Wednesday, May 02, 2007

WIFI -- dd-wrt -- from Geeks in Paradise

Beef Up Your Wireless Router

Filed under: Open Source, Toys and tools

Sure you have one. Everyone nowadays has at least one wireless router at home, be it Linksys, NetGear, D-Link, or Buffalo. With new wireless products being released nearly every month, I am willing to bet that some of you even have a couple of the older wireless routers collecting dust in your closet. Well, it's time to take them out and put them to good use.

Check out the OpenWRT project. OpenWRT is a Linux distribution for embedded devices, and it brings a lot of exciting possibilities to your humble wireless router. Although still in its release candidate stage (currently at RC6), OpenWRT is very usable and feature-rich right out of the box. Be warned, you could void your manufacturer warranty by installing OpenWRT on your wireless routers.

So what can you do with an embedded Linux device running on limited RAM and very small storage? As it turns out, quite a lot actually. You can install asterisk, and have your personal, customizable PBX (private branch exchange). If you already have a SIP phone or some kind of VoIP phone interface (such as the Cisco ATA 186 adapter), you can have your very own VoIP system at home, all running out of your low power-consumption embedded hardware.

Put your router/firewall on steroids by installing packages like nmap (network security scanner), snort (intrusion detection), and tcpdump (packet sniffer). Together with iptables (which comes with the Linux kernel), you can turn your OpenWRT box into a powerful security tool. Install openvpn, and you have a very affordable VPN device. And if it strikes your fancy, you can install quagga and turn your dusty little Linksys into an OSPF and BGP-capable router.

Want to provide your own wireless hotspot? No problem. Install chillispot, and you are ready to go. You can even install FreeRADIUS on the OpenWRT for the authentication back-end, and WPA (Wi-Fi Protected Access) for the added security.

You can turn it into an all-purpose office server by installing DHCP, cups (print server), lighttpd (web server), NTP (time server) and OpenSSH or dropbear (secure remote administration). If your router has a USB port, you can also turn it into a file server by hooking it up with a USB hard drive and installing NFS.

And don't forget that this is a wireless router. It has a wireless card, so take advantage of it! Install kismet on it, and you have a wireless sniffer. This can prove to be invaluable if you ever need to analyze the airwaves at a remote location, but don't want to leave your expensive laptop on-site. Drop in place a $50 OpenWRT box loaded with kismet instead.

Here is one way to use your old wireless router: In the past, I had set up a few cheap Linksys WRT54g boxes with OpenWRT and vtun, and dropped one at each of our remote locations. This gave me the ability to have layer 2 tunnels to each of the remote sites. I kept one in my house, and if I ever needed to troubleshoot a remote network problem, I just set up the tunnel between the two OpenWRT boxes, connected my laptop or testing equipment to the OpenWRT sitting on my desk, and it was like being on the remote physical network! This saved me a number of times, being able to perform packet capturing on the remote network, observing the network traffic in real-time, requesting and obtaining DHCP addresses... essentially, I could experience exactly what the remote user was experiencing, all from the comfort of my own home.

This is just the beginning of what embedded Linux can do for you. To find out more about what embedded Linux can do for your enterprise, check out Secure Linux Appliances in Your Enterprise. So dig up your old wireless router, check it against the hardware compatibility list, and see if your router is OpenWRT compatible, and open yourself up to a wrt of possibilities!

Josh Kuo
Co-Owner of q!Bang Solutions

Feb 1, 2007



Posted by Josh Kuo on February 1, 2007 03:34 PM

January 28, 2007

Secure Linux Appliances in Your Enterprise

Filed under: Open Source, Toys and tools

By now you've either seen them or read about them. Companies are selling all kinds of useful appliances based on embedded Linux. Some are for small tasks like wireless APs, mobile devices, or cell phones. Others are geared towards enterprise needs like load balancers, routers, NAS (network attached storage) and SANs (storage area networks). They all run some version of Linux or BSD. You know you have a couple of Linux geeks working for you in the IT department. Why aren't they coming up with some of these cool Linux appliances for your own company to use? The excellent Debian Router project by Vadim Berkgaut is the help that your Linux admins need to develop their very own Linux appliances.

At my company, q!Bang Solutions, we provide all types of IT solutions, but our strong suit is our solutions built upon Open Source software. Our employees have used the Debian Router Project (which we refer to as "DebRouter") to build numerous solutions, including firewalls, OSPF and BGP routers, DNS servers, and even VoIP servers. DebRouter is a cornerstone of our technology solutions.

What's great about DebRouter is that you get a fully functional Debian Linux installation. So you can add whatever software packages you want to extend the functionality of the DebRouter. This is implemented through the usual Debian package management utilities, which means that you can change a DebRouter's functionality on the fly and in the field after it's been deployed.

Another important feature of DebRouter is that it boots from a flash device like a compact flash card (via an IDE adapter) or a USB flash drive. So if there are any problems with changes you've made, a reboot takes you back to the previous known-good version of your running system. Does this mean that you lose changes you've made when power to the DebRouter goes out? No. DebRouter implements a "write to flash" function much like a hardware router or manageable switch. So you can install and configure new packages, test them out, and write your changes to the flash-based boot media if everything went well in testing. If your tests revealed there was a problem, then just reboot without writing the changes to flash and you will roll back to the same state of the filesystem that you had before your changes. This makes it extremely easy to test potentially unstable software and configuration changes. If things don't work, just reboot, and voila! Your working system is back within seconds.

This also means that the machines are harder for crackers to abuse if they succeed in infiltrating the DebRouter. If you discover that your DebRouter has been compromised, you can reboot and be rid of the cracker. Then you check for security updates from Debian, install them, write your changes, and you're back up and running. I can tell you from experience that eradicating a cracker's presence from a normal machine with hard drives whose data persists across reboots is not this easy!

The boot process of the DebRouter provides another nice benefit. DebRouter boots from flash media, creates a RAM disk, copies the flash media's filesystem to the RAM disk and then unmounts the flash media filesystem and runs from the RAM disk. RAM is fast, a lot faster than any hard drive. So now your filesystem I/O speed is absurdly fast. So if you install the Apache web server and put up some HTML and image files, you now have one of the fastest web servers available - without the hassle of a special configuration to load your pages into a ramdisk. It can also run web scripts (such as PHP, Perl, Python, Ruby, etc.) as fast as your normal hard drive based servers do.
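Because a reboot only restores whatever is stored on the flash media, the "write to flash" step is where a tampered file in RAM would become the new known-good state. The following is an added example, not part of the original post or of the Debian Router project: it compares the running RAM-disk root against the flash image before committing. The two directory arguments (a read-only mount of the flash image and the running root) and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not DebRouter code. The directories passed in are assumptions.

# Print "sha256  ./path" for every regular file under DIR, sorted by path.
make_manifest() {
    ( cd "$1" && find . -xdev -type f -print0 | sort -z | xargs -0 -r sha256sum )
}

# Compare two manifests; print ADDED/CHANGED/REMOVED lines, sorted.
diff_manifests() {
    awk '
        # sha256sum lines are 64 hex digits, two separator chars, then the path
        FILENAME == ARGV[1] { base[substr($0, 67)] = $1; next }
        { p = substr($0, 67); seen[p] = 1
          if (!(p in base))       print "ADDED " p
          else if (base[p] != $1) print "CHANGED " p }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | sort
}

# Report how the running RAM-disk root differs from the flash image.
# Returns 0 when identical, 1 when there is something to review.
audit_before_write() {
    flash_root=$1; ram_root=$2
    tmp=$(mktemp -d) || return 2
    make_manifest "$flash_root" > "$tmp/flash"
    make_manifest "$ram_root"   > "$tmp/ram"
    report=$(diff_manifests "$tmp/flash" "$tmp/ram")
    rm -rf "$tmp"
    if [ -z "$report" ]; then return 0; fi
    printf '%s\n' "$report"
    return 1
}

# Constructed sample trees standing in for the flash image and the RAM disk.
demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/flash/etc" "$d/flash/bin" "$d/ram/etc" "$d/ram/bin" "$d/ram/tmp"
    echo 'router ospf'      > "$d/flash/etc/ospfd.conf"
    echo 'router ospf'      > "$d/ram/etc/ospfd.conf"   # untouched config
    echo 'login v1'         > "$d/flash/bin/login"
    echo 'login v1 + extra' > "$d/ram/bin/login"        # modified since boot
    echo 'dropped'          > "$d/ram/tmp/.x"           # file not on flash
    rc=0
    audit_before_write "$d/flash" "$d/ram" || rc=$?
    rm -rf "$d"
    return $rc
}
```

Every package you installed on purpose will show up in the report too; what matters before writing to flash is any CHANGED or ADDED entry you cannot account for.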

What can you build with a DebRouter? Here are a few ideas to get you started:

  • Add the Quagga routing software package to make an OSPF/RIP/BGP router
  • Install the Apache web server with Perl/PHP/Python/etc scripting environments
  • Use the Asterisk software for a cheap VoIP server for a remote office
  • NAT/Firewall
  • Web content filtering via the Squid proxy package
  • Make a captive portal system for wireless networks in cafes or other public access areas
  • DNS server using the venerable and always popular BIND software
  • Create a network sniffer with the tcpdump utility which writes data to a remote NAS or other storage device
  • Combined with a NAS (Network Attached Storage) or an NFS server, a DebRouter can do most anything.

Since most enterprises will try to install all machines in racks, I checked a couple of online vendors to see how much it would cost to build a good 1RU DebRouter machine. I found that a 1RU machine far above the minimum specs can be had for $500, including shipping. This includes a 1RU case, motherboard with all essential functionality on board, a P4 2.8GHz CPU, 1GB ram, and a 512MB CF card and IDE-based CF reader.

So how about a $500 router that can do RIP/OSPF/BGP? Consider both the business and technology reasons that your company might want to use a DebRouter instead of a router from Cisco or one of the other routing big boys. The business side is easy. The hardware is cheap, even for a system with generous amounts of RAM and CPU. For the price of a typical router support contract, you can buy a couple of extra DebRouters to have sitting around as spares ready to jump into action if you have a hardware failure on your primary DebRouter. Every subsequent year of support contract that you don't need to buy is money that remains in your coffers, helping to fatten up your Christmas bonus next year. Of course, let's not forget that most router vendors charge extra for the advanced software like OSPF or BGP routing, or encryption software so that you can use the more secure SSH instead of the gaping security hole called Telnet to remotely connect to your router. DebRouter has all that (and so much more) for free!

On the technology side, with the screaming fast processors available today, a DebRouter can pretty well hold its own against most of the major router vendors' offerings. And it's the versatility of the DebRouter that will likely interest your techies. Did I mention that Linux does 802.1q VLANs? How about an OSPF router that does double duty as a slave DNS server? Or perhaps an edge router that also acts as a VPN concentrator with strong encryption for hundreds of tunnels?

So walk on down to IT and find those two Linux guys tucked away in their cubicles and let them loose on a Debian Router project. They should be glad to have an interesting project to work on instead of trying to recover emails that Marge from Accounting accidentally deleted the other day, and you just might get some nifty devices from them that save you some cash on your bottom line. Your Linux admins are welcome to reach out to me if they need some help or just want to share their ideas on a new use for a Debian Router.

In the future, I'll touch on embedded Linux in extremely cheap devices that are excellent for smaller tasks.
[My q!Bang Solutions co-owner Josh Kuo beat me to the punch. Read his article "Beef Up Your Wireless Router", here on the Geeks in Paradise blog.]

The ANCL gang has now done a couple of enterprise wireless shootouts and so far the obvious differences between the enterprise grade access points and consumer grade have mostly been in the realm of authentication, vlans, and tying those vlans to multiple SSIDs. So while performance is also a consideration, we did not have the facilities available to us to do performance testing at that time. So while enterprise wireless hasn't stood still, the open source world seems to be catching up quickly.

So imagine my surprise when a Jesuit Priest introduced me to DD-WRT, an open source project that shoves Linux onto a Linksys WRT-54G and enables a bushel full of enterprise features, like:

  • 802.1x authentication with peap/leap connectors
  • vlan support
  • multiple ssid support each with their own WEP/WPA key
  • nfs support to bring in additional software features that wouldn't fit onto flash
  • client bridge, client router, and AP
  • Advanced routing (BGP for gawd sakes!)
  • DNS Cache
  • VPN passthru or pptp vpn support

I should in all good conscience point out that not all Linksys WRT-54G's are supported... version 5.0 from is notorious in that it only has 1/2 the RAM of previous versions and it is supposedly impossible to shoehorn DD-WRT onto that version. This project has also forked many times with names like tofu, and HyperWRT where the authors have gone to other platforms (buffalo, etc) and one has gone onto a very popular embedded systems board from Soekris Engineering that has become the darling of the embedded Linux world.

Being a Linux geek, I just had to try this out. CompUSA just happened to have a couple older units left on the shelf and after much digging (with sales folks looking at me very oddly) I found a couple units to try out. Yup, not only does it work, it's also faster than the original firmware off my cable modem connection.

So if you're an SMB looking for enterprise features, maybe you might want to consider rolling your own AP by downloading DD-WRT or one of the forked versions.

Posted by Brian Chee on August 31, 2006 12:59 PM






Tiny computers

Filed under: Toys and tools

Just when I am starting to wonder how much smaller computers are going to get, I find outrageously small machines like Jack PC (made by ChipPC) and Space Cube.

Jack PC (3.4" X 3.4" X 1.5"):

Space Cube (2" X 2" X 2.2"):

Of course the CPU/memory/storage is going to be pretty limited on these little guys, but nothing embedded Linux can't do! :-) Unfortunately, it looks like Jack PC only runs WindowsCE.


posted by u2r2h at Wednesday, May 02, 2007