How to install OpenWrt backfire in a comtrend HG356+ (11-23-2011) v.02
Here you have 2 easy ways of closing these ports to the Internet:
1) Just create firewall rules blocking connections from wan to ports 22 and 80...
2) Or force the ssh and http servers to listen only on the LAN, like this:
a) ssh, 22: edit /etc/config/dropbear and change the line to:
option Port '192.168.xxx.xxx:22'
where 192.168.xxx.xxx is the LAN IP and 22 is the port. ("option Interface" is
not working for me on my router.)
b) http, luci, 80: edit /etc/config/uhttpd and change the line to:
list listen_http 192.168.xxx.xxx:80
where 192.168.xxx.xxx is the LAN IP and 80 is the port.
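As an added check for method 2 (this script is not part of the original how-to), the following shell code scans the UCI text of /etc/config/dropbear and /etc/config/uhttpd and reports every listener that is not bound to the LAN address; a wildcard (0.0.0.0, [::]) or a bare port number still listens on the WAN side. The sample configs and the LAN IP 192.168.1.1 are constructed for the example.

```shell
#!/bin/sh
# Added example: audit the bind addresses of dropbear and uhttpd in UCI config text.
# On the router you would run:  audit_listeners 192.168.x.x "$(cat /etc/config/uhttpd)"

# Constructed sample configs; the LAN address 192.168.1.1 is an assumption.
SAMPLE_DROPBEAR="config dropbear
    option PasswordAuth 'on'
    option Port '192.168.1.1:22'"

SAMPLE_UHTTPD="config uhttpd 'main'
    list listen_http '0.0.0.0:80'
    list listen_https '[::]:443'"

# audit_listeners LAN_IP CONFIG_TEXT
# Extracts the value of 'option Port' (dropbear) and 'list listen_http(s)' (uhttpd),
# with or without quotes, and prints "EXPOSED <bind>" for each one not bound to LAN_IP.
audit_listeners() {
  lan=$1
  printf '%s\n' "$2" |
    sed -n -e "s/^[[:space:]]*option[[:space:]]\{1,\}Port[[:space:]]\{1,\}'\{0,1\}\([^']*\)'\{0,1\}.*/\1/p" \
           -e "s/^[[:space:]]*list[[:space:]]\{1,\}listen_https\{0,1\}[[:space:]]\{1,\}'\{0,1\}\([^']*\)'\{0,1\}.*/\1/p" |
    while IFS= read -r bind; do
      case "$bind" in
        "$lan":[0-9]*) ;;                       # bound to the LAN address only: closed to WAN
        *) printf 'EXPOSED %s\n' "$bind" ;;   # wildcard, another address, or a bare port
      esac
    done
}

# count_exposed LAN_IP CONFIG_TEXT -> number of exposed listeners (0 means all are LAN-only)
count_exposed() { audit_listeners "$1" "$2" | wc -l | tr -d ' '; }

count_exposed 192.168.1.1 "$SAMPLE_DROPBEAR"   # 0
count_exposed 192.168.1.1 "$SAMPLE_UHTTPD"     # 2
```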
FEATURES:
System: bcm63xx/96348GW-11
CPU: 254,97 BogoMIPS
Memory: 13,4 Mb
1.- Installing OpenWRT 10.03 BackFire
I RECOMMEND USING BETA FIRMWARE!!!
You can flash the firmware from the web interface with the binary image:
STABLE openwrt-96348GW-11-squashfs-bc300-cfe.bin, which you can get at:
http://downloads.openwrt.org/backfire/10.03/brcm63xx/openwrt-96348GW-11-squashfs-bc300-cfe.bin
If you get an error when flashing, you can use this beta firmware:
http://downloads.openwrt.org/backfire/10.03-beta/brcm63xx/openwrt-96348GW-11-squashfs-bc300-cfe.bin
Later you can downgrade to the stable version if you want.
2.- Installing an external antenna
You can replace the fixed antenna with a connector, for example an RP-SMA.
You will need a small U.FL to RP-SMA pigtail like this one:
http://www.ciudadwireless.com/pigtail_rp-sma_bulkhead_-cuerpo_hembra_macho--p-614.html
which you can easily find in many routers.
3a.- Installing a USB port (Hardware)
Hardware you need:
1 x LM7805 (voltage regulator)
1 x Ceramic capacitor 0,33uF 20V
1 x Ceramic capacitor 0,1uF 5V
1 x Ceramic capacitor 100uF 25V
3 x Resistor 15K, 0,25W
1 x USB female connector
Connection diagram:
3b.- Installing a USB port (Software)
The packages you need to use the USB port with an external hard disk or pen drive (mass storage) are:
kmod-nls-base - 2.6.32.10-1
kmod-scsi-core - 2.6.32.10-1
kmod-scsi-generic - 2.6.32.10-1
kmod-usb-core - 2.6.32.10-1
kmod-usb-ohci - 2.6.32.10-1
kmod-usb-storage - 2.6.32.10-1
If you want to use FAT:
kmod-nls-cp437 - 2.6.32.10-1
kmod-nls-iso8859-1 - 2.6.32.10-1
If you want to use EXT4:
kmod-fs-mbcache - 2.6.32.10-1
kmod-crc16 - 2.6.32.10-1
kmod-fs-ext4 - 2.6.32.10-1
You can create a script to mount the external device in /etc/init.d/, and a soft link to it in /etc/rc.d/ so it runs at boot:
root@OpenWrt:~# cat /etc/init.d/disk
#!/bin/sh
# mount the ext4 partition of the USB disk; /overlay/disk must already exist
mount -t ext4 /dev/sda1 /overlay/disk
root@OpenWrt:~# ls -la /etc/rc.d/S49disk
lrwxrwxrwx 1 root root 16 Mar 31 05:46 /etc/rc.d/S49disk -> /etc/init.d/disk
We have just seen how to install the basic hardware and software for the router.
Now we are going to configure Backfire to use the Comtrend as a neutral router: the Internet connection will come from a modem, and the router will share it with a wireless WLAN (WPA2/CCMP) and a wired LAN. Besides, we will set up a bridge between LAN and WLAN, and the router will work as a firewall too.
Most of the information I needed for this setup I found at:
seguridadwireless
Network diagram:
Setup for the LAN and wireless network, and the firewall:
---- /etc/config/network:
config 'interface' 'loopback'
    option 'ifname' 'lo'
    option 'proto' 'static'
    option 'ipaddr' '127.0.0.1'
    option 'netmask' '255.0.0.0'

config 'switch' 'eth1'
    option 'reset' '1'
    option 'enable_vlan' '1'

config 'switch_vlan'
    option 'device' 'eth1'
    option 'vlan' '1'
    option 'ports' '0 1 2 5t'

config 'switch_vlan'
    option 'device' 'eth1'
    option 'vlan' '2'
    option 'ports' '3 5t'

config 'interface' 'lan'
    option 'type' 'bridge'
    option 'ifname' 'eth1.1'
    option 'proto' 'static'
    option 'netmask' '255.255.255.0'
    option 'nat' '1'
    option 'ipaddr' '192.168.xx.1'
    option 'defaultroute' '0'
    option 'peerdns' '0'
    option 'dns' 'xx.xx.xx.xx'

config 'interface' 'wan'
    option 'ifname' 'eth1.2'
    option 'defaultroute' '0'
    option 'peerdns' '0'
    option 'proto' 'dhcp'
    option 'macaddr' 'xx:xx:xx:xx:xx:xx'

config 'interface' 'int'
    option 'ifname' 'eth0'
    option 'proto' 'dhcp'
Where I wrote "xx" you must write your own values.
Where I wrote "option 'macaddr' 'xx:xx:xx:xx:xx:xx'" you must write a MAC different from the real eth0 MAC, because of a strange bug.
---- /etc/config/wireless:
config 'wifi-device' 'radio0'
    option 'type' 'mac80211'
    option 'macaddr' 'xx:xx:xx:xx:xx:xx'
    option 'hwmode' '11g'
    option 'channel' 'xx'
    option 'disabled' '0'

config 'wifi-iface'
    option 'device' 'radio0'
    option 'network' 'lan'
    option 'mode' 'ap'
    option 'encryption' 'psk2'
    option 'ssid' 'ESSID'
    option 'key' 'superSECRETpassword'
In this case the MAC in "option 'macaddr' 'xx:xx:xx:xx:xx:xx'" is the real wlan0 MAC.
You should also choose your wireless channel in 'xx'.
You do NOT need to add anything to /etc/firewall.user. Here is an example with a few forwarding rules for an ed2k client and a torrent client:
---- /etc/config/firewall:
config 'defaults'
    option 'syn_flood' '1'
    option 'drop_invalid' '1'
    option 'input' 'REJECT'
    option 'output' 'REJECT'
    option 'forward' 'REJECT'

config 'zone'
    option 'name' 'lan'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'

config 'zone'
    option 'name' 'wan'
    option 'input' 'REJECT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'
    option 'masq' '1'
    option 'mtu_fix' '1'

config 'forwarding'
    option 'src' 'lan'
    option 'dest' 'wan'

config 'rule'
    option 'src' 'wan'
    option 'proto' 'udp'
    option 'dest_port' '68'
    option 'target' 'ACCEPT'

config 'rule'
    option 'src' 'wan'
    option 'proto' 'icmp'
    option 'icmp_type' 'echo-request'
    option 'target' 'ACCEPT'

config 'include'
    option 'path' '/etc/firewall.user'

config 'redirect'
    option 'src' 'wan'
    option '_name' 'edonkey'
    option 'proto' 'tcpudp'
    option 'src_dport' '4662'
    option 'dest_ip' '192.168.xx.xx'

config 'redirect'
    option 'src' 'wan'
    option '_name' 'qtorrent'
    option 'proto' 'tcpudp'
    option 'src_dport' '6881'
    option 'dest_ip' '192.168.xx.xx'

config 'rule'
    option 'target' 'ACCEPT'

config 'rule'
    option 'target' 'ACCEPT'
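As an added example (not from the original how-to), this shell script lints a UCI firewall config and flags rule or redirect sections that carry a target but no match criteria at all, such as the two bare 'config rule' sections at the end of the listing above, so they can be reviewed before the firewall is reloaded. The sample config is constructed, with 192.168.2.10 as an assumed LAN host.

```shell
#!/bin/sh
# Added example: find firewall rules/redirects with no match criteria in UCI text.
# On the router you would run:  lint_firewall "$(cat /etc/config/firewall)"

# Constructed sample: one complete rule, one complete redirect, one bare ACCEPT stub.
SAMPLE_FW="config 'zone'
    option 'name' 'wan'
    option 'input' 'REJECT'
config 'rule'
    option 'src' 'wan'
    option 'proto' 'udp'
    option 'dest_port' '68'
    option 'target' 'ACCEPT'
config 'redirect'
    option 'src' 'wan'
    option '_name' 'edonkey'
    option 'proto' 'tcpudp'
    option 'src_dport' '4662'
    option 'dest_ip' '192.168.2.10'
config 'rule'
    option 'target' 'ACCEPT'"

# lint_firewall CONFIG_TEXT
# Prints "<type> <section number> <target>" for every rule/redirect section that has
# none of: src, proto, src_dport, dest_port, src_ip, src_mac, icmp_type.
lint_firewall() {
  printf '%s\n' "$1" | awk -v q="'" '
    # report the section just finished if it is a rule/redirect with no match options
    function flush() {
      if ((type == "rule" || type == "redirect") && matches == 0)
        printf "%s %d %s\n", type, n, (target == "" ? "-" : target)
    }
    # "config <type> [<name>]": quotes around the type are optional in UCI
    $1 == "config" { flush(); type = $2; gsub(q, "", type); n++; matches = 0; target = ""; next }
    $1 == "option" {
      key = $2; gsub(q, "", key); val = $3; gsub(q, "", val)
      if (key ~ /^(src|proto|src_dport|dest_port|src_ip|src_mac|icmp_type)$/) matches++
      if (key == "target") target = val
    }
    END { flush() }'
}

# count_unmatched CONFIG_TEXT -> number of flagged sections (0 means none)
count_unmatched() { lint_firewall "$1" | wc -l | tr -d ' '; }

lint_firewall "$SAMPLE_FW"   # rule 4 ACCEPT
```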