WRTSL54GS Adventures

New Kamikaze coming...

2008-06-25T07:55:37Z

Due in August. Time to prep my backup router...

Restricting URLs

2008-02-27T02:53:38Z

There is probably a better way to do this, but I've gotten tired of my son screwing around on the net and not doing his homework, so I've decided to block a few sites at the router. His system uses DHCP addressing, so he picks up the DNS server info from OpenWRT, which till now just passed along those requests to the configured ISP DNS servers. My other systems are on static, and have these DNS entries listed manually. So, it seemed to be an easy process to insert a few entries into the /etc/hosts file on the router. DocumentRoot /www/homework/Documents ErrorLog "/Users/wright/Documents/apache2/homework_error_log" CustomLog "/Users/wright/Documents/apache2/homework_access_log" combined Options Indexes FollowSymLinks MultiViews Order allow,deny Allow from all ErrorDocument 404 /index.html The ErrorDocument statement above will take any page that isn't found (which almost all page requests will be) and redirects this to the main page served. All that I'm using for this is a simple HTML document that displays the text 'Site Unavailable, go do your homework." Obviously you can be as fancy as you want with that. Over on the OpenWRT side, enter the domains you wish to route to this fake web page. My etc/hosts file looks like the following: 127.0.0.1 localhost OpenWrt 192.168.1.9 youtube.com www.youtube.com Specifically adding the www.* domain is important, otherwise those requests will hit the actual site.]]>

Kamikaze again

2008-01-10T19:42:16Z

I'm going to take another crack at installing Kamikaze on my new spare WRTSL54GS that I picked up before the holidays. After I install a new serial jack on it, that is. :) I've had this one just idling with power on and nothing else hooked up as a burn in test, since it's still chugging I think I'm past the issue I had with my last spare router now.

Smoked router

2007-07-28T02:16:50Z

A few weeks ago, I had purchased a spare WRTSL54GS to do testing on, and unfortunately shortly after installing a new serial port (installed almost immediately after opening the box) and then installing Kamikaze, discovered that the router had become unresponsive after just a few days. Consulting several experts led me to believe that he router was bricked. I shipped it off to a friend to verify, and all indications are that I had experienced an actual hardware failure, possibly as a result of a power fluctuation here (something I had ignored at the time, but now seems likely to have been the culprit). It is also possible I had bad hardware from the factory, but as I had quickly modified it, I had no way of knowing if it may have been bad originally. Bummer.

Printing on home LAN via internet

2007-06-09T03:45:45Z

A bit of trickery to print to a printer on my home LAN via the internet. The example below assumes the printer is being connected to externally on port 12345, and actually accepts connections on port 9100 (HP Jet Direct). Tested and working, but may not be perfect. OS X wasn't able to identify the printer model automatically, but setting this manually let the jobs print normally. # Printer iptables -t nat -A prerouting_rule -d $WANIP -p tcp --dport 12345 -j DNAT --to 192.168.1.99:9100 iptables -A forwarding_rule -d 192.168.1.99 -p tcp --dport 9100 -j ACCEPT iptables -t nat -A postrouting_rule -o $LAN -p tcp -s $network -d 192.168.1.99 -m multiport --dports 9100 -j SNAT --to-source $WANIP

IP Tables

2007-05-04T05:32:08Z

For posterity, here is my working iptables config: #!/bin/sh . /etc/functions.sh WAN=$(nvram get wan_ifname) LAN=$(nvram get lan_ifname) iptables -F input_rule iptables -F output_rule iptables -F forwarding_rule iptables -t nat -F prerouting_rule iptables -t nat -F postrouting_rule # Note: Firewall must be re-run if WAN IP address changes WANIP=`ifconfig $WAN | grep inet\ addr | sed -r 's/.*inet addr:([0-9.]+) .*/\1/'` network="192.168.1.0/24" server="192.168.1.10" iptables -t nat -A postrouting_rule -o $WAN -j SNAT --to-source $WANIP There you have the basic setup. The variable WANIP will find the current IP address of the WAN interface, network is whever you have defined for your local LAN, and server is the server you're routing ports to. You could easily define server2, server3, etc, for as many systems as you want to map here. # identd iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 113 -j ACCEPT iptables -A input_rule -i $WAN -p tcp --dport 113 -j ACCEPT This is my config for identd (still not working for some reason?) to open the correct port, and set up the router itself to answer on this port (that part, at least, works). # Lines below let WAN address work from LAN # SMTP iptables -t nat -A prerouting_rule -d $WANIP -p tcp --dport 25 -j DNAT --to $server:25 iptables -A forwarding_rule -d $server -p tcp --dport 25 -j ACCEPT iptables -t nat -A postrouting_rule -o $LAN -p tcp -s $network -d $server -m multiport --dports 25 -j SNAT --to-source $WANIP # HTTP iptables -t nat -A prerouting_rule -d $WANIP -p tcp --dport 80 -j DNAT --to $server:80 iptables -A forwarding_rule -d $server -p tcp --dport 80 -j ACCEPT iptables -t nat -A postrouting_rule -o $LAN -p tcp -s $network -d $server -m multiport --dports 80 -j SNAT --to-source $WANIP # POP/IMAP iptables -t nat -A prerouting_rule -d $WANIP -p tcp --dport 110 -j DNAT --to $server:110 iptables -A forwarding_rule -d $server -p tcp --dport 110 -j ACCEPT iptables -t nat -A postrouting_rule -o $LAN -p tcp -s $network -d $server -m multiport --dports 110 -j SNAT --to-source $WANIP iptables -t nat -A prerouting_rule -d $WANIP -p tcp --dport 143 -j DNAT --to $server:143 iptables -A forwarding_rule -d $server -p tcp --dport 143 -j ACCEPT iptables -t nat -A postrouting_rule -o $LAN -p tcp -s $network -d $server -m multiport --dports 143 -j SNAT --to-source $WANIP Opening up various ports that will be handled by 'server', and tricking things so that requests via the LAN port for the WANIP will get routed correctly, so you can use your own external domain name internally (default router config doesn't allow this to work). This was the tricky bit solved in the forum thread mentioned in my last post. # Access webif from WAN on port 65321 iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 65321 -j DNAT --to :80 iptables -A input_rule -i $WAN -p tcp --dport 80 -j ACCEPT This took a small bit of research. This will redirect port 65321 from the WAN side to port 80 on the router itself, in case you want the router's web interface to be accessible externally. Use this same trick if you wanted to SSH into the router, or externally access any other router specific service by remapping the port.

WRTSL54GS finally in production

2007-04-22T20:41:56Z

After a few months of tinkering with getting to know this guy, and doing my final (for now?) hardware mod and getting a proper serial connection in place, I've finally replaced my old Asante router that had served me well these last several years. The trickiest bit was figuring out the iptables command and setting things up so that I could access my web/mail server via the LAN using the WAN address (so I could refer to it by name instead of a local IP). This posting over on the OpenWRT forums was a great help in doing exactly what I needed.

Serial upgrade complete

2007-04-22T19:34:39Z

My TTL-232R-3V3-AJ USB cables arrived last week (I ordered a spare), a quick test after installing the OS X driver indicated that I was indeed seeing a new serial port after plugging the cable in, so it was now time to replace my hacked Keyspan interface with a clean looking 3.5mm stereo audio jack on my WRT. Having it in the back with the other ports would have been ideal, but there was just no real estate left. I opted for the top case opposite the antenna jack. I wish now that I'd had some heat shrink tubing on hand for the jack, but I'm not planning to go back to fix that unless I have to. A quick desoldering of my old cable from the underside of the board and soldering the new cable to the top of the board and I was in business.

USB Serial cable

2007-04-16T05:54:16Z

A recent post in the OpenWRT forums hilighted the TTL-232R-3V3-AJ USB cable, a TTL Level Serial Converter, or in other words, it takes a 3.3v RS-232 signal and converts it to USB, perfect for use with my WRTSL54GS, thanks to the fact that they also have Mac drivers available. This will allow me to ditch (with some slight regret) my hacked USB serial interface, and simply add a clean looking 3.5mm stereo audio connector to the side of my WRT, which this cable will plug right into. Several versions of this cable are available for 5v and 3.3v sources, with several alternate ends, the AJ (Audio Jack) version to me seems the most flexible to adding a serial interface as it is easily removable from the unit when not needed.

OpenWRT WhiteRussian 0.9

2007-03-02T03:25:37Z

The 'final' build WhiteRussian has been out for a while now, version 0.9 is supposed to be the end of the line, with work now focusing on the Kamikaze builds. Nightly snapshots have been getting posted at openwrt.org, but I'll be sticking with the stable 0.9 release for a while. I still need to dig in and figure out iptables, the code that controls the firewall and NAT settings, it's a lot trickier than what I'm used to, and there aren't a lot of great examples online that I've been able to find so far.

Updated Busybox

2007-01-10T04:53:44Z

I'm now running OpenWRT R6 on the router, and I also had to upgrade to the newer Busybox code from Kamikaze (available as a separate package). Apparently the code that requests a DHCP address via the WAN port generates fairly large packets, and a small number of people seem to have problems getting an IP address under certain circumstances because of this, and it looks like RoadRunner's servers are one of those cases. The new Busybox includes code to trim the packs to eliminate extra padding that really served no useful purpose, and I'm now able to pick up an IP address just fine. That looks to be my last technical hurdle on putting this into production here. All I need to do now are fine tune my firewall rules for port handling, and I should be good to go. Now all I need is some free time to get that worked out... ;)

Serial hack

2006-11-23T05:01:36Z

Last entry I wrote a bit about having to improvise a serial connection. Here are the details on what I did to get this working. As I mentioned, I happened to have a spare Keyspan USB Twin Serial adapter, a USB to Mac DIN-8 serial adapter left over from a past project. The big fuss with adding a serial port to a Linksys (or similar) router is that most such devices have an RS-232-ish connection available internally, but the voltages aren't at the proper levels (generally 3v instead of 12), and a bit of circuitry is needed to boost these levels to something compatible with most RS-232 gear. I was able to bypass those issues using this adapter, as I'll explain below. Click the image for a larger view...

]]> data sheet online, my assumption was confirmed (the bits I cared about anyway). I'm going to step back a moment and admit that I originally rushed things more than what I'm laying out here. When I first started ripping into things to get a serial port going quickly, I didn't remember the exact voltages RS422 used, and had totally forgotten about the negative voltages. What I was actually wanting to do was find the lines this chip was using to feed the other ICs, not tap into the side connected to the DIN8 connector. It just happened that during testing I was only intermittently getting the data stream I was expecting, which turned out to be when I was accidentally touching the wrong pin, a happy accident, and after checking the pin description, all the pieces fell into place. So, armed with this new knowledge, pins 7 (TxD+) and 12 (RxD+) were what I was after, I cut the ends off an old phone cord and soldered wires directly to the chip, and a 3rd wire to ground, conveniently provided on the metal shield around the DIN8 connectors. From there, I soldered the opposite end of the cable directly to the pads for the serial connection on the WRTSL54GS, powered the router up and watched the data flow across the Zterm window, and everything was working great. I've since put the cases back onto both devices, but left the cable attached and the screws a bit loose so as not to pinch the cable. Eventually I'll get around to putting a decent connector on the router, and probably wire up a real DIN8 connector for the other end, but until then this setup is working just fine.

Bricked... and fixed

2006-11-18T01:21:37Z

Thanks to some firmware changes gone wrong, my router became unresponsive, and wouldn't even properly boot. I wasn't even able to get the failsafe mode working. I had planned on eventually adding a serial port to the router, but hadn't done so yet, and wanted to get it up and running asap. Digging up an old Keyspan USB-Serial adapter, I stripped an old phone cable and soldered the wires directly to the pads for the (missing) RS-232 connection on the router, and soldered the other ends to appropriate pins on one of the chips in the Keyspan adapter, and (much to my surprise) started getting serial output. I'll post pics and some additional details in a future entry.

Firewall

2006-10-21T02:17:58Z

It looks like setting up the firewall rules are going to be the trickiest thing here, using the iptables commands. Since I'm replacing an existing router with several existing rules, and I don't want the web/mail server to be down any longer than I have to, I'm going to take some time and learn this stuff before I try swapping things out. I've seen a number of sample scripts in the OpenWRT forums, so I don't think this should be too terribly difficult once I get to that point. One thing that I'm noticing a lot of is that the commands get repeated over and over for each port/server being processed. Once I get my rules working, it would seem that setting these up in a loop would end up being a lot cleaner to maintain, just add a new server address and the desired ports, and let the code loop through all the dirty work.

OpenWRT Installed

2006-10-19T01:45:46Z

This went well, just a matter of uploading the new firmware (OpenWRT version RC5). Only thing I didn't really like was that it forced a 'secure' password, combination of lower/uppercase and numbers. Most of my home stuff had passwords that didn't fit this format, so I had to come up with something new. Turns out that after setting a secure password, it can then be changed, and the new password checking isn't quite as strict, so I was able to use my existing router password. Nice.