Warning: a lot of this documentation needs to be reviewed and updated.

Naming your device

Assigning a name to your device is important because it allows you to label it and identify it physically.

You should use the name you have chosen when creating the nodes page here.

OpenWRT

Set a custom name, in case you encounter other peers :-)

uci set system.@system[0].hostname=meshmtl42
# persist the change, otherwise it is lost on reboot
uci commit system

Linux

# set the running hostname, then persist it for the next boot
hostname meshmtl42
hostname > /etc/hostname

Providing your own services

Any service that will not disrupt other services should be allowed, although individual nodes may do some filtering to control quality of service.

Replace OpenWRT's firewall with an open NAT service

Make sure the custom firewall ruleset is loaded:

uci show | grep include

If not, add this:

uci add firewall include
uci set firewall.@include[0].path="/etc/firewall.user"
uci commit firewall

Then in /etc/firewall.user:

[[!format Erreur: Format de page non reconnu sh]]

The above will clear all firewall rules, allowing all traffic through the node. It assumes you have another router doing some filtering downstream; if not, you will need to customize that firewall according to your policy, as described below.

DHCP configuration

The following will enable DHCP on the wireless interface of the router (wlan0):

[[!format Erreur: Format de page non reconnu sh]]

Make sure the wireless interface has an IP assigned:

[[!format Erreur: Format de page non reconnu sh]]

and don't forget to commit the results:

uci commit

IPv6 configuration

The following will enable IPv6 router advertisement on the wireless interface of the router (wlan0):

[[!format Erreur: Format de page non reconnu sh]]

Make sure you have configured an IP on wlan0, using the ip configuration rules. For example:

[[!format Erreur: Format de page non reconnu sh]]

DNS services

By default, OpenWRT provides a DNS server through dnsmasq; however, it relies on an upstream DNS server. To provide a "real" (authoritative or recursive) DNS server, you can try MaraDNS or the bind-server package.

However, there may already be DNS servers on the mesh, which your router can use. Let's assume that 172.16.0.1 is a DNS server; then the following should enable your router to act as a DNS cache:

# on OpenWRT /etc/resolv.conf is a symlink; replace it with a static file
rm /etc/resolv.conf
echo 'nameserver 172.16.0.1' > /etc/resolv.conf
# point dnsmasq at that file and make it authoritative for the mesh domain
uci set dhcp.@dnsmasq[0].resolvfile=/etc/resolv.conf
uci set dhcp.@dnsmasq[0].domain=reseaulibre.ca
uci set dhcp.@dnsmasq[0].local=/reseaulibre.ca/
uci commit
/etc/init.d/dnsmasq restart

This is taken from the OpenWRT howto.

IPv6 DNS service

Follow the above configuration, then:

echo 'nameserver fd64:2c08:9fa7:1::1' >> /etc/resolv.conf
# advertise a recursive DNS server (RDNSS) in the router advertisements
uci add radvd rdnss
uci set radvd.@rdnss[0].interface=wlan0
uci set radvd.@rdnss[0].addr=fd64:2c08:9fa7:1::3
uci del radvd.@rdnss[0].ignore
uci commit
/etc/init.d/radvd restart

Taken from the OpenWRT howto.

Note: currently not working with NetworkManager during our first tests.

Providing some services behind a firewall

A good approach is to allocate a specific port on your firewall and allow it only some access to your internal network, and, maybe, the internet.

First, you need to determine the policy. Here is anarcat's:

  • no DHCP on the interface - we do not want to pollute the LAN
  • use up one IP in the IPv4 network (192.168.3.1 for my node, use your own!)
  • publish an IPv6 /64 network (minimum size), see above for configuration and allocation
  • block packets by default
  • allow to my server:
    • SSH (22)
    • HTTP (80)
    • HTTPS (443)
    • IMAPS (993)
    • XMPP (5222)
    • OpenVPN (1194)
    • git (9418)
    • streaming/icecast (8000)
    • jukebox/MPD (6600)
    • outgoing ICMP

OpenBSD's pf implementation

The above rules can be done with the following patch to a pf.conf, for OpenBSD's PF (Packet Filter):

[[!format Erreur: Format de page non reconnu diff]]

To allow access to the internet in general, I also throw in those rules:

  • allow to everywhere:
    • port SSH (22)
    • HTTP (80)
    • HTTPS (443)
    • IMAPS (993)
    • XMPP (5222)
    • OpenVPN (1194)
    • git (9418)
    • SMTP submission (587)
    • outgoing ICMP
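The two policies above, written out as a pf.conf ruleset. This is an added example, not anarcat's patch (which is missing from this page); the interface name, the server address, the use of TCP for every listed port and the UDP line for OpenVPN are assumptions to adapt to your node.

```pf
# Added example of the policy above, not the original pf.conf patch.
mesh_if = "athn0"            # assumption: interface facing the mesh (192.168.3.1)
server  = "192.168.3.10"     # assumption: the internal server behind the node

# ports the mesh may reach on the internal server
server_tcp = "{ 22 80 443 993 5222 1194 9418 8000 6600 }"
# ports the mesh may reach anywhere (internet access through the node)
world_tcp  = "{ 22 80 443 993 5222 1194 9418 587 }"

# block packets by default on the mesh interface, logging what is dropped
block log on $mesh_if all

# allow the listed services towards the internal server only
pass in on $mesh_if proto tcp from any to $server port $server_tcp
# assumption: OpenVPN runs over UDP as well
pass in on $mesh_if proto udp from any to $server port 1194

# allow the second list towards the internet in general
pass in on $mesh_if proto tcp from any to any port $world_tcp

# outgoing ICMP; replies to passed traffic are handled by pf's default state tracking
pass out on $mesh_if inet proto icmp all
pass out on $mesh_if inet6 proto icmp6 all
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and watch `pflog0` with tcpdump to confirm the default block catches only what you expect.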

Advertising your services on the mesh

Then those services can be advertised in different ways:

  • through protocols like "Zeroconf" (Avahi on Linux, Bonjour on Apple, SSDP on Microsoft)
  • by documenting it in this page, above

Providing Internet access

See: internet.