Rpi4: Where to start?

I've been poking about, and it seems stuck in some sort of dark mode that doesn't look quite right. I found the GitHub, but I don't have the theme config as shown in the gif in their readme.

I also saw where they said something about css3 and Chrome, so I might load up Chromium.

You'll need to SSH in and run

opkg remove luci-theme-argon

then reboot... otherwise you may wish to try
21.02-SNAPSHOT/targets/bcm27xx/bcm2711/

Package removed. You never know what you're missing until it's gone. I probably will try the snapshot. I like the layout, and while I do prefer dark modes, they're hard to get right. Any theme is hard to get right.

1 Like

Snapshot will not have LuCI at all and won't have any USB drivers, etc. So be aware that you'll have to manually install some stuff before you have a fully working setup.

1 Like

Oh, I haven't figured out how to get it online yet without its DHCP server goofing my isolated subnet of my home network. I've fixed it before, but it was more educational than fun. I'm also curious how it fares on the 400. That's where my Raspbian router is residing right now.

I reinstalled to wulfy's latest snapshot (factory), as that was the only one I could find presently available, and I was able to switch to a theme called Material, and it looks explorable.

I'm thinking my next step is to get it online without exposing a DHCP server upstream to the home network. I've already crashed my subnet once. I doubt anyone will be happy were I to crash it for the house.

From LuCI, under Network > Interfaces > LAN, turn off the DHCP server.

1 Like

Can't say I understand. I'm after an upstream Wi-Fi connection it doesn't try taking over DHCP on. The idea is to isolate the computers it's serving to just the needed addresses, like appropriate repositories and what is needed for whatever project I'm working on.

Sounds like you want a wireless WAN.

1 Like

I've been reading through that page, and I'm drawing a blank on setting up my WWAN (Wireless Wide Area Network?) Firewall settings. I want to drop/reject packets headed everywhere but repositories needed for updating or as needed on a project. I've been over the theory of how a firewall works several times, but I'm always overwhelmed when I'm trying to write a rule set from scratch.

Start with forward reject, and then add a traffic rule to allow forward to the specific locations.

1 Like

OK, so I'm connected. The command ip a brings up as many as 13 network interfaces, and I've only seen as many as five when I was doing funny stuff on my laptop (three on a Pi without funny stuff). Do these have something to do with VPNs and the like or something?

Can you show the output?

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
    link/ether dc:a6:32:d5:5b:3a brd ff:ff:ff:ff:ff:ff
3: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN group default qlen 1000
    link/tunnel6 :: brd ::
4: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
5: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
6: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 8a:7c:a9:53:19:e5 brd ff:ff:ff:ff:ff:ff
7: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1000
    link/gre 0.0.0.0 brd 0.0.0.0
8: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1476 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
9: erspan0@NONE: <BROADCAST,MULTICAST> mtu 1464 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
10: ip6gre0@NONE: <NOARP> mtu 1448 qdisc noop state DOWN group default qlen 1000
    link/gre6 :: brd ::
11: teql0: <NOARP> mtu 1500 qdisc noop state DOWN group default qlen 100
    link/void 
12: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether dc:a6:32:d5:5b:3b brd ff:ff:ff:ff:ff:ff
13: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether dc:a6:32:d5:5b:3a brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd1e:6fc5:1266::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::dea6:32ff:fed5:5b3a/64 scope link 
       valid_lft forever preferred_lft forever

I understand Loopback. I don't get why it's using the old Ethernet/Wi-Fi interface names, but that shouldn't affect this project.

You can safely ignore all those gre and sit tunnels and such. Those are there in case you want to set up lots of complicated tunnels, VPNs, etc., but they are not active at the moment (see state DOWN).

Let's see, that leaves two I know at the start, and br-lan at the end. I'm going to want to compare notes with my Raspbian hack router.

Finally broke into my Raspbian router. I hand configured it so wlan0 was facing outward and eth0 was facing inward, toward its subnet. It took a bit of work, as I remember.

How should I have configured it in retrospect?

In Raspbian I like to take advantage of systemd-networkd. I disable the Networking (traditional ifupdown interface) and NetworkManager, and enable systemd-networkd, then use /etc/systemd/network/ files to configure things.
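As an added illustration of the systemd-networkd approach described in the reply above (this is not the replier's own configuration), here are two unit files for the same split the thread uses: eth0 inward to the isolated subnet, wlan0 outward as a DHCP client of the home Wi-Fi. The 192.168.50.0/24 subnet, the pool sizes and the file names are constructed; after `systemctl disable --now networking NetworkManager` and `systemctl enable --now systemd-networkd`, drop the files into /etc/systemd/network/. Association with the Wi-Fi network itself still needs wpa_supplicant (for example the wpa_supplicant@wlan0 unit), which these files do not cover.

```ini
# /etc/systemd/network/10-eth0.network
# Inward side: static address, and the DHCP server lives ONLY here,
# so it can never answer hosts on the home network.
[Match]
Name=eth0

[Network]
Address=192.168.50.1/24        # constructed subnet; must not overlap the home LAN
IPForward=ipv4                 # route between eth0 and wlan0
DHCPServer=yes

[DHCPServer]
PoolOffset=100                 # hand out .100 - .149 to cluster nodes
PoolSize=50
EmitDNS=yes
DNS=192.168.50.1               # the Pi itself (run a resolver there) or an upstream resolver

# /etc/systemd/network/20-wlan0.network
# Outward side: plain DHCP client of the home router, no server of any kind.
[Match]
Name=wlan0

[Network]
DHCP=ipv4
```

Keeping DHCPServer= out of the wlan0 file is the whole point: the earlier "DHCP server goofing my isolated subnet" problem happens when a server ends up listening on the interface that faces the home network. `networkctl status eth0` shows whether the address and server came up as expected.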

Anyway, for this week, I want to connect to the home network and make sure "untrusted" computers cannot get through the firewall except for projects I'm assigning them.

Network -> Firewall

General Settings
SYN-flood protection ON
Drop invalid packets OFF
Input: Accept
Output: Accept
Forward: Reject

This router is not intended to operate directly exposed to the Internet, though I am trying to learn how to safely handle unknown computers at the same time. At the same time, I may want SSH access into the router, then into the individual nodes.

Routing/NAT Offloading
Software flow offloading: OFF

I'm guessing this is supposed to help with busy networks? I'm leaving it off.

Zones
lan => wan

Input: reject
Output: accept
Forward: reject
Masquerading: OFF

wan => REJECT

Input: reject
Output: accept
Forward: reject
Masquerading: OFF

This part feels a little intimidating to understand, but I'll try to say what I think is going on anyway. LAN should be facing the closed-off cluster on eth0 while WAN should be facing the rest of the network on wlan0. I believe I will need a special rule for exempting specific IPs, like for repositories or whatever project (home NAS in this case).

At some point, I am looking to use a USB3 Ethernet adapter, but on the old standard for naming network interfaces, I'm a little worried about it mixing up eth0 and eth1 between boots. I remember seeing a way to manually switch, but I don't want to confuse other parts of the system expecting a specific way of changing it.
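To tie together the "wireless WAN" suggestion and the "forward reject, then allow specific destinations" advice from earlier in the thread with the zone layout described in this post, here is an added set of OpenWrt UCI fragments. This is not configuration from the thread or from the OpenWrt project; it assumes the interface names from the `ip a` output above (eth0 bridged as br-lan, wlan0 as the upstream client), a radio named radio0, and uses placeholder addresses (192.0.2.x, the documentation range) for the NAS, the package mirror and an admin workstation. The SSID and key are constructed.

```uci
# /etc/config/network
config interface 'lan'
	option device 'br-lan'        # bridge over eth0: the isolated cluster side
	option proto 'static'
	option ipaddr '192.168.1.1'   # from the thread; change it if the home LAN is also 192.168.1.0/24
	option netmask '255.255.255.0'

config interface 'wwan'           # upstream side: wlan0 joins the home Wi-Fi as a client
	option proto 'dhcp'           # the home router assigns the address; no DHCP server on this side

# /etc/config/wireless
config wifi-iface 'wwan_sta'
	option device 'radio0'        # assumed radio name
	option mode 'sta'
	option network 'wwan'
	option ssid 'HomeNet'         # constructed
	option encryption 'psk2'
	option key 'CHANGE-ME'        # placeholder

# /etc/config/firewall
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'       # nothing crosses zones unless a rule below says so

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'         # cluster hosts may use the router's DHCP, DNS and SSH
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan'
	list network 'wwan'
	option input 'REJECT'         # the home network cannot reach the router's services
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'               # the home router has no route back to the cluster subnet

# Deliberately NO 'config forwarding' section from lan to wan:
# only the explicit ACCEPT rules below let cluster traffic out.

config rule                       # OpenWrt's stock rule; needed once wan input is REJECT
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-lan-to-NAS'
	option src 'lan'
	option dest 'wan'
	option proto 'tcp'
	option dest_ip '192.0.2.10'   # placeholder: home NAS
	option dest_port '445'
	option target 'ACCEPT'

config rule
	option name 'Allow-lan-to-repo-mirror'
	option src 'lan'
	option dest 'wan'
	option proto 'tcp'
	option dest_ip '192.0.2.20'   # placeholder: package mirror used for updates
	option dest_port '80 443'
	option target 'ACCEPT'

config rule                       # optional: SSH into the router from ONE admin machine only
	option name 'Allow-admin-SSH'
	option src 'wan'
	option src_ip '192.0.2.50'    # placeholder: admin workstation
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'
```

Two points worth checking after `/etc/init.d/firewall restart`: the cluster hosts still resolve names because they talk to the router's own dnsmasq (lan input ACCEPT) and the router forwards upstream through its own output chain, which is separate from the forward chain being restricted; and because the allow rules match on `dest_ip`, a mirror that resolves to several addresses needs each of them listed (or an `ipset`), otherwise the rejects will look like random update failures.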