LEDE Router Setup

Parameters

# Site-specific parameters; the commands below reference them via "$VAR".
# Values shown as '********' are redacted secrets (WPA key, PPPoE, tunnel and DDNS
# credentials) and have to be filled in on the router itself.
HOSTNAME='core'
DOMAIN='stelas.de'
# Directories on the USB stick used by the optional PXE/TFTP and NFS sections.
TFTPDIR='/media/usb1/tftp'
NFSDIR='/media/usb1/nfs'
WLANSSID='Heimdall'
WLANKEY='********'
PPPUSERNAME='*********@easybell.de'
PPPPASSWORD='********'
# HE.net 6in4 tunnel. The update key (not the account password) is what the
# network section writes into network.henet.password.
HENET_username='stelas'
HENET_tunnelid='529812'
HENET_updatekey='****************'
HENET_peeraddr='216.66.80.30'
HENET_ip6addr='2001:470:1f0a:169b::2/64'
HENET_ip6prefix='2001:470:9b13::/48'
# HE.net dynamic DNS; the DDNS section uses the domain as the username too.
DDNS_domain='home.dyn.codehal.de'
DDNS_password='****************'

System

  • LuCI + IPv6
    # luci-ssl provides HTTPS for the web UI; luci-proto-ipv6 and 6in4 are
    # needed for the HE.net tunnel configured in the Network section.
    opkg install luci-ssl luci-proto-ipv6 6in4
    # Bind uhttpd to the LAN address only instead of every interface address.
    # Reachability from the VoIP/DMZ subnets is then decided by the firewall zones.
    uci set uhttpd.main.listen_http='192.168.1.254:80'
    uci set uhttpd.main.listen_https='192.168.1.254:443'
    # CN used when uhttpd generates its self-signed certificate.
    # NOTE(review): consider uhttpd.main.redirect_https=1 so the UI is only used over TLS.
    uci set uhttpd.defaults.commonname="$HOSTNAME.$DOMAIN"
  • Filesystem
    # /usr/local holds local scripts and the extra hosts file used by dnsmasq
    # (see the DNS section); listing it in sysupgrade.conf preserves it across sysupgrade.
    mkdir -p /usr/local/bin /usr/local/etc
    echo '/usr/local/' >> /etc/sysupgrade.conf
  • Hostname, Timezone
    uci set system.@system[0].hostname="$HOSTNAME"
    uci set system.@system[0].timezone='CET-1CEST,M3.5.0,M10.5.0/3'
    uci set system.@system[0].zonename='Europe/Berlin'
    # Dropbear (SSH) listens on the lan interface only; SSH from WAN/DMZ is not offered.
    uci set dropbear.@dropbear[0].Interface='lan'
  • NTP
    # The router serves NTP to the local networks (the 'ntpserver' DNS alias in
    # "Hosts & Aliases" points at it) and syncs itself from the German pool.
    uci set system.ntp.enable_server=1
    uci set system.ntp.server='0.de.pool.ntp.org'
    uci add_list system.ntp.server='1.de.pool.ntp.org'
    uci add_list system.ntp.server='2.de.pool.ntp.org'
    uci add_list system.ntp.server='3.de.pool.ntp.org'

Switch

TP-Link TL-WDR3600

| VLAN ID    | CPU/eth0 (Port 0) | LAN 1 (Port 2) | LAN 2 (Port 3) | LAN 3 (Port 4) | LAN 4 (Port 5) | WAN (Port 1) |
|------------|-------------------|----------------|----------------|----------------|----------------|--------------|
| 1 (LAN)    | T                 | U              | U              | -              | -              | -            |
| 2 (WAN)    | T                 | -              | -              | -              | -              | U            |
| 110 (VoIP) | T                 | T              | -              | U              | -              | -            |
| 200 (DMZ)  | T                 | T              | -              | -              | U              | -            |
  • VLAN 1: LAN + WiFi
    # As in the table: CPU tagged, LAN1 and LAN2 untagged members of VLAN 1.
    uci set network.@switch_vlan[0].ports='0t 2 3' # CPU, LAN1, LAN2
  • VLAN 110: VoIP
    # LAN1 (port 2) carries VLAN 1 untagged plus 110/200 tagged, i.e. it is a trunk.
    # NOTE(review): whatever is plugged into LAN1 can reach the VoIP and DMZ VLANs by
    # sending tagged frames, so the VLAN separation relies on that device being trusted.
    uci add network switch_vlan
    uci set network.@switch_vlan[-1].device='switch0'
    uci set network.@switch_vlan[-1].vlan=110
    uci set network.@switch_vlan[-1].ports='0t 2t 4' # CPU, LAN1, LAN3
  • VLAN 200: DMZ
    # LAN4 (port 5) is the untagged DMZ port.
    uci add network switch_vlan
    uci set network.@switch_vlan[-1].device='switch0'
    uci set network.@switch_vlan[-1].vlan=200
    uci set network.@switch_vlan[-1].ports='0t 2t 5' # CPU, LAN1, LAN4

Xiaomi Mi Router 3G

| VLAN ID    | CPU/eth0 (Port 6) | LAN 1 (Port 3) | LAN 2 (Port 2) | WAN (Port 1) |
|------------|-------------------|----------------|----------------|--------------|
| 1 (LAN)    | T                 | U              | -              | -            |
| 2 (WAN)    | T                 | -              | -              | U            |
| 110 (VoIP) | T                 | T              | U              | -            |
| 200 (DMZ)  | T                 | T              | -              | -            |
  • VLAN 1: LAN + WiFi
    # The Xiaomi switch uses port 6 for the CPU; only LAN1 is an untagged LAN member.
    uci set network.@switch_vlan[0].ports='6t 3' # CPU, LAN1
  • VLAN 110: VoIP
    # LAN1 (port 3) is the trunk (VLAN 1 untagged, 110/200 tagged); LAN2 is the untagged VoIP port.
    # NOTE(review): as on the TL-WDR3600, a device on LAN1 can join VoIP/DMZ via tagged frames.
    uci add network switch_vlan
    uci set network.@switch_vlan[-1].device='switch0'
    uci set network.@switch_vlan[-1].vlan=110
    uci set network.@switch_vlan[-1].ports='6t 3t 2' # CPU, LAN1, LAN2
  • VLAN 200: DMZ
    # No untagged DMZ port on this model; the DMZ exists only tagged on the trunk.
    uci add network switch_vlan
    uci set network.@switch_vlan[-1].device='switch0'
    uci set network.@switch_vlan[-1].vlan=200
    uci set network.@switch_vlan[-1].ports='6t 3t' # CPU, LAN1

Network

  • LAN
    # eth0.1 is VLAN 1 from the switch section; the router's LAN address is also
    # where uhttpd and the NTP alias live.
    uci set network.lan.ifname='eth0.1'
    uci set network.lan.ipaddr='192.168.1.254'
  • WAN (PPPoE)
    # Credentials come from the Parameters section and end up in plain text in
    # /etc/config/network, as is usual for PPPoE on this platform.
    uci set network.wan.proto='pppoe'
    uci set network.wan.username="$PPPUSERNAME"
    uci set network.wan.password="$PPPPASSWORD"
    uci set network.wan.ipv6='auto'
  • Delete WAN6
    # The default wan6 stanza is removed; presumably IPv6 is expected to come from the
    # HE.net tunnel below rather than from the PPPoE session — confirm.
    uci delete network.wan6
  • VoIP
    # Dedicated /24 on VLAN 110; what it may reach is decided in the Firewall section.
    uci set network.voip='interface'
    uci set network.voip.proto='static'
    uci set network.voip.ifname='eth0.110'
    uci set network.voip.ipaddr='192.168.110.254'
    uci set network.voip.netmask='255.255.255.0'
  • DMZ
    # Dedicated /24 on VLAN 200 for the internet-facing host (loki, see Hosts & Aliases).
    uci set network.dmz='interface'
    uci set network.dmz.proto='static'
    uci set network.dmz.ifname='eth0.200'
    uci set network.dmz.ipaddr='192.168.200.254'
    uci set network.dmz.netmask='255.255.255.0'
  • IPv6 tunnel (HE.net)
    uci set network.henet='interface'
    uci set network.henet.proto='6in4'
    uci set network.henet.peeraddr="$HENET_peeraddr"
    uci set network.henet.ip6addr="$HENET_ip6addr"
    uci set network.henet.ip6prefix="$HENET_ip6prefix"
    # username/tunnelid/password are used by the 6in4 proto to update the tunnel's
    # client endpoint; the tunnel update key is what is stored as password here.
    uci set network.henet.username="$HENET_username"
    uci set network.henet.tunnelid="$HENET_tunnelid"
    uci set network.henet.password="$HENET_updatekey"

    update-ip.sh

Wireless LAN

  • 2.4 GHz
    # Radios ship disabled; deleting the flag enables them.
    uci delete wireless.radio0.disabled
    uci set wireless.radio0.channel=6
    uci set wireless.radio0.htmode='HT40'
    uci set wireless.@wifi-iface[0].ssid="$WLANSSID"
    # NOTE(review): psk-mixed also accepts WPA/TKIP clients; unless legacy devices need it,
    # 'psk2' restricts the network to WPA2. Same applies to the 5 GHz interface below.
    uci set wireless.@wifi-iface[0].encryption='psk-mixed'
    uci set wireless.@wifi-iface[0].key="$WLANKEY"
  • 5 GHz
    # Separate SSID (suffix "5") but the same passphrase as 2.4 GHz.
    uci delete wireless.radio1.disabled
    uci set wireless.radio1.htmode='HT40'
    uci set wireless.@wifi-iface[1].ssid="${WLANSSID}5"
    uci set wireless.@wifi-iface[1].encryption='psk-mixed'
    uci set wireless.@wifi-iface[1].key="$WLANKEY"

Firewall

  • Zones
    • LAN: LAN + VoIP
      # voip is placed in the lan zone, so VoIP hosts get the same reach as LAN clients.
      # NOTE(review): the PBX in that VLAN receives DNAT'd traffic from WAN (see Port forwarding);
      # a separate voip zone with explicit forwardings would contain it better.
      uci set firewall.@zone[0].network='lan voip'
    • WAN: WAN + HENET
      # The 6in4 tunnel is treated as WAN, so the IPv6 side gets the same input/forward policy.
      uci set firewall.@zone[1].network='wan henet'
    • DMZ
      # input REJECT / forward REJECT: DMZ hosts reach neither the router nor other zones
      # unless a rule or forwarding entry below allows it; output ACCEPT lets the router
      # talk to DMZ hosts.
      uci add firewall zone
      uci set firewall.@zone[-1].name='dmz'
      uci set firewall.@zone[-1].input='REJECT'
      uci set firewall.@zone[-1].output='ACCEPT'
      uci set firewall.@zone[-1].forward='REJECT'
      uci set firewall.@zone[-1].network='dmz'
  • Rules
    • Forward: LAN -> DMZ
      # One direction only: there is no dmz -> lan forwarding, so DMZ hosts cannot
      # initiate connections into the LAN.
      uci add firewall forwarding
      uci set firewall.@forwarding[-1].src='lan'
      uci set firewall.@forwarding[-1].dest='dmz'
    • Forward: DMZ -> WAN
      uci add firewall forwarding
      uci set firewall.@forwarding[-1].src='dmz'
      uci set firewall.@forwarding[-1].dest='wan'
    • Allow DHCP requests from DMZ
      # A rule with src but no dest targets the router itself (input); this punches
      # only udp/67 through the zone's input REJECT.
      uci add firewall rule
      uci set firewall.@rule[-1].name='DMZ-DHCP'
      uci set firewall.@rule[-1].src='dmz'
      uci set firewall.@rule[-1].dest_port=67
      uci set firewall.@rule[-1].proto='udp'
      uci set firewall.@rule[-1].target='ACCEPT'
      uci set firewall.@rule[-1].enabled=1
    • Allow DNS requests from DMZ
      # DMZ hosts use the router's dnsmasq (DNS-over-TLS upstream, see DNS section).
      uci add firewall rule
      uci set firewall.@rule[-1].name='DMZ-DNS'
      uci set firewall.@rule[-1].src='dmz'
      uci set firewall.@rule[-1].dest_port=53
      uci set firewall.@rule[-1].proto='tcp udp'
      uci set firewall.@rule[-1].target='ACCEPT'
      uci set firewall.@rule[-1].enabled=1
  • Port forwarding (DNAT)
    • UltraVNC Single Click
      # Exposes the VNC listener on defiant (192.168.1.100, a LAN-zone host) to any WAN source.
      # NOTE(review): if the remote peer is known, a src_ip on this redirect limits who can reach it.
      uci add firewall redirect
      uci set firewall.@redirect[-1].name='vnc-sc'
      uci set firewall.@redirect[-1].target='DNAT'
      uci set firewall.@redirect[-1].src='wan'
      uci set firewall.@redirect[-1].src_dport=55555
      uci set firewall.@redirect[-1].dest='lan'
      uci set firewall.@redirect[-1].dest_ip='192.168.1.100'
      uci set firewall.@redirect[-1].dest_port=5500
      uci set firewall.@redirect[-1].proto='tcp'
      uci set firewall.@redirect[-1].enabled=1
    • VoIP traffic
      # SIP signalling (udp/49060) and a small RTP range to the PBX at 192.168.110.100.
      # The PBX sits in the lan zone (see Zones), so it is an internet-reachable host with LAN reach.
      uci add firewall redirect
      uci set firewall.@redirect[-1].name='pbx-sip'
      uci set firewall.@redirect[-1].target='DNAT'
      uci set firewall.@redirect[-1].src='wan'
      uci set firewall.@redirect[-1].src_dport=49060
      uci set firewall.@redirect[-1].dest='voip'
      uci set firewall.@redirect[-1].dest_ip='192.168.110.100'
      uci set firewall.@redirect[-1].dest_port=49060
      uci set firewall.@redirect[-1].proto='udp'
      uci set firewall.@redirect[-1].enabled=1
      uci add firewall redirect
      uci set firewall.@redirect[-1].name='pbx-rtp'
      uci set firewall.@redirect[-1].target='DNAT'
      uci set firewall.@redirect[-1].src='wan'
      uci set firewall.@redirect[-1].src_dport='49004-49008'
      uci set firewall.@redirect[-1].dest='voip'
      uci set firewall.@redirect[-1].dest_ip='192.168.110.100'
      uci set firewall.@redirect[-1].dest_port='49004-49008'
      uci set firewall.@redirect[-1].proto='udp'
      uci set firewall.@redirect[-1].enabled=1
    • SSH
      # Outer port 222 -> loki:22 in the DMZ. The non-standard outer port only reduces
      # scanner noise; the actual control is what loki itself exposes and authenticates.
      uci add firewall redirect
      uci set firewall.@redirect[-1].name='loki-ssh'
      uci set firewall.@redirect[-1].target='DNAT'
      uci set firewall.@redirect[-1].src='wan'
      uci set firewall.@redirect[-1].src_dport=222
      uci set firewall.@redirect[-1].dest='dmz'
      uci set firewall.@redirect[-1].dest_ip='192.168.200.5'
      uci set firewall.@redirect[-1].dest_port=22
      uci set firewall.@redirect[-1].proto='tcp'
      uci set firewall.@redirect[-1].enabled=1
    • HTTPS
      # Outer port 8443 -> loki:443 in the DMZ.
      uci add firewall redirect
      uci set firewall.@redirect[-1].name='loki-https'
      uci set firewall.@redirect[-1].target='DNAT'
      uci set firewall.@redirect[-1].src='wan'
      uci set firewall.@redirect[-1].src_dport=8443
      uci set firewall.@redirect[-1].dest='dmz'
      uci set firewall.@redirect[-1].dest_ip='192.168.200.5'
      uci set firewall.@redirect[-1].dest_port=443
      uci set firewall.@redirect[-1].proto='tcp'
      uci set firewall.@redirect[-1].enabled=1

Dynamic DNS (HE.net)

opkg install luci-app-ddns
# Drop the package's example services and define one for the WAN address.
uci delete ddns.myddns_ipv4
uci delete ddns.myddns_ipv6
uci set ddns.ddns_wan='service'
uci set ddns.ddns_wan.domain="$DDNS_domain"
uci set ddns.ddns_wan.service_name='he.net'
# HE.net dynamic DNS authenticates with the hostname as username and the per-host key as password.
# NOTE(review): the key is sent with every update; if this ddns-scripts build offers use_https,
# enable it so the update request is not sent in clear.
uci set ddns.ddns_wan.username="$DDNS_domain"
uci set ddns.ddns_wan.password="$DDNS_password"
uci set ddns.ddns_wan.interface='wan'
# Read the address from the wan interface instead of asking an external "what is my IP" service.
uci set ddns.ddns_wan.ip_source='network'
uci set ddns.ddns_wan.ip_network='wan'
uci set ddns.ddns_wan.enabled=1

QoS / Bufferbloat

Speed test at: https://www.dslreports.com/speedtest

opkg install luci-app-sqm
# 'eth1' is just the section name the sqm package ships with; the shaped device is the WAN VLAN.
# NOTE(review): with PPPoE the session device is pppoe-wan; shaping eth0.2 shapes the
# encapsulated traffic instead — confirm which one this release's SQM docs recommend.
uci set sqm.eth1.interface='eth0.2'
uci set sqm.eth1.qdisc='cake'
uci set sqm.eth1.script='piece_of_cake.qos'
uci set sqm.eth1.ingress_ecn='ECN'
uci set sqm.eth1.egress_ecn='NOECN'
# Rates are in kbit/s; leave headroom below the measured line speed so the shaper, not the
# modem queue, is the bottleneck.
uci set sqm.eth1.download=12240 # 95% of the measured speed
uci set sqm.eth1.upload=1024 # 95% of the measured speed
uci set sqm.eth1.enabled=1
  • For DSL:
    # Link-layer overhead compensation; pick exactly one of the three variants.
    uci set sqm.eth1.linklayer='atm'
    uci set sqm.eth1.overhead=44
  • For VDSL:
    uci set sqm.eth1.linklayer='ethernet'
    uci set sqm.eth1.overhead=34
  • For Cable:
    uci set sqm.eth1.linklayer='ethernet'
    uci set sqm.eth1.overhead=22

DNS

  • Upgrade Dnsmasq
    # dnsmasq-full is fetched first so the install below does not need working DNS
    # after the stock dnsmasq has been removed.
    # NOTE(review): if the cd fails, `rm *.ipk` runs in the current directory; `cd /tmp || return`
    # (or `set -e` in a script) guards against that.
    cd /tmp
    opkg install dnsmasq-full --download-only
    opkg remove dnsmasq
    opkg install dnsmasq-full --cache .
    rm *.ipk
  • DNS-over-TLS resolver
    # Extra hosts file lives in /usr/local so it survives sysupgrade (see System section).
    touch /usr/local/etc/hosts
    opkg install stubby
    uci set dhcp.@dnsmasq[0].domain="$DOMAIN"
    # noresolv: ignore the ISP resolvers from resolv.conf and use only the servers listed here.
    uci set dhcp.@dnsmasq[0].noresolv=1
    uci add_list dhcp.@dnsmasq[0].addnhosts='/usr/local/etc/hosts'
    # Everything goes to stubby on the loopback port — verify this matches stubby's listen
    # address in /etc/config/stubby.
    uci add_list dhcp.@dnsmasq[0].server='127.0.0.1#5453'
    # Exception: pool.ntp.org is resolved over plain DNS at the same Digitalcourage resolver,
    # presumably so NTP can get a correct clock before DNSSEC/TLS validation is possible.
    uci add_list dhcp.@dnsmasq[0].server='/pool.ntp.org/46.182.19.48' # dns2.digitalcourage.de
    # Validate DNSSEC locally and require proof that unsigned answers are legitimately unsigned.
    uci set dhcp.@dnsmasq[0].dnssec=1
    uci set dhcp.@dnsmasq[0].dnsseccheckunsigned=1
    # Remove the package's default resolvers before adding the ones below.
    # NOTE(review): `@resolver[]` relies on the empty index being read as 0; `@resolver[0]`
    # is the documented form.
    while true; do uci delete stubby.@resolver[] || break; done
    # tls_auth_name makes stubby verify the server certificate against that hostname, so a
    # resolver impersonator on the path is rejected. IPv6 entries only work once IPv6 is up.
    uci add stubby resolver
    uci set stubby.@resolver[-1].address='2a02:2970:1002::18'
    uci set stubby.@resolver[-1].tls_auth_name='dns2.digitalcourage.de'
    uci add stubby resolver
    uci set stubby.@resolver[-1].address='46.182.19.48'
    uci set stubby.@resolver[-1].tls_auth_name='dns2.digitalcourage.de'
    uci add stubby resolver
    uci set stubby.@resolver[-1].address='2001:67c:28a4::0'
    uci set stubby.@resolver[-1].tls_auth_name='anycast.censurfridns.dk'
    uci add stubby resolver
    uci set stubby.@resolver[-1].address='91.239.100.100'
    uci set stubby.@resolver[-1].tls_auth_name='anycast.censurfridns.dk'
    /etc/init.d/stubby enable
  • Ad blocking
    # libustream-mbedtls plus the CA bundles give the list downloader verified HTTPS;
    # without them the block lists would be fetched unauthenticated.
    opkg install adblock luci-app-adblock libustream-mbedtls ca-bundle ca-certificates
    uci set adblock.global.adb_enabled=1
    # Refresh the lists nightly at 04:00 via root's crontab.
    (crontab -l -u root; echo -e '0 4 * * *\t/etc/init.d/adblock reload') | crontab -u root -

DHCP server

  • LAN
    # Dynamic pool 192.168.1.101-199; lower addresses are reserved for static hosts.
    uci set dhcp.lan.start=101
    uci set dhcp.lan.limit=99
  • VoIP
    # dynamicdhcp=0: only hosts with a static lease (see Hosts & Aliases) get an address,
    # so an unknown device plugged into the VoIP VLAN is not served.
    uci add dhcp dhcp
    uci set dhcp.@dhcp[-1].interface='voip'
    uci set dhcp.@dhcp[-1].start=101
    uci set dhcp.@dhcp[-1].limit=99
    uci set dhcp.@dhcp[-1].leasetime='24h'
    uci set dhcp.@dhcp[-1].dynamicdhcp=0
  • DMZ
    # Same policy for the DMZ: static leases only.
    uci add dhcp dhcp
    uci set dhcp.@dhcp[-1].interface='dmz'
    uci set dhcp.@dhcp[-1].start=101
    uci set dhcp.@dhcp[-1].limit=99
    uci set dhcp.@dhcp[-1].leasetime='24h'
    uci set dhcp.@dhcp[-1].dynamicdhcp=0

Hosts & Aliases

  • core
    # 'dhcp domain' entries are local DNS records; this alias points NTP clients at the router.
    uci add dhcp domain
    uci set dhcp.@domain[-1].name='ntpserver'
    uci set dhcp.@domain[-1].ip='192.168.1.254'
  • filer
    # 'dhcp host' = static lease keyed by MAC; the matching 'domain' entry adds the DNS name.
    uci add dhcp host
    uci set dhcp.@host[-1].name='filer'
    uci set dhcp.@host[-1].mac='1c:c1:de:18:86:6a'
    uci set dhcp.@host[-1].ip='192.168.1.10'
    uci add dhcp domain
    uci set dhcp.@domain[-1].name='filer'
    uci set dhcp.@domain[-1].ip='192.168.1.10'
  • filer-rac
    uci add dhcp host
    uci set dhcp.@host[-1].name='filer-rac'
    uci set dhcp.@host[-1].mac='d8:d3:85:af:7c:5e'
    uci set dhcp.@host[-1].ip='192.168.1.11'
    uci add dhcp domain
    uci set dhcp.@domain[-1].name='filer-rac'
    uci set dhcp.@domain[-1].ip='192.168.1.11'
  • defiant
    # Target of the 'vnc-sc' port forward.
    uci add dhcp host
    uci set dhcp.@host[-1].name='defiant'
    uci set dhcp.@host[-1].mac='38:60:77:90:d7:6f'
    uci set dhcp.@host[-1].ip='192.168.1.100'
  • pbx
    # VoIP VLAN; static lease is required there because dynamicdhcp is off.
    uci add dhcp host
    uci set dhcp.@host[-1].name='pbx'
    uci set dhcp.@host[-1].mac='7c:2f:80:bf:20:65'
    uci set dhcp.@host[-1].ip='192.168.110.100'
  • loki
    # DMZ host behind the SSH/HTTPS port forwards; static lease required, dynamicdhcp is off.
    uci add dhcp host
    uci set dhcp.@host[-1].name='loki'
    uci set dhcp.@host[-1].mac='00:0d:b9:0e:5c:c0'
    uci set dhcp.@host[-1].ip='192.168.200.5'
    uci add dhcp domain
    uci set dhcp.@domain[-1].name='loki'
    uci set dhcp.@domain[-1].ip='192.168.200.5'

Optional

Tcpdump, LLDP

opkg install tcpdump-mini lldpd
# NOTE(review): lldpd advertises hostname and system details on every interface unless
# restricted in its UCI config; consider limiting it to the LAN-side interfaces.
/etc/init.d/lldpd enable

USB storage

opkg install kmod-usb-storage usbutils kmod-fs-f2fs f2fs-tools
# NOTE(review): this init script is downloaded over plain HTTP and then runs as root at
# every boot, with no integrity check. Fetch it over HTTPS where possible and compare its
# sha256 with a known-good value (e.g. `sha256sum /etc/init.d/mountusb.sh` vs <EXPECTED_SHA256>)
# before enabling it.
wget -P /etc/init.d http://files.dateihal.de/openwrt/mountusb.sh
chmod +x /etc/init.d/mountusb.sh
/etc/init.d/mountusb.sh enable

mountusb.sh

NFS server

opkg install nfs-kernel-server nfs-kernel-server-utils
# Comment out every existing export line (those starting with '/') before adding ours.
sed -i '/^\// s/^/#/g' /etc/exports
# Read-only, all_squash export of the USB share.
# NOTE(review): '*' allows any client address; the firewall zones decide which subnets can reach
# the router, but restricting the export itself to 192.168.1.0/24 keeps it correct even if a
# zone rule changes later.
echo -e "$NFSDIR\t*(ro,async,subtree_check,all_squash)" >> /etc/exports
/etc/init.d/portmap enable
/etc/init.d/nfsd enable

Package mirror

PXE server

# dnsmasq serves TFTP from the USB directory and hands every DHCP client 'pxelinux.0' as boot file.
# TFTP has no authentication: keep only boot files under $TFTPDIR, and note that the DMZ zone's
# input REJECT (only udp/67 and 53 are opened) keeps DMZ hosts from fetching them.
uci set dhcp.@dnsmasq[0].enable_tftp=1
uci set dhcp.@dnsmasq[0].dhcp_boot='pxelinux.0'
uci set dhcp.@dnsmasq[0].tftp_root="$TFTPDIR"