A SECOND LIFE FOR THE LINKSYS
Part 1

By Michiel van der Vlist
2:280/5555

Some five years ago, I joined the family of FON and obtained a Linksys WRT54GL, flashed with FON software, for a bargain. It has been humming quietly away for almost five years. In March I got a Fonera SIMPL, so I replaced the Linksys.

As you may have noticed from previous articles, I am an IPv6 advocate. I have been experimenting with IPv6 for some time now. I started out with a tunnel from SixXs. The idea was to have the tunnel terminate on the machine that was going to host my web server and my Fido system, a machine that would run 24/7 anyway. The tunnel works fine for providing IPv6 connectivity to that machine, but my plan to have it function as an IPv6 router to provide IPv6 connectivity to other machines on the LAN failed. It turned out that an AYIYA tunnel running on a Windows machine can not route a subnet.

So I chose another approach. Why not let the routing be done by something that was designed for it in the first place: a router? With the help of some guys in a Dutch IPv6 forum, I found a version of OpenWRT that supports IPv6 and that can run on the Linksys. The binary image can be found here:

http://www.vlist.eu/downloads/openwrt-wrt54g-squashfs-r25759.bin

Before you flash your Linksys with this image, be advised that the WRT54GL has only 4 MB flash ROM available and the IPv6 add-ons need memory space. So some compromise had to be made. This version does not have a web interface; it is command line only. For most of us that should not be a problem; we FidoNetters have been using the command line for ages.

Also be warned that there is no easy "go back to factory defaults" button. Frankly, I do not even know how to go back to the original firmware. I haven't felt the need yet; it is working fine, so why fix what ain't broken?

No web interface, so you need a telnet/ssh client to access the router. Telnet to 192.168.1.1 and you will get a prompt.
The first thing you will have to do is to configure a password for user root. It won't let you do much other than use the "passwd" command to enter a password after first startup. Once you have configured a password for root, the Telnet interface is disabled and you can only access the router with ssh. So get yourself an ssh client first. A suitable one for Windows is PuTTY, to be found here: www.putty.org. PuTTY, BTW, is IPv6 capable. With ssh you can log in as user root with the password you supplied. Write down the password! There is no easy recovery if you forget it.

To my surprise I found that not only did I have a router, but I had a complete Linux system on my hands. The idea of running a disk OS on a stand-alone dedicated system (as I see a router) was completely new to me, and my first reaction when I saw the command line prompt was a bit similar to what happened when I started up that PDP-8 some forty-five years ago: OK, it started up. Now what?

So I tried "dir" and "type". Eh... sorry, this isn't CP/M, FLEX or MS-DOS. It is Linux and the commands are "ls" and "cat" from now on. OK... Many of the standard Linux commands work. The entire configuration is done by editing text files with a text editor. Weird idea for a stand-alone dedicated system, but I got used to it quickly.

The first thing of course was to get it configured properly for IPv4. The machines on the LAN running servers need a permanent address, so we have to edit some files. We want the DHCP server to always issue the same (semi-fixed) address to the machine named Fido. The package comes with an editor called nano, so we enter the following command:

nano /etc/config/dhcp

And we add the following lines to the file:

[code]
config host
        option ip '192.168.1.2'
        option mac '00:04:76:8C:25:3C'
        option name Fido
[/code]

Note that the address must be outside the normal DHCP pool, which defaults to 100-150.
Set the MAC address to the one on the NIC of the system in question. Note that changes do not take effect until the router is rebooted.

The next step is the forwarding of port 80 and port 24554. This is done by adding the following lines to the file /etc/config/firewall:

[code]
# forward port 80 and port 24554 to Fido
config redirect http
        option src wan
        option dest lan
        option src_dport 80
        option dest_port 80
        option dest_ip 192.168.1.2
        option proto tcp

config redirect binkp
        option src wan
        option dest lan
        option src_dport 24554
        option dest_port 24554
        option dest_ip 192.168.1.2
        option proto tcp
[/code]

If you want to use WiFi, it has to be enabled, as it is disabled by default. In the file /etc/config/wireless:

[code]
config 'wifi-device' 'radio0'
        option 'type' 'mac80211'
        option 'channel' '11'
        option 'macaddr' '00:16:b6:da:3a:b5'
        option 'hwmode' '11g'
        option 'disabled' '1'

config 'wifi-iface'
        option 'device' 'radio0'
        option 'network' 'lan'
        option 'mode' 'ap'
        option 'ssid' 'OpenWrt'
        option 'encryption' 'none'
[/code]

Change "option 'disabled' '1'" to "option 'disabled' '0'". That will enable the radio, but it is highly recommended to enable encryption as well. Change "option 'encryption' 'none'" to "option 'encryption' 'psk2'" to enable WPA2 encryption. ('wpa2' as option is for WPA2 with a RADIUS server.) Specify the key, with your passphrase between the quotes:

[code]
option 'key' ''
[/code]

You may want to change the channel number and the SSID. Also the parameter "11g" may be changed to "11bg" if you also want to support older 11b clients. As always, changes do not take effect until the router is rebooted.

That takes care of my IPv4 settings. The next step is to configure a 6in4 tunnel. If your ISP does not provide native IPv6 you will need to set up a tunnel. Some ISPs offer tunnels, but if yours does not, you will need a third-party tunnel broker. Both SixXs and Hurricane Electric offer free tunnels. So set up an account with either one of them (or both) and apply for a tunnel.
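The static lease and the two port forwards from the IPv4 setup above, as an added example that is not part of the article: a POSIX shell script that prints the same two kinds of stanza but first applies the checks the text asks for by hand, namely that the fixed address lies outside the DHCP pool (100-150, the default the article states) and that the MAC is six hex pairs. The host name, address and MAC are the article's own values; the pool bounds are assumed to be the defaults, and the script only prints the stanzas rather than writing to /etc/config.

```shell
#!/bin/sh
# Added example, not from the article: emit OpenWrt UCI stanzas for a static
# DHCP lease and TCP port forwards, refusing inputs the article warns about.
# Pool bounds follow the default the article states (100-150); assumed.

POOL_START=100
POOL_END=150

# is_outside_pool A.B.C.D -> true when the host part is a usable host number
# (1-254) that does not fall inside the DHCP pool
is_outside_pool() {
    host=${1##*.}
    case "$host" in
        ''|*[!0-9]*) return 1 ;;        # last octet is not a number
    esac
    [ "$host" -ge 1 ] && [ "$host" -le 254 ] || return 1
    if [ "$host" -ge "$POOL_START" ] && [ "$host" -le "$POOL_END" ]; then
        return 1
    fi
    return 0
}

# is_mac XX:XX:XX:XX:XX:XX -> true for six colon-separated hex pairs
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# static_lease NAME IP MAC -> prints the /etc/config/dhcp "config host" stanza,
# or prints a reason on stderr and fails
static_lease() {
    name=$1; ip=$2; mac=$3
    is_outside_pool "$ip" || { echo "refusing $ip: inside pool $POOL_START-$POOL_END" >&2; return 1; }
    is_mac "$mac"         || { echo "refusing $mac: not a MAC address" >&2; return 1; }
    printf "config host\n\toption ip '%s'\n\toption mac '%s'\n\toption name %s\n" "$ip" "$mac" "$name"
}

# tcp_forward NAME PORT IP -> prints the /etc/config/firewall "config redirect"
# stanza that forwards PORT from wan to the same port on IP
tcp_forward() {
    name=$1; port=$2; ip=$3
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    printf "config redirect %s\n\toption src wan\n\toption dest lan\n\toption src_dport %s\n\toption dest_port %s\n\toption dest_ip %s\n\toption proto tcp\n" \
        "$name" "$port" "$port" "$ip"
}

# The article's values for the machine named Fido
static_lease Fido 192.168.1.2 00:04:76:8C:25:3C
echo
tcp_forward http 80 192.168.1.2
echo
tcp_forward binkp 24554 192.168.1.2
```

Redirect the output into the right file only after reading it; the script deliberately stops on an address such as 192.168.1.120, which the DHCP server could also hand to another client, and on a malformed MAC, both of which would otherwise only show up as a silently missing lease after the reboot.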
For this tunnel I chose Hurricane Electric, because unlike SixXs they do not make you jump through any hoops. Just go to tunnelbroker.net, create an account, choose a site for the tunnel ingress and apply for a tunnel. A Hurricane Electric tunnel comes with a /64 subnet by default, but you can also get a /48. We do not need that. Yet... For a static he.net tunnel, you need a static or semi-static IPv4 address.

To configure the tunnel on the Linksys, add the following to /etc/config/network:

[code]
#### The he.net tunnel
config interface henet
        option proto 6in4
        option peeraddr 216.66.84.46
        option ip6addr 2001:470:1f14:1117::2/64
        option tunnelid XXXXXX
        option username xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        option password xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[/code]

For "peeraddr" substitute the server IPv4 address that the tunnel broker has given you. For "ip6addr" substitute the client IPv6 address that the tunnel broker gave you. Note that this is the address of your tunnel end point, not the subnet. Also do not omit the /64; it won't work without it. For "tunnelid" substitute the decimal tunnel ID number as supplied by the tunnel broker. For "username" substitute the 32-digit hex number that is found as "User ID" on your account info page at tunnelbroker.net.

The password should be a 32-digit hex number that is the MD5 hash of your password for the tunnel broker. So how do we get that? The Linksys will give it to you! Type "echo -n '' | md5sum" at the command line, with your tunnel broker password between the quotes, and there it is. Ain't that magic?

Reboot the router to have the changes take effect. Now you should be able to ping6 IPv6 hosts from the router's command line.
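As an added example, not code from the article, here is a small shell script for the two fields of the henet stanza that are easiest to get wrong: the password, which must be the MD5 of the account password with no trailing newline (the reason for the -n in the article's echo command), and ip6addr, which must keep its /64. The password below is a constructed placeholder, not a real credential; md5sum from coreutils is assumed, and printf is used instead of echo -n because echo -n is not portable between shells.

```shell
#!/bin/sh
# Added example, not from the article. Shows the hash the henet stanza's
# "option password" needs, why "echo -n" matters, and a /64 check for ip6addr.
# PASSWORD is a constructed placeholder; md5sum (coreutils) is assumed.

# md5_of STRING -> MD5 of exactly STRING, no trailing newline
md5_of() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# md5_of_line STRING -> MD5 of STRING plus a newline: what a plain `echo`
# (without -n) would feed to md5sum
md5_of_line() {
    printf '%s\n' "$1" | md5sum | cut -d' ' -f1
}

# looks_like_he_hash HEX -> true for exactly 32 hex digits, the shape of the
# tunnelbroker "User ID" and of the password hash
looks_like_he_hash() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{32}$'
}

# ip6addr_ok ADDR -> true when ADDR is an IPv6 literal that carries the /64
# prefix length the article says must not be omitted
ip6addr_ok() {
    case "$1" in
        *:*/64) return 0 ;;
        *)      return 1 ;;
    esac
}

PASSWORD='correct horse battery staple'    # constructed placeholder

with_n=$(md5_of "$PASSWORD")
without_n=$(md5_of_line "$PASSWORD")
echo "echo -n   : $with_n"
echo "plain echo: $without_n   (different hash; the tunnel broker would not accept it)"
looks_like_he_hash "$with_n" && echo "the hash has the expected 32-hex-digit form"

# The article's own tunnel endpoint, with and without its prefix length
for a in 2001:470:1f14:1117::2/64 2001:470:1f14:1117::2; do
    if ip6addr_ok "$a"; then echo "ok      : $a"; else echo "rejected: $a (missing /64)"; fi
done
```

When pasting the result into /etc/config/network, compare it against md5_of rather than md5_of_line: a hash produced by an echo that appended a newline is exactly as long and looks exactly as plausible, and the only symptom is a tunnel that never comes up.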
You can try to ping mine by typing:

[code]
root@OpenWrt:/# ping6 wrt6.vlist.eu
PING wrt6.vlist.eu (2001:470:1f14:1117::2): 56 data bytes
64 bytes from 2001:470:1f14:1117::2: seq=0 ttl=64 time=1.243 ms
64 bytes from 2001:470:1f14:1117::2: seq=1 ttl=64 time=1.358 ms
64 bytes from 2001:470:1f14:1117::2: seq=2 ttl=64 time=1.140 ms
64 bytes from 2001:470:1f14:1117::2: seq=3 ttl=64 time=1.142 ms
^C
[/code]

If you get this result your tunnel is working. To enable incoming pings, however, you need to open the firewall for protocol 41. Protocol 41 is the protocol used for 6in4 tunneling. The firewall of OpenWrt is closed to all unsolicited incoming packets by default. By pinging out over IPv6, the firewall is opened for protocol 41 and the router can be pinged from outside, but it closes again after a minute or two. Add the following lines to /etc/config/firewall to keep the tunnel open permanently:

[code]
# Accept proto 41 so it always reaches the tunnel endpoint
config rule
        option src wan
        option proto 41
        option target ACCEPT
[/code]

To check if your router is pingable from outside, you can use a looking glass server. Here is one: http://leasewebnoc.com/lg/html.

As a last step you have to configure the firewall to also apply the firewall rules to the IPv6 tunnel. In the file /etc/config/firewall find this section:

[code]
config zone
        option name wan
        option input REJECT
        option output ACCEPT
        option forward REJECT
        option masq 1
        option mtu_fix 1
[/code]

And add this line after the second line (the "option name wan" line):

[code]
# to have IPv6 firewall rules apply to the tunnel
option network 'wan henet'
[/code]

This completes the setup of the tunnel on the Linksys. Next week's article will describe how to let the router issue global IPv6 addresses from a subnet to your machines on the LAN.
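The two firewall edits above are easy to lose again on a later edit, and the symptom (a tunnel that answers only for a minute or two after an outbound ping, or IPv6 traffic that bypasses the wan rules) is not obvious. As an added example that is not part of the article, here is a POSIX shell audit that reads an /etc/config/firewall on standard input, walks its UCI sections with awk, and checks both points: the zone named wan lists henet in its network option, and an ACCEPT rule for protocol 41 from wan exists. The two sample configs are constructed from the stanzas the article shows; the file layout (config/option lines, optional quotes) is the UCI format the article's own snippets use.

```shell
#!/bin/sh
# Added example, not from the article: audit /etc/config/firewall (on stdin)
# for the two tunnel-related settings the article adds. Exits 0 only when the
# wan zone covers henet AND a "proto 41 from wan -> ACCEPT" rule is present.

audit_firewall() {
    awk '
    # unq(s): strip one pair of matching single or double quotes
    function unq(s,    q) {
        q = substr(s, 1, 1)
        if (q == "\"" || q == "\047") s = substr(s, 2, length(s) - 2)
        return s
    }
    # flush(): judge the section that just ended, then clear its options
    function flush(    k) {
        if (type == "zone" && opt["name"] == "wan") {
            wan_seen = 1
            if (index(" " opt["network"] " ", " henet ") > 0) wan_has_henet = 1
        }
        if (type == "rule" && opt["src"] == "wan" && opt["proto"] == "41" && opt["target"] == "ACCEPT")
            proto41_rule = 1
        for (k in opt) delete opt[k]
        type = ""
    }
    $1 == "config" { flush(); type = unq($2); next }
    $1 == "option" {
        val = $3
        for (i = 4; i <= NF; i++) val = val " " $i     # multi-word values such as "wan henet"
        opt[$2] = unq(val)
    }
    END {
        flush()
        ok = 1
        if (!wan_seen)           { print "FAIL: no zone named wan"; ok = 0 }
        else if (!wan_has_henet) { print "FAIL: wan zone does not list henet in option network"; ok = 0 }
        else                       print "OK:   wan zone covers henet"
        if (!proto41_rule)       { print "FAIL: no ACCEPT rule for proto 41 from wan"; ok = 0 }
        else                       print "OK:   proto 41 accepted from wan"
        exit ok ? 0 : 1
    }'
}

# Constructed sample: the wan zone as the article shows it before editing
firewall_before() {
    cat <<'EOF'
config zone
	option name wan
	option input REJECT
	option output ACCEPT
	option forward REJECT
	option masq 1
	option mtu_fix 1
EOF
}

# Constructed sample: the same file after both edits from the article
firewall_after() {
    cat <<'EOF'
config zone
	option name wan
	# to have IPv6 firewall rules apply to the tunnel
	option network 'wan henet'
	option input REJECT
	option output ACCEPT
	option forward REJECT
	option masq 1
	option mtu_fix 1

# Accept proto 41 so it always reaches the tunnel endpoint
config rule
	option src wan
	option proto 41
	option target ACCEPT
EOF
}

echo "--- before ---"; firewall_before | audit_firewall || echo "(audit failed, as expected)"
echo "--- after ---";  firewall_after  | audit_firewall && echo "(audit passed)"
```

On the router itself the call is simply audit_firewall < /etc/config/firewall. The audit accepts the protocol 41 rule exactly as the article writes it, which admits protocol 41 from any address on the wan side; OpenWrt firewall rules also take an option src_ip, so the rule can be narrowed to the broker's peer address (216.66.84.46 in the article's configuration) if you want the tunnel endpoint reachable only from its other end.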