Now that we have ripped out the stock guts out of our Linksys WRT54G and replaced them with a miniature, but mighty, Linux operating system, it's time to configure it to do some actual work. (Part 1 and part 2 cover installation and setting up secure administration of your chopped, dropped little blue box.)
Sharing a Broadband Connection
Remember, none of these settings are committed to NVRAM (define) until you enter the nvram commit command. As long as you do not write to NVRAM, you can safely test new commands, and reboot to a known good configuration if something goes wrong. When everything works right then you can commit.
Log in to the router via SSH (see Part 2 for how to set up SSH). This shows example settings for sharing a cable or DSL connection on a dynamically-assigned WAN IP:
# nvram set lan_proto=static
# nvram set lan_ipaddr=192.168.1.15
# nvram set lan_netmask=255.255.255.0
# nvram set wan_proto=dhcp
NAT (define) is enabled in the default WAN firewall, which is configured in /etc/S45firewall. So all you need to do is configure your LAN and WAN ports, plug everything in, and you're done.
If your Internet service provides you with a static IP, that's just as easy to configure as the LAN IP:
# nvram set wan_proto=static
# nvram set wan_ipaddr=220.127.116.11
# nvram set wan_netmask=255.255.255.0
# nvram set wan_gateway=18.104.22.168
# nvram set wan_dns=22.214.171.124
At this point you can either do nvram commit and reboot the router, or just restart the networking interfaces:
# ifup lan
# ifup wan
Local DHCP and DNS
As you recall from part 1, the recommended installation created a read-only squashfs partition and a writable jffs2 partition. The default configuration files are written to the squashfs partition and symlinked to jffs2. This means that editing the default configuration files requires that you first delete the symlink, then copy the file to the jffs2 partition:
# rm /etc/dnsmasq.conf
# cp /rom/etc/dnsmasq.conf /etc/dnsmasq.conf
Every host should have its own hostname configured locally. On most Linuxes, this is done in /etc/hostname:
On Red Hat, it's configured in /etc/sysconfig/network. Check your work by running the hostname command, and remember that hostname changes require a reboot.
This sample dnsmasq configuration contains a pool of addresses that are assigned to hosts as they join the LAN. In this example the lease time is set at 168 hours for addresses 192.168.1.100-192.168.1.150:
# filter what we send upstream
#openwrt needs dnsmasq to run as root
You don't need to explicitly set the default route, DNS server, and gateway, unless these are on other servers, because dnsmasq automatically uses the settings from the server it is installed on.
The domain-needed directive tells dnsmasq to not forward name queries. If it is not found in /etc/hosts or DHCP it returns a "not found" answer.
bogus-priv returns an "NXDOMAIN" answer to any queries that are not answered in /etc/hosts or DHCP.
filterwin2k blocks insane DNS queries from newer versions of Windows that serve no purpose but to cause trouble and woe.
The expand-hosts directive tells dnsmasq to automatically expand the hostnames, by combining the hostnames with the domain name.
dnsmasq by default reads /etc/hosts, so this is where you assign static IPs to any hosts that need them, like servers:
127.0.0.1 localhost 192.168.1.100 mail1 192.168.1.101 http1 192.168.1.102 http2You only need to configure /etc/hosts on the dnsmasq server, which is a lovely time-saver.
You may map IP address to hardware addresses in dnsmasq. First add this directive to /etc/dnsmasq.conf:
Then create or edit the file /etc/ethers. This file contains the hardware address of each host mapped to its MAC address:
# fred's super-duper engineering workstation
# big ole Samba fileserver
Naturally, you must replace the Xes with your actual MAC addresses, which are found with the ifconfig command:
eth0 Link encap:Ethernet HWaddr 00:0B:6A:EF:7E:8D
And just like on a grownup Linux, whenever you make changes to a service, it must be restarted:
# /etc/init.d/S50dnsmasq restart
nvram show displays your current settings.
nvram set [foo] sets a new variable
nvram unset [foo] deletes a variable
nvram commit writes all newly-entered commands to NVRAM
Despite all the dire warnings in previous installments, you can usually get out of trouble. If you cannot get into the router at all, try resetting it to failsafe mode. This only works if you have the read-only squashfs partition. To get into failsafe, unplug then plug in the router, wait for the DMZ led to light, then press and hold the reset button for two seconds. If it worked, it will flash three times per second. The network settings will revert to the defaults, so you'll access it at 192.168.1.1.
If you want to restore the default filesystem on the jffs2 partition, erasing all changes you have made, run the firstboot command.
If you've been making a lot of changes using the nvram command and gotten hopelessly borked, wipe it all out and start with a clean slate by running these commands:
# mtd erase nvram
As long as you followed the instructions for the "difficult but safe" installation in Part 2, and have boot_wait=on set, you can always recover by re-flashing new firmware.
- Be sure to visit the the OpenWRT home page for the latest news, releases, and important information.
- OpenWRT's NVRAM commands
- See this page OpenWRT Packages to see package lists and how to connect to package repositories.
- If you lost your Linksys manual, visit Linksys.com.
- Linksysinfo.org. Lots of great information, including autopsy reports.
- Seattle Wireless, a great resources for wireless users