OpenWRT on Asus WL-500gP: Installation Guide

From Free Knowledge Base- The DUCK Project: information for everyone

Update note 8/9/2010: this guide is for the Asus WL-500g Premium version 1, which has the Broadcom 4704 (Broadcom 4318). Asus re-released the WL-500gP with a slower chip that is not yet supported.

Replace Firmware with Linux

1. Accessed the Asus router via a web browser from the PC and programmed the WAN IP address and network information.

2. Powered off the Asus router.

3. Downloaded openwrt-brcm-2.4-squashfs.trx and saved to my PC local disk.

4. Disabled all NICs on the PC except for the one connected to the Asus.

5. Held in the black "restore" button on the back of the router while powering it on. Waited until the power light (orange broken circle with a line at the top) stopped flashing.

6. Ran the ASUS "Firmware Restoration" utility. Selected the file "openwrt-brcm-2.4-squashfs.trx" and submitted. Waited until the status bar went across the screen, then watched the router reboot. Waited another five minutes for good measure.

Instructions for using Firmware Restoration:
  • Disable all but one network interface on your PC. This is necessary because the firmware restoration tool is not very intelligent in finding the correct interface to use for communicating with the router.
  • Configure Windows TCP/IP networking to have static IP address 192.168.1.10 as shown in this image.
  • Disconnect the power cable.
  • Press the reset button on the back of the router.
  • Keep pressing the reset button while inserting the power cable again.
  • Keep pressing the reset button until the power LED starts flashing every second.
  • Start the firmware restoration tool on your PC (You can find this tool on the CD or download it from the Asus website).
  • This tool should find the Asus router -> select it.
  • Select the correct firmware file you want to upload. Double check again if it's the correct one!
  • Press upload.

7. Using a web browser on the PC, accessed the router at 192.168.1.1 and set a root password.

8. Using SSH, accessed the router as 'root' with the new password and checked everything out (ifconfig output below):

br0       Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX  
          inet addr:192.168.XY.1  Bcast:192.168.XY.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:264 errors:0 dropped:0 overruns:0 frame:0
          TX packets:186 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:25278 (24.6 KiB)  TX bytes:46890 (45.7 KiB)

eth0      Link encap:Ethernet  HWaddr 00:18:F3:70:5D:E4  
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:260 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1783 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:30678 (29.9 KiB)  TX bytes:161902 (158.1 KiB)
          Interrupt:4 

eth2      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX  
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:3263
          TX packets:1696 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:107811 (105.2 KiB)
          Interrupt:2 Base address:0x2000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

vlan0     Link encap:Ethernet  HWaddr 00:18:F3:70:5D:E4  
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:264 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1781 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:26334 (25.7 KiB)  TX bytes:149714 (146.2 KiB)

vlan1     Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX  
          inet addr:XXX.XXX.XXX.XXX  Bcast:XXX.XXX.XXX.255  Mask:255.255.255.XXX
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)


Network Configuration

My desire is to have 3 interfaces: one WAN, one LAN, and one WiFi (a screened subnet architecture).

Here are some notes on vlans with OpenWRT:

  • hwname is always eth0, the switch itself.
  • always include port 5 because it is how the traffic is seen by the CPU (internal tagged port)

Configuration concept:

Port 0: WAN  - vlan1 - connect to router, public IP address
Port 1: LAN1 - vlan0 - connect to network switch, private LAN IP address
Port 2: LAN2 - vlan1
Port 3: LAN3 - vlan2
Port 4: LAN4 - vlan2
WiFi         - vlan2
  • It's a good idea when choosing a vlan layout to keep port 1 in vlan0. At least the WRT54GS v1.0 will not accept new firmware via TFTP if port 1 is in another VLAN.

1. Configure interfaces and vlans

nvram set vlan0hwname=et0
nvram set vlan0ports="1 5*"

nvram set vlan1hwname=et0
nvram set vlan1ports="0 2 5*"

nvram set vlan2hwname=et0
nvram set vlan2ports="3 4 5*"

nvram set wan_ifname=vlan1
nvram set wan_ifnames=vlan1
nvram set wan_ipaddr=PUBLIC.IP.ADDRESS
nvram set wan_netmask=255.255.255.248
nvram set wan_proto=static
nvram set wan_gateway=PUBLIC.IP.GATEWAY

nvram set lan_ifname=br0
nvram set lan_ifnames="vlan0"
nvram set lan_ipaddr=192.168.XX.1
nvram set lan_netmask=255.255.255.0
nvram set lan_proto=static

nvram set dmz_ifname=br1
nvram set dmz_ifnames="vlan2 eth2"
nvram set dmz_proto=static
nvram set dmz_ipaddr=192.168.XY.1
nvram set dmz_netmask=255.255.255.0

nvram set ifup_interfaces="lan wan wifi dmz"

echo `nvram get vlan0ports` > /proc/switch/eth0/vlan/0/ports
echo `nvram get vlan1ports` > /proc/switch/eth0/vlan/1/ports
echo `nvram get vlan2ports` > /proc/switch/eth0/vlan/2/ports

I'm going to write this to nvram.

nvram commit

Note that lan, wan, and wifi are reserved names meaningful to the firmware.

Now I'm switching the wire from port 1 to 4 and changing the PC IP to 192.168.XY.10.

SSH into the router 192.168.XY.1

nvram set lan_ipaddr=192.168.XX.1
nvram set lan_dns=DNS.SERVER.YOU.CHOOSE
nvram set wan_ipaddr=PUBLIC.IP.ADDRESS
/etc/init.d/S40network restart

I'm going to write this to nvram.

nvram commit
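Before committing a port layout like the one above, it is worth checking it against the two VLAN notes (tagged CPU port 5* in every VLAN, port 1 kept in vlan0 for TFTP recovery) and for ports that are missing or listed twice. The following is an added example, not part of the original guide or of OpenWrt; check_vlan_ports is a hypothetical helper that takes the vlan0ports, vlan1ports and vlan2ports strings.

```shell
# Added example, not part of the original guide: sanity-check a vlanNports
# layout for the WL-500gP switch before writing it with "nvram set". It checks
# the notes above: every VLAN carries the tagged CPU port "5*", each of ports
# 0-4 sits in exactly one VLAN, and port 1 stays in vlan0 (TFTP recovery).
# Hypothetical helper, POSIX sh. The body is a subshell so that "set -f"
# (needed so the literal "5*" is not glob-expanded) does not leak to the caller.
check_vlan_ports() (
  set -f
  seen=""
  idx=0
  for spec in "$1" "$2" "$3"; do      # vlan0ports vlan1ports vlan2ports
    cpu=0
    for p in $spec; do
      case "$p" in
        5\*) cpu=1 ;;
        [0-4])
          case " $seen " in
            *" $p "*) echo "port $p listed twice (vlan$idx)"; exit 1 ;;
          esac
          if [ "$p" = 1 ] && [ "$idx" != 0 ]; then
            echo "port 1 must stay in vlan0"; exit 1
          fi
          seen="$seen $p"
          ;;
        *) echo "bad token '$p' in vlan$idx"; exit 1 ;;
      esac
    done
    if [ "$cpu" != 1 ]; then
      echo "vlan$idx lacks the tagged CPU port 5*"; exit 1
    fi
    idx=$((idx + 1))
  done
  for p in 0 1 2 3 4; do
    case " $seen " in
      *" $p "*) ;;
      *) echo "port $p is in no VLAN"; exit 1 ;;
    esac
  done
  echo ok
)

check_vlan_ports "1 5*" "0 2 5*" "3 4 5*"   # the layout used in this guide
```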

2. Checking to see if all my RAM is enabled:

free
              total         used         free       shared      buffers
  Mem:        30516         8768        21748            0          872
 Swap:            0            0            0
Total:        30516         8768        21748

It is.

3. Configure the wireless interface

nvram set wl0_ssid="myhotspot"
nvram set wl0_mode="ap"        (skip, default)
nvram set wl0_closed=0         (set to 1 to hide the SSID)
nvram set wl0_radio=0          (disables the radio once you run 'wifi' afterwards)

defaults:

wl_radio_x=1
wl0_radio_x=1
wl0_radio_power_x=17
size: 11539 bytes (21229 left)
wl0_radioids=BCM2050
wl0_radio_time_x=00002359
wl0_radio_date_x=1111111
wl_radio_time_x=00002359
wl_radioids=
wl0_radio=0
wl_radio=1
wl_radio_date_x=1111111
wl_radio_power_x=17
wifi                           (command to apply changes)
nvram show                     (see the configuration)

4. Build a current package list; this step requires an Internet connection.

nvram set wan_ipaddr=10.21.204.250     (just until I am done configuring)
nvram set lan_ipaddr=192.168.XX.3      (just until I am done configuring)
nvram set lan_gateway=192.168.XX.1     (just until I am done configuring)
vi /etc/resolv.conf                    (add the line: nameserver 64.21.192.5)
/etc/init.d/S40network restart 

ipkg update                    (update package database)
ipkg list                      (view list of available packages)
ipkg status                    (view packages you have installed)

ipkg install kmod-usb2
insmod ehci-hcd
ipkg install kmod-usb-storage
insmod scsi_mod
insmod sd_mod
insmod usb-storage

reboot

dmesg|grep -i usb

ipkg install kmod-vfat
ipkg install kmod-ext2
ipkg install kmod-ext3

Using insmod is not necessary if you reboot.

insmod fat
insmod vfat
insmod ext2
insmod ext3
insmod jbd
ipkg install http://downloads.openwrt.org/backports/rc5/fdisk_2.12r-1_mipsel.ipk
mkdir -p /mnt
fdisk -l
mount /dev/scsi/host0/bus0/target0/lun0/part1 /mnt

These settings should be retained after a reboot. I have noticed that sometimes after a reboot the USB device does not show up.

Installing and using IPKG packages in mount point other than root

  • (I did not complete this procedure)
echo dest usb /mnt/disc0_1 >> /etc/ipkg.conf

Booting from the USB drive, with failover to the Flash

umount /dev/scsi/host0/bus0/target0/lun0/part1
fdisk /dev/scsi/host0/bus0/target0/lun0/part1
  • Press 'd' to delete 1, 2, 3, and 4
  • Press 'n' for new
  • Press 'w' for write
ipkg install http://downloads.openwrt.org/backports/rc5/e2fsprogs_1.38-1_mipsel.ipk
ln -s /proc/mounts /etc/mtab
mke2fs -j /dev/scsi/host0/bus0/target0/lun0/part1
mount -t ext3 /dev/scsi/host0/bus0/target0/lun0/part1 /mnt
mkdir /tmp/root
mount -o bind /rom /tmp/root
mount -o bind / /tmp/root
cp /tmp/root/* /mnt -a
umount /tmp/root
umount /mnt
rm /sbin/init

And replace it with this script:

#!/bin/sh
# change this to your boot partition
boot_dev="/dev/scsi/host0/bus0/target0/lun0/part1"

for module in usbcore ehci-hcd scsi_mod sd_mod usb-storage jbd ext3; do {
  insmod $module
}; done
# this may need to be higher if your disk is slow to initialize
sleep 4s
# mount the usb stick
mount "$boot_dev" /mnt
# if everything looks ok, do the pivot root
[ -x /mnt/sbin/init ] && {
  mount -o move /proc /mnt/proc && \
  pivot_root /mnt /mnt/mnt && {
    mount -o move /mnt/dev /dev
    mount -o move /mnt/tmp /tmp
    mount -o move /mnt/jffs2 /jffs2 2>&-
    mount -o move /mnt/sys /sys 2>&-
  }
}
# finally, run the real init (from USB hopefully).
exec /bin/busybox init

Make sure your new /sbin/init is executable:

chmod a+x /sbin/init

If it mounts correctly it will look like this:

root@OpenWrt:~# mount
/dev/root on /mnt/rom type squashfs (ro)
none on /dev type devfs (rw)
none on /proc type proc (rw)
none on /tmp type tmpfs (rw,nosuid,nodev)
/dev/mtdblock/4 on /mnt/jffs type jffs2 (rw)
/jffs on /mnt type mini_fo (rw)
none on /dev/pts type devpts (rw)
none on /proc/bus/usb type usbfs (rw)
/dev/scsi/host0/bus0/target0/lun0/part1 on /mnt/mnt/disc0_1 type ext3 (rw)
/dev/scsi/host0/bus0/target0/lun0/part1 on / type ext3 (rw)
  • Actually the disc0_1 line may not be correct. Unconfirmed if this is the result of a previous attempt to mount that is "stuck" in mtab.
  • If booted from the USB flash drive, then packages installed by ipkg will go on the USB drive anyway. If the system fails over and boots from the internal flash, that package will be absent.

If everything went alright, you will not have to change your root password, and when you execute 'ipkg list' you will see all of the packages from the database, which would otherwise have been absent. Use 'ipkg status' to show installed packages.

DNS and DHCP

The Asus WL-500gP has internal DHCP capabilities. Using the nvram option the router's own DHCP server can be enabled; however, to make the router answer DNS queries as a caching name server you should use dnsmasq instead.

Disable the router's DHCP server and enable DHCP assignment via dnsmasq. To use dnsmasq, simply edit the file /etc/dnsmasq.conf. I used dnsmasq.conf instead of nvram. I wiped the S60dnsmasq file and created my own. My init script for dnsmasq contains only the following line:

killall -9 dnsmasq ; dnsmasq -K -I vlan1

My /etc/dnsmasq.conf contains the following:

# filter what we send upstream
domain-needed
bogus-priv
filterwin2k
localise-queries

# allow /etc/hosts and dhcp lookups via *.lan
local=/lan/
domain=lan
expand-hosts
no-negcache
resolv-file=/etc/resolv.conf

# enable dhcp (start,end,netmask,leasetime)
dhcp-authoritative

# dhcp-range=[network-id,]<start-addr>,<end-addr>[[,<netmask>],<broadcast>][,<default lease time>]
dhcp-range=lan,192.168.XX.100,192.168.XX.150,255.255.255.0,24h
dhcp-range=wifi,192.168.XY.100,192.168.XY.105,255.255.255.0,2h

dhcp-leasefile=/var/dhcp.leases

# use /etc/ethers for static hosts; same format as --dhcp-host
# <hwaddr> <ipaddr>
read-ethers

# other useful options:
# default route(s): dhcp-option=3,192.168.1.1,192.168.1.2
#    dns server(s): dhcp-option=6,192.168.1.1,192.168.1.2
dhcp-option=6,64.21.192.5,64.21.192.6

Configuring dnsmasq to use different IP ranges for wired and wireless

The firewall is initialized by a startup script in /etc/init.d, which then calls the user configuration file /etc/firewall.user.

To better understand the firewall rules I will document notes about them in this section.

Starting with /etc/init.d/S35firewall


OpenVPN Installation and Configuration

First, install the package and then generate a static key file (/etc/openvpn/wlan.key in the commands below):

ipkg install openvpn
mkdir /etc/openvpn
openvpn --genkey --secret /etc/openvpn/wlan.key

Other guides advise installing openssl, lzo, and kmod-tun; however, I found them to already be installed. To allow OpenVPN connections from the WiFi to the LAN, rules need to be added to firewall.user.

iptables -t nat -A prerouting_rule -i br0 -p udp --dport 1194 -j ACCEPT
iptables -A input_rule -i br0 -p udp --dport 1194 -j ACCEPT

The tunneling module

insmod tun
echo "tun" >> /etc/modules

Now /etc/modules should look like this:

wl
tun

Create /etc/openvpn/wlan.conf

dev tap0
proto udp
port 1194
keepalive 10 120
;comp-lzo
status openvpn-status.log
secret /etc/openvpn/wlan.key
persist-key
persist-tun
verb 6
max-clients 10

note: I have tried "proto tcp-server" using tcp protocol. It is much slower than using udp. For some people udp won't work and therefore they have to use tcp.

Create /etc/openvpn/makebridge

#!/bin/sh
br="br0"
tap="tap0"
case "$1" in
  up)
    insmod tun
    for t in $tap; do
      openvpn --mktun --dev $t
    done
    for t in $tap; do
      brctl addif $br $t
    done
    for t in $tap; do
      ifconfig $t 0.0.0.0 promisc up
    done
  ;;
  down)
    for t in $tap; do
      ifconfig $t 0.0.0.0 down
    done
    for t in $tap; do
      brctl delif $br $t
    done
    for t in $tap; do
      openvpn --rmtun --dev $t
    done
    rmmod tun
  ;;
  *)
    echo "$0 {up|down}"
  ;;
esac

Create /etc/init.d/S65openvpn

#!/bin/sh
case "$1" in
  start)
    /etc/openvpn/makebridge up
    openvpn --daemon --config /etc/openvpn/wlan.conf
  ;;
  restart)
    $0 stop
    sleep 3
    $0 start
  ;;
  reload)
    killall -SIGHUP openvpn
  ;;
  stop)
    killall openvpn
    /etc/openvpn/makebridge down
  ;;
esac

Set execute permissions on the file:

chmod a+x /etc/init.d/S65openvpn

Start OpenVPN and check the interfaces.

Some modifications to the iptables firewall /etc/firewall.user

iptables -t nat -A prerouting_rule -i br1 -p udp --dport 1194 -j ACCEPT
iptables -A input_rule -i br1 -p udp --dport 1194 -j ACCEPT
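The two rules above (and their br0 variants in the OpenVPN section) only admit the tunnel to the router. For the screened subnet to mean anything, wifi hosts on br1 must also be unable to forward straight into br0, so that the VPN (tap0 is bridged into br0 by makebridge) is their only path to the LAN. The script below is an added example, not the page's own firewall.user; it assumes the firewall init script provides the user chains prerouting_rule and input_rule (used above) and forwarding_rule, and that it already accepts ESTABLISHED,RELATED return traffic.

```shell
# Added example, not the page's own firewall.user: generate the rules for the
# screened-subnet layout above (LAN on br0, wifi/DMZ on br1, WAN on vlan1).
# Wifi hosts may reach the router's OpenVPN port and the WAN, but not the LAN
# bridge directly. Assumed: the firewall init script defines prerouting_rule,
# input_rule and forwarding_rule and already accepts ESTABLISHED,RELATED.
LAN_BR="${LAN_BR:-br0}"
WIFI_BR="${WIFI_BR:-br1}"
WAN_IF="${WAN_IF:-vlan1}"
VPN_PORT="${VPN_PORT:-1194}"

# Print the rules rather than applying them, so they can be reviewed first.
screened_subnet_rules() {
  cat <<EOF
iptables -t nat -A prerouting_rule -i $WIFI_BR -p udp --dport $VPN_PORT -j ACCEPT
iptables -A input_rule -i $WIFI_BR -p udp --dport $VPN_PORT -j ACCEPT
iptables -A forwarding_rule -i $WIFI_BR -o $LAN_BR -j DROP
iptables -A forwarding_rule -i $WIFI_BR -o $WAN_IF -j ACCEPT
EOF
}

# Number of generated rules that would forward wifi traffic into the LAN
# bridge; the layout is only "screened" if this is zero.
wifi_to_lan_accepts() {
  screened_subnet_rules | grep -c -- "-i $WIFI_BR -o $LAN_BR -j ACCEPT" || true
}

# Apply for real only as root with iptables available; otherwise just print.
apply_rules() {
  if [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1; then
    screened_subnet_rules | sh -e
  else
    screened_subnet_rules
  fi
}

screened_subnet_rules   # print for review; call apply_rules on the router
```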

WPA Wireless Security

Enable WPA Wireless Security (as opposed to WEP)

  1. WiFi Protected Access (WPA) is the new security standard adopted by the WiFi Alliance consortium.
  2. nas is the proprietary binary tool that sets up dynamic encryption (WEP/WPA) on the wireless device.

To use WPA the NAS package must be installed.

ipkg install nas
nvram set wl0_auth_mode=""           (was wl0_auth_mode=open)
nvram set wl0_akm=psk                (was wl0_akm=none)
nvram set wl0_crypto=aes+tkip        (was wl0_crypto=tkip)
nvram set wl0_auth=0                 (was wl0_auth=0)
nvram set wl0_wpa_psk=yoursecretp    (was wl0_wpa_psk="")

(replace yoursecretp with a password of your choice; I used something with letters, numbers, and symbols)

nvram commit

Note: I chose to use PSK instead of PSK2 because PSK2 is not supported on my WinXP laptop OOB without updating something (probably wifi related driver).

The startup script for NAS has to be modified for our interface configuration. It defaults to br0, but with our setup our wifi is on br1.

vi /etc/init.d/S41wpa

Replace all references to br0 with br1. There should be two references.

Line 7: brctl show 2>&- | grep "${real_ifname}" >&- 2>&- && ifname=br1

line 86: [ "$ifname" = "br1" ] && exit

When the NAS service is running, 'ps ax' should show the process:

/usr/sbin/nas -P /var/run/nas.lan.pid -l br1 -H 34954 -i eth2 -A -m 4 -k yoursecretp -s icarus -w 6 -g 360