Latest revision as of 17:41, 7 July 2012

Hout Bay WUG

The Hout Bay WUG is a historic name for what is now the Hout Bay area on CTWUG. It started life in March 2010 as a Hout Bay specific WUG, disconnected from CTWUG due to geographic hurdles in connecting. On 23 December 2010 it was connected to CTWUG via Kommetjie, Noordhoek and Fishoek areas. This Wiki entry is just a knowledge base specific to our area.

Meet the Hout Bay Wuggers

Network Services

File Sharing

We use ADC for sharing files on HBWUG. You will need an ADC 1.0 compliant client to participate. CTWUG's WugDC++ is compatible, but EiskaltDC is another recommended option. If using EiskaltDC, configure the connection settings as follows:

• Mode: Active
• TCP Port: 2222
• UDP Port: 2222
• TLS Port: 2223

Make sure those ports are open on your respective firewalls, especially the Windows firewall and any anti-virus firewalls.

Then just add the ADC hub listed in Network Services above to your favourites.

Ubiquiti Customisations

We use a number of Ubiquiti customisations to make things run smoother on HBWUG. The following instructions are intended for wuggers with some networking and Unix knowledge. Most of the changes below need to be done on the command line of your device via SSH.

Step 1: Load OSPF firmware

This requires custom Ubiquiti firmware. Either obtain a precompiled image from Aragon or build one yourself by following: Adding OSPF support to Ubiquiti devices.

Load the firmware to your device using the "Update" function in the web interface. Once its loaded and your device has rebooted with the new firmware, continue to the next step.

Step 2: Setup shell profile

From this point on do NOT reboot your device again until you've completed step 5.

Create /etc/persistent/profile with contents:

PS1='\[\e]1;\h-term\a\e]2;\h:\w\a\]\h\$ '
alias reload='/etc/persistent/rc.ctwug reload'

Step 3: Setup BIRD

Create a BIRD configuration script in /etc/persistent/bird4.conf.sh with contents:

mkbirdconf () {
	cat >${BIRDCONF} <<_EOF
log stderr all;
router id ${ROUTERID};

filter ospfin
prefix set hbwug;
ip set hbwuggw;
{
	hbwug = [ 172.18.87.0/24+, 172.18.88.0/24+, 172.18.102.0/23+ ];
	hbwuggw = [ 172.18.87.0, 172.18.102.0 ];
	if net ~ hbwug then {
		if gw.mask(26) ~ hbwuggw then accept;
		reject;
	}
	if net ~ 172.16.0.0/12 then accept;
	reject;
}

protocol kernel {
	persist;
	learn;
	description "kernel";
	scan time 60;
	import none;
	export all;
}

protocol device {
	scan time 60;
}

_EOF

if [ -e ${BIRDCONF}.local ]; then
	cat ${BIRDCONF}.local >>${BIRDCONF}
fi

cat >>${BIRDCONF} <<"_EOF"

protocol ospf wug {
	tick 1;
	description "WUG";
	import filter ospfin;
_EOF
	case ${NETMODE} in
	router)
		cat >>${BIRDCONF} <<"_EOF"
	export all;
	area 0.0.0.0 {
		interface "ath0" {
			cost 10;
			hello 10;
			retransmit 20;
			type broadcast;
			authentication none;
		};
		interface "eth0" {
			cost 10;
			type broadcast;
			stub;
		};
	};
_EOF
		;;
	bridge)
		cat >>${BIRDCONF} <<"_EOF"
	export none;
	area 0.0.0.0 {
		interface "br0" {
			cost 10;
			priority 0;
			hello 10;
			retransmit 20;
			type broadcast;
			authentication none;
		};
	};
_EOF
		;;
	esac
	cat >>${BIRDCONF} <<"_EOF"
}
_EOF
}

Step 4: Create firewall script

Ubiquiti devices run Linux and use iptables for firewalling. Unfortunately Ubiquiti's web interface to iptables is very limited, so in order to run a more advanced firewall we add a custom firewall script.

Create /etc/persistent/rc.firewall with contents:

DCPORT="2222"
TORRENTPORT="7000"

iptables -F FIREWALL
iptables -A FIREWALL --protocol icmp -j ACCEPT
iptables -A FIREWALL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FIREWALL -i ath0 --dst ${WLANIP} -m state --state NEW -j ACCEPT
iptables -A FIREWALL -i ath0 --dst ${WLANIP} --protocol ospf -m state --state NEW -j ACCEPT
iptables -A FIREWALL -i ath0 --dst 224.0.0.5/32 --protocol ospf -m state --state NEW -j ACCEPT
iptables -A FIREWALL -i ath0 --dst 224.0.0.6/32 --protocol ospf -m state --state NEW -j ACCEPT
iptables -A FIREWALL -i ath0 --dst 224.0.0.22/32 --protocol igmp -m state --state NEW -j ACCEPT
iptables -A FIREWALL -i ath0 --dst ${LOCALNET} --protocol tcp --dport ${DCPORT} -m state --state NEW -j ACCEPT
iptables -A FIREWALL -i ath0 --dst ${LOCALNET} --protocol tcp --dport $((${DCPORT}+1)) -m state --state NEW -j ACCEPT
iptables -A FIREWALL -i ath0 --dst ${LOCALNET} --protocol udp --dport ${DCPORT} -m state --state NEW -j ACCEPT
iptables -A FIREWALL -i ath0 --dst ${LOCALNET} --protocol udp --dport ${TORRENTPORT} -m state --state NEW -j ACCEPT
iptables -A FIREWALL -i ath0 --dst ${LOCALNET} --protocol udp --dport 33434:65535 -m state --state NEW -j ACCEPT
iptables -A FIREWALL -i ath0 --protocol tcp -j REJECT --reject-with tcp-reset
iptables -A FIREWALL -i ath0 --dst 255.255.255.255 --protocol udp --dport 5678 -j DROP
iptables -A FIREWALL -i ath0 -j REJECT

The above is a starting point that will work for most wuggers. Modify it as you need if you understand iptables.

Also remember to:

• Enable the firewall in the web interface of your device. (after step 6)
• Configure your DC client as shown above.

Step 5: Create boot time HBWUG scripts

This step creates the necessary boot time code that allows steps 2 and 3 to work. Create the following files:

/etc/persistent/config.php:

#!/bin/cgi -q
<?
chdir("/usr/www");
include("lib/settings.inc");
$cfg = @cfg_load($cfg_file);
if ($cfg == -1) { exit; }
$netmode = cfg_get($cfg, "netmode");
$fwstatus = cfg_get($cfg, "iptables.status");
$lannet = cfg_get($cfg, "netconf.1.ip") + "/" + cfg_get($cfg, "netconf.1.netmask");
$wlanip = cfg_get($cfg, "netconf.2.ip");
$bridgeip = cfg_get($cfg, "netconf.3.ip");
echo("NETMODE=\"$netmode\"\n");
echo("FWSTATUS=\"$fwstatus\"\n");
echo("LOCALNET=\"$lannet\"\n");
echo("WLANIP=\"$wlanip\"\n");
echo("BRIDGEIP=\"$bridgeip\"\n");
?>
BIRDENABLE=1

/etc/persistent/rc.ctwug:

#!/bin/sh

eval "$(/etc/persistent/config.php)"
. /etc/persistent/bird4.conf.sh
PATH=${PATH}:/sbin
BIRDCONF=/etc/persistent/bird4.conf
FWCONF=/etc/persistent/rc.firewall
[ -z "${BIRDENABLE}" ] && BIRDENABLE=0

case "$1" in
start|reload)
	STARTBIRD=0
	STARTFW=0
	if [ "${NETMODE}" = "router" ]; then
		for f in /proc/sys/net/ipv4/conf/*; do
			echo 1 >${f}/accept_redirects
			echo 1 >${f}/send_redirects
		done
		if [ "${FWSTATUS}" = "enabled" -a -e ${FWCONF} ]; then
			STARTFW=1
		fi
		if [ ${BIRDENABLE} -eq 1 -a -n "${WLANIP}" ]; then
			ROUTERID=${WLANIP}
			STARTBIRD=1
		fi
	elif [ "${NETMODE}" = "bridge" ]; then
		if [ ${BIRDENABLE} -eq 1 -a -n "${BRIDGEIP}" ]; then
			ROUTERID=${BRIDGEIP}
			STARTBIRD=1
		fi
	fi
	case "$1" in
	start)
		echo "CTWUG starting"
		;;
	reload)
		echo "CTWUG reloading:"
		case "$2" in
		fw)
			STARTBIRD=0
			;;
		ospf)
			STARTFW=0
			;;
		esac
		;;
	esac
	if [ ${STARTFW} -eq 1 ]; then
		if [ "${1}" = "reload" ]; then
			if [ "${2}" = "fw" -o -z "${2}" ]; then
				echo "  firewall"
			fi
		fi
		. ${FWCONF}
	fi
	if [ ${STARTBIRD} -eq 1 ]; then
		if [ "${1}" = "reload" ]; then
			if [ "${2}" = "ospf" -o -z "${2}" ]; then
				echo "  OSPF"
				/usr/bin/bird4.init stop
			fi
		fi
		mkbirdconf
		sleep 1
		/usr/bin/bird4.init start
	fi
	;;
stop)
	echo "CTWUG shutdown"
	/usr/bin/bird4.init stop
	iptables -F FIREWALL
	;;
esac

/etc/persistent/rc.poststart:

/etc/persistent/rc.ctwug start

/etc/persistent/rc.prestop:

/etc/persistent/rc.ctwug stop

Step 6: Finishing touches

Run the following commands from within /etc/persistent:

chmod +x config.php rc.ctwug
save

All done! When you reboot your router the changes you made should take effect.

Extra: Making changes

If changes need to be made to bird4.conf.sh or rc.firewall, either or both must be reloaded for the changes to take effect.

To reload the firewall ruleset:

reload fw

To reload the OSPF configuration:

reload ospf

Or to reload both:

reload

Once you've tested the changes and are happy, don't forget to save your changes:

save