User Manual
From X-Wrt
X-Wrt: User Manual
Navigating the X-Wrt Webif
Make sure you install the Adobe SVG Viewer if you want Graphs to work!
Tabs and buttons
- Tabs
- Info
- Graphs
- Status
- Log
- System
- Network
- VPN
- Hotspot
- Reboot
- Buttons
- Apply Changes
- Clear Changes
- Review Changes
- Save Changes (contextual)
Remember to always Save and then Apply the changes, else they won't be activated!
Basic setup
This covers the typical situation at home, or in a smaller place, with relatively few clients and minimal to medium security levels.
Root Password
Why should I set a Root Password?
- You need to set a root password in order to keep strangers out of your router. The webif also does not allow you to configure your router until you enter a root password.
How is it done?
- You can set a root password by entering 'passwd root' at your router's command prompt, or by accessing the webif.
What is the best Root Password?
- A good root password is one that is more than 8 characters in length and uses a mix of upper and lower case letters, numbers and symbols.
How can I "recover" if I have forgotten my Root Password?
- If you flashed a squashfs image (the only prebuilt option as of RC6), you can use the failsafe mode to get into your router and reset the password. This is described in the OpenWrt wiki [1].
Enable boot_wait
Why must I enable boot_wait?
- Enabling boot_wait is the only way to recover the router firmware after a crash. Enabling this option costs only a few seconds during startup and is strongly recommended.
What is tftp and how do I recover from an upgrade gone wrong?
- tftp is the method used for uploading or recovering the firmware during the boot_wait period.
WAN and LAN settings
Wireless settings
- ESSID
- Broadcast
- Wireless modes (a, b etc.)
Security
- MAC address authentication
- WEP/WPA keys
- Radius
Firewall
A firewall's basic task is to transfer traffic between computer networks of different trust levels. Typical examples are the Internet which is a zone with no trust and an internal network which is a zone of higher trust. A zone with an intermediate trust level, situated between the Internet and a trusted internal network, is often referred to as a "perimeter network" or Demilitarized zone (DMZ).
A firewall's function within a network is similar to firewalls in building construction, because in both cases they are intended to isolate one "network" or "compartment" from another. However, network firewalls, unlike physical firewalls, are designed to allow some traffic to flow.
Without proper configuration, a firewall can often become worthless. Standard security practice dictates a "default-deny" firewall ruleset, in which the only network connections allowed are the ones that have been explicitly permitted. Unfortunately, such a configuration requires a detailed understanding of the network applications and endpoints required for the organization's day-to-day operation. Many businesses lack such understanding, and therefore implement a "default-allow" ruleset, in which all traffic is allowed unless it has been specifically blocked. This configuration makes inadvertent network connections and system compromise much likelier.
Default configuration
The default configuration for the firewall is to drop everything coming in from the WAN interface, i.e. no open ports.
Port Forwarding
To access the port forwarding configuration, click Network followed by Firewall. To open a port and then forward it to an IP address within your network, select Forward from the New Rule drop-down menu and click Add. You will then be presented with a drop-down menu, a Forward To field and a Port field. Fill in the IP address you will be forwarding traffic to in the Forward To field. In the Port field, fill in the port number you wish to send traffic to on the IP entered in the Forward To field.
In the drop-down menu with the Add button next to it, select Protocol and click Add. This will add a Protocol drop-down menu, where you can select TCP or UDP. (Note: if you want to forward both UDP and TCP, do not add the drop-down; both will be forwarded by default.) If the port you are coming in on from the Internet / WAN differs from the Port value entered previously, you will need to select Destination Ports from the drop-down menu next to the Add button and then click Add. You will then see a Destination Ports field where you can enter a single value or a range (e.g. 10-1000). Once you have entered the Destination Ports value, click Save and you should see something similar to the image below.
Important!: for port forwarding to work, you must then also add an Accept for the same destination port or port range.
You can also achieve the same results by editing /etc/config/firewall and adding the following line:
forward:proto=tcp dport=443:192.168.1.12:22
Note: This is only an example of how to forward port 443 from the Internet to 192.168.1.12 port 22 on your LAN, but with a few changes you can adapt it to your needs.
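The forward line above expanded into the DNAT plus the ACCEPT rule that must accompany it, as an added example that is not from the X-Wrt manual or project. It assumes the White Russian /etc/firewall.user chain names prerouting_wan and forwarding_wan, and that a dport range may be written in the webif's 10-1000 form.

```shell
#!/bin/sh
# Added example, not from the X-Wrt manual: expand one /etc/config/firewall
# "forward:" line into the iptables pair it needs: the DNAT in prerouting_wan
# and the ACCEPT the manual says must accompany it. The ACCEPT sits in
# forwarding_wan and matches the post-DNAT destination (LAN ip and LAN port).
# Chain names follow the OpenWrt White Russian /etc/firewall.user convention;
# that is an assumption, so confirm them with `iptables -L -n` on your router.
# Normalise a port spec: "443", webif-style "10-1000" or "10:1000" -> iptables form.
norm_ports() {
    p=$(printf '%s' "$1" | tr '-' ':')
    case "$p" in ''|:*|*:|*[!0-9:]*|*:*:*) return 1 ;; esac
    lo=${p%%:*}; hi=${p##*:}
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ] || return 1
    printf '%s\n' "$p"
}
valid_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}
# xwrt_forward_rules 'forward:proto=tcp dport=443:192.168.1.12:22'
# Prints a DNAT + ACCEPT pair per protocol; with no proto= both tcp and udp are
# emitted, mirroring the webif's "both forwarded by default" behaviour.
xwrt_forward_rules() {
    old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] && [ "$1" = forward ] || { echo "bad spec: $*" >&2; return 1; }
    lan_ip=$3; proto=''; dport=''
    for kv in $2; do
        case "$kv" in
            proto=tcp|proto=udp) proto=${kv#proto=} ;;
            dport=*) dport=${kv#dport=} ;;
            *) echo "unsupported match: $kv" >&2; return 1 ;;
        esac
    done
    wan_ports=$(norm_ports "$dport") || { echo "bad dport: $dport" >&2; return 1; }
    lan_port=$(norm_ports "$4") || { echo "bad LAN port: $4" >&2; return 1; }
    case "$lan_port" in *:*) echo "LAN port must be a single port" >&2; return 1 ;; esac
    valid_ipv4 "$lan_ip" || { echo "bad LAN ip: $lan_ip" >&2; return 1; }
    for pr in ${proto:-tcp udp}; do
        printf '%s\n' "iptables -t nat -A prerouting_wan -p $pr --dport $wan_ports -j DNAT --to-destination $lan_ip:$lan_port"
        printf '%s\n' "iptables -A forwarding_wan -p $pr -d $lan_ip --dport $lan_port -j ACCEPT"
    done
}
xwrt_forward_rules 'forward:proto=tcp dport=443:192.168.1.12:22'
```

Review the printed rules before appending them to /etc/firewall.user; the script deliberately prints rather than executes them.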
P2P
Do I need to do anything?
Firewall tips and tricks
Disable ICMP echo reply
The following configuration will drop all packets with protocol ICMP, type 8 (Echo Request), coming in from the WAN interface. Your router will not respond to these packets, e.g. a ping command targeted at your router from the outside will report nothing (no reply).
Place the following rule into /etc/firewall.user:
iptables -A input_wan -p icmp --icmp-type 8 -j DROP
Quotes from RFC1812:
- A router SHOULD have a configuration option that, if enabled, causes the router to silently ignore all ICMP echo requests; if provided, this option MUST default to allowing responses.
- A router MUST implement an ICMP Echo server function that receives Echo Requests sent to the router, and sends corresponding Echo Replies.
Note:
- This type of ICMP packet serves a diagnostic purpose; by dropping it you lose that diagnostic capability for your router.
- Bear in mind that disabling it is not strictly necessary, as there are other ways to discover the type of the device and the software it is running.
WARNING: You are making these changes at your own risk!
Disable traceroute response
The following configuration will drop all packets with protocol ICMP, type 11 (Time Exceeded), outgoing from the WAN interface. Your router will not return this information to ICMP-based traceroute or other applications. Any connection with protocol UDP on ports 33434:33454 will be silently dropped too, returning no information to the standard Linux traceroute program.
Place the following rules into /etc/firewall.user:
iptables -t nat -A prerouting_wan -p icmp --icmp-type 11 -j DROP
iptables -A input_wan -p udp --dport 33434:33454 -j DROP
Quotes from RFC1812:
- A router MUST generate a Time Exceeded message Code 0 (In Transit) when it discards a packet due to an expired TTL field. A router MAY have a per-interface option to disable origination of these messages on that interface, but that option MUST default to allowing the messages to be originated.
Note:
- These types of ICMP packet and UDP response serve a diagnostic purpose; by dropping them you lose that diagnostic capability for your router.
- Bear in mind that disabling them is not strictly necessary, as there are other ways to discover the type of the device and the software it is running.
- Note that the traceroute application can use any other port range instead of the standard one.
WARNING: You are making these changes at your own risk!
Advanced configuration
- VPN
- Hotspot
- Quality of Service
Extending it further?
More advanced use of OpenWrt with the X-Wrt Extensions?
- Asterisk
Real world examples
Firmware: OpenWrt Kamikaze - With X-Wrt Extensions 8.09
Kernel: Linux 2.4.35.4 #3 Tue Apr 28 00:23:52 CDT 2009
Device: Linksys WRT54G/GS/GL
Board: Broadcom BCM4712 chip rev 1
Web mgt. console: Webif²
Version: r4743
Network-Networks page
- LAN To make all computers/devices you plug into LAN ports see the router as 192.168.1.1 (a typical setup).
Connection Type: Static IP
Type: Bridged
IP: Typically 192.168.1.1 [2]
Netmask: Typically 255.255.255.0 [3]
- WAN This is a non-typical setup. This makes the router establish a PPPoE session through a DSL modem. (you must disable PPPoE on the modem first).
Mac Address: This can be whatever you want. [4]
Username and Password: Provided by your ISP or defined by you when you set up your service.
Redial Policy: Keep Alive = always-on internet connection; Connect on Demand = dials as needed.
Timeout: How long to wait if connection is dropped before redialing.
MTU: Set by ISP in your modem. Copy it from modem settings page. [5]
Default Route: Makes this the outbound-to-internet route, router will send outbound traffic through this connection if not specified in a packet. [6]
Network-Interfaces page
The port numbers and what they correspond to vary on some routers. On the WRT54G: (0 is WIFI, 1-4 are LAN ports, 5 is WAN port).
These settings mean LAN and WIFI are on separate VLANs, but both have access to the WAN (internet).
Network-Wireless page

