Wed May 08 21:42:05 2019
At least recycle it... And build your own. I thought it was time to refresh my PCEngines hardware collection since my last purchase in 2016. The PCEngines APU series is more than capable of replacing a consumer grade router. With mini PCI express slots, including one for 3G and LTE cards with an accompanying SIM socket, you may find yourself with redundant ISPs once you finish. Every time I receive a new APU, I always forget how to install Debian onto it; the APU series supports booting over USB, but this post covers PXE booting.
PXE Server Configuration
Network
If your network is anything like mine then everything is wireless, and the gear that is wired is tucked away in a cabinet along with a rat's nest of wires. Even thinking about plugging some cat6 in gives me some anxiety. So, for any project work that requires a wired connection, I usually turn my desktop into a router and route traffic over the wireless interface. To route traffic from the LAN interface to the rest of the network or the Internet, IP forwarding needs to be enabled, in tandem with iptables rules to masquerade traffic out of the Internet-connected interface. Let's do that:
Enable IP forwarding
# sysctl net.ipv4.ip_forward=1
If you want this setting to persist, set it appropriately in /etc/sysctl.conf
net.ipv4.ip_forward=1
Verify with:
# sysctl net.ipv4.ip_forward
or # cat /proc/sys/net/ipv4/ip_forward
Enable masquerading
# iptables -t nat -A POSTROUTING -o the_internet_connected_interface -j MASQUERADE
Verify with:
# iptables -L -t nat
Dnsmasq
dnsmasq will provide the soon-to-be router with DNS, DHCP, and a TFTP server during boot.
Install it:
# apt-get install dnsmasq
In /etc/dnsmasq.conf there are only a few options that need to be enabled to provide the above functions.
Set the following appropriately:
interface=listen_interface
dhcp-range=starting address,ending address,lease time
dhcp-option=6,your_preferred_dns_server
dhcp-boot=pxelinux.0
enable-tftp
tftp-root=tftp_root_directory
Before starting dnsmasq, be sure to give the interface you want it to listen on an address within the range you specified in dnsmasq.conf:
# ip addr add 192.168.0.1/24 dev dnsmasq_interface
Upon starting dnsmasq you may encounter some errors:
# systemctl start dnsmasq.service
Job for dnsmasq.service failed because the control process exited with error code.
See "systemctl status dnsmasq.service" and "journalctl -xe" for details.
More than likely, checking journalctl -xe will show:
failed to create listening socket for port 53: Address already in use
There is a good chance that the systemd-resolved service is running and taking up port 53.
# netstat -anp | grep \:53
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 3006/systemd-resolv
Stop or disable that daemon before starting dnsmasq again.
# systemctl stop systemd-resolved.service
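As an added example (not code from the original post), the two pre-flight checks above as a POSIX sh script: who holds port 53 before dnsmasq is started, and whether the listening interface has an address yet. The check functions parse the text of `netstat -anp` and `ip -o -4 addr show`, so they can be exercised on captured output; the interface name eth1 in the usage line is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks before
# starting dnsmasq as the PXE server's DNS/DHCP/TFTP service.

# port53_owner LISTING
# Print the program name bound to port 53 in LISTING, the output of
# `netstat -anp`. tcp lines carry a State column and udp lines do not,
# so the PID/Program name is taken from the last field either way.
port53_owner() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)/ && $4 ~ /:53$/ {
            sub(/^[0-9]+\//, "", $NF)   # strip the "PID/" prefix
            print $NF
            exit
        }'
}

# addr_on_iface IFACE LISTING
# Print the first IPv4 address/prefix assigned to IFACE in LISTING, the
# output of `ip -o -4 addr show` (one interface per line, address in $4).
addr_on_iface() {
    printf '%s\n' "$2" | awk -v dev="$1" '$2 == dev { print $4; exit }'
}

# preflight_dnsmasq IFACE
# Run both checks against the live system; return non-zero on a problem.
preflight_dnsmasq() {
    owner=$(port53_owner "$(netstat -anp 2>/dev/null)")
    if [ -n "$owner" ] && [ "$owner" != "dnsmasq" ]; then
        echo "port 53 is held by $owner; stop it before starting dnsmasq" >&2
        return 1
    fi
    addr=$(addr_on_iface "$1" "$(ip -o -4 addr show)")
    if [ -z "$addr" ]; then
        echo "$1 has no IPv4 address; assign one in the dhcp-range subnet first" >&2
        return 1
    fi
    echo "ok: $1 has $addr and port 53 is free"
}

# Usage on the PXE server (interface name is an assumption):
# preflight_dnsmasq eth1
```

The program name netstat prints is truncated (systemd-resolv rather than systemd-resolved), which is why the check compares against the name dnsmasq rather than trying to normalise it.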
Debian PXE Configuration
Now that the network is set up, Debian can be configured to be installed over PXE with a serial console.
Download the mini.iso and netboot.tar.gz.
Move mini.iso and untar netboot.tar.gz into the tftp directory, e.g. /var/tftp/.
The /var/tftp/ directory listing should look like:
$ ls -l /var/tftp/
total 69232
drwxrwxr-x 3 root root 4096 Feb 11 16:12 debian-installer
lrwxrwxrwx 1 root root 47 Feb 11 16:12 ldlinux.c32 -> debian-installer/amd64/boot-screens/ldlinux.c32
-rw-rw-r-- 1 root root 40894464 Mar 8 21:29 mini.iso
lrwxrwxrwx 1 root root 33 Feb 11 16:12 pxelinux.0 -> debian-installer/amd64/pxelinux.0
lrwxrwxrwx 1 root root 35 Feb 11 16:12 pxelinux.cfg -> debian-installer/amd64/pxelinux.cfg
-rw-rw-r-- 1 root root 65 Feb 11 16:12 version.info
To install Debian over a serial console, update the install boot-screen to use the serial device. Everything after the --- (quiet console=ttyS0,115200n8) is copied into the installed system's bootloader configuration. Update the append statement:
$ cat debian-installer/amd64/boot-screens/txt.cfg
label install
menu label ^Install
kernel debian-installer/amd64/linux
append vga=off console=ttyS0,115200n8 initrd=debian-installer/amd64/initrd.gz --- quiet console=ttyS0,115200n8
In case you need to use the rescue menu, update the boot-screen to use the serial console as well.
$ cat debian-installer/amd64/boot-screens/rqtxt.cfg
label rescue
menu label ^Rescue mode
kernel debian-installer/amd64/linux
append vga=off console=ttyS0,115200n8 initrd=debian-installer/amd64/initrd.gz rescue/enable=true --- quiet
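As an added example (not code from the original post or the Debian installer), a POSIX sh filter that makes the edits to txt.cfg and rqtxt.cfg shown above mechanically: it rewrites every append line to drop the default vga= setting, insert vga=off and the console argument before initrd=, and add the console argument after the --- separator. The function treats both files the same way, so the rescue entry also gets the trailing argument, and it leaves lines that already carry the console setting untouched so it can be re-run. The console string is the one the post uses; the TFTP paths in the usage lines are the post's.

```shell
#!/bin/sh
# Added example (not from the original post): rewrite syslinux `append` lines
# so the installer and the installed system both use the serial console.

CONSOLE="console=ttyS0,115200n8"   # the APU serial console, as in the post

# serialize_append [FILE]
# Filter (stdin or FILE to stdout). For each "append ..." line that does not
# already mention $CONSOLE: remove any vga= argument, put "vga=off $CONSOLE"
# in front of initrd=, and append $CONSOLE after the "---" separator, which
# is the part the installer copies into the installed system's bootloader.
serialize_append() {
    sed -E \
        -e "/^[[:space:]]*append .*$CONSOLE/b" \
        -e "/^[[:space:]]*append /{s/ vga=[^ ]*//; s/initrd=/vga=off $CONSOLE initrd=/; s/ ---(.*)$/ ---\1 $CONSOLE/}" \
        "$@"
}

# serialize_file FILE
# Apply serialize_append in place, going through a temporary file so a
# failed sed run never truncates the boot-screen file.
serialize_file() {
    tmp=$(mktemp) && serialize_append "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# Usage on the TFTP root from the post:
# serialize_file /var/tftp/debian-installer/amd64/boot-screens/txt.cfg
# serialize_file /var/tftp/debian-installer/amd64/boot-screens/rqtxt.cfg
```

Run `serialize_append` on its own first (it prints to stdout) and diff the result against the original before committing it with `serialize_file`.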
Debian -> APU
You have a choice of serial comm programs, minicom and screen to name two.
The APU serial console comes set at a baud rate of 115200; power up the APU and launch screen at that speed.
# screen /dev/ttyUSB0 115200
Hit n for PXE boot.
The PXE menu will count down from 3 and autoboot, which should bring up the Debian install screen! Proceed through the install!
Router Configuration
Router Network
The network configuration shares some of that with the above, namely dnsmasq for DHCP, IP forwarding, and traffic masquerading via iptables.
The interfaces need to be configured appropriately before any of the services come up.
In the case of the APU3, there are three wired interfaces and one wireless:
eth0: Internet connected interface
eth1: Internal LAN handing out DHCP addresses
eth2: Your choice
wlan0: Internal WLAN handing out DHCP addresses
Bridge Interface
To get your wired and wireless LAN interfaces to hand out from the same DHCP pool, it is necessary to bridge them together. This bridge interface will be specified in the dnsmasq configuration.
Install bridge-utils:
# apt-get install bridge-utils
Create a bridge, then add the interfaces:
# brctl addbr br0
# brctl addif br0 eth0
# brctl addif br0 wlan0
Verify with:
# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.000db93ffd39       no              eth0
                                                        wlan0
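As an added example (not code from the original post), a POSIX sh version of the bridge steps above that only creates the bridge and adds members when they are missing, so it can be run repeatedly. The interesting part is reading `brctl show`: the first member sits on the bridge's own line and every further member on a continuation line that carries nothing else, which the parser has to account for. The interface names in the usage line are the post's.

```shell
#!/bin/sh
# Added example (not from the original post): parse `brctl show` output and
# add only the missing members to a bridge.

# bridge_members BRIDGE LISTING
# Print the member interfaces of BRIDGE, one per line, from LISTING (the
# output of `brctl show`). A bridge line has at least 3 fields (name, id,
# STP) and optionally a first member in field 4; each further member is a
# single-field continuation line belonging to the most recent bridge.
bridge_members() {
    printf '%s\n' "$2" | awk -v br="$1" '
        NR == 1 { next }                                   # header line
        NF >= 3 { cur = $1; if (cur == br && NF >= 4) print $4; next }
        NF == 1 && cur == br { print $1 }'
}

# ensure_bridge BRIDGE IFACE...
# Create BRIDGE if it does not exist and add each IFACE that is not already
# a member. Needs root and bridge-utils, as in the post.
ensure_bridge() {
    br="$1"; shift
    brctl show | awk -v br="$br" 'NR > 1 && $1 == br { found = 1 } END { exit !found }' \
        || brctl addbr "$br"
    members=$(bridge_members "$br" "$(brctl show)")
    for ifc in "$@"; do
        if ! printf '%s\n' "$members" | grep -qx "$ifc"; then
            brctl addif "$br" "$ifc"
        fi
    done
}

# Usage matching the post:
# ensure_bridge br0 eth0 wlan0
```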
Dnsmasq
You can remove the tftp options from the config previously mentioned, but update your IP address range accordingly.
Setting port=0 will disable the DNS service in dnsmasq in case you run an alternate DNS service.
port=0
interface=bridge_interface
expand-hosts
domain=your internal domain
dhcp-range=starting address,ending address,lease time
dhcp-option=6,your_preferred_dns_server
Enable IP forwarding; exactly the same as before. It's a router!
# sysctl net.ipv4.ip_forward=1
If you want this setting to persist, set it appropriately in /etc/sysctl.conf
net.ipv4.ip_forward=1
Verify with:
# sysctl net.ipv4.ip_forward
or # cat /proc/sys/net/ipv4/ip_forward
Enable masquerading
# iptables -t nat -A POSTROUTING -o the_internet_connected_interface -j MASQUERADE
Verify with:
# iptables -L -t nat
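As an added example (not code from the original post), a POSIX sh script covering the IP forwarding and masquerading steps above and the identical ones in the PXE server section, done idempotently: re-running the post's `iptables -t nat -A ...` appends a duplicate rule each time, so the script checks `iptables -S` before changing anything. It also adds the piece a practitioner would want next to MASQUERADE, a FORWARD chain policy, since NAT by itself does not decide which traffic is forwarded between the LAN and the Internet. The interface names eth0 and br0 are assumptions; the check functions work on `iptables -S` text and are what the apply function calls.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent NAT and forwarding
# setup for the Debian router. Interface names are assumptions; adjust them.
WAN=eth0     # Internet connected interface (assumed)
LAN=br0      # bridge carrying the wired + wireless LAN (assumed)

# has_masquerade_rule IFACE LISTING
# Return 0 if LISTING (the output of `iptables -S -t nat`) already contains
# a POSTROUTING MASQUERADE rule for IFACE.
has_masquerade_rule() {
    printf '%s\n' "$2" | grep -qE "^-A POSTROUTING -o $1 -j MASQUERADE\$"
}

# forward_policy_ok LISTING
# Return 0 if LISTING (the output of `iptables -S FORWARD`) has a DROP
# default policy plus an accept rule for established/related connections.
forward_policy_ok() {
    printf '%s\n' "$1" | grep -q '^-P FORWARD DROP$' &&
    printf '%s\n' "$1" | grep -qE '^-A FORWARD .*--ctstate RELATED,ESTABLISHED -j ACCEPT$'
}

# apply_router_rules
# Enable forwarding, then install NAT and a restrictive FORWARD policy only
# where they are not already present. Must run as root on the router.
apply_router_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null

    if ! has_masquerade_rule "$WAN" "$(iptables -S -t nat)"; then
        iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    fi

    if ! forward_policy_ok "$(iptables -S FORWARD)"; then
        iptables -P FORWARD DROP
        # replies to LAN-initiated connections
        iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        # new connections only from the LAN towards the Internet
        iptables -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    fi
}

# Uncomment to apply on the router itself:
# apply_router_rules
```

With the FORWARD policy in place, the post's `iptables -L -t nat` verification is complemented by `iptables -S FORWARD`, which should show the DROP policy first and the two accept rules after it.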
WiFi / hostapd
hostapd will allow you to turn your wireless card into an access point. It supports a range of cards and drivers; Atheros chipsets have worked well. PCEngines has the cards et al. available for purchase alongside the main APU unit. Whichever card is chosen, ensure the card is supported.
Install hostapd:
# apt-get install hostapd
There are many options for hostapd; the install includes an exhaustive example in /usr/share/doc/hostapd/examples/.
There were a few caveats with setting up hostapd the first time. Since the wired and wireless interfaces will be bridged, the bridge and interface options both need to be set in hostapd. By setting the bridge interface, hostapd will automatically add the AP interface to the bridge specified. When specifying the bridge in /etc/network/interfaces, only include the internal LAN interface in the bridge_ports line of the bridge interface stanza.
# grep bridge_ports /etc/network/interfaces
bridge_ports eth0
For the PSK, hostapd accepts a 256-bit secret or the ASCII passphrase of the key. To generate the secret, use wpa_passphrase, provided by the wpasupplicant package. wpa_passphrase takes two arguments, the SSID and the passphrase.
# wpa_passphrase SSID SetecAstronomy
network={
ssid="SSID"
#psk="SetecAstronomy"
psk=2800c2e595e8475fe0f944f58901bbfbcaa0ca6faf9c716ce21b30465ee2652b
}
Finally, the wpa settings in hostapd may be:
wpa=2
wpa_psk=2800c2e595e8475fe0f944f58901bbfbcaa0ca6faf9c716ce21b30465ee2652b
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
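As an added example (not code from the original post or hostapd's own checks), a POSIX sh linter for the wpa settings above, to run before hostapd is launched: it insists on wpa=2 with CCMP only, a wpa_key_mgmt that includes WPA-PSK, and a key of the right shape, meaning a wpa_psk of exactly 64 hex characters (the 256-bit secret wpa_passphrase prints) or, if the passphrase is used instead, a wpa_passphrase of 8 to 63 characters, which are the lengths hostapd accepts. The config text is passed in as a string so the checks can be run on a file or on captured content; the interface and bridge lines in the test config are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the WPA section
# of a hostapd.conf before starting hostapd.

# conf_get KEY CONF
# Print the value of KEY from CONF (the config file's text); the last
# assignment wins, commented lines ("#psk=...") never match.
conf_get() {
    printf '%s\n' "$2" | awk -F= -v k="$1" '$1 == k { v = substr($0, length(k) + 2) } END { print v }'
}

# check_wpa CONF
# Return 0 when CONF uses WPA2 with CCMP only and a well-formed key;
# otherwise print the first problem found to stderr and return 1.
check_wpa() {
    conf="$1"
    [ "$(conf_get wpa "$conf")" = "2" ] \
        || { echo "wpa must be 2 (WPA2 only)" >&2; return 1; }
    [ "$(conf_get wpa_pairwise "$conf")" = "CCMP" ] \
        || { echo "wpa_pairwise must be CCMP only (no TKIP)" >&2; return 1; }
    case " $(conf_get wpa_key_mgmt "$conf") " in
        *" WPA-PSK "*) ;;
        *) echo "wpa_key_mgmt must include WPA-PSK" >&2; return 1 ;;
    esac
    psk=$(conf_get wpa_psk "$conf")
    pass=$(conf_get wpa_passphrase "$conf")
    if [ -n "$psk" ]; then
        # the 256-bit secret is written as 64 hex digits
        printf '%s' "$psk" | grep -qxE '[0-9a-fA-F]{64}' \
            || { echo "wpa_psk is not 64 hex characters" >&2; return 1; }
    else
        n=${#pass}
        [ "$n" -ge 8 ] && [ "$n" -le 63 ] \
            || { echo "wpa_passphrase must be 8 to 63 characters" >&2; return 1; }
    fi
    return 0
}

# Usage on the router (path from the post):
# check_wpa "$(cat /etc/hostapd/hostapd.conf)" && /usr/sbin/hostapd /etc/hostapd/hostapd.conf
```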
The 802.11n setup was tricky. Finding the capabilities of the card required calling iw list; there may be multiple bands listed:
Band 1:
    capabilities: 0x11ce
        HT20/HT40
        SM Power Save disabled
        RX HT40 SGI
        TX STBC
        RX STBC 1-stream
        Max AMSDU length: 3839 bytes
        DSSS/CCK HT40
    Maximum RX AMPDU length 65
Band 2:
    capabilities: 0x11ce
        HT20/HT40
        SM Power Save disabled
        RX HT40 SGI
        TX STBC
        RX STBC 1-stream
        Max AMSDU length: 3839
        DSSS/CCK HT40
    Maximum RX AMPDU length 65
Make those play nice with hostapd; enable ieee80211n and wmm. For the Qualcomm Atheros AR928X Wireless Network Adapter (PCI-Express) (rev 01), the following worked well:
wmm=1
ieee80211n=1
ht_capab=[HT40+][RX-HT40-SGI][TX-STBC][RX-STBC1][DSSS_CK-40]
hostapd does not start like a normal daemon. Instead, call it on the CLI specifying the config file and see if it throws any errors. When the router boots, ensure hostapd comes up after all the interfaces do; this can be set in an interfaces file.
# /usr/sbin/hostapd /etc/hostapd/hostapd.conf
Test by connecting a client and checking the connected bit rate on the client; this will tell you whether HT is working properly.
# iwconfig wlan0
wlan0 IEEE 802.11 ESSID:"SSID"
Mode:Managed Frequency:5.18 GHz Access Point: 01:DE:AD:BE:EE:EF
Bit Rate=243 Mb/s Tx-Power=22 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on
Link Quality=46/70 Signal level=-64 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:358 Missed beacon:0
Config Management
Since this router is not like others, there is no web interface to manage the settings; who needs that anyhow. Deploy changes via configuration management software like ansible; this helps keep changes consistent and potentially avoids breaking your network and having to weed through the rat's nest.
Check out the code section under router for related ansible work.
Security
Security is paramount when piecing together a router. Running Debian, security updates are available and can be applied rapidly instead of waiting for manufacturer firmware. Taking advantage of unattended-upgrades would be a wise practice for any Debian install.
Aside from updates, the ability to choose your favorite packet filtering software (iptables or ufw come to mind) can assist in allowing or denying egress and ingress traffic. Running an IDS / IPS is now within reach: snort, suricata, and zeek, to name a few. Imagination may be the barrier when your router runs Debian.
@nullanvoid