Difference between revisions of "Hout Bay"
(Initial Ubiquiti customisations doc) |
(Ubiquiti customisations) |
||
| Line 170: | Line 170: | ||
==Ubiquiti Customisations== | ==Ubiquiti Customisations== | ||
| − | We use a number of Ubiquiti customisations to make things run smoother on HBWUG. The following instructions are intended for wuggers with some networking and Unix knowledge. | + | We use a number of Ubiquiti customisations to make things run smoother on HBWUG. The following instructions are intended for wuggers with some networking and Unix knowledge. Most of the changes below need to be done on the command line of your device via SSH. |
| − | ===Step 1: Setup shell profile=== | + | ===Step 1: Load OSPF firmware=== |
| − | This is primarily a cosmetic improvement, but a very useful one. | + | This requires custom Ubiquiti firmware. Either obtain a precompiled image from Aragon or build one yourself by following: [[Adding OSPF support to Ubiquiti devices]]. |
| + | |||
| + | Load the firmware to your device using the "Update" function in the web interface. Once its loaded and your device has rebooted with the new firmware, continue to the next step. | ||
| + | |||
| + | ===Step 2: Setup shell profile=== | ||
| + | From this point on do NOT reboot your device again until you've completed step 5. | ||
| + | |||
| + | This is primarily a cosmetic improvement, but a very useful one. Create '''/etc/persistent/profile''' with contents: | ||
<pre> | <pre> | ||
| Line 179: | Line 186: | ||
</pre> | </pre> | ||
| − | ===Step | + | ===Step 3: Setup BIRD=== |
| − | + | Create a BIRD configuration in '''/etc/persistent/bird4.conf''' with contents: | |
| − | |||
| − | |||
<pre> | <pre> | ||
| Line 238: | Line 243: | ||
===Step 3: Create firewall script=== | ===Step 3: Create firewall script=== | ||
| − | Ubiquiti devices run Linux and use [http://linux.die.net/man/8/iptables iptables] for firewalling. Unfortunately | + | Ubiquiti devices run Linux and use [http://linux.die.net/man/8/iptables iptables] for firewalling. Unfortunately Ubiquiti's web interface to iptables is very limited, so in order to run a more advanced firewall we add a custom firewall script. |
| − | Create '''/etc/persistent/rc.firewall''' with | + | Create '''/etc/persistent/rc.firewall''' with contents: |
<pre> | <pre> | ||
| Line 265: | Line 270: | ||
* Enable the firewall in the web interface of your device. | * Enable the firewall in the web interface of your device. | ||
| − | * Configure your DC client as shown [[#File_Sharing| | + | * Configure your DC client as shown [[#File_Sharing|above]]. |
| + | |||
| + | The above is a starting point that will work for most wuggers. Modify it as you need if you understand [http://linux.die.net/man/8/iptables iptables]. | ||
===Step 4: Create boot time HBWUG scripts=== | ===Step 4: Create boot time HBWUG scripts=== | ||
| − | This step creates the necessary boot time code that allows | + | This step creates the necessary boot time code that allows steps 2 and 3 to work. Create the following files: |
'''/etc/persistent/config.php''': | '''/etc/persistent/config.php''': | ||
| Line 292: | Line 299: | ||
OSPFDEFROUTE=1 | OSPFDEFROUTE=1 | ||
</pre> | </pre> | ||
| + | |||
'''/etc/persistent/rc.hbwug''': | '''/etc/persistent/rc.hbwug''': | ||
| Line 339: | Line 347: | ||
esac | esac | ||
</pre> | </pre> | ||
| + | |||
'''/etc/persistent/rc.poststart''': | '''/etc/persistent/rc.poststart''': | ||
| Line 344: | Line 353: | ||
/etc/persistent/rc.hbwug start | /etc/persistent/rc.hbwug start | ||
</pre> | </pre> | ||
| + | |||
'''/etc/persistent/rc.prestop''': | '''/etc/persistent/rc.prestop''': | ||
| Line 349: | Line 359: | ||
/etc/persistent/rc.hbwug stop | /etc/persistent/rc.hbwug stop | ||
</pre> | </pre> | ||
| + | |||
| + | ===Step 5: Finishing touches=== | ||
| + | Run the following commands from within '''/etc/persistent''': | ||
| + | |||
| + | <pre> | ||
| + | chmod +x config.php rc.hbwug | ||
| + | save | ||
| + | </pre> | ||
| + | |||
| + | All done! When you reboot your router the changes you made should take effect. | ||
Revision as of 19:55, 30 January 2011
Contents
Hout Bay WUG
The Hout Bay WUG is a historic name for what is now the Hout Bay area on CTWUG. It started life in March 2010 as a Hout Bay specific WUG, disconnected from CTWUG due to geographic hurdles in connecting. On 23 December 2010 it was connected to CTWUG via its only peer, Kommetjie, which established a link to the Noordhoek and Fishoek areas. This Wiki entry is just a knowledge base specific to our area.
Meet the Hout Bay Wuggers
| Name | Nodes | |
|---|---|---|
| Aragon | Kush | |
| Armand | DarkStar | DeathStarCanteen |
| Cobus | TROPiX | |
| David | HitmanV | |
| Denis | d3nis | |
| Georg | Slangkop | Riverside |
| James | Komskom | |
| Luke | FinkNode | |
| Myles | MiloNode | |
| Richard | ClearV | |
Network Layout
IP Addresses
| Network | Status | Allocated To | Function |
|---|---|---|---|
| 172.18.87.0/26 | Active | HBWUG | Backbone |
| 172.18.87.64/27 | Active | Georg | Home LAN |
| 172.18.87.96/28 | Active | Luke | Home LAN |
| 172.18.87.112/28 | Unallocated | ||
| 172.18.87.128/28 | Active | Aragon | Home LAN |
| 172.18.87.144/28 | Active | Armand | Second Home LAN |
| 172.18.87.160/28 | Active | James | Home LAN |
| 172.18.87.176/28 | Active | Richard | Home LAN |
| 172.18.87.192/28 | Active | Myles | Home LAN |
| 172.18.87.208/28 | Active | Armand | Home LAN |
| 172.18.87.224/28 | Active | David | Home LAN |
| 172.18.87.240/29 | Active | Cobus | Home LAN |
| 172.18.87.248/29 | Unallocated | ||
| 172.18.88.0/24 | Unallocated |
Network Services
| Address | Protocol | Admin |
|---|---|---|
| 172.18.87.1 | DNS | Aragon |
| adc://hub.aragon.ctwug.za.net:1511 | ADC | Aragon |
| mumble://mumble.aragon.ctwug.za.net | Mumble | Aragon |
| minecraft.hbwug:25565 | MineCraft | Georg |
File Sharing
We use ADC for sharing files on the WUG. You will need an ADC 1.0 compliant client to participate, and we recommend EisKaltDC. Once installed use the following connection settings:
- Mode: Active
- TCP Port: 2222
- UDP Port: 2222
- TLS Port: 2223
Make sure those ports are open on your respective firewalls (the above AirOS firewall script leaves those ports open).
Then just add the ADC hub listed in Network Services above to your favourites.
Ubiquiti Customisations
We use a number of Ubiquiti customisations to make things run smoother on HBWUG. The following instructions are intended for wuggers with some networking and Unix knowledge. Most of the changes below need to be done on the command line of your device via SSH.
Step 1: Load OSPF firmware
This requires custom Ubiquiti firmware. Either obtain a precompiled image from Aragon or build one yourself by following: Adding OSPF support to Ubiquiti devices.
Load the firmware to your device using the "Update" function in the web interface. Once its loaded and your device has rebooted with the new firmware, continue to the next step.
Step 2: Setup shell profile
From this point on do NOT reboot your device again until you've completed step 5.
This is primarily a cosmetic improvement, but a very useful one. Create /etc/persistent/profile with contents:
PS1='\[\e]1;\h-term\a\e]2;\h:\w\a\]\h\$ '
Step 3: Setup BIRD
Create a BIRD configuration in /etc/persistent/bird4.conf with contents:
log stderr all;
router id 0.0.0.0;
filter ospfin {
if gw ~ 172.18.87.0/26 then {
if net ~ 172.18.87.0/24 then accept;
if net ~ 172.18.88.0/24 then accept;
}
if gw = 172.18.87.20 then {
if net ~ 172.16.0.0/12 then accept;
}
if gw = 172.18.87.1 then {
if net = 0.0.0.0/0 then accept;
}
reject;
}
protocol kernel {
persist;
learn;
description "kernel";
scan time 300;
import none;
export all;
}
protocol device {
scan time 300;
}
protocol ospf wug {
tick 1;
import filter ospfin;
export all;
description "WUG";
area 0.0.0.0 {
interface "ath0" {
cost 10;
hello 10;
retransmit 20;
type broadcast;
authentication none;
};
interface "eth0" {
cost 10;
type broadcast;
stub;
};
};
}
Step 3: Create firewall script
Ubiquiti devices run Linux and use iptables for firewalling. Unfortunately Ubiquiti's web interface to iptables is very limited, so in order to run a more advanced firewall we add a custom firewall script.
Create /etc/persistent/rc.firewall with contents:
DCPORT="2222"
iptables -F FIREWALL
iptables -A FIREWALL --protocol icmp -j ACCEPT
iptables -A FIREWALL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FIREWALL -i ath0 --dst ${WLANIP} -m state --state NEW -j ACCEPT
iptables -A FIREWALL -i ath0 --dst ${WLANIP} --protocol ospf -m state --state NEW -j ACCEPT
iptables -A FIREWALL -i ath0 --dst 224.0.0.5/32 --protocol ospf -m state --state NEW -j ACCEPT
iptables -A FIREWALL -i ath0 --dst 224.0.0.6/32 --protocol ospf -m state --state NEW -j ACCEPT
iptables -A FIREWALL -i ath0 --dst 224.0.0.22/32 --protocol igmp -m state --state NEW -j ACCEPT
iptables -A FIREWALL -i ath0 --dst ${LOCALNET} --protocol tcp --dport ${DCPORT} -m state --state NEW -j ACCEPT
iptables -A FIREWALL -i ath0 --dst ${LOCALNET} --protocol tcp --dport $((${DCPORT}+1)) -m state --state NEW -j ACCEPT
iptables -A FIREWALL -i ath0 --dst ${LOCALNET} --protocol udp --dport ${DCPORT} -m state --state NEW -j ACCEPT
iptables -A FIREWALL -i ath0 --dst ${LOCALNET} --protocol udp --dport 33434:65535 -m state --state NEW -j ACCEPT
iptables -A FIREWALL -i ath0 --protocol tcp -j REJECT --reject-with tcp-reset
iptables -A FIREWALL -i ath0 --dst 255.255.255.255 --protocol udp --dport 5678 -j DROP
iptables -A FIREWALL -i ath0 -j REJECT
Also remember to:
- Enable the firewall in the web interface of your device.
- Configure your DC client as shown above.
The above is a starting point that will work for most wuggers. Modify it as you need if you understand iptables.
Step 4: Create boot time HBWUG scripts
This step creates the necessary boot time code that allows steps 2 and 3 to work. Create the following files:
/etc/persistent/config.php:
#!/bin/cgi -q
<?
chdir("/usr/www");
include("lib/settings.inc");
$cfg = @cfg_load($cfg_file);
if ($cfg == -1) { exit; }
$netmode = cfg_get($cfg, "netmode");
$fwstatus = cfg_get($cfg, "iptables.status");
$lannet = cfg_get($cfg, "netconf.1.ip") + "/" + cfg_get($cfg, "netconf.1.netmask");
$wlanip = cfg_get($cfg, "netconf.2.ip");
$bridgeip = cfg_get($cfg, "netconf.3.ip");
echo("NETMODE=\"$netmode\"\n");
echo("FWSTATUS=\"$fwstatus\"\n");
echo("LOCALNET=\"$lannet\"\n");
echo("WLANIP=\"$wlanip\"\n");
echo("BRIDGEIP=\"$bridgeip\"\n");
?>
BIRDENABLE=1
OSPFDEFROUTE=1
/etc/persistent/rc.hbwug:
#!/bin/sh
eval "$(/etc/persistent/config.php)"
PATH=${PATH}:/sbin
case "$1" in
start)
echo "HBWUG startup"
STARTBIRD=0
[ -z "${BIRDENABLE}" ] && BIRDENABLE=0
[ -z "${OSPFDEFROUTE}" ] && OSPFDEFROUTE=0
BIRDCONF=/etc/persistent/bird4.conf
FWCONF=/etc/persistent/rc.firewall
if [ "${NETMODE}" = "router" ]; then
for f in /proc/sys/net/ipv4/conf/*; do
echo 1 >${f}/accept_redirects
echo 1 >${f}/send_redirects
done
if [ "${FWSTATUS}" = "enabled" -a -e ${FWCONF} ]; then
. ${FWCONF}
fi
if [ ${BIRDENABLE} -eq 1 -a -e ${BIRDCONF} -a -n "${WLANIP}" ]; then
sed -i -e "/^router id/ c router id ${WLANIP};" ${BIRDCONF}
STARTBIRD=1
fi
elif [ "${NETMODE}" = "bridge" ]; then
if [ ${BIRDENABLE} -eq 1 -a -e ${BIRDCONF} -a -n "${BRIDGEIP}" ]; then
sed -i -e "/^router id/ c router id ${BRIDGEIP};" ${BIRDCONF}
STARTBIRD=1
fi
fi
if [ ${STARTBIRD} -eq 1 ]; then
if [ ${OSPFDEFROUTE} -eq 1 ]; then
route delete -net 0.0.0.0/0
fi
/usr/bin/bird4.init start
fi
;;
stop)
echo "HBWUG shutdown"
/usr/bin/bird4.init stop
;;
esac
/etc/persistent/rc.poststart:
/etc/persistent/rc.hbwug start
/etc/persistent/rc.prestop:
/etc/persistent/rc.hbwug stop
Step 5: Finishing touches
Run the following commands from within /etc/persistent:
chmod +x config.php rc.hbwug save
All done! When you reboot your router the changes you made should take effect.
