OpenWRT
Contents
- OpenWRT
- About
- Basics
- USB storage
- opkg
- System upgrades
- System recovery
- DHCP options
- DNS with dnsmasq
- Dynamic DNS
- Adblock
- Wake on LAN
- Windows shares
- VPN
- UPnP
- Software Flow Offloading
- SQM (Smart Queue Management)
- Troubleshooting
- DSL
- DOCSIS 3.1
- Omnia Turris
- TP-Link Archer C7 v5
About
The OpenWrt Project is a Linux operating system targeting embedded devices. Instead of trying to create a single, static firmware, OpenWrt provides a fully writable filesystem with package management. This frees you from the application selection and configuration provided by the vendor and allows you to customize the device through the use of packages to suit any application. For developers, OpenWrt is the framework to build an application without having to build a complete firmware around it; for users this means the ability for full customization, to use the device in ways never envisioned.
Forum
Comments on router security
Source Code
Mailing Lists
Youtube
Basics
Fallback behaviour
Please note that if you apply a configuration change in LuCI and the browser cannot reach LuCI again within 90 s (you locked yourself out), the change is reverted.
This is a life-saver! Such a nice feature.
Please remind yourself to stay calm. It's not bricked yet. Just don't pull cables or power it off.
On the other hand, this means that some changes are subject to tight timing. :-D
Please keep this in mind.
Set a password
Factory OpenWRT comes with no password set for the user root.
grep root /etc/shadow
root::0:0:99999:7:::
Set a root password via CLI
passwd
Or via Luci - System > Administration
Essential packages
Packages you just need on a networking device
Shell profile
I like creating an additional file with some commands for convenience, so as not to mess up the original file too much
/etc/profile.local
To activate this file, add this to /etc/profile
[ -e /etc/profile.local ] && source /etc/profile.local
Logging
You probably don't need a log file; it only fills up your system memory. OpenWRT System Configuration
logread to access logd membuffer
dmesg to access kernel messages
Read and follow the log buffer
logread -f
LUCI
Install bare LUCI
HTTPS
Install LuCI HTTPS support
opkg update
opkg install luci-ssl luci-app-uhttpd
/etc/init.d/uhttpd restart
4+0 records in
4+0 records out
Generating RSA private key, 2048 bit long modulus
Generating selfsigned certificate with subject 'C=ZZ,ST=Somewhere,L=Unknown,O=OpenWrtcbba6ded,CN=OpenWrt,' and validity 20210315195149-20230315195149
The automatic redirection can then be enabled in the uhttpd app of the webfrontend.
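As an added example (not from the original notes), a small script that checks the two items above from the shell: whether root still has the empty factory password, by reading the second field of the root entry in /etc/shadow, and whether uhttpd's redirect_https option is on; enable_https_redirect sets that option with uci, the CLI counterpart of the setting in the LuCI uhttpd app. The function names, the --check switch and the optional shadow-file argument are this example's own.

```shell
#!/bin/sh
# Added example: post-install checks for the root password and the LuCI HTTPS redirect.
# Nothing runs on load unless the script is invoked with --check, so the functions
# can also be sourced from another script.

# Print "empty", "locked", "set" or "missing" for the root entry of a shadow file.
# Usage: root_password_state [/etc/shadow]
root_password_state() {
	shadow="${1:-/etc/shadow}"
	entry="$(grep '^root:' "$shadow" 2>/dev/null | head -n 1)"
	[ -n "$entry" ] || { echo missing; return 1; }
	# the second colon-separated field is the password hash
	pwfield="$(printf '%s\n' "$entry" | cut -d: -f2)"
	case "$pwfield" in
		"")        echo empty ;;   # factory OpenWrt state: root logs in without a password
		'!'*|'*'*) echo locked ;;  # no password login possible at all
		*)         echo set ;;
	esac
}

# Print "on" or "off" depending on uhttpd.main.redirect_https (assumes uci is present).
https_redirect_state() {
	case "$(uci -q get uhttpd.main.redirect_https)" in
		1) echo on ;;
		*) echo off ;;
	esac
}

# Enable the HTTP -> HTTPS redirect from the CLI, same option the LuCI uhttpd app toggles.
enable_https_redirect() {
	uci set uhttpd.main.redirect_https='1'
	uci commit uhttpd
	/etc/init.d/uhttpd restart
}

if [ "${1:-}" = "--check" ]; then
	echo "root password:  $(root_password_state)"
	echo "https redirect: $(https_redirect_state)"
fi
```

Run it as `sh check.sh --check` on the router; "empty" for the root password is the state the grep above shows and the one to fix first.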
LUCI CSS
Adjust container max-width to make tables readable.
/www/luci-static/bootstrap/cascade.css
Reduce horizontal padding between table cells
…
USB storage
If you have only a very limited amount of space available (like 8 MiB on an Archer C7 v1), you can use an extroot with an overlayfs on a USB stick. Then the limited flash only needs to hold what is required to mount the "next" root filesystem.
Block device support -> USB-storage
Install additional ext4 utilities
opkg install e2fsprogs gdisk
Please take a look at
OpenWRT Fstab Configuration
Swap
Mount swap persistently
Extroot
OpenWRT - Extroot configuration
Create a directory for the partition "rootfs_data" (jffs2) (from flash rom)
Mount the new device and sync the current overlay directory
Mount usb drive persistently as overlay (on next boot)
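The three steps above written out as an added example script (not the notes' own commands); it follows the extroot procedure from the OpenWRT wiki page linked above and assumes the stick is /dev/sda2 (the device shown in the df output further down) and is already formatted. The function names, the --apply switch and the uuid_from_block_info helper are this example's own.

```shell
#!/bin/sh
# Added example: configure a USB partition as /overlay (extroot).
# Run with "--apply [device]" on the router; without it only the functions are defined.

# Pull the UUID out of a 'block info' line such as
#   /dev/sda2: UUID="..." LABEL="extroot" VERSION="1.0" TYPE="ext4"
uuid_from_block_info() {
	printf '%s\n' "$1" | sed -n 's/.*UUID="\([^"]*\)".*/\1/p'
}

# Step 1: keep the internal flash overlay (rootfs_data) reachable under /rwm,
# so the original overlay can still be inspected once the stick is the overlay.
mount_flash_overlay_at_rwm() {
	dev="$(sed -n -e '/\s\/overlay\s.*$/s///p' /etc/mtab)"
	uci -q delete fstab.rwm
	uci set fstab.rwm="mount"
	uci set fstab.rwm.device="$dev"
	uci set fstab.rwm.target="/rwm"
	uci commit fstab
}

# Step 2: copy the current overlay contents onto the stick.
sync_overlay_to() {
	mount "$1" /mnt
	tar -C /overlay -cvf - . | tar -C /mnt -xf -
	umount /mnt
}

# Step 3: mount the stick as /overlay on the next boot. Referencing it by UUID
# rather than /dev/sdX keeps the boot working if the device is renumbered.
configure_overlay_mount() {
	uuid="$(uuid_from_block_info "$(block info "$1")")"
	[ -n "$uuid" ] || { echo "no UUID found for $1, is it formatted?" >&2; return 1; }
	uci -q delete fstab.overlay
	uci set fstab.overlay="mount"
	uci set fstab.overlay.uuid="$uuid"
	uci set fstab.overlay.target="/overlay"
	uci commit fstab
}

if [ "${1:-}" = "--apply" ]; then
	DEVICE="${2:-/dev/sda2}"
	mount_flash_overlay_at_rwm
	configure_overlay_mount "$DEVICE"
	sync_overlay_to "$DEVICE"
	echo "extroot configured on $DEVICE, reboot to activate"
fi
```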
Good luck
reboot
Works
root@openwrt:~# df -h
Filesystem            Size   Used Available Use% Mounted on
/dev/root             2.5M   2.5M         0 100% /rom
tmpfs                60.8M  76.0K     60.7M   0% /tmp
/dev/sda2             3.1G   7.1M      3.0G   0% /overlay
overlayfs:/overlay    3.1G   7.1M      3.0G   0% /
tmpfs               512.0K      0    512.0K   0% /dev
/dev/mtdblock4        3.9M   3.0M    856.0K  78% /mnt/mtdblock4
opkg
Freeing up space
When removing a package, always specify its full name! Otherwise opkg reports that there are no packages to remove. Find the exact name of the installed package with
opkg list | grep package
Autoremove orphaned packages during removal of a "higher-level" package.
opkg remove --autoremove package
Remove a package and all packages that depend upon it.
opkg remove --force-removal-of-dependent-packages package
It can happen that you accidentally install a package that pulls in many dependencies and fills up the space on the device. Then opkg is not even able to write the state that the package was installed to its database. The files reside on disk and use up space, but the package cannot be removed, since it is not installed.
To fix this, I suggest:
- Free up space by forcefully uninstalling another "big" package (like libopenssl1.1). Make sure you remember to reinstall all the packages that were uninstalled later.
opkg remove --force-removal-of-dependent-packages libopenssl1.1
- Fully install the package that previously failed.
opkg install failed-package
- Uninstall the now fully installed, previously failed package and its dependencies.
opkg remove --autoremove failed-package
- Reinstall the packages you only uninstalled to free up space.
opkg install top-level-packages that pulled libopenssl1.1
A rather invasive script that purges the files of a package from disk. It should only be used if normal removal did not succeed.
/sbin/opkg_remove_partly_installed_packages.sh
#!/bin/sh
# takes one or more arguments: the names of the packages
# which didn't install correctly and
# should be removed along with their dependencies
# example: opkg_remove_partly_installed_packages.sh pulseaudio-daemon

if [ -z "$1" ]; then
	echo "Please specify one or more packages."
	exit 1
fi

opkg update

# get the download URLs of all packages that would be installed along with the given ones
# (opkg prints "Downloading http://.../name.ipk." for each of them; the trailing dot is stripped)
PACKAGES="$(opkg --force-space --noaction install "$@" \
	| grep "http:" \
	| cut -f 2 -d ' ' \
	| sed 's/\.$//')"

echo "The following packages will be destroyed:"
echo "$PACKAGES"

read -p "Check and confirm with 'yes': " CONFIRM_INPUT
if [ "$CONFIRM_INPUT" = "yes" ]; then
	echo "Confirmed. Exterminating packages."
else
	echo "Not confirmed - aborting."
	exit 0
fi

for i in $PACKAGES; do
	# list the files inside the package's data.tar.gz, deepest paths first,
	# and map "./path" to the overlay's upper directory where they were written
	LIST="$(wget -qO- "$i" \
		| tar -Oxz ./data.tar.gz \
		| tar -tz \
		| sort -r \
		| sed 's/^\./\/overlay\/upper/')"
	for f in $LIST; do
		if [ -f "$f" ]; then
			echo "Removing file $f"
			rm -f "$f"
		fi
		if [ -d "$f" ]; then
			cat <<-EOF
			Trying to remove directory '$f'
			(will only work on empty directories)
			EOF
			rmdir "$f"
		fi
	done
done

echo "You may need to reboot for the free space to become visible."
This is only a slightly improved version of this script
opkg manual upgrade
Please make sure you have enough space in your overlay filesystem (~8 MiB).
Upgrade the system in tmux
You may have to execute it more than once (e.g. if netifd is upgraded).
opkg_upgrade
Speeds up the process
/usr/local/sbin/opkg_upgrade
#!/bin/sh

# collect the names of all upgradable packages, ignoring opkg's "Not selecting" notes
PACKAGES="$(opkg list-upgradable \
	| grep -v '^Not selecting' \
	| awk '{print $1}')"

if [ -n "$PACKAGES" ]; then
	echo -e "Packages to be upgraded:\n$PACKAGES"
	read -p "Check and confirm with 'yes': " CONFIRM_INPUT
	if [ "$CONFIRM_INPUT" = "yes" ]; then
		echo "Confirmed, performing upgrade"
		# unquoted on purpose: one argument per package name
		opkg upgrade $PACKAGES
	else
		echo "Input invalid - aborting."
	fi
else
	echo "No packages to be upgraded."
	echo "Nothing to do - exiting ..."
fi
Make script executable
chmod u+x /usr/local/sbin/opkg_upgrade
Upgrade the system in tmux
You may have to execute it more than once (e.g. if netifd is upgraded).
Automatic opkg_upgrade
crontab -e
0 2 * * * echo yes | /usr/local/sbin/opkg_upgrade
System upgrades
Configure your backup
These files are kept during sysupgrades! Maintain this file carefully!
/etc/sysupgrade.conf
## This file contains files and directories that should
## be preserved during an upgrade.

# /etc/example.conf
# /etc/openvpn/

### docu
/etc/user_installed_pkg.list
/etc/sysbackup.tar.gz

### daemons
/etc/samba/
/etc/dropbear/
/etc/dnsmasq.hosts
/etc/collectd.conf
/etc/fwknop/
/etc/vsftpd/
/etc/vsftpd.conf
/etc/config/ahcpd
/etc/dnsmasq.conf
/etc/ppp/

### configs
/etc/screenrc

### login data
/etc/group
/etc/group-
/etc/passwd
/etc/passwd-
/etc/profile
/etc/profile.local
/etc/shadow
/etc/shadow-
/etc/login.defs

### system
/etc/config/
/etc/crontabs
/etc/dropbear/dropbear_rsa_host_key
/etc/exports
/etc/firewall.user
/etc/kresd/custom.conf
/etc/inittab
/etc/lvm/
#/etc/opkg
/etc/opkg/customfeeds.conf
/etc/opkg.conf
/etc/rc.local
/etc/sysctl.conf
/etc/sysctl.d/local.conf
/etc/sysupgrade.conf

### databases
/etc/ethers
/etc/hosts
/etc/protocols
/etc/services
/etc/shells

### scripts
/etc/listlinkedpkg.sh
/etc/listuserpackages.sh
/etc/opkg_color.sh
/sbin/opkg_upgrade
/sbin/opkg_remove_partly_installed_packages.sh
Check what is backed up
Create backup
Create a backup (e.g. to your overlay-fs)
%H%M%S is better than %T in the file name when copying via ssh/scp, because a colon is interpreted as the delimiter between host and remote path …
Secure the backup from another machine
SAVE
Restore backup
Perform the upgrade
sysupgrade -v /root/img-bin
If you were unlucky and bricked the device:
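An added example, not the notes' own commands, that carries the backup and upgrade steps above through from the shell with sysupgrade's -l (list), -b (create backup) and -r (restore) options. The file name is built with %H%M%S for the scp reason given above. BACKUP_DIR, the subcommand names and the helper functions are this example's choices.

```shell
#!/bin/sh
# Added example: list, create, fetch and restore a sysupgrade backup, then upgrade.
# Nothing runs unless one of the subcommands at the bottom is given.

BACKUP_DIR="/overlay/backup"

# Build a backup file name with %H%M%S rather than %T: a colon in the name would
# be taken by scp as the host/path separator when the file is fetched later.
backup_name() {
	stamp="${1:-$(date +%Y%m%d-%H%M%S)}"
	printf 'sysbackup-%s.tar.gz\n' "$stamp"
}

# Return 0 if a file name can be handed to scp as-is, 1 if it contains ':'.
scp_safe_name() {
	case "$1" in
		*:*) return 1 ;;
		*)   return 0 ;;
	esac
}

# Show what /etc/sysupgrade.conf plus the built-in defaults would preserve.
list_backup_contents() {
	sysupgrade -l
}

# Write the backup to the overlay and print its path.
create_backup() {
	mkdir -p "$BACKUP_DIR"
	name="$(backup_name)"
	scp_safe_name "$name" || { echo "refusing unsafe name $name" >&2; return 1; }
	sysupgrade -b "$BACKUP_DIR/$name" && echo "$BACKUP_DIR/$name"
}

# Keep a copy off the router; run this on the other machine, e.g.
#   scp root@192.168.1.1:/overlay/backup/sysbackup-20240101-120000.tar.gz .
restore_backup() {
	sysupgrade -r "$1"
}

# Flash a new image; -v prints what is preserved. Check the image's checksum first.
perform_upgrade() {
	sysupgrade -v "$1"
}

case "${1:-}" in
	list)    list_backup_contents ;;
	backup)  create_backup ;;
	restore) restore_backup "$2" ;;
	upgrade) perform_upgrade "$2" ;;
esac
```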
#System recovery
System recovery
TFTP
https://openwrt.org/docs/guide-user/troubleshooting/tftpserver
https://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol
Prepare TFTPD
You'll need root privileges:
- to install a TFTP daemon
- to bind to port 69/UDP
Classically, install atftpd and a tftp client
apt install atftpd tftp
The daemon is listening right from installation, wrapped by Wietse Venema's tcpd
TCPD
/etc/rlinetd.conf
# look for further configuration files elsewhere (ignore editor backup files)

directory "/etc/rlinetd.d" "" "(~|\.bak|\.swp|\.ucf-.*|\.dpkg-.*)$";

# set up some reasonable defaults

defaults {
	instances 5;
	# only making services available to your inside network?
	# interface 192.168.1.1;
}
/etc/rlinetd.d/tftp_udp
# This file was automatically generated by inetd2rlinetd

# Generated from: tftp dgram udp wait nobody /usr/sbin/tcpd /usr/sbin/in.tftpd --tftpd-timeout 300 --retry-timeout 5 --mcast-port 1758 --mcast-addr 239.239.239.0-255 --mcast-ttl 1 --maxthread 100 --verbose=5 /srv/tftp
service "tftp_udp" {
	enabled yes;
	protocol udp;
	port "tftp";
	user "nobody";
	exec "/usr/sbin/in.tftpd --tftpd-timeout 300 --retry-timeout 5 --mcast-port 1758 --mcast-addr 239.239.239.0-255 --mcast-ttl 1 --maxthread 100 --verbose=5 /srv/tftp";
	server "/usr/sbin/tcpd";
	wait yes;
}
Directory structure
The default config points to /srv/tftp. Let's create the directory structure, which should also be writeable by the group "tftp" for convenience.
You'll need to log off and on again to become a member of the group. :-/ Check it with id.
Prepare device specific files
In my specific case I broke a "BT Home Hub 5A". So I took a look at its device-specific OpenWRT page.
https://openwrt.org/toh/bt/homehub_v5a
I downloaded the bootloader image, the tftp-bootable install image and the current snapshot of OpenWRT and put them in a subdirectory of the tftpd root.
sudo install -o tobias -g tftp -m 2775 -d /srv/tftp/homehub_v5a
cd /srv/tftp/homehub_v5a
wget "https://github.com/mkresin/BTHH5a-installimage/releases/download/v1.0/lede-lantiq-bthomehubv5a_ram-u-boot.asc"
wget "https://github.com/mkresin/BTHH5a-installimage/releases/download/v1.0/lede-lantiq-xrx200-BTHOMEHUBV5A-installimage.bin"
wget "https://downloads.openwrt.org/snapshots/targets/lantiq/xrx200/openwrt-lantiq-xrx200-bt_homehub-v5a-squashfs-sysupgrade.bin"
ln -s /srv/tftp/homehub_v5a/lede-lantiq-xrx200-BTHOMEHUBV5A-installimage.bin \
	/srv/tftp/lede-lantiq-xrx200-BTHOMEHUBV5A-installimage.bin
ls -l /srv/tftp/homehub_v5a
insgesamt 18612
-rw-r--r-- 1 tobias tftp   853647  3. Nov 2017 lede-lantiq-bthomehubv5a_ram-u-boot.asc
-rw-r--r-- 1 tobias tftp 11387322  3. Nov 2017 lede-lantiq-xrx200-BTHOMEHUBV5A-installimage.bin
-rw-r--r-- 1 tobias tftp  6810208  1. Sep 02:01 openwrt-lantiq-xrx200-bt_homehub-v5a-squashfs-sysupgrade.bin
Test the connection
There is no command in tftp to change or list directories, so the file needs to be in the base directory and you need to know its filename.
Start the client and download a file
tobias@libertas ~ % tftp 192.168.1.10
tftp> ?
Commands may be abbreviated.  Commands are:

connect         connect to remote tftp
mode            set file transfer mode
put             send file
get             receive file
quit            exit tftp
verbose         toggle verbose mode
trace           toggle packet tracing
status          show current status
binary          set mode to octet
ascii           set mode to netascii
rexmt           set per-packet retransmission timeout
timeout         set total retransmission timeout
?               print help information
tftp> get lede-lantiq-xrx200-BTHOMEHUBV5A-installimage.bin
Transfer timed out.

### LOG SHOWED TCPD WAS MISSING
tftp> get lede-lantiq-xrx200-BTHOMEHUBV5A-installimage.bin
Received 11460682 bytes in 1.0 seconds
TFTP works!
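An added example that goes one step beyond the session above (it is not part of the original notes): TFTP has no authentication and no integrity protection of its own, so before an image is placed in the tftpd root it is checked against the sha256sums file that downloads.openwrt.org publishes next to each image, and the fetch is done non-interactively by feeding the client its commands on stdin. The function names are this example's own; the stdin form assumes the interactive tftp client reads its commands from stdin, as the session above suggests.

```shell
#!/bin/sh
# Added example: verify a firmware image against a sha256sums file and fetch it over TFTP.
# Nothing runs on load unless one of the subcommands at the bottom is given.

# verify_image IMAGE SUMSFILE
# Return 0 if SUMSFILE lists IMAGE's basename and the digest matches, 1 otherwise.
# sha256sums lines look like "<64 hex chars> *<filename>" (the "*" marks binary mode).
verify_image() {
	img="$1"
	sums="$2"
	name="$(basename "$img")"
	expected="$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums" | head -n 1)"
	[ -n "$expected" ] || { echo "$name: not listed in $sums" >&2; return 1; }
	actual="$(sha256sum "$img" | cut -d ' ' -f 1)"
	if [ "$actual" != "$expected" ]; then
		echo "$name: checksum mismatch (expected $expected, got $actual)" >&2
		return 1
	fi
	echo "$name: checksum OK"
}

# stage_image IMAGE SUMSFILE TFTPROOT
# Only copy an image into the TFTP root once its checksum has been verified.
stage_image() {
	verify_image "$1" "$2" || return 1
	install -m 0644 "$1" "$3/$(basename "$1")"
}

# fetch_image SERVER FILENAME
# Non-interactive equivalent of "tftp> get FILENAME" from the session above:
# force octet (binary) mode so the image is not mangled by netascii translation.
fetch_image() {
	printf 'binary\nget %s\nquit\n' "$2" | tftp "$1"
}

case "${1:-}" in
	verify) verify_image "$2" "$3" ;;
	stage)  stage_image "$2" "$3" "$4" ;;
	fetch)  fetch_image "$2" "$3" ;;
esac
```

Usage on the TFTP host: `sh tftp-image.sh stage openwrt-...-sysupgrade.bin sha256sums /srv/tftp`, after downloading sha256sums from the same directory as the image.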
Create serial connection
- Prepare a connection to the board (e.g. solder wires or headers)
- Adjust voltage of the USB-UART adapter
- Connect the serial adapter
- TX of the board to RX of the adapter
- RX of the board to TX of the adapter
- GROUND of the board to GROUND of the adapter
Your user should be a member of the unix group 'dialout'. Log off (completely) from the system and on again to gain membership.
sudo adduser tobias dialout
Establish a connection via the adapter with the respective parameters
In my case the boot-loader was still okay, but the kernel image could not be loaded.
Willkommen zu minicom 2.8

Optionen: I18n
Port /dev/ttyUSB0, 08:56:49

Drücken Sie CTRL-A Z für Hilfe zu speziellen Tasten

ROM VER: 1.1.4
CFG 06
NAND
NAND Read OK

DDR autotuning Rev 0.3d
DDR size from 0xa0000000 - 0xa7ffffff
DDR check ok... start booting...



U-Boot 2010.06-LANTIQ-v-2.2.46 (Dec 06 2013 - 02:39:45 on tester@clean-machine)

CLOCK CPU 500M RAM 250M
secure boot
DRAM:  125 MiB
NAND:  ONFI flash detected
ONFI param page 0 valid
NAND device: Manufacturer ID: 0x01, Chip ID: 0xf1 (AMD S34ML01G1)
128 MiB
Bad block table found at page 65472, version 0x01
Bad block table found at page 65408, version 0x01
In:    serial
Out:   serial
Err:   serial
Net:   Internal phy(GE) firmware version: 0x841b
vr9 Switch

Type "run flash_nfs" to mount root filesystem over NFS

Hit any key to stop autoboot:  0
Creating 1 MTD partitions on "nand0":
0x000000100000-0x000007f80000 : "mtd=0"
UBI: attaching mtd1 to ubi0
UBI: physical eraseblock size:   131072 bytes (128 KiB)
UBI: logical eraseblock size:    129024 bytes
UBI: smallest flash I/O unit:    2048
UBI: sub-page size:              512
UBI: VID header offset:          512 (aligned 512)
UBI: data offset:                2048
UBI: attached mtd1 to ubi0
UBI: MTD device name:            "mtd=0"
UBI: MTD device size:            126 MiB
UBI: number of good PEBs:        1012
UBI: number of bad PEBs:         0
UBI: max. allowed volumes:       128
UBI: wear-leveling threshold:    4096
UBI: number of internal volumes: 1
UBI: number of user volumes:     1
UBI: available PEBs:             997
UBI: total number of reserved PEBs: 15
UBI: number of PEBs reserved for bad PEB handling: 10
UBI: max/mean erase counter: 400/282
kernel volume not found
Wrong Image Format for bootm command
ERROR: can't get kernel image!
VR9 #
Das U-Boot
typically abbreviated as just "U-Boot"
GPLv2
Got dropped into the U-Boot shell
VR9 # help
?       - alias for 'help'
base    - print or set address offset
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
chpart  - change active partition
cmp     - memory compare
cp      - memory copy
crc32   - checksum calculation
dualimage- dualimage - sets openrg_start and openrg_size according to the current active image.

echo    - echo args to console
go      - start application at address 'addr'
help    - print command description/usage
loop    - infinite loop on address range
md      - memory display
mm      - memory modify (auto-incrementing address)
mtdparts- define flash/nand partitions
mtest   - simple RAM read/write test
mw      - memory write (fill)
nand    - NAND sub-system
nboot   - boot from NAND device
nm      - memory modify (constant address)
printenv- print environment variables
rarpboot- boot image via network using RARP/TFTP protocol
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
signverify- signverify - verify the active image signature and decryption if needed.

tftpboot- boot image via network using TFTP protocol
ubi     - ubi commands
upgrade - upgrade - forward/backward copy memory to pre-defined flash location

version - print monitor version
VR9 #
Display the version to acquire the matching manual
Display the environment to gather information like the server IP
VR9 # printenv
bootdelay=1
baudrate=115200
preboot=echo;echo Type \"run flash_nfs\" to mount root filesystem over NFS;echo
bootfile="openrg.img"
cert=-----BEGIN CERTIFICATE-----
MIICtjCCAZ4CCQCCD6si8HRyjDANBgkqhkiG9w0BAQUFADAdMQswCQYDVQQGEwJV
UzEOMAwGA1UEAxMFSnVuZ28wHhcNMTMxMjA1MjIzNjU0WhcNMzMxMjA1MjIzNjU0
WjAdMQswCQYDVQQGEwJVUzEOMAwGA1UEAxMFSnVuZ28wggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDQupk1RFBIK7J980ya9oDpV1g+bg+g6tWW0GHX2sof
xW5sF2NOvI73Y1hPDmfSfVeZSx8wWamb5Ihknm5hjP1fjrvXJ6iRoC9lbXgqYAV1
Rc1JVpV69ZLFDQLhT9+4VFAMMRyVFcd0TqlPyhlg8QEbzzczSznpphlnI4ZnYiqn
NNq1ZYNd4LIo7+W9is1ECi9oo02sPQN+k9NJWuM9BTSL8XfiAresYSSOZfiOnT3p
w9ZDJMiXCT1sa80LRsIJpPceAJ5OzHiN598ERgApsk8uMCr5QFndtDW/d0QRVANJ
EmjDtMcqg+JSdcMUgji6msE+0XFjFO+QnbxQPM+n53Q7AgMBAAEwDQYJKoZIhvcN
AQEFBQADggEBABTmjDTqZMGNEBsvVWo8ZW3X4FLx3uOgIZG9zc5ZiaU08c9UExeo
Tvei/mrHTLoxSI+nXDpP54FuKi6KIk87OWH/kS1HyXxoD9zmgXAbpqYMh//LzyKc
+gwxBpS/XQJLxnl0YLDfk5SR1BZsPWegc3V8TmS0U5CdxsJ5SDalvTbJrJMwlV3y
Z9xBPrtF5RGXwPDQICkX40u2vcvd8NkNa6OYb0Gcp7PfdwSmhmXXUY2btjjxORlF
1eT7mGL1PkmhEsMoviroWT5gNRJbxQszVqNiwH3tcMvrVo2/IODgtFVNIsjFj36G
YappoROYOJqf4JNcnSYUoR6tNyThYD7giNA=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIE7jCCA9agAwIBAgIJAJ/y7ShWD/6pMA0GCSqGSIb3DQEBBQUAMIGqMQswCQYD
VQQGEwJVSzEQMA4GA1UECBMHU3VmZm9sazEQMA4GA1UEBxMHSXBzd2ljaDEnMCUG
A1UEChMeQnJpdGlzaCBUZWxlY29tbXVuaWNhdGlvbnMgcGxjMRUwEwYDVQQLEwxD
UEUgUGxhdGZvcm0xEzARBgNVBAMTCkRhdmUgSmFtZXMxIjAgBgkqhkiG9w0BCQEW
E2RhdmUuZS5qYW1lc0BidC5jb20wHhcNMTMwMjAxMTE1MDQ2WhcNMzMwMjAxMTE1
MDQ2WjCBqjELMAkGA1UEBhMCVUsxEDAOBgNVBAgTB1N1ZmZvbGsxEDAOBgNVBAcT
B0lwc3dpY2gxJzAlBgNVBAoTHkJyaXRpc2ggVGVsZWNvbW11bmljYXRpb25zIHBs
YzEVMBMGA1UECxMMQ1BFIFBsYXRmb3JtMRMwEQYDVQQDEwpEYXZlIEphbWVzMSIw
IAYJKoZIhvcNAQkBFhNkYXZlLmUuamFtZXNAYnQuY29tMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAwFjjDbl9/PIunU8BHu/5wg24DParZe5SnPWxG+aF
51EWdhK0KamLU4ADxkdfRWLAufJsrt2b+AoG4qWwVjbE3HqPwXsrJNZoc6YBC0bB
Hfy7/u4jo/kd3iTQwgkhTmHRjJdTp4CL8WKPKCDe5qO3SuERp8wglHHzA+Ea7dH2
4KkEPK4wD8HAkX9wWhPipmxYIKG+YwjmQfeVggI6HgJ4gVHlol17ZjXiWFSoUTka
ziYbYf/i8f+ayM8mNV27zJ0LjhY5E50EhzI5QXFIoDBYNNfQJYWNT/NDGx9mr4G4
439XwK62yiG2CmNn6bjYlASqnMu0NHd6JcM7ASttVV4JiQIDAQABo4IBEzCCAQ8w
HQYDVR0OBBYEFGAe/bZoesow/+DWuRz9gManNE/SMIHfBgNVHSMEgdcwgdSAFGAe
/bZoesow/+DWuRz9gManNE/SoYGwpIGtMIGqMQswCQYDVQQGEwJVSzEQMA4GA1UE
CBMHU3VmZm9sazEQMA4GA1UEBxMHSXBzd2ljaDEnMCUGA1UEChMeQnJpdGlzaCBU
ZWxlY29tbXVuaWNhdGlvbnMgcGxjMRUwEwYDVQQLEwxDUEUgUGxhdGZvcm0xEzAR
BgNVBAMTCkRhdmUgSmFtZXMxIjAgBgkqhkiG9w0BCQEWE2RhdmUuZS5qYW1lc0Bi
dC5jb22CCQCf8u0oVg/+qTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IB
AQCFzVvT9EH8h+xM2xg/85SLaNIAAPrPN3tTknLix4+/NseGczl788bdFehdEGy2
2w27mBTxFIorGwM5z1etfr5a5AP5zEUbpRvJDZ47v5skQ0j7a73CxAiYD8NtqAZ8
kcxxIGmqisOy9wIcgzXB8Ezap0+erxBYwFaz11VWoo0yjEvxYS66vq0u/2YlZJOj
UkjRuycd+bz8hma3lP8TmOajxYyeVfUOd+x49Q/J2D5IEbyFhFjlS2Zs4VR6mR0R
P7N4ZJptV+OLGKra7rnhtz20FEUfd0Ju0OoWd9h0DPN1M/h/OFdtrTKijEsGab2I
VHKbpEVM7ObIIHGxmt6kWZho
-----END CERTIFICATE-----

mem=127M
phym=128M
ethaddr=00:E0:92:00:01:40
netdev=eth0
console=ttyS0
tftppath=
loadaddr=0x80800000
rootpath=/mnt/full_fs
rootfsmtd=/dev/mtdblock2
nfsargs= setenv bootargs root=/dev/nfs rw nfsroot=$(serverip):$(rootpath)
ramargs=setenv bootargs root=/dev/ram rw
addip=setenv bootargs $(bootargs) ip=$(ipaddr):$(serverip):$(gatewayip):$(netmask):$(hostname):$(netdev):on
addmisc=setenv bootargs $(bootargs) console=$(console),$(baudrate) ethaddr=$(ethaddr) phym=$(phym) mem=$(mem) panic=1 mtdparts=$(mtdparts) vpe1
flash_nfs=run nfsargs addip addmisc;bootm $(kernel_addr)
net_nfs=tftp $(loadaddr) $(tftppath)$(bootfile);run nfsargs addip addmisc;bootm
net_flash=tftp $(loadaddr) $(tftppath)$(bootfile); run flashargs addip addmisc; bootm
net_ram=tftp $(loadaddr) $(tftppath)$(bootfile); bootm
u-boot=u-boot.lq
rootfs=rootfs.img
firmware=firmware.img
fullimage=fullimage.img
totalimage=totalimage.img
load=tftp $(loadaddr) $(u-boot)
update=protect off 1:0-2;era 1:0-2;cp.b $(loadaddr) B0000000 $(filesize)
flashargs=setenv bootargs root=$(rootfsmtd) ro rootfstype=squashfs init=/etc/preinit
flash_flash=run flashargs addip addmisc; bootm $(kernel_addr)
update_nandboot=tftp $(loadaddr) $(tftppath)u-boot-nand.bin; nand erase 0 0x100000; nand write.partial $(loadaddr) 0 $(filesize); reset
ubi_init=setenv kernel_vol kernel;setenv rootfs_vol rootfs;setenv firmware_vol firmware;setenv kernel_id 0;setenv rootfs_id 1;setenv firmware_iw
update_kernel=tftpboot $(loadaddr) $(tftppath)$(bootfile);upgrade $(loadaddr) $(filesize)
update_bootloader=update_uboot;update gphyfirmware
update_rootfs=tftpboot $(loadaddr) $(tftppath)$(rootfs); upgrade $(loadaddr) $(filesize)
update_firmware=tftpboot $(loadaddr) $(tftppath)$(firmware);upgrade $(loadaddr) $(filesize)
update_fullimage=tftpboot $(loadaddr) $(tftppath)$(fullimage);upgrade $(loadaddr) $(filesize)
update_totalimage=tftpboot $(loadaddr) $(tftppath)$(totalimage);upgrade $(loadaddr) $(filesize)
reset_uboot_config=nand write.partial 80400000 $(f_ubootconfig_addr) $(f_ubootconfig_size)
reset_ddr_config=nand write.partial 80400000 $(f_ddrconfig_addr) $(f_ddrconfig_size)
mtdparts=mtdparts=nand0:0x07e80000@0x100000(UBI)
mtdids=nand0=nand0
part0_begin=0x00000000
part1_begin=0x00040000
part2_begin=0x000C0000
part3_begin=0x002C0000
part4_begin=0x06C40000
part5_begin=0x07040000
part6_begin=0x07080000
total_part=7
flash_end=0x07FFFFFF
data_block0=uboot
data_block1=firmware
data_block2=kernel
data_block3=rootfs
data_block4=sysconfig
data_block5=ubootconfig
data_block6=dectconfig
total_db=7
f_uboot_addr=0x00000000
f_uboot_size=0
f_ubootconfig_addr=0xA0000
f_ubootconfig_size=0x20000
f_ubootconfig_end=0x0704FFFF
f_gphy_firmware_addr=IFX_CFG_FLASH_GPHY_FIRMWARE_IMAGE_START_ADDR
f_gphy_firmware_size=IFX_CFG_FLASH_GPHY_FIRMWARE_IMAGE_SIZE
f_gphy_firmware_end=IFX_CFG_FLASH_GPHY_FIRMWARE_IMAGE_END_ADDR
f_kernel_addr=0x000C0000
f_kernel_size=0
f_kernel_end=IFX_CFG_FLASH_KERNEL_IMAGE_END_ADDR
f_rootfs_addr=0x002C0000
f_rootfs_size=0x6980000
f_rootfs_end=IFX_CFG_FLASH_ROOTFS_IMAGE_END_ADDR
f_firmware_addr=0x00040000
f_firmware_size=0
f_fwdiag_addr=IFX_CFG_FLASH_FIRMWARE_DIAG_START_ADDR
f_fwdiag_size=IFX_CFG_FLASH_FIRMWARE_DIAG_SIZE
f_sysconfig_addr=0x06C40000
f_sysconfig_size=0x400000
f_dectconfig_addr=0x07080000
f_dectconfig_size=0x40000
f_wlanconfig_addr= IFX_CFG_FLASH_WLAN_CFG_START_ADDR
f_wlanconfig_size=IFX_CFG_FLASH_WLAN_CFG_SIZE
f_ddrconfig_addr=0x000057E8
f_ddrconfig_size=24
f_ddrconfig_end=0x000057FF
ethact=vr9 Switch
ipaddr=192.168.1.1
serverip=192.168.1.10
bootcmd_openrg=ubi part UBI; dualimage; bootm $(openrg_start)
bootcmd=ubi part UBI; ubi read $(loadaddr) kernel; bootm $(loadaddr)
stdin=serial
stdout=serial
stderr=serial
ver=U-Boot 2010.06-LANTIQ-v-2.2.46 (Dec 06 2013 - 02:39:45 on tester@clean-machine)
partition=nand0,0
mtddevnum=0
mtddevname=UBI

Environment size: 6831/131068 bytes
Assign the serverip address to your machine and start the tftp server
sudo ip a add 192.168.1.10/24 dev bridge
Load the firmware image into RAM via TFTP and boot it from that address.
VR9 # tftpboot 0x81000000 lede-lantiq-xrx200-BTHOMEHUBV5A-installimage.bin; bootm 0x81000000
Using vr9 Switch device
TFTP from server 192.168.1.10; our IP address is 192.168.1.1
Filename 'lede-lantiq-xrx200-BTHOMEHUBV5A-installimage.bin'.
Load address: 0x81000000
Loading: #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #############################################################
done
Bytes transferred = 11387322 (adc1ba hex)
## Booting kernel from Legacy Image at 81000000 ...
   Image Name:   MIPS LEDE Linux-4.4.92
   Created:      2017-10-17  17:46:20 UTC
   Image Type:   MIPS Linux Kernel Image (uncompressed)
   Data Size:    11387258 Bytes = 10.9 MiB
   Load Address: 80002000
   Entry Point:  80002000
   Verifying Checksum ... OK
   Loading Kernel Image ... OK
OK

Starting kernel ...

[    0.000000] Linux version 4.4.92 (mkresin@desktop) (gcc version 5.4.0 (LEDE GCC 5.4.0 r3560-79f57e422d) ) #0 Tue Oct 17 17:46:20 2017
[    0.000000] SoC: xRX200 rev 1.2
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019556 (MIPS 34Kc)
[    0.000000] MIPS: machine is BTHOMEHUBV5A - BT Home Hub 5A
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 08000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32512
[    0.000000] Kernel command line: console=ttyLTQ0,115200
[    0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)
[    0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Writing ErrCtl register=00048046
[    0.000000] Readback ErrCtl register=00048046
[    0.000000] Memory: 117460K/131072K available (3778K kernel code, 162K rwdata, 792K rodata, 7412K init, 210K bss, 13612K reserved, 0K cma-re)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS:256
[    0.000000] Setting up vectored interrupts
[    0.000000] CPU Clock: 500MHz
[    0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041786 ns
[    0.000010] sched_clock: 32 bits at 250MHz, resolution 4ns, wraps every 8589934590ns
[    0.007856] Calibrating delay loop... 332.54 BogoMIPS (lpj=665088)
[    0.042316] pid_max: default: 32768 minimum: 301
[    0.047157] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.053723] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.066632] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns
[    0.076277] futex hash table entries: 256 (order: -1, 3072 bytes)
[    0.082481] pinctrl core: initialized pinctrl subsystem
[    0.088323] NET: Registered protocol family 16
[    0.097144] pinctrl-xway 1e100b10.pinmux: Init done
[    0.102666] dma-xway 1e104100.dma: Init done - hw rev: 7, ports: 7, channels: 28
[    0.212595] dcdc-xrx200 1f106a00.dcdc: Core Voltage : 1016 mV
[    0.218341] Can't analyze schedule() prologue at 80008f30
[    0.232232] PCI host bridge /fpi@10000000/pci@E105400 ranges:
[    0.237840]  MEM 0x0000000018000000..0x0000000019ffffff
[    0.243126]   IO 0x000000001ae00000..0x000000001affffff
[    0.366187] PCI host bridge /fpi@10000000/pcie@d900000 ranges:
[    0.385197] usbcore: registered new interface driver usbfs
[    0.390684] usbcore: registered new interface driver hub
[    0.396050] usbcore: registered new device driver usb
[    0.401470] PCI host bridge to bus 0000:00
[    0.405461] pci_bus 0000:00: root bus resource [mem 0x18000000-0x19ffffff]
[    0.412368] pci_bus 0000:00: root bus resource [io  0x1ae00000-0x1affffff]
[    0.419312] pci_bus 0000:00: root bus resource [??? 0x00000000 flags 0x0]
[    0.426168] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[    0.434684] pci 0000:00:0e.0: BAR 0: assigned [mem 0x18000000-0x1800ffff]
[    0.441566] PCI host bridge to bus 0000:01
[    0.445549] pci_bus 0000:01: root bus resource [mem 0x1c000000-0x1cffffff]
[    0.452462] pci_bus 0000:01: root bus resource [io  0x1d800000-0x1d8fffff]
[    0.459406] pci_bus 0000:01: root bus resource [??? 0x00000000 flags 0x0]
[    0.466262] pci_bus 0000:01: No busn resource found for root bus, will use [bus 01-ff]
[    0.474325] ifx_pcie_rc_class_early_fixup: fixed pcie host bridge to pci-pci bridge
[    0.492363] pci 0000:01:00.0: bridge configuration invalid ([bus 02-00]), reconfiguring
[    0.501131] pci 0000:01:00.0: BAR 8: assigned [mem 0x1c000000-0x1c1fffff]
[    0.507810] pci 0000:01:00.0: BAR 9: assigned [mem 0x1c200000-0x1c2fffff pref]
[    0.515079] pci 0000:02:00.0: BAR 0: assigned [mem 0x1c000000-0x1c1fffff 64bit]
[    0.522477] pci 0000:02:00.0: BAR 6: assigned [mem 0x1c200000-0x1c20ffff pref]
[    0.529742] pci 0000:01:00.0: PCI bridge to [bus 02]
[    0.534778] pci 0000:01:00.0:   bridge window [mem 0x1c000000-0x1c1fffff]
[    0.541635] pci 0000:01:00.0:   bridge window [mem 0x1c200000-0x1c2fffff pref]
[    0.549001] ifx_pcie_bios_map_irq port 0 dev 0000:01:00.0 slot 0 pin 1
[    0.555606] ifx_pcie_bios_map_irq dev 0000:01:00.0 irq 144 assigned
[    0.561948] ifx_pcie_bios_map_irq port 0 dev 0000:02:00.0 slot 0 pin 1
[    0.568614] ifx_pcie_bios_map_irq dev 0000:02:00.0 irq 144 assigned
[    0.575753] clocksource: Switched to clocksource MIPS
[    0.581994] NET: Registered protocol family 2
[    0.587124] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[    0.594010] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[    0.600392] TCP: Hash tables configured (established 1024 bind 1024)
[    0.606896] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.612741] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.619289] NET: Registered protocol family 1
[    0.750226] gptu: totally 6 16-bit timers/counters
[    0.755062] gptu: misc_register on minor 63
[    0.759156] gptu: succeeded to request irq 126
[    0.763645] gptu: succeeded to request irq 127
[    0.768160] gptu: succeeded to request irq 128
[    0.772672] gptu: succeeded to request irq 129
[    0.777185] gptu: succeeded to request irq 130
[    0.781699] gptu: succeeded to request irq 131
[    0.786527] phy-xrx200 gphy-xrx200: requesting lantiq/vr9_phy11g_a2x.bin
[    0.793849] phy-xrx200 gphy-xrx200: booting GPHY0 firmware at 7DA0000
[    0.800179] phy-xrx200 gphy-xrx200: booting GPHY1 firmware at 7DA0000
[    0.906906] No VPEs reserved for AP/SP, not initialize VPE loader
[    0.906906] Pass maxvpes=<n> argument as kernel argument
[    0.918258] No TCs reserved for AP/SP, not initializing RTLX.
[    0.918258] Pass maxtcs=<n> argument as kernel argument
[    0.930094] Crashlog allocated RAM at address 0x3f00000
[    0.954224] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.959950] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.973688] io scheduler noop registered
[    0.977494] io scheduler deadline registered (default)
[    0.983297] 1e100c00.serial: ttyLTQ0 at MMIO 0x1e100c00 (irq = 112, base_baud = 0) is a lantiq,asc
[    0.992189] console [ttyLTQ0] enabled
[    0.992189] console [ttyLTQ0] enabled
[    0.999517] bootconsole [early0] disabled
[    0.999517] bootconsole [early0] disabled
[    1.010669] nand: device found, Manufacturer ID: 0x01, Chip ID: 0xf1
[    1.015623] nand: AMD/Spansion S34ML01G1
[    1.019510] nand: 128 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 64
[    1.027561] Bad block table found at page 65472, version 0x01
[    1.033473] Bad block table found at page 65408, version 0x01
[    1.038787] 5 ofpart partitions found on MTD device 14000000.nand-parts
[    1.045220] Creating 5 MTD partitions on "14000000.nand-parts":
[    1.051116] 0x000000000000-0x0000000a0000 : "u-boot"
[    1.057847] 0x0000000a0000-0x0000000c0000 : "uboot-env"
[    1.063686] 0x0000000c0000-0x000000100000 : "unused"
[    1.069343] 0x000000100000-0x000007f80000 : "ubi"
[    1.074999] 0x000000000000-0x000008000000 : "nand_chip"
[    1.184128] libphy: lantiq,xrx200-mdio: probed
[    1.195818] net-xrx200: invalid MAC, using random
153 [ 1.260483] eth0: attached PHY [Lantiq XWAY PEF7071] (phy_addr=0:00, irq=-1)
154 [ 1.328455] eth0: attached PHY [Lantiq XWAY PEF7071] (phy_addr=0:01, irq=-1)
155 [ 1.396440] eth0: attached PHY [Lantiq XWAY VR9 GPHY 11G v1.4] (phy_addr=0:11, irq=-1)
156 [ 1.464439] eth0: attached PHY [Lantiq XWAY VR9 GPHY 11G v1.4] (phy_addr=0:13, irq=-1)
157 [ 1.532456] eth0: attached PHY [Lantiq XWAY PEF7071] (phy_addr=0:05, irq=-1)
158 [ 1.639789] ltq-cputemp cputemp@0: Current CPU die temperature: 46.0 °C
159 [ 1.645314] wdt 1f8803f0.watchdog: Init done
160 [ 1.652748] NET: Registered protocol family 10
161 [ 1.661748] NET: Registered protocol family 17
162 [ 1.664886] bridge: automatic filtering via arp/ip/ip6tables has been deprecated. Update your scripts to load br_netfilter if you need this.
163 [ 1.677400] 8021q: 802.1Q VLAN Support v1.8
164 [ 1.685693] UBI: auto-attach mtd3
165 [ 1.687374] ubi0: attaching mtd3
166 [ 1.853790] ubi0: scanning is finished
167 [ 1.867628] ubi0: attached mtd3 (name "ubi", size 126 MiB)
168 [ 1.871709] ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 129024 bytes
169 [ 1.878554] ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 512
170 [ 1.885255] ubi0: VID header offset: 512 (aligned 512), data offset: 2048
171 [ 1.892043] ubi0: good PEBs: 1012, bad PEBs: 0, corrupted PEBs: 0
172 [ 1.898136] ubi0: user volume: 1, internal volumes: 1, max. volumes count: 128
173 [ 1.905364] ubi0: max/mean erase counter: 400/282, WL threshold: 4096, image sequence number: 1019015774
174 [ 1.914849] ubi0: available PEBs: 987, total reserved PEBs: 25, PEBs reserved for bad PEB handling: 20
175 [ 1.924692] ubi0: background thread "ubi_bgt0d" start[ 1.952404] Freeing unused kernel memory: 7412K
176 [ 1.970683] init: Console is alive
177 [ 1.972972] init: - watchdog -
178 [ 1.984852] kmodloader: loading kernel modules from /etc/modules-boot.d/*
179 [ 1.996418] exFAT: Version 1.2.9
180 [ 2.032042] SCSI subsystem initialized
181 [ 2.041817] dwc2 1e101000.ifxhcd: requested GPIO 495
182 [ 2.899940] dwc2 1e101000.ifxhcd: DWC OTG Controller
183 [ 2.903534] dwc2 1e101000.ifxhcd: new USB bus registered, assigned bus number 1
184 [ 2.910860] dwc2 1e101000.ifxhcd: irq 62, io mem 0x00000000
185 [ 2.916379] dwc2 1e101000.ifxhcd: Hardware does not support descriptor DMA mode -
186 [ 2.923819] dwc2 1e101000.ifxhcd: falling back to buffer DMA mode.
187 [ 2.931284] hub 1-0:1.0: USB hub found
188 [ 2.934268] hub 1-0:1.0: 1 port detected
189 [ 2.941753] usbcore: registered new interface driver usb-storage
190 [ 2.947205] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
191 [ 2.956808] init: - preinit -
192 [ 3.126232] random: procd: uninitialized urandom read (4 bytes read, 13 bits of entropy available)
193 Press the [f] key and hit [enter] to enter failsafe mode
194 Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
195 [ 4.463898] eth0: port 4 got link
196 [ 6.281305] procd: - early -
197 [ 6.282899] procd: - watchdog -
198 [ 6.463781] eth0: port 4 lost link
199 [ 6.847919] procd: - watchdog -
200 [ 6.850063] procd: - ubus -
201 [ 6.902798] random: ubusd: uninitialized urandom read (4 bytes read, 28 bits of entropy available)
202 [ 6.910897] random: ubusd: uninitialized urandom read (4 bytes read, 28 bits of entropy available)
203 [ 6.919431] random: ubusd: uninitialized urandom read (4 bytes read, 28 bits of entropy available)
204 [ 6.928723] random: ubusd: uninitialized urandom read (4 bytes read, 28 bits of entropy available)
205 [ 6.937403] random: ubusd: uninitialized urandom read (4 bytes read, 28 bits of entropy available)
206 [ 6.946544] random: ubusd: uninitialized urandom read (4 bytes read, 28 bits of entropy available)
207 [ 6.955513] random: ubusd: uninitialized urandom read (4 bytes read, 28 bits of entropy available)
208 [ 6.964726] procd: - init -
209 Please press Enter to activate this console.
210 [ 7.143513] kmodloader: loading kernel modules from /etc/modules.d/*
211 [ 7.164503] kmodloader: done loading kernel modules from /etc/modules.d/*
212 [ 8.349749] random: jshn: uninitialized urandom read (4 bytes read, 34 bits of entropy available)
213 [ 8.415682] random: jshn: uninitialized urandom read (4 bytes read, 34 bits of entropy available)
214 [ 11.990047] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
215 [ 12.013700] device eth0 entered promiscuous mode
216 [ 12.049481] device eth0.1 entered promiscuous mode
217 [ 12.066598] IPv6: ADDRCONF(NETDEV_UP): br-lan: link is not ready
218 [ 12.468012] eth0: port 4 got link
219 [ 12.470049] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
220 [ 12.487896] br-lan: port 1(eth0.1) entered forwarding state
221 [ 12.492134] br-lan: port 1(eth0.1) entered forwarding state
222 [ 12.523801] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready
223 [ 14.495761] br-lan: port 1(eth0.1) entered forwarding state
224 [ 32.031805] random: nonblocking pool is initialized
225
226
227
228 BusyBox v1.25.1 () built-in shell (ash)
229
230 *******************************************************************************
231 * Guide for installing LEDE onto a BT Home Hub 5 Type A & clones *
232 *******************************************************************************
233
234 You need an USB flash drive with at least 512MB free capacity, formatted as
235 FAT32, exFAT or ext2/3/4, attached to the Hub. The attached flash drive will be
236 accessible at /tmp/mounts/<directory>.
237
238 To install LEDE, the USB flash drive must have a copy of the file:
239 lede-17.01.4-lantiq-xrx200-BTHOMEHUBV5A-squashfs-sysupgrade.bin
240
241 To restore the stock Firmware, the USB flash drive must have a copy of the
242 nanddump backup file (hh5a.nanddump) containing the stock Firmware.
243
244 LIST OF COMMANDS
245
246 To create a backup of the installed firmware (Take care to not overwrite
247 any previously made backup):
248 nanddump --file /tmp/mounts/<directory>/hh5a.nanddump /dev/mtd4
249
250 To install LEDE:
251 prepare
252
253 To restore stock firmware:
254 restore
255
256 TO UPGRADE FROM OpenWrt OR LEDE PRIOR TO r2363-0e34459e6b:
257
258 Restore the stock firmware and do a fresh install of LEDE.
259
260 If you don't have a backup of the stock firmware from your Hub, use the
261 experimental 'migrate' script. It is offered with no guarantee of success.
262 You are strongly advised to restore the stock firmware.
263
264 Please scroll back to view ALL of the above instructions.
265
266 root@LEDE:/#
267 root@LEDE:/# df -h
268 Filesystem Size Used Available Use% Mounted on
269 rootfs 57.4M 7.1M 50.2M 12% /
270 tmpfs 61.0M 56.0K 60.9M 0% /tmp
271 tmpfs 512.0K 0 512.0K 0% /dev
272 root@LEDE:/# cat /etc/openwrt_release
273 DISTRIB_ID='LEDE'
274 DISTRIB_RELEASE='17.01.4'
275 DISTRIB_REVISION='r3560-79f57e422d'
276 DISTRIB_CODENAME='reboot'
277 DISTRIB_TARGET='lantiq/xrx200'
278 DISTRIB_ARCH='mips_24kc'
279 DISTRIB_DESCRIPTION='LEDE Reboot 17.01.4 r3560-79f57e422d'
280 DISTRIB_TAINTS='no-all'
The system booted the image via TFTP.
So I copied the firmware file from my computer to the device (ipaddr=192.168.1.1):
cd /srv/tftp
# fetch the sysupgrade image from the OpenWrt snapshot server
wget https://downloads.openwrt.org/snapshots/targets/lantiq/xrx200/openwrt-lantiq-xrx200-bt_homehub-v5a-squashfs-sysupgrade.bin
# the device's old dropbear only offers a legacy key exchange; enable it client-side for this one connection
scp -o "KexAlgorithms +diffie-hellman-group14-sha1" \
    /srv/tftp/homehub_v5a/openwrt-lantiq-xrx200-bt_homehub-v5a-squashfs-sysupgrade.bin \
    192.168.1.1:/tmp
Perform the sysupgrade
1 root@LEDE:/# sysupgrade /tmp/openwrt-lantiq-xrx200-bt_homehub-v5a-squashfs-sysupgrade.bin
2 Device BTHOMEHUBV5A not supported by this image
3 Supported devices: bt,homehub-v5a BTHOMEHUBV5A - Image version mismatch: image 1.1, device 1.0. Please wipe config during upgrade (force required) or reinstall. Reason: Config cannot be migrated from swconfig to DSA
4 Image check 'fwtool_check_image' failed.
This upgrade can only be performed by forcing it and wiping the configuration (-F -n).
1 root@LEDE:/# sysupgrade -v -F -n /tmp/openwrt-lantiq-xrx200-bt_homehub-v5a-squashfs-sysupgrade.bin
2 Device BTHOMEHUBV5A not supported by this image
3 Supported devices: bt,homehub-v5a BTHOMEHUBV5A - Image version mismatch: image 1.1, device 1.0. Please wipe config during upgrade (force required) or reinstall. Reason: Config cannot be migrated from swconfig to DSA
4 Image check 'fwtool_check_image' failed but --force given - will update anyway!
5 killall: watchdog: no process killed
6 Watchdog handover: fd=3
7 - watchdog -
8 killall: telnetd: no process killed
9 Sending TERM to remaining processes ... ubusd logd netifd odhcpd mountd ntpd dnsmasq
10 Sending KILL to remaining processes ...
11 Volume ID 0, size 21 LEBs (2709504 bytes, 2.6 MiB), LEB size 129024 bytes (126.0 KiB), dynamic, name "kernel", alignment 1
12 Volume ID 1, size 33 LEBs (4257792 bytes, 4.1 MiB), LEB size 129024 bytes (126.0 KiB), dynamic, name "rootfs", alignment 1
13 Set volume size to 120379392
14 Volume ID 2, size 933 LEBs (120379392 bytes, 114.8 MiB), LEB size 129024 bytes (126.0 KiB), dynamic, name "rootfs_data", alignment 1
15 sysupgrade successful
16 umount: can't unmount /dev: Resource busy
17 umount: can't unmount /tmp: Resource busy
18 umount: can't unmoun[ 3161.612532] reboot: Re�
19 ROM VER: 1.1.4
20 CFG 06
21 NAND
22 NAND Read OK
23
24 DDR autotuning Rev 0.3d
25 DDR size from 0xa0000000 - 0xa7ffffff
26 DDR check ok... start booting...
27
28
29
30 U-Boot 2010.06-LANTIQ-v-2.2.46 (Dec 06 2013 - 02:39:45 on tester@clean-machine)
31
32 CLOCK CPU 500M RAM 250M
33 secure boot
34 DRAM: 125 MiB
35 NAND: ONFI flash detected
36 ONFI param page 0 valid
37 NAND device: Manufacturer ID: 0x01, Chip ID: 0xf1 (AMD S34ML01G1)
38 128 MiB
39 Bad block table found at page 65472, version 0x01
40 Bad block table found at page 65408, version 0x01
41 In: serial
42 Out: serial
43 Err: serial
44 Net: Internal phy(GE) firmware version: 0x841b
45 vr9 Switch
46
47 Type "run flash_nfs" to mount root filesystem over NFS
48 …
It came back up again.
UNBRICKED
Switch to DHCP (intermediate)
The BT Home Hub 5A has a VDSL2 WAN interface. Until DSL is configured we reconfigure the internal network (the LAN bridge) to obtain its IP address, DNS and gateway from an upstream DHCP server.
/etc/config/network
Restart the network service; this is easy to do when you are connected via UART, since the serial console survives the restart.
1 /etc/init.d/network restart
You may also register the MAC address of the bridge in the upstream DHCP server.
To run the device as a plain access point, also enable WiFi and disable its own DHCP server:
/etc/config/dhcp
Restart the DHCP-service
1 /etc/init.d/odhcpd restart
DHCP options
Please also see
IANA - Dynamic Host Configuration Protocol (DHCP) and Bootstrap Protocol (BOOTP) Parameters
IETF RFC5071 - Dynamic Host Configuration Protocol Options Used by PXELINUX
To push a custom DHCP option, add it in LuCI:
- Menu network: interfaces
- Choose the interface and press the "Edit" button
- Select tab DHCP Server
- Select sub-ordinated tab "Advanced Settings"
- There is a input-field "DHCP-Options"
- additional DNS servers: 6,192.168.2.1,6,192.168.3.1
- custom route: 121,192.168.2.0/24,192.168.1.1
- NTP servers: 42,192.168.182.1
- search domains: 119,lan,foo
- PXE TFTP server name: 66,192.168.182.16
- PXE boot file name: 67,pxelinux.0
- PXE configuration file: 209,pxelinux.cfg
Or configure it via CLI
/etc/config/dhcp
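The rows above are handed to dnsmasq, which encodes them into the binary DHCP options field. As an added example (this is not code from the page or from dnsmasq), the Python below encodes the classless static route row (option 121, RFC 3442) and the plain address-list rows, and decodes option 121 back, so the wire format of what the router pushes can be checked. The sample rows are constructed from the table above; the function names are this example's own.

```python
import ipaddress

# Constructed sample rows in the "code,value,..." form LuCI hands to dnsmasq,
# taken from the table above (one row per option).
SAMPLE_ROWS = [
    "6,192.168.2.1",
    "42,192.168.182.1",
    "121,192.168.2.0/24,192.168.1.1",
]


def encode_classless_routes(routes):
    """RFC 3442 option 121 payload: for each route the prefix length, only the
    significant octets of the destination, then the 4-octet router address."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=True)  # rejects host bits in the destination
        significant = (net.prefixlen + 7) // 8           # /24 -> 3 octets, /0 -> none
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_classless_routes(payload):
    """Inverse of encode_classless_routes; raises ValueError on a truncated payload."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        significant = (plen + 7) // 8
        dest = payload[i + 1:i + 1 + significant]
        router = payload[i + 1 + significant:i + 5 + significant]
        if plen > 32 or len(dest) != significant or len(router) != 4:
            raise ValueError("truncated or malformed option 121 payload")
        net = ipaddress.IPv4Network((dest + b"\x00" * (4 - significant), plen))
        routes.append((str(net), str(ipaddress.IPv4Address(router))))
        i += 5 + significant
    return routes


def encode_address_list(addrs):
    """Options 3, 6 and 42 carry a plain concatenation of 4-octet addresses."""
    return b"".join(ipaddress.IPv4Address(a).packed for a in addrs)


def encode_row(row):
    """One LuCI row -> the TLV bytes (code, length, payload) placed in the options field."""
    code, *values = row.split(",")
    code = int(code)
    if code == 121:
        payload = encode_classless_routes(list(zip(values[0::2], values[1::2])))
    elif code in (3, 6, 42):
        payload = encode_address_list(values)
    else:
        # other codes are passed through as text here; real dnsmasq knows more formats
        payload = ",".join(values).encode()
    if len(payload) > 255:
        raise ValueError("option %d payload exceeds the 255-byte option limit" % code)
    return bytes([code, len(payload)]) + payload


def encode_all(rows=SAMPLE_ROWS):
    """Map each sample row to the hex of its encoded TLV."""
    return {row: encode_row(row).hex() for row in rows}
```

Two things worth knowing when pushing option 121: RFC 3442 requires a client that understands it to ignore the plain Router option (3), so a default route (0.0.0.0/0) must be listed explicitly alongside the custom route; and a single option carries at most 255 bytes of payload, which the encoder refuses to exceed rather than silently truncating.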
DNS with dnsmasq
DNSmasq on Omnia Turris
On Turris OS, the DNS function of DNSMASQ is disabled by design, the Knot resolver is used instead. Therefore, changing the settings related to the DNS service in the DHCP and DNS screen of the LuCI interface has no effect.
Please see #Knot Resolver
Please compare to
Knot resolver (i.e. kresd) - DNS advanced settings for Omnia and MOX
Investigation
When something is changed in the web frontend, it is persisted in /etc/config/dhcp. From that UCI file a fresh dnsmasq configuration is rendered to /var/etc/dnsmasq.conf.cfg*, which you may compare against
man dnsmasq
Test config
dnsmasq -C /var/etc/dnsmasq.conf.cfg* --test
Reload config
pgrep dnsmasq |xargs -n1 kill -HUP
Dump cache
pgrep dnsmasq |xargs -n1 kill -USR1
Temporarily change the configuration
Tail the log
1 tail -f /var/log/dnsmasq.log
Run dnsmasq in the foreground
Stop the foreground dnsmasq with CTRL + ALTgr + \ (sends SIGQUIT)
Strict order
DNS servers you specified in LuCI are queried in the opposite order. So if you are using --strict-order, specify your backup DNS servers first.
No SRV records
By default the option filterwin2k is activated (1).
man dnsmasq
1 -f, --filterwin2k
2 Later versions of windows make periodic DNS requests
3 which don't get sensible answers from the public DNS
4 and can cause problems by triggering dial-on-demand
5 links. This flag turns on an option to filter such
6 requests. The requests blocked are for records of
7 types SOA and SRV, and type ANY where the requested
8 name has underscores, to catch LDAP requests.
In LuCI this option is toggled under Network -> DHCP and DNS -> Advanced Settings -> "Filter useless".
/etc/config/dhcp
Remove the entire option or at least set it to "0"!
After applying the configuration, SRV records will resolve.
Local DNS resolution
To allow local DNS resolution, dnsmasq has to be configured correctly.
In my experience the following options should be set in LuCI.
- General settings
  - Domain required
    - Don't forward DNS requests without a DNS name
  - Authoritative
    - This is the only DHCP server in the local network
  - Domain = "your.domain"
    - Local domain suffix appended to DHCP names and hosts file entries
  - Local domain = "/your.domain//"
    - Mind the trailing /. An empty domain specification, //, has the special meaning of "unqualified names only", i.e. names without any dots in them.
    - "your.domain" and any query for an unqualified name will be answered by the local system
  - DNS forwardings = 195.201.246.253, 78.47.38.48
    - Choose DNS servers you really trust
  - Rebind protection
    - Discard upstream RFC1918 responses
  - Allow localhost
    - Allow upstream responses in the 127.0.0.0/8 range, e.g. for RBL services
  - Local Service Only
    - Limit DNS service to the subnets of the interfaces on which we are serving DNS
  - Non-wildcard
    - Bind dynamically to interfaces rather than to the wildcard address (recommended as Linux default)
  - Exclude interfaces = eth2
    - Prevent listening on these interfaces (WAN)
- Advanced Settings
  - Filter private
    - Do not forward reverse lookups for local networks
  - Localise queries
    - Localise hostname depending on the requesting subnet if multiple IPs are available
  - Expand hosts
    - Add local domain suffix to names served from hosts files
  - DNSSEC
  - DNSSEC check unsigned
    - Requires that upstream supports DNSSEC; verify unsigned domain responses really come from unsigned domains
  - Size of DNS query cache
    - Number of cached DNS entries (max is 10000, 0 is no caching)
    - On beefier devices this could speed up some queries
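To make the interplay of these settings concrete, here is an added example (not code from the page or from dnsmasq) that models, in Python, where a query ends up under the settings listed above and the filterwin2k flag from the "No SRV records" section: dropped by the filter, answered from local data, or forwarded upstream. It models only the forwarding decision (filterwin2k, the local domain list with its trailing //, Filter private, Domain required); the sample queries, the PAGE_CONFIG dictionary and all function names are constructions of this example.

```python
import ipaddress

# Constructed sample queries (qname, qtype) as the router's dnsmasq would see them.
SAMPLE_QUERIES = [
    ("_sip._udp.your.domain", "SRV"),
    ("_ldap._tcp.dc._msdcs.your.domain", "ANY"),
    ("your.domain", "SOA"),
    ("printer", "A"),
    ("nas.your.domain", "A"),
    ("www.example.org", "A"),
    ("42.1.168.192.in-addr.arpa", "PTR"),
]

# Assumed representation of the LuCI settings from the list above.
PAGE_CONFIG = {
    "filterwin2k": True,                   # "Filter useless" (default on)
    "bogus_priv": True,                    # "Filter private"
    "domain_needed": True,                 # "Domain required"
    "local_domains": ["your.domain", ""],  # local=/your.domain// -> two entries, "" = unqualified names
}

RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def filterwin2k_blocks(qname, qtype):
    """The filter quoted from the man page: SOA and SRV queries are dropped,
    and ANY queries whose name contains an underscore."""
    return qtype in ("SOA", "SRV") or (qtype == "ANY" and "_" in qname)


def is_private_reverse(qname):
    """True for a full reverse name (d.c.b.a.in-addr.arpa) inside RFC 1918 space,
    which 'Filter private' keeps away from upstream resolvers."""
    suffix = ".in-addr.arpa"
    if not qname.endswith(suffix):
        return False
    octets = qname[:-len(suffix)].split(".")
    if len(octets) != 4:
        return False
    try:
        addr = ipaddress.IPv4Address(".".join(reversed(octets)))
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def matches_local_domain(qname, local_domains):
    """An empty entry (from the trailing //) matches unqualified names only;
    a real entry matches the domain itself and everything below it."""
    for dom in local_domains:
        if dom == "" and "." not in qname:
            return True
        if dom and (qname == dom or qname.endswith("." + dom)):
            return True
    return False


def dispose(qname, qtype, cfg):
    """Return 'filtered', 'local' or 'forward' for one query under cfg."""
    qname = qname.rstrip(".").lower()
    if cfg["filterwin2k"] and filterwin2k_blocks(qname, qtype):
        return "filtered"
    if matches_local_domain(qname, cfg["local_domains"]):
        return "local"
    if cfg["bogus_priv"] and qtype == "PTR" and is_private_reverse(qname):
        return "local"
    if cfg["domain_needed"] and "." not in qname:
        return "local"  # never sent upstream: answered from hosts/leases or NXDOMAIN
    return "forward"


def run(cfg=PAGE_CONFIG, queries=SAMPLE_QUERIES):
    """Disposition of every sample query, keyed by 'name type'."""
    return {"%s %s" % (name, qtype): dispose(name, qtype, cfg) for name, qtype in queries}
```

Running it with the page's settings shows why the SRV lookup for a service under your.domain never reaches local data at all until filterwin2k is switched off; flipping that one key moves it from "filtered" to "local".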
Dynamic DNS
Install the luci app
The DNS client in busybox does not support TCP, therefore we can install bind-host.
You might have problems with uclient-fetch:
error: 8 is triggered when HTTP return code is different from 204 or 200.
github libkit/uclient uclient/uclient-fetch.c
To resolve this simply install curl …
# ddns-scripts configuration in
/etc/config/ddns
1 config service "ipv4ddns"
2 option enabled "1"
3 option interface "wan"
4 option use_syslog "1"
5
6 option update_url "http://[USERNAME]:[PASSWORD]@ipv4.nsupdate.rockstable.it/nic/update?hostname=[DOMAIN]&myip=[IP]"
7 option ip_source "web"
8 option ip_url "http://ipv4.nsupdate.rockstable.it/myip"
9
10 option domain "blubb.dyna.rockstable.org"
11 option username "blubb.dyna.rockstable.org"
12 option password "strong_long_pass"
13
14 # for https support, first install wget with ssl support and
15 # a current (and working) bundle of CA certificates:
16 # opkg install wget
17 # mkdir -p /etc/ssl/certs
18 # wget -P /etc/ssl/certs http://curl.haxx.se/ca/cacert.pem
19 option use_https "1"
20 option cacert "/etc/ssl/certs/cacert.pem"
21 #option cacert "/etc/ssl/certs/ca-certificates.crt"
22
Adblock
A must-have feature! But libopenssl1.1 takes some space. If you are limited on disk space, consider installing it on an extroot.
Install adblock, a tool to download the blocklists (like uclient-fetch, curl, wget, aria2) and TLS support
1 opkg install luci-app-adblock uclient-fetch libustream-openssl
This is a config that turned out to be fast
/etc/config/adblock
1 config adblock 'global'
2 option adb_dns 'dnsmasq'
3 option adb_fetchutil 'uclient-fetch'
4 option adb_trigger 'wan'
5 option adb_debug '0'
6 option adb_whitelist '/etc/adblock/adblock.whitelist'
7 option adb_whitelist_rset '\$1 ~/^([A-Za-z0-9_-]+\.){1,}[A-Za-z]+/{print tolower(\"^\"\$1\"\\\|[.]\"\$1)}'
8 option adb_backup '0'
9 option adb_backupdir '/mnt'
10 option adb_enabled '1'
11
12 config adblock 'extra'
13 option adb_debug '0'
14 option adb_nice '0'
15 option adb_whitelist '/etc/adblock/adblock.whitelist'
16 option adb_maxqueue '16'
17 option adb_forcedns '0'
18 option adb_forcesrt '1'
19
20 ### LIST SPECIFIC CONFIG OMITTED
21
You should not set adb_dnsflush = '1', it gets very slow.
Wake on LAN
Install the luci app
1 opkg install luci-app-wol
Windows shares
Install the luci app
Mount a USB stick or an mSATA drive at /srv for storage.
In most situations every Samba account needs an underlying Unix account. Authorization to access a file is stored in the filesystem, so we need to prepare the necessary system groups and users. Busybox has all the necessary tools built in.
Prepare groups and directories; access is authorized by membership in group samba
groupadd --system samba
### CREATE THE DIRECTORIES ONLY IF THEY DO NOT EXIST YET
[ -d /srv/samba ] || mkdir /srv/samba
### EXAMPLES
### DIRECTORY FOR YOUR MUSIC COLLECTION
[ -d /srv/samba/music ] || mkdir /srv/samba/music
chgrp samba /srv/samba/music
### SET SETGID BIT,
### SO EVERY DIRECTORY AND FILE THAT IS CREATED BELOW
### BELONGS TO GROUP SAMBA
### AND GROUP SAMBA IS ALWAYS ALLOWED
### TO READ AND WRITE BY THE CREATION MASK IN SAMBA
chmod 2775 /srv/samba/music

### DIRECTORY FOR TEMPORARY NETWORK STORAGE
[ -d /srv/samba/tmp ] || mkdir /srv/samba/tmp
chgrp samba /srv/samba/tmp
### LET'S SEE IF SETGID (2) AND STICKY BIT (1) WORK OUT WELL
chmod 3750 /srv/samba/tmp
Allow your printer to save scans on a network share
Normal system users are required for authorization, and a home directory may be served.
### HOME DIRECTORIES
[ -d /srv/home ] || mkdir /srv/home
[ -e /home ] || ln -s /srv/home /home
### CREATE A USER AND ITS GROUP,
### MAKE THE USER ADDITIONALLY A MEMBER OF GROUP SAMBA,
### DISALLOW A SYSTEM LOGIN AND
### CREATE ITS HOME DIRECTORY
useradd -c 'Tobias Stein,,,' -G samba -s /bin/false -m tobias
### IF YOU WANT TO REMOVE THE USER (AND ITS HOME DIRECTORY)
userdel -r tobias
Create and enable the corresponding Samba accounts
Enable service samba4
1 service samba4 enable
VPN
Wireguard
Install Wireguard
1 opkg install luci-app-wireguard qrencode
Wireguard Remote-Access VPN
It is relatively convenient to configure WireGuard via the LuCI web interface.
- Generate the key material
  - Please take a look at wireguard#Create keys
- Network -> Interfaces
  - Create a new interface wg0 of type WireGuard VPN
  - General settings
    - Enter the previously created private key
    - Set the listening port, usually udp/51820
    - Set the IP address of the interface
  - Advanced Settings
    - Usually nothing to change
  - Firewall Settings
    - Assign the firewall zone VPN (create new)
  - Peers
    - Skip this point for now and return later, when you have configured the firewall.
- Network -> Firewall
  - Allow Input, Output and Forward from firewall zone VPN
  - Allow forwarding to the desired zones like WAN, LAN and GUEST
  - Allow inbound WireGuard traffic on the interface wan, port udp/51820
- Network -> Interfaces
  - Configure the peer within the interface wg0
  - Peers
    - Press the ADD button
    - Set a description/name for the connection
    - Set the public key of the remote device
    - Set the preshared key (PSK) of the remote device
    - Set the Allowed IPs (probably the WireGuard address of the remote device)
    - Tick the checkbox "Route Allowed IPs"
    - Set the "Endpoint host" used during connection initiation
    - Set a "Persistent Keep Alive" interval when your device is behind a NAT.
- Network -> Firewall
  - "Traffic Rules"
    - Allow any additional traffic that should be routed over the WireGuard tunnel
- Status -> WireGuard Status
  - Check connectivity
You may also configure WireGuard manually on the CLI. In this case configure
/etc/config/network
1 config interface 'wg0'
2 option proto 'wireguard'
3 ### SERVER PRIVATE KEY
4 option private_key '2C/6rN9Tj5thhJZY6kkvUVyc1BQ12kOgSGEkN6757XY='
5 list addresses '10.255.255.1/24'
6 option listen_port '51820'
7
8 config wireguard_wg0
9 option description 'test'
10 ### CLIENT PUBLIC KEY
11 option public_key 'HR4MQkH/+pMVdXyvLC/iUcTgpCo674CSU+4IDAGgahs='
12 option preshared_key '4MlwfdGzVo3FfTMEERMhYxu/hzNIA3i0RXuFYkIKTZg='
13 list allowed_ips '10.255.255.254'
14 option route_allowed_ips '1'
Add this to your firewall configuration to allow unlimited VPN access. Otherwise be more specific. ;-)
/etc/config/firewall
1 config rule
2 option target 'ACCEPT'
3 option src 'wan'
4 option proto 'udp'
5 option name 'Allow-WireGuard-VPN'
6 option dest_port '51820'
7
8 config zone
9 option input 'ACCEPT'
10 option output 'ACCEPT'
11 option name 'vpn'
12 option forward 'ACCEPT'
13 option network 'wg0'
14
15 config forwarding
16 option dest 'guest'
17 option src 'vpn'
18
19 config forwarding
20 option dest 'lan'
21 option src 'vpn'
22
23 config forwarding
24 option dest 'wan'
25 option src 'vpn'
Commit the changes
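Because the interface, the peer and the firewall live in two different UCI files, it is easy to commit a listen port, a zone name or an allowed IP that does not match the other file. As an added example (not code from the page or from OpenWrt), the Python below parses copies of the two fragments above and cross-checks them: the peer's allowed_ips must lie inside the tunnel subnet, the firewall must ACCEPT udp traffic to the listen port on wan, and a zone must contain wg0. It also lists the zones the vpn zone may forward into, which makes the "unlimited access" of the forwardings above visible. The key material is replaced by placeholders; the parser and all names are this example's own.

```python
import ipaddress
import shlex

# Constructed copies of the two UCI fragments from this section; the key
# material is replaced by placeholders, everything else is as on the page.
NETWORK_CONF = """
config interface 'wg0'
    option proto 'wireguard'
    option private_key 'SERVER_PRIVATE_KEY_PLACEHOLDER'
    list addresses '10.255.255.1/24'
    option listen_port '51820'

config wireguard_wg0
    option description 'test'
    option public_key 'CLIENT_PUBLIC_KEY_PLACEHOLDER'
    option preshared_key 'PSK_PLACEHOLDER'
    list allowed_ips '10.255.255.254'
    option route_allowed_ips '1'
"""

FIREWALL_CONF = """
config rule
    option target 'ACCEPT'
    option src 'wan'
    option proto 'udp'
    option name 'Allow-WireGuard-VPN'
    option dest_port '51820'

config zone
    option input 'ACCEPT'
    option output 'ACCEPT'
    option name 'vpn'
    option forward 'ACCEPT'
    option network 'wg0'

config forwarding
    option dest 'guest'
    option src 'vpn'

config forwarding
    option dest 'lan'
    option src 'vpn'

config forwarding
    option dest 'wan'
    option src 'vpn'
"""


def parse_uci(text):
    """Minimal parser for UCI 'config/option/list' syntax into a list of sections."""
    sections = []
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)  # handles the quoting, drops # comments
        if not words:
            continue
        if words[0] == "config":
            sections.append({"type": words[1],
                             "name": words[2] if len(words) > 2 else None,
                             "options": {}, "lists": {}})
        elif words[0] == "option" and sections:
            sections[-1]["options"][words[1]] = words[2]
        elif words[0] == "list" and sections:
            sections[-1]["lists"].setdefault(words[1], []).append(words[2])
        else:
            raise ValueError("unexpected UCI line: %r" % raw)
    return sections


def zone_networks(zone):
    """UCI accepts 'option network' as well as 'list network' for zone membership."""
    nets = list(zone["lists"].get("network", []))
    if "network" in zone["options"]:
        nets.append(zone["options"]["network"])
    return nets


def reachable_zones(firewall_conf, zone_name):
    """Destination zones the given zone may forward into."""
    return sorted(s["options"]["dest"] for s in parse_uci(firewall_conf)
                  if s["type"] == "forwarding" and s["options"].get("src") == zone_name)


def check_wireguard(network_conf, firewall_conf, ifname="wg0"):
    """Cross-check interface, peers and firewall; an empty list means they agree."""
    net, fw = parse_uci(network_conf), parse_uci(firewall_conf)
    findings = []
    iface = next((s for s in net if s["type"] == "interface" and s["name"] == ifname), None)
    if iface is None or iface["options"].get("proto") != "wireguard":
        return ["no interface %s with proto wireguard" % ifname]
    port = iface["options"].get("listen_port")
    tunnel = [ipaddress.ip_interface(a).network for a in iface["lists"].get("addresses", [])]
    for peer in (s for s in net if s["type"] == "wireguard_" + ifname):
        label = peer["options"].get("description", "<unnamed>")
        if not peer["options"].get("public_key"):
            findings.append("peer %s: missing public_key" % label)
        for a in peer["lists"].get("allowed_ips", []):
            n = ipaddress.ip_network(a, strict=False)
            if not any(n.version == t.version and n.subnet_of(t) for t in tunnel):
                findings.append("peer %s: allowed_ips %s outside the tunnel subnet" % (label, a))
    rules = [s["options"] for s in fw if s["type"] == "rule"]
    if not any(r.get("src") == "wan" and r.get("proto") == "udp" and r.get("dest_port") == port
               and r.get("target") == "ACCEPT" for r in rules):
        findings.append("no ACCEPT rule on wan for udp/%s" % port)
    if not any(s["type"] == "zone" and ifname in zone_networks(s) for s in fw):
        findings.append("interface %s is not covered by any firewall zone" % ifname)
    return findings
```

The allowed_ips check encodes the remote-access case, where a peer's allowed IPs are its own tunnel address; for the site-to-site setup described below, where remote LANs are deliberately added, that check would need the remote networks as extra accepted ranges.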
Wireguard site-to-site
Very similar to the remote access VPN.
- Allowed IPs:
  - You probably want to add some networks that differ from the WireGuard address of the remote device
- Firewalling
  - You'll need to specify a much more sophisticated set of rules.
It's always the best idea to route the networks without NAT. For this to work the networks must not overlap. Networks must be planned and reorganized carefully, which is not that easy with a growing number of networks.
- This approach has the advantage that remote DNS information can also be used (e.g. by DNS forwarding/delegation/replication/…).
When straight routing is not possible, NAT comes to the rescue.
- The OpenWRT web interface only supports Source NAT (SNAT) and its special case, masquerading.
  Please compare to networking#NAT
- Furthermore, no IP address ranges can be specified. SNAT scrambles IPs based on round-robin, which is not really what we need or want.
- It is a better idea to use an iptables TARGET module called NETMAP. This neat little iptables module maps a subnet onto another subnet. Please see man -P "less -p 'NETMAP'" iptables-extensions
Please test the rules in live mode (without persistence) to avoid locking yourself out.
Install the netmap packages
1 opkg install iptables-mod-nat-extra kmod-ipt-nat-extra
Add the NETMAP rules
Validate existence of the rules
Test connectivity
Persist the rules in Network > Firewall > Custom Rules, which is equal to
/etc/firewall.user
1 # This file is interpreted as shell script.
2 # Put your custom iptables rules here, they will
3 # be executed with each firewall (re-)start.
4
5 # Internal uci firewall chains are flushed and recreated on reload, so
6 # put custom rules into the root chains e.g. INPUT or FORWARD or into the
7 # special user chains, e.g. input_wan_rule or postrouting_lan_rule.
8 iptables -t nat -A zone_vpn_postrouting -s 192.168.1.0/24 -d 192.168.182.0/24 -j NETMAP --to 192.168.191.0/24
9 iptables -t nat -A zone_vpn_prerouting -s 192.168.182.0/24 -d 192.168.191.0/24 -j NETMAP --to 192.168.1.0/24
Test this by reloading the firewall
/etc/init.d/firewall restart
Reboot the system
reboot
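What the two NETMAP rules in /etc/firewall.user actually do to a packet is easier to see in code than in the man page. The Python below is an added example (not code from the page, iptables or OpenWrt) that implements the NETMAP translation, keeping the host bits and swapping the network bits, and walks a packet and its reply through the two rules above as data: in POSTROUTING NETMAP rewrites the source, in PREROUTING the destination. The rule table, packet addresses and function names are constructions of this example.

```python
import ipaddress

# The two NETMAP rules from /etc/firewall.user above, as data:
# (chain, match source, match destination, --to prefix)
PAGE_RULES = [
    ("postrouting", "192.168.1.0/24", "192.168.182.0/24", "192.168.191.0/24"),
    ("prerouting", "192.168.182.0/24", "192.168.191.0/24", "192.168.1.0/24"),
]


def netmap(addr, prefix_from, prefix_to):
    """Stateless 1:1 NETMAP: keep the host bits of addr, replace the network bits.
    Both prefixes must be the same length and addr must lie inside prefix_from."""
    a = ipaddress.IPv4Address(addr)
    src = ipaddress.IPv4Network(prefix_from)
    dst = ipaddress.IPv4Network(prefix_to)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NETMAP requires equal prefix lengths")
    if a not in src:
        raise ValueError("%s is not inside %s" % (addr, prefix_from))
    host_bits = int(a) & int(src.hostmask)
    return str(ipaddress.IPv4Address(int(dst.network_address) | host_bits))


def apply_chain(chain, src, dst, rules=PAGE_RULES):
    """Walk the nat table for one packet. In POSTROUTING NETMAP rewrites the
    source address, in PREROUTING (and OUTPUT) the destination address.
    The first matching rule wins, as in iptables; no match leaves the packet untouched."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for rchain, match_src, match_dst, to in rules:
        if rchain != chain:
            continue
        if s in ipaddress.IPv4Network(match_src) and d in ipaddress.IPv4Network(match_dst):
            if chain == "postrouting":
                return netmap(src, match_src, to), dst
            return src, netmap(dst, match_dst, to)
    return src, dst


def round_trip(local_host, remote_host, rules=PAGE_RULES):
    """An outbound packet and the remote side's reply, before and after translation."""
    out_src, out_dst = apply_chain("postrouting", local_host, remote_host, rules)
    # the remote site answers to the translated address it saw
    back_src, back_dst = apply_chain("prerouting", remote_host, out_src, rules)
    return {"seen_by_remote": (out_src, out_dst),
            "reply_delivered_to": (back_src, back_dst)}
```

The point of NETMAP over SNAT with a range is visible in netmap(): every host of 192.168.1.0/24 gets the same, predictable counterpart in 192.168.191.0/24 in both directions, so the remote site can address individual machines and no per-connection state decides which address a host appears under.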
Samba on the wireguard interface
To allow Samba to listen on the WireGuard interface wg0, reconfigure the template under Services > Network Shares > Edit template
/etc/samba/smb.conf.template
and restart the service manually.
OpenVPN
https://openwrt.org/docs/guide-user/services/vpn/openvpn/server
Forget about OpenVPN on a device with 2.7MiB storage. The libraries take up some space.
Be sure to understand the shell scripts, they build on each other.
Install OpenVPN
Prepare shell environment
Populate shell variables
/etc/openvpn/openvpn_defaults.sh
1 # Configuration parameters
2 OVPN_DIR="/etc/openvpn"
3 OVPN_PKI="/etc/easy-rsa/pki"
4 OVPN_PORT="1194"
5 OVPN_PROTO="udp"
6 OVPN_POOL="192.168.100.0 255.255.255.0"
7 OVPN_DNS="${OVPN_POOL%.* *}.1"
8 OVPN_DOMAIN="$(uci get dhcp.@dnsmasq[0].domain)"
9 OVPN_SERV_MANUAL="false"
10 #OVPN_SERV_MANUAL="IP.ADD.RE.SS"
11
12 # Fetch WAN IP address
13 . /lib/functions/network.sh
14 network_flush_cache
15 network_find_wan NET_IF
16 network_get_ipaddr NET_ADDR "${NET_IF}"
17 OVPN_SERV="${NET_ADDR}"
18
19 # Fetch FQDN from DDNS client
20 NET_FQDN="$(uci -q get ddns.@service[0].lookup_host)"
21 if [ -n "${NET_FQDN}" ]
22 then OVPN_SERV="${NET_FQDN}"
23 fi
24
25 # Override server address manually
26 if [ "${OVPN_SERV_MANUAL}" != "false" ] \
27 && [ -n "${OVPN_SERV_MANUAL}" ]
28 then OVPN_SERV="${OVPN_SERV_MANUAL}"
29 fi
Initialize EasyRSA-PKI
/sbin/openvpn_pki.sh
#!/bin/sh
# Pull in OVPN_DIR, OVPN_PKI, ... from the defaults file above
. /etc/openvpn/openvpn_defaults.sh

# Configuration parameters
export EASYRSA_PKI="${OVPN_PKI}"
export EASYRSA_REQ_CN="ovpnca"
export EASYRSA_BATCH="1"

# Remove and re-initialize PKI directory
easyrsa init-pki

# Generate DH parameters
easyrsa gen-dh

# Create a new CA
easyrsa build-ca nopass

# Generate server keys and certificate
easyrsa build-server-full server nopass
openvpn --genkey tls-crypt-v2-server "${EASYRSA_PKI}/private/server.pem"

# Create OVPN_DIR, readable by root only
if [ ! -d "$OVPN_DIR" ]; then
  UMASK_OLD="$(umask)"
  umask go=
  mkdir "$OVPN_DIR"
  umask "$UMASK_OLD"
fi

# Generate ta.key, readable by root only
if [ ! -f "$OVPN_DIR/ta.key" ]; then
  UMASK_OLD="$(umask)"
  umask go=
  openvpn --genkey --secret "$OVPN_DIR/ta.key"
  umask "$UMASK_OLD"
fi
# Generate client keys and certificate
Configure firewall
1 uci rename firewall.@zone[0]="lan"
2 uci rename firewall.@zone[1]="wan"
3 uci del_list firewall.lan.device="tun+"
4 uci add_list firewall.lan.device="tun+"
5 uci -q delete firewall.ovpn
6 uci set firewall.ovpn="rule"
7 uci set firewall.ovpn.name="Allow-OpenVPN"
8 uci set firewall.ovpn.src="wan"
9 uci set firewall.ovpn.dest_port="${OVPN_PORT}"
10 uci set firewall.ovpn.proto="${OVPN_PROTO}"
11 uci set firewall.ovpn.target="ACCEPT"
12 uci commit firewall
13 /etc/init.d/firewall restart
Configure VPN service and generate client profiles
/sbin/openvpn_configure
#!/bin/sh
# Pull in OVPN_DIR, OVPN_PKI, OVPN_PORT, ... from the defaults file above
. /etc/openvpn/openvpn_defaults.sh
# The generated files contain private keys: create them readable by root only
umask go=
OVPN_DH="$(cat "${OVPN_PKI}/dh.pem")"
OVPN_CA="$(openssl x509 -in "${OVPN_PKI}/ca.crt")"
# One file per issued certificate; its purpose (server or client) decides
# whether a server config (.conf) or a client profile (.ovpn) is written
ls "${OVPN_PKI}/issued" \
| sed -e "s/\.\w*$//" \
| while read -r OVPN_ID
do
OVPN_TC="$(cat "${OVPN_PKI}/private/${OVPN_ID}.pem")"
OVPN_KEY="$(cat "${OVPN_PKI}/private/${OVPN_ID}.key")"
OVPN_CERT="$(openssl x509 -in "${OVPN_PKI}/issued/${OVPN_ID}.crt")"
OVPN_EKU="$(echo "${OVPN_CERT}" | openssl x509 -noout -purpose)"
case ${OVPN_EKU} in
(*"SSL server : Yes"*)
OVPN_CONF="${OVPN_DIR}/${OVPN_ID}.conf"
# ';;' closes the case branch; the here-document body is still read from the following lines
cat << EOF > "${OVPN_CONF}" ;;
user nobody
group nogroup
dev tun
port ${OVPN_PORT}
proto ${OVPN_PROTO}
server ${OVPN_POOL}
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS ${OVPN_DNS}"
push "dhcp-option DOMAIN ${OVPN_DOMAIN}"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
${OVPN_DH}
</dh>
EOF
(*"SSL client : Yes"*)
OVPN_CONF="${OVPN_DIR}/${OVPN_ID}.ovpn"
cat << EOF > "${OVPN_CONF}" ;;
user nobody
group nogroup
dev tun
nobind
client
remote ${OVPN_SERV} ${OVPN_PORT} ${OVPN_PROTO}
auth-nocache
remote-cert-tls server
EOF
esac
# Key material shared by server config and client profiles, appended to whichever was written
cat << EOF >> "${OVPN_CONF}"
<tls-crypt-v2>
${OVPN_TC}
</tls-crypt-v2>
<key>
${OVPN_KEY}
</key>
<cert>
${OVPN_CERT}
</cert>
<ca>
${OVPN_CA}
</ca>
EOF
done
/etc/init.d/openvpn restart
ls "${OVPN_DIR}"/*.ovpn
UPnP
Install miniupnpc (client) on your pc
Install luci-app-upnp which depends on miniupnpd
1 opkg install luci-app-upnp
Enable UPnP IGD and NAT-PMP on the router via the web interface and query the status again
1 % upnpc -s
2 upnpc : miniupnpc library test client, version 2.1.
3 (c) 2005-2018 Thomas Bernard.
4 Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
5 for more information.
6 List of UPNP devices found on the network :
7 desc: http://192.168.182.1:5000/rootDesc.xml
8 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
9
10 desc: http://[fd93:56fb:daf7::1]:5000/rootDesc.xml
11 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
12
13 Found valid IGD : http://192.168.179.1:5000/ctl/IPConn
14 Local LAN ip address : fd93:2709:de35:0:fc16:acff:fe54:157e
15 Connection Type : IP_Routed
16 Status : Connected, uptime=451723s, LastConnectionError : ERROR_NONE
17 Time started : Fri Apr 3 08:07:49 2020
18 MaxBitRateDown : 33554432 bps (33.5 Mbps) MaxBitRateUp 4194304 bps (4.1 Mbps)
19 ExternalIPAddress = ww.xx.yy.zz
20 Bytes: Sent: 2283027815 Recv: 2695217145
21 Packets: Sent: 12678549 Recv: 80009359
Get external IP-address via UPNP IGD
1 /usr/bin/external-ip
Software Flow Offloading
You can find this option in:
Network -> Firewall -> General Settings -> Software Flow offloading
On a TP-Link Archer C7 this improves NAT/routing throughput significantly, by a factor of about 3 (from 190 Mbit/s to ~630 Mbit/s).
SQM (Smart Queue Management)
OpenWrt has a package for controlling Bufferbloat - the undesirable latency that arises when the router buffers too much data. OpenWrt calls this Smart Queue Management (SQM), although it's sometimes called active queue management (AQM).
Bufferbloat is most evident when the link is heavily loaded. It causes bad performance for voice and video chat, online games to lag, and generally makes people say, “The Internet is not responsive today.”
The “luci-app-sqm” package solves the problem of Bufferbloat. After installation and configuration, you'll have a much more responsive network connection under load.
This option may not work properly in conjunction with
#Software Flow Offloading
Install
opkg install luci-app-sqm
Configure SQM using Luci:
Network -> SQM QoS
And follow the guide from above.
Trouble Shooting
Slow Routing/NAT throughput
Please see:
#Software Flow Offloading
Wrong Link Speed
I had a problem with the link speed between the DOCSIS modem in front and an OpenWRT router. OpenWRT displayed only 10Base-T (10 Mbit/s).
It turns out that (against my expectations/assumptions) OpenWRT did not support Auto MDI-X (Wikipedia EN: Medium Dependent Interface).
# ethtool eth0
Settings for eth0:
	Supported ports: [ ]
	Supported link modes:   1000baseT/Full
	Supported pause frame use: No
	Supports auto-negotiation: No
	Supported FEC modes: Not reported
	Advertised link modes:  1000baseT/Full
	Advertised pause frame use: No
	Advertised auto-negotiation: No
	Advertised FEC modes: Not reported
	Speed: 1000Mb/s
	Duplex: Full
	Port: MII
	PHYAD: 0
	Transceiver: external
	Auto-negotiation: on
	Current message level: 0x000000ff (255)
			       drv probe link timer ifdown ifup rx_err tx_err
	Link detected: yes
So all you need to change to achieve the intended link speed is to use
- a cross-over cable, or
- even simpler, a cross-over adapter (e.g. from Amazon), which swaps some pins of any RJ-45 plug.
DSL
Omit an option to let it be configured automatically (its default value applies).
/etc/config/network
config interface 'wan'
	option proto 'pppoe'            ### POINT-TO-POINT OVER ETHERNET
	option device 'dsl0.7'          ### VLAN 7 ON DEVICE dsl0
	option username 'username'      ### PAP/CHAP USERNAME
	option password 'password'      ### PAP/CHAP PASSWORD
	option ipv6 'auto'
	### BRING UP ON BOOT (ALTERNATIVE VALUES ARE COMMENTED OUT; UCI KEEPS ONLY THE LAST OCCURRENCE)
	option auto '1'                 ### DEFAULT - BRING UP
	#option auto '0'
	### ACCESS CONCENTRATOR
	#option ac 'STRING'
	### SERVICE NAME
	#option service 'STRING'
	### USE DEFAULT GATEWAY
	option defaultroute '1'         ### DEFAULT - INSTALL ROUTE
	#option defaultroute '0'
	### OVERRIDE MTU
	option mtu '1492'               ### DEFAULT 1500 BYTE
	### USE DNS SERVERS ADVERTISED BY PEER
	option peerdns '1'              ### DEFAULT - USE DNS SERVERS
	#option peerdns '0'
	### USE CUSTOM DNS SERVERS (QUAD9) - ONLY USED WITH peerdns '0'
	list dns '9.9.9.9'
	list dns '149.112.112.112'
	#…TONS OF OTHER OPTIONS

config interface 'wan6'
	option device '@wan'
	option proto 'dhcpv6'
Please make sure your modem supports the requirements of the ISP, such as protocol and annex.
/etc/config/network
### REFERENCE LIST: KEEP EXACTLY ONE VALUE PER OPTION, THE ONE MATCHING YOUR ISP
config dsl 'dsl'
	### ANNEX
	option annex 'a'        ### ANNEX A + L + M (all)
	option annex 'b'        ### ANNEX B (all)
	option annex 'j'        ### ANNEX J (all) GERMAN TELEKOM
	option annex 'm'        ### ANNEX M (all)
	option annex 'bdmt'     ### ANNEX B G.992.1
	option annex 'b2'       ### ANNEX B G.992.3
	option annex 'b2p'      ### ANNEX B G.992.5
	option annex 'at1'      ### ANSI T1.413
	option annex 'admt'     ### ANNEX A G.992.1
	option annex 'alite'    ### ANNEX A G.992.2
	option annex 'a2'       ### ANNEX A G.992.3
	option annex 'a2p'      ### ANNEX A G.992.5
	option annex 'l'        ### ANNEX L G.992.3 POTS 1
	option annex 'm2'       ### ANNEX M G.992.3
	option annex 'm2p'      ### ANNEX M G.992.5
	### TONE
	option tone 'a'         ### A43C + J43 + A43
	option tone 'av'        ### A43C + J43 + A43 + V43
	option tone 'b'         ### B43 + B43C
	option tone 'bv'        ### B43 + B43C + V43
	### ENCAPSULATION MODE
	option xfer_mode 'ptm'
	option xfer_mode 'atm'
	### DSL LINE MODE
	option line_mode 'vdsl'
	option line_mode 'adsl'
	### DOWNSTREAM SNR (SIGNAL TO NOISE) OFFSET
	option ds_snr_offset '-100'     ### -10.0dB
	option ds_snr_offset '0'        ### 0.0dB
	option ds_snr_offset '100'      ### +10.0dB
	### FIRMWARE FILE
	#option firmware '/lib/firmware/vr9-B-dsl.bin'

/etc/config/network
### WITH ATM (ASYNCHRONOUS TRANSFER MODE) ENCAPSULATION
### REFERENCE LIST: KEEP EXACTLY ONE VALUE PER OPTION
config atm-bridge 'atm'
	### ATM VIRTUAL PATH IDENTIFIER (VPI)
	option vpi '1'
	### ATM VIRTUAL CHANNEL IDENTIFIER (VCI)
	option vci '32'
	### ENCAPSULATION MODE
	option encaps 'llc'
	option encaps 'vc'              ### VC-mux
	### FORWARDING MODE
	option payload 'bridged'
	option payload 'routed'
	### DEVICE NAME PREFIX ???
	option nameprefix 'dsl'
	### ATM DEVICE NUMBER
	option atmdev '12345'
	### BRIDGE UNIT NUMBER
	option unit '12345'
AAL stands for ATM Adaptation Layer.
/etc/init.d/dsl_control
Syntax: /etc/init.d/dsl_control [command]

Available commands:
	start           Start the service
	stop            Stop the service
	restart         Restart the service
	reload          Reload configuration files (or restart if service does not implement reload)
	enable          Enable service autostart
	disable         Disable service autostart
	enabled         Check if service is started on boot
	dslstat         Get DSL status information
	running         Check if service is running
	status          Service status
	trace           Start with syscall trace
Get the current DSL state
Example output with no cable connected:
{
  "api_version": "4.17.18.6",
  "firmware_version": "5.8.1.8.1.6",
  "chipset": "Lantiq-VRX200",
  "driver_version": "1.5.17.6",
  "state": "Silent",
  "state_num": 3,
  "up": false,
  "uptime": 0,
  "atu_c": {
  },
  "power_state": "L3 - No power",
  "power_state_num": 3,
  "upstream": {
  },
  "downstream": {
  },
  "errors": {
    "near": {
      "es": 0,
      "ses": 0,
      "loss": 0,
      "uas": 55793624,
      "lofs": 0,
      "fecs": 0,
      "hec": 0,
      "ibe": 0,
      "crc_p": 0,
      "crcp_p": 0,
      "cv_p": 0,
      "cvp_p": 0
    },
    "far": {
      "es": 0,
      "ses": 0,
      "loss": 0,
      "uas": 55793623,
      "lofs": 0,
      "fecs": 0,
      "hec": 0,
      "ibe": 0,
      "crc_p": 0,
      "crcp_p": 0,
      "cv_p": 0,
      "cvp_p": 0
    }
  }
}
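The JSON above is more useful compared over time than read once: a line that drops sync or accumulates errored seconds shows up as a change between two snapshots. The script below is an added example, not part of the page, that reads the structure shown above ("state", "up", "uptime" and the ITU-T G.997.1 counters under "errors"/"near" and "errors"/"far") and compares two snapshots. The page does not name the command that produced the JSON; feeding the script from `ubus call dsl metrics` is an assumption of this example, as are the two "line up" snapshots, which are constructed.

```python
"""Health check over two snapshots of the DSL state JSON shown above.

Added example, not part of the page. Saves a cron job from staring at
raw counters: it reports a line that is down, a resync (uptime counter
restarted) and any watched error counter that grew between snapshots.
Feeding it from `ubus call dsl metrics` is an assumption, not something
the page states.
"""
import json

# Counters that should stay flat on a healthy line. uas is left out on
# purpose: while the line is down it just counts seconds without sync,
# which is the ~55.8 million you see in the output above.
WATCHED = ("es", "ses", "loss", "lofs", "fecs", "hec", "crc_p")

# Constructed sample 1: abridged copy of the "no cable connected" output above.
DOWN = json.loads("""{
  "state": "Silent", "state_num": 3, "up": false, "uptime": 0,
  "power_state": "L3 - No power",
  "errors": {"near": {"es": 0, "ses": 0, "uas": 55793624, "crc_p": 0},
             "far":  {"es": 0, "ses": 0, "uas": 55793623, "crc_p": 0}}}""")

# Constructed samples 2 and 3: a synced line ten minutes apart, with the
# far end accumulating errored seconds and CRC errors in between.
UP_T0 = {"state": "Showtime with TC-Layer sync", "up": True, "uptime": 3600,
         "errors": {"near": {"es": 2, "ses": 0, "uas": 0, "crc_p": 17},
                    "far":  {"es": 5, "ses": 1, "uas": 0, "crc_p": 40}}}
UP_T1 = {"state": "Showtime with TC-Layer sync", "up": True, "uptime": 4200,
         "errors": {"near": {"es": 2, "ses": 0, "uas": 0, "crc_p": 17},
                    "far":  {"es": 31, "ses": 4, "uas": 0, "crc_p": 120}}}


def counter_deltas(prev, cur):
    """Growth of each watched counter, per line end, between two snapshots."""
    deltas = {}
    for side in ("near", "far"):
        p = prev.get("errors", {}).get(side, {})
        c = cur.get("errors", {}).get(side, {})
        deltas[side] = {k: int(c[k]) - int(p.get(k, 0)) for k in WATCHED if k in c}
    return deltas


def assess(prev, cur):
    """Return a list of findings; an empty list means nothing changed for the worse."""
    findings = []
    if not cur.get("up"):
        findings.append(f"line down: state={cur.get('state')}")
        return findings
    if int(cur.get("uptime", 0)) < int(prev.get("uptime", 0)):
        findings.append("resync: uptime counter restarted")
    for side, d in counter_deltas(prev, cur).items():
        grown = {k: v for k, v in d.items() if v > 0}
        if grown:
            findings.append(f"{side} end errors grew: {grown}")
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python3 dslcheck.py prev.json cur.json  (two saved snapshots, oldest first)
    prev, cur = (json.load(open(p)) for p in sys.argv[1:3])
    for line in assess(prev, cur) or ["ok"]:
        print(line)
```

Run it from cron against the previous and the current snapshot; a non-empty result is what to alert on, and a growing far-end ses count is the usual first sign of the wiring problems the DSL optimization section below talks about.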
DSL optimization
- Make sure not to run your DSL wire in parallel to power wires that are used with PowerLine adapters. The 35 MHz band disturbs the DSL connection and therefore lowers your uplink speed. There might be an option in your PowerLine adapter to not use this band, to reduce the interference with DSL.
- You may access the DSL wires directly, bypassing the TAE plug, by soldering a (foil-shielded) cable with a suitable jack (like RJ-45) directly to the wires, and by this means reduce or nearly eliminate the attenuation and reflection when crossing the socket.
DOCSIS 3.1
Technicolor TC4400-EU
Available for end customers.
Vodafone Station
Either you are satisfied with
- using the Vodafone Station as your gateway
  - very basic and limited feature set
  - WiFi has to be bought
  - no control
  - …
- OR decide to use your own router.
Normal Mode
- The Vodafone Station (VS) is assigned the public IPv4/6 addresses and performs NAT.
- The WAN interface of your own router will only receive a private IPv4 address from the VS.
- Double NAT
  - Port forwards?
  - NAT?
  - Firewall rules?
Bridge Mode
Status
Everything works flawlessly.
No limitations are known so far.
The device is assigned an IPv4 and an IPv6 address.
Preparations
Check and make sure that
- a current backup of the router configuration exists
- an alternative internet access (e.g. via LTE) works, so that the change can be reverted again
- the WAN(6) interface is configured for DHCP(6), so that the router behind the modem obtains an IP address immediately after the modem has booted
- the internal router is cabled to any LAN port.
Activation
Takes a few minutes (t<30min).
- Private customers
> MeinKabel > Einstellungen > Interneteinstellungen > Bridge Mode einstellen
https://kabel.vodafone.de/meinkabel/einstellungen/interneteinstellungen/bridgemode
First, some tips have to be viewed.
- To make the changed setting effective, the cable modem is restarted automatically. The internet connection is interrupted for a few minutes while this happens.
- If the setting is changed from your Vodafone internet connection, no confirmation page is shown. To check the current setting, please open this page again.
Bridge mode:
On <-> Off
Attention!
If you enable bridge mode, NAT, firewall, routing and WLAN are disabled at the same time. These functions are no longer visible in the web interface.
In bridge mode you can only operate one device. This device can be connected to any LAN port.
The WLAN option remains part of the contract. If you want to drop the WLAN option, it has to be cancelled in writing with customer service.
Omnia Turris
About
Devices
Device | Function    | Description
eth0   | LAN PHY 1   | LAN switch ports 0,1
eth1   | LAN PHY 2   | LAN switch ports 2,3
eth2   | WAN PHY/SFP | WAN port (RJ-45/SFP) and LAN switch port 4
Change WAN interface from RJ-45 to SFP
Exchange the ARM flattened devicetree blob (dtb) to make the SFP the WAN interface.
cd /boot
ln -sf armada-385-turris-omnia-sfp.dtb dtb
ll /boot
drwxr-xr-x 1 root root     158 Sep  9 13:03 ./
drwxr-xr-x 1 root root     142 Sep  9 11:45 ../
-rw-r--r-- 1 root root   18834 Aug 26 01:49 armada-385-turris-omnia-phy.dtb
-rw-r--r-- 1 root root   18870 Aug 26 01:49 armada-385-turris-omnia-sfp.dtb
-rw-r--r-- 1 root root    1199 Aug 26 01:49 boot.scr
lrwxrwxrwx 1 root root      31 Sep  9 13:03 dtb -> armada-385-turris-omnia-sfp.dtb
-rwxr-xr-x 1 root root 3359368 Aug 26 01:49 zImage*
Possible SFPs
ALLNET ALL4781-VDSL2-SFP / Switch Modul (Mini-GBIC), VDSL2 Telco
- ONLY VDSL2, not downwards compatible to ADSLx
- ITU-T G.993.2 - Very high speed digital subscriber line transceivers 2 (VDSL2)
- ITU-T G.inp (G.998.4) - Improved impulse noise protection for digital subscriber line (DSL) transceivers
- ITU-T G.vector (G.993.5) - Self-FEXT cancellation (vectoring) for use with VDSL2 transceivers
- ITU-T G.994.1 - Handshake procedures for digital subscriber line transceivers
- Negotiation procedures used in ADSL, ADSL2, G.fast, SHDSL, VDSL, VDSL2
- ITU-T G.997.1 - Physical layer management for digital subscriber line transceivers
- Downstream Power Back-Off (DPBO)
Flexoptix has a site for the Omnia Turris
Turris Omnia compatible Universal Transceiver
ALLNET ALL4781-VDSL2-SFP
Status
Works on VDSL2!
About ALLNET ALL4781-VDSL2-SFP
LED    | Interval     | Status
green  | blinking     | xDSL synchronizing
green  | continuously | xDSL in sync
green  | off          | no xDSL
yellow | continuously | SFP power
yellow | off          | SFP without power
Logs without a cable attached
logread |grep sfp
Oct 12 17:55:14 antares kernel: [   10.711350] sfp sfp: module ALLNET           ALL4781          rev V3.4 sn 0000000FC91BA95D dc 16-04-21
Oct 12 17:55:14 antares kernel: [   10.720684] sfp sfp: unknown connector, encoding 8b10b, nominal bitrate 1.3Gbps +0% -0%
Oct 12 17:55:14 antares kernel: [   10.728961] sfp sfp:   1000BaseSX+ 1000BaseLX- 1000BaseCX- 1000BaseT- 100BaseTLX- 1000BaseFX- BaseBX10- BasePX-
Oct 12 17:55:14 antares kernel: [   10.739078] sfp sfp:   10GBaseSR- 10GBaseLR- 10GBaseLRM- 10GBaseER-
Oct 12 17:55:14 antares kernel: [   10.745361] sfp sfp:   Wavelength 0nm, fiber lengths:
Oct 12 17:55:14 antares kernel: [   10.750423] sfp sfp:     9µm SM    : unsupported
Oct 12 17:55:14 antares kernel: [   10.755139] sfp sfp:  62.5µm MM OM1: unsupported/unspecified
Oct 12 17:55:14 antares kernel: [   10.760897] sfp sfp:    50µm MM OM2: unsupported/unspecified
Oct 12 17:55:14 antares kernel: [   10.766657] sfp sfp:    50µm MM OM3: unsupported/unspecified
Oct 12 17:55:14 antares kernel: [   10.772419] sfp sfp:    50µm MM OM4: 2.540km
Oct 12 17:55:14 antares kernel: [   10.776785] sfp sfp:   Options: retimer
Oct 12 17:55:14 antares kernel: [   10.780628] sfp sfp:   Diagnostics:
Oct 12 17:55:14 antares kernel: [   16.741379] sfp sfp: module transmit fault indicated
Oct 12 17:55:14 antares kernel: [   19.431401] sfp sfp: module transmit fault recovered
Oct 12 17:55:14 antares kernel: [   19.801394] sfp sfp: module transmit fault indicated
Oct 12 17:55:14 antares kernel: [   22.541597] sfp sfp: module persistently indicates fault, disabling
Gets really hot! T>60°C
Device info with working DSL
root@turris:~# ethtool eth2
Settings for eth2:
	Supported ports: [ TP ]
	Supported link modes:   1000baseX/Full
	Supported pause frame use: Symmetric
	Supports auto-negotiation: Yes
	Supported FEC modes: Not reported
	Advertised link modes:  1000baseX/Full
	Advertised pause frame use: Symmetric
	Advertised auto-negotiation: Yes
	Advertised FEC modes: Not reported
	Speed: 1000Mb/s
	Duplex: Full
	Port: Twisted Pair
	PHYAD: 0
	Transceiver: internal
	Auto-negotiation: on
	MDI-X: Unknown
	Supports Wake-on: d
	Wake-on: d
	Link detected: yes
root@turris:~# ethtool -m eth2
	Identifier                                : 0x03 (SFP)
	Extended identifier                       : 0x04 (GBIC/SFP defined by 2-wire interface ID)
	Connector                                 : 0x22 (RJ45)
	Transceiver codes                         : 0x00 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x00
	Transceiver type                          : Ethernet: 1000BASE-SX
	Encoding                                  : 0x01 (8B/10B)
	BR, Nominal                               : 1300MBd
	Rate identifier                           : 0x00 (unspecified)
	Length (SMF,km)                           : 0km
	Length (SMF)                              : 0m
	Length (50um)                             : 0m
	Length (62.5um)                           : 0m
	Length (Copper)                           : 255m
	Length (OM3)                              : 0m
	Laser wavelength                          : 0nm
	Vendor name                               : ALLNET
	Vendor OUI                                : 00:0f:c9
	Vendor PN                                 : ALL4781
	Vendor rev                                : V3.4
	Option values                             : 0x08 0x00
	Option                                    : Retimer or CDR implemented
	BR margin, max                            : 0%
	BR margin, min                            : 0%
	Vendor SN                                 : 0000000FC91BA95D
	Date code                                 : 210416__
root@turris:~# ethtool -m eth2 raw on |hexdump -C
00000000  03 04 22 00 00 00 01 00  00 00 00 01 0d 00 00 00  |..".............|
00000010  00 00 ff 00 41 4c 4c 4e  45 54 20 20 20 20 20 20  |....ALLNET      |
00000020  20 20 20 20 00 00 0f c9  41 4c 4c 34 37 38 31 20  |    ....ALL4781 |
00000030  20 20 20 20 20 20 20 20  56 33 2e 34 00 00 00 c7  |        V3.4....|
00000040  08 00 00 00 30 30 30 30  30 30 30 46 43 39 31 42  |....0000000FC91B|
00000050  41 39 35 44 32 31 30 34  31 36 00 00 00 00 00 ae  |A95D210416......|
00000060  30 30 30 46 43 39 31 42  41 39 35 44 20 20 20 20  |000FC91BA95D    |
00000070  20 20 20 20 20 20 20 20  45 44 4c 31 36 43 56 31  |        EDL16CV1|
00000080  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
00000100
root@turris:~# ethtool -k eth2
Features for eth2:
rx-checksumming: off [fixed]
tx-checksumming: on
	tx-checksum-ipv4: on
	tx-checksum-ip-generic: off [fixed]
	tx-checksum-ipv6: on
	tx-checksum-fcoe-crc: off [fixed]
	tx-checksum-sctp: off [fixed]
scatter-gather: on
	tx-scatter-gather: on
	tx-scatter-gather-fraglist: off [fixed]
tcp-segmentation-offload: on
	tx-tcp-segmentation: on
	tx-tcp-ecn-segmentation: off [fixed]
	tx-tcp-mangleid-segmentation: off
	tx-tcp6-segmentation: off [fixed]
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: off [fixed]
tx-vlan-offload: off [fixed]
ntuple-filters: off [fixed]
receive-hashing: off [fixed]
highdma: off [fixed]
rx-vlan-filter: off [fixed]
vlan-challenged: off [fixed]
tx-lockless: off [fixed]
netns-local: off [fixed]
tx-gso-robust: off [fixed]
tx-fcoe-segmentation: off [fixed]
tx-gre-segmentation: off [fixed]
tx-gre-csum-segmentation: off [fixed]
tx-ipxip4-segmentation: off [fixed]
tx-ipxip6-segmentation: off [fixed]
tx-udp_tnl-segmentation: off [fixed]
tx-udp_tnl-csum-segmentation: off [fixed]
tx-gso-partial: off [fixed]
tx-sctp-segmentation: off [fixed]
tx-esp-segmentation: off [fixed]
fcoe-mtu: off [fixed]
tx-nocache-copy: off
loopback: off [fixed]
rx-fcs: off [fixed]
rx-all: off [fixed]
tx-vlan-stag-hw-insert: off [fixed]
rx-vlan-stag-hw-parse: off [fixed]
rx-vlan-stag-filter: off [fixed]
l2-fwd-offload: off [fixed]
hw-tc-offload: off [fixed]
esp-hw-offload: off [fixed]
esp-tx-csum-hw-offload: off [fixed]
rx-udp_tunnel-port-offload: off [fixed]
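The `ethtool -m` fields above are nothing more than a decoding of the 256-byte A0h EEPROM page whose raw dump follows them. The script below is an added example (not code from the page or from ethtool) that parses that dump itself according to the SFF-8472 layout as known to the author of this example, and recomputes the two checksums CC_BASE (bytes 0..62, stored in byte 63) and CC_EXT (bytes 64..94, stored in byte 95). Checking the decoded vendor, part number and serial against what was bought, together with valid checksums, is the cheapest sanity check on a module's identity before trusting it on the WAN port; the hexdump text is copied from the output above.

```python
"""Decode the SFP EEPROM dump shown above and verify its checksums.

Added example, not code from the page or from ethtool. Field offsets
follow SFF-8472 (A0h serial ID block) as the author of this example
knows them; the raw dump is the one printed above.
"""

# `ethtool -m eth2 raw on | hexdump -C` output copied from above
# ("*" marks a repeated line, as hexdump prints it)
HEXDUMP = """
00000000  03 04 22 00 00 00 01 00  00 00 00 01 0d 00 00 00  |..".............|
00000010  00 00 ff 00 41 4c 4c 4e  45 54 20 20 20 20 20 20  |....ALLNET      |
00000020  20 20 20 20 00 00 0f c9  41 4c 4c 34 37 38 31 20  |    ....ALL4781 |
00000030  20 20 20 20 20 20 20 20  56 33 2e 34 00 00 00 c7  |        V3.4....|
00000040  08 00 00 00 30 30 30 30  30 30 30 46 43 39 31 42  |....0000000FC91B|
00000050  41 39 35 44 32 31 30 34  31 36 00 00 00 00 00 ae  |A95D210416......|
00000060  30 30 30 46 43 39 31 42  41 39 35 44 20 20 20 20  |000FC91BA95D    |
00000070  20 20 20 20 20 20 20 20  45 44 4c 31 36 43 56 31  |        EDL16CV1|
00000080  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
00000100
"""

# SFF-8472 byte 6: Ethernet compliance codes, bit 0 first
ETH_CODES_BYTE6 = ("1000BASE-SX", "1000BASE-LX", "1000BASE-CX", "1000BASE-T",
                   "100BASE-LX/LX10", "100BASE-FX", "BASE-BX10", "BASE-PX")
# SFF-8024 connector codes (subset)
CONNECTORS = {0x00: "unknown", 0x07: "LC", 0x0b: "optical pigtail",
              0x21: "copper pigtail", 0x22: "RJ45"}


def parse_hexdump(text):
    """Turn `hexdump -C` text back into bytes, honouring the "*" marker."""
    data, last, squeezed = bytearray(), b"", False
    for line in text.strip().splitlines():
        line = line.strip()
        if line == "*":
            squeezed = True
            continue
        off_str, _, rest = line.partition(" ")
        offset = int(off_str, 16)
        if squeezed:                      # fill the gap with the repeated line
            if not last:
                raise ValueError('"*" before any data line')
            while len(data) < offset:
                data.extend(last)
            squeezed = False
        if len(data) != offset:
            raise ValueError(f"offset {offset:#x} but {len(data)} bytes so far")
        last = bytes.fromhex(rest.split("|")[0])   # drop the ASCII column
        data.extend(last)
    return bytes(data)


def _text(eeprom, start, end):
    """Fixed-width ASCII field, padded with spaces or NULs."""
    return eeprom[start:end].decode("ascii", "replace").rstrip(" \x00")


def parse_sfp_a0(eeprom):
    """Decode the fields ethtool -m prints, plus both checksum verdicts."""
    if len(eeprom) < 96:
        raise ValueError("need at least the 96-byte serial ID block")
    codes6 = [name for bit, name in enumerate(ETH_CODES_BYTE6) if (eeprom[6] >> bit) & 1]
    return {
        "identifier": eeprom[0],                       # 0x03 = SFP/SFP+
        "connector": CONNECTORS.get(eeprom[2], f"0x{eeprom[2]:02x}"),
        "ethernet_compliance": codes6,
        "encoding": eeprom[11],                        # 0x01 = 8B/10B
        "br_nominal_mbd": eeprom[12] * 100,
        "length_copper_m": eeprom[18],
        "wavelength_nm": int.from_bytes(eeprom[60:62], "big"),
        "vendor_name": _text(eeprom, 20, 36),
        "vendor_oui": ":".join(f"{b:02x}" for b in eeprom[37:40]),
        "vendor_pn": _text(eeprom, 40, 56),
        "vendor_rev": _text(eeprom, 56, 60),
        "vendor_sn": _text(eeprom, 68, 84),
        "date_code": _text(eeprom, 84, 92),            # YYMMDD + lot; ethtool shows the NULs as "__"
        "cc_base_ok": sum(eeprom[0:63]) % 256 == eeprom[63],
        "cc_ext_ok": sum(eeprom[64:95]) % 256 == eeprom[95],
    }


if __name__ == "__main__":
    for key, value in parse_sfp_a0(parse_hexdump(HEXDUMP)).items():
        print(f"{key:20} {value}")
```

For this module both checksums verify and the decoded strings match the `ethtool -m` listing; note that the compliance byte claims 1000BASE-SX with a wavelength of 0 nm on an RJ45 connector, which is what a VDSL transceiver has to write there to be accepted as a plain gigabit SFP.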
mSATA card
The Kingston SKC600MS/1024G fits perfectly into the Omnia Turris.
But you have to move the 2.4GHz WiFi card to the outer slot (below the SIM card). Only the inner mini-PCI-Express port provides the mSATA interface; the card does not work in any slot but the inner one. Please compare with the Omnia Turris specifications. I actually do not understand why it is not delivered this way, but anyway.
All you'll need to do is
- Disconnect the antennas
- Open the chassis (6 screws)
- Disconnect all WiFi cables
- Unscrew the 2.4GHz WiFi card
- Unscrew the board from the chassis (5 screws) to get access to the screws that hold the spacers for the mini-PCI-Express cards
- Move the spacers to the other holes and screw them down
- Screw the board back to the chassis
- Carefully insert the cards and screw them to the board
- Exchange some WiFi cables to get the correct length and attach them back to the WiFi cards
- Close the chassis
- Reattach the antennas
Omnia Turris with a Kingston mSATA
Just for completeness, a picture of the backside of the Omnia Turris.
Firewall custom rules
In my case custom firewall rules in /etc/firewall.user are not applied on reboot.
Procd actually starts the firewall early and the firewall also executes /etc/firewall.user, but it may be superseded by another startup routine like the DynFW, which is started later. I did not yet find the time to investigate the issue and chose a quick workaround with cron via the web frontend.
System > Scheduled Tasks, which is the same as
crontab -e
Knot Resolver
About
Knot Resolver is a minimalistic implementation of a caching validating DNS resolver. Modular architecture keeps the core tiny and efficient, and it provides a state-machine like API for extensions.
Replacement of DNSmasq
On Turris OS, the DNS function of DNSMASQ is disabled by design, the Knot resolver is used instead. Therefore, changing the settings related to the DNS service in the DHCP and DNS screen of the LuCI interface has no effect.
Please compare to
Knot resolver (i.e. kresd) - DNS advanced settings for Omnia and MOX
Kresd - Clear DNS cache
The kresd DNS cache is persistent on disk and thus survives restarts of the system and of the daemon. To test something you will have to clear the cache.
Connect via the unix socket and clear the cache via the CLI.
Or as a script
/usr/sbin/kresd_clear_cache.sh
Make the script executable
Kresd - show cache.stats
Show cache stats
echo 'cache.stats()' |socat - /tmp/kresd/control/$(pgrep kresd)
Kresd - adjust cache.size
Performance may be improved a bit by storing DNSSEC validation results aggressively in an increased cache.
/etc/config/resolver
Restart kresd
Kresd - Change logging live
Making the log visible renders things lots easier.
This is runtime configuration and does not survive a restart of the daemon.
Kresd - Custom config
Enable custom configuration to be included to kresd
/etc/config/resolver
Commit the configuration and restart the resolver service to let the custom config take effect.
Kresd - Forwarding domains
/etc/kresd/custom.conf
Kresd - Disable DNSsec validation per domain
/etc/kresd/custom.conf
Kresd - network buffer size
DNS protocol tweaks - net.bufsize()
Increase the sizes and align the network buffer (default RX/TX 1232 bytes) with the kernel page size.
/etc/kresd/custom.conf
Kresd - name server timeout
Kresd docs - cache.ns_tout([timeout])
NS retry interval in milliseconds (default: KR_NS_TIMEOUT_RETRY_INTERVAL (1000ms))
Hypothesis: 1s can be a little short for a deep DNSSEC validation.
/etc/kresd/custom.conf
TP-Link Archer C7 v5
Model: TP-Link Archer C7 v5
Architecture: Qualcomm Atheros QCA9560 802.11bgn ver 1 rev 0, Qualcomm Atheros QCA9880 802.11nac
Target Platform: ath79/generic
Firmware Version: OpenWrt 21.02.2 r16495-bf0c965af0 / LuCI openwrt-21.02 branch git-22.046.85957-59c3392
Kernel Version: 5.4.179
Benchmark
- The iperf server is running on an Omnia Turris (2020).
- No additional offloading features could be enabled using ethtool. I guess the ath10k driver does not support toggling these features.
- The CPU load is likely to go through the roof.
- The Archer C7 does not support hardware flow offloading.
- When using 5GHz WiFi:
  - I guess some offloading is missing, like TCP checksumming.
  - When using a routed/NAT setup the CPU is simply at its limits.
Test1
- Firewall: off
- Flow offloading: off
- Scenario:
  - Router uplink via cable on br-lan LAN0
  - LAN:
    - DHCP server: off
    - DHCP client: on (default route)
  - WAN: unused
- Iperf client running on a laptop connected via WiFi (5GHz)
- CPU load: MAX
  - ksoftirqd: ~80%
iperf -c 192.168.183.1
------------------------------------------------------------
Client connecting to 192.168.183.1, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[  1] local 192.168.183.127 port 53496 connected with 192.168.183.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  1] 0.0000-10.0943 sec   383 MBytes   318 Mbits/sec
Test2
- Firewall: on
- Flow offloading: software
- Scenario:
  - Router uplink via cable on br-lan LAN0
  - LAN:
    - DHCP server: off
    - DHCP client: on (default route)
  - WAN: unused
- Iperf client running on a laptop connected via WiFi (5GHz)
- CPU load: MAX
  - ksoftirqd: ~80%
iperf -c 192.168.183.1
------------------------------------------------------------
Client connecting to 192.168.183.1, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[  1] local 192.168.183.127 port 53488 connected with 192.168.183.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  1] 0.0000-10.0799 sec   392 MBytes   326 Mbits/sec
Test3
- Firewall: on
- Flow offloading: on
- Scenario:
  - Router uplink via cable on br-lan
  - LAN:
    - DHCP server: off
    - DHCP client: on (default route)
  - WAN: unused
- Iperf client running on a laptop connected via cable on br-lan LAN1
- CPU load: MIN
iperf -c 192.168.183.1
------------------------------------------------------------
Client connecting to 192.168.183.1, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[  1] local 192.168.183.110 port 36576 connected with 192.168.183.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  1] 0.0000-10.0238 sec  1.07 GBytes   918 Mbits/sec
Test4
- Firewall: off
- Flow offloading: none
- Scenario:
  - Router uplink via cable on br-lan
  - LAN:
    - DHCP server: off
    - DHCP client: on (default route)
  - WAN: unused
- Iperf client running on a laptop connected via cable on br-lan LAN1
- CPU load: MIN
iperf -c 192.168.183.1
------------------------------------------------------------
Client connecting to 192.168.183.1, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[  1] local 192.168.183.110 port 36578 connected with 192.168.183.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  1] 0.0000-10.0210 sec  1.07 GBytes   917 Mbits/sec
Test5
- Firewall: on
- Flow offloading: on
- Scenario:
  - Router uplink via cable on WAN
  - LAN:
    - Protocol: Static address
    - DHCP server: on
  - WAN:
    - DHCP client: on (default route)
- Iperf client running on a laptop connected via WiFi (5GHz)
- CPU load: MAX
  - ksoftirqd: ~80%
iperf -c 192.168.183.1
------------------------------------------------------------
Client connecting to 192.168.183.1, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[  1] local 192.168.111.111 port 51764 connected with 192.168.183.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  1] 0.0000-10.1084 sec   245 MBytes   203 Mbits/sec
------------------------------------------------------------
Test6
- Firewall: on
- Flow offloading: none
- Scenario:
  - Router uplink via cable on WAN
  - LAN:
    - Protocol: Static address
    - DHCP server: on
  - WAN:
    - DHCP client: on (default route)
- Iperf client running on a laptop connected via WiFi (5GHz)
- CPU load: MAX
  - ksoftirqd: ~80%
iperf -c 192.168.183.1
------------------------------------------------------------
Client connecting to 192.168.183.1, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[  1] local 192.168.111.111 port 51760 connected with 192.168.183.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  1] 0.0000-10.1564 sec   203 MBytes   168 Mbits/sec
Test7
- Firewall: on
- Flow offloading: on
- Scenario:
  - Router uplink via cable on WAN
  - LAN:
    - Protocol: Static address
    - DHCP server: on
  - WAN:
    - DHCP client: on (default route)
- Iperf client running on a laptop connected via cable on br-lan LAN1
- CPU load: MAX
  - ksoftirqd: ~90%
iperf -c 192.168.183.1
------------------------------------------------------------
Client connecting to 192.168.183.1, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[  1] local 192.168.111.127 port 33552 connected with 192.168.183.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  1] 0.0000-10.0391 sec   760 MBytes   635 Mbits/sec
Test8
- Firewall: on
- Flow offloading: none
- Scenario:
  - Router uplink via cable on WAN
  - LAN:
    - Protocol: Static address
    - DHCP server: on
  - WAN:
    - DHCP client: on (default route)
- Iperf client running on a laptop connected via cable on br-lan LAN1
- CPU load: MAX
  - ksoftirqd: ~85%
iperf -c 192.168.183.1
------------------------------------------------------------
Client connecting to 192.168.183.1, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[  1] local 192.168.111.127 port 33556 connected with 192.168.183.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  1] 0.0000-10.1120 sec   231 MBytes   192 Mbits/sec
Test9
- Firewall: on
- Flow offloading: on
- Scenario:
  - Router uplink via cable on WAN
  - LAN:
    - Protocol: Static address
    - DHCP server: on
  - WAN:
    - DHCP client: on (default route)
- Iperf client running on the Archer C7 itself
- CPU load: MAX
  - iperf: ~72%
  - ksoftirqd: ~10%
iperf -c 192.168.183.1
------------------------------------------------------------
Client connecting to 192.168.183.1, TCP port 5001
TCP window size:  262 KByte (default)
------------------------------------------------------------
[  3] local 192.168.183.238 port 56182 connected with 192.168.183.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   292 MBytes   245 Mbits/sec
Test10
- Firewall: on
- Flow offloading: none
- Scenario:
  - Router uplink via cable on WAN
  - LAN:
    - Protocol: Static address
    - DHCP server: on
  - WAN:
    - DHCP client: on (default route)
- Iperf client running on the Archer C7 itself
- CPU load: MAX
  - iperf: ~71%
  - ksoftirqd: ~11%
iperf -c 192.168.183.1
------------------------------------------------------------
Client connecting to 192.168.183.1, TCP port 5001
TCP window size:  175 KByte (default)
------------------------------------------------------------
[  3] local 192.168.183.238 port 56184 connected with 192.168.183.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   294 MBytes   247 Mbits/sec
Test11
- Firewall: off
- Flow offloading: none
- Scenario:
  - Router uplink via cable on WAN
  - LAN:
    - Protocol: Static address
    - DHCP server: on
  - WAN:
    - DHCP client: on (default route)
- Iperf client running on the Archer C7 itself
- CPU load: MAX
  - iperf: ~75%
  - ksoftirqd: ~8%
iperf -c 192.168.183.1
------------------------------------------------------------
Client connecting to 192.168.183.1, TCP port 5001
TCP window size:  131 KByte (default)
------------------------------------------------------------
[  3] local 192.168.183.238 port 56188 connected with 192.168.183.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   314 MBytes   263 Mbits/sec
Add user
Busybox is nowadays mighty enough. I no longer consider this package essential.
There are some packages for shadow accounting:
opkg list |grep shadow-
Install package
The default group is "users" (GID=100). Add a non-privileged user with its own group and a login shell set.