Differences between revisions 44 and 69 (spanning 25 versions)
Revision 44 as of 2013-01-06 20:41:09
Size: 9331
Editor: fungi
Comment:
Revision 69 as of 2014-08-31 23:30:05
Size: 8900
Editor: fungi
Comment:
Line 9: Line 9:
 * two [[http://www.dd-wrt.com/wiki/index.php/Linksys_E4200|Cisco/Linksys E4200 v1]] for redundant operation and a third as a cold spare  * two [[http://www.dd-wrt.com/wiki/index.php/Linksys_E4200|Cisco/Linksys E4200 v1]] ([[http://www.dd-wrt.com/phpBB2/viewtopic.php?p=661393&highlight=#661393|not v2]]) for redundant operation and a third as a cold spare
Line 11: Line 11:
 * remove the original housings and add heatsinks and thermal adhesive for the switch chips (similarly, stability issues are thought to come from overheating)  * [[http://www.dd-wrt.com/phpBB2/viewtopic.php?p=693780|remove the original housings and solder serial connectors to the boards]] for out-of-band access
 *
add heatsinks and thermal adhesive for the switch chips (similarly, stability issues are thought to come from overheating)
Line 15: Line 16:
 * beer (yes, it ''is'' necessary to the process)  * [[http://beeradvocate.com/beer/101/|beer]] (yes, it ''is'' necessary to the process)
Line 22: Line 23:
 1. plug your machine's wired interface into the ''Ethernet 4'' port
 1.
set the interface to a static address of 192.168.1.2 and make sure you can reach the device at 192.168.1.1 (''sudo ip address add 192.168.1.2/30 dev eth0 ; sudo ip link set up dev eth0 ; ping -c1 192.168.1.1 >/dev/null ; ip neighbor show dev eth0'')
 1. plug your machine's wired interface into the ''Ethernet 4'' port, set the interface to a static address of 192.168.1.2 and make sure you can reach the device over it at 192.168.1.1 (''sudo ip address add 192.168.1.2/30 dev eth0 ; sudo ip link set up dev eth0 ; ping -c1 192.168.1.1 >/dev/null ; ip neighbor show dev eth0'')
Line 25: Line 25:
 1. upgrade the flash with a trailed E4200 mini build like [[http://dd-wrt.com/dd-wrtv2/downloads/others/eko/BrainSlayer-V24-preSP2/2012/03-19-12-r18777/broadcom_K26/dd-wrt.v24-18777_NEWD-2_K2.6_mini-e4200.bin|dd-wrt.v24-18777_NEWD-2_K2.6_mini-e4200.bin]] (the Cisco/Linksys firmware updater looks for special headers, so this is the first in a two-stage load)  1. upgrade the flash with a trailed E4200 mini build like [[ftp://ftp.dd-wrt.com/others/eko/BrainSlayer-V24-preSP2/2012/03-19-12-r18777/broadcom_K26/dd-wrt.v24-18777_NEWD-2_K2.6_mini-e4200.bin|dd-wrt.v24-18777_NEWD-2_K2.6_mini-e4200.bin]] (the Cisco/Linksys firmware updater looks for special headers, so this is the first in a two-stage load)
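Review bot: the download link now points at an `ftp://` mirror, and neither it nor the previous `http://` URL gives any way to check that the image fetched is the one this page was tested with; record the image's checksum next to the link (and the procedure to compare it, e.g. `sha256sum` on the host) so a future re-flash can verify the file before it is written to a device.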
Line 31: Line 31:
 1. upgrade flash with a more featureful NV60K build like [[http://dd-wrt.com/dd-wrtv2/downloads/others/eko/BrainSlayer-V24-preSP2/2013/01-01-2013-r20453/broadcom_K26/dd-wrt.v24-20453_NEWD-2_K2.6_std_usb_nas-nv60k.bin|dd-wrt.v24-20453_NEWD-2_K2.6_std_usb_nas-nv60k.bin]] (this adds IPv6 and SNMP support, which we'll want)  1. upgrade flash with a more featureful NV60K build like [[https://secure.dd-wrt.com/routerdb/de/download/Cisco%20Linksys/E4200/1.0/dd-wrt.v24-21061_NEWD-2_K2.6_std_usb_nas-nv60k.bin/3940|dd-wrt.v24-20453_NEWD-2_K2.6_std_usb_nas-nv60k.bin]] (this adds IPv6 and SNMP support, which we'll want)
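Review bot: the new link target is the 21061 image (`.../dd-wrt.v24-21061_NEWD-2_K2.6_std_usb_nas-nv60k.bin/3940`) while the link text still reads `dd-wrt.v24-20453_NEWD-2_K2.6_std_usb_nas-nv60k.bin` and the transcripts below still show `SVN revision: 20453`; either link the 20453 image or update the text and the banner checks, otherwise a reader following the link flashes a different build than the page's later checks describe.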
Line 41: Line 41:

== Replace Telnet And HTTP With SSH And HTTPS ==
Line 70: Line 72:
root@DD-WRT:~# nvram set sshd_enable=1 telnetd_enable=0 commit
root@DD-WRT:~# reboot
root@DD-WRT:~# Connection closed by foreign host.
fungi@tsathoggua:~$ ssh root@192.168.1.1
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA key fingerprint is 67:fe:7b:50:6a:2e:97:9e:0b:53:f6:64:9c:c6:d9:e8.
Are you sure you want to continue connecting (yes/no)? yes
root@DD-WRT:~# nvram set sshd_enable=1
root@DD-WRT:~# startservice sshd
root@DD-WRT:~# nvram set https_enable=1
root@DD-WRT:~# nvram set http_enable=0
root@DD-WRT:~# startstop httpd
root@DD-WRT:~# nvram set telnetd_enable=0
root@DD-WRT:~# stopservice telnetd
Connection closed by foreign host.
fungi@tsathoggua:~$ ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@192.168.1.1
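Review bot: the replacement ssh invocation on the last line disables host-key verification (`-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no`), whereas the removed transcript kept the fingerprint prompt (`RSA key fingerprint is 67:fe:7b:...`). This first connection is over a direct cable right after the host key was generated, so it is the one trusted moment to record the fingerprint (or pin it to a dedicated known_hosts file) and then require it on the later connection over the management VLAN, rather than turning checking off there as well.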
Line 80: Line 84:
root@192.168.1.1's password: root@192.168.1.1's password: admin
Line 98: Line 102:
root@DD-WRT:~# nvram commit
Line 101: Line 106:
== Disable Both Radios == == Change Passwords ==
Line 103: Line 108:
We'll turn them back on later once we configure appropriate security... {{{
root@DD-WRT:~# setuserpasswd root somepassword
root@DD-WRT:~# setpasswd root somepassword
}}}
Line 105: Line 113:
 * '''Wireless'''
  * '''Basic Settings'''
   * '''Wireless Physical Interface wl0 [2.4 GHz]'''
    * '''Physical Interface wl0 - SSID [dd-wrt] HWAddr [FE:DC:BA:98:76:54]'''
     * '''Wireless Network Mode:''' Disabled
   * '''Wireless Physical Interface wl1 [2.4/5 GHz]'''
    * '''Physical Interface wl1 - SSID [dd-wrt] HWAddr [01:23:45:67:89:AB]'''
     * '''Wireless Network Mode:''' Disabled
   * '''Apply Settings:''' click
== Add A JFFS2 Filesystem ==
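Review bot: the Disable Both Radios steps (Wireless Network Mode: Disabled on both wl0 and wl1, which still carry the default SSID `dd-wrt`) are dropped here and nothing in the added text disables the radios by another route; since these devices serve as switches, keep the step or add the equivalent command-line settings so the radios are not left on with defaults.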
Line 115: Line 115:
== Trunked Management Interface == {{{
root@DD-WRT:~# nvram set clean_jffs2=1
root@DD-WRT:~# nvram set enable_jffs2=1
root@DD-WRT:~# nvram set sys_clean_jffs2=1
root@DD-WRT:~# nvram set sys_enable_jffs2=1
root@DD-WRT:~# nvram commit
}}}
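Review bot: `clean_jffs2=1` and `sys_clean_jffs2=1` are committed alongside the enable flags, but the section has no step confirming the result; add a post-reboot check such as `nvram get clean_jffs2` and `mount | grep jffs` so the partition is verified as mounted and the clean flags are confirmed cleared rather than assumed.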
Line 117: Line 123:
We ultimately want to manage this on a specific VLAN over a trunk and disable the default management interface... == Use A Management VLAN ==
Line 119: Line 125:
 * '''Setup'''
  * '''Networking'''
   * '''Bridging'''
    * '''Create Bridge'''
     * '''Add:''' click
     * '''Bridge 1:''' ''man''
   * '''Apply Settings:''' click
   * '''Bridging'''
    * '''Create Bridge'''
     * '''Bridge 1'''
      * '''IP Address:''' ''172.23.5.(whatever the last octet of this one is going to be)''
      * '''Subnet Mask:''' ''255.255.255.224''
   * '''Apply Settings:''' click
 * '''Administration'''
  * '''Management'''
   * '''Reboot Router:''' click
 * '''Setup'''
  * '''Networking'''
   * '''Bridging'''
    * '''Assign to Bridge'''
     * '''Add:''' click
     * '''Assignment 0:''' ''
     
== Stuff ==
{{{
root@DD-WRT:~# nvram set rc_firewall="iptables -I INPUT 2 -i vlan9 -j ACCEPT"
root@DD-WRT:~# nvram set rc_startup="ifconfig vlan9 192.168.2.1 netmask 255.255.255.0"
root@DD-WRT:~# nvram set vlan1ports="0 1 2 8"
root@DD-WRT:~# nvram set vlan9hwname=et0
root@DD-WRT:~# nvram set vlan9ports="3t 8*"
root@DD-WRT:~# nvram commit
}}}
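Review bot: the `rc_firewall` rule `iptables -I INPUT 2 -i vlan9 -j ACCEPT` admits all inbound traffic on the management VLAN, not only the SSH and HTTPS services the page enables; narrow it to those services (two rules with `-p tcp --dport 22` and `-p tcp --dport 443` in place of the blanket ACCEPT) so the management interface exposes nothing else. Note also that `rc_startup` gives vlan9 a /24 (`netmask 255.255.255.0`) while the host side later uses `192.168.2.2/30`; pick one prefix length and use it on both ends.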
Line 144: Line 134:
Work in progress... == Reboot ==
Line 146: Line 136:
 * '''Setup'''
  * '''Basic Setup'''
   * '''WAN Setup'''
    * '''WAN Connection Type'''
     * '''Connection Type:''' Disabled
    * '''Optional Settings'''
     * '''Router Name:''' ''(enter the short hostname)''
     * '''Hostname:''' ''(reenter the short hostname)''
     * '''Domain Name:''' ''yuggoth.org''
     * '''STP:''' Enable
   * '''Network Setup'''
    * '''Router IP'''
     * '''Subnet Mask:''' ''255.255.255.224''
     * '''Gateway:''' ''172.23.5.1''
     * '''Local DNS:''' ''172.23.5.36''
    * '''WAN Port'''
     * '''Assign WAN Port to Switch:''' Yes
    * '''Network Address Server Settings (DHCP)'''
     * '''DHCP Server:''' Disable
    * '''Time Settings'''
     * '''Time Zone:''' UTC
     * '''Summer Time (DST):''' none
     * '''Server IP/Name:''' ''ntp.yuggoth.org''
   * '''Apply Settings:''' click
  * '''VLANs'''
   * '''Virtual Local Area Network (VLAN)'''
    * '''VLAN'''
     * '''VLAN 1 Assigned To Bridge:''' LAN
     * '''VLAN 2 Assigned To Bridge:''' None
     * '''Port W:''' Tagged (no native VLAN)
     * '''Port 1:''' VLAN 1 (access/no tagging)
     * '''Port 2:''' Tagged (no native VLAN)
     * '''Port 3:''' Tagged (no native VLAN)
     * '''Port 4:''' Tagged (native VLAN 1)
   * '''Apply Settings:''' click
  * '''Networking'''
   * '''Port Setup'''
    * '''Port Setup'''
     * '''WAN Port Assignment:''' Disabled
     * '''Network Configuration eth0:''' Unbridged
      * '''Masquerade / NAT:''' Disabled
{{{
root@DD-WRT:~# reboot
root@DD-WRT:~# Connection to 192.168.1.1 closed by remote host.
Connection to 192.168.1.1 closed.
}}}

== Connect Through The Management VLAN ==

{{{
fungi@tsathoggua:~$ sudo ip link add link eth0 name eth0.9 type vlan id 9
fungi@tsathoggua:~$ sudo ip link set up dev eth0.9
fungi@tsathoggua:~$ sudo ip address add 192.168.2.2/30 dev eth0.9
fungi@tsathoggua:~$ ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@192.168.2.1
Warning: Permanently added '192.168.2.1' (RSA) to the list of known hosts.
DD-WRT v24-sp2 std (c) 2012 NewMedia-NET GmbH
Release: 12/31/12 (SVN revision: 20453)
root@192.168.2.1's password: somepassword
==========================================================
 
 ____ ___ __ ______ _____ ____ _ _
 | _ \| _ \ \ \ / / _ \_ _| __ _|___ \| || |
 || | || ||____\ \ /\ / /| |_) || | \ \ / / __) | || |_
 ||_| ||_||_____\ V V / | _ < | | \ V / / __/|__ _|
 |___/|___/ \_/\_/ |_| \_\|_| \_/ |_____| |_|
 
                       DD-WRT v24-sp2
                   http://www.dd-wrt.com
 
==========================================================


BusyBox v1.20.2 (2012-12-31 04:45:18 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.

root@DD-WRT:~#
}}}

== Remove Old Management Access ==

...still in progress...
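Review bot: the removed Basic Setup block (router name and hostname, domain `yuggoth.org`, STP Enable, gateway `172.23.5.1`, local DNS `172.23.5.36`, DHCP Server Disable, NTP `ntp.yuggoth.org`, and the per-port VLAN tagging table) has no replacement in the added Reboot and Connect Through The Management VLAN sections, so after this revision the page no longer records those settings anywhere; either add their `nvram set` equivalents or state under Remove Old Management Access that they are still to be documented.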

This page documents the details of how the core switching infrastructure is built, in case it needs to be redone in the future.

Highlights

Some random notes on the core switch build and configuration...

  • two Cisco/Linksys E4200 v1 (not v2) for redundant operation and a third as a cold spare
  • higher-capacity 5A power supplies for each (radio dropouts are suspected to be due to under-specified factory supplies)
  • remove the original housings and solder serial connectors to the boards for out-of-band access
  • add heatsinks and thermal adhesive for the switch chips (similarly, stability issues are thought to come from overheating)
  • DD-WRT standard instead of mini (because it adds IPv6 and SNMP support)
  • custom switch driver to allow 802.1q VLAN tag remapping
  • with modern Iceweasel/Firefox use Web Developer -> Get More Tools and install the Web Developer Extension, then after restarting use Web Developer Extension -> Miscellaneous -> Clear Private Data -> Clear HTTP Authentication to clear HTTP Basic Auth credentials after changing DD-WRT management passwords (otherwise any attempt to Save/Apply changes just produces an error or a blank page)
  • beer (yes, it is necessary to the process)

Firmware Installation

First perform these steps on each device to get the hardware up on the current DD-WRT firmware with desired features...

  1. perform a 30/30/30 hard reset to make sure it's at factory defaults (note this is using the recessed red reset button, not the protruding blue one for WDS)
  2. plug your machine's wired interface into the Ethernet 4 port, set the interface to a static address of 192.168.1.2 and make sure you can reach the device over it at 192.168.1.1 (sudo ip address add 192.168.1.2/30 dev eth0 ; sudo ip link set up dev eth0 ; ping -c1 192.168.1.1 >/dev/null ; ip neighbor show dev eth0)
  3. connect to the management WebUI (initial login is a username of root with the password admin)
  4. upgrade the flash with a trailed E4200 mini build like dd-wrt.v24-18777_NEWD-2_K2.6_mini-e4200.bin (the Cisco/Linksys firmware updater looks for special headers, so this is the first in a two-stage load)
  5. wait five minutes to make sure everything's booted and written to NVRAM (now is a good time to grab a beer)
  6. perform another 30/30/30 to make sure any configuration artifacts are reset to the defaults for this build
  7. confirm the DD-WRT password reset page is displayed
  8. set root/admin as the new login (yes, I know that's the same as the old login)
  9. backup the CFE as hostname_cfe.bin (it embeds the original interface MAC so you want one archived for each device) and stash it somewhere for long term safekeeping (see here for details)
  10. upgrade flash with a more featureful NV60K build like dd-wrt.v24-20453_NEWD-2_K2.6_std_usb_nas-nv60k.bin (this adds IPv6 and SNMP support, which we'll want)
  11. wait an additional five minutes (and grab another beer if you like)
  12. perform yet another 30/30/30
  13. wait five more minutes (another beer... why not?)
  14. confirm the password reset page is displayed and Firmware: DD-WRT v24-sp2 (12/31/12) std-usb-nas shows in the top-right corner
  15. set root/admin as the new login again (if you've managed not to brick it, congrats... celebrate your success with more beer)

Initial Configuration

After sobering up a bit, set these basic configuration options that deviate from the factory defaults...

Replace Telnet And HTTP With SSH And HTTPS

fungi@tsathoggua:~$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.

DD-WRT v24-sp2 std (c) 2012 NewMedia-NET GmbH
Release: 12/31/12 (SVN revision: 20453)

DD-WRT login: root
Password: admin
==========================================================
 
 ____  ___    __        ______ _____         ____  _  _ 
 | _ \| _ \   \ \      / /  _ \_   _| __   _|___ \| || | 
 || | || ||____\ \ /\ / /| |_) || |   \ \ / / __) | || |_ 
 ||_| ||_||_____\ V  V / |  _ < | |    \ V / / __/|__   _| 
 |___/|___/      \_/\_/  |_| \_\|_|     \_/ |_____|  |_| 
 
                       DD-WRT v24-sp2
                   http://www.dd-wrt.com
 
==========================================================


BusyBox v1.20.2 (2012-12-31 04:45:18 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.

root@DD-WRT:~# nvram set sshd_enable=1
root@DD-WRT:~# startservice sshd
root@DD-WRT:~# nvram set https_enable=1
root@DD-WRT:~# nvram set http_enable=0
root@DD-WRT:~# startstop httpd
root@DD-WRT:~# nvram set telnetd_enable=0
root@DD-WRT:~# stopservice telnetd
Connection closed by foreign host.
fungi@tsathoggua:~$ ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@192.168.1.1
Warning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.
DD-WRT v24-sp2 std (c) 2012 NewMedia-NET GmbH
Release: 12/31/12 (SVN revision: 20453)
root@192.168.1.1's password: admin
==========================================================
 
 ____  ___    __        ______ _____         ____  _  _ 
 | _ \| _ \   \ \      / /  _ \_   _| __   _|___ \| || | 
 || | || ||____\ \ /\ / /| |_) || |   \ \ / / __) | || |_ 
 ||_| ||_||_____\ V  V / |  _ < | |    \ V / / __/|__   _|
 |___/|___/      \_/\_/  |_| \_\|_|     \_/ |_____|  |_| 
 
                       DD-WRT v24-sp2
                   http://www.dd-wrt.com
 
==========================================================


BusyBox v1.20.2 (2012-12-31 04:45:18 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.

root@DD-WRT:~# nvram commit
root@DD-WRT:~# 

Change Passwords

root@DD-WRT:~# setuserpasswd root somepassword
root@DD-WRT:~# setpasswd root somepassword

Add A JFFS2 Filesystem

root@DD-WRT:~# nvram set clean_jffs2=1
root@DD-WRT:~# nvram set enable_jffs2=1
root@DD-WRT:~# nvram set sys_clean_jffs2=1
root@DD-WRT:~# nvram set sys_enable_jffs2=1
root@DD-WRT:~# nvram commit

Use A Management VLAN

root@DD-WRT:~# nvram set rc_firewall="iptables -I INPUT 2 -i vlan9 -j ACCEPT"
root@DD-WRT:~# nvram set rc_startup="ifconfig vlan9 192.168.2.1 netmask 255.255.255.0"
root@DD-WRT:~# nvram set vlan1ports="0 1 2 8"
root@DD-WRT:~# nvram set vlan9hwname=et0
root@DD-WRT:~# nvram set vlan9ports="3t 8*"
root@DD-WRT:~# nvram commit
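A wrong vlanNports map committed on the switch that carries the management session can lock you out until the next 30/30/30, so it is worth sanity-checking the maps before nvram commit. The POSIX shell check below is an added example, not part of this page or of DD-WRT; the Broadcom port syntax it assumes (N untagged, Nt tagged, 8 the CPU port, trailing * the PVID marker) and the sample maps are taken from the commands above, and the management VLAN id is passed in as the first argument.

```shell
#!/bin/sh
# Sanity-check DD-WRT (Broadcom robo switch) vlanNports maps before commit.
# Added example for this page, not part of the original or of DD-WRT.
# Token syntax assumed: N = untagged member, Nt = tagged member,
# 8 = CPU port, trailing * = PVID marker (ignored here).

# Print one "port:mode" token per member of a vlanNports string (mode u/t).
vlan_members() {
    for tok in $1; do
        port=$(printf '%s' "$tok" | tr -cd '0-9')
        case $tok in
            *t*) echo "$port:t" ;;
            *)   echo "$port:u" ;;
        esac
    done
}

# check_vlan_map MGMT_VID "vid=ports" ...   -> 0 if sane, 1 if a rule fails.
# Rules: every VLAN carries CPU port 8; a physical port is an untagged member
# of at most one VLAN (two memberships silently bridge those VLANs); and the
# management VLAN has no untagged physical port, i.e. it is reachable only
# over the tagged trunk, as on this page (vlan9ports="3t 8*").
check_vlan_map() {
    mgmt=$1; shift
    rc=0; seen=" "
    for spec in "$@"; do
        vid=${spec%%=*}; ports=${spec#*=}; cpu=0
        for m in $(vlan_members "$ports"); do
            port=${m%%:*}; mode=${m#*:}
            if [ "$port" = 8 ]; then cpu=1; continue; fi
            [ "$mode" = u ] || continue
            case $seen in *" $port "*)
                echo "port $port is untagged in two VLANs (again in vlan$vid)"; rc=1 ;;
            esac
            seen="$seen$port "
            if [ "$vid" = "$mgmt" ]; then
                echo "vlan$vid: untagged port $port on the management VLAN"; rc=1
            fi
        done
        if [ $cpu != 1 ]; then echo "vlan$vid: CPU port 8 missing"; rc=1; fi
    done
    return $rc
}

# The page's map passes; a mistyped vlan9ports="3 8*" (port 3 untagged on
# the management VLAN) is rejected with a reason.
check_vlan_map 9 "1=0 1 2 8" "9=3t 8*" && echo "vlan map OK"
check_vlan_map 9 "1=0 1 2 8" "9=3 8*" || echo "vlan map rejected"
```

Run it on the host with the output of `nvram get vlan1ports` and `nvram get vlan9ports` substituted in; a nonzero exit means at least one rule failed and the commit should wait.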

Reboot

root@DD-WRT:~# reboot
root@DD-WRT:~# Connection to 192.168.1.1 closed by remote host.
Connection to 192.168.1.1 closed.

Connect Through The Management VLAN

fungi@tsathoggua:~$ sudo ip link add link eth0 name eth0.9 type vlan id 9
fungi@tsathoggua:~$ sudo ip link set up dev eth0.9
fungi@tsathoggua:~$ sudo ip address add 192.168.2.2/30 dev eth0.9
fungi@tsathoggua:~$ ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@192.168.2.1
Warning: Permanently added '192.168.2.1' (RSA) to the list of known hosts.
DD-WRT v24-sp2 std (c) 2012 NewMedia-NET GmbH
Release: 12/31/12 (SVN revision: 20453)
root@192.168.2.1's password: somepassword
==========================================================
 
 ____  ___    __        ______ _____         ____  _  _ 
 | _ \| _ \   \ \      / /  _ \_   _| __   _|___ \| || | 
 || | || ||____\ \ /\ / /| |_) || |   \ \ / / __) | || |_ 
 ||_| ||_||_____\ V  V / |  _ < | |    \ V / / __/|__   _| 
 |___/|___/      \_/\_/  |_| \_\|_|     \_/ |_____|  |_| 
 
                       DD-WRT v24-sp2
                   http://www.dd-wrt.com
 
==========================================================


BusyBox v1.20.2 (2012-12-31 04:45:18 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.

root@DD-WRT:~#

Remove Old Management Access

...still in progress...

CCL: Configuration/CoreSwitching (last edited 2014-08-31 23:32:39 by fungi)

CC0 To the extent possible under law, the creator of this work has waived all copyright and related or neighboring rights to it.