Réseau Libre/ documentation/ services/ Ajouter un service sur le Réseau / Adding a new services on the mesh
  1. Naming your device
    1. OpenWRT
    2. Linux
  2. Providing your own services
    1. Replace OpenWRT's firewall with an open NAT service
    2. DHCP configuration
    3. IPv6 configuration
    4. DNS services
    5. IPv6 DNS service
    6. Providing some services behind a firewall
      1. OpenBSD's pf implementation
    7. Advertising your services on the mesh
    8. Providing Internet access

Warning: a lot of this documentation needs to be reviewed and updated.

Naming your device

Assigning a name to your device is important because it allows you to label it and identify it physically.

You should use the name you have chosen when creating the nodes page here.

OpenWRT

Set a custom name, in case you encouter other peers :-)

uci set system.@system[0].hostname=meshmtl42

Linux

hostname meshmtl42
hostname > /etc/hostname

Providing your own services

Any service that will not disrupt other services should be allowed, although individual nodes may do some filtering to control quality of service.

Replace OpenWRT's firewall with an open NAT service

Make sure the custom firewall ruleset is loaded:

uci show | grep include

If not, add this:

uci add firewall include
uci set firewall.@include[0].path="/etc/firewall.user"

Then in /etc/firewall.user:

#! /bin/sh

# set saneunsafe but open defaults
iptables -P INPUT   ACCEPT
iptables -P OUTPUT  ACCEPT
# drop forward - only NAT'd packets allowed
iptables -P FORWARD DROP

# get rid of the openwrt firewall
iptables -X
iptables -F
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X
iptables -t nat -F
iptables -t nat -X

route_nat() {
  intif="$1"
  extif="$2"
  echo "configuring nat from $intif to $extif"
  iptables -A FORWARD -i $extif -o $intif -m state  --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -i $intif -o $extif -j ACCEPT
  iptables -t nat -A POSTROUTING -o $extif -j MASQUERADE
}

route_nat wlan0 br-lan

The above will clear all firewall rules, allowing all traffic through the node. It assumes you have another router doing some filtering downstream, if not you will need to customize that firewall according to your policy, below.

DHCP configuration

The following will enable DHCP on the wireless interface of the router (wlan0):

uci set dhcp.wlan0=dhcp
uci set dhcp.wlan0.interface=wlan0
uci set dhcp.wlan0.start=100
uci set dhcp.wlan0.limit=150
uci set dhcp.wlan0.leasetime=1h

Make sure the wireless interface has an IP assigned:

uci set network.wlan0.proto=static
uci set network.wlan0.ipaddr="192.168.4.1"
uci set network.wlan0.netmask="255.255.255.0"

and don't forget to commit the results:

uci commit

IPv6 configuration

The following will enable IPv6 router advertisement on the wireless router (wlan0):

uci add radvd prefix
uci set radvd.@prefix[1]=prefix
uci set radvd.@prefix[1].interface=wlan0
uci set radvd.@prefix[1].AdvOnLink=1
uci set radvd.@prefix[1].AdvAutonomous=1
uci set radvd.@prefix[1].ignore=0
uci set radvd.@prefix[1].prefix="fd64:2c08:9fa7:2::/64"
uci set radvd.@prefix[1].AdvRouterAddr=1
uci add radvd interface
uci set radvd.@interface[1]=interface
uci set radvd.@interface[1].interface=wlan0
uci set radvd.@interface[1].AdvSendAdvert=1
uci set radvd.@interface[1].AdvManagedFlag=0
uci set radvd.@interface[1].AdvOtherConfigFlag=0
uci set radvd.@interface[1].ignore=0

Make sure you have configured an IP on wlan0, using the ip configuration rules. For example:

uci set network.wlan0.ip6addr="fd64:2c08:9fa7:2::1/64"
uci commit

DNS services

By default, OpenWRT provides a DNS server through DNSmasq, however it relies on an upstream DNS server. To provide a "real" DNS server, you can try MaraDNS or the bind-server package.

However, there may yet be DNS servers on the mesh, which your router can use. Let's assume that 172.16.0.1 is a DNS server, then the following should enable your router to be a DNS cache:

rm /etc/resolv.conf
echo 'nameserver 172.16.0.1' > /etc/resolv.conf
uci set dhcp.@dnsmasq[0].resolvfile=/etc/resolv.conf
uci set dhcp.@dnsmasq[0].domain=reseaulibre.ca
uci set dhcp.@dnsmasq[0].local=/reseaulibre.ca/
uci commit
/etc/init.d/dnsmasq restart

This is taken from the OpenWRT howto.

IPv6 DNS service

Follow the above configuration, then:

echo 'nameserver fd64:2c08:9fa7:1::1' >> /etc/resolv.conf
uci add radvd rdnss
uci set radvd.@rdnss[0].interface wlan0
uci set radvd.@rdnss[0].addr fd64:2c08:9fa7:1::3
uci del radvd.@rdnss[0].ignore
uci commit

Taken from the OpenWRT howto.

Note: currently not working with Network manager during our first tests.

Providing some services behind a firewall

A good approach is to allocate a specific port on your firewall and allow it only some access to your internal network, and, maybe, the internet.

First, you need to determine the policy. Here is anarcat's:

  • no DHCP on the interface - we do not want to pollute the LAN
  • use up one IP in the IPv4 network (192.168.3.1 for my node, use your own!)
  • publish an IPv6 /64 network (minimum size), see above for configuration and allocation
  • block packets by default
  • allow to my server: port SSH (22)
    • HTTP (80)
    • HTTPS (443)
    • IMAPS (993)
    • XMPP (5222)
    • OpenVPN (1194)
    • git (9418)
    • streaming/icecast (8000)
    • jukebox/MPD (6600)
    • outgoing ICMP

OpenBSD's pf implementation

The above rules can be done with the following patch to a pf.conf, for OpenBSD's PF (Packet Filter):

diff --git a/pf.conf b/pf.conf
index 8ecb84f..796d847 100644
--- a/pf.conf
+++ b/pf.conf
@@ -9,6 +9,7 @@
 dmz_if = "vr3"
 # lan_if = "vr1"
 lan_if = "bridge0"
+mesh_if = "vr2"
 ext_if = "ng0"
 tun_if = "gif0"

@@ -25,7 +26,7 @@ set skip on lo0

 # those interfaces are bridged on $lan_if
 set skip on vr1
-set skip on vr2
+#set skip on vr2

 ########################################################################
 # ALTQ (traffic shaping) configuration
@@ -190,6 +191,26 @@ pass in on $lan_if proto tcp from any to ($lan_if) port 10001:20001
 pass in on $lan_if proto udp from any to ($lan_if) port 10001:20001

 ##############################
+# Mesh network ruls
+# block by default
+block in log on $mesh_if all
+pass out on $mesh_if all
+
+# DNS
+pass in on $mesh_if proto udp from any to ($mesh_if) port 53
+# allow access to some services on marcos
+pass in on $mesh_if proto tcp from any to $marcos port 22
+pass in on $mesh_if proto tcp from any to $marcos port 80
+pass in on $mesh_if proto tcp from any to $marcos port 443
+pass in on $mesh_if proto tcp from any to $marcos port 993
+pass in on $mesh_if proto tcp from any to $marcos port 9418
+pass in on $mesh_if proto tcp from any to $marcos port 8000
+pass in on $mesh_if proto tcp from any to $marcos port 6600
+pass in on $mesh_if proto tcp from any to $marcos port 6601
+# test: http://talk.maemo.org/showthread.php?p=722127
+#pass in on $mesh_if proto tcp from any to $marcos port 5434
+
+##############################
 # DMZ rules
 # block by default
 block in log on $dmz_if all

To allow access to the internet in general, I also throw in those rules:

  • allow to everywhere:
    • port SSH (22)
    • HTTP (80)
    • HTTPS (443)
    • IMAPS (993)
    • XMPP (5222)
    • OpenVPN (1194)
    • git (9418)
    • SMTP submissions (587)
    • outgoing ICMP

Advertising your services on the mesh

Then those services can be advertised in different ways:

  • through protocols like "Zeroconf" (Avahi in Linux, Bonjour in Apple, SSDP in Microsoft
  • by documenting it in this page, above

Providing Internet access

See: internet.