User Manual
From X-Wrt
X-Wrt: User Manual
Navigating the X-Wrt Webif
Make sure you install the Adobe SVG Viewer if you want Graphs to work!
Tabs and buttons
- Tabs
  - Info
  - Graphs
  - Status
  - Log
  - System
  - Network
  - VPN
  - Hotspot
  - Reboot
- Buttons
  - Apply Changes
  - Clear Changes
  - Review Changes
  - Save Changes (contextual)
Remember to always Save and then Apply the changes, else they won't be activated!
Basic setup
This covers the typical situation at home, or in a smaller place, with relatively few clients and minimal to medium security levels.
Root Password
Why should I set a Root Password?
- You need to set a root password in order to keep strangers out of your router. The webif also does not allow you to configure your router until you enter a root password.
How is it done?
- You can set a root password by entering 'passwd root' at your router's command prompt, or by accessing the webif.
What is the best Root Password?
- A good root password is one that is more than 8 characters in length and uses a mix of upper and lower case letters, numbers and symbols.
How can I "recover" if I have forgotten my Root Password?
- If you flashed a squashfs image (only prebuilt option as of RC6), you can use the failsafe mode to get into your router and reset the password. This is described in the OpenWrt wiki [1]
Enable boot_wait
Why must I enable boot_wait?
- Enabling boot_wait is the only way to recover the router firmware after a crash. It costs only a few seconds at startup and is strongly recommended.
What is tftp, and how do I recover from an upgrade gone wrong?
- tftp is the method used to upload or recover the firmware during the boot_wait window.
WAN and LAN settings
Wireless settings
- ESSID
- Broadcast
- Wireless modes (a, b etc.)
Security
- MAC address authentication
- WEP/WPA keys
- Radius
Firewall
A firewall's basic task is to control traffic between computer networks of different trust levels. Typical examples are the Internet, which is a zone with no trust, and an internal network, which is a zone of higher trust. A zone with an intermediate trust level, situated between the Internet and a trusted internal network, is often referred to as a "perimeter network" or demilitarized zone (DMZ).
A firewall's function within a network is similar to firewalls in building construction, because in both cases they are intended to isolate one "network" or "compartment" from another. However, network firewalls, unlike physical firewalls, are designed to allow some traffic to flow.
Without proper configuration, a firewall can often become worthless. Standard security practice dictates a "default-deny" firewall ruleset, in which the only network connections permitted are the ones that have been explicitly allowed. Unfortunately, such a configuration requires a detailed understanding of the network applications and endpoints required for the organization's day-to-day operation. Many businesses lack such understanding, and therefore implement a "default-allow" ruleset, in which all traffic is allowed unless it has been specifically blocked. This configuration makes inadvertent network connections and system compromise much likelier.
Default configuration
The default configuration for the firewall is to drop everything coming in from the WAN interface, i.e. no open ports.
Port Forwarding
To access the port forwarding configuration, click Network followed by Firewall. To open a port and forward it to an IP address within your network, select Forward from the New Rule drop-down menu and click Add. You will then be presented with a drop-down menu, a Forward To field and a Port field. Fill in the IP address you will be forwarding traffic to in the Forward To field. In the Port field, fill in the port number you wish to send traffic to on the IP entered in the Forward To field.
In the drop-down menu with the Add button next to it, select Protocol and click Add. This will add a Protocol drop-down menu, where you can select TCP or UDP. (Note: if you want to forward both UDP and TCP, do not add the drop-down; both will be forwarded by default.) If the port you are coming in on from the Internet / WAN differs from the Port value entered previously, you will need to select Destination Ports from the drop-down menu next to the Add button and then click Add. You will then see a Destination Ports field where you can enter a single value or a range (e.g. 10-1000). Once you have entered the Destination Ports value, click Save and you should see something similar to the image below.
You can also achieve the same results by editing /etc/config/firewall and adding the following line:
forward:proto=tcp dport=443:192.168.1.12:22
Note: This is only an example of how to forward port 443 from the Internet to 192.168.1.12 port 22 on your LAN, but with a few changes you can apply it to your needs.
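As an added example (not from the X-Wrt wiki or its firewall scripts), the POSIX sh function below validates a forward: line in this format and prints the iptables rules it corresponds to, so a rule can be checked before it is loaded. The chain name prerouting_wan comes from this page; forwarding_wan, and the DNAT plus ACCEPT pair as the meaning of the line, are assumptions.

```shell
#!/bin/sh
# Added example (not X-Wrt's own code): expand a White Russian style
# "forward:" line from /etc/config/firewall into the iptables rules it stands
# for, validating every field first. Chain names prerouting_wan and
# forwarding_wan follow the page's naming (assumption). Prints the rules on
# success; on malformed input reports to stderr and returns 1.

valid_port() {                      # single port or low-high range, 1..65535
    case "$1" in *[!0-9-]*|''|-*|*-) return 1 ;; esac
    lo=${1%%-*}; hi=${1##*-}
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

valid_ip() {                        # dotted quad, every octet 0..255
    case "$1" in *[!0-9.]*|''|.*|*.) return 1 ;; esac
    oIFS=$IFS; IFS=.; set -- $1; IFS=$oIFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ -n "$o" ] && [ "$o" -le 255 ] || return 1; done
}

forward_to_iptables() {
    spec=${1#forward:}
    [ "$spec" != "$1" ] || { echo "not a forward rule: $1" >&2; return 1; }
    proto=""                        # no proto= field means both TCP and UDP
    case "$spec" in
        proto=*) proto=${spec%% *}; proto=${proto#proto=}; spec=${spec#* } ;;
    esac
    case "$proto" in ''|tcp|udp) ;; *) echo "bad proto: $proto" >&2; return 1 ;; esac
    case "$spec" in
        dport=*) spec=${spec#dport=} ;;
        *) echo "missing dport in: $1" >&2; return 1 ;;
    esac
    # layout is <wan port>:<lan ip>:<lan port>; peel the last two fields off
    lanport=${spec##*:}; spec=${spec%:*}
    lanip=${spec##*:}; wanport=${spec%:*}
    valid_port "$wanport" && valid_port "$lanport" && valid_ip "$lanip" ||
        { echo "bad port or address in: $1" >&2; return 1; }
    wp=$(echo "$wanport" | tr '-' ':'); lp=$(echo "$lanport" | tr '-' ':')
    for p in ${proto:-tcp udp}; do
        # rewrite the destination on the WAN side, then allow the forwarded flow
        echo "iptables -t nat -A prerouting_wan -p $p --dport $wp -j DNAT --to-destination $lanip:$lanport"
        echo "iptables -A forwarding_wan -p $p -d $lanip --dport $lp -j ACCEPT"
    done
}
```

Run it as `forward_to_iptables 'forward:proto=tcp dport=443:192.168.1.12:22'` to see the two rules the page's example expands to; a line with a bad protocol, port or address is rejected instead of being turned into a rule.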
P2P
Do I need to do anything?
Firewall tips and tricks
Disable ICMP echo reply
The following configuration will drop all ICMP packets of type 8 (Echo Request) coming in on the WAN interface. Your router will not respond to these packets, e.g. a ping aimed at your router from outside will get no reply.
Place the following rule into /etc/firewall.user:
iptables -A input_wan -p icmp --icmp-type 8 -j DROP
Quotes from RFC1812:
- A router SHOULD have a configuration option that, if enabled, causes the router to silently ignore all ICMP echo requests; if provided, this option MUST default to allowing responses.
- A router MUST implement an ICMP Echo server function that receives Echo Requests sent to the router, and sends corresponding Echo Replies.
Note:
- This ICMP type serves a diagnostic purpose; dropping it means you lose that diagnostic capability for your router.
- Bear in mind that disabling it is not strictly necessary, as there are other ways to discover the type of device and the software it is running.
WARNING: You are making these changes at your own risk!
Disable traceroute response
The following configuration will drop all ICMP packets of type 11 (Time Exceeded) outgoing from the WAN interface. Your router will not return this information to ICMP-based traceroute or other applications. UDP packets to ports 33434:33454 will be silently dropped too, so the standard Linux traceroute program gets nothing back either.
Place the following rules into /etc/firewall.user:
iptables -t nat -A prerouting_wan -p icmp --icmp-type 11 -j DROP
iptables -A input_wan -p udp --dport 33434:33454 -j DROP
Quotes from RFC1812:
- A router MUST generate a Time Exceeded message Code 0 (In Transit) when it discards a packet due to an expired TTL field. A router MAY have a per-interface option to disable origination of these messages on that interface, but that option MUST default to allowing the messages to be originated.
Note:
- These ICMP and UDP responses serve a diagnostic purpose; dropping them means you lose that diagnostic capability for your router.
- Bear in mind that disabling them is not strictly necessary, as there are other ways to discover the type of device and the software it is running.
- Note that traceroute can be told to use ports outside the standard range.
WARNING: You are making these changes at your own risk!
Advanced configuration
- VPN
- Hotspot
- Quality of Service
Extending it further?
More advanced use of OpenWrt with the X-Wrt Extensions?
- Asterisk
Real world examples
It would be really nice to have a number of examples of actual set-ups, similar in form to a howto?