This documents details of how the core switching infrastructure is built, in case it needs to be redone in the future.

Highlights

Some random notes on the core switch build and configuration...

• two Cisco/Linksys E4200 v1 for redundant operation and a third as a cold spare

• higher-capacity 5A power supplies for each (radio dropouts are suspected to be due to under-specified factory supplies)
• remove the original housings and add heatsinks and thermal adhesive for the switch chips (similarly, stability issues are thought to come from overheating)

• DD-WRT standard instead of mini (because it adds IPv6 and SNMP support)

• custom switch driver to allow 802.1q VLAN tag remapping

• with modern Iceweasel/Firefox use Web Developer -> Get More Tools and install the Web Developer Extension, then after restarting use Web Developer Extension -> Miscellaneous -> Clear Private Data -> Clear HTTP Authentication to clear HTTP Basic Auth credentials after changing DD-WRT management passwords (otherwise any attempts to Save/Apply changes just go to a failure error or blank page)

• beer (yes, it is necessary to the process)

Firmware Installation

First perform these steps on each device to get the hardware up on the current DD-WRT firmware with desired features...

1. perform a 30/30/30 hard reset to make sure it's at factory defaults (note this is using the recessed red reset button, not the protruding blue one for WDS)

2. plug your machine's wired interface into the Ethernet 4 port

3. set the interface to a static address of 192.168.1.2 and make sure you can reach the device at 192.168.1.1 (sudo ip address add 192.168.1.2/30 dev eth0 ; sudo ip link set up dev eth0 ; ping -c1 192.168.1.1 >/dev/null ; ip neighbor show dev eth0)

4. connect to the management WebUI (initial login is a username of root with the password admin)

5. upgrade the flash with a trailed E4200 mini build like dd-wrt.v24-18777_NEWD-2_K2.6_mini-e4200.bin (the Cisco/Linksys firmware updater looks for special headers, so this is the first in a two-stage load)

6. wait five minutes to make sure everything's booted and written to NVRAM (now is a good time to grab a beer)

7. perform another 30/30/30 to make sure any configuration artifacts are reset to the defaults for this build

8. confirm the DD-WRT password reset page is displayed

9. set root/admin as the new login (yes, I know that's the same as the old login)

10. backup the CFE as hostname_cfe.bin (it embeds the original interface MAC so you want one archived for each device) and stash it somewhere for long term safekeeping (see here for details)

11. upgrade flash with a more featureful NV60K build like dd-wrt.v24-20453_NEWD-2_K2.6_std_usb_nas-nv60k.bin (this adds IPv6 and SNMP support, which we'll want)

12. wait an additional five minutes (and grab another beer if you like)

13. perform yet another 30/30/30

14. wait five more minutes (another beer... why not?)

15. confirm password reset page is displayed and Firmware: DD-WRT v24-sp2 (12/31/12) std-usb-nas shows in the top-right corner

16. set root/admin as the new login again (if you've managed not bricking it, congrats... celebrate your success with more beer)

Initial Configuration

After sobering up a bit, set these basic configuration options which deviate from the factory default configuration settings...

Replace Telnet With SSH

fungi@tsathoggua:~$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.

DD-WRT v24-sp2 std (c) 2012 NewMedia-NET GmbH
Release: 12/31/12 (SVN revision: 20453)

DD-WRT login: root
Password: admin
==========================================================
 
 ____  ___    __        ______ _____         ____  _  _ 
 | _ \| _ \   \ \      / /  _ \_   _| __   _|___ \| || | 
 || | || ||____\ \ /\ / /| |_) || |   \ \ / / __) | || |_ 
 ||_| ||_||_____\ V  V / |  _ < | |    \ V / / __/|__   _| 
 |___/|___/      \_/\_/  |_| \_\|_|     \_/ |_____|  |_| 
 
                       DD-WRT v24-sp2
                   http://www.dd-wrt.com
 
==========================================================


BusyBox v1.20.2 (2012-12-31 04:45:18 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.

root@DD-WRT:~# nvram set sshd_enable=1
root@DD-WRT:~# nvram set telnetd_enable=0
root@DD-WRT:~# startservice sshd
root@DD-WRT:~# stopservice telnetd
Connection closed by foreign host.
fungi@tsathoggua:~$ ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@192.168.1.1
Warning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.
DD-WRT v24-sp2 std (c) 2012 NewMedia-NET GmbH
Release: 12/31/12 (SVN revision: 20453)
root@192.168.1.1's password: admin
==========================================================
 
 ____  ___    __        ______ _____         ____  _  _ 
 | _ \| _ \   \ \      / /  _ \_   _| __   _|___ \| || | 
 || | || ||____\ \ /\ / /| |_) || |   \ \ / / __) | || |_ 
 ||_| ||_||_____\ V  V / |  _ < | |    \ V / / __/|__   _|
 |___/|___/      \_/\_/  |_| \_\|_|     \_/ |_____|  |_| 
 
                       DD-WRT v24-sp2
                   http://www.dd-wrt.com
 
==========================================================


BusyBox v1.20.2 (2012-12-31 04:45:18 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.

root@DD-WRT:~# 

Change Passwords

root@DD-WRT:~# setuserpasswd root somepassword
root@DD-WRT:~# setpasswd root somepassword

Turn Off Both Radios

root@DD-WRT:~# wl -i eth1 radio off
root@DD-WRT:~# wl -i eth2 radio off

Reboot

root@DD-WRT:~# reboot
root@DD-WRT:~# Connection closed by foreign host.

Disable Both Radios

We'll turn them back on later once we configure appropriate security...

• Wireless

  • Basic Settings

    • Wireless Physical Interface wl0 [2.4 GHz]

      • Physical Interface wl0 - SSID [dd-wrt] HWAddr [FE:DC:BA:98:76:54]

        • Wireless Network Mode: Disabled

    • Wireless Physical Interface wl1 [2.4/5 GHz]

      • Physical Interface wl1 - SSID [dd-wrt] HWAddr [01:23:45:67:89:AB]

        • Wireless Network Mode: Disabled

    • Apply Settings: click

Trunked Management Interface

We ultimately want to manage this on a specific VLAN over a trunk and disable the default management interface...

• Setup

  • Networking

    • Bridging

      • Create Bridge

        • Add: click

        • Bridge 1: man

    • Apply Settings: click

    • Bridging

      • Create Bridge

        • Bridge 1

          • IP Address: 172.23.5.(whatever the last octet of this one is going to be)

          • Subnet Mask: 255.255.255.224

    • Apply Settings: click

• Administration

  • Management

    • Reboot Router: click

• Setup

  • Networking

    • Bridging

      • Assign to Bridge

        • Add: click

        • Assignment 0:

Stuff

• Setup

  • Basic Setup

    • WAN Setup

      • WAN Connection Type

        • Connection Type: Disabled

      • Optional Settings

        • Router Name: (enter the short hostname)

        • Hostname: (reenter the short hostname)

        • Domain Name: yuggoth.org

        • STP: Enable

    • Network Setup

      • Router IP

        • Subnet Mask: 255.255.255.224

        • Gateway: 172.23.5.1

        • Local DNS: 172.23.5.36

      • WAN Port

        • Assign WAN Port to Switch: Yes

      • Network Address Server Settings (DHCP)

        • DHCP Server: Disable

      • Time Settings

        • Time Zone: UTC

        • Summer Time (DST): none

        • Server IP/Name: ntp.yuggoth.org

    • Apply Settings: click

  • VLANs

    • Virtual Local Area Network (VLAN)

      • VLAN

        • VLAN 1 Assigned To Bridge: LAN

        • VLAN 2 Assigned To Bridge: None

        • Port W: Tagged (no native VLAN)

        • Port 1: VLAN 1 (access/no tagging)

        • Port 2: Tagged (no native VLAN)

        • Port 3: Tagged (no native VLAN)

        • Port 4: Tagged (native VLAN 1)

    • Apply Settings: click

  • Networking

    • Port Setup

      • Port Setup

        • WAN Port Assignment: Disabled

        • Network Configuration eth0: Unbridged

          • Masquerade / NAT: Disabled