New OpenWRT configuration

2012-05-11 17:56:29 -06:00 · 2012-05-11 17:56:29 -06:00 · 5afb9f8fd4
parent cdc5f01f42
commit 5afb9f8fd4
14 changed files with 50 additions and 140 deletions
--- a/doc/openwrt/README
+++ b/doc/openwrt/README
@ -1,57 +1,37 @@
-This directory contains the files used to set up an OpenWRT router.
+Using an OpenWRT router
+=======================

+You can use an off-the-shelf, OpenWRT capable wireless router,
+configuring only through the web interface.  The OpenWRT setup is
+intended for smaller contests, wired or non-wired, in which
+participants can be counted on not to launch link level attacks (ARP
+or NDP).  Bear in mind that the cheap consumer routers have relatively
+slow CPUs and won't stand up to high volume.

-Bear in mind that the cheap consumer routers have relatively slow CPUs
-and won't stand up to high volume.  This same configuration applies to
-OpenWRT running on an x86 PC, or any other target of OpenWRT.  For
-larger contests, it would be a good idea to use a faster machine for the
-router.  I don't have any specific recommendations at this time (Oct
-2010).
+The CTF repository includes a "router" package, which will boot a DBTL
+device as a IPv6 router complete with multicast forwarding and up to
+24 tagged VLANs (by using a managed switch).  This is a better option
+for larger contests, and can better handle high-speed (Gigabit)
+traffic.

-The router comes up as 10.0.0.1/16 on eth0.
+Instructions for setting up OpenWRT
+-----------------------------------

-If the router has a built-in switch, it is brought up without VLAN
-support, since these switches typically only support 16 VLANs, and do
-not support QinQ (double VLAN tags).  All 5 ports work like an unmanaged
-switch, which ends up being handy for the contest table.
+After installing OpenWRT:

-Plugging a managed switch into the router enables access to 48 VLANs,
-each configured to a /16 network.  The router on VLAN number v comes up
-as 10.v.0.1/16.
+* Change the root password
+* Install the kmod-ipv6, radvd, and luci-app-radvd packages
+* Configure the LAN interface as 10.0.0.1/16 and
+  fd84:b410:3441::1/64
+* Tell DHCP to begin at 257 after the base IP: this will assure
+  all DHCP addresses are after 10.0.1.0
+* Disable router solicitations on LAN
+* Enable WPA2, with the password "correct horse battery staple"
+* Turn on router advertisements (under radvd) on LAN
+* Enable prefix fd84:b410:3441::1/54 under radvd

-If the router has the ability to come up as a wireless access point, it
-will do so with SSID "CTF" and IP 10.254.0.1/16.
-
-All subnets can route to all other subnets, through the router.
-10.0.0.1/16 and 10.254.0.1/16 may have a higher TTL when routed to a
-VLAN (I haven't checked).  Keep in mind that anything connected directly
-to the router (ie. not through the managed switch) can do its own VLAN
-tagging.  This would be the way to hop on another team's subnet to do
-something like check service availability in such a way as to prevent
-teams from firewalling each other out.
-
-
-                                    SSID "CTF"
-                                  10.254.0.1/16
-                                    ((Y))
-                                      |
-                                      -------------
-                                     |   OpenWRT   |
-                                      -0-1-2-3-4---
-                                      /| | | | |
-                                     / | | | | |
-                                    /  | | | | |
-                                   /  10.0.0.1/16
-                                  /
-              -------------------t---
-             |   Managed Switch      |
-              -1-2-3-4-5-...-47-48---
-              /    |         |   \
-             /     |         |    \
-            /      |         |     \
-           /       |         |      \
-    10.1.0.1/16    |         |   10.48.0.1/16
-                   |         |
-              10.3.0.1/16    |
-                             |
-                        10.47.0.1/16
+This should be sufficient to bring up the router for running the
+contest.  If you want to get fancy, you can scp the files in
+www in this directory, into /www on the router.  This will give
+users some guidance if they accidentally browse to the router IP,
+and also disables the default redirection to luci.
--- a/doc/openwrt/etc/config/dhcp
+++ b/doc/openwrt/etc/config/dhcp
@ -1,2 +0,0 @@
-config dnsmasq
-        option leasefile        '/tmp/dhcp.leases'
--- a/doc/openwrt/etc/config/network
+++ b/doc/openwrt/etc/config/network
@ -1,27 +0,0 @@
-#### Switch configuration 
-config switch eth0
-	option enable		1
-	option enable_vlan	0
-
-#### Loopback configuration
-config interface loopback
-	option ifname	"lo"
-	option proto	static
-	option ipaddr	127.0.0.1
-	option netmask	255.0.0.0
-
-#### Administrative network
-config interface admin
-	option ifname	"eth0"
-	option proto	static
-	option ipaddr	10.0.0.1
-	option netmask	255.255.0.0
-
-#### Wireless
-config interface wifi
-	option proto	static
-        option ipaddr   10.254.0.1
-        option netmask  255.255.0.0
-
-# OpenWRT's "ifup/ifdown" are horribly slow, so the 48
-# vlans are set up in an init script :)
--- a/doc/openwrt/etc/config/wifi
+++ b/doc/openwrt/etc/config/wifi
@ -1,9 +0,0 @@
-config wifi-device wl0
-	option type	broadcom
-	option channel	1
-
-config wifi-iface
-	option device	wl0
-	option network	wifi
-	option mode	ap
-	option ssid	CTF
--- a/doc/openwrt/etc/init.d/iptables
+++ b/doc/openwrt/etc/init.d/iptables
@ -1,26 +0,0 @@
-#! /bin/sh /etc/rc.common
-
-START=45
-STOP=89
-
-start () {
-    stop
-
-    iptables -P INPUT ACCEPT
-    iptables -P OUTPUT ACCEPT
-    iptables -P FORWARD ACCEPT
-
-    iptables -A INPUT -p udp --dport 53 -j ACCEPT
-    iptables -A INPUT -p udp --dport 67 -j ACCEPT
-    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-    iptables -A INPUT -s 10.0.0.0/16 -j ACCEPT
-    iptables -A INPUT -j REJECT
-}
-
-stop () {
-    iptables -F INPUT
-    iptables -F OUTPUT
-    iptables -F FORWARD
-}
-
-
--- a/doc/openwrt/etc/init.d/vlan
+++ b/doc/openwrt/etc/init.d/vlan
@ -1,20 +0,0 @@
-#! /bin/sh /etc/rc.common
-
-START=41
-STOP=89
-
-VLANS=48
-
-start () {
-    for i in $(seq 1 $VLANS); do
-        vconfig add eth0 $i
-        ifconfig eth0.$i 10.$i.0.1 netmask 255.255.0.0
-    done
-}
-
-stop () {
-    for i in $(seq 1 $VLANS); do
-        vconfig rem eth0.$i
-    done
-}
-
--- a/doc/openwrt/etc/rc.d/K89iptables
+++ b/doc/openwrt/etc/rc.d/K89iptables
@ -1 +0,0 @@
-../init.d/iptables
--- a/doc/openwrt/etc/rc.d/K89vlan
+++ b/doc/openwrt/etc/rc.d/K89vlan
@ -1 +0,0 @@
-../init.d/vlan
--- a/doc/openwrt/etc/rc.d/S41vlan
+++ b/doc/openwrt/etc/rc.d/S41vlan
@ -1 +0,0 @@
-../init.d/vlan
--- a/doc/openwrt/etc/rc.d/S45iptables
+++ b/doc/openwrt/etc/rc.d/S45iptables
@ -1 +0,0 @@
-../init.d/iptables
--- a/doc/openwrt/www/index.html
+++ b/doc/openwrt/www/index.html
@ -0,0 +1,18 @@
+<DOCTYPE html>
+<html>
+  <head>
+    <title>Router</title>
+  </head>
+  <body>
+    <p>
+      You're in the wrong place.  This is the router.
+    </p>
+    <ul>
+      <li>
+        CTF Server: 
+        <a href="http://[fd84:b410:3441::2]/">IPv6</a>, <a href="http://10.0.0.2/">IPv4</a>
+      </li>
+      <li><a href="password_strength.png">WPA2 password</a></li>
+    </p>
+  </body>
+</html>
--- a/doc/openwrt/www/password_strength.png
+++ b/doc/openwrt/www/password_strength.png
--- a/doc/openwrt/www/password_strength_reflowed.png
+++ b/doc/openwrt/www/password_strength_reflowed.png
--- a/packages/mcp/www/index.html
+++ b/packages/mcp/www/index.html
@ -47,7 +47,7 @@
    <h2>Rules</h2>
    <ul>
      <li>
-        No DoS attacks.
+        No DoS attacks.  No link layer (ARP, NDP) attacks.
      </li>
      <li>
        Contest servers lie within <samp>fd84:b410:3441::/112</samp>