Hotrod Your Linksys WAP with Linux (Part 3)

By Carla Schroder

November 08, 2005

Those little, blue consumer-grade WAPs make nice experimental Linux boxes. This week we cover setting up DNS and DHCP services.

Now that we have ripped the stock guts out of our Linksys WRT54G and replaced them with a miniature, but mighty, Linux operating system, it's time to configure it to do some actual work. (Part 1 and Part 2 cover installation and setting up secure administration of your chopped, dropped little blue box.)

Sharing a Broadband Connection
Remember, none of these settings are committed to NVRAM until you enter the nvram commit command. As long as you do not write to NVRAM, you can safely test new commands, and reboot to a known good configuration if something goes wrong. When everything works right, you can commit.

Log in to the router via SSH (see Part 2 for how to set up SSH). This shows example settings for sharing a cable or DSL connection on a dynamically-assigned WAN IP:

# nvram set lan_proto=static
# nvram set lan_ipaddr=192.168.1.15
# nvram set lan_netmask=255.255.255.0
# nvram set wan_proto=dhcp

NAT is enabled in the default WAN firewall, which is configured in /etc/S45firewall. So all you need to do is configure your LAN and WAN ports, plug everything in, and you're done.

If your Internet service provides you with a static IP, that's just as easy to configure as the LAN IP:

# nvram set wan_proto=static
# nvram set wan_ipaddr=12.34.56.78
# nvram set wan_netmask=255.255.255.0
# nvram set wan_gateway=23.45.67.89
# nvram set wan_dns=23.45.67.99

At this point you can either do nvram commit and reboot the router, or just restart the networking interfaces:

# ifup lan
# ifup wan
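Because a typo in lan_ipaddr or lan_netmask leaves the box unreachable until the next reboot, it is worth checking the values before they go into nvram set. This POSIX shell helper is an added example, not from the article: it validates the address and netmask and then stages the three LAN settings above without committing them. NVRAM_CMD is an assumption so the functions can be tried off the router (NVRAM_CMD=echo prints the commands instead of running nvram).

```shell
# Added example, not from the article: sanity-check LAN values before they
# reach "nvram set". Nothing here commits anything; refusing a bad netmask
# up front is cheaper than a reboot to a known good configuration.
# NVRAM_CMD is an assumption so the functions can be tried off the router.
NVRAM_CMD=${NVRAM_CMD:-nvram}

# valid_ipv4 A.B.C.D -> 0 if four octets, each 0..255, else 1.
valid_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# valid_netmask M -> 0 if M is a contiguous mask such as 255.255.255.0;
# 255.0.255.0 or 255.255.255.1 are rejected.
valid_netmask() {
    valid_ipv4 "$1" || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    # Invert within 32 bits: a contiguous mask becomes 2^k - 1, and
    # (x + 1) & x is zero exactly for numbers of that form.
    inv=$(( ~n & 4294967295 ))
    [ $(( (inv + 1) & inv )) -eq 0 ]
}

# stage_lan ADDR MASK: the article's three LAN settings, set but not committed.
stage_lan() {
    valid_ipv4 "$1"    || { echo "refusing bad LAN address: $1" >&2; return 1; }
    valid_netmask "$2" || { echo "refusing bad LAN netmask: $2" >&2; return 1; }
    "$NVRAM_CMD" set lan_proto=static &&
    "$NVRAM_CMD" set lan_ipaddr="$1" &&
    "$NVRAM_CMD" set lan_netmask="$2"
}

# Usage on the router: stage_lan 192.168.1.15 255.255.255.0
# then ifup lan, test, and only then "nvram commit".
```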

Local DHCP and DNS
As you recall from part 1, the recommended installation created a read-only squashfs partition and a writable jffs2 partition. The default configuration files are written to the squashfs partition and symlinked to jffs2. This means that editing the default configuration files requires that you first delete the symlink, then copy the file to the jffs2 partition:

# rm /etc/dnsmasq.conf
# cp /rom/etc/dnsmasq.conf /etc/dnsmasq.conf

Every host should have its own hostname configured locally. On most Linuxes, this is done in /etc/hostname:

workstationFred

On Red Hat, it's configured in /etc/sysconfig/network. Check your work by running the hostname command, and remember that hostname changes require a reboot.

This sample dnsmasq configuration contains a pool of addresses that are assigned to hosts as they join the LAN. In this example the lease time is set at 168 hours for addresses 192.168.1.100-192.168.1.150:

# filter what we send upstream
domain-needed
bogus-priv
filterwin2k

#openwrt needs dnsmasq to run as root
user=root

expand-hosts
domain=carlasdomain.net
dhcp-range=192.168.1.100,192.168.1.150,168h

You don't need to explicitly set the default route, DNS server, and gateway, unless these are on other servers, because dnsmasq automatically uses the settings from the server it is installed on.

The domain-needed directive tells dnsmasq not to forward queries for plain hostnames (names without a dot or domain part) upstream. If such a name is not found in /etc/hosts or DHCP, it returns a "not found" answer.

bogus-priv returns an "NXDOMAIN" answer to reverse lookups for private IP ranges that are not answered from /etc/hosts or DHCP, rather than forwarding them upstream.

filterwin2k blocks insane DNS queries from newer versions of Windows that serve no purpose but to cause trouble and woe.

The expand-hosts directive tells dnsmasq to automatically expand the hostnames, by combining the hostnames with the domain name.

dnsmasq by default reads /etc/hosts, so this is where you assign static IPs to any hosts that need them, like servers:

127.0.0.1            localhost
192.168.1.100        mail1
192.168.1.101        http1
192.168.1.102        http2

You only need to configure /etc/hosts on the dnsmasq server, which is a lovely time-saver.

You may map hardware (MAC) addresses to fixed IP addresses in dnsmasq. First add this directive to /etc/dnsmasq.conf (in the configuration file it is written without the leading dashes used on the command line):

read-ethers

Then create or edit the file /etc/ethers. This file contains the MAC address of each host mapped to the IP address it should receive:

#carla's thinkpad
xx:xx:xx:xx:xx:xx 192.168.1.160
# fred's super-duper engineering workstation
xx:xx:xx:xx:xx:xx 192.168.1.161
# big ole Samba fileserver
xx:xx:xx:xx:xx:xx 192.168.1.162

Naturally, you must replace the Xes with your actual MAC addresses, which are found with the ifconfig command:

$ /sbin/ifconfig
eth0 Link encap:Ethernet HWaddr 00:0B:6A:EF:7E:8D

And just like on a grownup Linux, whenever you make changes to a service, it must be restarted:

# /etc/init.d/S50dnsmasq restart

NVRAM Commands
nvram show displays your current settings.
nvram set foo=bar sets a variable.
nvram unset foo deletes a variable.
nvram commit writes all newly-entered settings to NVRAM.

Troubleshooting
Despite all the dire warnings in previous installments, you can usually get out of trouble. If you cannot get into the router at all, try resetting it to failsafe mode. This only works if you have the read-only squashfs partition. To get into failsafe, unplug then plug in the router, wait for the DMZ LED to light, then press and hold the reset button for two seconds. If it worked, the LED flashes three times per second. The network settings revert to the defaults, so you'll access the router at 192.168.1.1.

If you want to restore the default filesystem on the jffs2 partition, erasing all changes you have made, run the firstboot command.

If you've been making a lot of changes using the nvram command and gotten hopelessly borked, wipe it all out and start with a clean slate by running these commands:

# mtd erase nvram
# reboot

As long as you followed the instructions for the "difficult but safe" installation in Part 2, and have boot_wait=on set, you can always recover by re-flashing new firmware.
