@MMcM
Last active August 29, 2015 13:57
Using DD-WRT to build a demo cluster firewall

Demo Firewall

Features

  • WiFi AP & NAT firewall. (192.168.10.x)
  • Radio initially off; front button (Cisco logo) turns on.
  • Isolated VLAN on Port 4. (192.168.11.x)
  • HAProxy load balancer. (192.168.10.2)
  • PXE on vlan2 netboots Ubuntu 12.04 LTS installer.
  • Linksys WRT54GS!

Setup

Base System

If you don't have a WRT54GS lying around, they are about $25 on eBay. It needs to be a hardware version between 1 and 3. I like v2 best because of the added LED. Some are sold with DD-WRT mega pre-installed. We'll need to replace that version, but at least that confirms that the unit works and saves initial load hassles.

I installed revision 13491 VINT std. Select the restore-defaults option to wipe NVRAM at the same time.

  • LAN IP: 192.168.10.1
  • Server name: DD-WRT
  • Username: fdb
  • Password: secret

Services > Services

SES / AOSS / EZ-SETUP / WPS Button

  • Use this button for turning off radio: Enable
  • Turn radio off at boot: Enable

Secure Shell

  • SSHd: Enable
  • SSH TCP Forwarding: Enable
  • Paste SSH key into Authorized Keys

Telnet

  • Telnet: Disable

Install Optware

Reference

Administration > Management

JFFS2 Support

  • JFFS2: Enable
  • Clear JFFS2: Enable

SSH in

mkdir -p /jffs/opt
mount -o bind /jffs/opt /opt

wget http://www.3iii.dk/linux/optware/optware-install-ddwrt.sh -O - | tr -d '\r' > /tmp/optware-install.sh
sh /tmp/optware-install.sh

ipkg-opt --tmp-dir /tmp install libuclibc++
ipkg-opt --tmp-dir /tmp install haproxy
ipkg-opt --tmp-dir /tmp install tftp-hpa -nodeps
rm -rf /opt/etc/xinetd.d 
mv /opt/sbin/in.tftpd /opt/sbin/tftpd
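
The install step above fetches the Optware installer over plain HTTP and runs it straight away. The following helpers are an added example, not part of the gist: they save the installer to a file, compare its SHA-256 against a digest you recorded from a copy you inspected, and run it only on a match. The installer's real digest is not published on this page, so the EXPECTED value is whatever you recorded yourself; the example assumes `sha256sum` is available (coreutils, or a BusyBox built with it).

```shell
# Added example (not from the gist): download the Optware installer to a file,
# verify its SHA-256 against a recorded value, and only then execute it.
# Assumes sha256sum is present (coreutils or a BusyBox built with it).

OPTWARE_URL="http://www.3iii.dk/linux/optware/optware-install-ddwrt.sh"

# sha256_of FILE -> prints the hex SHA-256 digest of FILE
sha256_of() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# verify_sha256 FILE EXPECTED -> returns 0 if the digest matches, 1 otherwise
verify_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# fetch_installer URL OUT -> downloads URL, strips CRs as the gist does, writes OUT
fetch_installer() {
    wget "$1" -O - | tr -d '\r' > "$2"
}

# run_verified_installer FILE EXPECTED -> runs FILE with sh only if its digest
# equals EXPECTED (a placeholder you must replace with the digest you recorded)
run_verified_installer() {
    if verify_sha256 "$1" "$2"; then
        sh "$1"
    else
        echo "checksum mismatch for $1; refusing to run" >&2
        return 1
    fi
}

# Typical use on the router (EXPECTED_SHA256 is a placeholder, not a real value):
#   fetch_installer "$OPTWARE_URL" /tmp/optware-install.sh
#   run_verified_installer /tmp/optware-install.sh "$EXPECTED_SHA256"
```

The point of separating fetch from execution is that the digest is checked on the bytes that will actually run, so a tampered or truncated download is rejected before `sh` ever sees it.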

The opt file system can be backed up at any time with:

ssh 192.168.10.1 tar cf - /opt >opt-backup.tar
gzip opt-backup.tar

and then restored

zcat opt-backup.tar.gz | ssh 192.168.10.1 'sh -c "cd / && tar xf -"'
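
The backup and restore one-liners above stream `tar` through `ssh` with no check that the archive is intact before it is unpacked over `/`. The functions below are an added example, not code from the gist: they wrap the same tar/gzip procedure, add an integrity check of the archive (gzip and tar must both read it cleanly) before any restore, and take the directory and target root as parameters so the logic can be exercised on an ordinary machine. ROUTER is assumed to be the router address used throughout the gist (192.168.10.1).

```shell
# Added example (not from the gist): back up a directory tree as a gzipped tar,
# verify the archive, and restore it under a chosen root. The remote_* helpers
# are the gist's ssh one-liners; ROUTER is assumed to be 192.168.10.1.

ROUTER="192.168.10.1"

# backup_tree DIR OUT.tar.gz -> archives DIR (stored relative to /) into OUT
backup_tree() {
    dir="$1"; out="$2"
    tar -C / -cf - "${dir#/}" | gzip > "$out"
}

# verify_archive ARCHIVE -> 0 if gzip and tar both read it cleanly, 1 otherwise
verify_archive() {
    gzip -t "$1" 2>/dev/null && tar -tzf "$1" > /dev/null 2>&1
}

# restore_tree ARCHIVE ROOT -> unpacks ARCHIVE under ROOT (use / on the router);
# refuses to touch ROOT if the archive fails verification
restore_tree() {
    verify_archive "$1" || return 1
    mkdir -p "$2"
    zcat "$1" | tar -C "$2" -xf -
}

# remote_backup OUT.tar.gz -> the gist's backup, run over ssh against ROUTER
remote_backup() {
    ssh "$ROUTER" tar cf - /opt | gzip > "$1"
}

# remote_restore ARCHIVE -> verify locally, then stream back to ROUTER and unpack at /
remote_restore() {
    verify_archive "$1" || return 1
    zcat "$1" | ssh "$ROUTER" 'sh -c "cd / && tar xf -"'
}
```

Verifying before `remote_restore` matters because the router unpacks straight into `/`; a corrupt archive discovered halfway through leaves `/opt` in a mixed state that the startup commands (`mount -o bind`, `haproxy`, `tftpd`) will then try to use.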

VLAN setup

Reference

Setup > VLANs

VLAN

  • VLAN 0 uncheck Port 4
  • VLAN 2 check Port 4

Apply Settings

Setup > Networking

Port Setup

  • Network Configuration vlan2: Unbridged
    • 192.168.11.1
    • 255.255.255.0

Apply Settings

DHCPD

  • Multiple DHCP Server
  • Add
    • DHCP 0 vlan2

Apply Settings

Additional DNSMasq Options

dhcp-boot=precise.kpxe,DD-WRT,192.168.11.1
address=/fdb.demo/192.168.10.2

Startup Commands

Administration > Commands

ifconfig vlan0:0 192.168.10.2 netmask 255.255.255.0 up
mount -o bind /jffs/opt /opt
tftpd -l -a 192.168.11.1 -s /opt/tftpboot -u root
haproxy -f /opt/etc/haproxy.cfg

Save Startup

iptables -t nat -I PREROUTING -p tcp -d 192.168.10.2 --dport 80 -j DNAT --to 192.168.10.1:8800
iptables -I FORWARD -i br0 -o vlan2 -j DROP

Save Firewall

(Comment out that last line to use the LAN to access the demo boxes during initial setup.)
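
The two firewall lines above do the security-relevant work of this build: the DNAT publishes the HAProxy frontend as 192.168.10.2:80, and the FORWARD DROP is what makes the vlan2 demo network "isolated" from the LAN bridge. As written, each `-I` adds another copy every time the script runs, and nothing confirms the isolation rule is still in place after a reboot or a firmware restore. The block below is an added example, not the gist's own firewall script: it applies the same two rules idempotently (checking with `-C` before inserting with `-I`) and provides a check that looks for the isolation rule in an `iptables-save` dump. Note that because the DROP is inserted at the head of FORWARD it also discards replies to connections that vlan2 hosts initiate toward LAN hosts, so the demo boxes reach the LAN side only through the router itself; that is consistent with the one-way isolation the gist describes. IPTABLES defaults to the real binary and is overridable for testing; the dump used in the test is constructed.

```shell
# Added example (not from the gist): apply the gist's two firewall rules
# idempotently and verify the LAN -> vlan2 isolation rule from an iptables-save
# dump. IPTABLES may be overridden (e.g. with a wrapper) for dry runs.

IPTABLES="${IPTABLES:-iptables}"

# add_rule_once TABLE CHAIN RULE... -> inserts RULE at the head of CHAIN only
# if an identical rule is not already present (iptables -C is the check)
add_rule_once() {
    table="$1"; chain="$2"; shift 2
    if ! "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        "$IPTABLES" -t "$table" -I "$chain" "$@"
    fi
}

# apply_demo_firewall -> the gist's rules: DNAT 192.168.10.2:80 to HAProxy on
# 192.168.10.1:8800, and drop anything the LAN bridge (br0) forwards into vlan2
apply_demo_firewall() {
    add_rule_once nat PREROUTING -p tcp -d 192.168.10.2 --dport 80 \
        -j DNAT --to 192.168.10.1:8800
    add_rule_once filter FORWARD -i br0 -o vlan2 -j DROP
}

# isolation_present DUMP_FILE -> 0 if the br0 -> vlan2 DROP rule appears in an
# iptables-save dump, 1 otherwise; run e.g. as
#   ssh 192.168.10.1 iptables-save > /tmp/rules && isolation_present /tmp/rules
isolation_present() {
    grep -q -- '-A FORWARD -i br0 -o vlan2 -j DROP' "$1"
}
```

`isolation_present` is deliberately a plain string match on the canonical `iptables-save` form, which is stable across DD-WRT builds; a cron entry or a post-boot hook that alerts when it returns non-zero catches the case where the firewall script was edited for setup (the commented-out line) and never restored.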

iPXE Setup

To create /opt/netboot/precise.kpxe, use ROM-o-matic.

  • Select UNDI only.
  • Upload precise.ipxe.
  • Download and scp over.

haproxy.cfg

global
    daemon
    maxconn 128

defaults
    mode http
    timeout connect 5s
    timeout client 1m
    timeout server 1m

listen fdb-demo
    bind *:8800
    server nuc-1 192.168.11.51:8000 check
    server nuc-2 192.168.11.52:8000 check
    server nuc-3 192.168.11.53:8000 check
    server nuc-4 192.168.11.54:8000 check
    server nuc-5 192.168.11.55:8000 check
    balance roundrobin

precise.ipxe

#!ipxe
:retry
ifconf || goto retry
echo Starting Precise installer
set dns 75.75.75.75
set base-url http://archive.ubuntu.com/ubuntu/dists/precise/main/installer-amd64/current/images/netboot/ubuntu-installer/amd64
kernel ${base-url}/linux
initrd ${base-url}/initrd.gz
boot ||
echo Boot from ${base-url} failed
prompt --key 0x197e --timeout 2000 Press F12 to investigate || exit
shell