FIXME **the document needs tidying up!! styling!!**

I installed the OpenWrt Kamikaze 7.09 firmware from the root filesystem image openwrt-atheros-2.6-root.jffs2-64k and the kernel image openwrt-atheros-2.6-vmlinux.lzma. I put both files on a TFTP server (at IP 192.168.1.166) and, while the router was booting, connected to it:

    telnet 192.168.1.254 9000

and ran on it:

    ip_addr -h 192.168.1.166 -l 192.168.1.254/24
    fis init
    load -r -v -b %{FREEMEMLO} openwrt-atheros-2.6-root.jffs2-64k
    fis create -f 0xA8030000 -l 0x006F0000 -e 0x00000000 rootfs
    load -r -v -b %{FREEMEMLO} openwrt-atheros-2.6-vmlinux.lzma
    fis create -r 0x80041000 -e 0x80041000 vmlinux.bin.l7
    reset

I logged in with telnet to 192.168.1.1 and set the root password.

    /etc/init.d/firewall stop
    /etc/init.d/firewall disable
    echo -n > /etc/firewall.user
    echo -n > /etc/config/firewall

In /etc/config/network I set the IP to 192.168.10.1 and ran:

    /etc/init.d/network restart

and logged in again over SSH (having first changed my own IP accordingly).

In /lib/network/config.sh I changed:

    ifconfig "$iface" down

to:

    ifconfig "$iface" down 2>/dev/null >/dev/null

and:

    # Interface settings
    config_get mtu "$config" mtu
    config_get macaddr "$config" macaddr
    $DEBUG ifconfig "$iface" ${macaddr:+hw ether "$macaddr"} ${mtu:+mtu $mtu} up
    uci set "/var/state/network.$config.ifname=$iface"

to:

    # Interface settings (if not an alias)
    if [ "${iface##*:}" = "$iface" ]; then
        config_get mtu "$config" mtu
        config_get macaddr "$config" macaddr
        $DEBUG ifconfig "$iface" ${macaddr:+hw ether "$macaddr"} ${mtu:+mtu $mtu} up
    fi
    uci set "/var/state/network.$config.ifname=$iface"

In /etc/hotplug.d/net/10-net I added at the beginning, right after the include:

    setup_interface_if_auto() {
        local cfg="$(find_config "$1")"

        # check the autoload setting
        config_get auto "$cfg" auto
        case "$auto" in
            1|on|enabled) setup_interface "$1";;
            *) return 1 ;;
        esac
    }

and changed:

    local cfg="$(find_config "$INTERFACE")"

    # check the autoload setting
    config_get auto "$cfg" auto
    case "$auto" in
        1|on|enabled) setup_interface "$INTERFACE";;
    esac

to:

    if setup_interface_if_auto "$INTERFACE"; then
        # Setup interface aliases
        for ifc in $interfaces; do
            config_get dev "$ifc" ifname
            [ "${dev%%:*}" = "$INTERFACE" -a "$dev" != "$INTERFACE" ] && {
                setup_interface_if_auto "$dev"
            }
        done
    fi

I set /etc/config/network to:

    config interface loopback
        option ifname lo
        option proto static
        option ipaddr 127.0.0.1
        option netmask 255.0.0.0

    config interface wifi
        option ifname "ath0"
        option proto static
        option ipaddr 10.16.201.161
        option netmask 255.255.255.224

    config interface mesh
        option ifname "ath0:0"
        option proto static
        option ipaddr 10.14.0.17
        option netmask 255.255.0.0

    config interface wan
        option ifname "eth0"
        option proto dhcp

    config interface fallback
        option ifname "eth0:0"
        option proto static
        option ipaddr 169.254.189.120
        option netmask 255.255.0.0

In /etc/config/wireless:

    config wifi-device wifi0
        option type atheros
        option channel 8
        option mode 11g
        option diversity 0
        option txantenna 1
        option rxantenna 1

    config wifi-iface
        option device wifi0
        option network wifi
        option mode adhoc
        option ssid open.kiberpipa.net
        option bssid 02:CA:FF:EE:BA:BE
        option hidden 0
        option isolate 0
        option encryption none
        #option rts 250
        #option frag 512
        option bgscan 0

The rts and frag settings do not yet work properly in this version (r3314) of the madwifi module, so they are temporarily commented out.

In /etc/config/dhcp I set:

    config dhcp
        option interface wifi
        option start 162
        option limit 29
        option leasetime 3h
        option force 1

    config dhcp
        option interface mesh
        option start 0
        option limit 0
        option leasetime infinite
        option force 1

    config dhcp
        option interface wan
        option ignore 1

    config dhcp
        option interface fallback
        option ignore 1

Then:

    touch /etc/ethers

In /etc/dnsmasq.conf I set:

    domain-needed
    bogus-priv
    filterwin2k
    localise-queries
    local=/wifi/
    domain=wifi
    expand-hosts
    no-negcache
    no-resolv
    server=10.14.0.1
    server=10.14.0.2
    dhcp-authoritative
    dhcp-leasefile=/tmp/dhcp.leases
    read-ethers

It queries only the DNS servers inside the network.
In /etc/init.d/dnsmasq, after:

    append_bool "$cfg" ignore "-I $ifname"

I added:

    config_get_bool ignore "$cfg" ignore
    [ "$ignore" -gt 0 ] && return 0

because otherwise a range can still be added to dnsmasq even though ignore is set. I also replaced:

    limit="$((${limit:-150} + 1))"

with (so that it calculates a little more correctly):

    limit="${limit:-150}"

and after:

    eval "$(ipcalc.sh $ipaddr $netmask $start $limit)"

added:

    if [ "$limit" = "0" ]; then
        END=static
    fi

to support a DHCP server that serves static leases only (when limit is set to 0).

In /etc/config/system:

    config system
        option hostname rog-4

Then:

    reboot

I logged in to 169.254.189.120. Because I needed an uplink (169.254.189.100 is the IP of the computer from which I was logged in to the router, since I was using the fallback settings):

    route add default gw 169.254.189.100 dev eth0:0 metric 100
    route add -host 193.164.137.78 gw 169.254.189.100 dev eth0:0
    route add -host 91.185.199.246 gw 169.254.189.100 dev eth0:0
    echo "nameserver 193.2.1.66" > /etc/resolv.conf

At the top of /etc/ipkg.conf I added:

    src wifi http://ipkg.stargate.si/mips

Then:

    ipkg update
    ipkg upgrade

This upgraded busybox to our package.

    ipkg upgrade

This also upgraded the kmod-madwifi module.
    ipkg install kmod-softdog
    reboot

I set up the uplink once more and then ran:

    ipkg install ntpclient
    dropbearkey -t dss -s 1024 -f /etc/dropbear/dropbear_dss_host_key.new
    dropbearkey -t rsa -s 2048 -f /etc/dropbear/dropbear_rsa_host_key.new
    mv /etc/dropbear/dropbear_dss_host_key.new /etc/dropbear/dropbear_dss_host_key
    mv /etc/dropbear/dropbear_rsa_host_key.new /etc/dropbear/dropbear_rsa_host_key

I created the file /etc/init.d/date:

    #!/bin/sh /etc/rc.common

    START=35

    start() {
        date 060100002008
    }

Then:

    chmod +x /etc/init.d/date
    /etc/init.d/date enable
    /etc/init.d/date start
    ipkg install openvpn
    mkdir /etc/openvpn/

In /etc/openvpn/wlanlj.conf:

    client
    proto udp
    dev tap0
    remote 193.164.137.78 9999
    remote 91.185.199.246 9999
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ns-cert-type server
    comp-lzo
    daemon
    auth-user-pass /etc/openvpn/wlanlj.pass
    auth-retry nointeract
    cipher BF-CBC
    ifconfig 10.14.0.17 255.255.0.0
    writepid /var/run/openvpn.pid
    verb 3
    mute 20
    user nobody
    group nogroup
    ca /etc/openvpn/wlanlj-ca.crt
    tls-auth /etc/openvpn/wlanlj-ta.key 1

In /etc/default/openvpn:

    CONFIG="/etc/openvpn/wlanlj.conf"
    OPTIONS="--config $CONFIG"

In /etc/openvpn/wlanlj.pass I entered the username and the password, each on its own line. I copied wlanlj-ca.crt and wlanlj-ta.key into /etc/openvpn and made all three files readable only by the root user.
    ipkg install olsrd

I set /etc/olsrd.conf to:

    DebugLevel 0
    IpVersion 4
    ClearScreen yes

    Hna4
    {
        10.16.201.160 255.255.255.224
    }

    AllowNoInt yes
    UseHysteresis no
    LinkQualityLevel 2
    LinkQualityWinSize 100
    Pollrate 0.1
    NicChgsPollInt 3.0
    TcRedundancy 2
    MprCoverage 1

    Interface "ath0:0"
    {
        HelloInterval 4.0
        HelloValidityTime 80.0
        TcInterval 8.0
        TcValidityTime 160.0
        MidInterval 8.0
        MidValidityTime 160.0
        HnaInterval 8.0
        HnaValidityTime 160.0
    }

    Interface "tap0"
    {
        HelloInterval 4.0
        HelloValidityTime 80.0
        TcInterval 8.0
        TcValidityTime 160.0
        MidInterval 8.0
        MidValidityTime 160.0
        HnaInterval 8.0
        HnaValidityTime 160.0
        LinkQualityMult default 0.44
    }

In /etc/sysctl.conf I set:

    dev.wifi0.diversity=0
    dev.wifi0.rxantenna=1
    dev.wifi0.txantenna=1
    net.ipv4.conf.default.arp_announce=1
    net.ipv4.conf.all.arp_announce=1

In /etc/modules.d/50-madwifi I set:

    ath_ahb countrycode=0 outdoor=1

Then:

    ipkg remove bridge ppp-mod-pppoe kmod-pppoe ppp kmod-ppp
    ipkg install ip nmap tcpdump ngrep

In /usr/share/udhcpc/default.script I changed:

    route add default gw $i dev $interface

to:

    route add default gw $i dev $interface metric 100

and:

    $(route -n | awk '/^0.0.0.0\W{9}('$valid')\W/ {next} /^0.0.0.0/ {print "route del -net "$1" gw "$2";"}')

to (so that it cleans up only its own routes and not other default routes):

    $(route -n | awk '/^0.0.0.0\W{9}('$valid')\W/ {next} !/('$interface')$/ {next} /^0.0.0.0/ {print "route del -net "$1" gw "$2" metric 100;"}')

This way the connection over DHCP has a lower priority than the one through the network (OLSR, through its weighting, takes care that the wireless link has a higher priority than the VPN).

In /etc/hotplug.d/iface/10-routes, in add_route(), before:

    [ -n "$gateway" ] || {

I added:

    [ "$gateway" = "auto" ] && {
        # Get the gateway from the interface configuration
        config_get gateway "$interface" gateway
    }

This way I do not have to configure the exact IP of the gateway, which I do not know in advance anyway for a DHCP wan connection.
Because the routers generally have two default routes, it has to be arranged that connections made from outside through one of them also go back the same way. For example, if a ping arrives via one default route (because it is probably connected to other networks), the reply must return the same way rather than trying to return via the node's default route.

    mkdir /etc/iproute2/
    echo "8 wan" > /etc/iproute2/rt_tables

In /etc/hotplug.d/iface/10-routes I added to the part that reads the settings:

    config_get table "$config" table

removed these parts:

    config_get netmask "$config" netmask

    netmask="${netmask:-255.255.255.255}"
    dest="${netmask:+-net "$target" netmask "$netmask"}"
    dest="${dest:--host "$target"}"

    [ -n "$gateway" ] || {
        echo "Missing gateway in route section $config"
        return 1
    }

added after the [ "$gateway" = "auto" ] block:

    wasnetwork=0
    [ "$target" = "network" ] && {
        config_get ipaddr "$interface" ipaddr
        config_get netmask "$interface" netmask
        target=`ipcalc.sh "$ipaddr" "$netmask" | grep NETWORK | cut -d "=" -f 2`/`ipcalc.sh "$ipaddr" "$netmask" | grep PREFIX | cut -d "=" -f 2`
        wasnetwork=1
    }

removed the comment for this whole part, "make sure there is a gateway and a target", because it is no longer accurate, and changed the main command to:

    /usr/sbin/ip route add $target ${gateway:+via "$gateway"} ${dev:+dev "$dev"} ${metric:+metric "$metric"} ${table:+table "$table"}

and after it added (slightly hardcoded behaviour):

    [ -n "$table" ] && {
        config_get ipaddr "$interface" ipaddr
        /usr/sbin/ip rule list | grep -q "from $ipaddr lookup $table" || /usr/sbin/ip rule add from "$ipaddr" pref 15000 table "$table"
        [ "$wasnetwork" != 0 ] || [ "$target" = "default" ] || /usr/sbin/ip rule list | grep -q "from all to $target lookup $table" || /usr/sbin/ip rule add to "$target" pref 20000 table "$table"
        /usr/sbin/ip rule list | grep -q "from all fwmark 0x100000/0x100000 lookup main" || /usr/sbin/ip rule add fwmark 0x100000/0x100000 pref 10000 table main
    }

At the end of /etc/config/network I then also added the routes through wan:

    config route wanvpn1
        option interface wan
        option target 193.164.137.78
        option gateway auto
        option metric 0
        option table wan

    config route wanvpn2
        option interface wan
        option target 91.185.199.246
        option gateway auto
        option metric 0
        option table wan

    config route wannetwork
        option interface wan
        option target network
        option metric 0
        option table wan

    config route wandefault
        option interface wan
        option target default
        option gateway auto
        option metric 0
        option table wan

This also preserves the routes to the VPN, because otherwise the connection to the VPN is lost as soon as a default route that goes through the VPN is added (since it has a lower metric). OLSR withdraws that default route again after a while, the VPN connection is re-established, and OLSR adds the route again ... In the meantime, for any user connected to the node the connection works for a while and then does not work for a while. When the default route through the VPN is withdrawn, the node sends the packets (because there is no firewall yet, although it would be a problem then as well) out of its wan, but the devices further along on the wan do not know this user's IP, and the node does not do NAT to hide the IP. So the connection does not work at that time. (To test this at this step, /proc/sys/net/ipv4/ip_forward must be 1 and the firewall must be correctly configured to allow forwarding.)
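The rule order that the modified 10-routes script installs can be walked by hand. The following is an added example, not part of the original page: it models the `ip rule` list (pref 10000, 15000, 20000, then the kernel's rule for main) and reports which table a packet is looked up in. The wan address 192.0.2.10 and the client and Internet addresses are constructed, and it assumes every selected table holds a matching route.

```shell
#!/bin/sh
# Added example: walks the `ip rule` list that the modified 10-routes script
# installs and reports which routing table a packet is looked up in.
# Assumption: every selected table holds a matching route (wan has a default).

WAN_IP=192.0.2.10                          # constructed: address wan got over DHCP
VPN_HOSTS="193.164.137.78 91.185.199.246"  # VPN servers from the page
VPN_MARK=1048576                           # 0x100000, set in mangle PREROUTING

# ip2int A.B.C.D -> 32-bit integer; always call as $(ip2int ...) so that the
# IFS change stays inside the command-substitution subshell
ip2int() {
    IFS=.
    set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_net ADDR NET/PREFIX -> true when ADDR lies inside NET/PREFIX
in_net() {
    prefix=${2#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# The rules in preference order, as "pref selector value table"
rules() {
    echo "10000 fwmark $VPN_MARK main"     # marked (forwarded) traffic stays in main
    echo "15000 from $WAN_IP/32 wan"       # replies sent from the wan address
    for host in $VPN_HOSTS; do
        echo "20000 to $host/32 wan"       # the node's own traffic to the VPN servers
    done
    echo "32766 all - main"                # kernel's default rule for table main
}

# pick_table SRC DST MARK -> table named by the first matching rule
pick_table() {
    src=$1 dst=$2 mark=$3
    while read -r pref kind value table; do
        case $kind in
            fwmark) [ $(( mark & value )) -eq "$value" ] || continue ;;
            from)   in_net "$src" "$value" || continue ;;
            to)     in_net "$dst" "$value" || continue ;;
        esac
        echo "$table"
        return 0
    done <<EOF
$(rules)
EOF
}

# Constructed packets: label, source, destination, firewall mark
while read -r what src dst mark; do
    echo "$what: table $(pick_table "$src" "$dst" "$mark")"
done <<EOF
reply-to-wan-ping   $WAN_IP        198.51.100.7    0
node-openvpn        0.0.0.0        193.164.137.78  0
client-to-vpn-host  10.16.201.170  91.185.199.246  $VPN_MARK
client-to-internet  10.16.201.170  198.51.100.7    0
EOF
```

The source 0.0.0.0 stands for a packet the node itself sends from an unbound socket, as OpenVPN does with nobind; on the router, `ip rule list` shows the real list to compare against.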
I set /etc/init.d/firewall to:

    #!/bin/sh /etc/rc.common

    START=45

    start() {
        include /lib/network
        scan_interfaces
        config_load /var/state/network

        config_get WIFI_IF wifi ifname
        config_get MESH_IF mesh ifname
        config_get LAN_IF lan ifname
        config_get LANMESH_IF lanmesh ifname
        config_get WAN_IF wan ifname
        config_get FALLBACK_IF fallback ifname

        config_get WIFI_ADDR wifi ipaddr
        config_get LAN_ADDR lan ipaddr
        config_get FALLBACK_ADDR fallback ipaddr

        config_get WIFI_MASK wifi netmask
        config_get LAN_MASK lan netmask
        config_get FALLBACK_MASK fallback netmask

        WIFI_DEV=${WIFI_IF%%:*}
        MESH_DEV=${MESH_IF%%:*}
        LAN_DEV=${LAN_IF%%:*}
        LANMESH_DEV=${LANMESH_IF%%:*}
        WAN_DEV=${WAN_IF%%:*}
        FALLBACK_DEV=${FALLBACK_IF%%:*}
        VPN_DEV="tap+"

        WIFI_IN="-i $WIFI_DEV -s $WIFI_ADDR/$WIFI_MASK"
        MESH_IN="-i $MESH_DEV -s ! $WIFI_ADDR/$WIFI_MASK"
        LAN_IN="-i $LAN_DEV -s $LAN_ADDR/$LAN_MASK"
        [ -n "$LAN_IF" ] && LANMESH_IN="-i $LANMESH_DEV -s ! $LAN_ADDR/$LAN_MASK" || LANMESH_IN="-i $LANMESH_DEV"
        WAN_IN="-i $WAN_DEV -s ! $FALLBACK_ADDR/$FALLBACK_MASK"
        FALLBACK_IN="-i $FALLBACK_DEV -s $FALLBACK_ADDR/$FALLBACK_MASK"
        VPN_IN="-i $VPN_DEV"

        WAN_OUT="-o $WAN_DEV -d ! $FALLBACK_ADDR/$FALLBACK_MASK"

        VPN_HOST1="193.164.137.78"
        VPN_HOST2="91.185.199.246"
        VPN_PORT="9999"

        # Clears everything, INPUT & OUTPUT policy ACCEPT, FORWARD policy DROP
        stop

        ### INPUT ###

        iptables -P INPUT DROP
        iptables -A INPUT -m state --state INVALID -j DROP
        iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP
        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A INPUT -i lo -j ACCEPT
        iptables -A INPUT $FALLBACK_IN -j ACCEPT

        # Allows node SSH from anywhere
        iptables -A INPUT -p tcp --dport 22 -j ACCEPT

        # Allows node HTTP from anywhere except wan
        [ -n "$WAN_IF" ] && iptables -A INPUT $WAN_IN -p tcp --dport 80 -j REJECT --reject-with icmp-net-prohibited
        iptables -A INPUT -p tcp --dport 80 -j ACCEPT

        # Allows node DNS from anywhere except wan
        [ -n "$WAN_IF" ] && iptables -A INPUT $WAN_IN -p tcp --dport 53 -j REJECT --reject-with icmp-net-prohibited
        [ -n "$WAN_IF" ] && iptables -A INPUT $WAN_IN -p udp --dport 53 -j REJECT --reject-with icmp-net-prohibited
        iptables -A INPUT -p tcp --dport 53 -j ACCEPT
        iptables -A INPUT -p udp --dport 53 -j ACCEPT

        # Allows captive portal
        iptables -A INPUT $WIFI_IN -p tcp --dport 2050 -j ACCEPT

        # Allows DHCP (broadcast)
        iptables -A INPUT -i $WIFI_DEV -p udp --sport 68 --dport 67 -j ACCEPT
        [ -n "$LAN_IF" ] && iptables -A INPUT -i $LAN_DEV -p udp --sport 68 --dport 67 -j ACCEPT

        # Allows OLSR (broadcast)
        iptables -A INPUT $MESH_IN -p udp --dport 698 -j ACCEPT
        [ -n "$LANMESH_IF" ] && iptables -A INPUT $LANMESH_IN -p udp --dport 698 -j ACCEPT
        iptables -A INPUT $VPN_IN -p udp --dport 698 -j ACCEPT

        # Allows useful ICMP (like ping)
        iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
        iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
        iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
        iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
        iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
        iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT

        # Allows traceroute
        iptables -A INPUT -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
        iptables -A INPUT -p icmp --icmp-type 30 -j ACCEPT

        ### FORWARD ###

        iptables -P FORWARD DROP
        iptables -A FORWARD -m state --state INVALID -j DROP
        iptables -A FORWARD -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP
        iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
        iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

        # Disallows routing OLSR packets in a network
        iptables -A FORWARD -p udp --dport 698 -j DROP

        # Disallows routing DHCP packets in a network
        iptables -A FORWARD -p udp --dport 67 -j DROP
        iptables -A FORWARD -p udp --sport 68 -j DROP

        # Disallows VPN connections to our VPN servers in a network
        iptables -A FORWARD -p tcp -d $VPN_HOST1 --dport $VPN_PORT -j REJECT --reject-with icmp-net-prohibited
        iptables -A FORWARD -p udp -d $VPN_HOST1 --dport $VPN_PORT -j REJECT --reject-with icmp-net-prohibited
        iptables -A FORWARD -p tcp -d $VPN_HOST2 --dport $VPN_PORT -j REJECT --reject-with icmp-net-prohibited
        iptables -A FORWARD -p udp -d $VPN_HOST2 --dport $VPN_PORT -j REJECT --reject-with icmp-net-prohibited

        # Disallows routing from or to a wan segment
        [ -n "$WAN_IF" ] && iptables -A FORWARD -m state --state NEW $WAN_IN -j DROP
        [ -n "$WAN_IF" ] && iptables -A FORWARD -m state --state NEW $WAN_OUT -j DROP

        # Allows routing inside other segments
        iptables -A FORWARD -m state --state NEW -j ACCEPT

        ### OUTPUT ###

        iptables -P OUTPUT ACCEPT

        # Allows VPN connections from the router only through wan or fallback
        [ -n "$WAN_IF" ] && iptables -A OUTPUT -o $WAN_DEV -p tcp -d $VPN_HOST1 --dport $VPN_PORT -j ACCEPT
        [ -n "$WAN_IF" ] && iptables -A OUTPUT -o $WAN_DEV -p tcp -d $VPN_HOST2 --dport $VPN_PORT -j ACCEPT
        [ -n "$WAN_IF" ] && iptables -A OUTPUT -o $WAN_DEV -p udp -d $VPN_HOST1 --dport $VPN_PORT -j ACCEPT
        [ -n "$WAN_IF" ] && iptables -A OUTPUT -o $WAN_DEV -p udp -d $VPN_HOST2 --dport $VPN_PORT -j ACCEPT
        iptables -A OUTPUT -o $FALLBACK_DEV -p tcp -d $VPN_HOST1 --dport $VPN_PORT -j ACCEPT
        iptables -A OUTPUT -o $FALLBACK_DEV -p tcp -d $VPN_HOST2 --dport $VPN_PORT -j ACCEPT
        iptables -A OUTPUT -o $FALLBACK_DEV -p udp -d $VPN_HOST1 --dport $VPN_PORT -j ACCEPT
        iptables -A OUTPUT -o $FALLBACK_DEV -p udp -d $VPN_HOST2 --dport $VPN_PORT -j ACCEPT
        iptables -A OUTPUT -p tcp -d $VPN_HOST1 --dport $VPN_PORT -j REJECT --reject-with icmp-net-prohibited
        iptables -A OUTPUT -p tcp -d $VPN_HOST2 --dport $VPN_PORT -j REJECT --reject-with icmp-net-prohibited
        iptables -A OUTPUT -p udp -d $VPN_HOST1 --dport $VPN_PORT -j REJECT --reject-with icmp-net-prohibited
        iptables -A OUTPUT -p udp -d $VPN_HOST2 --dport $VPN_PORT -j REJECT --reject-with icmp-net-prohibited

        ### ROUTING ###

        iptables -t mangle -A PREROUTING -d $VPN_HOST1 -j MARK --or-mark 0x100000
        iptables -t mangle -A PREROUTING -d $VPN_HOST2 -j MARK --or-mark 0x100000

        echo 1 > /proc/sys/net/ipv4/ip_forward
    }

    stop() {
        echo 0 > /proc/sys/net/ipv4/ip_forward

        iptables -t filter -P INPUT ACCEPT
        iptables -t filter -P OUTPUT ACCEPT
        iptables -t filter -P FORWARD DROP
        iptables -t filter -F
        iptables -t filter -X

        iptables -t nat -P PREROUTING ACCEPT
        iptables -t nat -P POSTROUTING ACCEPT
        iptables -t nat -P OUTPUT ACCEPT
        iptables -t nat -F
        iptables -t nat -X

        iptables -t mangle -P PREROUTING ACCEPT
        iptables -t mangle -P OUTPUT ACCEPT
        iptables -t mangle -P INPUT ACCEPT
        iptables -t mangle -P FORWARD ACCEPT
        iptables -t mangle -P POSTROUTING ACCEPT
        iptables -t mangle -F
        iptables -t mangle -X
    }

Then:

    /etc/init.d/firewall enable
    /etc/init.d/openvpn enable
    /etc/init.d/olsrd enable
    reboot

The basic functionality is now set up.

    mkdir /www/cgi-bin/

In /www/cgi-bin/urandom I wrote:

    #!/bin/sh
    echo "Content-type: application/octet-stream"
    echo
    cat /dev/urandom

Then:

    chmod +x /www/cgi-bin/urandom

In /www/cgi-bin/zero I wrote:

    #!/bin/sh
    echo "Content-type: application/octet-stream"
    echo
    cat /dev/zero

Then:

    chmod +x /www/cgi-bin/zero

The HTTP server thus offers two endless "files" that can be used to measure link quality by measuring the transfer speed of /cgi-bin/urandom (although that then depends considerably on CPU speed, so it is not suitable for high speeds) and /cgi-bin/zero.
In /etc/init.d/httpd I changed:

    config_get ifname wan hostname
    [ -d /www ] && httpd -p 80 -h /www -r ${hostname:-OpenWrt}

to:

    hostname=`cat /proc/sys/kernel/hostname`
    [ -d /www ] && httpd -p 80 -h /www -r ${hostname:-OpenWrt} -R / -H 10.14.0.2

Then:

    /etc/init.d/httpd restart

I installed a program for measuring link speed, for example by downloading those endless cgi-bin streams (and of course other things, because unlike wget it prints the transfer speed):

    ipkg install curl

Example:

    curl -o /dev/null http://localhost/cgi-bin/zero

Then:

    ipkg install nodogsplash

I set /etc/nodogsplash/nodogsplash.conf to:

    GatewayInterface ath0
    GatewayIPRange 10.16.201.160/27
    GatewayName kiberpipa.net
    ClientIdleTimeout 30
    ClientForceTimeout 360
    MaxClients 25

    FirewallRuleSet preauthenticated-users {
        FirewallRule allow tcp port 53 to 10.14.0.1
        FirewallRule allow udp port 53 to 10.14.0.1
        FirewallRule allow tcp port 53 to 10.14.0.2
        FirewallRule allow udp port 53 to 10.14.0.2
        FirewallRule allow icmp to 10.14.0.1
        FirewallRule allow icmp to 10.14.0.2
    }

    FirewallRuleSet authenticated-users {
        FirewallRule allow
    }

    FirewallRuleSet users-to-router {
        FirewallRule allow tcp port 22
        FirewallRule allow tcp port 53
        FirewallRule allow udp port 53
        FirewallRule allow udp port 67
        FirewallRule allow tcp port 80
        FirewallRule allow icmp
    }

Then:

    /etc/init.d/nodogsplash enable
    /etc/init.d/nodogsplash start

If a lan port is wanted, the wan part in /etc/config/network is commented out and the following is added:

    config interface lan
        option ifname "eth0"
        option proto static
        option ipaddr 10.16.201.193
        option netmask 255.255.255.224

In /etc/config/dhcp the following is added as well:

    config dhcp
        option interface lan
        option start 194
        option limit 29
        option leasetime 3h

In /etc/olsrd.conf the following is added to the Hna4 section:

    10.16.201.192 255.255.255.224

And the VPN is disabled if there is no wan:

    /etc/init.d/openvpn disable
    reboot

If a lan port for meshing is wanted, the wan part in /etc/config/network is commented out (of course it cannot be lan at the same time; if it is, things get complicated and lanmesh has to be configured as an additional alias) and the following is added:

    config interface lanmesh
        option ifname "eth0"
        option proto static
        option ipaddr 10.14.0.17
        option netmask 255.255.0.0

In /etc/config/dhcp the following is added as well:

    config dhcp
        option interface lanmesh
        option start 0
        option limit 0
        option leasetime infinite

In /etc/olsrd.conf the interface is changed from:

    Interface "ath0:0"

to:

    Interface "ath0:0" "eth0"

And the VPN is disabled if there is no wan:

    /etc/init.d/openvpn disable
    reboot