
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   IPV6      The convoluted hot-mess that is IPV6      4,612 messages   


   Message 2,984 of 4,612   
   Michiel van der Vlist to All   
   A second life for the linksys   
   31 Jul 11 14:37:00   
   
   TID: FMail-W32 2.1.3.7-B20170919   
   TZUTC: 0200   
   CHRS: CP850 2   
   PID: GED+W32 1.1.5-b20070503   
   MSGID: 2:280/5555 4e354ccd   
                   A SECOND LIFE FOR THE LINKSYS  Part 1   
                   By Michiel van der Vlist 2:280/5555   
      
      
   Some five years ago, I joined the family of FON and I obtained a   
   Linksys WRT54GL, flashed with FON software, for a bargain. It has been   
   humming quietly away for almost five years. In March I got a Fonera   
   SIMPL, so I replaced the Linksys.   
      
   As you may have noticed from previous articles, I am an IPv6 advocate.   
   I have been experimenting with IPv6 for some time now. I started out   
   with a tunnel from SixXs. The idea was to have the tunnel terminate on   
   the machine that was going to host my web server and my Fido System. A   
   machine that would run 24/7 anyway.   
      
   The tunnel works fine for providing IPv6 connectivity to that machine,   
   but my plan to have it function as an IPv6 router to provide IPv6   
   connectivity to other machines on the LAN failed. It turned out that an   
   AYIYA tunnel running on a Windows machine can not route a subnet.   
      
   So I chose another approach. Why not let the routing be done by something   
   that was designed for it in the first place: a router? With the   
   help of some guys in a Dutch IPv6 forum, I found a version of OpenWRT   
   that supports IPv6 and that can run on the Linksys. The binary image   
   can be found here:   
      
   http://www.vlist.eu/downloads/openwrt-wrt54g-squashfs-r25759.bin   
      
   Before you flash your linksys with this image be advised that the   
   WRT54GL has only 4 MB flash ROM available and the IPv6 add-ons need   
   memory space. So some compromise had to be made. This version does not   
   have a web interface, it is command line only. For most of us, that   
   should not be a problem, us FidoNetters have been using the command   
   line for ages. Also be warned that there is no easy "go back to factory   
   defaults button". Frankly, I do not even know how to go back to the   
   original firmware. I haven't felt the need yet, it is working fine, so   
   why fix what ain't broken?   
      
   No web interface, so you need a telnet/ssh client to access the router.   
   Telnet to 192.168.1.1 and you will get a prompt. The first thing you   
   will have to do is to configure a password for user root. It won't let   
   you do much, other than to use the "passwd" command for entering a   
   password after first startup.   
      
   Once you have configured a password for root, the Telnet interface is   
   disabled and you can only access the router with ssh. So get yourself   
   an ssh client first. A suitable one for windows is putty. To be found   
   here: www.putty.org. Putty BTW, is IPv6 capable.   
      
   With ssh you can log in as user root and the password you supplied.   
   Write down the password! There is no easy recovery if you forget the   
   password.   
      
   To my surprise I found that not only did I have a router, but I had a   
   complete Linux system at my hands. The idea of running a disk OS on a   
   stand-alone dedicated system - as I see a router - was completely new   
   to me and my first reaction when I saw the command line prompt was a   
   bit similar to what happened when I started up that PDP-8 some forty   
   five years ago: Ok, it started up. Now what?   
      
   So I tried "dir" and "type". Eh.. sorry, this isn't CP/M, FLEX or MS-DOS.   
   It is linux and the commands are "ls" and "cat" from now on. Ok...   
      
   Many of the standard Linux commands work. The entire configuration is   
   done by editing text files with a text editor. Weird idea for a stand   
   alone dedicated system, but I got used to it quickly.   
      
   The first thing of course was to get it configured properly for IPv4.   
   The machines on the LAN running servers needed a permanent address.   
   So we have to edit some files. We want the dhcp server to always issue   
   the same (semi-fixed) address to the machine named Fido. The package   
   comes with an editor called nano, so we enter the following command:   
      
   nano /etc/config/dhcp   
      
   And we add the following lines to the file:   
      
   [code]   
      
   config  host   
           option ip       '192.168.1.2'   
           option mac      '00:04:76:8C:25:3C'   
           option name     Fido   
      
   [/code]   
      
   Note that the address must be outside the normal dhcp pool which   
   defaults to 100-150. Set the MAC address to the one on the NIC of   
   the system in question.   
      
   Note that changes do not take effect until the router is rebooted.   
      
   Next step is the forwarding of port 80 and port 24554.  This is done   
   by adding the following lines to the file /etc/config/firewall   
      
   [code]   
      
   # forward port 80 and port 24554 to Fido   
      
   config  redirect                http   
           option src              wan   
           option dest             lan   
           option src_dport        80   
           option dest_port        80   
           option dest_ip          192.168.1.2   
           option proto            tcp   
      
   config  redirect                binkp   
           option src              wan   
           option dest             lan   
           option src_dport        24554   
           option dest_port        24554   
           option dest_ip          192.168.1.2   
           option proto            tcp   
      
   [/code]   
      
   If you want to use Wifi, it has to be enabled as it is disabled by   
   default. In the  file /etc/config/wireless:   
      
   [code]   
      
   config 'wifi-device' 'radio0'   
           option 'type' 'mac80211'   
           option 'channel' '11'   
           option 'macaddr' '00:16:b6:da:3a:b5'   
           option 'hwmode' '11g'   
           option 'disabled' '1'   
      
   config 'wifi-iface'   
           option 'device' 'radio0'   
           option 'network' 'lan'   
           option 'mode' 'ap'   
           option 'ssid' 'OpenWrt'   
           option 'encryption' 'none'   
      
   [/code]   
      
   Change "option 'disabled' '1'"  to "option 'disabled' '0'"   
      
   That will enable the radio, but it is highly recommended to enable   
   encryption as well.   
      
   Change "option 'encryption' 'none'" to "option 'encryption' 'psk2'"   
   to enable WPA2 encryption. 'wpa2' as option is for WPA2 with a radius   
   server.   
      
   Specify the key with:   
      
   [code]   
           option 'key' ''   
   [/code]   
      
   You may want to change the channel number and the ssid. Also the   
   parameter "11g" may be changed to "11bg" if you also want to support   
   older 11b clients.   
      
   As always, changes do not take effect until the router is rebooted.   
      
   That takes care of my IPv4 settings.   
      
      
   Next step is to configure a 6in4 tunnel.   
      
      
   If your ISP does not provide native IPv6 you will need to set up a   
   tunnel. Some ISP's offer tunnels, but if yours does not, you will   
   need a third party tunnel broker. Both SixXs and Hurricane Electric   
   offer free tunnels. So set up an account with either one of them   
   (or both) and apply for a tunnel. For this tunnel I choose Hurricane   
   Electric, because unlike SixXs, they do not let you jump through any   
   hoops. Just go to tunnelbroker.net, create an account, choose a site   
   for the tunnel ingress and apply for a tunnel. A Hurricane Electric   
   tunnel comes with a /64 subnet by default. But you can also get a /48.   
   We do not need that. Yet...   
      
   For a static he.net tunnel, you need a static or semi-static IPv4   
   address.   
      
   To configure the tunnel on the Linksys, add the following to   
   /etc/config/network   
      
   [code]   
      
   ####  The he.net tunnel   
   config  interface       henet   
           option proto    6in4   
           option peeraddr 216.66.84.46   
           option ip6addr  2001:470:1f14:1117::2/64   
           option tunnelid XXXXXX   
           option username xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx   
           option password xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx   
      
   [/code]   
      
   For "peeraddr" substitute the Server IPv4 address that the tunnel   
   broker has given you. For ip6addr substitute the client IPv6 address   
   that the tunnel broker gave you. Note that this is the address   
   of your tunnel end point, not the subnet. Also do not omit the /64,   
   it won't work without it. For tunnel ID substitute the decimal tunnel   
   ID number as supplied by the tunnel broker.   
      
   For Username substitute the 32 digit hex number that is found as   
   "User ID" on your account info page of tunnelbroker.net   
      
   The password should be a 32 digit hex number that is the MD5 hash of   
   your password for the tunnel broker. So how do we get that? The   
   Linksys will give it to you!   
      
   Type "echo -n '' | md5sum" at the command line and there   
   it is. Ain't that magic?   
      
   Reboot the router to have the changes take effect.   
      
   Now you should be able to ping6 ipv6 hosts from the router's command   
   line.   
      
   You can try to ping mine by typing:   
      
   [code]   
      
   root@OpenWrt:/# ping6 wrt6.vlist.eu   
   PING wrt6.vlist.eu (2001:470:1f14:1117::2): 56 data bytes   
   64 bytes from 2001:470:1f14:1117::2: seq=0 ttl=64 time=1.243 ms   
   64 bytes from 2001:470:1f14:1117::2: seq=1 ttl=64 time=1.358 ms   
   64 bytes from 2001:470:1f14:1117::2: seq=2 ttl=64 time=1.140 ms   
   64 bytes from 2001:470:1f14:1117::2: seq=3 ttl=64 time=1.142 ms   
   ^C   
      
   [/code]   
      
   If you get this result your tunnel is working. To enable incoming   
   pings however you need to open the firewall for protocol 41. Protocol   
   41 is the protocol used for 6in4 tunneling. The firewall of openwrt is   
   closed for all unsolicited incoming packets by default. By pinging   
   out over IPv6, the firewall is opened for protocol 41, and it can be   
   pinged from outside, but it closes again after a minute or two. Add   
   the following lines to /etc/config/firewall to keep the tunnel open   
   permanently:   
      
   [code]   
      
   # Accept proto 41 so it always reaches the tunnel endpoint   
      
   config  rule   
           option  src     wan   
           option  proto   41   
           option  target  ACCEPT   
      
   [/code]   
      
   To check if your router is pingable from outside, you can use a looking   
   glass server. Here is one: http://leasewebnoc.com/lg/html.   
      
   As a last step you have to configure the firewall to also apply the   
   firewall rules to the IPv6 tunnel.   
      
   In the file /etc/config/firewall  find this section:   
      
   [code]   
      
   config zone   
           option name     wan   
           option input    REJECT   
           option output   ACCEPT   
           option forward  REJECT   
           option masq     1   
           option mtu_fix  1   
      
   [/code]   
      
   And add this line after the second line:   
      
   [code]   
      
   # to have IPv6 firewall rules apply to the tunnel   
      
           option network  'wan henet'   
      
   [/code]   
      
      
   This completes the setup of the tunnel on the linksys. Next week's   
   article will describe how to let the router issue global IPv6 addresses   
   from a subnet to your machines on the LAN.   
      
      
      
      
   --- Fmail, Binkd, Golded   
    * Origin: he.net certified sage (2:280/5555)   
   SEEN-BY: 1/123 15/2 19/10 203/0 221/0 6 226/17 229/354 426 1014 240/5138   
   SEEN-BY: 240/5832 5853 249/206 317 400 280/464 5003 5006 5555 292/854   
   SEEN-BY: 310/31 317/3 320/219 322/757 342/200 460/58 633/280 640/1384   
   SEEN-BY: 712/848 2452/250 2454/119 3828/7 5019/40 5020/545 1042 12000   
   SEEN-BY: 5053/58   
   PATH: 280/5555 240/5832 229/426   
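
The settings the message above walks through, as an added example that is not part of the original message and not the author's code: a Python audit of the four points that decide what the router exposes, namely the wifi-iface encryption, the 6in4 interface being listed in the wan zone, the protocol 41 accept rule, and static DHCP leases sitting outside the dynamic pool. The UCI fragments in SAMPLE are assembled from the message's own snippets (the interface name henet, the host Fido, the peer address); the 'Printer' host and its address are a constructed addition, the pool bounds follow OpenWrt's 'start'/'limit' semantics (defaults 100 and 150, so 100-249), and henet_password() is the message's `echo -n ... | md5sum` step done in Python.

```python
"""Audit the OpenWrt UCI settings the post walks through.
Added example, not the post's code: a small UCI parser plus checks for the four
security-relevant settings in the post. SAMPLE is assembled from the post's
fragments; the 'Printer' host is a constructed addition.
"""
import hashlib
import shlex


def parse_uci(text):
    """Parse UCI 'config'/'option' lines into a list of {type, name, options} sections."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        words = shlex.split(line)                # handles 'quoted' and "quoted" values
        if words[0] == "config":
            sections.append({"type": words[1],
                             "name": words[2] if len(words) > 2 else None,
                             "options": {}})
        elif words[0] == "option" and sections:
            sections[-1]["options"][words[1]] = words[2] if len(words) > 2 else ""
    return sections


def henet_password(plaintext):
    """The 'password' value for the 6in4 section: MD5 of the tunnelbroker password."""
    return hashlib.md5(plaintext.encode()).hexdigest()


def audit(configs):
    """Return findings for dhcp/firewall/wireless/network; empty means all four are covered."""
    findings = []
    fw, wl = parse_uci(configs["firewall"]), parse_uci(configs["wireless"])
    dh, net = parse_uci(configs["dhcp"]), parse_uci(configs["network"])
    # 1. A wifi-iface with encryption 'none' is an open AP bridged into the LAN.
    for s in wl:
        if s["type"] == "wifi-iface" and s["options"].get("encryption", "none") == "none":
            findings.append("wireless: ssid %r has encryption 'none'" % s["options"].get("ssid"))

    # 2. A 6in4 interface outside the wan zone is not covered by that zone's policy.
    tunnels = [s["name"] for s in net if s["options"].get("proto") == "6in4"]
    wan = next((s for s in fw if s["type"] == "zone" and s["options"].get("name") == "wan"), None)
    zone_nets = wan["options"].get("network", "").split() if wan else []
    for t in tunnels:
        if t not in zone_nets:
            findings.append("firewall: 6in4 interface %r is not in the wan zone" % t)

    # 3. Proto 41 must be accepted from wan, else the tunnel only works while conntrack holds state.
    if not any(s["type"] == "rule" and s["options"].get("proto") == "41" and
               s["options"].get("src") == "wan" and s["options"].get("target") == "ACCEPT"
               for s in fw):
        findings.append("firewall: no ACCEPT rule for protocol 41 from wan")

    # 4. Static leases must sit outside the pool, given by 'start' (first host) and 'limit' (size).
    pool = next((s["options"] for s in dh
                 if s["type"] == "dhcp" and s["options"].get("interface") == "lan"), {})
    first = int(pool.get("start", 100))
    last = first + int(pool.get("limit", 150)) - 1
    for s in dh:
        if s["type"] == "host" and first <= int(s["options"]["ip"].rsplit(".", 1)[1]) <= last:
            findings.append("dhcp: static lease for %r (%s) lies inside the pool %d-%d"
                            % (s["options"].get("name"), s["options"]["ip"], first, last))
    return findings


# Constructed sample assembled from the post's fragments (see the module docstring).
SAMPLE = {
    "dhcp": """
config host
        option ip   '192.168.1.2'
        option name Fido
config host
        option ip   '192.168.1.120'
        option name Printer
""",
    "firewall": """
config zone
        option name     wan
        option network  'wan henet'
        option input    REJECT
config rule
        option src      wan
        option proto    41
        option target   ACCEPT
""",
    "wireless": """
config 'wifi-iface'
        option 'network'    'lan'
        option 'ssid'       'OpenWrt'
        option 'encryption' 'psk2'
""",
    "network": """
config interface henet
        option proto    6in4
        option peeraddr 216.66.84.46
""",
}
```

Feed audit() the text of /etc/config/dhcp, firewall, wireless and network as read off the router; with SAMPLE it reports only the constructed 'Printer' lease, which at .120 falls inside the default 100-249 pool even though it is above the "100-150" the message mentions. Leaving 'wan henet' out of the zone, dropping the protocol 41 rule, or setting encryption back to 'none' each produce their own finding.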
      



(c) 1994,  bbs@darkrealms.ca