As an ISP we are thinking about using OpenWRT for routers we will supply to end customers. However, we would need a way to remotely manage, monitor, and upgrade thousands of OpenWRT routers. I was wondering what open source and commercial options are out there and available for management systems?
Most routers we use today use TR-069 for this, but that protocol is getting outdated and slow. Ideally we are looking for something modern with APIs and telemetry support to analyze traffic and uptime in real-time. Something with a built-in internet speed test would be awesome.
Does OpenWRT support SNMP?
Does OpenWRT support TR-069?
Does OpenWRT have any telemetry support?
Is there an API?
Hi Colton, afaik OpenWrt is not targeted at the sort of use you're intending, it's primarily for home use and local configuration by the owner/operator. The software's all out there to do what you're interested in. If you take some time to read through the documentation for the project you'll find what's already available from your list and what will require work from yourself.
I've set up TR-069 infrastructure for routers in the past and it's not hard for OSes that are designed with it in mind, and OpenWrt has a TR-069 project. Google is your friend, go and do some research.
Whatever you come up with I'm sure the developers will welcome you feeding back into the larger project!
Are you sure that is the case? Many of the commercial routers from Calix, SmartRG, and others use OpenWRT as the base operating system. OpenWRT is Linux, and I know there are tons of open source tools to manage Linux boxes. Ansible, SALT, Puppet, etc...
I did see there is a TR-069 project for OpenWRT, but I think TR-069 is antiquated. Trying to see what other options are out there.
@colton.conor here in the UK, Secure TR069 is the industry box-standard for ISPs. BT/Plusnet, Virgin and TalkTalk all use their big IT budgets to maintain this protocol as their CPE platform for their millions of subscribers. So what kind of budget is your company working to?
I might add that OpenWRT is somewhat contradictory to ISPs - ISPs expect to be able to monitor and upgrade their stock routers, but OpenWRT does away with all of that stuff [like WAN-facing management ports]. Note the word freedom in wireless freedom.
So would these routers contain a commercialized build of OpenWRT, with possible GPL issues?
@Geekuino By Secure TR069, do you mean regular TR069? I know it is the de facto management standard used by the big boys, but it's slow and not real-time.
We are small and working on a shoestring budget.
I guess I was under the impression that OpenWRT is Linux, and Linux has thousands of commercial and open source projects to remotely monitor, update, and maintain Linux boxes remotely.
@colton.conor Indeed, TR069 is designed to be used over TLS, so it's secure by default. Well, that's what it says on the tin. Like all software, TR069 is only as secure as the next zero day exploit. ACS servers are a golden goose target for hackers. An interesting background read: Best Practices for Securing TR-069
As for rollout times, you'll obviously want to push updates ASAP, but with TR069, clients can be trailing weeks behind the latest build. But as things stand, TR069 is the best supported and understood technology.
On the subject of updates and security, you must consider if your client boxes are going to be flashed with a secure bootloader. This is a bootloader which prohibits unauthorized changes - such as reflashing with malware - by authenticating the firmware before the OS starts. Customer routers that allow over-the-wire updates must have secure bootloaders to maintain their integrity. The provisioning of private/public keys adds extra costs to your rollout, but avoids future litigation.
Yes, there are lots of Linux management systems, most of them not specifically tailored for embedded type hardware, for example desktops would primarily just install new packages, but routers should probably download and install whole images.
If I were going to do something like this, I'd want to do telemetry via mqtt or similar and updates probably by https with a self-managed certificate trust system (i.e. a client cert signed by my signing cert pre-installed on the device, the device connects to my system, provides its client cert, checks my website's cert, and only then gets a valid firmware image to download and install via sysupgrade).
You could do a similar thing for configs by having it request a uci config via mutually authenticated https, and you could trigger the request via mqtt messages.
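A device-side sketch of the mutually authenticated HTTPS update flow described in the post above, as an added example that is not part of the original thread. The file paths, the `fw.example.net` URL, the manifest format (one `sha256sum`-style line) and the extra hash check before flashing are assumptions for illustration.

```shell
#!/bin/sh
# Added example: firmware pull over mutually authenticated TLS, then sysupgrade.
# All paths and the server URL below are placeholders (assumptions).
CA=/etc/fwupdate/isp-ca.pem      # operator's own signing CA, pre-installed on the device
CERT=/etc/fwupdate/device.crt    # per-device client certificate signed by that CA
KEY=/etc/fwupdate/device.key     # matching private key
BASE=https://fw.example.net/v1   # hypothetical update server
IMG=/tmp/firmware.bin
MANIFEST=/tmp/firmware.manifest

# GET over mutual TLS. --cacert replaces the system trust store, so only a
# server certificate chaining to the operator CA is accepted; --cert/--key
# present the device identity so the server can refuse unknown clients.
mtls_get() {  # $1 = URL, $2 = output file
    curl --fail --silent --show-error --proto '=https' --tlsv1.2 \
         --cacert "$CA" --cert "$CERT" --key "$KEY" -o "$2" "$1"
}

# Assumed manifest format: a single line "<sha256-hex>  <image-name>".
manifest_hash() { awk 'NR==1 {print $1}' "$1"; }
manifest_name() { awk 'NR==1 {print $2}' "$1"; }

# Succeed only if the file's SHA-256 equals the expected digest.
# An empty expected value or an unreadable file is a failure, never a pass.
image_matches() {  # $1 = file, $2 = expected hex digest
    [ -n "$2" ] || return 1
    actual=$(sha256sum "$1" 2>/dev/null | awk '{print $1}')
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

update() {
    mtls_get "$BASE/manifest" "$MANIFEST" || return 1
    mtls_get "$BASE/$(manifest_name "$MANIFEST")" "$IMG" || return 1
    if ! image_matches "$IMG" "$(manifest_hash "$MANIFEST")"; then
        rm -f "$IMG"             # never leave an unverified image lying around
        return 1
    fi
    sysupgrade -T "$IMG" || return 1   # test mode: validate image, do not flash
    sysupgrade "$IMG"                  # flash and reboot
}

# Only act when invoked as "<script> run", so the functions can be sourced.
if [ "${1:-}" = "run" ]; then
    update
fi
```

The same `mtls_get` call could fetch a UCI config as the post suggests; the MQTT trigger is not shown here.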
Hi, I'm one of the developers of OpenWISP so my opinion is highly biased of course.
It is not true that OpenWRT is not suitable for ISPs, in fact many ISPs use OpenWISP to manage thousands of routers (all APs shown on this public map are running OpenWRT and are being managed with OpenWISP). It may not have all the features colton.conor is looking for at the present moment but it has the basics and can be easily extended, programmed and integrated with other networking solutions.
Moreover, the community is active and the project is moving ahead steadily, by 2019 we should manage to land an integrated monitoring solution, firmware upgrades and a full RESTful API to handle all aspects of the software (now the API is available only for some modules).
There are other organizations and companies in the same situation of colton.conor which are joining forces to build a programmable network solution to manage an OpenWRT based network which does not restrict their liberty in managing their own network as many other commercial solutions do.
Hi Colton,
If you are searching for a platform that is capable of managing any number of multi-brand access points or routers, on a single dashboard from the cloud, I would suggest you take a look at Tanaza.
The compatibility list seems pretty dense and they are vendor agnostic, so open to support more models (compatibility list here).
It also comes with a 15-day free trial so you can give it a try and check if it's the solution you are searching for.
Does Tanaza communicate with an API to OpenWRT, or how does it configure and control OpenWRT? What about monitoring is it doing something special, or just using SNMP?
Tanaza is software that lets you manage access points from a dashboard on its cloud, providing you the firmware to install, so that they can automatically connect to the Tanaza infrastructure with an encrypted connection.
From that moment, you can manage and configure everything from there, since any different brand or model will have the same user interface, which is also a great plus IMO, especially when you have to deal with many different ones.