[Commotion-dev] PittMesh configuration setup

Andy Gunn andygunn at opentechinstitute.org
Wed Apr 15 11:40:09 EDT 2015


Hey Adam - thanks for sending this along! Very interesting to see how
your network is configured... I had a few questions about your setup below:

On 04/14/2015 02:31 PM, Adam Longwill wrote:
> Hello everyone, I wanted to share our configuration document with you
> to see if there would be better ways going forward to configure our
> nodes. This document is for 1.1, obviously, and there may be new ways
> to configure things. In particular, we don't seem to have meshing over
> Ethernet working properly and I wanted to know in particular if we're
> doing it properly. The section about the firewall rules has been
> corrected in 1.2 and can be omitted.
>
>
> Configuration Instructions for PittMesh for Commotion 1.1
>
>
> 0: Assuming you have flashed the node and are directly connected to it
> after determining its IP address, do the following. Please note that
> you MUST NOT connect to your device via a network serving DHCP or this
> process will render your router unreachable. Before we begin we ALSO
> need to know the speed of the Internet you will be donating. Test your
> Internet bandwidth speed by going to GETMYSPEED.COM
> <http://getmyspeed.com/> (which presents your speed in kbps). Write
> those values down and save them for later.
>
>
> 1. Run the Setup wizard.
>     1.
>         1. Node Name: The name should follow this model, in all lower case:
>             1. street-addressnumber-(miscellaneous optional value)-band
>                OR buildingname-(miscellaneous optional value)-band OR
>                randomized 10 digit number.
>                 1. example: ewarrington-744-24 (a 2.4 GHz node at 744
>                    East Warrington Ave.)
>                 2. example: brewhouse-ne-5 (a 5 GHz node at the Brew
>                    House pointed North East)
>                 3. example: hackpgh-tobrewhouse-5 (a 5 GHz directional
>                    node pointed TO the BREWHOUSE at Hack Pittsburgh)
>                 4. example: 8461285602 (If you wish to remain anonymous,
>                    use 10 random digits)
>         2. Enter Root Password: Enter a password to configure this
>            node with
>         3. Mesh Network Name: PittMesh_Backhaul
>         4. Channel: 11 or 48 (2.4 GHz and 5 GHz, respectively)
>         5. Access Point: PittMesh
>         6. Channel: Same as Mesh Network channel, 11 or 48
>         7. Require Password? No
>     2. Click Finish (Do NOT click “NEXT”)
>     3. Click “Save and Apply”
>     4. Reboot the device (go to ADVANCED > SYSTEM > REBOOT and click
>        PERFORM REBOOT)
>     5. Log back in.
>
> 2. Rename the node
>     1. Commotion appends all router names by default with a random
>        number to ensure different host names on the network. If done
>        properly with the above instructions, this is not necessary.
>     2. Go to ADVANCED > SYSTEM and remove the randomized numbers from
>        the end of the Node Name, then click SUBMIT. This can only be
>        done through Advanced > System and not Basic Menu > System.
>
> 3. Add the WAN port to the proper firewall zone
>     1. WHY? Because after the initial flash, the routers are
>        unreachable unless this is added. This allows them to be
>        accessed from the WAN interface only -- how do we access them
>        from another node on the mesh?
>     2. SSH into the router with the root user and type the following
>        commands, hitting the Enter key after each line:
>         1. uci add_list firewall.@zone[2].network=wan
>         2. uci commit firewall
>

I haven't seen this happen before - when are you getting locked out of
the router's WAN port? The router should assign you an IP address, and if
you open the HTTPS port you should be able to get in... Does it happen
after assigning a static IP?

Or is this just related to the meshing over Ethernet setup? It appears
to be exactly the change we document in
https://commotionwireless.net/docs/cck/installing-configuring/advanced-hardware-setups/
, under "Meshing with Ethernet, without a gateway to the Internet".

> 4. Enable the use of the firewall.user file for custom firewall rules
>     1. When Commotion 1.1 shipped, it mistakenly used a version of
>        OpenWRT that was not set up to include custom firewall rules
>        set in the GUI. This process adds the use of the file
>        “firewall.user” for later configuration in this process.
>     2. Open a terminal and type (make sure you know the IP address of
>        your router and enter it where the x’s are in the following
>        command):
>         1. ssh root@x.x.x.x
>     3. Enter the root password you created in step 1aii
>     4. Type the following commands:
>         1. vi /etc/config/firewall
>     5. Use the down arrow key to scroll down to the end of the file
>     6. Position your cursor at the end of the last character in the
>        last line of the file
>     7. Press the "i" key to enter insert mode.
>     8. Press Enter twice to make a new section
>     9. Type the following lines: (NOTE! the second line is preceded
>        by a Tab)
>         1. config include
>         2. 	option path /etc/firewall.user
>     10. Press the Escape key
>     11. Type the following to “write” the file and then “quit” the file:
>         1. :wq
>     12. Type the following command:
>         1. exit
>     13. Close the terminal.
>
> 5. Open the HTTPS Port for Management Purposes
>     1. By default, HTTPS is blocked by the firewall rules for all
>        interfaces. This procedure corrects that.
>     2. Go to ADVANCED > NETWORK > FIREWALL.
>     3. At the top of the page, click on the TRAFFIC RULES tab.
>     4. Under the "Open ports on router" section, fill in the
>        following values:
>         1. Name: "Admin Interface"
>         2. Protocol: "TCP"
>         3. External port: 443
>     5. Click the ADD button next to the fields you just filled out.
>     6. Click SAVE AND APPLY.
>     7. Reboot the device (go to ADVANCED > SYSTEM > REBOOT and click
>        PERFORM REBOOT)
>     8. Log back in.
>

We are looking into whether this could be a "checkbox" option to make it
easier to enable the HTTPS rule in the firewall. In my experience this
only applies to the WAN port though - are you not able to access the
Administrator page over the mesh?

> 6. Add Firewall rules that protect your network from being accessed
>    from PittMesh
>     1. By default, all IP addresses on your LAN are accessible from
>        the mesh. While this is useful if you are hosting a server, it
>        can be a security concern if you are not. This procedure
>        instructs the router to drop any and all packets destined for
>        your LAN IP addresses except for your gateway. Make sure you
>        know your gateway’s IP address before proceeding.
>     2. Go to ADVANCED > NETWORK > FIREWALL > CUSTOM RULES
>     3. There will be a large text box with lines of text starting
>        with #. After those lines type the following lines with each
>        on its own line (these block access to the common private
>        network segments):
>         1. iptables -I OUTPUT -o eth0 -d 192.168.0.0/16 -j DROP
>            iptables -I OUTPUT -o eth0 -d 172.16.0.0/12 -j DROP
>            iptables -I OUTPUT -o eth0 -d 10.0.0.0/8 -j DROP
>     4. You have now blocked access to every IP address on the private
>        network spaces used in IPv4 -- including your gateway. Enter
>        the following line to allow access to your gateway. Enter your
>        gateway’s IP address where the x’s are, such as 192.168.1.1.
>        If you wish to allow access to another IP address because you
>        want to host a server on that address, follow the same format
>        and add a new line with the server’s IP address:
>         1. iptables -I OUTPUT -o eth0 -d x.x.x.x -j ACCEPT
>     5. Scroll to the bottom of the page and click SUBMIT
>     6. Go to ADVANCED > STATUS > FIREWALL and click RESTART FIREWALL
>

This is a great set of documentation - several folks have asked us for
this before. It would be great if we could include it in our
configuration documentation here:
https://commotionwireless.net/docs/cck/installing-configuring/configure-commotion/#Advanced-Commotion-mesh-settings
Would you be willing to do a pull request against commotion-docs?
https://github.com/opentechinstitute/commotion-docs
The appropriate page is here:
https://github.com/opentechinstitute/commotion-docs/blob/staging/commotionwireless.net/docs/cck/installing-configuring/configure-commotion/index.md

> 7. Set a static IP for the Router
>     1. To ensure the PittMesh node has the same IP address on your
>        LAN, we must manually set it. This procedure sets the IP
>        address for your network.
>     2. Go to ADVANCED > NETWORK > INTERFACES.
>     3. Under “Interface Overview”, select EDIT next to the WAN interface.
>     4. Under “Common Configuration”, in the PROTOCOL pull down menu,
>        change "Commotion Interface" to "Static Address".
>     5. Click SWITCH PROTOCOL under the prompt “Really switch protocol?”
>     6. Set the static IP address that you want your node to be
>        accessible on within your LAN. Meta Mesh recommends using .202 for
>        the last octet (for 2.4 GHz) and .205 (for 5 GHz) and the
>        Netmask of 255.255.255.0.
>         1. Example: IP: 192.168.1.202, netmask 255.255.255.0 for a
>            2.4 GHz node and 192.168.1.212, netmask 255.255.255.0 for
>            a second 2.4 GHz node on your network.
>     7. Set the broadcast domain to the proper broadcast domain
>        (x.x.x.255 usually)
>         1. Example: For a 192.168.1.0 network, set this value as
>            192.168.1.255.
>     8. Set the Use Custom DNS servers field to the local network
>        gateway and leave all following fields blank.
>         1. Example: For a 10.1.10.0 network with a gateway at .1, set
>            this value to 10.1.10.1
>     9. Scroll down and click SAVE AND APPLY.
>
>
> 8. Enable QoS rules
>     1. Go to ADVANCED > NETWORK > QoS
>     2. Check the enable box
>     3. Set Download speed and upload speed to less than the speed of
>        your Internet access (Meta Mesh recommends halving your total
>        bandwidth)
>     4. In the Classification rules settings delete all the rules.
>     5. Click the "Add" button 3 times. This will create 3 blank rules.
>     6. Define the rules as follows:
>
>        Target    Source host  Destination host  Service  Protocol  Ports
>        Priority  ALL          ALL               ALL      TCP       80,443
>        Priority  ALL          ALL               ALL      UDP       698
>        Low       ALL          ALL               ALL      ALL       ALL
>

Again, this is awesome - would you be willing to update the QOS settings
in our documentation?
https://commotionwireless.net/docs/cck/installing-configuring/configure-commotion/#bandwidth-qos

> 9. Turn on OLSR over Ethernet
>     1. Most PittMesh nodes involve 2 or more routers. To ensure that
>        they speak to each other properly, we must inform the OLSR
>        protocol to work on an additional Ethernet interface. By
>        default, OLSR only operates on the PittMesh_Backhaul SSID on
>        the Ad hoc interface called PittMesh_95backhaul. This
>        procedure includes OLSR over the WAN interface, which is
>        actually your LAN in your home or business.
>     2. Go to SERVICES > OLSR and, on the General Settings tab, scroll
>        to the bottom and click ADD in the "Interface" section.
>     3. In the new page that comes up, click the radio button for the
>        "WAN" interface.
>     4. In the “Mode” pull down menu, select ETHER.
>     5. Scroll down and click SAVE AND APPLY.
>     6. Reboot the device (go to ADVANCED > SYSTEM > REBOOT and click
>        PERFORM REBOOT)
>

Are #7 and #9 linked? You set a static IP on the WAN interface for
meshing over that Ethernet port?

>
> You’re done!
>
> Any advice would be appreciated. Thanks!
>
> Adam Longwill

-- 
Andy Gunn, Field Engineer
Open Technology Institute, New America
andygunn at opentechinstitute.org | 202-596-3484
PGP: F1D2 CD5E 9F15 EEB0 232A 1EFA EEDC DC5C F1D5 653C
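The two edits the quoted document makes to /etc/config/firewall (adding "wan" to the third zone's network list with `uci add_list`, and appending a `config include` section for /etc/firewall.user with vi) are both changes to one UCI file. The following is an added example for this thread, not Commotion or OpenWrt code: a minimal parser for the UCI file format that applies both edits to a constructed sample config so the result can be inspected off the router. The sample config, its zone order and the `apply_pittmesh_edits` helper are made up for the demo.

```python
"""Minimal parser/editor for the OpenWrt UCI file format, used here to apply
the two /etc/config/firewall edits from the PittMesh document and check the
result offline.  Added example for this thread; not Commotion/OpenWrt code.
SAMPLE_FIREWALL is constructed for the demo, not a real Commotion 1.1 file."""
import re
from typing import Dict, List, Optional

SAMPLE_FIREWALL = """\
config defaults
	option input 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'

config zone
	option name 'mesh'
	list network 'mesh'

config zone
	option name 'wan'
	option masq '1'
"""

_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+(.*))?$")


def _unquote(value: Optional[str]) -> str:
    value = (value or "").strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


class Section:
    def __init__(self, stype: str, name: Optional[str] = None):
        self.type, self.name = stype, name
        self.options: Dict[str, str] = {}
        self.lists: Dict[str, List[str]] = {}


def parse(text: str) -> List[Section]:
    """Parse UCI text into sections; blank and '#' lines are ignored."""
    sections: List[Section] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable UCI line: {line!r}")
        kind, key, value = m.groups()
        if kind == "config":
            sections.append(Section(key, _unquote(value) if value else None))
        elif not sections:
            raise ValueError("option/list before any config section")
        elif kind == "option":
            sections[-1].options[key] = _unquote(value)
        else:
            sections[-1].lists.setdefault(key, []).append(_unquote(value))
    return sections


def lookup(sections: List[Section], ref: str) -> Section:
    """Resolve a named section or '@type[index]' (negative index allowed,
    as uci itself accepts)."""
    m = re.fullmatch(r"@(\w+)\[(-?\d+)\]", ref)
    if m:
        of_type = [s for s in sections if s.type == m.group(1)]
        return of_type[int(m.group(2))]
    for s in sections:
        if s.name == ref:
            return s
    raise KeyError(ref)


def add_list(sections: List[Section], path: str, value: str) -> None:
    """Equivalent of: uci add_list <config>.<section>.<option>=<value>"""
    _config, ref, opt = path.split(".", 2)
    lookup(sections, ref).lists.setdefault(opt, []).append(value)


def add_section(sections: List[Section], stype: str, **options) -> Section:
    """Append an anonymous section, as the vi edit in the document does."""
    sec = Section(stype)
    sec.options.update(options)
    sections.append(sec)
    return sec


def serialize(sections: List[Section]) -> str:
    out = []
    for s in sections:
        out.append(f"config {s.type}" + (f" '{s.name}'" if s.name else ""))
        out += [f"\toption {k} '{v}'" for k, v in s.options.items()]
        out += [f"\tlist {k} '{v}'" for k, vs in s.lists.items() for v in vs]
        out.append("")
    return "\n".join(out)


def apply_pittmesh_edits(text: str) -> str:
    """Both edits from the document: add 'wan' to @zone[2].network and add
    the include section for /etc/firewall.user."""
    secs = parse(text)
    add_list(secs, "firewall.@zone[2].network", "wan")
    add_section(secs, "include", path="/etc/firewall.user")
    return serialize(secs)


if __name__ == "__main__":
    print(apply_pittmesh_edits(SAMPLE_FIREWALL))
```

Two things worth checking on the node before committing: `@zone[2]` is resolved by position among the `config zone` sections, so `uci show firewall.@zone[2]` confirms which zone is about to receive the WAN interface; and the include section can be added with uci instead of vi (`uci add firewall include`, `uci set firewall.@include[-1].path=/etc/firewall.user`, `uci commit firewall`), which avoids the tab and quoting mistakes a hand edit invites.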

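The custom rules in the "protect your network from being accessed from PittMesh" step depend on two iptables properties: `-I` inserts at the head of the chain, so the ACCEPT for the gateway must be entered after the three DROPs (entered with `-A` it would sit below them and never match); and the OUTPUT chain only sees packets the router itself originates, while packets it forwards for other hosts (clients on its access point or neighbouring mesh nodes) traverse FORWARD instead. The block below is an added example for this thread, not Commotion code: a first-match model of those rules that builds the chain exactly as typed, shows the shadowing `-A` would cause, and evaluates a constructed router-originated packet and a constructed forwarded packet against the posted OUTPUT rules and against the same rules placed in FORWARD. Interface names and addresses are assumptions for the demo.

```python
"""First-match model of the iptables rules in the 'protect your network'
step of the PittMesh document.  Added example for this thread, not
Commotion code.  It models only the matches those rules use (-o and -d),
evaluated top to bottom with the chain policy as fallback, and the two
chains a packet can traverse: OUTPUT for router-originated traffic,
FORWARD for traffic routed on behalf of other hosts."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    target: str                  # ACCEPT or DROP
    dst: ipaddress.IPv4Network   # -d
    out_iface: Optional[str]     # -o; None matches any interface


@dataclass
class Chain:
    name: str
    policy: str = "ACCEPT"
    rules: List[Rule] = field(default_factory=list)

    def insert(self, rule: Rule) -> None:   # iptables -I: head of chain
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:   # iptables -A: tail of chain
        self.rules.append(rule)

    def verdict(self, dst: str, out_iface: str) -> str:
        addr = ipaddress.ip_address(dst)
        for r in self.rules:                 # first matching rule wins
            if r.out_iface in (None, out_iface) and addr in r.dst:
                return r.target
        return self.policy


PRIVATE = ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")


def posted_rules(gateway: str, servers=(), chain="OUTPUT", insert=True) -> Chain:
    """Build the chain as the document types it: three '-I ... -j DROP'
    lines for the RFC 1918 blocks, then '-I ... -d <gateway> -j ACCEPT'
    (and one per hosted server).  insert=False adds the ACCEPTs with -A
    instead, to show why the order of entry matters."""
    c = Chain(chain)
    for net in PRIVATE:
        c.insert(Rule("DROP", ipaddress.ip_network(net), "eth0"))
    add = c.insert if insert else c.append
    for host in (gateway, *servers):
        add(Rule("ACCEPT", ipaddress.ip_network(f"{host}/32"), "eth0"))
    return c


@dataclass
class Packet:
    dst: str
    out_iface: str
    in_iface: Optional[str] = None   # None: generated by the router itself


def traverse(pkt: Packet, output: Chain, forward: Chain) -> str:
    """Netfilter sends locally generated packets through OUTPUT and routed
    packets through FORWARD; a packet never passes through both."""
    chain = output if pkt.in_iface is None else forward
    return chain.verdict(pkt.dst, pkt.out_iface)


if __name__ == "__main__":
    gw = "192.168.1.1"                      # constructed home-LAN gateway
    output = posted_rules(gw)
    print("OUTPUT as typed:", [(r.target, str(r.dst)) for r in output.rules])
    # Constructed packets: one the router sends itself, one it forwards for
    # a client on its access point ("wlan0" is an assumed interface name).
    router_pkt = Packet("192.168.1.50", "eth0")
    client_pkt = Packet("192.168.1.50", "eth0", in_iface="wlan0")
    for label, fwd in (("OUTPUT rules only", Chain("FORWARD")),
                       ("same rules in FORWARD", posted_rules(gw, chain="FORWARD"))):
        print(f"{label}: router->LAN host {traverse(router_pkt, output, fwd)}, "
              f"client->LAN host {traverse(client_pkt, output, fwd)}")
```

On a real node the same check is `iptables -L OUTPUT -v -n --line-numbers` and `iptables -L FORWARD -v -n --line-numbers` after RESTART FIREWALL: the gateway ACCEPT should appear above the three DROPs, and the packet counters show which chain the traffic you are trying to block actually hits.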
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.chambana.net/pipermail/commotion-dev/attachments/20150415/8112c83a/attachment-0001.html>

