How to install OpenWrt Backfire on a Comtrend HG356+ (11-23-2011) v.02





WARNING:

Warning 2.0!! With this setup ports 80 and 22 are wide open, to WAN and LAN!

Here you have 2 easy ways of closing ports to the Internet:

1) Just create firewall rules blocking connections from wan to port 22 and 80...

2) Or force ssh and http servers to listen only to the LAN like this:

a) ssh, 22: edit /etc/config/dropbear and change the line to:
option Port '192.168.xxx.xxx:22'
where 192.168.xxx.xxx is the LAN IP, and 22 is the port. ("Option Interface" is not working for me in my router).

b) http, luci, 80: edit /etc/config/uhttpd and change the line to:
list listen_http 192.168.xxx.xxx:80
where 192.168.xxx.xxx is the LAN IP, and 80 is the port.
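
A way to check option 2 after editing both files, as an added example that is not part of the original how-to: the script reads the dropbear Port and uhttpd listen_http values and reports whether each one is bound to the LAN address only. The function names, the sample configs and the LAN IP 192.168.1.1 are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original how-to): audit the listen addresses
# configured for dropbear (ssh) and uhttpd (LuCI).

# Print every value of one UCI option/list key in a config file, quotes stripped.
uci_values() {  # $1 = config file, $2 = key
    awk -v key="$2" -v q="['\"]" '
        $1 == "option" || $1 == "list" {
            k = $2; v = $3
            gsub(q, "", k); gsub(q, "", v)
            if (k == key) print v
        }' "$1"
}

# Classify one listen value against the LAN IP.
classify_listen() {  # $1 = value such as "22" or "192.168.1.1:22", $2 = LAN IP
    case "$1" in
        "$2":*)    echo "lan-only" ;;
        0.0.0.0:*) echo "all-interfaces" ;;
        *[!0-9]*)  echo "other-address" ;;
        *)         echo "all-interfaces" ;;   # bare port number
    esac
}

# Report each value of one key; return 1 if any is not bound to the LAN IP only.
check() {  # $1 = service label, $2 = config file, $3 = key, $4 = LAN IP
    bad=0
    for v in $(uci_values "$2" "$3"); do
        r=$(classify_listen "$v" "$4")
        echo "$1 $3 $v -> $r"
        [ "$r" = "lan-only" ] || bad=1
    done
    return $bad
}

audit() {  # $1 = dropbear config, $2 = uhttpd config, $3 = LAN IP
    rc=0
    check dropbear "$1" Port "$3" || rc=1
    check uhttpd "$2" listen_http "$3" || rc=1
    return $rc
}

# Constructed sample configs; 192.168.1.1 is a placeholder LAN IP.
demo() {
    d=$(mktemp -d)
    printf "config dropbear\n\toption Port '22'\n" > "$d/dropbear"
    printf "config uhttpd main\n\tlist listen_http 192.168.1.1:80\n" > "$d/uhttpd"
    audit "$d/dropbear" "$d/uhttpd" 192.168.1.1; rc=$?
    rm -rf "$d"; return $rc
}
demo || echo "at least one service is not bound to the LAN address only"
```

On the router, call audit with /etc/config/dropbear, /etc/config/uhttpd and your own LAN IP; a non-zero exit status means at least one service is not bound to the LAN address only.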

The End of Warning 2.0!!


Warning 1.0:

With this hack you can no longer use the Comtrend as an ADSL+ modem, but you can use it as a neutral router,
and you will get an open/free GNU/Linux system. These modifications will improve the range of the wireless connection. The USB modifications will give you many possibilities for the Comtrend: print server, extra storage space, p2p client, 3G...



FEATURES:

System:
bcm63xx/96348GW-11
CPU: 254,97 BogoMIPS
Memory: 13,4 Mb



1.- Installing OpenWRT 10.03 BackFire

I RECOMMEND USING BETA FIRMWARE!!!

You can flash the firmware from the web interface with the binary image.
STABLE: openwrt-96348GW-11-squashfs-bc300-cfe.bin, which you can get at:
http://downloads.openwrt.org/backfire/10.03/brcm63xx/openwrt-96348GW-11-squashfs-bc300-cfe.bin

If you get an error when flashing you can use this beta firmware:
http://downloads.openwrt.org/backfire/10.03-beta/brcm63xx/openwrt-96348GW-11-squashfs-bc300-cfe.bin
Later you can downgrade to the stable version if you want to.



2.- Installing an external antenna

You can replace the fixed antenna with a connector, for example RP-SMA.
You will need a small UFL to RP-SMA connector like this one:
http://www.ciudadwireless.com/pigtail_rp-sma_bulkhead_-cuerpo_hembra_macho--p-614.html
You can easily find one in many routers.



3a.- Installing an USB port (Hardware)

Hardware you need:

1 x LM7805 (power regulator)
1 x Ceramic capacitor 0,33uF 20V
1 x Ceramic capacitor 0,1uF 5V
1 x Ceramic capacitor 100uF 25V
3 x Resistor 15K, 0,25W
1 x USB female connector



Connection diagram:






3b.- Installing USB port (Software)

The packages you need for using the USB port with an external hard disk or pen drive (mass_storage) are:

kmod-nls-base - 2.6.32.10-1
kmod-scsi-core - 2.6.32.10-1
kmod-scsi-generic - 2.6.32.10-1
kmod-usb-core - 2.6.32.10-1
kmod-usb-ohci - 2.6.32.10-1
kmod-usb-storage - 2.6.32.10-1

If you want to use FAT:

kmod-nls-cp437 - 2.6.32.10-1
kmod-nls-iso8859-1 - 2.6.32.10-1

If you want to use EXT4:

kmod-fs-mbcache - 2.6.32.10-1
kmod-crc16 - 2.6.32.10-1
kmod-fs-ext4 - 2.6.32.10-1

You can create a script in /etc/init.d/ to mount the external device, and a soft link to it in /etc/rc.d/:

root@OpenWrt:~# cat /etc/init.d/disk
mount -t ext4 /dev/sda1 /overlay/disk

root@OpenWrt:~# ls -la /etc/rc.d/S49disk
lrwxrwxrwx 1 root root 16 Mar 31 05:46 /etc/rc.d/S49disk -> /etc/init.d/disk



We just saw how to install the basic hardware and software for the router.


Now we are going to configure Backfire to use the Comtrend as a neutral router: the Internet connection will come from a modem and will be shared with a wireless WLAN (WPA2/CCMP) and a wired LAN. Besides that, we will set up a bridge between LAN and WLAN, and the router will work as a firewall too.
I found most of the information needed for this setup at: seguridadwireless

Network diagram:


Setup for the lan and wireless network, and the firewall:

---- /etc/config/network :

config 'interface' 'loopback'
    option 'ifname' 'lo'
    option 'proto' 'static'
    option 'ipaddr' '127.0.0.1'
    option 'netmask' '255.0.0.0'

config 'switch' 'eth1'
    option 'reset' '1'
    option 'enable_vlan' '1'

config 'switch_vlan'
    option 'device' 'eth1'
    option 'vlan' '1'
    option 'ports' '0 1 2 5t'

config 'switch_vlan'
    option 'device' 'eth1'
    option 'vlan' '2'
    option 'ports' '3 5t'

config 'interface' 'lan'
    option 'type' 'bridge'
    option 'ifname' 'eth1.1'
    option 'proto' 'static'
    option 'netmask' '255.255.255.0'
    option 'nat' '1'
    option 'ipaddr' '192.168.xx.1'
    option 'defaultroute' '0'
    option 'peerdns' '0'
    option 'dns' 'xx.xx.xx.xx'

config 'interface' 'wan'
    option 'ifname' 'eth1.2'
    option 'defaultroute' '0'
    option 'peerdns' '0'
    option 'proto' 'dhcp'
    option 'macaddr' 'xx:xx:xx:xx:xx:xx'

config 'interface' 'int'
    option 'ifname' 'eth0'
    option 'proto' 'dhcp'
Where I wrote "xx" you must write your own values.
Where I wrote "option 'macaddr' 'xx:xx:xx:xx:xx:xx'" you must write a MAC different from the real ETH0 MAC, because of a strange bug.


---- /etc/config/wireless :

config 'wifi-device' 'radio0'
    option 'type' 'mac80211'
    option 'macaddr' 'xx:xx:xx:xx:xx:xx'
    option 'hwmode' '11g'
    option 'channel' 'xx'
    option 'disabled' '0'

config 'wifi-iface'
    option 'device' 'radio0'
    option 'network' 'lan'
    option 'mode' 'ap'
    option 'encryption' 'psk2'
    option 'ssid' 'ESSID'
    option 'key' 'superSECRETpassword'

In this case the MAC in "option 'macaddr' 'xx:xx:xx:xx:xx:xx'" is the real WLAN0 MAC.
You should choose your wireless channel too, in 'xx'.


You do NOT need to add anything in /etc/firewall.user. Here you have an example with a few forward rules for an ed2k client and a torrent client:

---- /etc/config/firewall:

config 'defaults'
    option 'syn_flood' '1'
    option 'drop_invalid' '1'
    option 'input' 'REJECT'
    option 'output' 'REJECT'
    option 'forward' 'REJECT'

config 'zone'
    option 'name' 'lan'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'

config 'zone'
    option 'name' 'wan'
    option 'input' 'REJECT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'
    option 'masq' '1'
    option 'mtu_fix' '1'

config 'forwarding'
    option 'src' 'lan'
    option 'dest' 'wan'

config 'rule'
    option 'src' 'wan'
    option 'proto' 'udp'
    option 'dest_port' '68'
    option 'target' 'ACCEPT'

config 'rule'
    option 'src' 'wan'
    option 'proto' 'icmp'
    option 'icmp_type' 'echo-request'
    option 'target' 'ACCEPT'

config 'include'
    option 'path' '/etc/firewall.user'

config 'redirect'
    option 'src' 'wan'
    option '_name' 'edonkey'
    option 'proto' 'tcpudp'
    option 'src_dport' '4662'
    option 'dest_ip' '192.168.xx.xx'

config 'redirect'
    option 'src' 'wan'
    option '_name' 'qtorrent'
    option 'proto' 'tcpudp'
    option 'src_dport' '6881'
    option 'dest_ip' '192.168.xx.xx'

config 'rule'
    option 'target' 'ACCEPT'

config 'rule'
    option 'target' 'ACCEPT'







Creative Commons License
How to comtrend, images text and web by okupaweb/goyo is licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported License.
Based on a work at free.okupaweb.com.