These are taggart’s openwrt notes (for lack of a better place to put them).
This is sort of a “cerowrt lite” that gets you some of the recent innovation but still on openwrt where you can update to newer releases if you need to get particular things faster than they go into “cerowrt”.

Setting up openwrt with SQM¶

Install¶

install the Chaos Calmer (hereafter CC) release (or newer if needed) on your device.
- Here are the generic instructions which are good to read for understanding
- Reading the page specific to your hardware is probably the best place to start. Look up your device in the Table of Hardware. The cerowrt (and openwireless.org) effort recommends the Netgear WNDR3800 as an affordable model with a decent design and good driver support (Here is the WNDR3800 page). If your link is >80Mbit the WNDR3800’s CPU won’t be able to do SQM, you should consider using a general x86 CPU, here is my page with openwrt x86 details.
- Grab the current CC release image from here (or trunk snapshot image from here). If you are using a Netgear WNDR3800 it is an ar71xx/generic.

login and initial setup¶

openwrt base images are designed to be very minimal and then you add the things you need. The first thing we need to do is get logged in, setup password, ssh, and install the web UI (luci).

login
- login with
```
telnet 192.168.1.1
```
  , set root password with
```
passwd
```
- login with
```
ssh root@192.168.1.1
```
  and the password you set
update packages and install some things
- Update the view of available packages:
```
opkg update
```
- Install the luci web interface:
```
opkg install luci
```
Now that luci is installed, you can point your browser at the web interface
```
http://192.168.1.1
```
setup ssh: System→Administration
- listen only on lan
- setup ssh keys
- “save and apply”
- ensure ssh with keys works, then turn off ssh with passwords: disable both “Allow SSH password authentication” and “Allow the root user to login with password”, and then “save and apply”. Exit your ssh login as well.

setup wireless¶

Under Network → Wifi
- Enable Radio 0.
- Scan (with the Scan button) for existing networks and determine the strength and count of other networks on the existing channels (bgn=1,6,11). Decide which channel will have the least interference. Ideally choose a channel with no other networks (almost impossible these days), but if that’s not possible, choose one with fewer networks that have strong signals (more bars).
setup private 802.11bgn(2.4GHz) network (edit existing “OpenWRT” bgn network)
- Click “edit” on the 802.11bgn network.
- set channel to the one you determined above
- set new ESSID
- keep Mode=Access Point, Network=lan, Hide ESSID=off, WMM Mode=on
- switch to Wireless Security tab, set Encryption=WPA2-PSK, leave Cipher=auto, set key (if you know you have devices that need to be on the private network and don’t support WPA2, you can used mixed mode, but try WPA2 only first)
- Save & Apply
- Enable the new network
setup private 802.11an(5GHz) network (edit existing “OpenWRT” an network)
- Enable Radio 1.
- Scan (with the Scan button) for existing networks and determine the strength and count of other networks on the existing channels. Decide which channel will have the least interference. Choose a channel with no other networks, this is way easier because 802.11an has way more channels.
- Click “edit” on the 802.11an network.
- set new ESSID
- keep Mode=Access Point, Network=lan, Hide ESSID=off, WMM Mode=on
- switch to Wireless Security tab, set Encryption=WPA2-PSK, leave Cipher=auto, set key (if you know you have devices that need to be on the private network and don’t support WPA2, you can used mixed mode, but try WPA2 only first)
- Save & Apply
- Enable the new network
If you want create a guest wlan, using the instruction here. It will only be allowed to talk to the internet and to the DNS and DHCP servers. Here is a sort summary, but if you get stuck refer to the link.
- Add a new 802.11bgn(2.4GHz) network by clicking “add” under the bgn radio section.
- set new ESSID (something like “foo-guest” where foo is the name you used for private above)
- create a new “guest” network for it to be in
- keep Mode=Access Point, Hide ESSID=off, WMM Mode=on
- under “Wireless Security” use "WPA-PSK/WPA2-PSK Mixed Mode, “auto” Cipher, and set a key.
- Save & Apply
- Enable the new network
- These steps need to be done via ssh
  - Edit
```
/etc/config/network
```
    and make the guest interface look like this:
```
config interface 'guest'      
        option proto 'static'
        option 'ipaddr' '192.168.2.1'
        option 'netmask' '255.255.255.0'
```
  - Note: While you’re in
```
/etc/config/network
```
    verify that there is only one
```
config interface 'guest'
```
    section. If there are more than one remove the instances that don’t match the one we just added.
  - Edit
```
/etc/config/dhcp
```
    and add a guest section like this:
```
config dhcp 'guest'                                      
        option interface 'guest'                         
        option start '151'                               
        option limit '200'                               
        option leasetime '12h'              
```
  - ```
  /etc/init.d/network restart
```
- If you want to setup a guest 802.11an(5GHz) network, you can repeat the radio setup steps above for a 802.11an network (but you don’t need to repeat the guest network/dhcp steps unless you want it on a separate subnet)
- The guest network won’t be easily usable yet until you setup the needed changes to the firewall below, so don’t test yet.

setup firewall¶

Go to the Network→Firewall page
Enable SYN-flood=yes, Drop invalid packets=yes
If you created a guest wireless network above, click “add” to setup a new “guest” zone
- input→reject, output→accept, forward→reject
- covered networks should only be “guest”
- Inter-zone Forwarding→Allow to destination zones should be “wan”
- Save & Apply
- back on the main firewall page you should see your new guest zone showing guest => WAN
Traffic Rules
- New forward rule, “guest DNS”, source zone=“guest”, dest zone=“wan”, Add and edit. Then: TCP+UDP, dest zone=“Device”, dest port=53, Save & Apply.
- New forward rule, “guest DHCP”, source zone=“guest”, dest zone=“wan”, Add and edit. Then: UDP, source port=68, dest zone=“Device”, dest port=67, Save & Apply.
Now you can test that guest wifi is working, you should be able to connect, get a DHCP lease(address assigned in the subnet and range you set above), use DNS, and talk to the internet.

Other stuff¶

SQM – Smart Queue Management

Modern network devices suffer from a few problems that can periodically make the network completely unusable, generally referred to as Bufferbloat. The combination of large buffers on network devices (in your computer, the wireless access point, the router, etc), assymetric ISP network bandwidth(usually large download/small upload, and poor algorithm performance in the face of multiple users can cause serious, multi-second delays. This is particularly bad for things that need low latency like voice/video conferencing, network games, etc.

Lots of smart people figured this out and solved it (first in cerowrt, now available in openwrt and the Linux kernel). The solution is referred to as “Smart Queue Management” (aka SQM) and is a combination of:

“Active Queue Management”(aka AQM) which includes advanced network scheduler algorithms, such as fq_codel, ECN. These improve behavior when the buffer/network is full, in order to ensure the best performance for all users.
“Quality of Service” which works to prioritize certain important types of traffic over others that can go slower (for example: video conferencing over bulk downloads)
traffic shaping and rate limiting, in order to ensure network buffers out of our control (upstream cable/DSL modems, network switches/routers, etc) cannot introduce bufferbloat into our connections.
SQM and the newest fixes to the Linux kernel are now available in openwrt CC.

install luci-app-sqm via web System→Software or opkg, which will pull in all the needed components.
We’re going to run iterative tests with different values in order to maximize stability and bandwidth.
- Read this cerowrt page and the README.md for the CeroWrtScripts
- Setup the test environment on a system that can be connected via ethernet to the switch on the router
  - ```
  git clone https://github.com/richb-hanover/CeroWrtScripts.git
```
- ```
apt-get install netperf
```
    (non-free unfortunately)
With SQM disabled on the router, run betterspeedtest.sh and save the results.
Now enable sqm Network→SQM QoS on WAN interface (eth1 on the WNDR3800) with settings that are 95% of what the above test got for upload and download.
Run betterspeedtest.sh again and compare the results.
I also use smokeping to measure latency over long periods, I can set up my smokeping server to monitor your IP (if I haven’t already and told you to follow this HOWTO).
Keep adjusting and running until you are happy with the results.
If you desire to limit the guest network speeds, setup a sqm rule for wlan0-1 (or whichever interface you want to limit) at the desired reduced speeds. But given how good SQM is at managing things, this shouldn’t be needed unless you have abusive users on the guest network.

BCP38

The IETF released a document, called “Best Current Practices 38” (aka BCP38) that recommends all networks filter their outbound traffic to stop traffic with sender addresses that are not from their network. This is needed because hackers take over computers and use them to inject this illegitimate traffic in order to attack others. If everyone on the internet implemented BCP38 in their networks, it would really cut down on these sorts of attacks. It’s easy to setup so everyone should do so as part of being a good internet citizen.

install luci-app-bcp38 (which is the web ui package for bcp38) via web System→Software or opkg, which will pull in all the needed components.
configure under Network→Firewall→BCP38, check enable

Site specific stuff

setup any needed port forwards (maybe you need to forward an external port into ssh on a host?)
setup any needed static DHCP assignments and hostnames (maybe you want to have convenient names for local services?)

Testing¶

Test that you can connect to each of the wifi networks and use the internet.
Test that devices on the private wifi can talk to devices on the LAN.
Test that devices on the guest network cannot talk to devices on the LAN.
From a host elsewhere on the internet(and one that you can run port scans from, maybe NFSW), use nmap on your address and make sure the ports that are open are the ones you think should be.
With betterspeedstest.sh or some big downloads saturating (maybe a bunch of fast torrents) try doing video conferencing with someone.

Adding additional APs¶

If you have wired backhaul, setting up multiple wireless access points to provide the same ESSID and allow clients to seamlessly roam does not require any special setup, the roaming stuff is built in to the clients. All that is needed is for the access points’ wireless and wired switches to be on the same network, and only have one DHCP server and the other APs are just dumb devices that aren’t doing any routing/firewalling/dhcp/etc. Here is a good article explaining the details.

NOTE: if you don’t have wired backhaul and want to use the wireless itself as
backhaul then you need something like WDS.

Setting up additional AP¶

same login and initial setup as above
same private wireless setup as above, except
- we want each AP to be on a different wireless channel so they don’t interfere with each other (with bgn we only have 3 choices so it get crowded, an has many more channels and is easy)
- no guest wireless, setting that up would be a lot more complicated
delete wan6 interface
edit wan interface
- disable from coming up on boot
- disable wan from doing dhcp
edit br0
- change static IP (I started with 192.168.1.254)
- set gateway and DNS to 192.168.1.1 (these should only matter for the device itself, like running opkg update)
System→Startup, disable and stop odhcpd and dnsmasq
disable the firewall/nat, delete the zones

back on the main router, setup a static dhcp and hostname assignment for the AP, to make it easy to access it via http/ssh