OpenBSD 4.6

The new version of OpenBSD has been released! Yes, they are more than 10 days ahead of schedule, since OpenBSD is usually released on May 1st and November 1st.

I upgraded my router with this new version and before doing so, you should read the upgrade page (which I didn’t).

Of course my firewall configuration was not working anymore, so I had no internet access because I was using scrub statements which are not there anymore. Rules need to be rewritten a bit.

The installer seems to have changed, some questions were different… and since I was going too fast through the process I installed X related packages (they were selected by default even though I hadn’t installed them before).

Anyway, OpenBSD is still working nicely, using nearly no CPU and a few MB of RAM. I really like this operating system for my router, I install it and forget it (until the subsequent release).


Bridge between two LANs with OpenBSD

My router is sharing the internet connection for an ethernet network and a WiFi network. Both of them were on their own sub-networks.

On my iPhone (using the WiFi network), I have the Remote application, which allows controlling iTunes on my Mac (which is using the ethernet network). Since they are not in the same network, it doesn’t work (even if routes are properly specified). The solution is to create a bridge for those two networks.

I already blogged about how I configured WiFi on my OpenBSD router.

Bridge configuration

Here is the configuration of the interfaces (rl0 is the ethernet interface and rum0 is the WiFi interface):

inet 192.168.2.254 255.255.255.0 NONE

Nothing specific as expected.

up media autoselect mode 11g mediaopt hostap nwid <SSID> wpa wpaprotos wpa2 wpaakms psk wpapsk <SHARED KEY>

Here there is a slight modification, an IP address is not needed anymore. Bridge configuration:

add rl1
add rum0
up

PF

Be sure that PF is allowing packets between the two interfaces, in /etc/pf.conf you should have something like this:

int_if="rl1"
wlan_if="rum0"
 
pass quick on $int_if no state
pass quick on $wlan_if no state

It’s a bit simplistic, you may write more sophisticated filtering rules depending on your needs.

DHCP

My router is also acting as a DHCP server for ethernet and WiFi devices. To activate DHCP, add the following line in /etc/rc.conf.local:

dhcpd_flags=""

Tell dhcpd to listen on rl1 only (rum0 does not have any IP so we don’t have to bind dhcpd to it):

dhcpd configuration:

shared-network LAN {
        option domain-name "example.net";
        option domain-name-servers <primary_dns_ip>, <secondary_dns_ip>;
 
        subnet 192.168.2.0 netmask 255.255.255.0 {
                option routers 192.168.2.254;
                range 192.168.2.32 192.168.2.127;
        }
}

OpenBSD and PPPoE

I’m using a new ISP (since I moved to a different country) which does not provide a DSL modem as part of the subscription. So I bought the first ADSL2+ modem I found that was not also a router (since I have my own router).

I ended up with a D-Link DSL-320T. I was a bit disappointed to see that the modem DOES some routing… but quite poorly. I tried several configurations and my conclusion is that this modem is severely bugged. It’s based on an old BusyBox 0.60 (you can telnet to the modem to see that and do some stuff manually (if you manage to…)). I went to the D-Link website to find firmware updates… the firmware loaded in the modem is more recent than the ones I found on the website! Anyway, after some research, it looks like D-Link people have no clue about how to manage version numbers (it’s a complete mess), but it’s not a problem since the modem does not want to load any firmware (there is something in the interface to do that but it did nothing when I tried).

At some point I found out that the modem has a “bridged” mode, so it will do mostly nothing and I will have to do the authentication with the ISP on my OpenBSD 4.5 router.

PPPoE

Configuring PPPoE on OpenBSD is quite easy. The modem is connected to the rl0 interface, first we need to create a configuration file /etc/hostname.pppoe0 for the new PPPoE interface pppoe0:

inet 0.0.0.0 255.255.255.255 NONE pppoedev rl0 authproto pap authname LOGIN authkey PASSWORD up
dest 0.0.0.1
!/sbin/route add default 0.0.0.1

Replace LOGIN and PASSWORD with the credentials given by your ISP. The rl0 interface does not need any configuration except telling that the interface must be started. /etc/hostname.rl0 must contain only:

Restart network interfaces with the following command:

# sh /etc/netstart

ifconfig should now include pppoe0 configuration.

NAT and PF

I saw on some forums/mailing lists that since PF is started before the pppoe0 interface, PF might block the connection. I’m not having the problem right now; maybe it applies to older versions of OpenBSD. Anyway, I had a different one. When PF starts, the pppoe0 interface has not yet retrieved an IP address, so PF is using “0.0.0.0”.

For instance in /etc/pf.conf, I had the following lines to create a NAT between pppoe0 and rl1 (rl1 is the interface on my local network):

ext_if="pppoe0"
int_if="rl1"
 
nat on $ext_if inet from $int_if:network to any -> $ext_if

In order to tell PF to monitor the external interface’s IP, it just needs to be put between brackets, so the NAT command becomes:

nat on $ext_if inet from $int_if:network to any -> ($ext_if)
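A small check for the two PF pitfalls described on this page: a nat rule that translates to a bare interface name, and the standalone scrub rules that the OpenBSD 4.6 post reports as no longer accepted. This is an added example, not part of the original post; the function name lint_pf_conf, the finding labels and the sample ruleset are assumptions made for illustration.

```python
import re

# Constructed sample in the pre-4.6 syntax used on this page.
SAMPLE_PF_CONF = """\
ext_if="pppoe0"
int_if="rl1"
wlan_if="rum0"

scrub all random-id fragment reassemble reassemble tcp

nat on $ext_if inet from $int_if:network to any -> $ext_if
nat on $ext_if inet from $wlan_if:network to any -> ($ext_if)
"""

MACRO_DEF = re.compile(r'^(\w+)\s*=\s*"?([^"]*)"?\s*$')
MACRO_USE = re.compile(r"\$(\w+)")
IFNAME = re.compile(r"^[a-z]+\d+$")  # rl0, rum0, pppoe0, ...


def lint_pf_conf(text):
    """Return a list of (line number, finding, rule) for a pf.conf text."""
    macros, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        definition = MACRO_DEF.match(line)
        if definition:
            macros[definition.group(1)] = definition.group(2)
            continue
        # Expand macros before looking at the rule, as PF does.
        words = MACRO_USE.sub(
            lambda m: macros.get(m.group(1), m.group(0)), line
        ).split()
        if words[0] == "scrub":
            # Standalone scrub rules: reported on this page as gone in 4.6.
            findings.append((lineno, "standalone-scrub", line))
        elif words[0] == "nat" and "->" in words[:-1]:
            target = words[words.index("->") + 1]
            # A bare interface name is resolved to an address once, when the
            # ruleset is loaded; "(pppoe0)" is re-evaluated when it changes.
            if IFNAME.match(target):
                findings.append((lineno, "nat-address-fixed-at-load", line))
    return findings


if __name__ == "__main__":
    for lineno, finding, rule in lint_pf_conf(SAMPLE_PF_CONF):
        print(f"line {lineno}: {finding}: {rule}")
```

A finding on an interface with a fixed address is harmless; it matters for interfaces such as pppoe0 or a DHCP-configured rl0 whose address is assigned after PF loads.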

OpenBSD 4.5

6 months after my post on OpenBSD 4.4, here is the one on OpenBSD 4.5.

OpenBSD 4.5 was released today, adding more hardware support (my D-Link DWA-110 works straight away, no need to recompile the kernel anymore), a few new features, lots of software updates.

So I updated my fit-PC with this new OpenBSD, as usual it was quite easy, few questions (and they have good default values), the overall upgrade took me 20 minutes (15 minutes copying files from the CDROM, I have a slow one).

Theme and Song

This release theme is inspired by Tron:

The accompanying song is called “Games”:

Lyrics and song files are available (as usual, there is an MP3 file for losers and an OGG Vorbis file for good people (anyway, only good people use OpenBSD ;-) )).


Configuring OpenBSD as a WiFi access point

Goal

Now that my WiFi dongle works, I want to configure an access point with it so I could connect to my network and to the internet using WiFi.

My router is still an OpenBSD 4.4 fit-PC box, with the following network interfaces:

  • rl0 (ethernet) connected to my broadband modem, configured by my ISP's DHCP.
  • rl1 (ethernet) connected to my network switch, static configuration (192.168.1.254)
  • rum0 (WiFi) static configuration (192.168.2.254)

So I have two local networks and I want them to be able to communicate with each other and connect to the internet.

Ethernet configuration

dhcp NONE NONE NONE
inet 192.168.1.254 255.255.255.0 NONE

Setting up the WiFi dongle

The WiFi dongle needs to be configured as an access point. Network configuration is done in /etc/hostname.rum0 (it can also be configured with ifconfig but in order to keep the configuration after the next reboot it must be written in that file).

inet 192.168.2.254 255.255.255.0 NONE media autoselect mode 11g mediaopt hostap nwid [SSID] wpa wpaprotos wpa2 wpaakms psk wpapsk [shared key]

The beginning is a typical static configuration with 192.168.2.254 as IP address and 255.255.255.0 netmask. Detailed information for each parameter can be found in ifconfig's manpage.

  • mode 11g tells the dongle to use the IEEE 802.11g standard (by default the dongle was using IEEE 802.11b)
  • mediaopt hostap tells the driver to use the dongle as an access point
  • nwid [SSID] sets the network’s name, the one shown when scanning WiFi access points ([SSID] must be replaced with the name of the network)
  • wpa uses the WPA protocol to protect the WiFi network
  • wpaprotos wpa2 tells that I only want to use wpa2, no wpa1
  • wpaakms psk sets the authentication protocol to PSK (Pre Shared Key)
  • wpapsk [shared key] sets the pre shared key (256 bits). It’s generated with the following command: wpa-psk [SSID] [passphrase] (where [passphrase] is the secret pass phrase, the one to type in the client devices to connect to the access point)
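What a key like the one passed to wpapsk is made of, assuming wpa-psk implements the standard IEEE 802.11i passphrase-to-PSK mapping (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output). This is an added example, not code from the original post or from OpenBSD; the function names and the sample SSIDs and passphrase are made up for illustration.

```python
import hashlib
import hmac


def wpa_psk(ssid: str, passphrase: str) -> str:
    """Derive the 256-bit WPA pre-shared key, as hex, from SSID and passphrase.

    Assumption: the standard IEEE 802.11i mapping, i.e. PBKDF2-HMAC-SHA1 with
    the SSID as salt and 4096 iterations.
    """
    salt = ssid.encode()
    secret = passphrase.encode("ascii")  # non-ASCII input raises ValueError
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes long")
    if not 8 <= len(secret) <= 63 or any(not 32 <= b <= 126 for b in secret):
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters")

    key = b""
    # HMAC-SHA1 yields 20 bytes per PBKDF2 block, so 32 bytes need two blocks.
    for block in (1, 2):
        u = hmac.new(secret, salt + block.to_bytes(4, "big"), hashlib.sha1).digest()
        t = int.from_bytes(u, "big")
        for _ in range(4095):  # iterations 2..4096, XORed into the block
            u = hmac.new(secret, u, hashlib.sha1).digest()
            t ^= int.from_bytes(u, "big")
        key += t.to_bytes(20, "big")
    return key[:32].hex()


def keys_for_ssids(passphrase: str, ssids):
    """Show the salting effect: one passphrase, one distinct key per SSID."""
    return {ssid: wpa_psk(ssid, passphrase) for ssid in ssids}


if __name__ == "__main__":
    # Constructed values, not the ones used on the router described here.
    sample = keys_for_ssids("correct horse battery", ["homenet", "guestnet"])
    for ssid, key in sample.items():
        print(ssid, key)
```

The derived key is password-equivalent for its SSID, so the file that stores it should be readable by root only. The SSID salt and the iteration count do not make up for a short passphrase.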

DHCP

I want WiFi clients to have their network configuration set automatically. So I need to set up a DHCP server.

DHCP configuration is in /etc/dhcpd.conf:

shared-network WLAN {
        option  domain-name "example.net";
        option  domain-name-servers xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy;
 
        subnet 192.168.2.0 netmask 255.255.255.0 {
                option routers 192.168.2.254;
                range 192.168.2.32 192.168.2.127;
        }
}

I want DHCP to give addresses only to WiFi devices, so only on the rum0 interface. The list of interfaces to work on is stored in /etc/dhcpd.interfaces, I just have to write rum0 in it.

Activating the DHCP server is done by adding the following line to /etc/rc.conf.local:

(…)
dhcpd_flags=""

PF

A major feature of OpenBSD is Packet Filter (aka PF). This is the tool to filter TCP/IP traffic and do mostly anything on network packets. The official PF’s FAQ is very useful.

Here is a small configuration to get the described network to work. Configuration is done in /etc/pf.conf:

# PF options
set skip on lo
 
# Set variables
ext_if="rl0"
int_if="rl1"
wlan_if="rum0"
 
# Normalize packets
scrub all random-id fragment reassemble reassemble tcp
 
# NAT
nat on $ext_if inet from $int_if:network to any -> $ext_if
nat on $ext_if inet from $wlan_if:network to any -> $ext_if
 
block log all
antispoof log quick for { lo $int_if $wlan_if }
pass quick on $int_if no state
pass quick on $wlan_if no state
 
# Allow outgoing traffic
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all modulate state

Activating PF is done by adding the following line to /etc/rc.conf.local:

(…)
pf=YES

Conclusion

Reboot to take all the changes into account and check that the configuration is still set. I tried to connect with my laptop and my phone, it works.

Of course I had several problems, the main one was forgetting a parameter in the WiFi configuration, so I had to read the documentation. When you do so (and ask Google a bit for help), OpenBSD is quite easy to configure (well, considering that I don’t have a GUI with a good wizard for it).

D-Link DWA-110 on OpenBSD 4.4

In order to reduce power consumption and simplify my home network, I wanted to remove my WIFI router and replace it by adding a USB WIFI dongle on my router (a fit-PC with OpenBSD on it).

Choosing a dongle

As WIFI hardware is mostly proprietary stuff with Windows only drivers, not all of them are able to run on OpenBSD (or Linux).

So my requirements are:

  • USB WIFI dongle (USB is the only kind of connectors I can use on my fit-PC)
  • recognized by OpenBSD
  • does not require non-free (as in free speech) binary firmware
  • can work as an access point

I already had an Acer WLAN-G-US1 dongle, it has a ZyDAS chipset, which is supported by the zyd driver, but it can’t act as an access point.

From the OpenBSD’s supported WIFI hardware page I randomly selected the rum driver (working with Ralink RT2501USB and RT2601USB chipsets) and went to a store with the list of dongle models supported.

So I bought a refurbished D-Link DWA-110.

Plugging the dongle

When plugging it in the fit-PC, I got the following message in /var/log/messages:

(…)
Nov  7 20:00:32 hal /bsd: ugen0 at uhub0
Nov  7 20:00:32 hal /bsd: port 1 "Ralink 802.11 bg WLAN" rev 2.00/0.01 addr 2
(…)

What just happened? The dongle is not recognized and the generic USB driver is associated with it.

Digging a bit in the manuals, I found that the rum manual on my OpenBSD does not have the D-Link DWA-110 in its hardware list. In fact, the online manual is more up to date than the one in OpenBSD which is already at least two weeks old… So my dongle will be supported in the next OpenBSD release.

So what? Can’t do anything to fix that?

Compiling the kernel

The problem here is just that OpenBSD does not know that the D-Link DWA-110 works with the current rum driver.

It’s quite easy to change that, but it requires recompiling OpenBSD’s kernel and rebooting.

First, download kernel sources:

# cd /usr/src
# wget ftp://ftp.crans.org/pub/OpenBSD/4.4/sys.tar.gz
# tar zxvf sys.tar.gz

Then, add the relevant changes to the drivers source files and the USB devices list.

  • Add the following line in the file /usr/src/sys/dev/usb/if_rum.c in the vendors/products list:
{ USB_VENDOR_DLINK2,            USB_PRODUCT_DLINK2_DWA110 },
  • In /usr/src/sys/dev/usb/usbdevs in the D-Link products add:
product DLINK2 DWA110           0x3c07  DWA-110
  • In /usr/src/sys/dev/usb/usbdevs_data.h in the usb_known_products structure add:
{
    USB_VENDOR_DLINK2, USB_PRODUCT_DLINK2_DWA110,
    "DWA-110",
},
  • And in /usr/src/sys/dev/usb/usbdevs.h:
#define USB_PRODUCT_DLINK2_DWA110       0x3c07          /* DWA-110 */

Then compile the kernel and reboot (this can be a bit long, especially on a slow computer like my fit-PC, it was about half an hour):

# cd /usr/src/sys/arch/`arch -s`/conf
# config GENERIC
# cd ../compile/GENERIC/
# make depend
# make
# make install
# reboot

Now we can check the USB devices:

# usbdevs -dv
Controller /dev/usb0:
addr 1: full speed, self powered, config 1, OHCI root hub(0x0000), AMD(0x1022), rev 1.00
  uhub0
 port 1 addr 2: full speed, power 300 mA, config 1, 802.11 bg WLAN(0x3c07), Ralink(0x07d1), rev 0.01
  rum0
 port 2 powered
 port 3 powered
 port 4 powered

The rum driver is associated with the D-Link dongle.

We can see that it uses around 300 mA on a 5 V USB power source, so I assume that the dongle is using 1.5 W. My current WIFI router consumes 4 W.

The fit-PC was consuming 3.7 W, now with the dongle plugged in and running it consumes 5.5 W, that’s 1.8 W for the dongle, not so far from the theory.

Anyway, it seems that DWA-110 was already in “-current”, so it should have been in November’s release.


OpenBSD 4.4

Every 6 months, the new version of OpenBSD is released (on May 1 and November 1).

OpenBSD is known to be the most secure operating system, and that’s why I use it as a router/firewall (on my fit-PC).

OpenBSD 4.4

Today’s version is 4.4. New stuff in this release:

  • More platforms supported, better support for some existing ones.
  • Lots of drivers updates.
  • Updated shipped software (like OpenSSH, OpenSSL).
  • Lots of improvements.

You can also have a look at the full list of changes.

Upgrade

Upgrading OpenBSD is very easy. In my case I downloaded the installation ISO, burned it on a CD and booted on it.

After some questions (for most of them I just had to press enter), a check disk, 10 minutes to copy the files and reboot, the system was up again, working fine.

Upgrading took 20 minutes in total (between the moment I powered down the router and the moment it was operational with the new version). Most of the time was used to copy and install files, boot and check the disk (the fit-PC is not a very fast computer). The upgrade software asked me around 15 questions; for most of them the default value was the right one, for some others I had to enter either yes or done, that’s all.

Theme and Song

Each version of OpenBSD has a theme. For 4.4 it’s inspired by Star Wars:

And with every release, there is a song: “Trial of the BSD Knights” (sounds a bit like Cantina Band).

Lyrics are available as well as the song files (as MP3 and OGG Vorbis).

Donations

OpenBSD is a very good operating system, open source, all that for free.

You can help them by coding, filing bug reports, translating documentation, giving hardware to developers, buying the OpenBSD CDROM, audio CD, or simply by giving money.

I had my first OpenBSD by buying the OpenBSD 3.4 CDROM 5 years ago (I also bought a T-shirt).

This year I gave a small amount of money via PayPal.

Helping them will help the overall security of the internet. Several tools from OpenBSD are now widely used on other operating systems (like OpenSSH, which is now shipped with nearly all *nix systems (including Apple's Mac OS X)).


fit-PC

The low-power computer, ideal as a router or for checking e-mail and browsing the web.

Plot

Until recently, I was using an old desktop computer as a router.

It broke down and I replaced it in a hurry with a very unstable assembly of spare parts from various computers I had lying around at home. But this could only be a temporary solution. I started looking for a computer to replace it.

Casting

Since the purpose of this machine is to act as a router, a small low-power configuration is more than enough. My constraints are the following:

  • Low power consumption (a router runs 24/7, in the long run that can get expensive on the electricity bill and it is really not environmentally friendly).
  • 2 ethernet ports available (in order to have a simplified network configuration)
  • OpenBSD must be able to run on it (it is the operating system I use for my router).

For some time I had been looking at the machines from Soekris, but I finally went for a fit-PC from CompuLab.

Measurements

  • CPU: AMD Geode LX800 500 MHz
  • RAM: 256 MB
  • HDD: IDE 60 GB
  • 2 ethernet ports 10/100 Mbps
  • 2 USB 2.0 ports
  • Consumption: 3 to 5 W in normal use.
  • Pre-installed with Ubuntu and Gentoo in dual boot, but on the forums one can read that OpenBSD works.

Photo shoot


The moment of truth

If you have a sharp eye and some idea of power consumption figures, you may be thinking: “3 to 5 watts in normal use, more marketing talk, with a normal use that matches nobody's”.

In any case, that is what I thought. So I bought a wattmeter.

Here are the results:

  • Plugged in, switched off: 0 W (and that is not the case for all computers)
  • In the BIOS: 4.4 W (not a very promising start)
  • Max during the Linux boot: 6.7 W (that draws a lot…)
  • Idle under Linux: < 5 W
  • OpenBSD doing its router job: between 3.5 and 4.5 W (generally at 3.7 W)

Well, as far as I am concerned, the advertised consumption of 3 to 5 W is easily met, since the fit-PC generally draws 3.7 W at my place.

The bill

CompuLab is an Israeli company; it has a reseller in England.

Price of the fit-PC: £260.93

Once converted to euros via PayPal: €343.12

Conclusion

After using it for a while, I would say that the fit-PC is an ideal machine for a router (more than powerful enough and with very low power consumption), but I have some reservations about using it as a computer for browsing the internet.

And I think they are aware of this at CompuLab, since they are about to release the fit-PC Slim: 40% smaller, with WiFi, 512 MB of RAM and an extra USB port.

The amount of memory was a bit tight, but I think the 512 MB of the fit-PC Slim are enough. On the other hand, it has one fewer ethernet port and consumption in normal use goes up by 1 watt.