Throw Away Your Router

At least recycle it... and build your own. I thought it was time to refresh my PCEngines hardware collection since my last purchase in 2016. The PCEngines APU series is more than capable of replacing a consumer grade router. With mini PCI Express slots, including one for 3G and LTE cards with an accompanying SIM socket, you may find yourself with redundant ISPs once you finish. Every time I receive a new APU, I forget how to install Debian onto it; the APU series supports booting over USB, but this post will cover PXE booting.

PXE Server Configuration

Network

If your network is anything like mine then everything is wireless, and the gear that is wired is tucked away in a cabinet along with a rat's nest of wires. Even thinking about plugging some Cat6 in gives me some anxiety. So, for any project work that requires a wired connection, I usually turn my desktop into a router and route traffic over the wireless interface. To route traffic from the LAN interface to the rest of the network or the Internet, IP forwarding needs to be enabled, in tandem with iptables rules to masquerade traffic out of the Internet-connected interface. Let's do that.

Enable IP forwarding:

```
# sysctl net.ipv4.ip_forward=1
```

If you want this setting to persist, set it in /etc/sysctl.conf:

```
net.ipv4.ip_forward=1
```

Verify with:

```
# sysctl net.ipv4.ip_forward
```

or

```
# cat /proc/sys/net/ipv4/ip_forward
```

Enable masquerading:

```
# iptables -t nat -A POSTROUTING -o the_internet_connected_interface -j MASQUERADE
```

Verify with:

```
# iptables -L -t nat
```

Dnsmasq

dnsmasq will provide the soon-to-be router with DNS, DHCP, and a TFTP server during boot. Install it:

```
# apt-get install dnsmasq
```

In /etc/dnsmasq.conf there are only a few options that need to be enabled to provide the above functions. Set the following appropriately:

```
interface=listen_interface
dhcp-range=starting address,ending address,lease time
dhcp-option=6,your_preferred_dns_server
dhcp-boot=pxelinux.0
enable-tftp
tftp-root=tftp_root_directory
```

Before starting dnsmasq, be sure to give the interface you want it to listen on an address within the range you specified in dnsmasq.conf:

```
# ip addr add 192.168.0.1/24 dev dnsmasq_interface
```

Upon starting dnsmasq you may encounter some errors:

```
# systemctl start dnsmasq.service
Job for dnsmasq.service failed because the control process exited with error code.
See "systemctl status dnsmasq.service" and "journalctl -xe" for details.
```
More than likely, checking journalctl -xe will show:

```
failed to create listening socket for port 53: Address already in use
```

There is a good chance that the systemd-resolved service is running and occupying port 53.

```
# netstat -anp | grep \:53
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      3006/systemd-resolv
```

Stop or disable that daemon before starting dnsmasq again.

```
# systemctl stop systemd-resolved.service
```

Debian PXE Configuration

Now that the network is set up, Debian can be configured to be installed over PXE with a serial console. Download the mini.iso and netboot.tar.gz. Move mini.iso into, and untar netboot.tar.gz into, the tftp directory, e.g. /var/tftp/. The /var/tftp/ directory listing should look like:

```
$ ls -l /var/tftp/
total 69232
drwxrwxr-x 3 root root     4096 Feb 11 16:12 debian-installer
lrwxrwxrwx 1 root root       47 Feb 11 16:12 ldlinux.c32 -> debian-installer/amd64/boot-screens/ldlinux.c32
-rw-rw-r-- 1 root root 40894464 Mar  8 21:29 mini.iso
lrwxrwxrwx 1 root root       33 Feb 11 16:12 pxelinux.0 -> debian-installer/amd64/pxelinux.0
lrwxrwxrwx 1 root root       35 Feb 11 16:12 pxelinux.cfg -> debian-installer/amd64/pxelinux.cfg
-rw-rw-r-- 1 root root       65 Feb 11 16:12 version.info
```

To install Debian over a serial console, update the install boot-screen to use the serial device. Everything after the --- (here, quiet console=ttyS0,115200n8) is copied by the installer into the installed system's bootloader, so the console setting must appear on both sides of it. Update the append statement:

```
$ cat debian-installer/amd64/boot-screens/txt.cfg
label install
    menu label ^Install
    kernel debian-installer/amd64/linux
    append vga=off console=ttyS0,115200n8 initrd=debian-installer/amd64/initrd.gz --- quiet console=ttyS0,115200n8
```

In case you need to use the rescue menu, update that boot-screen to use the serial console as well.
```
$ cat debian-installer/amd64/boot-screens/rqtxt.cfg
label rescue
    menu label ^Rescue mode
    kernel debian-installer/amd64/linux
    append vga=off console=ttyS0,115200n8 initrd=debian-installer/amd64/initrd.gz rescue/enable=true --- quiet
```

Debian -> APU

You have a choice of serial communication programs, minicom and screen to name two. The APU serial port comes set to a baud rate of 115200; power up the APU and launch screen at that speed.

```
# screen /dev/ttyUSB0 115200
```

Hit n for PXE boot. The PXE menu will count down from 3 and autoboot, which should bring up the Debian install screen! Proceed through the install!
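The one mistake that is easy to make with the boot-screens above is putting console= before the --- but not after it: the installer then runs fine over serial, and the installed system boots silently with its console on a VGA port the APU does not have. The check below is an added example, not part of the original post or of Debian's netboot tooling; check_append_console and SAMPLE_TXTCFG are names of my own, and the sample config is constructed from the two boot-screens shown above. It reads a syslinux config on stdin and reports, per label, whether console=ttyS0,115200n8 is present on both sides of the separator. A rescue entry is expected to fail this check, since nothing is installed from it.

```shell
#!/bin/sh
# Added example (not from the original post): verify that each 'append' line in
# a syslinux boot-screen carries the serial console both before and after '---'.
# Arguments before '---' go to the installer kernel; arguments after it are
# copied by the Debian installer into the installed system's bootloader.

CONSOLE='console=ttyS0,115200n8'

# Constructed sample config (not copied from a real tftp root): an install entry
# that is correct and a rescue entry that only sets the installer-side console.
SAMPLE_TXTCFG='label install
    menu label ^Install
    kernel debian-installer/amd64/linux
    append vga=off console=ttyS0,115200n8 initrd=debian-installer/amd64/initrd.gz --- quiet console=ttyS0,115200n8
label rescue
    menu label ^Rescue mode
    kernel debian-installer/amd64/linux
    append vga=off console=ttyS0,115200n8 initrd=debian-installer/amd64/initrd.gz rescue/enable=true --- quiet'

# check_append_console < syslinux.cfg
# Prints one line per append entry: "ok <label>" or "missing-<where> <label>".
# Returns 0 if every entry carries $CONSOLE on both sides of '---', else 1.
check_append_console() {
    status=0
    label='?'
    while IFS= read -r line; do
        # A 'label' line names the entry that the following 'append' belongs to.
        case "$line" in
            label\ *) label=${line#label }; continue ;;
        esac
        case "$line" in
            *append\ *) ;;
            *) continue ;;
        esac
        args=${line#*append }
        case "$args" in
            *---*) before=${args%%---*}; after=${args#*---} ;;
            *)     before=$args;          after='' ;;
        esac
        # Pad with spaces so the match is on a whole argument, not a substring.
        case " $before " in *" $CONSOLE "*) have_before=1 ;; *) have_before=0 ;; esac
        case " $after "  in *" $CONSOLE "*) have_after=1 ;;  *) have_after=0 ;;  esac
        if [ "$have_before" = 1 ] && [ "$have_after" = 1 ]; then
            printf 'ok %s\n' "$label"
        elif [ "$have_before" = 1 ]; then
            printf 'missing-after-separator %s\n' "$label"; status=1
        elif [ "$have_after" = 1 ]; then
            printf 'missing-before-separator %s\n' "$label"; status=1
        else
            printf 'missing-both %s\n' "$label"; status=1
        fi
    done
    return $status
}

# Stand-alone run against the constructed sample; a non-zero status is expected
# here because the rescue entry does not carry the console past '---'.
printf '%s\n' "$SAMPLE_TXTCFG" | check_append_console || :
```

To check the real files, run `check_append_console < /var/tftp/debian-installer/amd64/boot-screens/txt.cfg` on the PXE server before powering up the APU; an install entry that reports missing-after-separator is the one that will leave you staring at a dead serial port after the first reboot.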

Router Configuration

Router Network

The network configuration shares some of the above, namely dnsmasq for DHCP, IP forwarding, and traffic masquerading via iptables. The interfaces need to be configured appropriately before any of the services come up. In the case of the APU3, there are three wired interfaces and one wireless:

Bridge Interface

To get your wired and wireless LAN interfaces to hand out addresses from the same DHCP pool, it is necessary to bridge them together. This bridge interface will be specified in the dnsmasq configuration. Install bridge-utils:

```
# apt-get install bridge-utils
```

Create a bridge, then add the interfaces:

```
# brctl addbr br0
# brctl addif br0 eth0
# brctl addif br0 wlan0
```

Verify with:

```
# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.000db93ffd39       no              eth0
                                                        wlan0
```

Dnsmasq

You can remove the TFTP options from the config previously mentioned, but update your IP address range accordingly. Setting port=0 disables the DNS service in dnsmasq, in case you run an alternate DNS service.

```
port=0
interface=bridge_interface
expand-hosts
domain=your internal domain
dhcp-range=starting address,ending address,lease time
dhcp-option=6,your_preferred_dns_server
```

Enable IP forwarding; exactly the same as before. It's a router!

```
# sysctl net.ipv4.ip_forward=1
```

If you want this setting to persist, set it in /etc/sysctl.conf:

```
net.ipv4.ip_forward=1
```

Verify with:

```
# sysctl net.ipv4.ip_forward
```

or

```
# cat /proc/sys/net/ipv4/ip_forward
```

Enable masquerading:

```
# iptables -t nat -A POSTROUTING -o the_internet_connected_interface -j MASQUERADE
```

Verify with:

```
# iptables -L -t nat
```

WiFi / hostapd

hostapd will allow you to turn your wireless card into an access point. It supports a range of cards and drivers; Atheros chipsets have worked well. PCEngines has the cards and accessories available for purchase alongside the main APU unit. Whichever card is chosen, ensure it is supported. Install hostapd:

```
# apt-get install hostapd
```

There are many options for hostapd; the install includes an exhaustive example in /usr/share/doc/hostapd/examples/. There were a few caveats with setting up hostapd the first time. Since the wired and wireless interfaces will be bridged, the bridge and interface options need to be set exclusively.
By setting the bridge option, hostapd will automatically add the AP interface to the bridge specified. When specifying the bridge in /etc/network/interfaces, only include the internal LAN interface in the bridge_ports stanza of the bridge interface.

```
# cat /etc/network/interfaces | grep bridge_ports
    bridge_ports eth0
```

For the PSK, hostapd accepts a 256-bit secret or the ASCII passphrase of the key. To generate the secret, use wpa_passphrase, provided by the wpasupplicant package. wpa_passphrase takes two arguments, the SSID and the passphrase.

```
# wpa_passphrase SSID SetecAstronomy
network={
    ssid="SSID"
    #psk="SetecAstronomy"
    psk=2800c2e595e8475fe0f944f58901bbfbcaa0ca6faf9c716ce21b30465ee2652b
}
```

Finally, the WPA settings in hostapd may be:

```
wpa=2
wpa_psk=2800c2e595e8475fe0f944f58901bbfbcaa0ca6faf9c716ce21b30465ee2652b
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
```

The 802.11n setup was tricky. Finding the capabilities of the card required calling iw list; there may be multiple bands listed, each with its own capability block (Band 1 and Band 2 reported the same capabilities here):

```
Band 1:
    capabilities: 0x11ce
        HT20/HT40
        SM Power Save disabled
        RX HT40 SGI
        TX STBC
        RX STBC 1-stream
        Max AMSDU length: 3839 bytes
        DSSS/CCK HT40
        Maximum RX AMPDU length 65
Band 2:
    capabilities: 0x11ce
        HT20/HT40
        SM Power Save disabled
        RX HT40 SGI
        TX STBC
        RX STBC 1-stream
        Max AMSDU length: 3839 bytes
        DSSS/CCK HT40
        Maximum RX AMPDU length 65
```

Make those play nice with hostapd; enable ieee80211n and wmm. For the Qualcomm Atheros AR928X Wireless Network Adapter (PCI-Express) (rev 01), the following worked well:

```
wmm=1
ieee80211n=1
ht_capab=[HT40+][RX-HT40-SGI][TX-STBC][RX-STBC1][DSSS_CK-40]
```

hostapd does not start like a normal daemon. Instead, call it on the CLI specifying the config file and see if it throws any errors. When the router boots, ensure hostapd comes up after all the interfaces do; this can be set in an interfaces file.

```
# /usr/sbin/hostapd /etc/hostapd/hostapd.conf
```

Test connecting a client and check the connected bit rate on the client; this will let you know if HT is working properly.
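Translating the iw list block into an ht_capab line is the step that tends to go wrong, partly because hostapd matches capability tokens by substring and silently ignores any it does not recognise, so a misspelled token does not fail, it just never takes effect. hostapd's shipped example configuration names the short-guard-interval and DSSS/CCK capabilities [SHORT-GI-40] and [DSSS_CCK-40], which differ from the [RX-HT40-SGI] and [DSSS_CK-40] in the config above. The script below is an added example, not from the original post or from hostapd: ht_capab_from_iw and SAMPLE_BAND are my own names, and the sample is a constructed band block in the layout iw list uses rather than a capture from the AR928X. It maps each iw line to the token hostapd documents. Whether to emit [HT40+] or [HT40-] is not something iw reports; it depends on the channel you pick (for example, 5 GHz channel 36 pairs with 40 above it, so HT40+, while channel 40 pairs with 36 below it, so HT40-), so that choice is passed in as an argument.

```shell
#!/bin/sh
# Added example (not from the original post): derive a hostapd ht_capab= line
# from one band's HT capability block as printed by `iw list`, using the token
# names from hostapd's example hostapd.conf.

# Constructed sample in the layout `iw list` uses for one band's HT block.
# It is not a capture from the card in the post.
SAMPLE_BAND='    Capabilities: 0x11ce
        HT20/HT40
        SM Power Save disabled
        RX HT40 SGI
        TX STBC
        RX STBC 1-stream
        Max AMSDU length: 3839 bytes
        DSSS/CCK HT40'

# ht_capab_from_iw plus|minus  < band-block
# Reads one band's HT lines on stdin and prints "ht_capab=[...]".
# plus/minus selects [HT40+] or [HT40-]; iw cannot tell you which, it
# follows from the channel configured in hostapd.conf.
ht_capab_from_iw() {
    side="${1:-plus}"
    caps=""
    while IFS= read -r line; do
        case "$line" in
            *"RX LDPC"*)                caps="${caps}[LDPC]" ;;
            *"HT20/HT40"*)
                if [ "$side" = minus ]; then caps="${caps}[HT40-]"
                else caps="${caps}[HT40+]"; fi ;;
            *"RX Greenfield"*)          caps="${caps}[GF]" ;;
            *"RX HT20 SGI"*)            caps="${caps}[SHORT-GI-20]" ;;
            *"RX HT40 SGI"*)            caps="${caps}[SHORT-GI-40]" ;;
            *"TX STBC"*)                caps="${caps}[TX-STBC]" ;;
            *"RX STBC 1-stream"*)       caps="${caps}[RX-STBC1]" ;;
            *"RX STBC 2-streams"*)      caps="${caps}[RX-STBC12]" ;;
            *"RX STBC 3-streams"*)      caps="${caps}[RX-STBC123]" ;;
            *"Max AMSDU length: 7935"*) caps="${caps}[MAX-AMSDU-7935]" ;;
            *"DSSS/CCK HT40"*)          caps="${caps}[DSSS_CCK-40]" ;;
            # Lines such as "SM Power Save" or "Maximum RX AMPDU length" have
            # no ht_capab equivalent and are skipped.
        esac
    done
    printf 'ht_capab=%s\n' "$caps"
}

# Stand-alone run: a 5 GHz AP on channel 36 uses the secondary channel above
# it, so the HT40+ form is requested.
printf '%s\n' "$SAMPLE_BAND" | ht_capab_from_iw plus
```

For the real card, paste only one band's block into the function (for example by saving iw list output and trimming it to the band you operate on); if the emitted line and the client's negotiated bit rate disagree with what the card advertises, the token names are the first thing to compare against /usr/share/doc/hostapd/examples/hostapd.conf.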
```
# iwconfig wlan0
wlan0     IEEE 802.11  ESSID:"SSID"
          Mode:Managed  Frequency:5.18 GHz  Access Point: 01:DE:AD:BE:EE:EF
          Bit Rate=243 Mb/s   Tx-Power=22 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
          Link Quality=46/70  Signal level=-64 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:358   Missed beacon:0
```

Config Management

Since this router is not like others, there is no web interface to manage the settings; who needs that anyhow. Deploy changes via configuration management software like Ansible; this helps keep changes consistent and potentially avoids breaking your network, which would require weeding through the rat's nest. Check out the code section under router for related Ansible work.

Security

Security is paramount when piecing together a router. Running Debian, security updates are available and can be applied rapidly, in lieu of waiting for manufacturer firmware. Taking advantage of unattended-upgrades would be a wise practice for any Debian install. Aside from updates, the ability to choose your favorite packet filtering software, iptables or ufw come to mind, can assist in allowing or denying egress and ingress traffic. Running an IDS / IPS is now within reach: snort, suricata, and zeek to name a few. Imagination may be the barrier when your router runs Debian.

Download: [tar] [sha1sum]

@nullanvoid
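The Security section above leaves the packet filter as an exercise, and the only iptables rule in the post is the MASQUERADE entry, which on its own leaves the router's INPUT and FORWARD chains wide open in both directions. The ruleset generator below is an added example, not from the original post or from the router code it links to; router_ruleset and the interface names (WAN for the Internet-connected interface, LAN for the bridge, LAN_CIDR for the DHCP subnet) are my own placeholders. It prints a default-deny ruleset in iptables-restore format that accepts only what the post's own services need: DHCP and DNS from the bridge, SSH from the LAN subnet, established replies, and forwarding from LAN to WAN with the matching MASQUERADE. One caveat worth knowing: frames switched between the bridge's own ports (eth0 to wlan0) stay at layer 2 and do not pass through these chains unless br_netfilter is loaded.

```shell
#!/bin/sh
# Added example (not from the original post): a default-deny iptables ruleset
# for the Debian router, in iptables-restore format, with the MASQUERADE rule
# from the post and the filter rules that should accompany it.

# router_ruleset WAN LAN LAN_CIDR
# Prints the ruleset to stdout. Interface and subnet names are placeholders;
# review the output, then apply it with iptables-restore (see usage below).
router_ruleset() {
    wan="$1"; lan="$2"; lan_net="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic to the router itself: loopback, replies to what it sent, and ICMP.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
# Services the LAN needs from the router: DHCP (no source filter, clients
# discover from 0.0.0.0), DNS, and SSH for management.
-A INPUT -i $lan -p udp --dport 67 -j ACCEPT
-A INPUT -i $lan -s $lan_net -p udp --dport 53 -j ACCEPT
-A INPUT -i $lan -s $lan_net -p tcp --dport 53 -j ACCEPT
-A INPUT -i $lan -s $lan_net -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Nothing arriving on $wan that is not a reply reaches the router.
# Forwarding: the LAN may open connections toward the WAN; the WAN only
# gets the replies back.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# The post's masquerade rule, restricted to the LAN subnet.
-A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
COMMIT
EOF
}

# chain_policy RULESET_TEXT CHAIN
# Returns the default policy of CHAIN in the *filter table of the given text,
# so a deployment script can refuse to load a ruleset that is not default-deny.
chain_policy() {
    printf '%s\n' "$1" | sed -n "s/^:$2 \([A-Z]*\) .*/\1/p" | head -n 1
}

# Stand-alone run with placeholder names; nothing is applied.
router_ruleset enp1s0 br0 192.168.1.0/24
```

Usage on the router, with the real interface names substituted: `router_ruleset enp1s0 br0 192.168.1.0/24 | iptables-restore --test` to syntax-check, then the same pipeline without --test to load it, and iptables-persistent or the Ansible role mentioned above to make it survive a reboot. Adjust the SSH rule to whichever interface you manage from; as written, an SSH attempt from the WAN side is dropped by the INPUT policy.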