Home Network Setup on Open Source

Setting up a more capable and advanced home network on open source software.

DD-WRT for Access Points

DD-WRT Install and AP Setup

I am combining the post for these two videos, as they are actually closely related.  If you've never heard of or used DD-WRT, then you'll be interested to know that it's been around for at least 15 years, if not more.  It's some amazing open source software (firmware) that takes an off the shelf router and in many cases gives it a lot of extra functionality that was simply hampered by the manufacturer's stock firmware.  

I originally used it on a Linksys WRT-54G - a router that cost about $50.00 US at the time, and it was fine for most home users.  But by putting DD-WRT on that router, you essentially unlocked all of the hampered functionality and turned it into a $500.00 router (essentially Enterprise grade).

Still today, DD-WRT is providing enhanced functionality on off the shelf hardware.

In the first video I simply go through the initial installation and setup of DD-WRT as a single router and wireless access point using the DD-WRT firmware on an Asus RT-AC56U. You can find that video below.

This is the setup for using your hardware as a router, just behind your modem / firewall appliance, and allowing DD-WRT to do the DHCP assignments of IPs and so on, for your network.

I don't want to document the whole setup here for a couple of reasons.

  1. The DD-WRT Wiki is the absolute best place to get the best information on the support, install, and setup of any hardware.  You should always check the Forums and Wiki for your hardware and follow those guides whenever possible.  DD-WRT has a special page called the Router Database, and you should search there for your device. There are just too many different router manufacturers, models, and versions for me to aptly cover all of the possibilities here.
  2. The basic setup, once installed, is really ready to go as a router and wifi access point, except for needing to change the SSID of the wireless signal(s), and set a secure password for the wireless connection.  I show you how to do both of those things in the video.

My setup consists (now) of a dedicated machine to run OPNSense (check out my video on OPNSense here, or below), acting as my main firewall/router/DHCP server, and then using four (4) Asus RT-AC56U routers as APs only for wireless and wired devices.

Again, I don't want to document the setup of the DD-WRT system for AP only, as the DD-WRT wiki has it well documented already.  I'd prefer you go to the source for that set of instructions, as it could change over time, and then my page is completely wrong at some point.

Support me on Patreon

Support my Channel and ongoing efforts through Patreon:
https://www.patreon.com/bePatron?u=234177

OPNSense Install and Setup

OPNSense Install and Initial Setup

I've been wanting to switch away from my Eero mesh wireless network for almost a year and a half.  I really wanted a system that I had more control over, and an open source option was my ideal situation.  I have made several attempts to do this over the past six months, but each time I found I just wasn't able to get everything setup the way I needed.

First, I tried to setup just DD-WRT on a few routers, using one as the main router and the rest as APs.  The system functioned, but for whatever reason DHCP was not working, and none of my DHCP devices would get an address.

I then tried pfSense with the DD-WRT Routers set as APs only, and pfSense set to assign out DHCP addresses. This initially seemed to work, but then I ran into multiple issues trying to get it setup to route my traffic via NAT Reflection (sometimes called NAT Redirection or Hairpinning). Essentially, that's when I call the services running on my home machines by a URL that is running inside the same network.  This was a huge bust and a bit soul-crushing as I read more and more documentation, articles, forum posts, and so on of people trying to make it work in all kinds of situations, and nothing I tried worked.

I shelved the idea for a few months, then came back to it again a week or so ago.  This time, I went with OPNSense.  It's a forked version of pfSense, but over time the two have gotten some real separation in the way they work.  The user experience is similar, the menus and options are almost identical beyond their placement on the screen, but a few things in OPNSense felt easier to me.

Again, I was able to get it setup for DHCP, and I was able to get my DD-WRT APs setup easily, and got them working with no issue.  Initially, my iPhone wouldn't pull an address, and I feared I was about to hit my original issue all over again, but with a bit of testing I realized the wired connection in my wall was not working properly, and the jack I had my AP plugged into wasn't actually allowing it to communicate with the OPNSense router (not the same issue I had with my first setup, by the way).

So, with those hardware issues out of the way, my devices were all connecting and getting DHCP addresses.  Yay!  Now to the task of getting my self-hosted services to be reachable from the outside world.

Installation

What You'll Need

Getting the ISO Image

It's important to know which media type you'll be using to boot from for the initial install. You need to know whether it's USB or DVD.

Visit https://opnsense.org/download/ and fill out the form. Select the architecture type (though it appears to only have amd64).  Next, choose an ISO type.  DVD for an actual DVD, or VGA if you plan to use a USB to install.  Finally, pick a mirror close to your physical location.  Then click the Download button.

Once the download completes, unpack the compressed archive file.  NOTE: this will be about 320 MB compressed, and just over 1 GB uncompressed. Once uncompressed, you'll want to burn the ISO to your DVD or USB using a program like Balena Etcher (for USB).  
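Before unpacking or burning the download, it is worth checking it against the published SHA-256 checksum. The script below is an added example, not part of the original tutorial; it assumes the checksum file was fetched separately from the image and uses BSD-style `SHA256 (filename) = hash` lines, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: verify a downloaded OPNsense image against a SHA-256
# checksum file before unpacking it or writing it to USB/DVD.
# Assumption: the checksum file uses BSD-style lines such as
#   SHA256 (image-name.img.bz2) = <64 hex digits>
# and image file names contain no spaces.

# Print the SHA-256 of a file using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_image IMAGE CHECKSUM_FILE
# Returns 0 on match, 1 on mismatch, 2 if the file has no entry for IMAGE.
verify_image() {
    image=$1
    sums=$2
    name=$(basename "$image")
    # Select the line for this exact file name and take the hash field.
    expected=$(awk -v n="$name" '
        $1 == "SHA256" && $2 == ("(" n ")") && $3 == "=" {
            print tolower($4); exit
        }' "$sums")
    if [ -z "$expected" ]; then
        echo "no SHA256 entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256_of "$image") || return 1
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# When run as a script: ./verify.sh <image file> <checksum file>
if [ "$#" -eq 2 ]; then
    verify_image "$1" "$2"
fi
```

A mismatch means the file is corrupt or was altered in transit; download it again from a different mirror rather than burning it.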

Once burned, place your DVD or USB into the machine and boot it up.   You'll want to make sure to boot from the DVD or USB, so you may need to press a special key to get the boot device list.  This key differs based on manufacturer, model, and motherboard in most cases.  

Once the boot process starts you'll want to go through the options to select your

Once logged into the terminal, you may want to re-assign your interfaces.  You want to ensure the WAN interface is plugged into the correct ethernet port, and the same for the LAN interface.

To change the assignments, you'll press "1", then Enter.

The system will provide a list of detected interfaces.  Unless you need LAGGs or VLAN support, you can answer "n" for both of these questions.

Now enter the interface name for the WAN (internet connection) port. Then press Enter.  

Next, enter the interface name for the LAN (local area network) port, and again press Enter.

If you have more ports, and want to assign them for other purposes, then you can enter those next, or leave the final entry blank, and just press Enter to save and confirm your changes.

Give the system about 15 seconds to bring you back to the main menu. If it doesn't, you can likely use CTRL + C to get back to the menu.  Now you can log out of the CLI, making note of your LAN interface IP address.

In my case, after the re-assignment task, my LAN was on 192.168.1.100, though yours may be different.

Now, on another machine, go to your web browser, and browse to the LAN IP address. NOTE: You can not browse to the web interface for OPNSense from the WAN address by default, and it is better if you don't allow access via the WAN interface.

The Web UI and Setup

If you only want to use this box to get internet access out from your network, and you have no internal servers / services running, you are essentially done, and do not need to make any further changes to your new OPNSense firewall / router.  You can adjust the default dashboard if you like, but other than that you are set, and should be able to access the internet if you have your ports set properly, and plugged into your ISP modem.

If you wish to access your internal servers, there is more to do.

System -> Settings -> Administration

Navigate, in the left menu, to System -> Settings -> Administration and change the port setting from 443 to 440.  OPNSense, by default is setup to provide access to the WebGUI on port 443.  We, however, want to get access to our self hosted sites on port 80 and 443, so we need to change the SSL port for OPNSense to something else. We'll use 440 for this purpose.

Scroll down, and find the "Alternate Hostnames" section.  Add any domain names you will be using on your internal network from outside to this box separated by spaces.  It's important you add these here, or OPNSense will assume an attempt to reach the site may be some sort of attack.

Now scroll all the way to the end of the page and Save.  After saving, always check to see if an Apply option shows up at the top of the page as well, and click it if necessary.

Once you save this page it should redirect you automatically after about 30 seconds, back around to the new port 440.  If it doesn't you can access it via the IP address and port 440 by typing in https://ip.of.your.firewall:440, where you put the actual IP in place of my place-holder text here.

Check for Updates

Go to System -> Firmware -> Updates, and let the system check for any updates, then install the updates.  It's important to do this as there may be security patches and other fixes that will help make the system better.

(Optional) Change your LAN IP

Next, we'll go to Interfaces -> LAN (NOTE: this step is optional).  If you want to change the subnet IP addresses for your local network (defaults to 192.168.1.x), then you can do that here.  Scroll down to the "IPv4 Address" field and put in the address you prefer. Then scroll to the bottom and change it.  Click 'Save', then go to Services -> DHCPv4 and change your DHCP range if needed so that you have addresses in the same IP range.  Again click 'Save', and 'Apply' if necessary.

You may need to disable and re-enable your connection to get it to pull a new address from the updated IP range.

Setup Firewall Rules for Access from Outside your Network

First we'll setup an Alias, as this will let us create fewer separate firewall rules.

Go to Firewall -> Aliases and click the "+" to add a new Alias. Call the alias web_server_ports, then select the Type as "Port(s)". Now in the Content field enter 80, then press Tab, and it should turn into a chip icon.  Next enter 443 and again press Tab.  Give this a description of "web server ports" and Save / Apply.

Add another Alias, and call it 'web_server_host' and give it a Type of "Host(s)".  Next, in the content, enter the IP of your web server machine. Finally, give it a description of "web server host", and click Save / Apply.

Now navigate to Firewall -> NAT -> Port Forward.  Here we want to add a new rule, so click on the "+" icon, and make sure it's Enabled, and "WAN" is selected.

Next, we'll make sure we select the following:

Save this rule, and Apply.

Now we need to setup our final piece for NAT Redirection to work properly.  Navigate in the left menu to Firewall -> Settings -> Advanced.

Enable the following by checking their associated checkbox:

Scroll to the bottom, and Save.  Apply if necessary.

You may need to update host addresses in your proxy manager after changing your DHCP settings.  But once your proxy manager is setup (assuming you're using one) you should be able to reach all of your self hosted services from inside, or outside of your network.

OpenWRT Updates the Easy Way

Upgrade OpenWRT the Easy Way

It's important to keep your Router / Firewall appliances updated to the most recent versions of their firmware in order to maintain good security on your networks.  With OpenWRT, for a long time, this was a tedious process.  You had to get the new firmware, back up your existing setup, install the new firmware, install all of the packages you had again, and setup your configurations again.

It's been made much easier these days, but knowing how to get this done is not extremely obvious, as OpenWRT still does not "ship" with the necessary packages already installed. 

Let's go through the process together to update your OpenWRT appliance, without having to reset everything manually. 

What you'll need

Backup your current configuration

If you do nothing else in this tutorial, please, please, please make sure you make a backup of your current configuration and store it somewhere safe. This is important even if you aren't going to be updating the firmware today.  This can save you hours of work should anything terrible happen to your router/firewall.

  1. Login to your router's web user interface.
  2. Go to 'System' in the top navigation. When hovering, it should display a drop-down menu.
  3. Select 'Backup / Flash Firmware' from the drop menu.
  4. On the Backup page, you'll want to click the blue button that says 'Generate Archive'. 
  5. This will create a zipped file of your current configuration, and download it to your local machine. 
  6. Rename this downloaded file by appending "-pre-update" to the end of the generated file name.

You now have a backup of your OpenWRT configuration. 
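A backup is only useful if it can be read back, so the following added example (not from the original tutorial) checks the downloaded archive, locks down its permissions, and does the rename from step 6. It assumes the backup is a gzip-compressed tar with members stored relative to `/`; the function name and the list of required files are choices made for this example, and the suffix is inserted before `.tar.gz`.

```shell
#!/bin/sh
# Added example: sanity-check a LuCI "Generate Archive" backup.
# Assumption: the backup is a gzip-compressed tar whose members are stored
# relative to / (for example etc/config/network).

# Config files this example expects in a usable backup (assumed minimum set).
REQUIRED="etc/config/network etc/config/firewall etc/config/system"

# check_backup ARCHIVE SUFFIX
# Verifies the archive, restricts its permissions, and renames it by
# inserting SUFFIX before ".tar.gz". Prints the new path on success.
# Returns 1 for an unreadable archive, 2 if a required file is missing.
check_backup() {
    archive=$1
    suffix=$2
    # A truncated or interrupted download fails the gzip integrity test.
    gzip -t "$archive" 2>/dev/null || {
        echo "corrupt gzip: $archive" >&2
        return 1
    }
    listing=$(tar -tzf "$archive" 2>/dev/null) || {
        echo "unreadable tar: $archive" >&2
        return 1
    }
    for f in $REQUIRED; do
        # Member names may or may not carry a leading "./".
        if ! printf '%s\n' "$listing" | sed 's|^\./||' | grep -Fqx "$f"; then
            echo "missing $f in $archive" >&2
            return 2
        fi
    done
    # The archive holds Wi-Fi keys and password hashes: owner-only access.
    chmod 600 "$archive"
    new="${archive%.tar.gz}${suffix}.tar.gz"
    mv "$archive" "$new"
    printf '%s\n' "$new"
}

# When run as a script: ./check_backup.sh <backup file> -pre-update
if [ "$#" -eq 2 ]; then
    check_backup "$1" "$2"
fi
```

The same function works for the backup taken after the upgrade by passing a different suffix.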

Install the Attended Sysupgrade Packages

Now, we need to install a couple of packages from the software repository that will help us upgrade our current install, and also help us keep all of the configurations, packages, and so on in the process.

  1. In the upper navigation go to 'System' again and hover. 
  2. In the drop-menu, select 'Software'. 
  3. On the Software page, click the 'Update Lists...' button.  (You need internet access for this step to complete).
  4. Once updated, you'll see a list of available and installed software packages below the button row.
  5. You can use the search near the top of the 'Software' view to filter the list of available packages. 
  6. Type in 'Attended' and you should see the package listed as "attendedsysupgrade-common". To the right of this package option you'll see a button that says "Install". 
  7. Click the "Install" button, and wait for it to complete. There should be a pop-up message indicating a log of what happened, and a success message in it. You can dismiss this pop up when it comes up.
  8. Next, scroll down the software list until you find the package labeled "luci-app-attendedsysupgrade", and again click the "Install" button to the right of it.  This application gives us the ability to perform the attended sysupgrade from inside the web user interface.
  9. Again, you can dismiss the success pop-up when it's displayed. 
  10. Refresh your browser window, and you should now see a new option in the 'System' top navigation menu. 

Upgrade your OpenWRT using Attended SysUpgrade

We can now update our OpenWRT system using the Attended Sysupgrade function we just installed. The good news is this function will be kept for us to use in the future since we are using it to upgrade our firmware in-place.

  1. In the top navigation 'System' menu, select 'Attended Sysupgrade'.
  2. On the upgrade page, click the button labeled 'Search for Firmware Upgrade'.
  3. Be patient while it searches. If an upgraded version exists for your current install, it will be listed in a pop-up window. If not, the pop up will tell you there is no update available at this time.
  4. If you do have an update available, click the drop down to see if more than one version is available. You may want to update through each version 1 at a time, but feel free to jump to the latest version if it's presented. 
  5. Click the 'Request Firmware Image' button.
  6. This will send the request off to a build server to build a new image for your hardware.
  7. Be patient while the new version is built. It may take a few minutes to go through that process. 
  8. Once the build is complete, you'll want to click the link to Download the new image version as a backup copy. 
  9. Make sure the option to 'Keep setup and retain the current configuration' is checked.
  10. Click the 'Install Firmware Image' button. 
  11. Again, be patient as this will update the firmware, and reboot the device when complete. On my devices it took anywhere from 2 to 5 minutes to complete. Varying devices may take more or less time. 
  12. Once complete, you'll be redirected back to the login screen of your device. 
  13. Do a quick manual check of your various settings and configurations, and make sure everything looks good. 
  14. Ensure you can still navigate around your network, and access the internet.

Congratulations, you've updated your OpenWRT system.

Make a Backup

I know what you're thinking, and yes, we did make a backup earlier, but that was our pre-upgrade backup. Now we need to make our post-upgrade backup.  Make the backup in the same way as before, but rename this one by appending '-post-update' to the file name. Keep both versions for a couple of weeks, just to be sure everything is working well. When you're satisfied that it's working fine, you can feel free to delete the pre-upgrade version if you want.

Support My Channel and Content

Support my Channel and ongoing efforts through Patreon:
https://www.patreon.com/awesomeopensource

Buy me a Beer / Coffee:
https://paypal.me/BrianMcGonagill