[Commotion-dev] PittMesh configuration setup
Adam Longwill
adam.longwill at metamesh.org
Tue Apr 14 14:31:46 EDT 2015
Hello everyone, I wanted to share our configuration document with you to
see if there would be better ways going forward to configure our nodes.
This document is for 1.1, obviously, and there may be new ways to configure
things. In particular, we don't seem to have meshing over Ethernet working
properly and I wanted to know in particular if we're doing it properly. The
section about the firewall rules has been corrected in 1.2 and can be
omitted.
Configuration Instructions for PittMesh for Commotion 1.1

0. Assuming you have flashed the node and are directly connected to it
   after determining its IP address, do the following. Please note that you
   MUST NOT connect to your device via a network serving DHCP or this process
   will render your router unreachable. Before we begin we ALSO need to know
   the speed of the Internet you will be donating. Test your Internet
   bandwidth speed by going to GETMYSPEED.COM <http://getmyspeed.com/> (which
   presents your speed in kbps). Write those values down and save them for
   later.

1. Setup wizard
   a. Run the Setup wizard.
      i. Node Name: the name should follow this model, in all lower case:
         street-addressnumber-(miscellaneous optional value)-band, OR
         buildingname-(miscellaneous optional value)-band, OR
         a randomized 10-digit number.
         Examples:
         1. ewarrington-744-24 (a 2.4 GHz node at 744 East Warrington Ave.)
         2. brewhouse-ne-5 (a 5 GHz node at the Brew House pointed North East)
         3. hackpgh-tobrewhouse-5 (a 5 GHz directional node at Hack Pittsburgh
            pointed TO the BREWHOUSE)
         4. 8461285602 (if you wish to remain anonymous, use 10 random digits)
      ii. Enter Root Password: enter a password to configure this node with.
      iii. Mesh Network Name: PittMesh_Backhaul
      iv. Channel: 11 or 48 (2.4 GHz and 5 GHz, respectively)
      v. Access Point: PittMesh
      vi. Channel: same as the Mesh Network channel, 11 or 48
      vii. Require Password? No
   b. Click Finish (do NOT click "NEXT").
   c. Click "Save and Apply".
   d. Reboot the device (go to ADVANCED > SYSTEM > REBOOT and click PERFORM
      REBOOT).
   e. Log back in.

2. Rename the node
   a. By default, Commotion appends a random number to every router name to
      ensure different host names on the network. If the above instructions
      were followed properly, this is not necessary.
   b. Go to ADVANCED > SYSTEM and remove the randomized numbers from the end
      of the Node Name, then click SUBMIT. This can only be done through
      Advanced > System and not Basic Menu > System.

3. Add the WAN port to the proper firewall zone
   a. WHY? Because after the initial flash, the routers are unreachable
      unless this is added. This allows them to be accessed from the WAN
      interface only -- how do we access them from another node on the mesh?
   b. SSH into the router as the root user and type the following commands,
      hitting the Enter key after each line:
      i. uci add_list firewall.@zone[2].network=wan
      ii. uci commit firewall

4. Enable the use of the firewall.user file for custom firewall rules
   a. When Commotion 1.1 shipped, it mistakenly used a version of OpenWRT
      that was not set up to include custom firewall rules set in the GUI.
      This process adds the use of the file "firewall.user" for later
      configuration in this process.
   b. Open a terminal and type (make sure you know the IP address of your
      router and enter it where the x's are in the following command):
      i. ssh root@x.x.x.x
   c. Enter the root password you created in step 1aii.
   d. Type the following command:
      i. vi /etc/config/firewall
   e. Use the down arrow key to scroll down to the end of the file.
   f. Position your cursor at the end of the last character in the last
      line of the file.
   g. Press the "i" key to enter insert mode.
   h. Press Enter twice to make a new section.
   i. Type the following lines (NOTE! the second line is preceded by a Tab):
      i. config include
      ii. option path /etc/firewall.user
   j. Press the Escape key.
   k. Type the following to "write" the file and then "quit" the file:
      i. :wq
   l. Type the following command:
      i. exit
   m. Close the terminal.

5. Open the HTTPS port for management purposes
   a. By default, HTTPS is blocked by the firewall rules for all interfaces.
      This procedure corrects that.
   b. Go to ADVANCED > NETWORK > FIREWALL.
   c. At the top of the page, click on the TRAFFIC RULES tab.
   d. Under the "Open ports on router" section, fill in the following values:
      i. Name: "Admin Interface"
      ii. Protocol: "TCP"
      iii. External port: 443
   e. Click the ADD button next to the fields you just filled out.
   f. Click SAVE AND APPLY.
   g. Reboot the device (go to ADVANCED > SYSTEM > REBOOT and click PERFORM
      REBOOT).
   h. Log back in.

6. Add firewall rules that protect your network from being accessed from
   PittMesh
   a. By default, all IP addresses on your LAN are accessible from the mesh.
      While this is useful if you are hosting a server, it can be a security
      concern if you are not. This procedure instructs the router to drop any
      and all packets destined for your LAN IP addresses except for your
      gateway. Make sure you know your gateway's IP address before proceeding.
   b. Go to ADVANCED > NETWORK > FIREWALL > CUSTOM RULES.
   c. There will be a large text box with lines of text starting with #.
      After those lines, type the following lines, each on its own line
      (these block access to the common private network segments):
      i. iptables -I OUTPUT -o eth0 -d 192.168.0.0/16 -j DROP
         iptables -I OUTPUT -o eth0 -d 172.16.0.0/12 -j DROP
         iptables -I OUTPUT -o eth0 -d 10.0.0.0/8 -j DROP
   d. You have now blocked access to every IP address in the private network
      spaces used in IPv4 -- including your gateway. Enter the following line
      to allow access to your gateway. Enter your gateway's IP address where
      the x's are, such as 192.168.1.1. If you wish to allow access to another
      IP address because you want to host a server on that address, follow
      the same format and add a new line with the server's IP address:
      i. iptables -I OUTPUT -o eth0 -d x.x.x.x -j ACCEPT
   e. Scroll to the bottom of the page and click SUBMIT.
   f. Go to ADVANCED > STATUS > FIREWALL and click RESTART FIREWALL.

7. Set a static IP for the router
   a. To ensure the PittMesh node has the same IP address on your LAN, we
      must manually set it. This procedure sets the IP address for your
      network.
   b. Go to ADVANCED > NETWORK > INTERFACES.
      i. Under "Interface Overview", select EDIT next to the WAN interface.
      ii. Under "Common Configuration", in the PROTOCOL pull-down menu,
          change "Commotion Interface" to "Static Address".
      iii. Click SWITCH PROTOCOL under the prompt "Really switch protocol?"
      iv. Set the static IP address on which you want your node to be
          accessible on your LAN. Meta Mesh recommends using .202 for the
          last octet (for 2.4 GHz) and .205 (for 5 GHz), and the netmask
          255.255.255.0.
          1. Example: IP 192.168.1.202, netmask 255.255.255.0 for a 2.4 GHz
             node, and 192.168.1.212, netmask 255.255.255.0 for a second
             2.4 GHz node on your network.
      v. Set the broadcast address to the proper value for your network
         (usually x.x.x.255).
         1. Example: for a 192.168.1.0 network, set this value to
            192.168.1.255.
      vi. Set the "Use custom DNS servers" field to the local network gateway
          and leave all following fields blank.
          1. Example: for a 10.1.10.0 network with a gateway at .1, set this
             value to 10.1.10.1.
      vii. Scroll down and click SAVE AND APPLY.

8. Enable QoS rules
   a. Go to ADVANCED > NETWORK > QoS.
   b. Check the Enable box.
   c. Set the download speed and upload speed to less than the speed of your
      Internet access (Meta Mesh recommends halving your total bandwidth).
   d. In the Classification Rules settings, delete all the rules.
   e. Click the "Add" button 3 times. This will create 3 blank rules.
   f. Define the rules as follows:

      Target    Source host  Destination host  Service  Protocol  Ports
      Priority  ALL          ALL               ALL      TCP       80,443
      Priority  ALL          ALL               ALL      UDP       698
      Low       ALL          ALL               ALL      ALL       ALL

9. Turn on OLSR over Ethernet
   a. Most PittMesh nodes involve 2 or more routers. To ensure that they
      speak to each other properly, we must tell the OLSR protocol to work on
      an additional Ethernet interface. By default, OLSR only operates on the
      PittMesh_Backhaul SSID on the ad hoc interface called
      PittMesh_95backhaul. This procedure includes OLSR over the WAN
      interface, which is actually your LAN in your home or business.
      i. Go to SERVICES > OLSR and, on the General Settings tab, scroll to
         the bottom and click ADD in the "Interface" section.
      ii. In the new page that comes up, click the radio button for the
          "WAN" interface.
      iii. In the "Mode" pull-down menu, select ETHER.
      iv. Scroll down and click SAVE AND APPLY.
      v. Reboot the device (go to ADVANCED > SYSTEM > REBOOT and click
         PERFORM REBOOT).

You're done!
Any advice would be appreciated. Thanks!
Adam Longwill
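The zone index in step 3 (`@zone[2]`) is positional: uci numbers anonymous sections in the order they appear in /etc/config/firewall, so "the third zone" is whatever the image shipped or an earlier edit left there. Before appending `wan` to a zone's network list, a practitioner would confirm which zone sits at that index. The script below is an added example, not part of the original post or of Commotion: it parses a constructed `uci show firewall` dump (the zone names lan/wan/mesh and their order are assumptions for the example, not taken from a Commotion image), looks the index up by zone name, and prints the uci commands for steps 3 and 4, adding the firewall.user include through uci instead of editing the file in vi. On a real node, replace the sample with the output of `uci show firewall`.

```shell
#!/bin/sh
# Added example, not from the original post or from Commotion.
# Looks up a firewall zone by name in `uci show firewall` output and prints
# the uci commands that steps 3 and 4 of the procedure perform by hand.

# Constructed sample of `uci show firewall` output. The zone names and
# their order are assumptions for this example; a real node may differ.
SAMPLE_DUMP='firewall.@defaults[0]=defaults
firewall.@zone[0]=zone
firewall.@zone[0].name=lan
firewall.@zone[0].network=lan
firewall.@zone[1]=zone
firewall.@zone[1].name=wan
firewall.@zone[1].network=wan
firewall.@zone[2]=zone
firewall.@zone[2].name=mesh
firewall.@zone[2].network=mesh'

# Print the positional index of the zone named $2 in dump $1.
# Fails (exit 1, no output) when no such zone exists.
zone_index_by_name() {
    printf '%s\n' "$1" |
        sed -n "s/^firewall\.@zone\[\([0-9]*\)]\.name=$2\$/\1/p" |
        head -n 1 | grep .
}

# True when dump $1 already includes /etc/firewall.user, so the
# include stanza from step 4 is not added a second time.
has_firewall_user_include() {
    printf '%s\n' "$1" |
        grep -q '^firewall\.@include\[[0-9]*]\.path=/etc/firewall\.user$'
}

# Emit the uci commands: add interface $3 (default wan) to the network
# list of zone $2, add the firewall.user include if it is missing, commit.
pittmesh_uci_commands() {
    dump=$1; zone=$2; iface=${3:-wan}
    idx=$(zone_index_by_name "$dump" "$zone") || {
        echo "no firewall zone named '$zone' in uci dump" >&2
        return 1
    }
    echo "uci add_list firewall.@zone[$idx].network=$iface"
    if ! has_firewall_user_include "$dump"; then
        echo "uci add firewall include"
        echo "uci set firewall.@include[-1].path=/etc/firewall.user"
    fi
    echo "uci commit firewall"
}

# Stand-alone run: show the commands for the sample dump.
pittmesh_uci_commands "$SAMPLE_DUMP" mesh
```

The commands are printed rather than executed so they can be read before being pasted into the node's shell; `has_firewall_user_include` keeps the script safe to run twice, since uci would otherwise happily add a duplicate include section.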
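The custom rules in step 6 are placed in the OUTPUT chain, but OUTPUT only sees packets the node itself generates. Traffic from mesh peers and from clients of the PittMesh access point toward the LAN behind eth0 is routed through the node and traverses the FORWARD chain, so OUTPUT rules do not filter it; what they do filter is the node's own traffic (OLSR, DNS and the like) to every LAN address except the gateway. The script below is an added example, not from the original post, Commotion or Meta Mesh: it prints a firewall.user fragment that filters FORWARD instead, keeps the rules in their own chain so re-running the file when the firewall restarts does not stack duplicate rules, appends them with -A so the ACCEPT exceptions always precede the DROPs whatever order they were typed in, and validates the addresses before they reach an iptables command line. The chain name pittmesh_lan is an assumption; eth0 and the three RFC 1918 ranges are the ones the post uses.

```shell
#!/bin/sh
# Added example, not from the original post or from Commotion. Prints a
# firewall.user fragment that blocks forwarded traffic from the mesh to
# RFC 1918 addresses behind eth0, except for the gateway and any hosts
# you choose to expose. The chain name "pittmesh_lan" is an assumption.

# Validate a dotted-quad IPv4 address with an optional /prefix, so that
# only well-formed addresses are interpolated into iptables commands.
valid_ipv4() {
    addr=${1%/*}
    case $1 in
        */*) prefix=${1#*/}
             case $prefix in
                 ''|*[!0-9]*) return 1 ;;
             esac
             [ "$prefix" -le 32 ] || return 1 ;;
    esac
    printf '%s' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# $1 = gateway, further args = LAN hosts/networks to leave reachable.
# Rules live in a dedicated chain: flushing it first makes the fragment
# safe to re-run, and -A keeps ACCEPTs ahead of DROPs.
pittmesh_lan_guard() {
    [ $# -ge 1 ] || { echo "usage: pittmesh_lan_guard GATEWAY [HOST...]" >&2; return 1; }
    for a in "$@"; do
        valid_ipv4 "$a" || { echo "invalid address: $a" >&2; return 1; }
    done
    echo "iptables -N pittmesh_lan 2>/dev/null"
    echo "iptables -F pittmesh_lan"
    # Hook the chain into FORWARD exactly once, even after a re-run.
    echo "iptables -D FORWARD -o eth0 -j pittmesh_lan 2>/dev/null"
    echo "iptables -I FORWARD -o eth0 -j pittmesh_lan"
    for a in "$@"; do
        echo "iptables -A pittmesh_lan -d $a -j ACCEPT"
    done
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "iptables -A pittmesh_lan -d $net -j DROP"
    done
}

# Stand-alone run: gateway plus one exposed server (constructed values).
pittmesh_lan_guard 192.168.1.1 192.168.1.50
```

Paste the printed lines into the CUSTOM RULES box from step 6 (or redirect them into /etc/firewall.user) and restart the firewall as in step 6.f; `iptables -L FORWARD -n` should then show the jump to pittmesh_lan, and `iptables -L pittmesh_lan -n` the ACCEPTs listed above the three DROPs.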
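Step 8 configures QoS through the LuCI pages; the same settings live in /etc/config/qos and can be set with uci, which is easier to repeat across several nodes. The script below is an added example, not from the original post, Commotion or Meta Mesh. It takes the download and upload figures in kbps measured in step 0, halves them as Meta Mesh recommends, removes every existing classify rule as step 8.d does, and adds the three rules from the table. It assumes the qos-scripts package's config layout (a `wan` interface section, `classify` sections with `target`, `proto` and `ports` options) and that the page's "Low" target is stored as the `Bulk` class; both are assumptions about the LuCI/qos-scripts mapping, not facts from the post. The commands are printed so they can be reviewed, then piped to sh on the node.

```shell
#!/bin/sh
# Added example, not from the original post or from Commotion/Meta Mesh.
# Emits uci commands equivalent to step 8 of the procedure, assuming the
# qos-scripts config layout (/etc/config/qos with a "wan" interface section).

# Integer check for the kbps figures from the speed test in step 0.
is_uint() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
}

# $1 = measured download kbps, $2 = measured upload kbps. Prints the
# halved figures Meta Mesh recommends as "download upload".
qos_budget() {
    is_uint "$1" && is_uint "$2" || return 1
    echo "$(( $1 / 2 )) $(( $2 / 2 ))"
}

# Print one classify rule: target, protocol (or empty), ports (or empty).
# A rule with no match options is the catch-all "ALL ALL ALL" row.
qos_classify_rule() {
    target=$1; proto=$2; ports=$3
    echo "uci add qos classify"
    echo "uci set qos.@classify[-1].target=$target"
    [ -n "$proto" ] && echo "uci set qos.@classify[-1].proto=$proto"
    [ -n "$ports" ] && echo "uci set qos.@classify[-1].ports=$ports"
    return 0
}

# Full command list for step 8: $1 = download kbps, $2 = upload kbps.
pittmesh_qos_commands() {
    budget=$(qos_budget "$1" "$2") || {
        echo "usage: pittmesh_qos_commands DOWNLOAD_KBPS UPLOAD_KBPS" >&2
        return 1
    }
    down=${budget% *}; up=${budget#* }
    echo "uci set qos.wan.enabled=1"
    echo "uci set qos.wan.download=$down"
    echo "uci set qos.wan.upload=$up"
    # Step 8.d: delete every existing classify rule. Indices shift down as
    # each one goes, so delete index 0 until uci reports none is left.
    echo "while uci -q delete qos.@classify[0]; do :; done"
    qos_classify_rule Priority tcp 80,443   # web traffic
    qos_classify_rule Priority udp 698      # OLSR
    qos_classify_rule Bulk "" ""            # everything else, "Low" in the GUI
    echo "uci commit qos"
    echo "/etc/init.d/qos restart"
}

# Stand-alone run with constructed speed-test figures (20 Mbps / 2 Mbps).
pittmesh_qos_commands 20000 2000
```

Because the OLSR rule matches UDP 698 on both source and destination "ALL", it keeps routing-protocol traffic ahead of the bulk class even when the link is saturated by the catch-all rule, which is the point of the table in step 8.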