From efc97585b68a9f692984ac4559f38e115957cc10 Mon Sep 17 00:00:00 2001
From: Neale Pickett
Date: Fri, 11 May 2012 17:56:29 -0600
Subject: [PATCH] New OpenWRT configuration
---
 doc/openwrt/README | 82 +++++++-----------
 doc/openwrt/etc/config/dhcp | 2 -
 doc/openwrt/etc/config/network | 27 ------
 doc/openwrt/etc/config/wifi | 9 --
 doc/openwrt/etc/init.d/iptables | 26 ------
 doc/openwrt/etc/init.d/vlan | 20 -----
 doc/openwrt/etc/rc.d/K89iptables | 1 -
 doc/openwrt/etc/rc.d/K89vlan | 1 -
 doc/openwrt/etc/rc.d/S41vlan | 1 -
 doc/openwrt/etc/rc.d/S45iptables | 1 -
 doc/openwrt/www/index.html | 18 ++++
 doc/openwrt/www/password_strength.png | Bin 0 -> 93029 bytes
 .../www/password_strength_reflowed.png | Bin 0 -> 131079 bytes
 14 files changed, 50 insertions(+), 140 deletions(-)
 delete mode 100644 doc/openwrt/etc/config/dhcp
 delete mode 100644 doc/openwrt/etc/config/network
 delete mode 100644 doc/openwrt/etc/config/wifi
 delete mode 100755 doc/openwrt/etc/init.d/iptables
 delete mode 100755 doc/openwrt/etc/init.d/vlan
 delete mode 120000 doc/openwrt/etc/rc.d/K89iptables
 delete mode 120000 doc/openwrt/etc/rc.d/K89vlan
 delete mode 120000 doc/openwrt/etc/rc.d/S41vlan
 delete mode 120000 doc/openwrt/etc/rc.d/S45iptables
 create mode 100644 doc/openwrt/www/index.html
 create mode 100644 doc/openwrt/www/password_strength.png
 create mode 100644 doc/openwrt/www/password_strength_reflowed.png
diff --git a/doc/openwrt/README b/doc/openwrt/README
index cedb2f9..ca6cdad 100644
--- a/doc/openwrt/README
+++ b/doc/openwrt/README
@@ -1,57 +1,37 @@
-This directory contains the files used to set up an OpenWRT router.
+Using an OpenWRT router
+=======================
+You can use an off-the-shelf, OpenWRT capable wireless router,
+configuring only through the web interface. The OpenWRT setup is
+intended for smaller contests, wired or non-wired, in which
+participants can be counted on not to launch link level attacks (ARP
+or NDP). Bear in mind that the cheap consumer routers have relatively
+slow CPUs and won't stand up to high volume.
-Bear in mind that the cheap consumer routers have relatively slow CPUs
-and won't stand up to high volume. This same configuration applies to
-OpenWRT running on an x86 PC, or any other target of OpenWRT. For
-larger contests, it would be a good idea to use a faster machine for the
-router. I don't have any specific recommendations at this time (Oct
-2010).
+The CTF repository includes a "router" package, which will boot a DBTL
+device as a IPv6 router complete with multicast forwarding and up to
+24 tagged VLANs (by using a managed switch). This is a better option
+for larger contests, and can better handle high-speed (Gigabit)
+traffic.
-The router comes up as 10.0.0.1/16 on eth0.
+Instructions for setting up OpenWRT
+-----------------------------------
-If the router has a built-in switch, it is brought up without VLAN
-support, since these switches typically only support 16 VLANs, and do
-not support QinQ (double VLAN tags). All 5 ports work like an unmanaged
-switch, which ends up being handy for the contest table.
+After installing OpenWRT:
-Plugging a managed switch into the router enables access to 48 VLANs,
-each configured to a /16 network. The router on VLAN number v comes up
-as 10.v.0.1/16.
+* Change the root password
+* Install the kmod-ipv6, radvd, and luci-app-radvd packages
+* Configure the LAN interface as 10.0.0.1/16 and
+ fd84:b410:3441::1/64
+* Tell DHCP to begin at 257 after the base IP: this will assure
+ all DHCP addresses are after 10.0.1.0
+* Disable router solicitations on LAN
+* Enable WPA2, with the password "correct horse battery staple"
+* Turn on router advertisements (under radvd) on LAN
+* Enable prefix fd84:b410:3441::1/54 under radvd
-If the router has the ability to come up as a wireless access point, it
-will do so with SSID "CTF" and IP 10.254.0.1/16.
-
-All subnets can route to all other subnets, through the router.
-10.0.0.1/16 and 10.254.0.1/16 may have a higher TTL when routed to a
-VLAN (I haven't checked). Keep in mind that anything connected directly
-to the router (ie. not through the managed switch) can do its own VLAN
-tagging. This would be the way to hop on another team's subnet to do
-something like check service availability in such a way as to prevent
-teams from firewalling each other out.
- - - SSID "CTF" - 10.254.0.1/16 - ((Y)) - | - ------------- - | OpenWRT | - -0-1-2-3-4--- - /| | | | | - / | | | | | - / | | | | | - / 10.0.0.1/16 - / - -------------------t--- - | Managed Switch | - -1-2-3-4-5-...-47-48--- - / | | \ - / | | \ - / | | \ - / | | \ - 10.1.0.1/16 | | 10.48.0.1/16 - | | - 10.3.0.1/16 | - | - 10.47.0.1/16
+This should be sufficient to bring up the router for running the
+contest. If you want to get fancy, you can scp the files in
+www in this directory, into /www on the router. This will give
+users some guidance if they accidentally browse to the router IP,
+and also disables the default redirection to luci.
diff --git a/doc/openwrt/etc/config/dhcp b/doc/openwrt/etc/config/dhcp
deleted file mode 100644
index 91a9742..0000000
--- a/doc/openwrt/etc/config/dhcp
+++ /dev/null
@@ -1,2 +0,0 @@
-config dnsmasq
- option leasefile '/tmp/dhcp.leases'
diff --git a/doc/openwrt/etc/config/network b/doc/openwrt/etc/config/network
deleted file mode 100644
index d2b22cb..0000000
--- a/doc/openwrt/etc/config/network
+++ /dev/null
@@ -1,27 +0,0 @@
-#### Switch configuration
-config switch eth0
- option enable 1
- option enable_vlan 0
-
-#### Loopback configuration
-config interface loopback
- option ifname "lo"
- option proto static
- option ipaddr 127.0.0.1
- option netmask 255.0.0.0
-
-#### Administrative network
-config interface admin
- option ifname "eth0"
- option proto static
- option ipaddr 10.0.0.1
- option netmask 255.255.0.0
-
-#### Wireless
-config interface wifi
- option proto static
- option ipaddr 10.254.0.1
- option netmask 255.255.0.0
-
-# OpenWRT's "ifup/ifdown" are horribly slow, so the 48
-# vlans are set up in an init script :)
diff --git a/doc/openwrt/etc/config/wifi b/doc/openwrt/etc/config/wifi
deleted file mode 100644
index eefe021..0000000
--- a/doc/openwrt/etc/config/wifi
+++ /dev/null
@@ -1,9 +0,0 @@
-config wifi-device wl0
- option type broadcom
- option channel 1
-
-config wifi-iface
- option device wl0
- option network wifi
- option mode ap
- option ssid CTF
diff --git a/doc/openwrt/etc/init.d/iptables b/doc/openwrt/etc/init.d/iptables
deleted file mode 100755
index f608ac6..0000000
--- a/doc/openwrt/etc/init.d/iptables
+++ /dev/null
@@ -1,26 +0,0 @@
-#! /bin/sh /etc/rc.common
-
-START=45
-STOP=89
-
-start () {
- stop
-
- iptables -P INPUT ACCEPT
- iptables -P OUTPUT ACCEPT
- iptables -P FORWARD ACCEPT
-
- iptables -A INPUT -p udp --dport 53 -j ACCEPT
- iptables -A INPUT -p udp --dport 67 -j ACCEPT
- iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
- iptables -A INPUT -s 10.0.0.0/16 -j ACCEPT
- iptables -A INPUT -j REJECT
-}
-
-stop () {
- iptables -F INPUT
- iptables -F OUTPUT
- iptables -F FORWARD
-}
-
-
diff --git a/doc/openwrt/etc/init.d/vlan b/doc/openwrt/etc/init.d/vlan
deleted file mode 100755
index 49bbdbd..0000000
--- a/doc/openwrt/etc/init.d/vlan
+++ /dev/null
@@ -1,20 +0,0 @@
-#! /bin/sh /etc/rc.common
-
-START=41
-STOP=89
-
-VLANS=48
-
-start () {
- for i in $(seq 1 $VLANS); do
- vconfig add eth0 $i
- ifconfig eth0.$i 10.$i.0.1 netmask 255.255.0.0
- done
-}
-
-stop () {
- for i in $(seq 1 $VLANS); do
- vconfig rem eth0.$i
- done
-}
-
diff --git a/doc/openwrt/etc/rc.d/K89iptables b/doc/openwrt/etc/rc.d/K89iptables
deleted file mode 120000
index 17013f0..0000000
--- a/doc/openwrt/etc/rc.d/K89iptables
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/iptables
\ No newline at end of file
diff --git a/doc/openwrt/etc/rc.d/K89vlan b/doc/openwrt/etc/rc.d/K89vlan
deleted file mode 120000
index 444d959..0000000
--- a/doc/openwrt/etc/rc.d/K89vlan
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/vlan
\ No newline at end of file
diff --git a/doc/openwrt/etc/rc.d/S41vlan b/doc/openwrt/etc/rc.d/S41vlan
deleted file mode 120000
index 444d959..0000000
--- a/doc/openwrt/etc/rc.d/S41vlan
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/vlan
\ No newline at end of file
diff --git a/doc/openwrt/etc/rc.d/S45iptables b/doc/openwrt/etc/rc.d/S45iptables
deleted file mode 120000
index 17013f0..0000000
--- a/doc/openwrt/etc/rc.d/S45iptables
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/iptables
\ No newline at end of file
diff --git a/doc/openwrt/www/index.html b/doc/openwrt/www/index.html
new file mode 100644
index 0000000..814d688
--- /dev/null
+++ b/doc/openwrt/www/index.html
@@ -0,0 +1,18 @@
+ + + + Router + + +

+ You're in the wrong place. This is the router. +

+