WRT54GL and me.

A few months ago I bought a Linksys WRT54GL wireless router. Its main purpose was to serve as an internet gateway/firewall for my home network. I needed a switch, and because I also own a few wireless (802.11) devices, the AP functionality was a must.

For at least two months I used the router with the original Linksys firmware, but it soon became clear that I would need more than Linksys's firmware could provide me! (e.g. an internal DNS server for my home network, an openvpn client to access other machines I own, and an nsupdate client for dynamic DNS with Bind9). The other main reason was that I was unable to diagnose any problem when my DEAR ISP provider goes wrong. In other words, I needed a command line with ping, traceroute, an editor (vi of course), tcpdump, as well as other tools.

This was my experience. (Please note there are a lot of tutorials and howtos about this, but as I said before, the main purpose of this blog is to practice my English!)

Step 1: Identifying my router model.

My router is a Linksys WRT54GL. Googling a bit, I found that the router came with GNU/Linux inside, a very useless GNU/Linux, at least for me, for the reasons I told you before. The router version is v1.1 and the serial number prefix is CL7B. The hardware is based on the Broadcom BCM95352E SoC; it came with 16MB of RAM and 4MB of flash ROM.

Picture of my Wrt54GL router

You can find more info about hardware revisions in Wikipedia.

I was lucky enough to get a WRT54 with 4MB of flash ROM; other models like the WRT54G v5 and v6 came with only 2MB of ROM and the RTOS VxWorks inside, and it's very difficult (almost impossible) to put a GNU/Linux based firmware inside those, mainly because there is very little space for a functional GNU/Linux distro.

Other features of the Linksys WRT54GL are:

  • GNU/Linux Kernel 2.4
  • All-in-one Internet-sharing Router, 4-port Switch, and 54Mbps Wireless-G (802.11g) Access Point
  • Shares a single Internet connection and other resources with Ethernet wired and Wireless-G and -B devices
  • Push button setup feature makes wireless configuration secure and simple
  • High security: TKIP and AES encryption, wireless MAC address filtering, powerful SPI firewall

Step 2: Choosing the distro.

Having identified my router, the next step is to choose a distro for it. What do I mean when I say a distro? Well, the main difference is, as the OpenWrt homepage says, that instead of creating a single static firmware, you can use a fully writable filesystem with a package system.

OpenWrt

OpenWrt was one of the first firmware alternatives for the WRT routers; the implementation of a package system (ipkg) is one of its most impressive features. In the early years of OpenWrt, all the configuration was console based; now there is a developed version of a web interface. I must say that I didn't take a deep look into OpenWrt, but the little I saw looked impressive. The stable version of OpenWrt (whiterussian) uses only 2MB of the flash memory and gives you a router with the basic features enabled; all the extra stuff must be installed via the ipkg utility.

It is my idea to install this distro in the short term.

dd-wrt

DD-WRT is, as you can read on the homepage, a project which was originally based on the official GPL sources of Sveasoft Alchemy, but later turned into an OpenWrt kernel based firmware variant. The author claims the main modifications are the use of a RADIUS server and the possibility to use an external filesystem to add extra packages. The filesystem of choice is Samba. All of this can be done with the OpenWrt firmware, but DD-WRT can do it in a friendly manner via a very nice web interface. And since DD-WRT is OpenWrt based, it has all the impressive features of OpenWrt, like the support of the 'ipkg' package system, for example.

I decided to go for DD-WRT, because:

  • It was OpenWrt based, so I'll have all the nice features of its package system.
  • It was my first firmware upgrade.
  • Even though I have a reasonably good command of the GNU/Linux console, I don't have the time to configure everything by hand, so a good web interface was nice.
  • DD-WRT support for remote access via ssh and openvpn features was there just out of the box (via the VPN firmware version).
  • And mostly because I already knew DD-WRT, because a friend of mine (Jacho) lent me a Linksys WRT54 with DD-WRT already installed, and I could play with it for a couple of months.

freewrt

[TODO]

Step 3: Installing and the Basic settings.

The installation was very simple: I just went to the Wiki page of DD-WRT and followed the installation instructions for my router model. And hopefully everything goes right. The latest version of DD-WRT at this time is dd-wrt-2.3 SP2. I chose the VPN version because, as I said before, I needed openvpn in the router.

I downloaded the dd-wrt.v23vpngeneric.bin file. I wasn't sure about the differences between the -generic version and the specific -wrt54g one (remember my router was a 54GL), so I decided to play it safe and installed the -generic version. Later I realized that the 54GL version was exactly the same as the 54G version, but because I was installing via the Linksys web interface, the dd-wrt documentation says you must use the -generic version. The other Linksys router specific binaries are only meant for tftp upgrades.

If you are upgrading from the original Linksys firmware then you have to use the micro version first, due to a limitation of the firmware that doesn't allow you to install firmware bigger than 3MB. Fortunately my version of the router, v1.1 with serial number starting CL7B, came with a firmware version that allows files bigger than 3MB, so the -micro installation step wasn't necessary.

Static DHCP

Static DHCP is one of the features I needed; the Linksys firmware didn't have it, but dd-wrt did. You only have to go to the Administration section and then select Services. There you have a web form to add static DHCP leases. The DHCP server used by DD-WRT is dnsmasq, which is also a very simple forwarding DNS server.

You can find more information about this here

Activating SSH

As I told you before, I'm a console fan, so accessing the router via ssh was a must. DD-WRT provides this feature, and all you have to do is go to the Administration section and then select Services. There you will find a radio button for activating Secure Shell; you can also put a list of your authorized secure shell keys in a textarea. Once you have done that, you can log into your router.

    harpo@lifebook:~ $ ssh root@wrt
    DD-WRT v23 SP2 vpn (c) 2006 NewMedia-NET GmbH
    Release: 09/15/06 (SVN revision: 3932)
    root@wrt's password: 



    ==========================================================

     ____  ___    __        ______ _____         ____  _____ 
     | _ \| _ \   \ \      / /  _ \_   _| __   _|___ \|___ / 
     || | || ||____\ \ /\ / /| |_) || |   \ \ / / __) | |_ \ 
     ||_| ||_||_____\ V  V / |  _ < | |    \ V / / __/ ___) |
     |___/|___/      \_/\_/  |_| \_\|_|     \_/ |_____|____/ 

                           DD-WRT v23 SP2
                       http://www.dd-wrt.com

    ==========================================================


    DD-WRT VeryBusyBox v1.2.1 (2006.09.15-18:20+0000) Built-in shell (ash)
    Enter 'help' for a list of built-in commands.

    ~ #

And then you can use all the power of the unix console. You can look for more info about your router in the standard unix way.

    ~ # cat /proc/cpuinfo 
    system type     : Broadcom BCM5352 chip rev 0
    processor       : 0
    cpu model       : BCM3302 V0.8
    BogoMIPS        : 199.47
    wait instruction    : no
    microsecond timers  : yes
    tlb_entries     : 32
    extra interrupt vector  : no
    hardware watchpoint : no
    VCED exceptions     : not available
    VCEI exceptions     : not available

Check the amount of free or unused memory of the system:

    ~ # free
                  total         used         free       shared      buffers
      Mem:        14176        13676          500            0         2036
     Swap:            0            0            0
    Total:        14176        13676          500
    ~ #

Or list the processes currently running.

      PID  Uid     VmSize Stat Command
        1 root        380 S   /sbin/init noinitrd
        2 root            SW  [keventd]
        3 root            SWN [ksoftirqd_CPU0]
        4 root            SW  [kswapd]
        5 root            SW  [bdflush]
        6 root            SW  [kupdated]
       11 root            SW  [mtdblockd]
       14 root        252 S   /sbin/watchdog
       47 root            SWN [jffs2_gcd_mtd4]
       67 root        304 S   resetbutton
       97 root        896 S   httpd
      108 root        372 S   dnsmasq --conf-file /tmp/dnsmasq.conf
      110 root        288 S   /sbin/wland
      163 root        464 S   dropbear -b /tmp/loginprompt -r /tmp/root/.ssh/ssh_host_rsa_key -d /tmp/root/.ssh/ssh
      170 root        300 S   /tmp/ppp/redial 30
    25964 root        356 S   process_monitor
    25968 root        304 S   inadyn --input_file /tmp/ddns/inadyn.conf
    26001 root            Z   [sh]
    26012 root        336 S   upnp -D -L br0 -W ppp0 -I 60 -A 180
    26014 root        276 S   /usr/sbin/cron
    26056 root       1472 S   openvpn --config /tmp/openvpn/openvpn.conf --route-up /tmp/openvpn/route-up.sh --down
      360 root        724 R   dropbear -b /tmp/loginprompt -r /tmp/root/.ssh/ssh_host_rsa_key -d /tmp/root/.ssh/ssh
      368 root        588 S   -sh
      474 root        400 R   ps
    ~ #

For me at least, this alone is reason enough for doing a firmware upgrade.

OpenVPN

OpenVPN is a lightweight multiplatform VPN implementation. I have many VPNs connected to a VPN server running at my parents' home. The DD-WRT firmware version I flashed came with openvpn. Again, in the Services section under Administration you will find a few textarea entries for your RSA/DSA key pair and the CA certificate, among other form entries for configuration parameters like the IP of the VPN server and the destination port.

DNS

DNS services, as I said before, depend on dnsmasq. In the basic mode dnsmasq is only used as a forwarding DNS server, but it also has an option for basic local DNS services. All the hosts in your /etc/hosts are resolved by dnsmasq, and dnsmasq also adds all the hosts in your DHCP leases file to /etc/hosts. The only thing you have to do is activate the radio button for local DNS support in the web interface.

As a bonus you can also add static entries to your DNS via the Additional DNS Options, like:

    address=/elserver.forknet/10.8.0.1
    address=/pc386.forknet/10.8.0.5

I use this nice feature to add entries for my VPN peers into my local network.
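dnsmasq applies an address= entry to the named domain and to every name beneath it, so the entries above also answer names such as www.pc386.forknet. The following added example (not from the original post) shows which queries a set of such lines would answer locally; the lab.example entry and the helper names static_answer and options are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: which names does a set of
# dnsmasq address= lines answer locally?

# static_answer NAME: read dnsmasq options on stdin and print the IP that an
# address= line returns for NAME; print nothing if no line covers the name.
static_answer() {
    awk -v q="$1" '
        BEGIN { q = tolower(q); best = 0 }
        /^address=\// {
            n = split($0, part, "/")          # address= / domain... / ip
            for (i = 2; i < n; i++) {         # a line may list several domains
                d = tolower(part[i])
                if (d == "") continue
                # A domain covers itself and every name ending in ".domain".
                tail = substr(q, length(q) - length(d))
                if (q == d || (length(q) > length(d) && tail == "." d)) {
                    # Assumption: the most specific (longest) domain wins.
                    if (length(d) > best) { best = length(d); answer = part[n] }
                }
            }
        }
        END { if (best > 0) print answer }
    '
}

# The two entries from the post plus one constructed entry (lab.example).
options() {
    cat <<'EOF'
address=/elserver.forknet/10.8.0.1
address=/pc386.forknet/10.8.0.5
address=/lab.example/192.0.2.10
EOF
}

for name in pc386.forknet www.pc386.forknet notpc386.forknet printer.lab.example; do
    printf '%-22s -> %s\n' "$name" "$(options | static_answer "$name")"
done
```

A name with an empty right-hand side in the output is not covered by any entry and would be forwarded upstream as usual.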

You can find more information about this here

Samba and ipkg

This is another excellent feature of dd-wrt: you can mount SMB shares, and then it uses the ipkg system for installing anything you want. As I said before, my router came with only 4MB of flash memory, and DD-WRT uses almost all of it, so if I want to install extra software like kismet or tcpdump I need more space. Of course I will not use the samba share all the time, only when I really need it; for example, tcpdump could be very useful when you are setting up your firewall or even your VPNs.

In the Administration section, Management subsection, you will find textarea entries for setting your samba fs automounts. The parameters are the address of the samba share, the user and the password. Optionally you can set a startup script. This last parameter could be very useful. I didn't say it, but only a part of the filesystem is writable; the rest is read-only, so if you want to make some of your changes permanent, the startup script of the samba fs automounts could be an easy way to do it.

Once you have your samba share mounted you can log into your router and do a:

    ~ # ipkg  -d smbfs update

The -d smbfs parameter sets the destination of the installed packages.

If everything goes fine you will see something like this:

    Downloading http://downloads.openwrt.org/whiterussian/packages/Packages ...
    Connecting to downloads.openwrt.org[195.56.146.238]:80
    Packages             100% |********************************************************|   138 KB 00:00:00 ETA
    Done.
    Updated list of available packages in //tmp/smbshare/usr/lib/ipkg/lists/whiterussian
    Downloading http://downloads.openwrt.org/whiterussian/packages/non-free/Packages ...
    Connecting to downloads.openwrt.org[195.56.146.238]:80
    Packages             100% |********************************************************|   568    --:--:-- ETA
    Done.
    Updated list of available packages in //tmp/smbshare/usr/lib/ipkg/lists/non-free
    Downloading http://downloads.openwrt.org/backports/rc5/Packages ...
    Connecting to downloads.openwrt.org[195.56.146.238]:80
    Packages             100% |********************************************************| 98390    00:00:00 ETA
    Done.
    Updated list of available packages in //tmp/smbshare/usr/lib/ipkg/lists/backports

Now you can install the packages you want with

    ~ # ipkg -d smbfs install tcpdump
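The log above shows ipkg fetching its package index over plain HTTP, and each stanza in such an index carries Size and MD5Sum fields. The following added example (not from the original post) checks a downloaded .ipk against those fields; the index, package names and file contents are constructed stand-ins, and a checksum from an index fetched over HTTP only catches corruption unless the index itself comes from a source you trust.

```shell
#!/bin/sh
# Added example, not from the original post: verify a downloaded .ipk against
# the Size and MD5Sum fields of its stanza in an ipkg "Packages" index.
# pkg_field INDEX PACKAGE FIELD: print FIELD from PACKAGE's stanza.
pkg_field() {
    awk -v pkg="$2" -v field="$3" '
        BEGIN { RS = ""; FS = "\n" }   # paragraph mode: one stanza per record
        {
            name = ""; value = ""
            for (i = 1; i <= NF; i++) {
                if (index($i, "Package: ") == 1) name  = substr($i, 10)
                if (index($i, field ": ") == 1)  value = substr($i, length(field) + 3)
            }
            if (name == pkg) { print value; exit }
        }' "$1"
}

# verify_ipk INDEX PACKAGE FILE: return 0 only if size and MD5 both match.
verify_ipk() {
    want_md5=$(pkg_field "$1" "$2" MD5Sum)
    want_size=$(pkg_field "$1" "$2" Size)
    if [ -z "$want_md5" ] || [ -z "$want_size" ]; then
        echo "$2: no Size/MD5Sum in index" >&2; return 1
    fi
    got_size=$(wc -c < "$3" | tr -d ' ')
    got_md5=$(md5sum "$3" | cut -d' ' -f1)
    if [ "$got_size" != "$want_size" ] || [ "$got_md5" != "$want_md5" ]; then
        echo "$2: MISMATCH (size $got_size/$want_size, md5 $got_md5)" >&2; return 1
    fi
    echo "$2: OK"
}

# Constructed sample: a two-stanza index and stand-in "package" files (made up).
work=$(mktemp -d)
cat > "$work/Packages" <<'EOF'
Package: libdemo
Version: 0.1-1
Size: 9
MD5Sum: 00000000000000000000000000000000

Package: demo-tool
Version: 1.0-1
Size: 5
MD5Sum: 5d41402abc4b2a76b9719d911017c592
EOF
printf 'hello' > "$work/good.ipk"      # matches the demo-tool stanza
printf 'hellO' > "$work/tampered.ipk"  # same size, different content
verify_ipk "$work/Packages" demo-tool "$work/good.ipk"
verify_ipk "$work/Packages" demo-tool "$work/tampered.ipk" || echo "rejected as expected"
```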

You may have problems with symlinks and the sonames of some libraries; that is because samba shares don't allow symlinks (at least for me, I must check that). The solution is to make the symlinks by hand on your samba server. (I know it is ugly.)

Then you have to add the libraries to the LD_LIBRARY_PATH environment variable, and you may also want to add the new dirs to the binary path. For me the easy way is to have a file named paths that looks like this:

    export PATH=$PATH:/tmp/smbshare/usr/sbin/
    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/tmp/smbshare/usr/lib

and every time you want to use the extra packages you have to do a:

    source ./paths

Then you can use tcpdump. It is more or less the same for installing other packages.

You can find more information about this here