[HOWTO] Installing OpenWrt on Cyberoam CR15(w)iNG and CR25(w)iNG

Recently, I did several OpenWrt installs on Cyberoam CR15wiNG and CR25wiNG devices, so I thought I'd publish my notes here. Both of these models include wireless networking. Both have matching wired-only sister models, CR15iNG and CR25iNG respectively, so I expect the installation process for those should be nearly identical, but shorter (no need to configure wireless networking).

This HOWTO is intended for the relatively new users who have some experience with general computing and system administration but are not (yet) comfortable with flashing firmware and need some friendly handholding to get through the process.

I am deeply grateful to @frollic, whose informative post was the starting point for this little project.

Introduction

Cyberoam is an Indian network security company that was acquired by Sophos in 2014. The CR15wiNG and CR25wiNG models are implemented in a desktop form factor with three wireless antennas:

The image above shows the back panel of a CR25wiNG unit; note four Ethernet ports, the leftmost of which is almost entirely obscured by the middle antenna. The CR15wiNG is visually similar but has only three Ethernet ports.

Under the hood, my CR15wiNG was running an AMD G-T24L processor with 2 GB of RAM and a 4 GB Compact Flash (CF) card as the sole storage device. The CR25wiNG had an AMD G-T30L processor, also with 2 GB of RAM. The storage situation was a little different: a 2 GB CF card complemented by a 320 GB HGST hard drive. Both models came equipped with Intel 82583V Gigabit Ethernet controllers and Qualcomm Atheros AR93xx wireless network cards.

Note
Both processors are 64-bit, so we will need a 64-bit OpenWrt image for installation on either model.

Power-wise, both models came with 12V / 5A power supply units featuring 5.5-mm barrel plugs.

In terms of management interface, we are not exactly spoiled with choices. There are no video outputs, but there is a single RJ-45 console socket, so that's what we're going to use. Note that the connection speed needed to access BIOS is 9600 bits per second (bps), while OpenWrt by default operates at 115200 bps, so choose your connection speed depending on what you want to accomplish with the connection. BIOS access keys are F2 and Delete; in my experience, F2 generally worked better.

Installation Options and Plan of Work

For sheer repeatability (as well as for sheer laziness β€” no desire to open up the cases), I decided to install OpenWrt on CF cards on both models. Another possibility was to remove the CF card from the CR25wiNG and install OpenWrt on the hard drive. Yet another possibility was to still remove the CF card from the CR25wiNG, but replace the hard drive with a SATA SSD and install OpenWrt on that SSD. In terms of installation actions this really doesn't matter. You need some kind of boot drive; exactly what kind is a secondary consideration.

Next, I had to decide if I wanted to take the CF cards out of their respective devices and write OpenWrt onto them directly or boot the devices from a USB stick and copy OpenWrt onto the CF cards from there. I chose the latter (again, I just didn't feel like taking the devices apart and cleaning up the sticky residue of the warranty seals).

So here's the plan of work I came up with:

  • Write an OpenWrt image onto a USB stick
  • Boot the device from that USB stick
  • Install OpenWtr onto the device's CF card
  • Set up wireless networking (on x86, it may or may not work out of the box), and finally,
  • Make the entire CF card accessible to OpenWrt (more on that later)

Preparations

To follow along, you will need (in addition to an operational CR something or other):

  • A computer with console connection software (I used a Linux machine with the screen utility, but Putty, whether on Linux or Windows, will work just as well)
  • A console cable (I used the kind that connects the RJ-45 port on the router to a USB port on the administrator's computer)
  • An Internet connection
  • A pair of Ethernet cables. one to connect the CR to an upstream device, another to connect a client device to the CR when the time comes

Obtainig OpenWrt

Go to the OpenWrt downloads site:

https://downloads.openwrt.org/

Near the top of the page, there's a section titled Stable Release. Click on the version number (as of this writing, 22.03.2). This will take you to a list of "targets" (various systems for which OpenWrt is available). Scroll to the end of the page and click on x86. On the page that opens, click on 64; this will take you to the downloads for 64-bit PCs and derivatives.

Generally speaking, there are four installation images to choose from (there are others, but they are made for some very specific situations, and we're not in one of them). You can choose a BIOS or UEFI image with either ext4 or SquashFS file system on the root partition. Given the age of the devices, I thought BIOS would be a safer choice. As for the file system, I am slightly biased in favor of SquashFS for no particular reason. So I chose the generic-squashfs-combined.img.gz image, downloaded it, and created a bootable USB stick from it using Rufus on a Windows machine. Needless to say, there is plenty of other software that does exactly that, so you have options.

First Boot

On a CR15 device, there are three Ethernet ports labeled LAN/A, WAN/B, and DMZ/C. CR25 has them as well; its fourth port is labeled simply D.

Generally, on the first run, OpenWrt designates the first port it can find as the WAN port. In our case, this would mean that OpenWrt would designate as WAN the port that is labeled LAN, which is confusing. However, in this install, OpenWrt was able to fiigure out which port is WAN with no prodding from me. I don't know whether this was a happy accident or had something to do with the fact that I had the router cabled up for Internet access during installation.

So here's my setup before the first boot:

  • The CR is off
  • The WAN/B port of the CR is connected to an upstream device providing Internet connectivity and DHCP service
  • The console port is connected to a USB port on the administrator's computer
  • The bootable USB stick is inserted into the USB port on the CR

First, we should initiate the console connection. In my case, this was done by starting the screen utility:

sudo screen /dev/ttyUSB0 115200

Note the sudo part; screen requires root-level access to hardware, so it always wants to run as root. Note also that 115200 is the connection speed; if you need a different speed (say, 9600), use that number instead.

When connection starts, the terminal screen goes blank. At this point, turn on the CR, and you should see some output. If you see large amounts of garbage output or legible output that's clearly not OpenWrt, this means that your device is booting from a device other than the USB stick. If that happens, turn off the device, end your screen session (press Ctrl-a, then k, then y), start a new screen session at 9600 bps, turn the device back on and immediately start pressing F2. This will get you into BIOS, where you can change the order of boot devices, so that the first boot device is USB. In my case, however, this wasn't necessary; OpenWrt booted from the USB stick with no additional prodding.

If all goes well, you will eventually see this message among others:

Please press Enter to activate this console.

When you see if, do as requested. You will be shown the OpenWrt logo and taken to the command line:

BusyBox v1.35.0 (2022-10-31 22:44:41 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 22.03.2, r19803-9a599fee93
 -----------------------------------------------------
root@OpenWrt:/# 

OpenWrt may continue the start-up process (and spew messages) even after you get to the command line, so give it a moment to finish what it's doing. At this point, the CR should be able to connect to the upstream device and thus the Internet. Test it out:

ping -c 3 google.com

You should see the familiar output of ping.

Now we should install OpenWrt onto the CF card. Here's the problem though: we don't know its system name. So let's find out. For that, we will need a utility called lsblk, which we don't have right now. But, since we're connected to the Internet, we can get it easily. Run this command from the command line:

opkg update && opkg install lsblk

Technically, this is two commands rolled into one: opkg update asks opkg, the OpenWrt package manager, to go online and retrieve a list of packages available for installation, while opkg install lsblk actually installs the package lsblk. If we tried the second without the first, opkg wouldn't be able to install anything; it wouldn't know where to get the package identified only by its name.

Now let's inspect our system:

lsblk

On a CR15, the CF card will be reported as sda and the USB stick as sdb. On a CR25 with the hard drive present, the CF card will be reported as sda, the hard drive, as sdb, and the USB stick. as sdc. You should be able to tell which is which by simply looking at the drive sizes.

Now we need to install OpenWrt onto the CF card. First, let's go to an out-of-the-way place where we can store some temporary files:

cd /tmp

Next, let's download OpenWrt (it can be the same image file you downloaded for writing onto the USB stick earlier or a different one; say, you changed your mind and decided to try an ext4 image rather that a squashfs image). Right, now, with 22.03.2 being the current release and assuming we still like squashfs, we would do:

wget https://downloads.openwrt.org/releases/22.03.2/targets/x86/64/openwrt-22.03.2-x86-64-generic-squashfs-combined.img.gz

Now let's unzip the downloaded file:

gunzip openwrt-*.img.gz

For quality control, run ls and make sure a file named openwrt-22.03.2-x86-64-generic-squashfs-combined.img (note the .img, rather than .img.gz, ending) is present in your /tmp directory.

Now we can write OpenWrt onto the CF card:

dd if=openwrt-22.03.2-x86-64-generic-squashfs-combined.img bs=1M of=/dev/sda

Essentially, this means "take this image file and write its contents in one-megabyte chunks onto the /dev/sda drive".

Now our CF card should be ready to serve as a boot drive. Stop the device:

halt

Wait until you see the message:

reboot: Power down

When you see this message, use the switch on the back of the CR to turn it off. Then, remove the USB stick from the CR.

Second Boot

Use the switch on the back of the CR to turn it on again. Once again, watch for the Please press Enter to activate this console message and do as requested.

Now that you're back on the command line, you may want to send another ping to the outside world to ensure you have connectivity. Speaking of connectivity, your connectivity right now is impaired. Your wired connections work, but your wireless card is not even being detected by OpenWrt. To remedy this, we will need a few extra packages. Which ones? Depends on what our Wi-Fi card is. To find out what we have, we can use a utility called lspci. But we don't have it, so let's install it; it is a part of the pciutils package. And once again, since we haven't run opkg since reboot, we will need to let opkg download the inventory before downloading anything:

opkg update && opkg install pciutils

Now we can see what components we have on our unit:

lspci -nn

Here's the relevant line in the lspci output:

07:00.0 Network controller [0280]: Qualcomm Atheros AR93xx Wireless Network Adapter [168c:0030] (rev 01)

The fastest way to figure out what we need is to pay a quick visit to Hardware for Linux:

https://linux-hardware.org/index.php?id=pci:168c-0030

Note the ending of the URL; it is the same as the PCI identifier of our wireless card (168c:0030), except the colon has been replaced with a dash.

Hardware for Linux tells us that this card has a Linux driver, and that driver is found at the following location in the Linux source code:

drivers/net/wireless/ath/ath9k/pci.c

The part that's important for us here is ath9k. In OpenWrt, drivers for PCI devices are supplied as kernel modules. A kernel module looks like a package whose name starts with kmod-. So we can simply Google kmod-ath9k, and sure enough, this package exists and provides support for the Atheros wireless cards.

Prior experience tells me that an Atheros card will also require the hostapd package.

Now let's get our wireless networking going:

opkg install hostapd kmod-ath9k

After the packages are installed, you will see some additional activity on the console. There will be messages indicating that a wireless port (wlan0) is available, has been bridged to the LAN, etc. Simply put, good news all around. :slight_smile:

Once this is done, let's set the root password for out device. Type passwd, press Enter, and follow the prompts. (In case you're wondering, you could have done this before or after; you can do it any time after you boot from the CF card.)

Now we need to configure the wireless networking. Connect to any of the LAN ports on the CR with an Ethernet cable, open your Web browser, and point it to https://192.168.1.1 (this is the default OpenWrt location). Enter your new password when prompted, then go to Network >> Wireless. On the Wireless screen, click the Edit button. A complicated-looking Device Configuration dialog will open. At the very least, you should do the following:

  • Under Advanced Settings on top of the dialog, use the Country Code selector to choose the country you're in. This will tell the router which radio frequencies it is permitted to use (those are regulated to prevent interference with broadcasting, emergency services, and other uses of radio).
  • Down the dialog, under General Setup make sure that (1) Mode is set to Access Point, (2) you set ESSID (wireless network name) to something you like, and (3) the Network is set to lan (this will make sure that all your client devices, wired and wireless, will be on the same local network).
  • Also down the dialog, under Wireless Security, set Encryption to something secure (I chose WPA2-PSK) and enter the key (network password) under Key. Obviously, if you have a good knowledge of wireless security, you can choose other encryption and authentication options; I am just providing a minimal set of directions here...

When all of this is done, click Save at the bottom of the dialog. The dialog will close, and you will be back to the Wireless Overview. Click Save & Apply on the bottom of the screen and wait for the changes to be made (there will be a pop-up dialog informing you of what's going on). Next, take a look at the button to the left of Edit. Most likely, it says Enable. If so, click it to enable wireless networking. If it says Disable, leave it be; you probably clicked on it before, so wireless is enabled now.

At this point, your device should be fully operational. Just in case, reboot the device to verify that everything that should start at boot actually starts.

Expanding the Root Partition

Your device is working, and you absolutely can use it as is. However, right now, only about 120 megabytes of your disk space is usable. This is plenty for OpenWrt, but if you want, you can still make your entire CF card accessible. This is done by expanding the root partition. You may want to check out the official OpenWrt on x86 Hardware page to see if it has a more recent guidance compared to this post:

https://openwrt.org/docs/guide-user/installation/openwrt_x86

In short, the process of expanding the root partition depends on whether you have a BIOS system or UEFI system. as well as on whether your root partition is ext4 or SquashFS. We have a BIOS system with a SquashFS root partition, so here's what we need to do.

A. Get the Supplies

We will need a small collection of utilities. Some of them we may have already, but opkg is smart enough to figure that out. so let's ask for everything we need:

opkg update && opkg install fdisk losetup resize2fs

B. Expand the Root Partition

We will resize the root partition using the fdisk utility. The listing below shows the whole fdisk session I ran interactively (I am copying it from an earlier post of mine, where the target drive was a 64 GB SSD; the process is identical to what you will see in the case of a CF card, a hard drive, or any other data storage device). The manual inputs are shown [[in double square brackets]]; the [[]] sequence indicates pressing Enter with no visible input. It's a bit confusing, but I can't come up with a better formatting scheme right now. So here goes:

root@OpenWrt:~# [[fdisk /dev/sda]] 

Welcome to fdisk (util-linux 2.37.3).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

This disk is currently in use - repartitioning is probably a bad idea.
It's recommended to umount all file systems, and swapoff all swap
partitions on this disk.


Command (m for help): [[p]]

Disk /dev/sda: 59.63 GiB, 64023257088 bytes, 125045424 sectors
Disk model: ADATA_IM2S3134N-
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xc120d9f5

Device     Boot Start       End   Sectors  Size Id Type
/dev/sda1  *      512     33279     32768   16M 83 Linux
/dev/sda2       33792    246783    212992  104M 83 Linux

Command (m for help): [[d]]
Partition number (1,2, default 2): [[2]]

Partition 2 has been deleted.

Command (m for help): [[n]]
Partition type
   p   primary (1 primary, 0 extended, 3 free)
   e   extended (container for logical partitions)
Select (default p): [[p]]
Partition number (2-4, default 2): [[2]]
First sector (33280-31277231, default 34816): [[33792]]
Last sector, +/-sectors or +/-size{K,M,G,T,P} 
    (33792-125045423, default 125045423): [[]]

Created a new partition 2 of type 'Linux' and of size 59.6 GiB.
Partition #2 contains a squashfs signature.

Do you want to remove the signature? [Y]es/[N]o: [[n]]

Command (m for help): [[w]]

The partition table has been altered.
Syncing disks.

root@OpenWrt:~# 

Notes:

  1. This has worked despite the "bad idea" warning.
  2. Technically, we didn't "extend" the partition; rather, we deleted one, then created a new one starting at the same location and gobbling up all available disk space. However, since there was no write command in-between, the net result was a new, larger partition that "inherited" all data located on the old small partition.
  3. The number 33792 specified in response to the First sector prompt came from the disk information table output in response to the p command.

To verify that the changes have taken place, you can run fdisk /dev/sda again and execute another p command to display partitions followed by a q command to quit. Alternatively, you can do fdisk -l; this will not enter the interactive mode, you'll just get the output, and then fdisk will exit.

C. Resize the File System

In my experience, you should start this stage by rebooting the system (run reboot from the command line). If you do the steps below without rebooting, OpenWrt may refuse to resize the file system (it looks like some of the changes we made in the previous step need a reboot to set in). So here are the steps:

BOOT="$(sed -n -e "\|\s/boot\s.*$|{s///p;q}" /etc/mtab)"
DISK="${BOOT%%[0-9]*}"
PART="$((${BOOT##*[^0-9]}+1))"
ROOT="${DISK}${PART}"
LOOP="$(losetup -n -l | sed -n -e "\|\s.*\s${ROOT#/dev}\s.*$|{s///p;q}")"
resize2fs -f ${LOOP}
reboot

After the device reboots, you should be able to use the entire disk.

A Future Project?

As noted above, the CR25 comes with a 320 GB hard drive. In home installations, it would be tempting to use this hard drive as a file storage location. OpenWrt allows deployment of Samba, as well as some lightweight alternatives. So it's entirely possible to configure a hybrid device pulling double duty as a network appliance and a file server. Probably not the best idea for a business, but for a home, why not?

11 Likes

great work - how about adding it to the wiki ?
https://forum.openwrt.org/t/applying-for-openwrt-wiki-account/101671/240

Tbh, it's not any different than the other x86 devices.

Great write up, never the less, and thnx for posting the hw details for the 15 and W models, @NC1.

Linux desktop OS typically enumerates ttyUSB ports with owner root and group dialout. Check with ls -l /dev/ttyUSB* If you add your non-root user account to the dialout group (which for some reason Ubuntu doesn't do by default), you can then access a ttyUSB without using sudo.

On Linux, as easy way to write the OpenWrt image to a USB stick is:

sudo -s
gzip -cd filename.gz | dd of=/dev/sdX bs=4M

This does require sudo since writing directly to the wrong block device will do a lot of damage. Be absolutely sure of the drive letter X being the USB stick and not one of your internal drives.

After the write is complete (use sync to wait until all data is on the drive not in the RAM cache) unplug/replug the drive so the new filesystem mounts, and copy the distribution image gzip to the boot partition. You can use that to install on the target machine's internal drive without downloading again.

The Cyberoam CR35wiNG adds 2 more Intel 82583V Gigabit ports and uses the AMD G-T48L so the instructions should be easily modified to accommodate it as well. Memory in these should be upgrade able to 4 GB by replacing the SODIMM. My CR35wiNG came with a 2GB CF card and a 250GB HGST hard drive.

Indeed. I just installed OpenWrt on a Sophos XG85w. I could write an identical guide about it, except the processor would be Intel Atom E3805 and the boot drive is an eMMC device, so instead of /dev/sda, you would use /dev/mmcblk0. But I followed my own guidance more or less on an autopilot, and things worked out very well...

The trick with OpenWrt on x86 is to identify the kernel modules to match the ever-so-diverse hardware. The trickiest cases arise when OpenWrt can't detect any networking hardware on the first boot, so the appropriate packages need to be introduced somehow other than through networking... The very first installation guide I published here involved Watchguard Firebox X750e Core. That old beast had two different Marvell NICs, and neither had a kernel module present at the first boot. To make matters worse, the thing didn't have a USB port and booted off a CF card. So I ended up copying kmod-skge (kernel module for the primary NIC) onto the CF card, booting from it and installing kmod-skge locally to get at least some networking capability. After that, smooth sailing... :slight_smile:

1 Like

I suspect they would be identical. Especially if the reader follows the approach presented here and does the suggested diagnostic steps before actually changing things on the system...

Hi can any one say just how fast these boxes are pleas. I have just had a bump to my internet speed and my trusty r7800 cant keep up. Would the cr15 be a step up or would I have to jump up to the cr35? All so do these boxes have fans on them? I don't want a winy fan in my living room.

The cr25 routes 1gbit at 13% CPU load (50% on one of 4 cores).

The cr25 and 35 got fans, no idea about the 15.

I read that the cr25 is a single core cpu. https://www.cpu-world.com/CPUs/Bobcat/AMD-G%20Series%20G-T30L%20-%20GET30LGBB12GTE.html

They're wrong, or you're looking at the wrong CPU.

Very good, I found a working CR25Wing for 50 euros...

Delivery around November 15,

I will be able to play with it!!!

Let me start at the end: yes, they do have fans. So these are not the droids you want. :slight_smile: Also from the not the droids you want department: these are OLD boxes. So old that they are past end of life set by the manufacturer. Also also, they are commercial-grade boxes, so they are designed to provide more processing power than you would find on home equipment (this is necessary for encryption, threat management, and other "commercial-type" functions).

Back to cooling, the CR15 has one fan on the side of its case (so it moves air side-to-side) and a decent size heat sink on top of the CPU. The CR25, in addition, has a second fan sitting on top of the CPU.

In terms of performance, I have to repeat: these are OLD boxes. They have Gigabit Ethernet and Wireless N Wi-Fi. They are designed to perform well in situations where processing power, rather than data transmission rate, is likely to be the bottleneck. So once again, this is probably not your use case...

Have fun!!! :slight_smile:

Just a quick question:

Is the console in TTL or RS232 ? Pinout ?

I looked at the picture and saw the Wifi slot, I think I would put a b/g/n/ac 2.4 / 5 Ghz wifi card there.

I must have a small SSD of 60 Gb surely usable

Rs232.

You'll need a RJ45 to 9 pin RS232, I've seen RJ45 to USB too, haven't used one though.

1 Like

I honestly have no idea. The physical connector is RJ-45, and that's all I know,

All units I have looked at have Atheros 93xx wireless cards that go up to N and use the ath9k driver. So I would guess that upgrading to an AC card is possible. I've seen AC cards on newer Sophos models that are similar to these.

The hard drive is mounted on a tray that sits above the motherboard. There are three mounting points, two are on the edge of the case, the third one is a standoff. The standoff, incidentally, is located in a way that prevents the removal of the CF card from its slot. So you will have to take out the hard drive tray (which you have to do anyway to install the SSD, since drive mounting screws are on the bottom of the tray), then unscrew the standoff, and only then remove the CF card. Like I said, fun. :slight_smile:

These are commonly called "Cisco console cables" since Cisco was one of the first to make this standard for RS-232 over RJ-45. They are are usually light blue flat cable. The voltage levels are RS-232 not TTL.

Ok for RS232 ....

I have some USB/ / RS232 adapters or PCi card with 4 * RS232 or fine this:

RS232 <- > Bluetooth FireFly

I snagged one of these on ebay, but it's easy to create one, of you got the 9 pin RS232 connector lying around.