OpenWrt Forum Archive

Topic: Build for WNDR3700/WNDR3800

The content of this topic has been archived between 9 Jul 2013 and 6 May 2018. Unfortunately there are posts – most likely complete pages – missing.

I have built a rather minimalistic build for WNDR3700v1, WNDR3700v2 and WNDR3800 focusing just on the features I need. This is pretty much the basic IPv6 enabled router setup matching the WNDR3700 hardware without too much additional fancy stuff.

Note that this build is not compatible with v3, v4 and v5 that have totally different hardware.

I build the current master and 17.01 branches.

Current version:
- master:  master-r6755-d089a5d773-20180424
- LEDE 17.01:  lede1701-r3877-23a638ebd1-20180423


WNDR3700 firmware downloads are available in Dropbox:
Download site: https://www.dropbox.com/sh/t52c02rm20y8x9p/khFGAJu3gc
Short link: http://db.tt/4FM5if8e

I only upload the versions after successfully flashing my own router, so the build has at least that much quality assurance process.

Full configuration and source code diffs included, in case somebody wants to utilize info in own builds.
See the patch files included in each build's download directory.

Good ipv6 support is now standard in Openwrt, so I am dropping the IPv6 from the title. Documentation for the ipv6 configuration can be found at http://wiki.openwrt.org/doc/uci/network6

Features included:
- LuCI with HTTPS SSL support
- USB storage automounting
- Support for various file systems to enable most drives: ext2/3/4, FAT, HFS+, CIFS/SMB, (NTFS read-only)
- WiFi button works to toggle Wifi on or off
- WPS button works to enable automatic Wifi-authentication with WPS-enabled devices
- Reset button works
- IPv6: tunnel support for 6in4, 6to4, 6rd and aiccu included in the build.
- QoS for traffic control. The 'sqm-scripts' package is included, but initially disabled, as max speed needs to be adjusted to WAN connection speed
- DynDNS support, also in LuCI
- VSFTPD FTP server package with TLS/SSL support (access initially disabled by "local_enable=NO" in vsftpd.conf)
- Adblock package (initially disabled)
- Wake-on-LAN (WOL) LuCI module
- Nano text editor
- EFI/GUID partitions supported
- ccrypt package included for file encryption
- kmod-tun, enables opkg install of OpenVPN (openvpn-openssl variant)

- r31244: added support to Dnsmasq for host-specific lease times for static dhcp leases
- r33212: usb-modeswitch added for 3G modems
- r35964: added script helping to reinstall add-on packages after sysupgrade.
                See /etc/reinstall-packages.sh
- r36377: kmod-ipt-nathelper-rtsp included
- r36467: iptables-mod-ipsec (and kmod-ipt-ipsec)  included
- r39183: WPS pin code set to the original value given by Netgear in the label at the router's bottom
- r39350: GNU wget and hfsplus file system support added
- r41800: luci-app-diag-devinfo has been removed (also its dependencies)
- r42420: wps hotplug script modified to match currently needed hostapd_cli options
- r42673: miniupnpd settings: leave upnp off by default in /etc/config/upnp
- r42769: SQM (Smart Queue Management) QoS system
- r43205: IETF BCP38 functionality added (tab in Firewall config in Luci)
- r44594: trunk: patches for uhttpd log spam
- r46710: Luci statistics tweaks & fixes
- r46763: Luci opkg package listing fixes
- r46815 trunk: devs have disabled telnet. If root password is not yet set, then just ssh without password.
- r47006 trunk: a new Luci theme "material" included. Default is still "bootstrap"
- r47073: build environment: scripts modified, support both git and svn as the main repo
- r47102: Old qos-scripts has been removed and SQM is the only QoS in firmware
- r47486: enable sha256 certs in Luci by switching to default SSL implementation (polarssl)
- r47641 trunk: added "cake" modules for SQM QoS  (might be temporary)
- r48730: Add support for 'adblock' with LuCI interface (adblock is initially disabled)
- r49379 DD trunk: Change Luci to use Openssl instead of Polarssl in DD trunk
- lede-r1297: adjust to sha256sums instead of md5sums in build scripts
- lede-r1298: show also sha256 checksum for sysupgrade in Luci
- April 2017: aiccu is removed as SixXS will stop operations in June

Note: As I build with standard kernel options, the Chaos Calmer 15.05 and trunk snapshot modules should be compatible with my builds, in case somebody wishes to add modules to my build.

Note: A special version of my firmware that has the mtd write-protection removed from u-boot, u-bootenv and art partitions is available in subdirectory art_partition_binary_contents / firmware_with_no_write_protection. That enables you to edit/overwrite u-boot and art. That is highly dangerous and can permanently brick the router. But it might still be needed at some recovery operation...

---- Instructions for re-creating my build environment are in the next message ----

(Last edited by hnyman on 26 Apr 2018, 17:10)

Instructions how to re-create my build environment in Ubuntu x64.
* Updated at r48035 to support only git as the main Openwrt repository and feeds.

Since r34827 my firmware release contains also a script to re-create my full build environment in a few minutes.

The creation script handles trunk and branches (like C15.05) separately and only builds the environment for one of them. The creation script runs pretty automatically. The needed few steps are:
- Create the base directory (I use /Openwrt) and make it writable by your normal user account  (non-root)
- Download from my newest firmware the newBuildroot.sh file and the four *.patch files to /Openwrt
- Run newBuildroot.sh. It creates the complete build environment
- Build firmware with hnscripts/updateNmake.sh

More detailed explanation of the steps in the build environment creation process :

  1. Create the base directory (like e.g. /Openwrt) to your buildhost. chown/chmod that directory to be writable by your normal user account (chmod 755). Buildroot will be created in that directory, e.g. /Openwrt/trunk or /Openwrt/chaos

  2. Download the "newBuildroot.sh" file from my newest firmware build package to /Openwrt
    2b) chmod "newBuildroot.sh" to be executable

  3. Download the firmware's four patch files: -main.patch, -packages.patch, -luci.patch and -routing.patch to /Openwrt. Note that the trunk build environment needs the trunk patches, and correspondingly the Chaos Calmer environment needs the Chaos Calmer patches.

  4. Verify that "newBuildroot.sh" references the correct patches

    • Check that the FILESTAMP variable definition matches the timestamp in actual patch names.

  5. Run "newBuildroot.sh". It installs the needed prerequisite packages to Ubuntu, creates trunk or chaos git repository and downloads the feeds' sources, patches them and also adds the new files to version control as well as chmods the known script files to be executable.

    • If patch names are correctly set in "newBuildroot.sh", all sources will get patched by the script. Main source needs to be patched first, as that patch possibly contains changes to feeds.conf.defaults. Then it updates the feeds (packages, luci, routing), patches the feed files and finally installs the packages from feeds with "scripts/feeds install -a".

    • Check the attributes of the possible script files added by the patches and chmod them executable, if needed. e.g. /etc/reinstall-packages.sh and other scripts in /etc
      Note: Since the new button hotplug procd functionality also the button scripts in /etc/rc.button need to be executable. (E.g. files/etc/rc.button/BTN_2)

    • Verify that the build script files located in <buildroot>/hnscripts are executable and have been added to version control.

    • Verify that the new files have been added to git tracking. The script has commands for the "files" directory & ".config.init", but you should check if there are other unknown files added by the patches. The script tries to automatically include the noticed new files created by the patches.

  6. Copy possibly needed additional files and prepare the build system:

    • Copy extra custom files to <buildroot>/files . E.g. your personal settings to be included in the firmware.

    • Copy build keys to <buildroot> if you want to maintain the same build key in the new environment

    • Possibly also create a file share for transferring files. For example, I need /media/windows-share to easily move files from Virtualbox to PC.

    • Additionally, I need to set git options (username etc.) and to set minor OS options like gedit not producing backup files etc.

Steps 1-5 should be done automatically by the script, but verify the results ;-)

After this you should have an identical build environment as I have. I have actually recreated my current build environment several times with this process ;-)

Note: The -openwrt.patch also contains the device profile recipe ".config.init" with all the needed package selections and all build scripts used in my build environment.

Steps in the actual firmware build process in /Openwrt/trunk:
1) Copy .config.init as the new .config to initialize the build profile:  cp .config.init .config
    ("make defconfig" will expand the recipe to a full .config . You can run that command also manually.)
2) Do the actual make: hnscripts/updateNmake.sh
3) transfer files from bin/ar71xx to wherever you need them. I use a script: hnscripts/mountNcopy.sh

Explanation of the scripts in <buildroot>/hnscripts:

  • updateNmake.sh is the main build script that updates sources and builds the firmware

  • mountNcopy.sh is the script that I use to copy firmware files to my PC

  • newBuildroot.sh is the build environment creation script

  • createbuildinfo.sh creates the firmware release package with docs & patches and is automatically called at the end of updateNmake. (Usually there is no need to call that manually.)

  • Other scripts (timestampVersion, parallelcompile, singlecompile, kernelcompile, copypackages2tmp) are just helpers


Note: Main changes at r47072:
* All build scripts are now in <buildroot>/hnscripts and will be included in the -openwrt.patch
* Explicit requirement for /Openwrt as the base was removed. The build environment can now be created anywhere (as long as the path stays reasonably short).
* New buildroot creation script packaged separately and has been clarified.
* The log file "build.log" has been moved to <buildroot>/logs.
Longer explanation at https://forum.openwrt.org/viewtopic.php … 25#p294225

Note: Main changes at r48035:
* Git only. Support for svn as the main repo or feed has been removed

(Last edited by hnyman on 4 Oct 2016, 11:37)

I have updated the build to r25348 with an added feature:

WiFi button:
It toggles WiFi off, if at least one radio was on. And if both radios were off, it toggles WiFi on according to the specs set in normal Wifi config.

WPS button:
If you have a WPS-enabled network device (like a modern USB dongle) supporting Wi-Fi Protected Setup (WPS), you can initiate WPS authentication by pushing the similar WPS button on the device (or launching it by software). After the device has initiated the authentication process, you can accept the call with the WPS button on WNDR3700. The connection should then get negotiated. Using the button requires small editing of /etc/config/wireless. See explanation here: https://forum.openwrt.org/viewtopic.php … 10#p127010
(For builders: using WPS authentication requires changing the 'wpad-mini' package to 'wpad' and 'hostapd-utils'.)

This matches pretty much the original button logic in Netgear firmware.

Control for the WPS button is now included in Luci interface in my build.

If anybody else wants to add the patch to their Luci source (if they have Luci source):
I have created a ticket with patch out it, so it might get into the official Luci build at some point.
http://luci.subsignal.org/trac/ticket/194

(Last edited by hnyman on 21 Dec 2012, 17:08)

Thank you very much for all your work! I've been playing around with it this evening and it seems pretty solid.

Here is the itemized list of source code changes, that was requested in Arokh's thread.

There is no list of the modules selected in menuconfig. I might do that list at some point, but right now you have to compare my .config against yours (with diff), and read the Wiki.

Like I said earlier in Arokh's thread, IPv6 is not about source code changes. Practically the only changes have been in ip6tables firewall rules, aiccu tunnel hotplug script modification and enabling IPv6 forwarding in sysctl.conf (which is already default in Kamikaze/Trunk).

The needed changes to config files not included here (e.g. for WPS button to work) have been explained in the threads referenced earlier.

Base system:
-------------

USB automounting:
Index: /Openwrt/backfire/package/block-mount/files/fstab.config

USB LED (for Backfire only):
Index: /Openwrt/backfire/target/linux/ar71xx/base-files/etc/uci-defaults/wndr3700
Index: /Openwrt/backfire/package/base-files/files/etc/hotplug.d/usb/10-usb

WPS button:
Index: /Openwrt/backfire/package/hostapd/files/wps-hotplug.sh

WiFi Button:
Index: /Openwrt/backfire/files/etc/hotplug.d/button/01-radio-toggle

Network:
---------
QoS:
Index: /Openwrt/backfire/package/qos-scripts/files/etc/config/qos

IPv6:
Index: /Openwrt/backfire/feeds/packages/ipv6/aiccu/files/aiccu.hotplug
Index: /Openwrt/backfire/package/base-files/files/etc/sysctl.conf
Index: /Openwrt/backfire/package/firewall/files/firewall.user

WPS button Luci user interface (separate Luci source code):
--------------------------------------------------------------
Index: /Openwrt/backfire/feeds.conf.default
Index: /Openwrt/luci/branches/luci-0.10/contrib/package/luci/Makefile
Index: /Openwrt/luci/branches/luci-0.10/modules/admin-full/luasrc/model/cbi/admin_network/wifi.lua

Personal preferences (not needed for general build):
------------------------------------------------------
Index: /Openwrt/backfire/feeds/packages/net/ntpclient/files/ntpclient.config
Index: /Openwrt/backfire/scripts/getver.sh
Index: /Openwrt/backfire/package/base-files/files/etc/openwrt_release
Index: /Openwrt/backfire/package/base-files/files/etc/config/system
Index: /Openwrt/backfire/package/base-files/Makefile
Index: /Openwrt/backfire/files/etc/compiled_by.txt

This works pretty well, except I can't get native IPv6 working. Is there anything that might be preventing this? I noticed some tunnel-specific firewall rules in place, however adding one for eth1 did not make a change.

Setting the gateway route manually via ssh did allow IPv6 working both to lan and internet from the router (it was set in Luci, wonder if it propagated as it should have?). However, it does not route any IPv6 traffic from lan - the router can be pinged, but that's all.

@Unksi:
make sure that you have the default route set up correctly.

At least the 6in4 tunnel script explicitly sets the default route. I am not sure how well it gets set with native Ipv6 connectivity.

How do you get your subnet? DHCPv6 in use? Stateless autoconfig from ISP's router?

The default route is set like this manually:
::/0                                        2001:1bc8:102:xxx::1                   UG    1024   472       0 eth1

After this was set up, ping6 ipv6.google.com started working from the router. No effect on the workstations though.

The subnet is configured by hand, though I have noticed that my ISP does have autoconfig as well. I am using radvd on the router for my lan.

Unksi wrote:

After this was set up, ping6 ipv6.google.com started working from the router. No effect on the workstations though.

The subnet is configured by hand, though I have noticed that my ISP does have autoconfig as well. I am using radvd on the router for my lan.

I would guess that you need to edit your WAN interface settings by hand (if you are using Backfire build).

There is a bug in Luci that I have reported (and which was fixed in Luci trunk a week ago), but has not yet been fixed in Luci 0.10 used in Backfire. Hopefully devs backport that change to 0.10 also. http://luci.subsignal.org/trac/ticket/192

Luci sets 'defaultroute' '0' statement to all interfaces it sees (you visit that interface's settings), and you need that as 'defaultroute' '1' for IPv6 radvd to work (unless you provide route in radvd settings by hand).

You might check your /etc/config/network and change WAN interface to offer defaultroute 1. Check it.

(Last edited by hnyman on 4 Feb 2011, 19:44)
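
A way to run the /etc/config/network check suggested above against the file or a saved copy of it, as an added example that is not part of the original posts. The helper name and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list the interfaces in a UCI network
# config that carry "option defaultroute 0".

# Constructed sample, mixing the quoted and the bare UCI styles.
sample_network_config() {
cat <<'EOF'
config 'interface' 'loopback'
        option 'ifname' 'lo'
        option 'proto' 'static'

config 'interface' 'lan'
        option 'ifname' 'eth0'
        option 'type' 'bridge'
        option 'defaultroute' '0'

config 'interface' 'wan'
        option 'ifname' 'eth1'
        option 'proto' 'dhcp'
        option 'defaultroute' '0'

config interface wan6
        option proto 6to4
        option defaultroute 1
EOF
}

# Hypothetical helper: reads a UCI network config on stdin and prints the
# name of every interface section whose defaultroute option is 0.
interfaces_without_defaultroute() {
    awk -v q="'" '
    {
        # UCI accepts single-quoted, double-quoted and bare words:
        # strip both quote characters before looking at the fields.
        gsub("[" q "\"]", "")
    }
    $1 == "config" {
        # Remember the section name only for interface sections.
        section = ($2 == "interface") ? $3 : ""
        next
    }
    $1 == "option" && $2 == "defaultroute" && $3 == "0" && section != "" {
        print section
    }'
}

# On the router: interfaces_without_defaultroute < /etc/config/network
sample_network_config | interfaces_without_defaultroute
```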

Not sure if you have the time - but might you try and integrate Comcast's DSLite/6RD software?

@phongn:
I will look into it, although I have no way in testing Comcast's solutions.
And the Sourceforge link seems to lead into a full OpenWrt buildroot. No point for me.
If it looks like there is just info about enabling it in normal Openwrt, then there might be something to include.

But Comcast had a nice link to an IPv6 test: http://test-ipv6.com/
(I am getting 9/10 for IPv6... losing one point as my ISP has no DNS server in IPv6 address space.)

EDIT:
At first glance it looks like 6rd is based on 6to4. You might be able to config it by installing the 6to4 package in OpenWrt.

(Last edited by hnyman on 5 Feb 2011, 17:39)

hnyman wrote:

At first glance it looks like 6rd is based on 6to4. You might be able to config it by installing the 6to4 package in OpenWrt.

Not yet unfortunately. 6RD is basically 6to4 with the relay server manually specified instead of using the fixed anycast address 192.88.99.1.
Also the prefix can be freely chosen (by the ISP) compared to the fixed 2002::/16 prefix defined for 6to4.

I have updated a new r25370 version of my 'trunk' build to the FTP server.
I am currently running that trunk version myself for finding out the possible differences in configurations between Backfire and trunk.

I have noticed one noteworthy difference:
- button names are different. WPS button in Backfire is 'BTN_1', while in trunk it is 'wps'. That was discussed earlier today in another thread, and I had to find out by myself ;-) I added the correct info also to the WNDR3700 Wiki article.

USB LED definition is already there in trunk, so no need to patch /etc/config/system for trunk
Hopefully it gets patched in Backfire at some point...  https://dev.openwrt.org/ticket/8785

One strange effect, caused by the firewall:
System log shows firewall-related error during boot, which errors look like firewall has tried to apply some additional iptables rules to the IPv6 ip6tables. I determine that from the chain names, which are shown in the error messages

Feb  5 22:36:57 OpenWrt user.info sysinit: ip6tables: No chain/target/match by that name.
Feb  5 22:36:57 OpenWrt user.info sysinit: ip6tables v1.4.10: Couldn't load target `zone_lan':File not found
Feb  5 22:36:57 OpenWrt user.info sysinit: Try `ip6tables -h' or 'ip6tables --help' for more information.
Feb  5 22:36:57 OpenWrt user.info sysinit: ip6tables v1.4.10: Couldn't load target `zone_lan_forward':File not found
Feb  5 22:36:57 OpenWrt user.info sysinit: Try `ip6tables -h' or 'ip6tables --help' for more information.

That might be caused by my own rules in /etc/firewall.user, that empty the existing built-in chains first.
Probably I will need to delete my own rules for a while and see how they need to be adapted to the current default rules in Trunk.

Backfire was changed two days ago to use that same firewall (with r25353), right after I had made my previous Backfire build... Possibly I need to generate a new IPv6 ruleset also for Backfire, or possibly/hopefully the default rules might play out well.

EDIT:

Yep, Trunk's current IPv6 firewall seem to have decent default ip6tables rules. I mostly commented out my own rules as unnecessary. Trunk version bumped to 25378 and includes only minimal ip6tables rules additions from me.

(Last edited by hnyman on 6 Feb 2011, 00:39)
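
The boot errors quoted above can be pulled out of the system log mechanically, so a partly applied ip6tables ruleset does not go unnoticed. This is an added example, not code from the thread; the helper name and the first sample log line are constructed, the other sample lines are the ones quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread): report ip6tables rules that failed
# to load, as seen in syslog output such as "logread".

# First line is constructed; the rest are the log lines quoted in the post.
sample_boot_log() {
cat <<'EOF'
Feb  5 22:36:55 OpenWrt user.info sysinit: constructed unrelated line
Feb  5 22:36:57 OpenWrt user.info sysinit: ip6tables: No chain/target/match by that name.
Feb  5 22:36:57 OpenWrt user.info sysinit: ip6tables v1.4.10: Couldn't load target `zone_lan':File not found
Feb  5 22:36:57 OpenWrt user.info sysinit: Try `ip6tables -h' or 'ip6tables --help' for more information.
Feb  5 22:36:57 OpenWrt user.info sysinit: ip6tables v1.4.10: Couldn't load target `zone_lan_forward':File not found
Feb  5 22:36:57 OpenWrt user.info sysinit: Try `ip6tables -h' or 'ip6tables --help' for more information.
EOF
}

# Hypothetical helper: reads syslog text on stdin and prints
#   missing-target <name> <count>     for each target ip6tables could not load
#   unknown-chain-or-target <count>   for "No chain/target/match" rejections
# Prints nothing when no ip6tables failure is logged.
failed_ip6tables_rules() {
    awk '
    !/ip6tables/ { next }
    /Couldn.t load target/ {
        # The target name sits between the backtick and the closing quote.
        n = split($0, part, "`")
        if (n < 2) next
        name = part[2]
        sub(/[^A-Za-z0-9_.-].*$/, "", name)
        if (name != "") missing[name]++
        next
    }
    index($0, "No chain/target/match by that name") { unknown++ }
    END {
        for (name in missing) print "missing-target", name, missing[name]
        if (unknown) print "unknown-chain-or-target", unknown
    }' | LC_ALL=C sort
}

# On the router: logread | failed_ip6tables_rules
sample_boot_log | failed_ip6tables_rules
```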

hnyman wrote:
Unksi wrote:

After this was set up, ping6 ipv6.google.com started working from the router. No effect on the workstations though.

The subnet is configured by hand, though I have noticed that my ISP does have autoconfig as well. I am using radvd on the router for my lan.

I would guess that you need to edit your WAN interface settings by hand (if you are using Backfire build).

There is a bug in Luci that I have reported (and which was fixed in Luci trunk a week ago), but has not yet been fixed in Luci 0.10 used in Backfire. Hopefully devs backport that change to 0.10 also. http://luci.subsignal.org/trac/ticket/192

Luci sets 'defaultroute' '0' statement to all interfaces it sees (you visit that interface's settings), and you need that as 'defaultroute' '1' for IPv6 radvd to work (unless you provide route in radvd settings by hand).

You might check your /etc/config/network and change WAN interface to offer defaultroute 1. Check it.

I am using the latest trunk version (just updated, still no change). The defaultroute setting does not help on it, and neither does setting the route from radvd either. I have set the settings manually for WAN interface.

With the newest version the IPv6 does not work to the public internet even with the manually forced route set - does work after turning off the firewall though, still without routing. Will fiddle around with it when I have more time to pin down the rule which may cause it.

Although this thread was named as Backfire-related, I have been running trunk for the last day, polishing my build for trunk.

Trunk version has been bumped to r25382. http://koti.welho.com/hnyman1/Openwrt/
(I have not uploaded a new Backfire build, as the firewall v2 has been implemented after I last time flashed Backfire. I need to check that everything works ok.)

Full config & source file diffs included, including Luci changes.

There are several enhancements in Kamikaze/trunk:
-Polished IPv6 firewall settings
-Better version display in Luci
-Smart Reset button to return the router to default settings


Explanations:

IPv6:

The trunk firewall v2 seems to have pretty similar default rules as IPv4 firewall. They are ok without modifications. Although there is no special need to include a /etc/firewall.user any more with trunk, I still have one.
My build includes additional rules doing the following:
- commented-out iptables command to always enable tunnel-provider's IPv4 contacts. Needed for SixXS static tunnels.
- rule for dropping rh0 routing header packets
- commented-out model rule for allowing incoming traffic to port X. There is no NAT in basic ipv6, so no port-forward, but you have to open the firewall for the desired incoming port X, if you want.
- additionally, commented-out, a full rule set for starting ip6tables without any default rules.


Better version display in Luci:

Kamikaze/trunk and Luci trunk seem to have a mechanism for better version display than the default, but that mechanism is left unused. The default seems to be that SVN version number is only bumped up when Luci is rebuilt. If there are no changes to Luci or the user does not update feeds before compiling, he may end up with old SVN r_number being displayed.

Both Backfire and Kamikaze/trunk enable the functionality, where Luci reads the correct version string from /etc/openwrt_release. But for some reason, that file is not included in default Kamikaze/trunk. I have added that missing file also to my Kamikaze/trunk build, which now always shows the correct SVN revision based on SVN head. 'Base-files' package's Makefile has been modified to add the revision to /etc/openwrt_release.  (Additionally, it might be the 'packages' feed files instead of Backfire or Kamikaze/trunk files that have changed latest, so it is best to use the global SVN head revision. My modified getver.sh takes care of that.)

Version displayed for me: "OpenWrt Kamikaze/trunk SVN (r25382)"

References:
https://dev.openwrt.org/changeset/20659
http://luci.subsignal.org/trac/changeset/6016


Buttons:

I have restructured my button files and added support for a smart reset button.

I hated the approach that you have to press the reset button for at least X seconds. The reset button is so well hidden in a hole in the bottom of the router, that I have no wish to try to press it for 10 seconds etc. So I figured out something else:

WNDR3700 has many buttons and many LEDs. I designed a smart reset button script, that requires you to first press 'reset' in the bottom of the router, and then during the next 20 seconds to press the WPS button. The time period is indicated by a flashing WPS LED.

Additionally, Luci has been modified to explain this functionality to the user on the Backup/restore/reset page in the System section of Luci. The following explanation is shown:

This router's firmware has been modified to support the 'reset' button located in the bottom of the WNDR3700. If you press the 'reset' button, the WPS LED starts to blink for the next 20 seconds. If you press 'WPS' button during that time, the router resets itself to the initial settings (by removing the jffs partition completely and thus reverting to the original configuration files included in the firmware). If you want to disable this reset feature, delete files '/etc/hotplug.d/button/05-reset' and '/sbin/blink_wps_20' .

The reset script works by first monitoring the reset button itself. If the button is pressed, then the script launches the WPS LED blinking process that has two functions:
- it runs for 20 seconds blinking the WPS LED every second
- it acts as a "reset enabled" flag for the reset script that also monitors WPS button. The existence of the flag process is evaluated when the WPS button pressed event is noticed.

If the script then notices that the WPS button is pressed during the period when that flag process is running (and LED is blinking), it restores the device to default firmware settings by deleting the jffs partition containing the modified config files, by running 'firstboot' and then 'reboot'. I am not 100% sure, if 'firstboot' is the 100% correct process for this, but it seems to work. I tested, it works. User returns to the situation after flashing firmware without saving config files.

This is not useful if the system is completely screwed and has crashed, but it might help if you forget password or otherwise lock yourself out of the router e.g. with disabling network interfaces.

The reset script is '/etc/hotplug.d/button/05-reset' and the blinking/flag script is '/sbin/blink_wps_20'. I made the script compatible with both Backfire and Trunk by using both button names for the buttons.

Note: The same approach could be used also for other routers with several buttons & LEDs.

The new '01-log-button-action' hotplug just records all button actions to system log, that can be seen both from Luci and from the console with the  'logread' command.

Additionally, I modified other button scripts too. Currently there are 4 button scripts and the flag helper script:
/etc/hotplug.d/button/01-log-button-actions  : log all button activities, good for finding out what happens
/etc/hotplug.d/button/05-reset  : Functionality for Reset button
/sbin/blink_wps_20  : Helper script for Reset (blink & flag), needs to be executable, chmod +x
/etc/hotplug.d/button/10-radio-toggle  : WiFi button functionality
/etc/hotplug.d/button/50-wps  : WPS button's normal functionality.

(I have added the other files to the build using /files sub-directory in buildroot, but 50-wps already exists in feeds/packages 'hostapd', so I have modified source there.)

/etc/hotplug.d/button/01-log-button-actions

#!/bin/sh
logger "Button '$BUTTON' was '$ACTION'"

/etc/hotplug.d/button/05-reset

#!/bin/sh

# RESET button is 'reset' in trunk, 'BTN_0' in Backfire
# WPS button is 'wps' in trunk, 'BTN_1' in Backfire

if [ "$ACTION" = "pressed" ] && [ "$BUTTON" = "reset" -o "$BUTTON" = "BTN_0" ]; then
  logger "RESET button: status active for 20 seconds"
  #launch reset flag process and blink WPS LED for 20 seconds
  /sbin/blink_wps_20 &
fi

if [ "$ACTION" = "pressed" ] && [ "$BUTTON" = "wps" -o "$BUTTON" = "BTN_1" ]; then
  # grep -q only sets the exit status: is the blink/flag process running?
  if ps | grep -v grep | grep -q blink_wps; then
    # blinking reset flag process still alive, reset is possible
    logger "WPS button when reset flag is active: go for RESET"
    # RESET action here
    firstboot && reboot &
  else
    logger "WPS button when no reset flag, no reset action"
  fi
fi

/sbin/blink_wps_20   (Note: needs to be executable, chmod +x )

#!/bin/sh
# remember to chmod this file runnable
a=0
while [ "$a" -lt 10 ]
do
        echo "255" > /sys/devices/platform/leds-gpio/leds/wndr3700:green:wps/brightness
        sleep 1
        echo "0" > /sys/devices/platform/leds-gpio/leds/wndr3700:green:wps/brightness
        sleep 1
        let "a += 1"
done

/etc/hotplug.d/button/10-radio-toggle

#!/bin/sh 
if [ "$BUTTON" = "BTN_2" ] && [ "$ACTION" = "pressed" ]; then
    if [ -d /var/run/hostapd-phy0 -o -d /var/run/hostapd-phy1 ]; then
        logger "WiFi button used: WiFi down"
        /sbin/wifi down
    else    
        logger "WiFi button used: WiFi up"
        /sbin/wifi up
    fi
fi

/etc/hotplug.d/button/50-wps

if [ "$ACTION" = "pressed" -a "$BUTTON" = "wps" ]; then
        logger "WPS button pressed, looking for active radios"
        echo "255" > /sys/devices/platform/leds-gpio/leds/wndr3700:green:wps/brightness
        for dir in /var/run/hostapd-*; do
                [ -d "$dir" ] || continue
                logger "WPS activated for: $dir"
                hostapd_cli -p "$dir" wps_pbc
        done
        sleep 10
        echo "0" > /sys/devices/platform/leds-gpio/leds/wndr3700:green:wps/brightness
fi

hnyman wrote:

@phongn:
I will look into it, although I have no way in testing Comcast's solutions.
And the Sourceforge link seems to lead into a full OpenWrt buildroot. No point for me.
If it looks like there is just info about enabling it in normal Openwrt, then there might be something to include.

The guys out in this thread seem to indicate that some of the changes might not be too hard (package ISC DHCP, ipv6tunnel, sipcalc and ensure 6RD and dslite are enabled in the kernel). Do you have a repository for your own branches that might be testable?

Back on the Backfire track: version bumped to r25407. http://koti.welho.com/hnyman1/Openwrt/

The firewall in Backfire has really been upgraded in r25353 to use the same firewall_v2 as Kamikaze/trunk.

In practice this means that neither in Backfire nor in Kamikaze/trunk any special ip6tables rules are currently needed for basic IPv6 connectivity, if you have a "normal" tunnel config.

You only need rules for
- making sure that tunnel stays up (possibly an IPv4 iptables rule)
- possibly allowing incoming packets to port X to get forwarded for those ports you want to open. The correct 'chain' in ip6tables to add the rule seems to be 'forwarding_rule'.

I have thus removed most the rules from /etc/firewall.user and left only the rules explained in my message last Sunday.

However, I have left the old rules for information purposes to a new file /etc/old.firewall.user , which has no actual config meaning. These rules provide a complete basic ruleset, should anybody like to start from scratch with ip6tables.

Both Backfire and Kamikaze/trunk builds have been updated regarding this.


(And the reset button routine works nicely also in Backfire, as expected.)
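
The two rule types described in this post and in the earlier /etc/firewall.user description (dropping RH0 packets, opening port X in 'forwarding_rule'), written out as an added example that is not the author's firewall.user. The function names, the dry-run switch, the use of the built-in INPUT and FORWARD chains for the RH0 rule and the required destination address are assumptions of this example; the sample address is from the 2001:db8::/32 documentation range.

```shell
#!/bin/sh
# Added example (not from the thread): helpers for the two ip6tables rule
# types the posts describe, usable from a file such as /etc/firewall.user.

# Command used to apply a rule. Set IP6T=print_rule for a dry run that
# prints the commands instead of running them (assumption of this example).
IP6T="${IP6T:-ip6tables}"

print_rule() {
    printf 'ip6tables %s\n' "$*"
}

# Drop packets that carry a type 0 routing header (RH0, deprecated by
# RFC 5095). The rule is inserted at the head of the built-in INPUT and
# FORWARD chains; the thread does not say which chain the author used.
drop_rh0() {
    for chain in INPUT FORWARD; do
        $IP6T -I "$chain" -m rt --rt-type 0 -j DROP || return 1
    done
}

# Open one port towards one LAN host in the 'forwarding_rule' chain named
# in the post. IPv6 has no NAT here, so the rule is all that exposes the
# host; requiring a destination keeps the opening to that single address.
# usage: open_forward_port tcp|udp PORT DEST_ADDR
open_forward_port() {
    proto=$1
    port=$2
    dest=$3
    case "$proto" in
        tcp|udp) ;;
        *) echo "bad protocol: $proto" >&2; return 2 ;;
    esac
    case "$port" in
        ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 2 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 2
    fi
    if [ -z "$dest" ]; then
        echo "destination address required" >&2
        return 2
    fi
    $IP6T -A forwarding_rule -p "$proto" -d "$dest" --dport "$port" -j ACCEPT
}

# Stand-alone dry run: sh thisfile --dry-run
if [ "${1:-}" = "--dry-run" ]; then
    IP6T=print_rule
    drop_rh0
    open_forward_port tcp 22 2001:db8:1::10
fi
```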

@phongn - I have OpenWRT trunk up and running using a Comcast 6to4 tunnel.

To do this I,

Installed the radvd, ip6tables, and 6to4 packages with opkg.

Created a wan6 interface, set it to be 6to4, and assigned it to the wan firewall zone.
Had it advertise on the lan.
-- This can be done through Luci.

I enabled RADVD on the LAN interface. All defaults.
I enabled a RADVD prefix on the LAN interface. All defaults.
I enabled RDNSS on the LAN interface. All defaults.
-- This can also be done in Luci, and the defaults will pick up your wan6 settings.

I made sure to edit the /etc/config/network file and change the config option 'defaultroute' to '1' under the wan6 interface after I was done in Luci.

That was it. After I did all this, I had a public ipv6 address wan6, and global ipv6 addresses for everything on the lan in addition to their link local addresses.

I didn't have to enter any custom ipv4 or ipv6 firewall rules. The defaults seem to be fairly locked down, and I have no problems keeping the tunnel up 24/7. I did an ipv6tables --list before and after the suggested rules here and in other places, and the defaults seem to do the right thing. I also noticed that Luci shows things like "enabled for IPV4 and IPV6 families" on the echo/icmp rule, for instance.

Another note: I've seen a number of places saying to change the MTU to 1280 for tunnels. If I did that on either the wan6 interface or in RADVD, I could not use the Comcast tunnel. The default 1500 MTU seems to be the only thing that works.

Basker wrote:

@phongn - I have OpenWRT trunk up and running using a Comcast 6to4 tunnel.

I also have the OpenWRT 6to4 tunnel up! I was looking to experiment with 6RD and possibly DSLite (I am part of Comcast's IPv6 trials).

I have updated both Backfire and trunk versions to r25489.

No major changes during this week, but I noticed that you can disable the debug output functionality in wpad = hostapd, which can decrease the size of the hostapd application by over 200 kB (from 800 kB to 580 kB) and even the size of the compressed squashfs image by 100 kB.

This applies both to Trunk and Backfire, and both to wpad-mini and wpad-full:
Check the config files hostapd-full.config and wpa_supplicant-full.config in /package/hostapd/files/:
The option line about disabling debug output is commented out for some reason:
#CONFIG_NO_STDOUT_DEBUG=y

Uncommenting that line makes hostapd get built without part of the debug functionality, which is rather unnecessary for us basic users. I have so far disabled the debug from my Backfire image and didn't notice any side effects.

I just wonder, why this debug has been left as the default to hostapd/wpad packages.

(EDIT: additionally, I have built Backfire using Luci trunk, so that it includes the new status screen.)

(Last edited by hnyman on 13 Feb 2011, 00:03)

Good tip, thx :)

Hallo, I have a couple of questions:
  What do you need for basic IPv6 support? Only "kmod-ipv6" | 156 851 Bytes | Kernel modules for IPv6 support |?
  How can you disable IPv4 support?  (I guess only possible when you compile yourself)

  Where can I read about Dual-Stack-Operation?
  When I obtained an IPv6 /64-Block from my ISP, how can I test everything?
  What about privacy?

Orca wrote:

What do you need for basic IPv6 support? Only "kmod-ipv6" | 156 851 Bytes | Kernel modules for IPv6 support |?
  How can you disable IPv4 support?  (I guess only possible when you compile yourself)

  Where can I read about Dual-Stack-Operation?
  When I obtained an IPv6 /64-Block from my ISP, how can I test everything?

A few more packages are needed than just kmod-ipv6:
opkg install kmod-ipv6 radvd ip kmod-ip6tables ip6tables 6in4

And as most ISPs do not offer IPv6 services yet, you need a tunnel from a provider. Hurricane Electric (HE) and SixXS offer free tunnels.
http://tunnelbroker.net/
http://www.sixxs.net/main/

I just followed the guidelines in Wiki...
...both here and SixXS, from where I have the IPv6 6in4 tunnel. I had used the same tunnel with my D-Link DIR-615C1, which offered tunnel support, so I had the basics already.

As the steps were not that clear and so well documented, I wrote guidelines how to do it. The story has links to the relevant Wiki articles, and I have improved some of the Wiki articles myself:
https://forum.openwrt.org/viewtopic.php?id=27541

hnyman wrote:
Orca wrote:

What do you need for basic IPv6 support? Only "kmod-ipv6" | 156 851 Bytes | Kernel modules for IPv6 support |?
  How can you disable IPv4 support?  (I guess only possible when you compile yourself)
  Where can I read about Dual-Stack-Operation?
  When I obtained an IPv6 /64-Block from my ISP, how can I test everything?

A few more packages are needed than just kmod-ipv6:
opkg install kmod-ipv6 radvd ip kmod-ip6tables ip6tables 6in4

And as most ISPs do not offer IPv6 services yet, you need a tunnel from a provider. Hurricane Electric (HE) and SixXS offer free tunnels.

But let's say, I do not need any tunnel or whatsoever. I want to use dual-stack or even IPv6-single stack ;-) kmod-ipv6 should suffice? Also, as long as I do not want to configure routes, I shouldn't need "ip".



hnyman wrote:

As the steps were not that clear and so well documented, I wrote guidelines how to do it. The story has links to the relevant Wiki articles, and I have improved some of the Wiki articles myself:
https://forum.openwrt.org/viewtopic.php?id=27541

Yes, Thank You!

I recommend getting a sixxs tunnel. If you are running trunk, all that's needed is configuring the aiccu client and optionally radvd.