Management Platforms for Thousands of OpenWrt Routers?

As an ISP we are thinking about using OpenWRT for routers we will supply to end customers. However, we would need a way to remotely manage, monitor, and upgrade thousands of OpenWRT routers. I was wondering what open-source and commercial options are out there and available for management systems?

Most routers we use today use TR-069 for this, but that protocol is getting outdated and slow. Ideally we are looking for something modern with APIs and telemetry support to analyze traffic and uptime in real time. Something with a built-in internet speed test would be awesome.

Does OpenWRT support SNMP?
Does OpenWRT support TR-069?
Does OpenWRT have any telemetry support?
Is there an API?

1 Like

Hi Colton, afaik OpenWrt is not targeted at the sort of use you're intending, it's primarily for home use and local configuration by the owner/operator. The software's all out there to do what you're interested in. If you take some time to read through the documentation for the project you'll find what's already available from your list and what will require work from yourself.

I've set up TR-069 infrastructure for routers in the past and it's not hard for OSes that are designed with it in mind, and OpenWrt has a TR-069 project. Google is your friend, go and do some research 👍

Whatever you come up with I'm sure the developers will welcome you feeding back into the larger project!

WiteWulf,

Are you sure that is the case? Many of the commercial routers from Calix, SmartRG, and others use OpenWRT as the base operating system. OpenWRT is linux, and I know there are tons of open-source tools to manage linux boxes. Ansible, SALT, Puppet, etc...

I did see there is a TR-069 project for OpenWRT, but I think TR-069 is antiquated. Trying to see what other options are out there.

Yes. https://openwrt.org/packages/pkgdata/snmpd

What do you mean by this...? Netflow?
https://openwrt.org/packages/pkgdata/softflowd

That seems like a security risk...the answer is no, an API does not already exist...although, the UCI can be accessed.

https://wiki.openwrt.org/doc/uci

You may wish to try:

Cucumber Tony: http://www.ct-networks.io/

Or

OpenWISP project: http://openwisp.org/

Hi, my two cents about this:

A friend of mine was googling about OpenWrt at home. All of a sudden his router login webpage appears in front of him! He was puzzled at first! Then he realized in some way he connected to his new 'ISP provider provided box'; of course that address was not mentioned in the box manual pages! Somebody forgot to delete something before production.

Try with your box at home! Forum administrators could set up a survey about how many providers' routers are running on OpenWrt.

Try what? Setup a survey about what?

  • WAN Ports are not opened by default on stock OpenWrt. So if you're referring to WAN, the ISP must have configured WAN access in their image.
  • Also, you can access the box from LAN by default, so I'm not sure what you're suggesting to the OP
  • The domain http://OpenWrt.lan should open the router's page by default on LAN

Also, @colton.conor also has this thread going: 802.11AC Router Recommendation for ISP

Flash space, CPU and memory are considerations for you - if you're going to run additional software.

Per the community guidelines, please refrain from signing posts.

Hi Ileachi

I was answering to WiteWulf but, and I am deeply sorry about that, I replied to colton.

@colton.conor here in the UK, Secure TR069 is the industry box-standard for ISPs. BT/Plusnet, Virgin and TalkTalk all use their big IT budgets to maintain this protocol as their CPE platform for their millions of subscribers. So what kind of budget is your company working to?

I might add that OpenWRT is somewhat contradictory to ISPs - ISPs expect to be able to monitor and upgrade their stock routers, but OpenWRT does away with all of that stuff [like wan facing management ports]. Note the word freedom in wireless freedom.

So would these routers contain a commercialized build of OpenWRT, with possible GPL issues?

@Geekuino By Secure TR069, do you mean regular TR069? I know it is the de facto management standard used by the big boys, but it's slow and not realtime.

We are small and working on a shoestring budget.

I guess I was under the impression that OpenWRT is linux, and linux has thousands of commercial and open-source projects to remotely monitor, update, and maintain linux boxes remotely.

@colton.conor Indeed, TR069 is designed to be used over TLS, so it's secure by default. Well, that's what it says on the tin. Like all software, TR069 is only as secure as the next zero day exploit. ACS servers are a golden goose target for hackers. An interesting background read: Best Practices for Securing TR-069

As for rollout times, you'll obviously want to push updates ASAP, but with TR069, clients can be trailing weeks behind the latest build. But as things stand, TR069 is the best supported and understood technology.

On the subject of updates and security, you must consider if your client boxes are going to be flashed with a secure bootloader. This is a bootloader which prohibits unauthorized changes - such as reflashing with malware - by authenticating the firmware before the OS starts. Customer routers that allow over-the-wire updates must have secure bootloaders to maintain their integrity. The provisioning of private/public keys adds extra costs to your rollout, but avoids future litigation.

🎃 Yikes!

Well, it looks like one ISP in the UK uses openwrt based, but they aren't very good at it

Yes there are lots of linux management systems, most of them not specifically tailored for embedded type hardware, for example desktops would primarily just install new packages, but routers should probably download and install whole images.

If I were going to do something like this, I'd want to do telemetry via mqtt or similar and updates probably by https with a self-managed certificate trust system (i.e. a client cert signed by my signing cert pre-installed on the device, the device connects to my system, provides its client cert, checks my website's cert, and only then gets a valid firmware image to download and install via sysupgrade)

You could do a similar thing for configs by having it request a uci config via mutually authenticated https, and you could trigger the request via mqtt messages.
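
The device-side half of the update flow described in the post above, as an added example that is not part of the thread and not any project's own code: the router trusts only the operator's CA, presents its client certificate, and checks the image before calling sysupgrade. The server name, file paths and one-line manifest format are assumptions, and curl is assumed to be installed on the device.

```shell
#!/bin/sh
# Added example, not from the thread. Server name, file paths and the
# manifest format ("<sha256>  <image-name>") are assumptions; needs curl.
UPDATE_URL="https://updates.example.net/fw"  # placeholder update server
CA=/etc/fwupdate/operator-ca.pem             # operator's private CA, nothing else
CERT=/etc/fwupdate/device.pem                # per-device client certificate
KEY=/etc/fwupdate/device.key                 # its private key (mode 0600)

# HTTPS only; the server must chain to $CA and we present the client cert.
fetch() {  # fetch <remote-name> <local-path>
    curl --fail --silent --show-error --proto '=https' --tlsv1.2 \
         --cacert "$CA" --cert "$CERT" --key "$KEY" \
         --output "$2" "$UPDATE_URL/$1"
}

# True only if <file> hashes to the 64-char lowercase hex digest <expected>.
verify_sha256() {  # verify_sha256 <file> <expected>
    case "$2" in
        ""|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#2}" -eq 64 ] || return 1
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

update() {
    tmp=/tmp/fwupdate
    mkdir -p "$tmp" || return 1
    fetch manifest "$tmp/manifest" || return 1
    read -r want name < "$tmp/manifest"
    # The image name comes from the network: allow a plain file name only.
    case "$name" in
        ""|.*|*/*) return 1 ;;
    esac
    fetch "$name" "$tmp/image.bin" || return 1
    # Catches truncated or swapped downloads; authenticity rests on the TLS checks.
    verify_sha256 "$tmp/image.bin" "$want" || { rm -f "$tmp/image.bin"; return 1; }
    sysupgrade -T "$tmp/image.bin" || return 1  # image must validate for this board
    sysupgrade "$tmp/image.bin"
}

# Run as "fwupdate.sh run" from cron or from the handler of an MQTT trigger.
if [ "${1:-}" = "run" ]; then
    update
fi
```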

Hi, I'm one of the developers of OpenWISP so my opinion is highly biased of course.

It is not true that OpenWRT is not suitable for ISPs, in fact many ISPs use OpenWISP to manage thousands of routers (all APs shown on this public map are running OpenWRT and are being managed with OpenWISP). It may not have all the features colton.conor is looking for at the present moment but it has the basics and can be easily extended, programmed and integrated with other networking solutions.

Moreover, the community is active and the project is moving ahead steadily, by 2019 we should manage to land an integrated monitoring solution, firmware upgrades and a full RESTful API to handle all aspects of the software (now the API is available only for some modules).

There are other organizations and companies in the same situation as colton.conor which are joining forces to build a programmable network solution to manage an OpenWRT based network which does not restrict their liberty in managing their own network as many other commercial solutions do.

Best regards
Federico

4 Likes

Is there an API?

OpenWRT provides simple JSON-RPC API access to ubus via uhttpd.
This is quite a simple and powerful tool.

3 Likes

Turris Omnia routers are using OpenWRT base and have automatic update and many other features, check if they use open source tools with those.

Hi Colton,
if you are searching for a platform that is capable of managing any number of multi-brand access points or routers, on a single dashboard from the cloud, I would suggest you take a look at Tanaza.
The compatibility list seems pretty dense and they are vendor agnostic, so open to support more models (compatibility list here).
It also comes with a 15 day free trial so you can give it a try and check if it's the solution you are searching for.

I hope this could help you

Does Tanaza communicate with an API to OpenWRT, or how does it configure and control OpenWRT? What about monitoring, is it doing something special, or just using SNMP?

Tanaza is software that lets you manage access points from a dashboard on its cloud, providing you the firmware to install, so that they can automatically connect to the Tanaza infrastructure with an encrypted connection.
From that moment, you can manage and configure everything from there, since any different brand or model will have the same user interface, which is also a great plus IMO, especially when you have to deal with many different ones.

@colton.conor Are you still looking for a cloud management platform for OpenWRT based devices?

Yes we are, why do you ask?