16 Feb

Optimising LEDE (OpenWrt) for the PC Engines APU2

I'm planning to get an APU2 in the near future; I found this article useful for that project and created a mirror of it here. Credit to the original post.

The PC Engines APU2 is an embedded system based on AMD's Jaguar family of processors. Many people prefer to run pfSense on it, but since the rest of my hardware is already on LEDE, it is easier for me to stick with that; the APU2 will manage a network running other LEDE nodes, with customised images (see my article on UCI defaults for more information on that). To get an idea of all the tidbits the APU2 offers, the OpenWrt wiki page is a good starting point. Since there are no subtargets any more for x86/64 (alas), you have to install all the extra packages manually to get full support for the hardware.

Default configuration

Because LEDE uses generic targets (a kind of catch-all) for the x86 and x86_64 platforms, by default it only configures eth0, the leftmost interface. Coming from consumer platforms, it took me a while to realise the images I built were fine: I just kept trying the two rightmost interfaces, figuring those were the LAN ports. So if you don't seem to be getting an IP, try all of the ports. There is also no WAN interface defined, so the box will not route anything out of the box.

Hardware support

A stock LEDE image boots just fine from internal mSATA/SATA storage or from USB. I have not been able to verify yet whether booting off SD works.

Gigabit Ethernet

The APU2 comes with Intel i210AT or i211AT Gigabit Ethernet NICs, which need the igb driver on Linux. The stock x86_64 LEDE builds include this driver by default; lspci -k (from the pciutils package) shows whether it is bound to the NICs.

SDHC card reader

For the card reader, install the kmod-sdhci package. If you’d like to include it in your own build, enable it under Kernel modules > Other modules in the buildroot. To boot off an SD card, however, you need the following symbols to be enabled:

CONFIG_MMC_BLOCK=y
CONFIG_MMC_SDHCI=y
CONFIG_MMC_SDHCI_PCI=y

You can grep target/linux/x86/64/config-default for them; they should all be enabled by default. Add them to the same file if they are not. I have been unable to test so far whether booting off SD cards works; I have seen some statements that the APU2 will ignore SD or USB 3 boot devices if there is an mSATA SSD installed.

USB 3.0 support

Booting off USB 3.0 works just fine out of the box – not much to add.

Temperature sensor

For basic temperature reading support, which may come in handy as you essentially rely on passive cooling, install the kmod-hwmon-k10temp package, or enable kmod-hwmon-k10temp in the buildroot under Kernel modules > Hardware Monitoring Support. Reading out the temperature is then as simple as typing sensors (from the lm-sensors package):

# sensors 
k10temp-pci-00c3
Adapter: PCI adapter
temp1:        +53.2°C  (high = +70.0°C)
               (crit = +105.0°C, hyst = +104.0°C)

As you can see, though, k10temp reports only a single temperature for the die, not one per core.

VLAN support

For VLAN support you need the 8021q module. The generic x86 target builds it in statically. There is also a package for it under Kernel modules > Network Support, but it is only useful for targets that do not build the module in; on targets like ar71xx or x86 it produces a package containing nothing but a modprobe file. You can set up tagged VLANs through LEDE's framework in /etc/config/network, e.g.:

config interface 'guest'
    option type 'bridge'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ifname 'eth1.20 eth2.20'
    option ipaddr '10.0.1.1'

This sets up a bridge named br-guest whose members are the VLAN sub-interfaces eth1.20 and eth2.20, i.e. frames leave eth1 and eth2 tagged with VLAN ID 20. This is standard: the bridge itself is not tagged, only the member sub-interfaces are, as the ip -d link output below shows (vlan protocol 802.1Q id 20 on the members, vlan_filtering 0 on the bridge).

# for i in eth1.20 eth2.20 br-guest; do ip -d link show $i; done
9: eth1.20@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP mode DEFAULT group default qlen 1000
    link/ether 00:0d:b9:41:45:61 brd ff:ff:ff:ff:ff:ff promiscuity 1 
    vlan protocol 802.1Q id 20 <REORDER_HDR> 
    bridge_slave state forwarding priority 32 cost 4 hairpin off guard off root_block off fastleave off learning on flood on addrgenmode eui64 
10: eth2.20@eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP mode DEFAULT group default qlen 1000
    link/ether 00:0d:b9:41:45:62 brd ff:ff:ff:ff:ff:ff promiscuity 1 
    vlan protocol 802.1Q id 20 <REORDER_HDR> 
    bridge_slave state forwarding priority 32 cost 4 hairpin off guard off root_block off fastleave off learning on flood on addrgenmode eui64 
8: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 00:0d:b9:41:45:61 brd ff:ff:ff:ff:ff:ff promiscuity 0 
    bridge forward_delay 200 hello_time 200 max_age 2000 ageing_time 30000 stp_state 0 priority 32767 vlan_filtering 0 addrgenmode eui64

I can confirm this works as expected – for more info on VLANs on OpenWrt/LEDE, see my older post.

LED support

By default only the leftmost LED is active, and it just stays on. As of commit fe12d51, LEDE has a driver for the APU2’s PCB LEDs and reset button. I have backported this to my LEDE 17.01 builds.

GPIO header

The GPIO headers are controlled by the Nuvoton NCT5104D chip. To use them, enable the kmod-gpio-nct5104d package under Kernel modules > Other modules.

AMD’s cryptographic coprocessor (‘CCP’)

Enable the kmod-crypto-hw-ccp package under Kernel modules > Cryptographic API modules.

Hardware watchdog

Enable the kmod-sp5100-tco package under Kernel modules > Other modules.

Optimising LEDE for the APU2

GCC optimisation

GCC has its own target for the Jaguar SoCs. You can optimise by using the -march=btver2 -mtune=btver2 GCC options, with a recent GCC version. In the buildroot, enable Advanced configuration options (for developers), then tick Target Options and add the compiler flags to Target Optimizations. Do keep in mind, though, that this will greatly limit your testing capabilities: I haven't found a way to emulate a CPU supporting the same feature set yet; if you do, let me know, that would greatly simplify testing. For now I build a separate generic x86_64 image so I can test it in a VM before deploying.

AES-NI

One of the cooler things about the APU2 is that it supports AES-NI, which is handy for applications relying on encryption (e.g. a VPN). LEDE has since enabled the necessary bits for it. You can confirm the CPU flag is visible to the kernel with grep -ow aes /proc/cpuinfo | head -1.

Resizing partitions

Chances are you will be running conventional storage, so the default 4/48 (kernel/root) partition layout does not really use the space available. You can change this by setting CONFIG_TARGET_KERNEL_PARTSIZE= (kernel partition size) and CONFIG_TARGET_ROOTFS_PARTSIZE= (root file system size) in your .config; both values are in megabytes.

UCI defaults

I have preconfigured my LEDE builds for the APU2 to set up a WAN interface on eth0 and a LAN bridge on the eth1 and eth2 interfaces, as well as some other tidbits. In my opinion, if you want to deploy the APU2 with LEDE, prepping the network configuration is a must.

LEDE discussion forum link for APU2

11 Nov

Setting up IPv6 in OpenWRT Barrier Breaker for TM Unifi

  1. Create a new interface for IPv6
    Network > Interfaces > Add new interface...
    Match the settings shown in screenshots ipv6-1 to ipv6-6 (images not included in this mirror).

21 Jan

OpenWRT Adblock with Pixelserv


There are many ways of doing this; the setup is flexible enough, depending on what you want to achieve.

The easy way

My review: the simplest method; poisoned DNS records point at 127.0.0.1. Page loads get longer because nothing is served at 127.0.0.1 (the browser waits until the connection fails or times out). This script does let you control the white list and black list of domains manually, though.

My review: this script attempts to create another interface alias and run pixelserv (a tiny web server serving a 1×1 transparent GIF) on that interface. However, you are not able to control the white/black lists manually as with the previous script.

My method

Again, this might not be the best way, but it serves my requirements. I will be using the same script, tweaked to suit my environment.

Step 1: Create interface alias
I need pixelserv to run on a different IP address (say my LAN IP is 192.168.1.1/24 and I want pixelserv on 192.168.88.1/24) so that uhttpd can keep listening on 192.168.1.1:80 for LuCI. Add the interface below to /etc/config/network:

#nano /etc/config/network
config interface 'lan2'
	option ifname 	'eth0'
	option proto	'static'
	option ipaddr 	'192.168.88.1'
	option netmask	'255.255.255.0'

Restart network interfaces
#/etc/init.d/network restart

Verify new interface alias created

root@OpenWrt:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr 08:00:27:9A:88:DD
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:629 errors:0 dropped:0 overruns:0 frame:0
          TX packets:661 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:73752 (72.0 KiB)  TX bytes:393608 (384.3 KiB)

eth0      Link encap:Ethernet  HWaddr 08:00:27:9A:88:DD
          inet addr:192.168.88.1  Bcast:192.168.88.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:633 errors:0 dropped:0 overruns:0 frame:0
          TX packets:769 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:82836 (80.8 KiB)  TX bytes:528224 (515.8 KiB)

eth1      Link encap:Ethernet  HWaddr 08:00:27:9C:1E:FF
          inet addr:10.0.3.15  Bcast:10.0.3.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:157 errors:0 dropped:0 overruns:0 frame:0
          TX packets:138 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:15482 (15.1 KiB)  TX bytes:13962 (13.6 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1648 (1.6 KiB)  TX bytes:1648 (1.6 KiB)

root@OpenWrt:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.0.3.2        0.0.0.0         UG    0      0        0 eth1
10.0.3.0        *               255.255.255.0   U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.88.0    *               255.255.255.0   U     0      0        0 eth0

Step 2: Pixelserv setup
We already have a web server installed on the router (serving LuCI), so we just need to configure a second uHTTPd instance.

mkdir /www_pixelserv
wget -O /www_pixelserv/blank.gif http://probablyprogramming.com/wp-content/uploads/2009/03/tinytrans.gif

Edit /etc/config/uhttpd so that the LuCI instance binds to the LAN address only (this leaves 192.168.88.1:80 free for pixelserv, and keeps the management UI off the WAN-facing socket instead of relying solely on the firewall's input policy), and add a second instance for pixelserv:

config uhttpd 'main'
	list listen_http '192.168.1.1:80'
	list listen_https '192.168.1.1:443'
	option home '/www'

config uhttpd 'pixelserv'
	list listen_http '192.168.88.1:80'
	option home '/www_pixelserv'
	option error_page '/blank.gif'

Restart uhttpd

/etc/init.d/uhttpd restart

Step 3: Adblock for dnsmasq
Follow the installation instructions at https://gist.github.com/teffalump/7227752. In adblock.sh, add the following lines so that the generated entries point at 192.168.88.1 instead of 127.0.0.1:

....
#Download and process the files needed to make the lists (add more, if you want)
wget -qO- "http://adaway.org/hosts.txt"|grep "^127.0.0.1" >> /tmp/block.build.list

#Replace 127.0.0.1 with 192.168.88.1
sed -i 's/127.0.0.1/192.168.88.1/g' /tmp/block.build.list
#Add black list, if non-empty
[ -s "/etc/black.list" ] && sed -e 's/^/192.168.88.1\t/g' /etc/black.list >> /tmp/block.build.list
...

Update:

The method above (creating an interface alias) is valid for interfaces that do not have VLAN tagging. In my case, eth0 is tagged with VLAN 500 and VLAN 600 (eth0.500 and eth0.600) and I cannot find any documentation for creating an alias on a tagged interface. As a workaround, I have changed the pixelserv uhttpd instance to listen on 192.168.1.1:80, while the router web UI (LuCI) listens on port 443.

This is my modified adblock.sh:

#!/bin/sh
# Put in /etc/adblock.sh
#
# Script to grab and sort a list of ad servers and malware hosts.
# dnsmasq has to read the result, e.g. addn-hosts=/etc/block.hosts
# (see the gist linked above).

# Address pixelserv listens on. After the update above this is the LAN
# address; with the interface-alias setup use 192.168.88.1 instead.
PIXELSERV="192.168.1.1"

# Delete the old block.hosts to make room for the updates
rm -f /etc/block.hosts

# Download and process the files needed to make the lists (add more, if you want)
wget -qO- http://www.mvps.org/winhelp2002/hosts.txt | sed 's/0\.0\.0\.0/127.0.0.1/g' | grep "^127\.0\.0\.1" > /tmp/block.build.list
wget -qO- http://www.malwaredomainlist.com/hostslist/hosts.txt | grep "^127\.0\.0\.1" >> /tmp/block.build.list
wget -qO- "http://hosts-file.net/ad_servers.txt" | grep "^127\.0\.0\.1" >> /tmp/block.build.list
wget -qO- "http://adaway.org/hosts.txt" | grep "^127\.0\.0\.1" >> /tmp/block.build.list

# Replace 127.0.0.1 with the pixelserv address
sed -i "s/^127\.0\.0\.1/$PIXELSERV/" /tmp/block.build.list
# Add black list, if non-empty (one host name per line)
[ -s "/etc/black.list" ] && sed -e "s/^/$PIXELSERV\t/" /etc/black.list >> /tmp/block.build.list

# Sort the download/black lists: strip CRs, normalise the separator to a tab, dedupe
sed -e 's/\r//g' -e "s/^$PIXELSERV[ ]\+/$PIXELSERV\t/" /tmp/block.build.list | sort | uniq > /tmp/block.build.before

if [ -s "/etc/white.list" ]
then
    # Filter the blacklist, suppressing whitelist matches.
    # Note: grep -f treats each white.list line as an unanchored pattern,
    # so whitelisting "ads.example.net" also unblocks "cdn.ads.example.net".
    sed -e 's/\r//g' /etc/white.list > /tmp/white.list
    grep -vf /tmp/white.list /tmp/block.build.before > /etc/block.hosts
    rm -f /tmp/white.list
else
    cat /tmp/block.build.before > /etc/block.hosts
fi

# Delete files used to build the list to free up the limited space
rm -f /tmp/block.build.before
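As an added example (not the page's script, nor the gist it is based on), here is the list-building logic as shell functions that run offline: the input is a constructed sample of what the upstream hosts lists look like (mixed 0.0.0.0 and 127.0.0.1 targets, tabs, CRLF line endings, comments, duplicates), the sinkhole address is the 192.168.88.1 from the alias setup, and the whitelist is matched against the exact host name rather than with the unanchored grep -vf of the script above, which would also unblock any longer name containing a whitelisted one. It also writes the 42-byte transparent GIF for /www_pixelserv/blank.gif with printf, so nothing has to be fetched over plain HTTP from a third-party site.

```shell
#!/bin/sh
# Added example, not the page's adblock.sh: build the dnsmasq addn-hosts file
# for a pixelserv sinkhole from hosts-format lists, and write the 1x1
# transparent GIF pixelserv serves, without touching the network.
# SAMPLE_LISTS is constructed for this example; PIXELSERV is an assumption.

PIXELSERV="192.168.88.1"   # address the pixelserv uhttpd instance listens on

# Constructed stand-in for the concatenated wget output: mixed targets,
# a tab separator, CRLF, comments and a duplicate entry.
SAMPLE_LISTS=$(printf '%b\n' \
    '# adaway-style list' \
    '127.0.0.1 localhost' \
    '127.0.0.1 ads.example.net' \
    '0.0.0.0\ttracker.example.org' \
    '0.0.0.0 tracker.example.org' \
    '127.0.0.1    ad.badads.example.com' \
    '127.0.0.1 banner.example.net\r' \
    '# a comment line' \
    '127.0.0.1 cdn.ads.example.net # inline comment')

# normalise_hosts: hosts-format text on stdin -> "PIXELSERV<TAB>host" lines,
# one per unique host, comments/CRs removed, localhost entries dropped.
normalise_hosts() {
    tr -d '\r' |
    sed -e 's/#.*$//' -e 's/^[[:space:]]*0\.0\.0\.0[[:space:]]/127.0.0.1 /' |
    awk -v ip="$PIXELSERV" \
        '$1 == "127.0.0.1" && NF >= 2 && $2 != "localhost" { print ip "\t" $2 }' |
    sort -u
}

# apply_whitelist: drop entries whose host field exactly equals a line of the
# whitelist file (CRs tolerated). Exact match, unlike grep -vf substring
# matching, so "ads.example.net" does not unblock "cdn.ads.example.net".
apply_whitelist() {
    awk -v wl="$1" '
        BEGIN { while ((getline line < wl) > 0) {
                    sub(/\r$/, "", line); if (line != "") allow[line] = 1 } }
        !($2 in allow)'
}

# build_block_hosts OUT WHITELIST: write the finished addn-hosts file.
build_block_hosts() {
    out="$1"; whitelist="$2"
    printf '%s\n' "$SAMPLE_LISTS" | normalise_hosts | apply_whitelist "$whitelist" > "$out"
}

# write_blank_gif PATH: the well-known 42-byte transparent 1x1 GIF89a,
# emitted with octal escapes (POSIX printf) so no download is needed.
write_blank_gif() {
    printf '\107\111\106\070\071\141\001\000\001\000\200\000\000\000\000\000\377\377\377\041\371\004\001\000\000\000\000\054\000\000\000\000\001\000\001\000\000\002\001\104\000\073' > "$1"
}
```

To use it for real, replace SAMPLE_LISTS with the concatenated wget output (or feed it to normalise_hosts directly), point build_block_hosts at /etc/block.hosts and /etc/white.list, and let dnsmasq pick the file up via addn-hosts as in the gist.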

References:
http://jazz.tvtom.pl/adblock-w-openwrt-gargoyle/
http://sfxpt.wordpress.com/2011/02/21/the-best-ad-blocking-method
https://forum.openwrt.org/viewtopic.php?id=35023&p=2

21 Jan

OpenDNS update script on OpenWRT Backfire 10.03.

AUTHOR: drl@MyBSD.org.my

Install ‘curl’ package:

# opkg update
# opkg install curl

Next create a script and call it /root/rc.ddns_opendns.sh:

#!/bin/sh
# Sends the router's current public IPv4 address to OpenDNS. The account
# user name and password are embedded here, so keep this file root-only.
# -k disables TLS certificate verification, which means the credentials
# would also be accepted by anyone able to answer for updates.opendns.com;
# keep it only if curl has no CA bundle to verify against.
/usr/bin/curl -4 -k -u username:password "https://updates.opendns.com/account/ddns.php?"

Make the script executable, and readable by root only since it holds the password:

# chmod 700 /root/rc.ddns_opendns.sh

Next create another script and call it /etc/hotplug.d/iface/100-opendns:

#!/bin/sh
# Hotplug runs this for every interface event; only act when the WAN
# logical interface comes up, not for LAN or other interfaces.
if [ "$ACTION" = ifup ] && [ "$INTERFACE" = wan ]; then
    /root/rc.ddns_opendns.sh > /dev/null 2>&1
fi

This will update your IP with OpenDNS whenever you reboot or reconnect.
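As an added example, not drl's script: the same update with the password moved out of the script into a curl config file read with -K (so it is neither in the script body nor visible in ps as a curl argument), a permission check before the file is used, and the hotplug decision gated on the WAN interface. The path /etc/opendns.curlrc and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not drl's script: OpenDNS update with the credentials kept
# in a root-only curl config file, checked before use, and a hotplug guard
# that only fires for the WAN interface. File path is an assumption.

CRED_FILE="${CRED_FILE:-/etc/opendns.curlrc}"

# write_cred_file FILE USER PASS: store the credentials in curl -K syntax,
# recreated under a 077 umask so the file is never group/world readable.
# (A password containing a double quote or backslash would need escaping.)
write_cred_file() {
    f="$1"; user="$2"; pass="$3"
    rm -f "$f"
    ( umask 077; printf 'user = "%s:%s"\n' "$user" "$pass" > "$f" )
}

# cred_file_ok FILE: refuse a credential file that is missing, empty, or
# readable by group or others (columns 5-10 of ls -l are the g/o bits).
cred_file_ok() {
    f="$1"
    [ -s "$f" ] || return 1
    case "$(ls -ld "$f" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# should_update ACTION INTERFACE: hotplug exports both; react only to the
# WAN logical interface coming up, not to every ifup on the router.
should_update() {
    [ "$1" = ifup ] && [ "$2" = wan ]
}

# opendns_update: curl takes the "user = ..." line from the config file, so
# the password appears neither in this script nor in curl's argv. No -k:
# with it the credentials would be handed to anyone able to answer for
# updates.opendns.com; give curl a CA bundle instead.
opendns_update() {
    cred_file_ok "$CRED_FILE" || {
        logger -t opendns "refusing to use $CRED_FILE (missing or too permissive)"
        return 1
    }
    /usr/bin/curl -4 -s -K "$CRED_FILE" "https://updates.opendns.com/account/ddns.php?"
}

# /etc/hotplug.d/iface/100-opendns then reduces to:
#   should_update "$ACTION" "$INTERFACE" && opendns_update
```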

One of the benefits of using OpenDNS is their web content filter. Log in to your account on OpenDNS and start configuring the content filter for your network. Choose Custom and select the categories you want the content filter to apply to for your home/office network.

Click Apply and wait roughly 5 minutes for it to take effect. Your network is now filtered.

Reference: https://lemur.mybsd.org.my/drl/OpenWRT/DDNS_OpenDNS_OpenWRT.txt

19 Jun

OpenWRT Backfire + HE.net IPv6 Tunnelling with dynamic WAN address

Mission: The example below illustrates a dynamic tunnel configuration for the Hurricane Electric broker with dynamic IP update enabled. The local IPv4 address is automatically determined and tunnelid, username and password are provided for IP update.
Requirements: HE.net ipv6 tunnel, OpenWRT Backfire

Get your v6 tunnel
Go to http://www.tunnelbroker.net and register. Once registered, click on “Create Regular Tunnel” link. Select your nearest v6 tunnel server and click create.

(Screenshot 1: the Tunnel Details page, not included in this mirror.)

Based on above info we know that:
74.82.46.6 is the remote IPv4 address (the other side of the tunnel)
2001:470:23:9c::1/64 is the remote IPv6 tunnel endpoint
210.195.119.81 is the local IPv4 router address (assigned by ISP)
2001:470:23:9c::2/64 is the local IPv6 tunnel endpoint (labeled “Client IPv6 Address” on the Tunnel Details page in your HE account)
2001:470:24:9c::/64 is our allocated subnet/segment

Install required package and dependencies
opkg update
opkg install 6in4 ip ip6tables kmod-sit kmod-iptunnel6 radvd

Configure tunnel
uci set network.henet=interface
uci set network.henet.proto=6in4
uci set network.henet.peeraddr=74.82.46.6
uci set network.henet.ip6addr='2001:470:23:9c::2/64'
uci set network.henet.tunnelid=210081
uci set network.henet.username='YOUR_HASHED_USERNAME'
uci set network.henet.password='YOUR_PASSWORD'
uci commit network

Set firewall zone (this assumes the wan zone is @zone[1], the second zone in /etc/config/firewall, as in the default configuration; check with uci show firewall first)
uci set firewall.@zone[1].network='wan henet'
uci commit firewall

Bring up the interface
ifup henet
/etc/init.d/firewall restart

You can check that the new interface has been created in LuCI. (Screenshot 2, not included in this mirror.)

Firewall
To apply IPv6 firewall rules to the tunnel interface, add it to the "wan" zone in /etc/config/firewall (this is what the uci command above did; the zone should now look like this):
config 'zone'
option 'name' 'wan'
option 'input' 'REJECT'
option 'output' 'ACCEPT'
option 'masq' '1'
option 'mtu_fix' '1'
option 'forward' 'ACCEPT'
option 'network' 'wan henet'

To allow 6in4 traffic to reach your tunnel endpoint, it may be necessary to accept IPv4 protocol 41 on the wan zone. Restrict the rule to the tunnel server's address so that arbitrary Internet hosts cannot inject encapsulated IPv6 packets at your router:
config 'rule'
option 'target' 'ACCEPT'
option 'name' '6to4'
option 'src' 'wan'
option 'src_ip' '74.82.46.6'
option 'proto' '41'
option '_name' '6to4'

Routing
To enable routing of IPv6 traffic through the tunnel, add a static IPv6 address from the routed subnet (not from the tunnel's own /64) to the local-facing interface (LAN). Edit /etc/config/network and add the last option ('ip6addr'), with the /64 prefix length so the routed subnet is attached to the LAN bridge:

config 'interface' 'lan'
option 'ifname' 'eth0.1'
option 'type' 'bridge'
option 'proto' 'static'
option 'ipaddr' '192.168.1.1'
option 'netmask' '255.255.255.0'
option 'ip6addr' '2001:470:24:9c:964:387b:8888:8888/64'

Enable Routing in Backfire
To forward packets between interfaces, a kernel-level setting must be enabled. Edit /etc/sysctl.conf and uncomment the following line, so that
# net.ipv6.conf.all.forwarding=1
becomes
net.ipv6.conf.all.forwarding=1

Restart sysctl to apply the new setting
/etc/init.d/sysctl restart

IPv6 DHCP
Clients that auto-configure using SLAAC (stateless address auto-configuration) need to learn our routed prefix. To advertise the prefix to clients on the local network, we use radvd.

(Screenshot 3: the radvd configuration, not included in this mirror.)

Verify your tunnel is working

(Screenshots 4 and 5, not included in this mirror.)
