I win over the Linksys - Artur Bergman
[Apr. 10th, 2007|05:46 pm]

So, we have a number of public IPs, 8 of them in fact, but they are still on a /24. Internally we have a network that is simply switched into the ADSL port, and all machines in it have public IPs (printers, AirPort base stations and so on have private IPs, and the machines that need to reach them are multihomed).

I wanted a way to see our outbound and inbound network streams, so I started looking around for a smart switch that could give me that data over SNMP (I wasn't at all hoping for NetFlow). I couldn't find one for less than a few hundred bucks, which didn't seem worth it; however, I recalled that Brian Aker (krow) had raved about DD-WRT on the Linksys WRT54GL, and since I already had one on the public net I figured I might try. It wasn't possible from the UI, but with some Linux work and a few hours I could get it to do so. I do agree it would be nice to get this kind of flexibility on something with more than 5 switch ports.

I bridged one switch port with the WAN port, routed the bridge through the CPU, enabled rflow (NetFlow export) and did the shenanigans below to make it work.


# switch port numbering on this unit:
# 0 = port 4
# 1 = port 3
# 2 = port 2
# 3 = port 1
# 4 = WAN port
# 5 = CPU port (* means it is sending all traffic there, I think)
# this configures the switch so that tagged frames for each VLAN reach the CPU;
# switch port 1 (3 here) is taken out of vlan0 and given its own VLAN
nvram set vlan0ports='0 1 2 5*'
nvram set vlan1ports='4 5'
# note the * is needed here because the CPU needs to see the traffic (I think)
nvram set vlan2ports='3 5*'

# vlan1 maps to the WAN port
# vlan2 maps to switch port 1

# set the startup script
nvram set rc_startup='
#!/bin/ash
# the public IP has to come off the WAN VLAN; it moves onto the bridge below
ip addr del 69.12.246.231/24 dev vlan1

# create a new bridge and put vlan1 and vlan2 on it
brctl addbr public
brctl addif public vlan1
brctl addif public vlan2

# add the public address to the bridge
ip addr add 69.12.246.231/24 dev public
# in our case there is also an AirPort Express management network I want to route
ip addr add 10.250.250.1/24 dev public

# bring the interfaces up
ip link set vlan2 up
ip link set vlan2 multicast on
ip link set public up
# tell the machine about our default gateway
# this is for the NATed hosts on vlan0 and wifi (bridged together as br0)
ip route add default via 69.12.246.1
'

nvram set rc_firewall='
#!/bin/ash

# delete the standard DD-WRT NAT rule; it is normally the first POSTROUTING
# rule, but confirm the number before relying on it:
#   iptables -t nat -L POSTROUTING -n -v --line-numbers
iptables -t nat -D POSTROUTING 1
# NAT only the private source ranges, whichever interface they leave on;
# hosts on the public bridge keep their own addresses and are not rewritten.
# in our case 192.168.1.0/24 is the open wifi
# and 10.250.250.0/24 is the AirPort management network
iptables -t nat -I POSTROUTING 1 -s 192.168.1.0/24 -j SNAT --to-source 69.12.246.231
iptables -t nat -I POSTROUTING 1 -s 10.250.250.0/24 -j SNAT --to-source 69.12.246.231
# the stock DD-WRT INPUT/FORWARD rules name vlan1 as the WAN interface; inbound
# packets now arrive on the bridge (public), so check with iptables -L -n -v
# that the router itself is still filtered the way you expect
'

# write the settings to flash; the vlan*ports changes take effect on reboot
nvram commit

And now it works: all traffic passes through the box and the CPU (no load problems that I can see), which means the rflow collector works and reports on all our network traffic leaving the building (or transiting between the machines). Since it turns out the Linksys is a smart switch plus a CPU, you can get the monitoring I wanted from a $50 device instead of a $500 one! (Thanks again for the inspiration, krow)
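A vlanXports layout is worth checking mechanically before it is committed, because a switch port left in two VLANs at once puts a private LAN host straight onto the public bridge, and a VLAN without the CPU port has no vlanN interface for the bridge or for rflow to see. The function below is an added example, not code from the post or from DD-WRT: a POSIX sh check that parses nvram-style port strings, assuming the post's port map (0-3 = LAN ports, 4 = WAN, 5 = CPU), and flags ports claimed by more than one VLAN and VLANs that omit port 5. Its inputs are constructed inline, so it runs on any machine rather than only on the router.

```shell
#!/bin/sh
# Added example (not from the original post). Sanity-check a set of
# DD-WRT/Broadcom vlanXports strings before handing them to nvram set.
# Assumed port map, as in the post: 0..3 = LAN switch ports, 4 = WAN, 5 = CPU.
# A trailing '*' or 't' on a port number is accepted and ignored here.

# check_vlans "vlan0ports=0 1 2 5*" "vlan1ports=4 5" ...
# Prints one line per finding; returns 0 when the layout is clean, 1 otherwise.
check_vlans() {
    rc=0
    seen=""                      # physical ports already assigned to some VLAN
    for spec in "$@"; do
        name=${spec%%=*}
        ports=${spec#*=}
        has_cpu=0
        for p in $ports; do
            num=${p%\*}          # strip the default-VLAN marker
            num=${num%t}         # strip a tagged marker
            case "$num" in
                5) has_cpu=1; continue ;;
                [0-4]) ;;
                *) echo "$name: unknown port '$p'"; rc=1; continue ;;
            esac
            case " $seen " in
                *" $num "*)
                    echo "$name: switch port $num already belongs to another VLAN"
                    rc=1 ;;
            esac
            seen="$seen $num"
        done
        if [ "$has_cpu" -ne 1 ]; then
            echo "$name: CPU port 5 missing, the CPU never sees this VLAN"
            rc=1
        fi
    done
    return $rc
}

# The post's layout: LAN ports 4,3,2 stay on vlan0, the WAN on vlan1,
# and LAN port 1 (switch port 3) moves to vlan2 to be bridged with the WAN.
check_vlans "vlan0ports=0 1 2 5*" "vlan1ports=4 5" "vlan2ports=3 5*" \
    && echo "post layout: OK"

# A mistake the check catches (constructed): forgetting to take switch port 3
# out of vlan0 leaves it on the private LAN and the public bridge at once.
check_vlans "vlan0ports=0 1 2 3 5*" "vlan1ports=4 5" "vlan2ports=3 5*" \
    || echo "bad layout: rejected"
```

On the router the same function can be fed the live values, for example `check_vlans "vlan0ports=$(nvram get vlan0ports)" ...`, before an `nvram commit` and reboot make the layout permanent.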

Comments:
From: krow
2007-07-04 06:48 am (UTC)
I keep hoping they will decide to create a gigabyte product I can similarly hack :)

It would also be nice to see them add USB and upgrade the one 10Mb port to 100Mb.

In general, DD-WRT has inspired me to want to replace my HP SuperStack with something more flexible.
From: crucially
2007-07-05 08:49 am (UTC)
I agree, I really want something I can program freely.

At a previous job, I had these Linux machines with 12 gigabit Ethernet ports that were used for a lot of routing stuff. Pretty awesome, the kind of flexibility we got with them.
From: krow
2007-07-05 03:51 pm (UTC)
Do you know what sort of cards they were using?

I would prefer a single "appliance" that I could reprogram. Something that used as little electricity as possible (it is one reason I like the WRTG).

The real thing that I believe DD-WRT got right, was the interface. There are a few similar projects, but they haven't made their interfaces all that friendly to use.
From: crucially
2007-07-05 04:26 pm (UTC)
Tigon cards. No doubt the machines were rather power-hungry! But it illustrated the point to me that if I had Linux on a switch I could have a lot of flexibility. We also used the iptables stateful failover, so you could pretty much restart them at will.

If someone made a switch with linux on it that did this, even if it was a 100Mbit for now, I would go buy it.

The DD-WRT is sure better than any of the commercial or opensource alternatives for the home router market.