<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
   <channel>
      <title>WRTSL54GS Adventures</title>
      <link>http://www.themailshack.com/WRTSL54GS/</link>
      <description></description>
      <language>en-us</language>
      <copyright>Copyright 2008</copyright>
      <lastBuildDate>Wed, 25 Jun 2008 01:55:37 -0600</lastBuildDate>
      <generator>http://www.sixapart.com/movabletype/</generator>
      <docs>http://blogs.law.harvard.edu/tech/rss</docs> 

            <item>
         <title>New Kamikaze coming...</title>
         <description>Due in August.  Time to prep my backup router...</description>
         <link>http://www.themailshack.com/WRTSL54GS/2008/06/new_kamikaze_coming.html</link>
         <guid>http://www.themailshack.com/WRTSL54GS/2008/06/new_kamikaze_coming.html</guid>
        
        
         <pubDate>Wed, 25 Jun 2008 01:55:37 -0600</pubDate>
      </item>
            <item>
         <title>Restricting URLs</title>
         <description>There is probably a better way to do this, but I&apos;ve gotten tired of my son screwing around on the net and not doing his homework, so I&apos;ve decided to block a few sites at the router.  His system uses DHCP addressing, so he picks up the DNS server info from OpenWRT, which till now just passed along those requests to the configured ISP DNS servers.  My other systems are on static, and have these DNS entries listed manually.

So, it seemed to be an easy process to insert a few entries into the /etc/hosts file on the router.</description>
         <link>http://www.themailshack.com/WRTSL54GS/2008/02/restricting_urls.html</link>
         <guid>http://www.themailshack.com/WRTSL54GS/2008/02/restricting_urls.html</guid>
        
        
         <pubDate>Tue, 26 Feb 2008 20:53:38 -0600</pubDate>
      </item>
            <item>
         <title>Kamikaze again</title>
         <description>I&apos;m going to take another crack at installing Kamikaze on my new spare WRTSL54GS that I picked up before the holidays.  After I install a new serial jack on it, that is.  :)

I&apos;ve had this one just idling with power on and nothing else hooked up as a burn in test, since it&apos;s still chugging I think I&apos;m past the issue I had with my last spare router now.</description>
         <link>http://www.themailshack.com/WRTSL54GS/2008/01/kamikaze_again.html</link>
         <guid>http://www.themailshack.com/WRTSL54GS/2008/01/kamikaze_again.html</guid>
        
        
         <pubDate>Thu, 10 Jan 2008 13:42:16 -0600</pubDate>
      </item>
            <item>
         <title>Smoked router</title>
         <description>A few weeks ago, I had purchased a spare WRTSL54GS to do testing on, and unfortunately shortly after installing a new serial port (installed almost immediately after opening the box) and then installing Kamikaze, discovered that the router had become unresponsive after just a few days.

Consulting several experts led me to believe that the router was bricked.  I shipped it off to a friend to verify, and all indications are that I had experienced an actual hardware failure, possibly as a result of a power fluctuation here (something I had ignored at the time, but now seems likely to have been the culprit).  It is also possible I had bad hardware from the factory, but as I had quickly modified it, I had no way of knowing if it may have been bad originally.  Bummer.</description>
         <link>http://www.themailshack.com/WRTSL54GS/2007/07/smoked_router.html</link>
         <guid>http://www.themailshack.com/WRTSL54GS/2007/07/smoked_router.html</guid>
        
        
         <pubDate>Fri, 27 Jul 2007 20:16:50 -0600</pubDate>
      </item>
            <item>
         <title>Printing on home LAN via internet</title>
         <description><![CDATA[A bit of trickery to print to a printer on my home LAN via the internet.  The example below assumes the printer is being connected to externally on port 12345, and actually accepts connections on port 9100 (HP Jet Direct).

Tested and working, but may not be perfect.  OS X wasn't able to identify the printer model automatically, but setting this manually let the jobs print normally.

<tt>
# Printer
iptables -t nat -A prerouting_rule -d $WANIP -p tcp --dport 12345 -j DNAT --to 192.168.1.99:9100
iptables        -A forwarding_rule -d 192.168.1.99 -p tcp --dport 9100 -j ACCEPT
iptables -t nat -A postrouting_rule -o $LAN -p tcp -s $network -d 192.168.1.99 -m multiport --dports 9100 -j SNAT --to-source $WANIP
</tt>
]]></description>
         <link>http://www.themailshack.com/WRTSL54GS/2007/06/printing_on_home_lan_via_inter.html</link>
         <guid>http://www.themailshack.com/WRTSL54GS/2007/06/printing_on_home_lan_via_inter.html</guid>
        
        
         <pubDate>Fri, 08 Jun 2007 21:45:45 -0600</pubDate>
      </item>
            <item>
         <title>IP Tables</title>
         <description><![CDATA[For posterity, here is my working iptables config:

<tt>
#!/bin/sh
. /etc/functions.sh

WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)

iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule

# Note: Firewall must be re-run if WAN IP address changes
WANIP=`ifconfig $WAN | grep inet\ addr | sed -r 's/.*inet addr:([0-9.]+) .*/\1/'`
network="192.168.1.0/24"
server="192.168.1.10"

iptables -t nat -A postrouting_rule -o $WAN -j SNAT --to-source $WANIP
</tt>

There you have the basic setup.  The variable WANIP will find the current IP address of the WAN interface, network is whatever you have defined for your local LAN, and server is the server you're routing ports to.  You could easily define server2, server3, etc, for as many systems as you want to map here.


<tt>
# identd
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 113 -j ACCEPT
iptables        -A input_rule      -i $WAN -p tcp --dport 113 -j ACCEPT
</tt>

This is my config for identd (still not working for some reason?) to open the correct port, and set up the router itself to answer on this port (that part, at least, works).


<tt>
# Lines below let WAN address work from LAN
# SMTP
iptables -t nat -A prerouting_rule -d $WANIP -p tcp --dport 25 -j DNAT --to $server:25
iptables        -A forwarding_rule -d $server -p tcp --dport 25 -j ACCEPT
iptables -t nat -A postrouting_rule -o $LAN -p tcp -s $network -d $server -m multiport --dports 25 -j SNAT --to-source $WANIP

# HTTP
iptables -t nat -A prerouting_rule -d $WANIP -p tcp --dport 80 -j DNAT --to $server:80
iptables        -A forwarding_rule -d $server -p tcp --dport 80 -j ACCEPT
iptables -t nat -A postrouting_rule -o $LAN -p tcp -s $network -d $server -m multiport --dports 80 -j SNAT --to-source $WANIP

# POP/IMAP
iptables -t nat -A prerouting_rule -d $WANIP -p tcp --dport 110 -j DNAT --to $server:110
iptables        -A forwarding_rule -d $server -p tcp --dport 110 -j ACCEPT
iptables -t nat -A postrouting_rule -o $LAN -p tcp -s $network -d $server -m multiport --dports 110 -j SNAT --to-source $WANIP

iptables -t nat -A prerouting_rule -d $WANIP -p tcp --dport 143 -j DNAT --to $server:143
iptables        -A forwarding_rule -d $server -p tcp --dport 143 -j ACCEPT
iptables -t nat -A postrouting_rule -o $LAN -p tcp -s $network -d $server -m multiport --dports 143 -j SNAT --to-source $WANIP
</tt>

Opening up various ports that will be handled by 'server', and tricking things so that requests via the LAN port for the WANIP will get routed correctly, so you can use your own external domain name internally (default router config doesn't allow this to work).  This was the tricky bit solved in the forum thread mentioned in my last post.


<tt>
# Access webif from WAN on port 65321
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 65321 -j DNAT --to :80
iptables        -A input_rule      -i $WAN -p tcp --dport 80 -j ACCEPT
</tt>

This took a small bit of research.  This will redirect port 65321 from the WAN side to port 80 on the router itself, in case you want the router's web interface to be accessible externally.  Use this same trick if you wanted to SSH into the router, or externally access any other router specific service by remapping the port.]]></description>
         <link>http://www.themailshack.com/WRTSL54GS/2007/05/ip_tables.html</link>
         <guid>http://www.themailshack.com/WRTSL54GS/2007/05/ip_tables.html</guid>
        
        
         <pubDate>Thu, 03 May 2007 23:32:08 -0600</pubDate>
      </item>
            <item>
         <title>WRTSL54GS finally in production</title>
         <description><![CDATA[After a few months of tinkering with getting to know this guy, and doing my final (for now?) hardware mod and getting a proper serial connection in place, I've finally replaced my old Asante router that had served me well these last several years.

The trickiest bit was figuring out the iptables command and setting things up so that I could access my web/mail server via the LAN using the WAN address (so I could refer to it by name instead of a local IP).  <a href="http://forum.openwrt.org/viewtopic.php?id=7716" target="_blank">This posting</a> over on the OpenWRT forums was a great help in doing exactly what I needed.]]></description>
         <link>http://www.themailshack.com/WRTSL54GS/2007/04/wrtsl54gs_finally_in_productio.html</link>
         <guid>http://www.themailshack.com/WRTSL54GS/2007/04/wrtsl54gs_finally_in_productio.html</guid>
        
        
         <pubDate>Sun, 22 Apr 2007 14:41:56 -0600</pubDate>
      </item>
            <item>
         <title>Serial upgrade complete</title>
         <description><![CDATA[My <a title="TTL-232R-3V3-AJ USB - TTL Level Serial Converter" href="http://www.ftdichip.com/Products/EvaluationKits/TTL-232R-3V3-AJ.htm" target="_blank">TTL-232R-3V3-AJ USB cables</a> arrived last week (I ordered a spare), a quick test after installing the OS X driver indicated that I was indeed seeing a new serial port after plugging the cable in, so it was now time to replace my hacked Keyspan interface with a clean looking 3.5mm stereo audio jack on my WRT.  Having it in the back with the other ports would have been ideal, but there was just no real estate left.  I opted for the top case opposite the antenna jack.


<img src="http://www.themailshack.com/WRTSL54GS/wrt_jack_cable.jpg">


I wish now that I'd had some heat shrink tubing on hand for the jack, but I'm not planning to go back to fix that unless I have to.  A quick desoldering of my old cable from the underside of the board and soldering the new cable to the top of the board and I was in business.  


<img src="http://www.themailshack.com/WRTSL54GS/Serial_hack.jpg">]]></description>
         <link>http://www.themailshack.com/WRTSL54GS/2007/04/serial_upgrade_complete.html</link>
         <guid>http://www.themailshack.com/WRTSL54GS/2007/04/serial_upgrade_complete.html</guid>
        
        
         <pubDate>Sun, 22 Apr 2007 13:34:39 -0600</pubDate>
      </item>
            <item>
         <title>USB Serial cable</title>
         <description><![CDATA[A recent post in the OpenWRT forums highlighted the <a title="TTL-232R-3V3-AJ USB - TTL Level Serial Converter" href="http://www.ftdichip.com/Products/EvaluationKits/TTL-232R-3V3-AJ.htm" target="_blank">TTL-232R-3V3-AJ USB cable</a>, a TTL Level Serial Converter, or in other words, it takes a 3.3v RS-232 signal and converts it to USB, perfect for use with my WRTSL54GS, thanks to the fact that they also have Mac drivers available.  This will allow me to ditch (with some slight regret) my hacked USB serial interface, and simply add a clean looking 3.5mm stereo audio connector to the side of my WRT, which this cable will plug right into.

Several versions of this cable are available for 5v and 3.3v sources, with several alternate ends, the AJ (Audio Jack) version to me seems the most flexible to adding a serial interface as it is easily removable from the unit when not needed.
]]></description>
         <link>http://www.themailshack.com/WRTSL54GS/2007/04/usb_serial_cable.html</link>
         <guid>http://www.themailshack.com/WRTSL54GS/2007/04/usb_serial_cable.html</guid>
        
        
         <pubDate>Sun, 15 Apr 2007 23:54:16 -0600</pubDate>
      </item>
            <item>
         <title>OpenWRT WhiteRussian 0.9</title>
         <description><![CDATA[The 'final' build WhiteRussian has been out for a while now, version 0.9 is supposed to be the end of the line, with work now focusing on the Kamikaze builds.  Nightly snapshots have been getting posted at <a href="http://openwrt.org">openwrt.org</a>, but I'll be sticking with the stable 0.9 release for a while.

I still need to dig in and figure out <tt>iptables</tt>, the code that controls the firewall and NAT settings, it's a lot trickier than what I'm used to, and there aren't a lot of great examples online that I've been able to find so far.]]></description>
         <link>http://www.themailshack.com/WRTSL54GS/2007/03/openwrt_whiterussian_09.html</link>
         <guid>http://www.themailshack.com/WRTSL54GS/2007/03/openwrt_whiterussian_09.html</guid>
        
        
         <pubDate>Thu, 01 Mar 2007 21:25:37 -0600</pubDate>
      </item>
            <item>
         <title>Updated Busybox</title>
         <description>I&apos;m now running OpenWRT R6 on the router, and I also had to upgrade to the newer Busybox code from Kamikaze (available as a separate package).  Apparently the code that requests a DHCP address via the WAN port generates fairly large packets, and a small number of people seem to have problems getting an IP address under certain circumstances because of this, and it looks like RoadRunner&apos;s servers are one of those cases.  The new Busybox includes code to trim the packets to eliminate extra padding that really served no useful purpose, and I&apos;m now able to pick up an IP address just fine.

That looks to be my last technical hurdle on putting this into production here.  All I need to do now are fine tune my firewall rules for port handling, and I should be good to go.  Now all I need is some free time to get that worked out...  ;)</description>
         <link>http://www.themailshack.com/WRTSL54GS/2007/01/updated_busybox.html</link>
         <guid>http://www.themailshack.com/WRTSL54GS/2007/01/updated_busybox.html</guid>
        
        
         <pubDate>Tue, 09 Jan 2007 22:53:44 -0600</pubDate>
      </item>
            <item>
         <title>Serial hack</title>
         <description><![CDATA[Last entry I wrote a bit about having to improvise a serial connection.  Here are the details on what I did to get this working.  As I mentioned, I happened to have a spare <a href="http://www.keyspan.com/products/usb/usa28x/homepage.spml" target="_blank">Keyspan USB Twin Serial adapter</a>, a USB to Mac DIN-8 serial adapter left over from a past project.  The big fuss with adding a serial port to a Linksys (or similar) router is that most such devices have an RS-232-ish connection available internally, but the voltages aren't at the proper levels (generally 3v instead of 12), and a bit of circuitry is needed to boost these levels to something compatible with most RS-232 gear.  I was able to bypass those issues using this adapter, as I'll explain below.

Click the image for a larger view...<br><a href="http://www.themailshack.com/WRTSL54GS/keyspan.jpg" target="_blank"><img src="http://www.themailshack.com/WRTSL54GS/keyspan_thumb.jpg"></a><br>
]]></description>
         <link>http://www.themailshack.com/WRTSL54GS/2006/11/serial_hack_1.html</link>
         <guid>http://www.themailshack.com/WRTSL54GS/2006/11/serial_hack_1.html</guid>
        
        
         <pubDate>Wed, 22 Nov 2006 23:01:36 -0600</pubDate>
      </item>
            <item>
         <title>Bricked... and fixed</title>
         <description>Thanks to some firmware changes gone wrong, my router became unresponsive, and wouldn&apos;t even properly boot.  I wasn&apos;t even able to get the failsafe mode working.  I had planned on eventually adding a serial port to the router, but hadn&apos;t done so yet, and wanted to get it up and running asap.

Digging up an old Keyspan USB-Serial adapter, I stripped an old phone cable and soldered the wires directly to the pads for the (missing) RS-232 connection on the router, and soldered the other ends to appropriate pins on one of the chips in the Keyspan adapter, and (much to my surprise) started getting serial output.  I&apos;ll post pics and some additional details in a future entry.</description>
         <link>http://www.themailshack.com/WRTSL54GS/2006/11/bricked_and_fixed.html</link>
         <guid>http://www.themailshack.com/WRTSL54GS/2006/11/bricked_and_fixed.html</guid>
        
        
         <pubDate>Fri, 17 Nov 2006 19:21:37 -0600</pubDate>
      </item>
            <item>
         <title>Firewall</title>
         <description>It looks like setting up the firewall rules is going to be the trickiest thing here, using the iptables commands.  Since I&apos;m replacing an existing router with several existing rules, and I don&apos;t want the web/mail server to be down any longer than I have to, I&apos;m going to take some time and learn this stuff before I try swapping things out.

I&apos;ve seen a number of sample scripts in the OpenWRT forums, so I don&apos;t think this should be too terribly difficult once I get to that point.  One thing that I&apos;m noticing a lot of is that the commands get repeated over and over for each port/server being processed.  Once I get my rules working, it would seem that setting these up in a loop would end up being a lot cleaner to maintain, just add a new server address and the desired ports, and let the code loop through all the dirty work.</description>
         <link>http://www.themailshack.com/WRTSL54GS/2006/10/firewall.html</link>
         <guid>http://www.themailshack.com/WRTSL54GS/2006/10/firewall.html</guid>
        
        
         <pubDate>Fri, 20 Oct 2006 20:17:58 -0600</pubDate>
      </item>
            <item>
         <title>OpenWRT Installed</title>
         <description>This went well, just a matter of uploading the new firmware (OpenWRT version RC5).  Only thing I didn&apos;t really like was that it forced a &apos;secure&apos; password, combination of lower/uppercase and numbers.  Most of my home stuff had passwords that didn&apos;t fit this format, so I had to come up with something new.

Turns out that after setting a secure password, it can then be changed, and the new password checking isn&apos;t quite as strict, so I was able to use my existing router password.  Nice.</description>
         <link>http://www.themailshack.com/WRTSL54GS/2006/10/openwrt_installed.html</link>
         <guid>http://www.themailshack.com/WRTSL54GS/2006/10/openwrt_installed.html</guid>
        
        
         <pubDate>Wed, 18 Oct 2006 19:45:46 -0600</pubDate>
      </item>
      
   </channel>
</rss>
