Edge Network Router - GL-MV1000W
Note: These instructions are superseded by the CLI I wrote to ease the configuration. I am retaining them so that the curious among you can see the details behind what the Lab CLI abstracts.
Prepare for Edge Network Router Configuration
The operating system running your router is OpenWRT. Find out more here: OpenWRT
- If you don’t have an SSH key pair configured on your workstation, create one now:

```bash
ssh-keygen -t rsa -b 4096 -N "" -f ${HOME}/.ssh/id_rsa
```
- Connect to your edge router. For the GL-MV1000W you can connect to the WiFi; the initial SSID and passphrase are on the back of the router. Otherwise, connect from your workstation with a network cable.
- Copy your SSH public key to the router for login:

```bash
cat ~/.ssh/id_rsa.pub | ssh root@192.168.8.1 "cat >> /etc/dropbear/authorized_keys"
```
- Create an environment script to help configure the router:

```bash
createEnvScript.sh -e
cat ${OKD_LAB_PATH}/work-dir/edge-router | ssh root@192.168.8.1 "cat >> /root/.profile"
rm -rf ${OKD_LAB_PATH}/work-dir
```
- Log into the router:

```bash
ssh root@192.168.8.1
```
- Set a root password:

```bash
passwd
```
- Create an SSH key pair:

```bash
mkdir -p /root/.ssh
dropbearkey -t rsa -s 4096 -f /root/.ssh/id_dropbear
```
- Disable password login:

```bash
uci set dropbear.@dropbear[0].PasswordAuth='off'
uci set dropbear.@dropbear[0].RootPasswordAuth='off'
uci commit dropbear
```
- Configure the IP address:

```bash
uci set network.lan.ipaddr="${ROUTER}"
uci set network.lan.netmask=${NETMASK}
uci set network.lan.hostname=router.${DOMAIN}
uci delete network.guest
uci delete network.wan6
uci commit network
```
- Configure DHCP:

```bash
uci set dhcp.lan.leasetime='5m'
uci set dhcp.lan.start='11'
uci set dhcp.lan.limit='19'
uci add_list dhcp.lan.dhcp_option="6,${ROUTER}"
uci delete dhcp.guest
uci commit dhcp
```
- Configure a wireless repeater to your home WiFi:

```bash
uci delete wireless.guest2g
uci delete wireless.sta2
uci set wireless.radio2.disabled='0'
uci set wireless.radio2.repeater='1'
uci set wireless.radio2.legacy_rates='0'
uci set wireless.radio2.htmode='HT20'
uci set wireless.sta=wifi-iface
uci set wireless.sta.device='radio2'
uci set wireless.sta.ifname='wlan2'
uci set wireless.sta.mode='sta'
uci set wireless.sta.disabled='0'
uci set wireless.sta.network='wwan'
uci set wireless.sta.wds='0'
uci set wireless.sta.ssid='Your-WiFi-SSID'   # Replace with your home WiFi router's SSID
uci set wireless.sta.encryption='psk2'       # Replace with your home WiFi router's encryption type
uci set wireless.sta.key='Your-WiFi-Key'     # Replace with your home WiFi router's key
uci commit wireless
```
- Create a network interface for the repeater:

```bash
uci set network.wwan=interface
uci set network.wwan.proto='dhcp'
uci set network.wwan.metric='20'
uci commit network
```
- Add the `wwan` network to the `wan` firewall zone. The loop walks the anonymous `firewall.@zone[N]` sections until it finds the one named `wan`, because its index is not fixed:

```bash
unset zone
let i=0
let j=1
while [[ ${j} -eq 1 ]]
do
  zone=$(uci get firewall.@zone[${i}].name)
  let rc=${?}
  if [[ ${rc} -ne 0 ]]
  then
    let j=2    # ran past the last zone section without a match
  elif [[ ${zone} == "wan" ]]
  then
    let j=0    # found the wan zone at index ${i}
  else
    let i=${i}+1
  fi
done
if [[ ${j} -eq 0 ]]
then
  uci add_list firewall.@zone[${i}].network='wwan'
  uci commit firewall
else
  echo "FIREWALL ZONE NOT FOUND, CONFIGURE MANUALLY WITH LUCI"
fi
```
- Configure a wireless network for your lab:

```bash
uci set wireless.default_radio0=wifi-iface
uci set wireless.default_radio0.device='radio0'
uci set wireless.default_radio0.ifname='wlan0'
uci set wireless.default_radio0.network='lan'
uci set wireless.default_radio0.mode='ap'
uci set wireless.default_radio0.disabled='0'
uci set wireless.default_radio0.ssid='OKD-LAB'
uci set wireless.default_radio0.key='WelcomeToMyLab'
uci set wireless.default_radio0.encryption='psk2'
uci set wireless.default_radio0.multi_ap='1'
uci set wireless.radio0.legacy_rates='0'
uci set wireless.radio0.htmode='HT20'
uci commit wireless
```
- Now restart the router:

```bash
reboot
```
DNS Configuration
Now, we will set up Bind to serve DNS. We will also disable the DNS functions of dnsmasq to let Bind do all the work.
- Connect your workstation to your new lab WiFi network, and log into the router:

```bash
EDGE_ROUTER=$(yq e ".router" ${LAB_CONFIG_FILE})
ssh root@${EDGE_ROUTER}
```
- Install some additional packages on your router:

```bash
opkg update && opkg install ip-full procps-ng-ps bind-server bind-tools
```
- Back up the default Bind config:

```bash
mv /etc/bind/named.conf /etc/bind/named.conf.orig
```
- Set some variables. `CIDR` is the prefix length of the LAN address, the netmask is rebuilt from it, and the network address is derived from `${ROUTER}` by masking each octet; `NET_PREFIX` (the first three octets) names the forward records and `NET_PREFIX_ARPA` (the same octets reversed) names the `in-addr.arpa` zone:

```bash
# Prefix length of the LAN address, e.g. 24. With "ip -br" the address is the
# third column, so it is selected with awk rather than "cut -f1" (which would
# return the interface name).
CIDR=$(ip -4 -br addr show dev br-lan | awk '{print $3}' | cut -d"/" -f2)
IFS=. read -r i1 i2 i3 i4 << EOF
${ROUTER}
EOF
# 32-bit netmask for the prefix length
net_addr=$(( ((1<<32)-1) & (((1<<32)-1) << (32 - ${CIDR})) ))
o1=$(( ${i1} & (${net_addr}>>24) ))
o2=$(( ${i2} & (${net_addr}>>16) ))
o3=$(( ${i3} & (${net_addr}>>8) ))
o4=$(( ${i4} & ${net_addr} ))
NET_PREFIX=${o1}.${o2}.${o3}
NET_PREFIX_ARPA=${o3}.${o2}.${o1}
```
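The prefix arithmetic above assumes a /24 lab network. The following is an added example (not code from the original page or the Lab CLI) that wraps the same computation in functions so it can be checked before the zone files are written, and generalises it to /8 and /16 as well as /24. The addresses used are constructed for the demonstration; no OpenWRT tooling is needed to run it.

```shell
#!/bin/sh
# Added example, not part of the original page: the prefix arithmetic from the
# variable block, as reusable functions. Runs with any POSIX shell.

# prefix_mask CIDR -> the netmask for a prefix length, as a 32-bit integer
prefix_mask() {
  echo $(( ((1<<32)-1) & (((1<<32)-1) << (32 - $1)) ))
}

# network_address ADDR CIDR -> dotted network address, e.g. 10.11.12.0
network_address() {
  mask=$(prefix_mask "$2")
  IFS=. read -r i1 i2 i3 i4 << EOF
$1
EOF
  echo "$(( i1 & (mask>>24) )).$(( i2 & (mask>>16) )).$(( i3 & (mask>>8) )).$(( i4 & mask ))"
}

# net_prefix ADDR CIDR -> the first three octets, as NET_PREFIX above (10.11.12)
net_prefix() {
  network_address "$1" "$2" | cut -d. -f1-3
}

# reverse_zone ADDR CIDR -> the in-addr.arpa zone name that covers the network.
# NET_PREFIX_ARPA above is the /24 case; /16 and /8 drop one or two labels.
# Prefix lengths that are not on an octet boundary would need RFC 2317
# delegation and are rejected here.
reverse_zone() {
  case "$2" in
    8)  n=1 ;;
    16) n=2 ;;
    24) n=3 ;;
    *)  echo "prefix /$2 is not on an octet boundary" >&2; return 1 ;;
  esac
  net=$(network_address "$1" "$2")
  IFS=. read -r o1 o2 o3 o4 << EOF
$net
EOF
  case "$n" in
    1) echo "${o1}.in-addr.arpa" ;;
    2) echo "${o2}.${o1}.in-addr.arpa" ;;
    3) echo "${o3}.${o2}.${o1}.in-addr.arpa" ;;
  esac
}

# in_network ADDR NETWORK_ADDR CIDR -> succeeds when ADDR lies inside the
# network; a cheap check that BASTION_HOST really belongs to the lab subnet
# before it is written into the zone file.
in_network() {
  [ "$(network_address "$1" "$3")" = "$(network_address "$2" "$3")" ]
}

# Example run with constructed lab values (not the page's real addresses)
ROUTER=10.11.12.1
CIDR=24
echo "NET_PREFIX=$(net_prefix "$ROUTER" "$CIDR")"
echo "reverse zone: $(reverse_zone "$ROUTER" "$CIDR")"
in_network 10.11.12.10 "$(network_address "$ROUTER" "$CIDR")" "$CIDR" && echo "10.11.12.10 is in the lab network"
```

`in_network` is the check worth keeping around: a bastion address outside the LAN prefix would still produce a syntactically valid zone that `named-checkconf` accepts, and only fail later when clients cannot reach it.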
- Create the Bind config file:

```bash
cat << EOF > /etc/bind/named.conf
acl "trusted" {
  ${NETWORK}/${CIDR};
  127.0.0.1;
};

options {
  listen-on port 53 { 127.0.0.1; ${ROUTER}; };
  directory "/data/var/named";
  dump-file "/data/var/named/data/cache_dump.db";
  statistics-file "/data/var/named/data/named_stats.txt";
  memstatistics-file "/data/var/named/data/named_mem_stats.txt";
  allow-query { trusted; };
  recursion yes;
  dnssec-validation yes;
  /* Path to ISC DLV key */
  bindkeys-file "/etc/bind/bind.keys";
  managed-keys-directory "/data/var/named/dynamic";
  pid-file "/var/run/named/named.pid";
  session-keyfile "/var/run/named/session.key";
};

logging {
  channel default_debug {
    file "data/named.run";
    severity dynamic;
  };
};

zone "${DOMAIN}" {
  type master;
  file "/etc/bind/db.${DOMAIN}"; # zone file path
};

zone "${NET_PREFIX_ARPA}.in-addr.arpa" {
  type master;
  file "/etc/bind/db.${NET_PREFIX_ARPA}";
};

zone "localhost" {
  type master;
  file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
  type master;
  file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
  type master;
  file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
  type master;
  file "/etc/bind/db.255";
};
EOF
```
-
- Create the forward lookup zone:

```bash
cat << EOF > /etc/bind/db.${DOMAIN}
@ IN SOA router.${DOMAIN}. admin.${DOMAIN}. (
    3         ; Serial
    604800    ; Refresh
    86400     ; Retry
    2419200   ; Expire
    604800 )  ; Negative Cache TTL
;
; name servers - NS records
    IN NS router.${DOMAIN}.
; name servers - A records
router.${DOMAIN}.   IN A ${ROUTER}
; ${NETWORK}/${CIDR} - A records
bastion.${DOMAIN}.  IN A ${BASTION_HOST}
nexus.${DOMAIN}.    IN A ${BASTION_HOST}
EOF
```

- Create the reverse lookup zone:

```bash
cat << EOF > /etc/bind/db.${NET_PREFIX_ARPA}
@ IN SOA router.${DOMAIN}. admin.${DOMAIN}. (
    3         ; Serial
    604800    ; Refresh
    86400     ; Retry
    2419200   ; Expire
    604800 )  ; Negative Cache TTL
; name servers - NS records
    IN NS router.${DOMAIN}.
; PTR Records
1   IN PTR router.${DOMAIN}.
10  IN PTR bastion.${DOMAIN}.
EOF
```
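The reverse zone above is typed by hand, so every new A record has to be mirrored as a PTR record in a second file. The following is an added example (not code from the original page or the Lab CLI) that derives the reverse zone from the forward zone's A records instead, keeping the two consistent. It assumes a /24 network and the same SOA values as the page's zone files; the forward zone it parses is constructed for the demonstration. Where several names share one address (as `bastion` and `nexus` do above) only the first A record becomes a PTR, matching the page's reverse zone.

```shell
#!/bin/sh
# Added example, not part of the original page: build the reverse zone from the
# forward zone so the PTR records cannot drift from the A records.

# ptr_records FORWARD_ZONE_FILE NET_PREFIX -> one "N IN PTR name" line per
# address inside NET_PREFIX (e.g. 10.11.12), first name wins, sorted by octet
ptr_records() {
  awk -v prefix="$2" '
    # only A records: "<owner> IN A <addr>"; comment lines start with ";"
    $1 !~ /^;/ && $2 == "IN" && $3 == "A" {
      n = split($4, o, ".")
      if (n == 4 && (o[1] "." o[2] "." o[3]) == prefix && !(o[4] in seen)) {
        seen[o[4]] = 1
        print o[4] " IN PTR " $1
      }
    }' "$1" | sort -n
}

# reverse_zone_file FORWARD_ZONE_FILE NET_PREFIX DOMAIN SERIAL -> zone text on stdout
reverse_zone_file() {
  cat << EOF
@ IN SOA router.${3}. admin.${3}. (
    ${4}         ; Serial
    604800    ; Refresh
    86400     ; Retry
    2419200   ; Expire
    604800 )  ; Negative Cache TTL
; name servers - NS records
    IN NS router.${3}.
; PTR Records
EOF
  ptr_records "$1" "$2"
}

# write_demo_zone PATH -> a constructed forward zone (addresses are made up)
write_demo_zone() {
  cat << EOF > "$1"
@ IN SOA router.my.lab. admin.my.lab. (
    3 ; Serial
    604800 ; Refresh
    86400 ; Retry
    2419200 ; Expire
    604800 ) ; Negative Cache TTL
; name servers - NS records
    IN NS router.my.lab.
; name servers - A records
router.my.lab.  IN A 10.11.12.1
; 10.11.12.0/24 - A records
bastion.my.lab. IN A 10.11.12.10
nexus.my.lab.   IN A 10.11.12.10
other.my.lab.   IN A 10.99.0.5
EOF
}

# Demonstration: generate the reverse zone for the constructed forward zone.
# On the router the call would be
#   reverse_zone_file /etc/bind/db.${DOMAIN} ${NET_PREFIX} ${DOMAIN} 3 > /etc/bind/db.${NET_PREFIX_ARPA}
DEMO_ZONE=$(mktemp)
write_demo_zone "${DEMO_ZONE}"
reverse_zone_file "${DEMO_ZONE}" 10.11.12 my.lab 3
rm -f "${DEMO_ZONE}"
```

Bump the serial argument whenever the forward zone changes; BIND only notices an updated zone file on reload, and secondaries (if you ever add one) only transfer when the serial increases.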
- Create the necessary files, and set permissions for the bind user:

```bash
mkdir -p /data/var/named/dynamic
mkdir /data/var/named/data
chown -R bind:bind /data/var/named
chown -R bind:bind /etc/bind
```
- When you have completed all of your configuration changes, you can test the configuration with the following command:

```bash
named-checkconf
```

If the output is clean, then you are ready to fire it up!
- First, tell `dnsmasq` not to handle DNS:

```bash
uci set dhcp.@dnsmasq[0].domain=${DOMAIN}
uci set dhcp.@dnsmasq[0].localuse=0
uci set dhcp.@dnsmasq[0].cachelocal=0
uci set dhcp.@dnsmasq[0].port=0
uci commit dhcp
/etc/init.d/dnsmasq restart
```
- Then, tell the router to use itself for DNS:

```bash
uci set network.wan.dns=${ROUTER}
uci commit network
```
- Finally, enable Bind and reboot the router:

```bash
/etc/init.d/named enable
/etc/init.d/named start
```
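Setting `port=0` leaves `dnsmasq` running for DHCP but hands port 53 to `named`; if the restart did not take, both daemons fight over the port and clients get whichever answers first. The following is an added example (not code from the original page or the Lab CLI) of a check for that condition: it reads `netstat -lnp` output and reports any port-53 listener that is not `named`. The two netstat samples are constructed for the demonstration and use the busybox column layout; on the router you would pipe the real output in with `netstat -lnp 2>/dev/null | check_dns_listeners`.

```shell
#!/bin/sh
# Added example, not part of the original page: verify that, after the cutover,
# named is the only program listening on port 53.

# check_dns_listeners reads netstat lines on stdin. Exit status:
#   0  every port-53 listener is named
#   1  another program (typically dnsmasq) still holds port 53 (listed on stderr)
#   2  nothing listens on port 53 at all (named is not running)
check_dns_listeners() {
  awk '
    # local address is field 4; a port-53 socket ends in ":53"
    $4 ~ /:53$/ {
      total++
      # program name follows the slash in the last field, e.g. 1234/dnsmasq
      split($NF, p, "/")
      if (p[2] != "named") {
        bad++
        print "port 53 held by " $NF " on " $4 > "/dev/stderr"
      }
    }
    END {
      if (total == 0) exit 2
      if (bad > 0) exit 1
      exit 0
    }'
}

# Constructed samples (busybox "netstat -lnp" layout; udp rows have no State column).
# Before the cutover dnsmasq still serves DNS; after it, only DHCP (port 67).
BEFORE_CUTOVER='udp        0      0 0.0.0.0:53              0.0.0.0:*                           1234/dnsmasq
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1234/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1234/dnsmasq'
AFTER_CUTOVER='udp        0      0 127.0.0.1:53            0.0.0.0:*                           2345/named
udp        0      0 10.11.12.1:53           0.0.0.0:*                           2345/named
tcp        0      0 10.11.12.1:53           0.0.0.0:*               LISTEN      2345/named
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1234/dnsmasq'

if printf '%s\n' "$BEFORE_CUTOVER" | check_dns_listeners; then
  echo "before cutover: unexpected pass"
else
  echo "before cutover: dnsmasq still owns port 53 (expected)"
fi
if printf '%s\n' "$AFTER_CUTOVER" | check_dns_listeners; then
  echo "after cutover: only named listens on port 53"
fi
```

The `listen-on` line in `named.conf` binds `named` to `127.0.0.1` and `${ROUTER}` only, so a clean result here also confirms that nothing is answering DNS on the `wwan` side.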