In this article I will talk about how to configure networking in OpenWRT. In particular, I will cover how to create multiple SSIDs on one radio card, configure WPA2-Enterprise, bring up VLANs, and configure a software switch (swconfig).
UCI
All configuration will be done from the console, since, unlike the web interface, it is not limited in capabilities. OpenWRT uses the Unified Configuration Interface (UCI) subsystem for system settings, which lets you centrally configure all kinds of services, from the file system mount service to the QoS service. All UCI settings live in the /etc/config/ directory and share the same syntax. The UCI system is controlled with the uci program. With it you can edit configuration files, view current settings and more. uci is very convenient for configuring the system from scripts. It is also possible to write extensions for uci. The syntax of the configuration files is:
config 'example' 'test'
    option 'string' 'some value'
    option 'boolean' '1'
    list 'collection' 'first item'
    list 'collection' 'second item'
config 'example' 'test' marks the beginning of a section: example is the type, which tells uci how to interpret the options in this section, and test is the section identifier. option or list defines the kind of setting; list is a composite setting (for example, the list of interfaces Apache listens on). string, boolean and collection are variable names.
Configuring Network Interfaces
Configuration file: /etc/config/network.
In the simplest case, the network setup looks like this:
config interface lan
    option ifname eth1
    option proto static
    option ipaddr 192.168.0.10
    option netmask 255.255.255.0
    option gateway 192.168.0.1
    option dns 192.168.0.1
Here lan is the role of this interface. It exists so that you can abstract away from interface names. For example, in the firewall you can allow all incoming traffic from lan.
An example of adding a static route:
config route
    option interface lan
    option target 10.1.1.1
    option netmask 255.255.255.255
    option gateway 192.168.0.100
Note that the interface must be specified.
An example of configuring a VLAN and adding it to a bridge:
config interface guest
    option ifname "eth1.123"
    option type bridge
    option proto static
    option netmask 255.255.255.0
    option ipaddr 192.168.2.2
This creates the "br-guest" interface and adds the eth1.123 interface to it (VLAN ID 123 on the eth1 interface). Below is an example of how to add a wireless interface to this bridge.
Since the chipsets used in routers usually have only 1-2 Ethernet ports and more are wanted, a separate Ethernet controller is used. One of its ports connects to the main chipset and the rest face outward. Such a soft switch is not represented directly in the network subsystem. The switch can be configured with the swconfig utility or through uci. Suppose we have one Ethernet port, eth0, connected to port 5 of the managed switch:
config 'switch' 'eth0'
    option 'enable' '1'
    option 'enable_vlan' '1'
    option 'reset' '1'

config 'switch_vlan'
    option 'vlan' '0'
    option 'device' 'eth0'
    option 'ports' '0 1 2 5t'

config 'switch_vlan'
    option 'vlan' '1'
    option 'device' 'eth0'
    option 'ports' '3 5t'

config 'switch_vlan'
    option 'vlan' '124'
    option 'device' 'eth0'
    option 'ports' '6t 5t'
Here eth0 is the name of the interface the switch is connected to. In the first section we enable the switch and enable tagged traffic (traffic with a VLAN). Each switch_vlan section describes one VLAN, given in the vlan option. That tag is applied to the ports listed in the ports option. The letter t after a port number means that traffic on this port is sent tagged; on the other listed ports it goes out without a tag. The entry '0 1 2 5t' should be read as: send untagged traffic from ports 0, 1, 2 to port 5 with tag 0. Since a VLAN with tag 0 is the same as untagged traffic, eth0 receives the traffic from ports 0, 1, 2 without any VLAN. The next section says ports = '3 5t', vlan = 1. This means that untagged traffic from port 3 arrives at eth0 with vlan-id = 1 (I do not recommend using vlan-id = 1). The last section has vlan = 124 and ports = '6t 5t', which means that traffic arriving at port 6 with tag 124 reaches eth0 with tag 124.
The network file can also be used to configure connections such as PPTP, PPPoE and even 6to4.
Wi-Fi setup
The configuration file is /etc/config/wireless.
Radio configuration is split into two parts: phy-level (physical) settings and interface settings. The minimum settings are as follows:
config 'wifi-device' 'radio0'
    option 'type' 'mac80211'
    option 'channel' '6'

config 'wifi-iface'
    option 'device' 'radio0'
    option 'network' 'guest'
    option 'mode' 'ap'
    option 'ssid' 'guest'
    option 'encryption' 'none'
In the first section we state that the chipset/driver type is mac80211 (determined at load time) and that channel 6 is used. You can also specify the standards used, the transmitter power, the antennas used, and so on. The second section describes the interface itself. There can be several interfaces, for example with different SSIDs. The device option must contain the ID of the section that describes the device, in this case radio0. network = guest means that this interface is attached to the guest interface defined in the network configuration. Since the network description above declares the guest interface as a bridge, this wireless interface will be added to the bridge br-guest.
An example of a multi-SSID setup with WPA2-Enterprise + CCMP encryption:
config 'wifi-iface'
    option 'device' 'radio1'
    option 'network' 'wlan'
    option 'mode' 'ap'
    option 'ssid' 'super'
    option 'encryption' 'wpa2'
    option 'server' '192.168.0.11'
    option 'port' '1812'
    option 'key' 'secret'

config 'wifi-iface'
    option 'device' 'radio1'
    option 'network' 'wlan'
    option 'mode' 'ap'
    option 'ssid' 'puper'
    option 'encryption' 'wpa2'
    option 'server' '192.168.0.11'
    option 'port' '1812'
    option 'key' 'secret'
OpenWRT will create two interfaces with different SSIDs (super and puper) and will authenticate their clients through the RADIUS server 192.168.0.11. key is the RADIUS key. You can usually create up to 4 SSIDs, depending on the radio card. I will also note that OpenWRT automatically creates a monitor-type device for each wifi device, which you can use to capture 802.11 headers.
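The tagging rules from the switch section and the encryption option from the wireless section can be checked offline against a saved copy of the configuration. The following Python code is an added example, not part of the original article or of OpenWRT: parse_uci, port_membership and findings are hypothetical names, the sample config is constructed, and a wifi-iface with no encryption option is assumed to be open.

```python
import shlex
def parse_uci(text):
    """Parse UCI text into [(section_type, name_or_None, {option: value})]."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)  # accepts 'quoted' and bare words
        if tok[:1] == ["config"] and len(tok) > 1:
            sections.append((tok[1], tok[2] if len(tok) > 2 else None, {}))
        elif len(tok) == 3 and tok[0] == "option" and sections:
            sections[-1][2][tok[1]] = tok[2]
        elif len(tok) == 3 and tok[0] == "list" and sections:
            sections[-1][2].setdefault(tok[1], []).append(tok[2])
    return sections

def port_membership(sections):
    """Map switch port number -> [(vlan, tagged)] from switch_vlan sections."""
    ports = {}
    for kind, _, opt in sections:
        if kind == "switch_vlan":
            for p in opt.get("ports", "").split():
                member = (int(opt["vlan"]), p.endswith("t"))  # '5t' = tagged
                ports.setdefault(int(p.rstrip("t")), []).append(member)
    return ports

def findings(sections):
    """Report ports untagged in several VLANs and SSIDs without encryption."""
    out = []
    for port, members in sorted(port_membership(sections).items()):
        untagged = [vlan for vlan, tagged in members if not tagged]
        if len(untagged) > 1:  # an access port can belong to one VLAN only
            out.append(f"port {port} is untagged in VLANs {untagged}")
    for kind, _, opt in sections:
        if kind == "wifi-iface" and opt.get("encryption", "none") == "none":
            out.append(f"SSID {opt.get('ssid')!r} is open on network {opt.get('network')!r}")
    return out

# Constructed sample: the article's layout with port 3 also left in VLAN 0.
SAMPLE = """
config 'switch_vlan'
    option 'vlan' '0'
    option 'ports' '0 1 2 3 5t'
config switch_vlan
    option vlan 1
    option ports '3 5t'
config 'wifi-iface'
    option 'ssid' 'guest'
    option 'network' 'guest'
    option 'encryption' 'none'
"""
print("\n".join(findings(parse_uci(SAMPLE))))
```

Run against the switch and WPA2-Enterprise sections exactly as written in this article, findings() returns an empty list; the open guest SSID from the minimal wireless example is the only entry it would report.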
Related Links:
wiki.openwrt.org/doc/uci
wiki.openwrt.org/doc/uci/network
wiki.openwrt.org/doc/uci/wireless
wiki.openwrt.org/doc/uci/network/switch