OpenWRT on a NanoStation M2 with IPv6

Hardware: NanoStation M2

  • Runs Linux by default (AirOS)
  • Atheros wifi, supports 802.11n
  • Power over ethernet

The official reseller for UBNT in Canada is www.ubnt.ca. See their M2 product page for more information. In Québec, Converbit.ca also has good deals and is near Montréal.

The instructions below may apply to other types of routers. Your mileage may vary.

Summary

We are going to configure an AP for file sharing between neighbors. It will have its own subnet (for better privacy) and IPv6 (for fun). It will not directly route to the Internet for IPv4 (NAT can be done on the main router anyway).

Download the firmware

OpenWRT 10.03.1 backfire for ar71xx ubnt nano m: squashfs (recommended) or trunk

Save the file locally on a computer which will connect to the AP in order to flash it.

Flashing the device

Connect a computer directly into the AP with an ethernet cable (using the PoE injector, or using a PoE switch).

On the computer, disable the network-manager (Linux) and manually configure the network interface:

# ifconfig eth0:ap 192.168.1.123

Immediately after powering the AP, press the "reset" button (located near the "main" network jack). When the AP is ready, its network LEDs will flash in an alternating pattern.

Make sure the AP is plugged into a reliable power source so that the flashing procedure is not interrupted.

From the computer, send the firmware using tftp:

$ tftp 192.168.1.20

tftp> binary
tftp> put openwrt-ar71xx-ubnt-nano-m-squashfs-factory.bin

Wait at least 5-10 minutes. The AP should reboot by itself.

Initial configuration

By default, OpenWRT uses 192.168.1.1, so use the same network configuration as above for the next steps.

Telnet into the router:

$ telnet 192.168.1.1

Enable ssh by setting a password on the device:

openwrt# passwd

Configure the network:

openwrt# vi /etc/config/network

In my case, the AP is not my main router, so I am assigning it an IP using DHCP from my main network:

config interface lan
        option ifname   eth0
        option type     bridge
        option proto     dhcp

Reboot for the settings to become effective:

openwrt# reboot

The AP is now available on its new address, by ssh:

$ ssh root@192.168.42.4

A web interface is also available, e.g. http://192.168.42.4.

Wireless network configuration

Enable the wifi interface by commenting out the line "option disabled 1" in /etc/config/wireless:

config wifi-device  radio0
[...]
        # REMOVE THIS LINE TO ENABLE WIFI:
        # option disabled 1

config wifi-iface
        option device   radio0
        option network  lan
        option mode     ap
        option ssid     librenet-change-this
        option encryption none

You will also want to change the SSID and the encryption mode. Then reboot the router.

Reference: http://wiki.openwrt.org/doc/uci/network

IPv6

Assuming your local (upstream) network already supports IPv6:

root@OpenWrt:~# opkg update
root@OpenWrt:~# opkg install kmod-ipv6 radvd ip kmod-ip6tables ip6tables

The wan interface will auto-configure itself if your upstream network has radvd:

root@OpenWrt:~# ping ipv6.google.com
PING ipv6.google.com (2001:4860:800b::93): 56 data bytes
64 bytes from 2001:4860:800b::93: seq=0 ttl=53 time=57.845 ms

At this point, we only have IPv6 on the AP itself; we cannot route it yet for our own wifi subnet.

Separate the wifi and lan on the AP

Used this to separate the wifi and lan, since the AP is acting weird and using the lan as an uplink: http://wiki.openwrt.org/doc/recipes/routedap

File /etc/config/network (adding the "wifi" interface, and setting eth0 to dhcp, because my main dhcp server gives the AP a static IP and DNS servers):

config interface loopback
        option ifname   lo
        option proto    static
        option ipaddr   127.0.0.1
        option netmask  255.0.0.0

 # this is in fact.. the wan/uplink. it will get 192.168.42.4
config interface lan
        option ifname   eth0
        option proto    dhcp

config interface wan
        option ifname   eth1
        option proto    dhcp

config interface wifi
        option proto    static
        option ipaddr   192.168.50.1
        option netmask  255.255.255.0
        option ip6addr  '2001:470:b1e2:50::1/64'

File /etc/config/wireless (the "option network wifi" is the main change):

config wifi-iface
        option device   radio0
        option network  wifi
        option mode     ap
        option ssid     librenet-m2-sud
        option encryption none

For the file /etc/config/firewall, see the main howto from the openwrt wiki (see above).

Routing

Enable routing in /etc/sysctl.conf:

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

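Enable routing in iptables, in file /etc/firewall.user (there is probably a cleaner way of doing this?). These two commands set the default FORWARD policy to ACCEPT for IPv4 and IPv6, so every packet that no firewall rule rejects is routed, in both directions: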

iptables -P FORWARD ACCEPT
ip6tables -P FORWARD ACCEPT

Provide automatic configuration on IPv6 by installing radvd

opkg install radvd

The configuration file is /etc/radvd.conf:

interface wlan0
{
  AdvSendAdvert on;
  MaxRtrAdvInterval 30;

  prefix 2001:470:b1e2:50::1/64
  {
    AdvOnLink on;
    AdvAutonomous on;
    AdvRouterAddr off;
    AdvValidLifetime 300;
    AdvPreferredLifetime 120;
  };
};

Start the service:

/etc/init.d/radvd start

Testing: network routing (ipv4 + ipv6)

  • my main network is 192.168.42.x, and in IPv6 is 2001:470:b1e2::/48
  • The AP is configured to use 192.168.50.1, and in IPv6 it automatically received 2001:470:b1e2:42:215:6dff:fe71:37ea/64 using stateless configuration (radvd)

Added a static route entry on my main router:

ip route add 192.168.50.0/24 via 192.168.42.4 dev eth1

For IPv6:

ip -6 route add 2001:470:b1e2:50::1/64 via 2001:470:b1e2:42:215:6dff:fe71:37ea dev eth1
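
The next hop in the IPv6 route above is a stateless (SLAAC) address, so its last 64 bits are derived from the AP's MAC address (modified EUI-64). The shell functions below are an added example, not part of the original page: they rebuild that next hop from a prefix and a MAC, and recover the MAC embedded in an address, which any remote host can also do with the addresses of wifi clients that autoconfigure from radvd without privacy extensions. The function names are hypothetical, and the MAC 00:15:6d:71:37:ea is derived from the address above rather than stated by the author.

```sh
#!/bin/sh
# Added example (not from the original page): modified EUI-64 <-> MAC conversion.
# Function names are hypothetical; the sample MAC is derived from the AP
# address shown on this page, not stated by the author.

# mac_to_iid aa:bb:cc:dd:ee:ff -> modified EUI-64 interface identifier
mac_to_iid() {
    old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs
    [ $# -eq 6 ] || return 1
    # Flip the universal/local bit of the first octet, insert ff:fe in the middle
    printf '%x:%x:%x:%x\n' \
        $(( ((0x$1 ^ 0x02) << 8) | 0x$2 )) \
        $(( (0x$3 << 8) | 0xff )) \
        $(( 0xfe00 | 0x$4 )) \
        $(( (0x$5 << 8) | 0x$6 ))
}

# iid_to_mac 215:6dff:fe71:37ea -> MAC, or status 1 if the identifier is not EUI-64
iid_to_mac() {
    old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    g1=$((0x$1)); g2=$((0x$2)); g3=$((0x$3)); g4=$((0x$4))
    # EUI-64 identifiers always carry ff:fe between the two MAC halves
    [ $((g2 & 0xff)) -eq 255 ] && [ $((g3 >> 8)) -eq 254 ] || return 1
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' \
        $(( (g1 >> 8) ^ 0x02 )) $((g1 & 0xff)) $((g2 >> 8)) \
        $((g3 & 0xff)) $((g4 >> 8)) $((g4 & 0xff))
}

# slaac_addr <first four groups of the /64> <mac> -> full SLAAC address
slaac_addr() {
    iid=$(mac_to_iid "$2") || return 1
    printf '%s:%s\n' "$1" "$iid"
}

# Next hop used in the static route above, rebuilt from prefix + MAC
slaac_addr 2001:470:b1e2:42 00:15:6d:71:37:ea
# A randomised (privacy-extension style) identifier is rejected; constructed sample
iid_to_mac 3c1a:9b22:417e:d0c5 || echo "not EUI-64: no MAC embedded"
```

Because the identifier follows the MAC, the next hop stays the same across reboots but changes if the AP hardware is replaced, at which point the static route on the main router has to be updated.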

Splash page: nodogsplash

Install the package:

root@OpenWrt:~# opkg install nodogsplash

The configuration file is in /etc/nodogsplash/nodogsplash.conf

GatewayInterface wlan0

FirewallRuleSet authenticated-users {
  FirewallRule block to 192.168.0.0/16
  FirewallRule block to 10.0.0.0/8

  # File server
  FirewallRule allow tcp port 80 to 172.16.42.2

  # respectively: DNS, http, https, ssh
  FirewallRule allow tcp port 53
  FirewallRule allow udp port 53
  FirewallRule allow tcp port 80
  FirewallRule allow tcp port 443
  FirewallRule allow tcp port 22
}

FirewallRuleSet preauthenticated-users 
{
  # DNS
  FirewallRule allow tcp port 53
  FirewallRule allow udp port 53
  
  # Splash page
  FirewallRule allow tcp port 80 to 172.16.42.1
}

GatewayName librenet-m2-sud
RedirectURL http://partage.m2.bidon.ca/
TrafficControl yes
UploadLimit 128

The HTML of the splash page can be edited in /etc/nodogsplash/htdocs/

vnstat: bandwidth statistics

See: http://wiki.openwrt.org/doc/howto/vnstat

To generate graphs:

#!/bin/sh
# vnstati image generation script.
# Source: http://code.google.com/p/x-wrt/source/browse/trunk/package/webif/files/www/cgi-bin/webif/graphs-vnstat.sh

WWW_D=/tmp/www/vnstat # output images to here
LIB_D=/var/lib/vnstat # db location
BIN=/usr/bin/vnstati  # which vnstati

outputs="s h d t m"   # what images to generate

# Sanity checks
[ -d "$WWW_D" ] || mkdir -p "$WWW_D" # make the folder if it doesn't exist.

# You might want to set up a link if it doesn't exist.
# [ -L /www/vnstat ] || ln -sf /www/vnstat /tmp/www/

# End of config changes
# One database file per monitored interface
interfaces="$(ls -1 "$LIB_D")"

if [ -z "$interfaces" ]; then
        echo "No database found, nothing to do."
        echo "A new database can be created with the following command: "
        echo "    vnstat -u -i eth0"
        exit 0
else
        # Generate one image per interface and per output type
        for interface in $interfaces; do
                for output in $outputs; do
                        "$BIN" "-${output}" -i "$interface" -o "$WWW_D/vnstat_${interface}_${output}.png"
                done
        done
fi

# Images were generated: report success
exit 0

QoS

root@OpenWrt:~# opkg install qos-scripts
root@OpenWrt:~# /etc/init.d/qos enable
root@OpenWrt:~# /etc/init.d/qos start

The configuration file is /etc/config/qos. The default configuration limits traffic to 50ko/sec down, 15kb/sec up.

2011-07-08: conflicts with nodogsplash... workaround not found yet -ML
