TheMilkfish
MilkfishServicesBoozy Milkfish
Milkfish-ddDoozy MilkfishWoozy MilkfishMain.SideBar (edit) |
Please only use firmware versions which were announced as an official release on www2.milkfish.org if you want to get a stable setup.Mini-howto: Installing Boozy Milkfish 3.0.0 and 3.2.0Installation time: 5 minutes
Mini-howto: Installing Boozy Milkfish 2.0.0Installation time: 5 minutes
On a Linksys WRT54GL this installation leaves you with the following memory utilization: root@OpenWrt:~# df Filesystem 1k-blocks Used Available Use% Mounted on /dev/root 1408 1408 0 100% /rom /dev/mtdblock/4 1856 1000 856 54% / none 7188 60 7128 1% /tmp root@OpenWrt:~# Mini-howto: Upgrading from 1.0.0 to 1.1.0 - v1.0 hardwares onlyThis is the first official release having all necessary packages already integrated in one flashable binary. If you install for the first time on your v1.0 hardware, you can follow the detailed StepByStep Howto for Release 1.0.0 below and skip the sections on package download and setup. 1. set nvram boot_wait=on root@OpenWrt:/# nvram set boot_wait=on root@OpenWrt:/# nvram commit 2. FLASH tftp 192.168.1.1 tftp> rexmt 1 tftp> binary tftp> trace tftp> put boozy_milkfish-1.1.0.bin wait until lights are static 3. REBOOT telnet to lan_ipaddr of wrt nvram set boozy_firstboot= (erasing the nvram variable completely) nvram commit 4. REBOOT into failsafe mode press reset button for 2 sec when dmz light goes on (if the router should reboot normally, you have to erase boozy_firstboot nvram variable again) router will be in failsafe mode (192.168.1.1) when the DMZ LED flashes quickly for one second and then is off for the next second, and so on. 5. TELNET to 192.168.1.1 of wrt (failsafe lan_ipaddr of router) @OpenWrt:/# mount | grep jffs if no output, then no jffs partition is mounted -> let's generate a jffs partition from the squashfs partition with... @OpenWrt:/# firstboot Creating jffs2 partition... done creating directories... done setting up symlinks... done @OpenWrt:/# check if no nvram commit is running (ps -aux ;-) then 6. REBOOT wait a while then try ssh (root@<lan_ipaddr of wrt>) with password "admin" and check web interface with your browser. configuration of wan interface (e.g. pppoe: ppp_username=<yours>, ppp_password=<yours>, wan_proto=pppoe, wan_ifname=ppp0, pppoe_ifname=<vlan1>) via web interface "Settings" Commit NVRAM ! start of firewall via web interface "Firewall" this takes some time, progress can be checked in a ssh seesion with "ps | grep shorewall" give it 10 minutes. then check the firewall overview: long list means success. if firewall test is ok (you can surf etc.) go to Settings and set firewall_bootstart=1 and 7. FINAL REBOOT check status via web interface "Status" check internet connection check firewall check voip StepByStep for Release v1.0.0This document describes all necessary setup steps for installing Openwrt Linux and The Milkfish Communication Server on a Linksys WRT54GS v1.0. Newer hardware than WRT54GS v1.0 will be supported after the first stable release of Openwrt supporting the newer hardwares, expected towards the end of 2005. Until then, this StepByStep pages may still be valuable in assisting installation on non-supported yet already-running Openwrt firmwares based on the White Russian Beta Release. This manual covers the following issues:
StepByStep 1 - boot_wait
;cp${IFS}*/*/nvram${IFS}/tmp/n
;*/n${IFS}set${IFS}boot_wait=on
;*/n${IFS}commit
;*/n${IFS}show>tmp/ping.log
Check the list which's being presented for the line boot_wait=on - if positive you can proceed with ... StepByStep 2 - Flashing
This process is called 'flashing' because the binary file is uploaded to the flash memory of the router where usually only the original firmware is located. Therefore, by (over)writing the flash you void the warranty of the device since you alter essential parts of it. You also loose the nice blueish web interface you used before to enter that ping-thing. One could compare the flash memory in the router with an router-integrated USB memory stick. However, unplug the power of your router and enter on your console: tftp 192.168.1.1 tftp> binary tftp> rexmt 1 tftp> trace Packet tracing on. tftp> put sipath-gs-code.bin After executing the put command, plug the power in again. Upload should commence after a little while and have an output like this when finished: <--snip--> received ACK <block=3010> sent DATA <block=3011, 0 bytes> received ACK <block=3011> Sent 1541120 bytes in 310.5 seconds tftp> Let the router reboot after the upload. This may take up to some minutes because the file system needs to be generated. StepByStep - Router ConfigurationOpenwrt SpecificsThe Openwrt linux environment is quite different from a usual desktop linux. This is due to the embedded architecture of the device. Let me sketch the main differences briefly here:
Temporary internet connection through gatewayFirst of all, a internet connection would be nice. There are different ways to do that, depending on your scenario. I'll explain here the simplest and for a new router setup I'd even say recommended way of getting on-line, and thereby installing all the packages and so forth. Open a console and telnet to your router telnet 192.168.1.1 If flashing was successful, you should be presented with the Openwrt ASCII welcome banner. I once ecountered a problem with connecting to the router when I used an outdated buildroot for building binaries for new hardware. I'm giving this hint because if everything is ok you are not asked for a password when using telnet at this point of the 'StepByStep Setup Continuum'. Anyway, change your internal gateway settings by altering the respective NVRAM variable nvram set lan_gateway=<your_internally_reachable_gateway's_ip> To disable the lan_gateway later just set it to 0.0.0.0: nvram set lan_gateway=0.0.0.0 Check similar settings with nvram show | grep gateway Your wan_gateway setting should be set to 0.0.0.0. If not the case, execute nvram set wan_gateway=0.0.0.0 and commit the NVRAM changes... nvram commit ...to be effective after: reboot After reboot you should be able to ping your favorite IP. DNS - the resolv.conf fileNow, let's take care of DNS. Domain Name Service is provided by DNS-Servers which in turn are commonly listed in the file /etc/resolv.conf. A possible content of that file could be search nameserver <1st-dns-ip> <2nd-dns-ip> No reboot was necessary on my box to have successful pings immediately after entering valid DNS IP's into resolv.conf. The settings made in /etc/resolv.conf are static and reboot-persistent since /etc is on the flash partition. Symbolic File LinksLater, a PPPOE daemon may provide connection specific DNS information upon connection setup in a dynamic /tmp/resolv.conf file. If you'd like to use that feature later, simply replace our /etc/resolv.conf with a symbolic link to the file in /tmp by executing the following line whilst being in the /etc directory. cd /etc ln -s /tmp/resolv.conf resolv.conf Similarly, you can repair or reset symbolic links to files on the rom since initially most files are just linked to their respective templates on the read-only rom partition. The vi EditorTo replace or alter the files you can make a little shell script and place it in the /usr/sbin/ directory. Syntax could be simply rw <filename> to copy a rom-linked file with the same name and location to the flash partition. To set up that script, change to the /usr/sbin directory and type: vi rw This opens the vi text editor. Hit a to enter the edit mode and generate the following content: #!/bin/ash cp $1 $1.cp rm $1 mv $1.cp $1 Exit and save by hitting ESC followed by : and an x. Finally, Return executes the command and get's you back to the console. Here you need to make the file executable by changing the file flags: chmod 777 rw The Package Management Configuration File aka. ipkg.confNow quickly to /etc and rw ipkg.conf After that do vi ipkg.conf where you can configure the Milkfish internet package repository by adding this line, if possible as the first line in the list: src milkfish http://packages.milkfish.org/boozy/ Dropbear SSH ServerAfter that, you can check for actually available packages by ipkg update and install the neat and security-enhancing dropbear ssh server with ipkg install dropbear Please provide a well-chosen password during the installation process. Milkfish PackagesAfter all these preliminaries, let's install the Milkfish specific files. You can start with a ipkg install ser which takes some time since the SER package is considerably large (~500kB). After that, you may ipkg install milkfish and reboot the router. Although SER and especially the dbtext database module is contained in the SER package, it is prepared and started with an init script being part of the Milkfish package. To use the serctl script it may be convenient to add the following line to the file /etc/profile: export SIP_DOMAIN=$(nvram get lan_ipaddr) The profile file affects the console shell and so changes to it become effective by the time of your next login. Still having the opportunity to get some packages over the gateway, you should consider to install the configurable shoreline firewall, aka. shorewall, as potentially very useful for the Milkfish standard application. Although configuration details follow further below, for now you could just preparationally download it to the router with ipkg install shorewall Please note that this shorewall package will be downloaded from the Milkfish Package repository. The PPPOE DaemonFor connecting to the internet you may want to use broadband (DSL) or cable and therefore you could have thought of using the pppoecd package. Its source is already known since it's a standard package and installation follows the usual pattern by executing ipkg install pppoecd PPPOE needs some additional customizations depending on your account data of your Internet Service Provider and your type of hardware. These customizations are stored in NVRAM variables by using the nvram tool. For a WRT54GS with the Internet port being named vlan1 they are: nvram set wan_ifname=ppp0 nvram set wan_proto=pppoe nvram set pppoe_ifname=vlan1 nvram set ppp_username=<your_username_at_your_isp> nvram set ppp_passwd=<your_password_at_your_isp> nvram set ppp_redialperiod=30 nvram set ppp_idletime=5 nvram set wan_mtu=1492 Don't forget to nvram commit and consider to do a reboot (which took some time on my box...). For your convenience, here is Section 3 of the Openwrt README.pppoe: 3. NVRAM variables
------------------
In order for the PPPoE link to be established by the networking
scripts the following NVRAM variables must be present:
wan_ifname Should be set to: ppp0
wan_proto Should be set to: pppoe
pppoe_ifname Set it to the WAN interface on which the PPPoE is to function.
On a 2.0 or a GS model it is usually vlan1.
The 1.0 and 1.1 models used vlan2.
ppp_username User name for your PPPoE connection.
ppp_passwd Password for the connection.
ppp_redialperiod Time between reconnect attempts.
Usualy set to 30.
ppp_idletime Time the link has to stay dead before reconnecting.
Usually set to 5.
wan_mtu The Maxumum Transfer Unit for the PPPoE connection.
Typically 1492.
Please consult the Openwrt WIKI or the Openwrt Forum for more information on NVRAM variables.
Firewall ConfigurationThis section is about how to configure the Shoreline Firewall aka. Shorewall. Shorewall has a very convenient and structured configuration philosophy which consists of separate files providing the necessary level of abstraction to make firewalling transparent and understandable for humans. Each file contains besides many examples a comprehensive explanations on how to do the settings properly. All configuration files can be found in the /etc/shorewall directory. Let's start with the most abstract one, the zones file. It should include all zones or realms neighboring to your router:
Since the neighboring zones are necessarily to be connected to the router by different interfaces, you need to define a third zone being the one between your router and your dsl or cable modem so that the bottom of the zones file will look like this #ZONE DISPLAY COMMENTS net Net Internet (ppp0) wan WAN WAN Port (vlan1) loc Local Local networks (br0) #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE NOTE: This is on a WRT54GS v1.0 having vlan1 as native wan interface. Second file will take care of the actual and therefore less abstract zone-to-interface assignment: #ZONE INTERFACE BROADCAST OPTIONS wan vlan1 detect routefilter net ppp0 detect routefilter, norfc1918 loc br0 detect routeback #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE The configuration above is intended for static addressing in your local network. If you need DHCP support add this option accordingly. Third file of interest is the policy file which contains abstract access policies depending on the zones settings already mentioned. #SOURCE DEST POLICY LOG LIMIT:BURST # LEVEL loc net ACCEPT net all DROP info # If you want open access to the Internet from your Firewall # remove the comment from the following line. fw net ACCEPT loc fw ACCEPT fw loc ACCEPT fw wan ACCEPT loc wan ACCEPT # # THE FOLLOWING POLICY MUST BE LAST # all all REJECT info #LAST LINE -- DO NOT REMOVE The settings are self explaning if you read each line like that Traffic from <SOURCE> to <DEST> will be <POLICY>ED. You thereby made it to the rules file where it becomes a bit more technical, so let's have a look first: #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ # PORT PORT(S) DEST LIMIT GROUP # Accept DNS connections from the firewall to the network # AllowDNS fw net # Accept SSH connections from the local network for administration # AllowSSH loc fw # Accept SSH connections from the internet for administration #AllowSSH net fw # Allow Ping To And From Firewall # AllowPing loc fw AllowPing fw loc AllowPing fw net # Allow Ping To Firewall from internet # #AllowPing net fw # Milkfish specific rules ACCEPT loc fw udp 5060 1024: ACCEPT net fw udp 5060 1024: ACCEPT wan fw udp 5060 1024: ACCEPT fw net udp 1024: 5060 ACCEPT fw wan udp 1024: 5060 ACCEPT fw loc udp 1024: 5060 ACCEPT loc net udp 1024: 1024: ACCEPT loc wan udp 1024: 1024: ACCEPT net loc udp 1024: 1024: ACCEPT wan loc udp 1024: 1024: # # OpenWRT specific rules: # allow loc to fw udp/53 for local/caching DNS servers to work # allow loc to fw tcp/80 for weblet to work # allow loc to fw udp/67 and udp/68 for dnsmasq's dhcpd to work AllowDNS loc fw AllowWeb loc fw #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE The first three of the Milkfish specific rules are to enable SIP signalling on the standard SIP port 5060 from all directions to the router. Furthermore you need to permit RTP traffic which carries the media and is established upon SIP signalling. These media streams may use arbitrary ports above 1024 so all these ports are enabled for traffic pass-through which is configured in the following lines. Again, the whole file becomes transparent and understandable after reading the explanations provided in the upper part of the file. Last not least, the masq file: #INTERFACE SUBNET ADDRESS PROTO PORT(S) vlan1 br0 ppp0 br0 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE In the windows world Masqerading is called NAT, standing for Network Address Translation. Whatever... Concerning the customization of config files, you are through now. The next step thats needs to be done, is setting up logging at router startup. This can be accomplished by editing the /etc/inittab file. Make it writeable first with the rw script used before. cd /etc rw inittab and then add these two lines using vi editor ::respawn:/sbin/syslogd -n ::respawn:/sbin/klogd -n After that you need to create a directory for the log files, being /var/log. Since this is on the ramdisk it will be lost during reboots or power outages, so it needs to be created during the boot process. This is done by editing the file /etc/init.d/rcS after you made it writeable: cd /etc/init.d rw rcS vi rcS adding the line mkdir /var/log to make it look like this #!/bin/sh
# Start all init scripts in /etc/init.d
# executing them in numerical order.
#
<--- snip --->
esac
done
mkdir /var/log
It seems we are almost up and running, let's check the important Shorewall box displayed at the time of ipkg installation if anything else needs to be done... *************************************************************** * Please edit the configuration files found in /etc/shorewall * * and make sure they match your router's configuration before * * proceding to reboot! (esp /etc/shorewall/interfaces) * * * * Please also setup your logging as described in the WIKI MINI* * HowTos at http://www.openwrt.org/MiniHowtos so that your * * logs aren't written to flash which may shorten its lifetime!* * * * When you are satisfied by your firewall's configuration run:* * /etc/init.d/shorewall check &&\ * * /etc/init.d/shorewall start * * * * this will ensure you configuration is syntactially correct * * and start the firewall, saving the tables so that they may * * be restored on reboot quickly. * * * * When you are sure that your firewall is correctly running * * rename the RC script so that it is run on boot: * * rm /etc/init.d/S45firewall * * mv /etc/init.d/shorewall /etc/init.d/S45shorewall * *************************************************************** If not already done, remove the default route for the lan interface by executing nvram set lan_gateway=0.0.0.0 nvram commit reboot Ok, you can try your configuration with: /etc/init.d/shorewall start This takes some time since everything you set needs to be computed. After Shorewall startup, you should test all connections from your computers to the internet before replacing the standard firewall startup script with the shorewall startup script: rm /etc/init.d/S45firewall mv /etc/init.d/shorewall /etc/init.d/S45shorewall reboot |
