New OpenWRT configuration

2012-05-11 17:56:29 -06:00 · 2012-05-11 17:56:29 -06:00 · 60d7281342
parent 0b93d6bbc8
commit 60d7281342
14 changed files with 50 additions and 140 deletions
--- a/doc/openwrt/README
+++ b/doc/openwrt/README
@ -1,57 +1,37 @@
-This directory contains the files used to set up an OpenWRT router.
+Using an OpenWRT router
 =======================
 You can use an off-the-shelf, OpenWRT capable wireless router,
 configuring only through the web interface.  The OpenWRT setup is
 intended for smaller contests, wired or non-wired, in which
 participants can be counted on not to launch link level attacks (ARP
 or NDP).  Bear in mind that the cheap consumer routers have relatively
 slow CPUs and won't stand up to high volume.
-Bear in mind that the cheap consumer routers have relatively slow CPUs
+The CTF repository includes a "router" package, which will boot a DBTL
-and won't stand up to high volume.  This same configuration applies to
+device as a IPv6 router complete with multicast forwarding and up to
-OpenWRT running on an x86 PC, or any other target of OpenWRT.  For
+24 tagged VLANs (by using a managed switch).  This is a better option
-larger contests, it would be a good idea to use a faster machine for the
+for larger contests, and can better handle high-speed (Gigabit)
-router.  I don't have any specific recommendations at this time (Oct
+traffic.
 2010).
-The router comes up as 10.0.0.1/16 on eth0.
+Instructions for setting up OpenWRT
 -----------------------------------
-If the router has a built-in switch, it is brought up without VLAN
+After installing OpenWRT:
 support, since these switches typically only support 16 VLANs, and do
 not support QinQ (double VLAN tags).  All 5 ports work like an unmanaged
 switch, which ends up being handy for the contest table.
-Plugging a managed switch into the router enables access to 48 VLANs,
+* Change the root password
-each configured to a /16 network.  The router on VLAN number v comes up
+* Install the kmod-ipv6, radvd, and luci-app-radvd packages
-as 10.v.0.1/16.
+* Configure the LAN interface as 10.0.0.1/16 and
  fd84:b410:3441::1/64
 * Tell DHCP to begin at 257 after the base IP: this will assure
  all DHCP addresses are after 10.0.1.0
 * Disable router solicitations on LAN
 * Enable WPA2, with the password "correct horse battery staple"
 * Turn on router advertisements (under radvd) on LAN
 * Enable prefix fd84:b410:3441::1/54 under radvd
-If the router has the ability to come up as a wireless access point, it
+This should be sufficient to bring up the router for running the
-will do so with SSID "CTF" and IP 10.254.0.1/16.
+contest.  If you want to get fancy, you can scp the files in
-
+www in this directory, into /www on the router.  This will give
-All subnets can route to all other subnets, through the router.
+users some guidance if they accidentally browse to the router IP,
-10.0.0.1/16 and 10.254.0.1/16 may have a higher TTL when routed to a
+and also disables the default redirection to luci.
 VLAN (I haven't checked).  Keep in mind that anything connected directly
 to the router (ie. not through the managed switch) can do its own VLAN
 tagging.  This would be the way to hop on another team's subnet to do
 something like check service availability in such a way as to prevent
 teams from firewalling each other out.
                                    SSID "CTF"
                                  10.254.0.1/16
                                    ((Y))
                                      |
                                      -------------
                                     |   OpenWRT   |
                                      -0-1-2-3-4---
                                      /| | | | |
                                     / | | | | |
                                    /  | | | | |
                                   /  10.0.0.1/16
                                  /
              -------------------t---
             |   Managed Switch      |
              -1-2-3-4-5-...-47-48---
              /    |         |   \
             /     |         |    \
            /      |         |     \
           /       |         |      \
    10.1.0.1/16    |         |   10.48.0.1/16
                   |         |
              10.3.0.1/16    |
                             |
                        10.47.0.1/16
--- a/doc/openwrt/etc/config/dhcp
+++ b/doc/openwrt/etc/config/dhcp
@ -1,2 +0,0 @@
 config dnsmasq
        option leasefile        '/tmp/dhcp.leases'
--- a/doc/openwrt/etc/config/network
+++ b/doc/openwrt/etc/config/network
@ -1,27 +0,0 @@
 #### Switch configuration 
 config switch eth0
 	option enable		1
 	option enable_vlan	0
 #### Loopback configuration
 config interface loopback
 	option ifname	"lo"
 	option proto	static
 	option ipaddr	127.0.0.1
 	option netmask	255.0.0.0
 #### Administrative network
 config interface admin
 	option ifname	"eth0"
 	option proto	static
 	option ipaddr	10.0.0.1
 	option netmask	255.255.0.0
 #### Wireless
 config interface wifi
 	option proto	static
        option ipaddr   10.254.0.1
        option netmask  255.255.0.0
 # OpenWRT's "ifup/ifdown" are horribly slow, so the 48
 # vlans are set up in an init script :)
--- a/doc/openwrt/etc/config/wifi
+++ b/doc/openwrt/etc/config/wifi
@ -1,9 +0,0 @@
 config wifi-device wl0
 	option type	broadcom
 	option channel	1
 config wifi-iface
 	option device	wl0
 	option network	wifi
 	option mode	ap
 	option ssid	CTF
--- a/doc/openwrt/etc/init.d/iptables
+++ b/doc/openwrt/etc/init.d/iptables
@ -1,26 +0,0 @@
 #! /bin/sh /etc/rc.common
 START=45
 STOP=89
 start () {
    stop
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -A INPUT -p udp --dport 53 -j ACCEPT
    iptables -A INPUT -p udp --dport 67 -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A INPUT -s 10.0.0.0/16 -j ACCEPT
    iptables -A INPUT -j REJECT
 }
 stop () {
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
 }
--- a/doc/openwrt/etc/init.d/vlan
+++ b/doc/openwrt/etc/init.d/vlan
@ -1,20 +0,0 @@
 #! /bin/sh /etc/rc.common
 START=41
 STOP=89
 VLANS=48
 start () {
    for i in $(seq 1 $VLANS); do
        vconfig add eth0 $i
        ifconfig eth0.$i 10.$i.0.1 netmask 255.255.0.0
    done
 }
 stop () {
    for i in $(seq 1 $VLANS); do
        vconfig rem eth0.$i
    done
 }
--- a/doc/openwrt/etc/rc.d/K89iptables
+++ b/doc/openwrt/etc/rc.d/K89iptables
@ -1 +0,0 @@
 ../init.d/iptables
--- a/doc/openwrt/etc/rc.d/K89vlan
+++ b/doc/openwrt/etc/rc.d/K89vlan
@ -1 +0,0 @@
 ../init.d/vlan
--- a/doc/openwrt/etc/rc.d/S41vlan
+++ b/doc/openwrt/etc/rc.d/S41vlan
@ -1 +0,0 @@
 ../init.d/vlan
--- a/doc/openwrt/etc/rc.d/S45iptables
+++ b/doc/openwrt/etc/rc.d/S45iptables
@ -1 +0,0 @@
 ../init.d/iptables
--- a/doc/openwrt/www/index.html
+++ b/doc/openwrt/www/index.html
@ -0,0 +1,18 @@
 <DOCTYPE html>
 <html>
  <head>
    <title>Router</title>
  </head>
  <body>
    <p>
      You're in the wrong place.  This is the router.
    </p>
    <ul>
      <li>
        CTF Server: 
        <a href="http://[fd84:b410:3441::2]/">IPv6</a>, <a href="http://10.0.0.2/">IPv4</a>
      </li>
      <li><a href="password_strength.png">WPA2 password</a></li>
    </p>
  </body>
 </html>
--- a/doc/openwrt/www/password_strength.png
+++ b/doc/openwrt/www/password_strength.png
--- a/doc/openwrt/www/password_strength_reflowed.png
+++ b/doc/openwrt/www/password_strength_reflowed.png
--- a/packages/mcp/www/index.html
+++ b/packages/mcp/www/index.html
@ -47,7 +47,7 @@
    <h2>Rules</h2>
    <ul>
      <li>
-        No DoS attacks.
+        No DoS attacks.  No link layer (ARP, NDP) attacks.
      </li>
      <li>
        Contest servers lie within <samp>fd84:b410:3441::/112</samp>
		`@ -1,2 +0,0 @@`
			`config dnsmasq`
			`option leasefile '/tmp/dhcp.leases'`