password='****************'
System
- LuCI + IPv6
# Web UI over TLS, IPv6 protocol support for LuCI and the 6in4 tunnel handler.
opkg install luci-ssl luci-proto-ipv6 6in4
# Bind uhttpd to the LAN address only (set further down as network.lan.ipaddr),
# so the management UI is not reachable via the WAN, VoIP or DMZ addresses.
uci set uhttpd.main.listen_http='192.168.1.254:80'
uci set uhttpd.main.listen_https='192.168.1.254:443'
# Subject name of the self-signed certificate uhttpd generates.
uci set uhttpd.defaults.commonname="$HOSTNAME.$DOMAIN"
- Filesystem
# Local scripts/config live under /usr/local; listing it in sysupgrade.conf
# keeps it across firmware upgrades.
mkdir -p /usr/local/bin /usr/local/etc
echo '/usr/local/' >> /etc/sysupgrade.conf
- Hostname, Timezone
uci set system.@system[0].hostname="$HOSTNAME"
# POSIX TZ string for Central European time with DST; zonename is the
# human-readable counterpart shown in LuCI.
uci set system.@system[0].timezone='CET-1CEST,M3.5.0,M10.5.0/3'
uci set system.@system[0].zonename='Europe/Berlin'
# Make the SSH daemon listen on the LAN interface only, not on WAN/VoIP/DMZ.
uci set dropbear.@dropbear[0].Interface='lan'
- NTP
# Act as NTP server for the local networks and sync from the German pool.
# 'set' replaces the stock server list with the first entry; the loop
# appends the remaining pool hosts.
uci set system.ntp.enable_server=1
uci set system.ntp.server='0.de.pool.ntp.org'
for i in 1 2 3; do
    uci add_list system.ntp.server="$i.de.pool.ntp.org"
done
Switch
TP-Link TL-WDR3600
| VLAN ID    | CPU/eth0 (Port 0) | LAN 1 (Port 2) | LAN 2 (Port 3) | LAN 3 (Port 4) | LAN 4 (Port 5) | WAN (Port 1) |
|------------|-------------------|----------------|----------------|----------------|----------------|--------------|
| 1 (LAN)    | T                 | U              | U              | -              | -              | -            |
| 2 (WAN)    | T                 | -              | -              | -              | -              | U            |
| 110 (VoIP) | T                 | T              | -              | U              | -              | -            |
| 200 (DMZ)  | T                 | T              | -              | -              | U              | -            |
- VLAN 1: LAN + WiFi
uci set network.@switch_vlan[0].ports='0t 2 3' # CPU, LAN1, LAN2
- VLAN 110: VoIP
# @switch_vlan[-1] addresses the section created by 'uci add', so these
# lines must be run together and in this order.
uci add network switch_vlan
uci set network.@switch_vlan[-1].device='switch0'
uci set network.@switch_vlan[-1].vlan=110
# LAN1 is a trunk (VoIP tagged), LAN3 is the untagged VoIP access port.
uci set network.@switch_vlan[-1].ports='0t 2t 4' # CPU, LAN1, LAN3
- VLAN 200: DMZ
# @switch_vlan[-1] addresses the section created by 'uci add', so these
# lines must be run together and in this order.
uci add network switch_vlan
uci set network.@switch_vlan[-1].device='switch0'
uci set network.@switch_vlan[-1].vlan=200
# LAN1 is a trunk (DMZ tagged), LAN4 is the untagged DMZ access port.
uci set network.@switch_vlan[-1].ports='0t 2t 5' # CPU, LAN1, LAN4
Xiaomi Mi Router 3G
| VLAN ID    | CPU/eth0 (Port 6) | LAN 1 (Port 3) | LAN 2 (Port 2) | WAN (Port 1) |
|------------|-------------------|----------------|----------------|--------------|
| 1 (LAN)    | T                 | U              | -              | -            |
| 2 (WAN)    | T                 | -              | -              | U            |
| 110 (VoIP) | T                 | T              | U              | -            |
| 200 (DMZ)  | T                 | T              | -              | -            |
- VLAN 1: LAN + WiFi
uci set network.@switch_vlan[0].ports='6t 3' # CPU, LAN1
- VLAN 110: VoIP
# @switch_vlan[-1] addresses the section created by 'uci add', so these
# lines must be run together and in this order.
uci add network switch_vlan
uci set network.@switch_vlan[-1].device='switch0'
uci set network.@switch_vlan[-1].vlan=110
# LAN1 is a trunk (VoIP tagged), LAN2 is the untagged VoIP access port.
uci set network.@switch_vlan[-1].ports='6t 3t 2' # CPU, LAN1, LAN2
- VLAN 200: DMZ
# @switch_vlan[-1] addresses the section created by 'uci add', so these
# lines must be run together and in this order.
uci add network switch_vlan
uci set network.@switch_vlan[-1].device='switch0'
uci set network.@switch_vlan[-1].vlan=200
# DMZ exists only as a tagged VLAN on the LAN1 trunk here; this board has
# no untagged DMZ access port.
uci set network.@switch_vlan[-1].ports='6t 3t' # CPU, LAN1
Network
- LAN
# LAN rides on VLAN 1 of the switch; this address is the one uhttpd and
# the 'ntpserver' alias refer to.
uci set network.lan.ifname='eth0.1'
uci set network.lan.ipaddr='192.168.1.254'
- WAN (PPPoE)
# PPPoE uplink; credentials come from the Parameters block.
uci set network.wan.proto='pppoe'
uci set network.wan.username="$PPPUSERNAME"
uci set network.wan.password="$PPPPASSWORD"
# Let the PPP session negotiate IPv6 by itself (the separate wan6 interface
# is removed below; global IPv6 comes from the HE.net tunnel).
uci set network.wan.ipv6='auto'
- Delete WAN6
uci delete network.wan6
- VoIP
# VoIP segment on VLAN 110, router address .254/24. Note that the firewall
# section places this interface in the LAN zone, i.e. it is fully trusted.
uci set network.voip='interface'
uci set network.voip.proto='static'
uci set network.voip.ifname='eth0.110'
uci set network.voip.ipaddr='192.168.110.254'
uci set network.voip.netmask='255.255.255.0'
- DMZ
# DMZ segment on VLAN 200, router address .254/24; gets its own firewall
# zone with restricted input/forward below.
uci set network.dmz='interface'
uci set network.dmz.proto='static'
uci set network.dmz.ifname='eth0.200'
uci set network.dmz.ipaddr='192.168.200.254'
uci set network.dmz.netmask='255.255.255.0'
- IPv6 tunnel (HE.net)
# Hurricane Electric 6in4 tunnel: peeraddr is the HE endpoint, ip6addr the
# tunnel's own address and ip6prefix the routed /48 handed out to the LAN.
uci set network.henet='interface'
uci set network.henet.proto='6in4'
uci set network.henet.peeraddr="$HENET_peeraddr"
uci set network.henet.ip6addr="$HENET_ip6addr"
uci set network.henet.ip6prefix="$HENET_ip6prefix"
# username/tunnelid/password are the credentials the 6in4 handler uses to
# update the tunnel endpoint; the HE "update key" goes into 'password'.
uci set network.henet.username="$HENET_username"
uci set network.henet.tunnelid="$HENET_tunnelid"
uci set network.henet.password="$HENET_updatekey"
update-ip.sh
Wireless LAN
- 2.4 GHz
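# 2.4 GHz radio: enable it, fixed channel 6, 40 MHz channel width.
uci delete wireless.radio0.disabled
uci set wireless.radio0.channel=6
uci set wireless.radio0.htmode='HT40'
uci set wireless.@wifi-iface[0].ssid="$WLANSSID"
# WPA2-PSK only. The previous 'psk-mixed' also accepted WPA(1)/TKIP clients,
# so a single legacy client could pull the whole network down to TKIP.
# Go back to 'psk-mixed' only if a device that cannot do WPA2 must join.
uci set wireless.@wifi-iface[0].encryption='psk2'
uci set wireless.@wifi-iface[0].key="$WLANKEY"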
- 5 GHz
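# 5 GHz radio: enable it with 40 MHz channel width (channel left to auto).
uci delete wireless.radio1.disabled
uci set wireless.radio1.htmode='HT40'
# Separate SSID ("<WLANSSID>5") sharing the same key as the 2.4 GHz network.
uci set wireless.@wifi-iface[1].ssid="${WLANSSID}5"
# WPA2-PSK only. The previous 'psk-mixed' also accepted WPA(1)/TKIP clients,
# so a single legacy client could pull the whole network down to TKIP.
# Go back to 'psk-mixed' only if a device that cannot do WPA2 must join.
uci set wireless.@wifi-iface[1].encryption='psk2'
uci set wireless.@wifi-iface[1].key="$WLANKEY"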
Firewall
- Zones
- LAN: LAN + VoIP
uci set firewall.@zone[0].network='lan voip'
- WAN: WAN + HENET
uci set firewall.@zone[1].network='wan henet'
- DMZ
# Dedicated DMZ zone. input=REJECT: the router accepts nothing from DMZ hosts
# except what the explicit rules below allow (DHCP, DNS). forward=REJECT:
# DMZ hosts cannot reach any other zone unless a forwarding entry permits it.
# @zone[-1] refers to the zone just added; keep these lines together.
uci add firewall zone
uci set firewall.@zone[-1].name='dmz'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].network='dmz'
- Rules
- Forward: LAN -> DMZ
# One-way: LAN clients may open connections into the DMZ. There is
# deliberately no dmz->lan forwarding, so DMZ hosts cannot initiate
# anything toward the LAN/VoIP segments.
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='dmz'
- Forward: DMZ -> WAN
# DMZ hosts may reach the Internet (WAN zone, which also holds the HE.net
# tunnel).
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='dmz'
uci set firewall.@forwarding[-1].dest='wan'
- Allow DHCP requests from DMZ
# A rule with 'src' but no 'dest' targets the router itself: allow DHCP
# (UDP/67) from the DMZ so its hosts can get their static leases.
uci add firewall rule
uci set firewall.@rule[-1].name='DMZ-DHCP'
uci set firewall.@rule[-1].src='dmz'
uci set firewall.@rule[-1].dest_port=67
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].enabled=1
- Allow DNS requests from DMZ
# Allow DMZ hosts to use the router's dnsmasq (and through it the
# DNS-over-TLS upstreams) on TCP and UDP 53.
uci add firewall rule
uci set firewall.@rule[-1].name='DMZ-DNS'
uci set firewall.@rule[-1].src='dmz'
uci set firewall.@rule[-1].dest_port=53
uci set firewall.@rule[-1].proto='tcp udp'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].enabled=1
- Port forwarding (DNAT)
- UltraVNC Single Click
# WAN:55555 -> defiant (192.168.1.100):5500, the listener side of an
# UltraVNC Single Click session. This is reachable from any Internet host
# whenever enabled=1; NOTE(review): consider a src_ip restriction, or
# keeping it at enabled=0 and switching it on only for a session.
uci add firewall redirect
uci set firewall.@redirect[-1].name='vnc-sc'
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].src_dport=55555
uci set firewall.@redirect[-1].dest='lan'
uci set firewall.@redirect[-1].dest_ip='192.168.1.100'
uci set firewall.@redirect[-1].dest_port=5500
uci set firewall.@redirect[-1].proto='tcp'
uci set firewall.@redirect[-1].enabled=1
- VoIP traffic
# SIP signalling and a small RTP range forwarded from the WAN to the PBX
# (192.168.110.100, static lease 'pbx'). The PBX lives in the LAN zone, so
# whatever is reachable on these ports is reachable from the Internet with
# LAN-level trust behind it; keep the PBX patched and its SIP accounts
# strong, or move 'voip' into its own zone.
uci add firewall redirect
uci set firewall.@redirect[-1].name='pbx-sip'
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].src_dport=49060
uci set firewall.@redirect[-1].dest='voip'
uci set firewall.@redirect[-1].dest_ip='192.168.110.100'
uci set firewall.@redirect[-1].dest_port=49060
uci set firewall.@redirect[-1].proto='udp'
uci set firewall.@redirect[-1].enabled=1
# RTP media ports; the range must match what the PBX is configured to use.
uci add firewall redirect
uci set firewall.@redirect[-1].name='pbx-rtp'
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].src_dport='49004-49008'
uci set firewall.@redirect[-1].dest='voip'
uci set firewall.@redirect[-1].dest_ip='192.168.110.100'
uci set firewall.@redirect[-1].dest_port='49004-49008'
uci set firewall.@redirect[-1].proto='udp'
uci set firewall.@redirect[-1].enabled=1
- SSH
# WAN:222 -> loki (192.168.200.5, DMZ):22. The non-standard outside port
# only reduces log noise, not exposure; loki's sshd should accept key-based
# authentication only.
uci add firewall redirect
uci set firewall.@redirect[-1].name='loki-ssh'
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].src_dport=222
uci set firewall.@redirect[-1].dest='dmz'
uci set firewall.@redirect[-1].dest_ip='192.168.200.5'
uci set firewall.@redirect[-1].dest_port=22
uci set firewall.@redirect[-1].proto='tcp'
uci set firewall.@redirect[-1].enabled=1
- HTTPS
# WAN:8443 -> loki (192.168.200.5, DMZ):443. Because the DMZ zone has no
# forwarding toward the LAN, a compromised loki is confined to DMZ + WAN.
uci add firewall redirect
uci set firewall.@redirect[-1].name='loki-https'
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].src_dport=8443
uci set firewall.@redirect[-1].dest='dmz'
uci set firewall.@redirect[-1].dest_ip='192.168.200.5'
uci set firewall.@redirect[-1].dest_port=443
uci set firewall.@redirect[-1].proto='tcp'
uci set firewall.@redirect[-1].enabled=1
Dynamic DNS (HE.net)
opkg install luci-app-ddns
# Drop the sample entries shipped with the package.
uci delete ddns.myddns_ipv4
uci delete ddns.myddns_ipv6
uci set ddns.ddns_wan='service'
uci set ddns.ddns_wan.domain="$DDNS_domain"
uci set ddns.ddns_wan.service_name='he.net'
# HE.net dynamic DNS authenticates with the hostname as username and the
# per-record update key as password.
uci set ddns.ddns_wan.username="$DDNS_domain"
uci set ddns.ddns_wan.password="$DDNS_password"
# Take the address to publish from the wan interface itself (not from an
# external "what is my IP" lookup).
uci set ddns.ddns_wan.interface='wan'
uci set ddns.ddns_wan.ip_source='network'
uci set ddns.ddns_wan.ip_network='wan'
uci set ddns.ddns_wan.enabled=1
QoS / Bufferbloat
Speed test at: https://www.dslreports.com/speedtest
opkg install luci-app-sqm
# The section keeps the package's default name 'eth1' but shapes eth0.2, the
# WAN VLAN. NOTE(review): with PPPoE on wan, traffic also passes through the
# pppoe-wan interface; confirm which of the two gives the intended overhead
# accounting.
uci set sqm.eth1.interface='eth0.2'
uci set sqm.eth1.qdisc='cake'
uci set sqm.eth1.script='piece_of_cake.qos'
uci set sqm.eth1.ingress_ecn='ECN'
uci set sqm.eth1.egress_ecn='NOECN'
# Rates in kbit/s, set just below the measured line speed so the router,
# not the ISP's buffer, is the bottleneck.
uci set sqm.eth1.download=12240 # 95% of the measured speed
uci set sqm.eth1.upload=1024 # 95% of the measured speed
uci set sqm.eth1.enabled=1
- For DSL:
# Pick exactly one of the three link-layer variants (DSL / VDSL / Cable).
uci set sqm.eth1.linklayer='atm'
uci set sqm.eth1.overhead=44
- For VDSL:
# Pick exactly one of the three link-layer variants (DSL / VDSL / Cable).
uci set sqm.eth1.linklayer='ethernet'
uci set sqm.eth1.overhead=34
- For Cable:
# Pick exactly one of the three link-layer variants (DSL / VDSL / Cable).
uci set sqm.eth1.linklayer='ethernet'
uci set sqm.eth1.overhead=22
DNS
- Upgrade Dnsmasq
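# Replace the stock dnsmasq with dnsmasq-full (needed for the DNSSEC options
# below). Download first and remove the old package only after the download
# succeeded, so a failed fetch cannot leave the router without a resolver;
# the subshell keeps the working directory of the calling shell untouched.
( cd /tmp &&
  opkg install dnsmasq-full --download-only &&
  opkg remove dnsmasq &&
  opkg install dnsmasq-full --cache . &&
  rm -f ./*.ipk )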
- DNS-over-TLS resolver
# Local hosts file that survives sysupgrade (see the Filesystem section).
touch /usr/local/etc/hosts
opkg install stubby
uci set dhcp.@dnsmasq[0].domain="$DOMAIN"
# Ignore the resolvers learned from the PPPoE session; only the servers
# listed here are used.
uci set dhcp.@dnsmasq[0].noresolv=1
uci add_list dhcp.@dnsmasq[0].addnhosts='/usr/local/etc/hosts'
# Forward everything to stubby (DNS-over-TLS) on the loopback; the port has
# to match stubby's listen address.
uci add_list dhcp.@dnsmasq[0].server='127.0.0.1#5453'
# Exception: pool.ntp.org is resolved in the clear at the same provider's
# port-53 service, presumably so the clock can be set before TLS/DNSSEC
# validation (which needs a correct time) is possible — TODO confirm.
uci add_list dhcp.@dnsmasq[0].server='/pool.ntp.org/46.182.19.48' # dns2.digitalcourage.de
# Validate DNSSEC locally and treat missing signatures as a failure for
# zones that are supposed to be signed.
uci set dhcp.@dnsmasq[0].dnssec=1
uci set dhcp.@dnsmasq[0].dnsseccheckunsigned=1
# Throw away the resolvers the stubby package ships with and configure the
# chosen DNS-over-TLS upstreams. Each entry is "address tls_auth_name"; the
# auth name is what stubby checks the server certificate against.
until ! uci delete stubby.@resolver[]; do :; done
for upstream in \
    '2a02:2970:1002::18 dns2.digitalcourage.de' \
    '46.182.19.48 dns2.digitalcourage.de' \
    '2001:67c:28a4::0 anycast.censurfridns.dk' \
    '91.239.100.100 anycast.censurfridns.dk'
do
    uci add stubby resolver
    uci set stubby.@resolver[-1].address="${upstream%% *}"
    uci set stubby.@resolver[-1].tls_auth_name="${upstream#* }"
done
/etc/init.d/stubby enable
- Ad blocking
# adblock plus TLS support and CA certificates so the block lists can be
# fetched over HTTPS.
opkg install adblock luci-app-adblock libustream-mbedtls ca-bundle ca-certificates
uci set adblock.global.adb_enabled=1
# Refresh the lists daily at 04:00; the pipeline appends to root's existing
# crontab (the 'crontab -l' error on a missing crontab is harmless).
(crontab -l -u root; echo -e '0 4 * * *\t/etc/init.d/adblock reload') | crontab -u root -
DHCP server
- LAN
# Dynamic pool 192.168.1.101-.199; the static leases below (.10, .11, .100)
# sit outside it.
uci set dhcp.lan.start=101
uci set dhcp.lan.limit=99
- VoIP
# DHCP on the VoIP segment. dynamicdhcp=0 means only hosts with a static
# lease entry (e.g. 'pbx' below) get an address; unknown devices get nothing.
uci add dhcp dhcp
uci set dhcp.@dhcp[-1].interface='voip'
uci set dhcp.@dhcp[-1].start=101
uci set dhcp.@dhcp[-1].limit=99
uci set dhcp.@dhcp[-1].leasetime='24h'
uci set dhcp.@dhcp[-1].dynamicdhcp=0
- DMZ
# DHCP on the DMZ. dynamicdhcp=0 means only hosts with a static lease entry
# (e.g. 'loki' below) get an address; unknown devices get nothing.
uci add dhcp dhcp
uci set dhcp.@dhcp[-1].interface='dmz'
uci set dhcp.@dhcp[-1].start=101
uci set dhcp.@dhcp[-1].limit=99
uci set dhcp.@dhcp[-1].leasetime='24h'
uci set dhcp.@dhcp[-1].dynamicdhcp=0
Hosts & Aliases
- core
# Static DNS entry: 'ntpserver' resolves to the router's LAN address.
uci add dhcp domain
uci set dhcp.@domain[-1].name='ntpserver'
uci set dhcp.@domain[-1].ip='192.168.1.254'
- filer
# Static lease pinned to the MAC, plus an explicit DNS entry so the name
# resolves independently of an active lease.
uci add dhcp host
uci set dhcp.@host[-1].name='filer'
uci set dhcp.@host[-1].mac='1c:c1:de:18:86:6a'
uci set dhcp.@host[-1].ip='192.168.1.10'
uci add dhcp domain
uci set dhcp.@domain[-1].name='filer'
uci set dhcp.@domain[-1].ip='192.168.1.10'
- filer-rac
# Static lease pinned to the MAC, plus an explicit DNS entry so the name
# resolves independently of an active lease.
uci add dhcp host
uci set dhcp.@host[-1].name='filer-rac'
uci set dhcp.@host[-1].mac='d8:d3:85:af:7c:5e'
uci set dhcp.@host[-1].ip='192.168.1.11'
uci add dhcp domain
uci set dhcp.@domain[-1].name='filer-rac'
uci set dhcp.@domain[-1].ip='192.168.1.11'
- defiant
# Static lease for defiant; this is the host behind the 'vnc-sc' redirect.
uci add dhcp host
uci set dhcp.@host[-1].name='defiant'
uci set dhcp.@host[-1].mac='38:60:77:90:d7:6f'
uci set dhcp.@host[-1].ip='192.168.1.100'
- pbx
# Static lease for the PBX on the VoIP segment (target of the pbx-sip and
# pbx-rtp redirects). Because voip uses dynamicdhcp=0, this entry is what
# lets the PBX get an address at all.
uci add dhcp host
uci set dhcp.@host[-1].name='pbx'
uci set dhcp.@host[-1].mac='7c:2f:80:bf:20:65'
uci set dhcp.@host[-1].ip='192.168.110.100'
- loki
# Static lease plus DNS entry for loki in the DMZ (target of the loki-ssh
# and loki-https redirects). The DMZ uses dynamicdhcp=0, so this entry is
# what lets loki get an address.
uci add dhcp host
uci set dhcp.@host[-1].name='loki'
uci set dhcp.@host[-1].mac='00:0d:b9:0e:5c:c0'
uci set dhcp.@host[-1].ip='192.168.200.5'
uci add dhcp domain
uci set dhcp.@domain[-1].name='loki'
uci set dhcp.@domain[-1].ip='192.168.200.5'
Optional
Tcpdump, LLDP
# Packet capture for troubleshooting and LLDP neighbour discovery.
# NOTE(review): lldpd announces the router's identity on the interfaces it
# runs on, which by default presumably includes the DMZ/VoIP ports — confirm
# that is wanted or restrict it in its config.
opkg install tcpdump-mini lldpd
/etc/init.d/lldpd enable
USB storage
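opkg install kmod-usb-storage usbutils kmod-fs-f2fs f2fs-tools
# The mount helper is fetched over plain HTTP and will run as root on every
# boot. Download it to a scratch location and read it (or compare it with a
# checksum obtained out of band) before it is installed as an init script,
# instead of writing it straight into /etc/init.d.
wget -O /tmp/mountusb.sh http://files.dateihal.de/openwrt/mountusb.sh
# ... inspect /tmp/mountusb.sh here ...
cp /tmp/mountusb.sh /etc/init.d/mountusb.sh
chmod +x /etc/init.d/mountusb.sh
/etc/init.d/mountusb.sh enable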
mountusb.sh
NFS server
opkg install nfs-kernel-server nfs-kernel-server-utils
# Comment out every existing export (lines starting with '/').
sed -i '/^\// s/^/#/g' /etc/exports
# Read-only export with all clients mapped to the anonymous user. The '*'
# allows any client address; what keeps it off the WAN and the DMZ is only
# the firewall (WAN/DMZ zone input is not ACCEPT), so restricting it to the
# LAN subnet here would add a second line of defence.
echo -e "$NFSDIR\t*(ro,async,subtree_check,all_squash)" >> /etc/exports
/etc/init.d/portmap enable
/etc/init.d/nfsd enable
Package mirror
PXE server
# TFTP served by dnsmasq (read-only, unauthenticated): everything below
# TFTPDIR is readable by any host on the networks dnsmasq serves, so keep
# only boot files there. dhcp_boot names the file PXE clients are told to
# load.
uci set dhcp.@dnsmasq[0].enable_tftp=1
uci set dhcp.@dnsmasq[0].dhcp_boot='pxelinux.0'
uci set dhcp.@dnsmasq[0].tftp_root="$TFTPDIR"