A lot of folks don't understand Hairpin NAT, meaning what it is, why it exists, or the specific use cases in which it applies.
This is an awesome site that explains it nicely - although you have to read the very very last paragraph to get to the bottom of it:
Hairpin NAT Explained
Showing posts with label Router. Show all posts
Showing posts with label Router. Show all posts
Wednesday, February 13, 2019
Friday, June 1, 2018
More Cross Compiling for MIPS32
So in previous posts I could not successfully pull off building my own toolchain to cross compile on MIPS32.
I decided to try and do a simple cross compile using the OpenWRT toolchain.
Let me review the steps for this:
I decided to try and do a simple cross compile using the OpenWRT toolchain.
Let me review the steps for this:
- Download OpenWRT by doing a git clone on the OpenWRT project
- Select your target architecture using the "make menuconfig" command at the top directory of the OpenWRT project
- Invoke the build and monitor results to ensure build compiled correctly
The complexity of OpenWRT, and reverse-engineering what it is doing, starts here.
Here is the output directory structure...
....or at least what is written out to MY system when I did the build).
As you can see, I decided to name my configuration with a name that corresponded to the OEM router I used to build the image (handy if you install OpenWRT on multiple OEM routers).
So let's start talking now about why this is confusing.
1. You might expect the toolchain to be in the toolchain directory.
And it is, but it's not. The stuff to build the toolchain is in the toolchain folder....
.
...but the output of the build is not in this directory.
It is probably in the build_dir folder then, right? WRONG.
The build_dir folder is where the build is kicked off from. But once that happens, everything is written out to the staging_dir.
So let's go and take a look at that directory.
There are a few directories listed, so we will do some investigation and hunt for some binaries. A quick find command shows that indeed, there are some bin directories we can look at.
It turns out that the top level bin directory has the generated executables.
So when OpenWRT builds the toolchain, it writes it into the staging directory for the specific target that was configured in the initial "make menuconfig".
So the next step then, is to make sure that these can be used to build some code on the target device (MIPS32 in our case).
A simple testcompiler.c file is all that is needed:
#include <stdio.h>
int main()
{
printf("Testing MIPS32 Compiler!\n");
}
Next we will set up a simple Makefile to compile this simple source (we could do it on command line of course also).
all: testcompiler.o
testcompiler.o : testcompiler.c
${CC} testcompiler.c -o testcompiler -static -march=mips32
Next, we need to ensure that the proper compiler gets used, and we can do this by using an environment file before we kick off the build with the "make" command.
Now there are a couple of ways to test this binary, but the first and most simple thing to do is to inspect it using the file command, which indeed will confirm whether the binary was built for MIPS32.
Good. It is. So we can now do one of two things:
- Copy it to the target and run it
- Run the binary through an emulator
Emulators can be tricky to install and set up. The one most commonly used for Linux x86_64 architectures is QEMU.
NOTE: I tried to install and use this but got a bunch of errors. So, using QEMU was not as simple as I thought it would be. Something for later.
So, I copied it over to the target and it ran just fine.
Now this process is as simple as it gets. When you get into dependent libraries and packages, building, as well as running, on cross compiled architectures can get quite a bit trickier.
And I do plan to do some more sophisticated cross compiling, so I will write more on that as I do that.
OpenWRT Router (re) Configuration
I had to do some testing today, and I needed two routers to do that testing.
So I decided to use a Ubiquiti EdgeRouterX (MIPS32) for one of the routers, and for the other router I used the same <former> Ubiquiti EdgeRouterX (MIPS32), which I re-imaged with OpenWRT (discussed in previous posts).
Both of these routers enable an L3 switch across all of the ports, by default. And what this means, is that by default, if you plug into any of the ports on the device (except the WAN port of course), you will be on the same default LAN segment.
The Ubiquiti router is a little bit "smarter" in how it is defaulted, and it also has a Wizard that allows you to select how you want your ports set up, at which it will automagically configure the device ports settings for you. You can, for example, select 2 WAN ports (a very advanced link aggregation feature for a router like this), or just a single WAN port (more typical use case). But what this router does, is allow one port (eth0) to be the "admin" port which is on a LAN called 192.168.1.0/24, the WAN port is eth0 (dhcp by default), and the ports eth2, eth3 and eth4 are all on a switch with a LAN numbered 192.168.2.0/24 (or whatever you want it to be, frankly).
The OpenWRT router behaves differently upon default install. It does not have this concept of a dedicated "admin" port on eth0. It assumes (like most routers probably) that eth0 is the WAN port (dhcp by default), and eth1-eth4 are on a L3 switched 192.168.1.0/24 VLAN.
The <potential> issue here, if you use both of these routers together, is that the Ubiquiti knows inherently how to route to that 192.168.1.0/24 admin network that it has set up. So if you pull a 192.168.2.10/24 address via dhcp from the Ubiquiti, and put https://192.168.1.1 in your browser, voila' you get the admin page of the Ubiquiti router (btw....this is also accessible via https://192.168.2.1).
So you have two routers that understand a 192.168.1.0/24 local, separate address space. That's a problem.
I needed to change the OpenWRT router, so that it's address spaces were different than the Ubiquiti router. I thought this would be easy and take 15 seconds, as it does on the Ubiquiti. It was NOT as intuitive. Furthermore, I was very concerned about bricking the router (screw it up such that I could not connect to it or administer it), since I had put OpenWRT on it and wasn't sure what would happen if I paperclip reset it. So I had to be careful, which added even more time.
I managed to pull this off. And in fact, I *did* screw this router up in the process, but was able to reset it with a paperclip, which put the original OpenWRT default configuration back on it (thank goodness).
So here are the steps to create a new subnet on a set of ports:
1. Create a new device
By default, there is a WAN, a WAN6, and a LAN.
NOTE: The WAN6 is confusing and a separate topic to discuss. I deleted this WAN6 thinking it was redundant, and this is probably one of the reasons I had to reset the router.
I created a new LAN2 interface as a first step.
Now you can do this manually, if you want to play with fire, and ssh into the device and edit the file /etc/config/network. The setting for that in the file would look like this:
config interface 'lan2'
option type 'bridge'
option proto 'static'
option ifname 'eth0.3'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
But if you edit these files "hot" while the device is running and happen to make any kind of typo or syntax error, and you might find yourself with some big problems and unable to log into the device.
So I decided to use the GUI, because would assume a GUI knows how to save things properly (if not this router is in some big trouble).
If you click on "Edit", you will see some of the fields that I had to examine, and some of which I had to fill out to make sure this device was created properly.
The first tab is the "General Setup" tab.
Let's discuss what is important here.
You will notice that the IP address and network mask is filled out. This essentially "sets" the subnet for that interface. DHCP will use this network automatically.
I found this very confusing and this is very different from how Ubiquiti and other routers establish the network for an interface.
First, there is the "Advanced" tab. I will show that here. I made no changes to this tab.
By the way....the DHCP Server section below shows up across all tabs, which in my opinion is a bit of a design flaw (why not make it its own tab?).
There are some fields related to the DHCP server, and one might be interested in changing the default lease time or making other changes in the "advanced" field. I chose to stick with all of the defaults here.
Then there is the "Physical" tab. The first decision is to name your interface not in use.
We will go with eth0.3 which, as the GUI demonstrates, suggests that each "dot x" relates to a logical VLAN off of the L3 switch, which is named (or mapped to) eth0.
The other important decision is whether you want to add that interface to a bridge. I elected to do so, since the first default interface LAN is on a bridge (I did it for consistency).
NOTE: It is worth pointing out that you indeed can add multiple interfaces to a single bridge. But I don't suggest doing this unless you know precisely why you are doing it.
So for now, each Interface is on its own dedicated bridge. There is a 1:1 relationship between Interface and Bridge.
Next, there is a tab called "Firewall Settings". Let's examine that.
The OpenWRT router uses the well-known and common concept of "zones of security". By default there is a WAN zone, and a LAN zone. The WAN zone has policies and rules concerning traffic that is entering (ingress) or leaving (egress) the WAN port. The LAN zone has policies and rules for traffic that are internal to the router (between VLANs or otherwise L3-Switched Traffic).
You have the ability to define a new zone (LAN2), and put your new LAN2 interface in a LAN2 zone (and this would be a good idea of you needed special rules for this interface that differed between LAN2 and LAN). But setting up zones with rules takes time, and can be error-prone. Plus we don't have any specific reason to believe that our LAN2 interface needs anything different than the other LAN interface from a security point of view.
So we will share the same firewall zone for both the LAN and L2 interfaces. For now.
Are we done? NO. There is more work to do. Quite a bit actually.
Let's stop for a moment and review what we have done and where we are.
So I decided to use a Ubiquiti EdgeRouterX (MIPS32) for one of the routers, and for the other router I used the same <former> Ubiquiti EdgeRouterX (MIPS32), which I re-imaged with OpenWRT (discussed in previous posts).
Both of these routers enable an L3 switch across all of the ports, by default. And what this means, is that by default, if you plug into any of the ports on the device (except the WAN port of course), you will be on the same default LAN segment.
The Ubiquiti router is a little bit "smarter" in how it is defaulted, and it also has a Wizard that allows you to select how you want your ports set up, at which it will automagically configure the device ports settings for you. You can, for example, select 2 WAN ports (a very advanced link aggregation feature for a router like this), or just a single WAN port (more typical use case). But what this router does, is allow one port (eth0) to be the "admin" port which is on a LAN called 192.168.1.0/24, the WAN port is eth0 (dhcp by default), and the ports eth2, eth3 and eth4 are all on a switch with a LAN numbered 192.168.2.0/24 (or whatever you want it to be, frankly).
The OpenWRT router behaves differently upon default install. It does not have this concept of a dedicated "admin" port on eth0. It assumes (like most routers probably) that eth0 is the WAN port (dhcp by default), and eth1-eth4 are on a L3 switched 192.168.1.0/24 VLAN.
The <potential> issue here, if you use both of these routers together, is that the Ubiquiti knows inherently how to route to that 192.168.1.0/24 admin network that it has set up. So if you pull a 192.168.2.10/24 address via dhcp from the Ubiquiti, and put https://192.168.1.1 in your browser, voila' you get the admin page of the Ubiquiti router (btw....this is also accessible via https://192.168.2.1).
So you have two routers that understand a 192.168.1.0/24 local, separate address space. That's a problem.
I needed to change the OpenWRT router, so that it's address spaces were different than the Ubiquiti router. I thought this would be easy and take 15 seconds, as it does on the Ubiquiti. It was NOT as intuitive. Furthermore, I was very concerned about bricking the router (screw it up such that I could not connect to it or administer it), since I had put OpenWRT on it and wasn't sure what would happen if I paperclip reset it. So I had to be careful, which added even more time.
I managed to pull this off. And in fact, I *did* screw this router up in the process, but was able to reset it with a paperclip, which put the original OpenWRT default configuration back on it (thank goodness).
So here are the steps to create a new subnet on a set of ports:
1. Create a new device
By default, there is a WAN, a WAN6, and a LAN.
NOTE: The WAN6 is confusing and a separate topic to discuss. I deleted this WAN6 thinking it was redundant, and this is probably one of the reasons I had to reset the router.
I created a new LAN2 interface as a first step.
Now you can do this manually, if you want to play with fire, and ssh into the device and edit the file /etc/config/network. The setting for that in the file would look like this:
config interface 'lan2'
option type 'bridge'
option proto 'static'
option ifname 'eth0.3'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
But if you edit these files "hot" while the device is running and happen to make any kind of typo or syntax error, and you might find yourself with some big problems and unable to log into the device.
So I decided to use the GUI, because would assume a GUI knows how to save things properly (if not this router is in some big trouble).
If you click on "Edit", you will see some of the fields that I had to examine, and some of which I had to fill out to make sure this device was created properly.
The first tab is the "General Setup" tab.
You will notice that the IP address and network mask is filled out. This essentially "sets" the subnet for that interface. DHCP will use this network automatically.
I found this very confusing and this is very different from how Ubiquiti and other routers establish the network for an interface.
First, there is the "Advanced" tab. I will show that here. I made no changes to this tab.
By the way....the DHCP Server section below shows up across all tabs, which in my opinion is a bit of a design flaw (why not make it its own tab?).
There are some fields related to the DHCP server, and one might be interested in changing the default lease time or making other changes in the "advanced" field. I chose to stick with all of the defaults here.
We will go with eth0.3 which, as the GUI demonstrates, suggests that each "dot x" relates to a logical VLAN off of the L3 switch, which is named (or mapped to) eth0.
The other important decision is whether you want to add that interface to a bridge. I elected to do so, since the first default interface LAN is on a bridge (I did it for consistency).
NOTE: It is worth pointing out that you indeed can add multiple interfaces to a single bridge. But I don't suggest doing this unless you know precisely why you are doing it.
So for now, each Interface is on its own dedicated bridge. There is a 1:1 relationship between Interface and Bridge.
Next, there is a tab called "Firewall Settings". Let's examine that.
You have the ability to define a new zone (LAN2), and put your new LAN2 interface in a LAN2 zone (and this would be a good idea of you needed special rules for this interface that differed between LAN2 and LAN). But setting up zones with rules takes time, and can be error-prone. Plus we don't have any specific reason to believe that our LAN2 interface needs anything different than the other LAN interface from a security point of view.
So we will share the same firewall zone for both the LAN and L2 interfaces. For now.
Are we done? NO. There is more work to do. Quite a bit actually.
Let's stop for a moment and review what we have done and where we are.
- We have created a new Interface
- We have named it and put it on a bridge
- We have put it in a firewall zone.
So why would this not be enough to put the interface into use?
Because we do not know what ports will use this interface!
Right now, the ports are all bound to the L3 Switch, and the switch is set up to use a single VLAN which has 192.168.x.0/24 with a gateway address of 192.168.x.1 (x = 1 in a default configuration of OpenWRT).
So we now need to go into the Network / Switch menu at the very top of the administrative interface.
By default, there will only be two rows here.
- VLAN ID 1 (LAN)
- VLAN ID 2 (WAN)
Let's discuss these two default VLANs.
VLAN ID of 1 is essentially mapped to the LAN. The smoking gun indicator of this is that ports LAN1-4 are not set to "off". They are therefore in use, but set to "untagged" (don't assume untagged means unused - a very common misconception).
VLAN ID of 2 is essentially mapped to the WAN because it has the inversion situation where the ports LAN1-4 are set to off (not in use), but the WAN port is set to "untagged" (again, in use but untagged).
Both these ports interface with the CPU port (switch port) eth0, which can be viewed perhaps analogous to bus for traffic. The Bus tags traffic so that it knows what VLAN the traffic is coming from or going to.
We need to add a VLAN ID of 3 for our new bridged interface LAN 2 we created. And we are going to change the port assignments so that 2 ports are on the LAN, and 2 ports are on LAN2. Once this is done, each of these Interfaces can have an address space (e.g. 192.168.2.0/24 and 192.168.3.0/24).
NOTE: if we wanted to, we could create 3 new interfaces and 3 new VLAN IDs so that the router could manage 4 subnets. But we don't need 4 subnets. We only need two. So we are only going to "stripe" the router with a 2 x 2 configuration (two ports subnet=A, and two ports subnet=B). And when we do that we will see this screen below.
As we can see, VLAN ID of 1 has the LAN 1 and LAN 2 ports set to "untagged", and LAN 3 and LAN 4 ports are turned (set to) off.
VLAN ID 2 has LAN 3 and LAN 4 ports set to untagged, and LAN 1 and LAN 2 ports set to off.
There are some very bad GUI design issues here on the Switch interface, and let's discuss those:
The fact that the switch uses the labels LAN 1, LAN 2, LAN 3 and LAN 4 is confusing.
- There is a LAN 1 interface
- There is a LAN 2 interface we just created
Thank goodness they have pictures of the ports here, or people could really screw this router up.
From here, we could be finished. We could plug devices into the ports and ensure you get the right IP addresses on each port (e.g. 192.168.2.x on ports 1 and 2 and 192.168.3.x on ports 3 and 4).
I will avoid a discussion on DHCP and DNS, but there is a tab at the top of the administrative interface for DHCP/DNS, and you can configure all of the typical things in a series of tabs on that menu item.
The one thing that may be worth mentioning is the "Static Leases" section which is a fixture at the bottom of the "DHCP/DNS" page no matter what tab you happen to be working with.
On this page, you can set mac address IP reservations. And one thing I did not like about this is that it doesn't seem to prevent you from putting the wrong subnet into the reservation. So if the port is a 192.168.2.0/24 port, you can still put in a 192.168.3.0/24 IP for that mac. The GUI does not care or validate or otherwise govern the assignments. So you better know what network the port is on before you start entering reservations in the GUI. And this could be a pain if you had 4 subnets and a ton of reservations to type in here.
Okay. That is all. As we can see, this router is not as "nimble" to administer as the Ubiquiti EdgeRouterX.
Thursday, May 10, 2018
OpenWRT on a Ubiquiti EdgeRouterX - Part II
So in Part I, I built the source from scratch and generated an image that I could load onto a Ubiquiti EdgeRouterX device.
This worked - in the sense that I was able to boot that image and get a functional and working OpenWRT (LEDE) image.
The router handed me an IP address like it should have. The router was passing my packets out to the web and back, performing its SNAT functions like a good little router should.
The problems started when I tried to use the package manager.
The first problem I ran into using the package manager was the fact that the urls in the feeds.conf file were not resolving. They were all using openwrt.git.org. This may have been because the git sites for openwrt were down (temporarily). I fixed these urls by looking out on the web for the actual github urls, and commenting out the git.org sites and using the github sites instead.
Once I fixed this issue, I noticed that I kept getting an error from the opkg utility about having zero bytes in the overlay file system.
In looking, I did not have an /overlay file system. I had a directory off the root directory called /overlay.
In doing a google search on this issue I found a number of forum posts but when you clicked them, they links timed out.
Clearly, something went wrong when I built the image.
I typed the mount command, and saw a / mounted on a rootfs file system. I saw a tmpfs on /tmp. But no overlay. I didn't really understand the overlay file system anyway, so I was in trouble there. I knew enough to believe I might be able to manually mount this file system on a device, but I didn't see the device and things looked quite intimidating.
I began to realize that I was quite screwed. I had a router that I could not administratively update or manage because the file system was not "correct". I considered paper clipping (hard reset) the router, but I wasn't sure what that would do since I had replaced the original flash image from Ubiquiti with the one from OpenWRT. It seemed risky to do that.
I finally found a page that allowed me to take a more sensible risk. I found a page that had hardware / firmware images, and I decided to "upgrade" my router with the new image listed on this page. I wasn't sure if that would actually fix the file system layout on the flash or not, and I suspected it wouldn't, but I gave it a try nonetheless.
So after downloading the new flash image, I discovered another issue. This image I had built did not include the Luci GUI, so I needed to do anything and everything via command line. I found a way to upgrade the router via command line with this link:
https://openwrt.org/docs/guide-user/installation/sysupgrade.cli
Using ssh, I copied the downloaded image into a temporary directory and ran the command:
Now we have a /dev/root on /rom of type squashfs - something we did not see before.
Most importantly, we see the overlayfs mounted on the / folder in a directory called /overlay.
And some others we did not see before, either.
Things look better. We can launch a GUI and we can update our packages now. I installed OpenVPN, for example, which added itself to the "Services" menu.
This worked - in the sense that I was able to boot that image and get a functional and working OpenWRT (LEDE) image.
The router handed me an IP address like it should have. The router was passing my packets out to the web and back, performing its SNAT functions like a good little router should.
The problems started when I tried to use the package manager.
The first problem I ran into using the package manager was the fact that the urls in the feeds.conf file were not resolving. They were all using openwrt.git.org. This may have been because the git sites for openwrt were down (temporarily). I fixed these urls by looking out on the web for the actual github urls, and commenting out the git.org sites and using the github sites instead.
Once I fixed this issue, I noticed that I kept getting an error from the opkg utility about having zero bytes in the overlay file system.
In looking, I did not have an /overlay file system. I had a directory off the root directory called /overlay.
In doing a google search on this issue I found a number of forum posts but when you clicked them, they links timed out.
Clearly, something went wrong when I built the image.
I typed the mount command, and saw a / mounted on a rootfs file system. I saw a tmpfs on /tmp. But no overlay. I didn't really understand the overlay file system anyway, so I was in trouble there. I knew enough to believe I might be able to manually mount this file system on a device, but I didn't see the device and things looked quite intimidating.
I began to realize that I was quite screwed. I had a router that I could not administratively update or manage because the file system was not "correct". I considered paper clipping (hard reset) the router, but I wasn't sure what that would do since I had replaced the original flash image from Ubiquiti with the one from OpenWRT. It seemed risky to do that.
I finally found a page that allowed me to take a more sensible risk. I found a page that had hardware / firmware images, and I decided to "upgrade" my router with the new image listed on this page. I wasn't sure if that would actually fix the file system layout on the flash or not, and I suspected it wouldn't, but I gave it a try nonetheless.
So after downloading the new flash image, I discovered another issue. This image I had built did not include the Luci GUI, so I needed to do anything and everything via command line. I found a way to upgrade the router via command line with this link:
https://openwrt.org/docs/guide-user/installation/sysupgrade.cli
Using ssh, I copied the downloaded image into a temporary directory and ran the command:
sysupgrade -v /tmp/*.binAnd - lo and behold - after rebooting, I got a new, much superior image and experience. I had the Luci GUI. The file system looked proper.
Now we have a /dev/root on /rom of type squashfs - something we did not see before.
Most importantly, we see the overlayfs mounted on the / folder in a directory called /overlay.
And some others we did not see before, either.
Things look better. We can launch a GUI and we can update our packages now. I installed OpenVPN, for example, which added itself to the "Services" menu.
Thursday, November 23, 2017
Ubiquiti Edge Router ER-X - Impressive
I just love this router.
- The icon on the top that shows colorized ethernet plugs (colorization related to status). Cool.
- It was sooooo easy to configure it.
- It has a shell that takes you into Ubuntu Linux (uses Ubuntu = impressive). I'm not even sure it is using BusyBox or some slimmed down quasi-linux. It looks like a custom compile of Ubuntu.
- One cool feature is that it can support link aggregation. I am not using that feature, but it's cool.
- Has excellent support for IPv6.
It can also automatically switch the ports on the router so that you don't need a L3 switch to go with it.
So for example, you can set up:
- eth0 as the management port
- eth1 as the WAN port, and
- eth2, eth3 and eth4 are switched so that anything plugged into these are on the same network (you defined the network).
I have it set up with a hairpin NAT, and the firewall rules configured on it are rather trivial at the moment but designed to protect ingress through iptables rules.
This is truly a "power user" routing device, and it can fit into the palm of your hand; it is no bigger than a Raspberry Pi device.
This router also comes with some interesting Wizards that allow you to configure the router for certain use cases, like the WAN+LAN wizard.
So I have not done anything in-depth, but I spent an hour messing around with this device and I'm pretty impressed with it.
Subscribe to:
Posts (Atom)
SLAs using Zabbix in a VMware Environment
Zabbix 7 introduced some better support for SLAs. It also had better support for VMware. VMware, of course now owned by BroadSoft, has prio...
