From d5dbb80cce4a36b5fb371ef7d9b249f1848d0b2e Mon Sep 17 00:00:00 2001 From: Julien Dessaux Date: Tue, 2 Aug 2022 20:45:51 +0200 Subject: Added openwrt interfaces blog article --- content/blog/home/home.md | 35 ++++++++++++++++++++++++ content/blog/home/interfaces.md | 54 ++++++++++++++++++++++++++++++++++++++ content/blog/miscellaneous/home.md | 33 ----------------------- 3 files changed, 89 insertions(+), 33 deletions(-) create mode 100644 content/blog/home/home.md create mode 100644 content/blog/home/interfaces.md delete mode 100644 content/blog/miscellaneous/home.md diff --git a/content/blog/home/home.md b/content/blog/home/home.md new file mode 100644 index 0000000..53b28f0 --- /dev/null +++ b/content/blog/home/home.md 
@@ -0,0 +1,35 @@ +--- +title: My home network +description: wifi setup with transparent roaming +date: 2022-07-24 +tags: + - OpenWRT +--- + +## Introduction + +This week I have upgraded my OpenWRT access points. The new release had non compatible changes so I had to wipe the routers and reconfigure everything from scratch. I took the opportunity to document the process and will write at least two blog articles about this. This first one describes my network and the design choices, the second one will be about the OpenWRT configuration to implement these choices. + +## My home network + +This is a simple lan network: + +![home network](/static/home.drawio.svg) + +My FAI's router acts as a very basic firewall and as a dhcp server for the lan. Most other functionalities are disabled, especially its wifi since I wanted to do cool stuff this router does not support at all. + +## The wifi setup + +There are two wifi access point on my network. One might just be enough if placed at the center of the house, but I then would have no reception in the garden. Besides I very much prefer having two access points emitting at low power instead of one at high power. + +I chose to run OpenWRT on these two access points in order to do the following cool stuff: +- use 802.11r aka transparent roaming +- have one wifi network bridged with my lan +- have a second wifi network isolated from my lan with a restricted firewall and adblocking +- manage the configuration with ansible + +Roaming wifi is fantastic once you experience it: never again will your network go down for a few seconds when disconnecting from an access point and reconnecting another. You always have the best signal and your connection never loses a packet! + +On top of that, having your wifi network bridged with your lan is very comfortable if like me you need to move around with your laptop and occasionally sit down and plug-in your rj45 cable. 
With bridging, you just configure the same static ip on both your wired and wireless interfaces and you are good to go! Never again will your ssh connections hang or terminate while moving around. + +Devices like TVs, sound bar or game consoles need to go onto an isolated network. It allows me to hide devices from each others on wifi, run dns adblocking on it and ban some weird spying traffic all these "smart" devices do. It is also useful for cheap devices that do not support modern features like my kobo reader or my neato vacuum cleaner: no 5GHz wifi, no WPA3... diff --git a/content/blog/home/interfaces.md b/content/blog/home/interfaces.md new file mode 100644 index 0000000..0c27798 --- /dev/null +++ b/content/blog/home/interfaces.md 
@@ -0,0 +1,54 @@ +--- +title: My OpenWRT Routers initial configuration +description: ethernet and system +date: 2022-08-01 +tags: + - OpenWRT +--- + +## Introduction + +This article is the continuation of [the previous one]({{< ref "blog/home/home.md" >}}). Since posting I updated the last two paragraphs because I forgot two reasons for my design choices. You might want to read it again since the following articles implement those choices. + +If you try to follow this as a guide and something is not clear do not hesitate to shoot me an email asking for clarifications or screenshots! + +## Initial configuration + +I will assume you just completed a clean installation of OpenWRT from the official documentation, in my case https://openwrt.org/toh/netgear/r6220. With that done, the first step is to plugin a RJ45 cable between your computer and one of the lan ports behind the router. + +You should get an address in the `192.168.1.0/24` network through dhcp. With it you can access [the webui](http://192.168.1.1/) and login as `root` by leaving the password field blank. Then go set an admin password from the `system/Administration` menu. + +## Interfaces + +For my setup I first need to re-address the lan interface of OpenWRT since by default it uses the network subnet I want to use on my LAN. My LAN being what I will connect the wan interface of the OpenWRT router to. It can get confusing: just remember that the wan interface will be the exit point of the traffic going through the router, while lan ports are the one for devices the furthest from the internet. + +In order to readdress the lan interface, I cannot be connected to it. Therefore our first step is to setup the wan interface and reconnect to the webui with it: +- edit the wan interface from the `network/interfaces` menu and set a temporary subnet on it, something we won't need to use later for example `172.16.0.1/30`. 
+- edit the firewall to allow INPUT traffic on the wan interface +- unplug your RJ45 cable from its lan port and plug it in the wan port +- configure a static ip on the same subnet you just used for example `172.16.0.2/30` +- you should be able to reconnect to [the webui](http://172.16.0.1/) with these new addresses + +Now we can reconfigure the lan interface: +- edit the lan interface and configure its final subnet: I use `192.168.10.1/24` +- unplug your RJ45 cable from the wan port and reconnect it in a lan port +- you should be able to reconnect to [the webui](http://192.168.10.1/) with these new addresses + +And finally reconfigure the wan interface: +- edit the wan interface and configure its final subnet: I use `192.168.1.5/24` to address the router with `192.168.1.1` as gateway (the address of my FAI's router on my LAN) +- I will leave the INPUT traffic allowed on my firewall because I intend to access my router from my LAN, which means through this interface named wan. + +## System configuration + +It is a good time to set the `hostname` in the `System/System` menu, as well as your router's timezone. On the Logging tab of this page, I also reconfigure the `log output level` to `INFO` and the `cron log level` to `NORMAL`. NTP should be active for time synchronization, and finally I like to set the webui theme to `BootstrapDark`. + +Next, since the router should now have access to the internet through my FAI's router, I head to the `System/Software` menu to add `openssh-server`. It is a requirement for me because the default ssh server is the one from busybox and it does not support `ed25519` ssh keys, only `rsa`. I also install `vim-fuller` for ease of use but if the storage ever gets cramped I would remove it and not miss it. + +I then set an ed25519 key through the `System/Administration` menu, in the SSH-Keys tab. 
It is then a good time to upgrade the packages which changed since the image's release, which I do through ssh: +```sh +opkg update +opkg list-upgradable | cut -f 1 -d ' ' | xargs -r opkg upgrade +``` + +If critical components got upgraded (like busybox or openssl), it is a good idea to reboot the router. + diff --git a/content/blog/miscellaneous/home.md b/content/blog/miscellaneous/home.md deleted file mode 100644 index dfc5677..0000000 --- a/content/blog/miscellaneous/home.md +++ /dev/null 
@@ -1,33 +0,0 @@ ---- -title: My home network -description: wifi setup with transparent roaming -date: 2022-07-24 ---- - -## Introduction - -This week I have upgraded my OpenWRT access points. The new release had non compatible changes so I had to wipe the routers and reconfigure everything from scratch. I took the opportunity to document the process and will write at least two blog articles about this. This first one describes my network and the design choices, the second one will be about the OpenWRT configuration to implement these choices. - -## My home network - -This is a simple lan network: - -![home network](/static/home.drawio.svg) - -My FAI's router acts as a very basic firewall and as a dhcp server for the lan. Most other functionalities are disabled, especially its wifi since I wanted to do cool stuff this router does not support at all. - -## The wifi setup - -There are two wifi access point on my network. One might just be enough if placed at the center of the house, but I then would have no reception in the garden. Besides I very much prefer having two access points emitting at low power instead of one at high power. - -I chose to run OpenWRT on these two access points in order to do the following cool stuff: -- use 802.11r aka transparent roaming -- have one wifi network bridged with my lan -- have a second wifi network isolated from my lan with a restricted firewall and adblocking -- manage the configuration with ansible - -Roaming wifi is fantastic once you experience it: never again will your network go down for a few seconds when disconnecting from an access point and reconnecting another. You always have the best signal and your connection never loses a packet! - -On top of that, having your wifi network bridged with your lan is very comfortable if like me you need to move around with your laptop and occasionally sit down and plug-in your rj45 cable. 
With bridging, you just configure the same static ip on both your wired and wireless interfaces and you are good to go! Never again will your ssh connections hang or terminate while moving around. - -Devices like TVs, sound bar or game consoles need to go onto an isolated network. It allows me to hide devices from each others on wifi, run dns adblocking on it and ban some weird spying traffic all these "smart" devices do. It is also useful for cheap devices that do not support modern features like my kobo reader or my neato vacuum cleaner: no 5GHz wifi, no WPA3... -- cgit v1.2.3
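Review bot: The front matter of the new content/blog/home/home.md carries no alias for the old location, while the same patch deletes content/blog/miscellaneous/home.md, so unless the site configuration overrides permalinks, the URL under which this article (dated 2022-07-24) was published stops resolving. Suggest adding an `aliases` entry for the previous path next to `tags` in the front matter so existing links and feed entries keep working. The body is otherwise identical to the deleted file apart from the added `tags: - OpenWRT`, so this is a pure move and the redirect is the only thing missing.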
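Review bot: In the Interfaces section of content/blog/home/interfaces.md, the step `edit the firewall to allow INPUT traffic on the wan interface` and the closing bullet that leaves it allowed never say how wide the rule is or why it is acceptable. A reader following this as a guide, which the introduction invites, would accept all input on wan, which exposes the webui (linked here over plain http) and ssh to whatever sits upstream of the router. Suggest stating explicitly that this is only reasonable because wan in this topology faces the LAN behind the FAI's router, and recommending a rule limited to the management ports from `192.168.1.0/24` rather than a blanket accept. It would also help to move the "set an admin password" step ahead of any firewall change, since the text notes that root logs in with a blank password until then.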