Showing posts with label Netgear 3500L. Show all posts

January 18, 2013

Powerline ethernet and HW design

Powerline Ethernet is a relatively new concept that uses the existing electrical wires within a house to deliver wired networking capabilities to different parts of the house. I had been following the development of the standard with anticipation for a few years now, but apparently I was not paying attention, as the technology was commercialized relatively quickly.

I came upon the commercial implementations anew when I was looking for a solution to help extend the wireless range of my ageing router. Wireless repeaters were a potential option, but the idea of taking a degrading signal to re-broadcast it was not something that I appreciated from just an aesthetic point of view. Further, that would also constrain the location of the repeater and leave me open to the need for additional repeaters.

Enter Powerline networking and in particular a company called TP Link. After a bunch of research, I figured I was not sure if this would even work in my house and was not willing to pay the premium of a recognized brand. TP Link was a good balance between positive reviews and price.

Turns out, using the electrical wires in the house to transmit Ethernet signals is ridiculously easy.

You need a couple of pieces of hardware to get things going. The first is the base unit, which plugs into a power socket next to the broadband router. The port on that base unit plugs directly into one of the router ports. This essentially makes the entire home “live”.

You then need a client unit, which you can take anywhere in the house and plug into another power socket. On that unit is an Ethernet port that effectively works as a live network port, which can route packets through the electrical wires, through the base unit, the router and out onto the internet.

If you were only looking for an extension of your wired network, you are done. If however, you are looking to have the second unit act, also, as a WiFi access point you have additional work to do.

The additional work is because the default access point is a cryptic SSID, running an unencrypted signal. I wanted it to have the same SSID and authentication parameters as my original WiFi router, so I could roam upstairs and downstairs between either access point. Figured I'd just configure the TP-Link Powerline client access point that way.

And all hell broke loose.

TP-Link essentially hard codes the configuration IP of the second access point. The address unfortunately was the same as the base of my home network. This resulted in a few hours of mental and networking gymnastics, just to be able to configure the second access point with the SSID and authentication parameters that I liked.

Which brings me to the second point of this post - good core technology but crappy hardware design. The two Powerline plugs were not elegant by any means, but they were functionally simple and effective. But an underlying assumption that one would be OK with default access point parameters, led to some questionable hardware design choices ultimately rendering an otherwise attractive product cumbersome. If only these smaller companies took some of these underlying assumptions seriously enough, there is almost no reason why their products cannot easily compete with the big dogs - in not just the marketplace, but also the social marketplace of the star counts on Amazon.com.

Seriously guys, you should just fix it.

March 03, 2012

Configuring PPTP VPN

This post is the last in the series of upgrades I completed on my router running the new TomatoUSB router firmware. Most data for this post is thanks to this tutorial.

Requirements:

  • A router running TomatoUSB
  • Install and configure Optware on the router
  • A way to address the router from outside the home network - like setting up a dynamic DNS maybe
  • A VPN client to connect to the router

Installation

Log onto your TomatoUSB via SSH and run the following on the shell

ipkg install poptop

That is it. Wait for ipkg to do its thing and you are done installing.

Configuration

Edit the file /opt/etc/pptpd.conf

I installed what is called a Single-Net configuration: after logging in, the entire network is available to the VPN. This was a home network, and I wasn't going to implement any sort of zoning on it.

Ensure the following line is commented

logwtmp

Establish the list of available IP addresses. Here is what I have

# This is the local IP address of the router
localip 192.168.1.1
# These are the available remote IPs to be used when a remote VPN connection is made
remoteip 192.168.1.245-254

Edit the file /opt/etc/ppp/options.pptpd

Here is what I have as the final configuration. I have removed the prompts & help text to keep it clean(er).

name pptpd
#chapms-strip-domain
# BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o
# {{{
refuse-pap
refuse-chap
refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128
# }}}
# OpenSSL licensed ppp-2.4.1 fork with MPPE only, kernel module mppe.o
# {{{
#-chap
#-chapms
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
#+chapms-v2
# Require MPPE encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
#mppe-40 # enable either 40-bit or 128-bit, not both
#mppe-128
#mppe-stateless
nomppe-stateful
# }}}
# Network and Routing
ms-dns 192.168.1.1
#ms-dns 10.0.0.2
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4
proxyarp
# Logging
#debug
#dump
# Miscellaneous
lock
nobsdcomp

Authentication & Credentials

Create the file /opt/etc/ppp/chap-secrets with the VPN setup credentials. My file looks like below, of course with a valid username & password.

# Username Server Password AllowedIPs
myusername * myawesomepassword *

As with any password file, ensure it is only readable by root by running the following as root.

chmod 600 /opt/etc/ppp/chap-secrets
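
The configuration above only protects the tunnel if the `refuse-*` and `require-*` directives are active rather than commented out, and if chap-secrets really is private. The following check is an added example, not part of the original post or of poptop; the function names are hypothetical, and it assumes a POSIX shell with sed, awk, grep and ls (as BusyBox provides).

```shell
#!/bin/sh
# Added example (not from the original post): audit the pppd options file and
# chap-secrets described above. Function names are hypothetical.

# Print the first word of every active (non-blank, non-comment) line.
active_options() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$1" | awk '{print $1}'
}

# Return 0 only if all required directives are active and no downgrade is set.
audit_pptpd_options() {
    audit_rc=0
    audit_opts=$(active_options "$1")
    # Directives the post's configuration depends on
    for opt in refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128; do
        if ! printf '%s\n' "$audit_opts" | grep -qx -- "$opt"; then
            echo "MISSING: $opt"
            audit_rc=1
        fi
    done
    # pppd options that would switch off authentication or weaken MPPE
    for opt in noauth nomppe nomppe-128 require-mppe-40; do
        if printf '%s\n' "$audit_opts" | grep -qx -- "$opt"; then
            echo "WEAK: $opt"
            audit_rc=1
        fi
    done
    return $audit_rc
}

# Return 0 only if the file (symlinks followed) grants nothing to group/other.
secrets_private() {
    secrets_mode=$(ls -lLd "$1" 2>/dev/null | awk '{print $1}')
    case $secrets_mode in
        -???------*) return 0 ;;
        *) echo "UNSAFE MODE: $1 is ${secrets_mode:-missing}"; return 1 ;;
    esac
}

# Run against the paths used in the post when they exist on this machine.
if [ -f /opt/etc/ppp/options.pptpd ]; then
    audit_pptpd_options /opt/etc/ppp/options.pptpd && echo "options.pptpd: OK"
    secrets_private /opt/etc/ppp/chap-secrets && echo "chap-secrets: OK"
fi
```

Because `secrets_private` follows symlinks, it can also be pointed at /tmp/ppp/chap-secrets once the link created later in this post exists.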

Configure Firewall

Create the file /opt/etc/config/vpn.fire and put the following in it

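#!/bin/sh
# PPTP data channel (GRE)
iptables -A INPUT -p gre -j ACCEPT
# PPTP control channel
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
# Traffic from and to connected VPN clients (ppp interfaces)
iptables -A INPUT -i ppp+ -j ACCEPT
iptables -A FORWARD -i ppp+ -j ACCEPT
iptables -A FORWARD -o ppp+ -j ACCEPT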

Make the script executable by running the following

chmod +x /opt/etc/config/vpn.fire

Restart the firewall service

service firewall restart

Start VPN server

This is the last step. Create the file /opt/etc/config/vpn.wanup and add the following

#!/bin/sh
# Link chap-secrets into /tmp/ppp if it is not already there
if [ ! -f /tmp/ppp/chap-secrets ]; then
  mkdir -p /tmp/ppp
  ln -s /opt/etc/ppp/chap-secrets /tmp/ppp
fi
# Restart the PPTP daemon
/opt/etc/init.d/S20poptop restart

Make this script executable

chmod +x /opt/etc/config/vpn.wanup

That is it, this will ensure the vpn always runs whenever the WAN comes back up. The VPN is up and running.

Testing it may end up being a bit tricky. You cannot log into the network while you are on it. I used my phone, disabled WiFi, and configured it to log in via the mobile network to ensure that the VPN was indeed accessible and working. Presto, I could log into my home network from anywhere in the world.

Check out the original post about ways to configure a VPN client on an iOS or Android device.

January 19, 2012

Extending Tomato with Optware

I had waxed eloquent about the flexibility, freedom and capabilities extended by open source tools in general, and the Tomato USB in particular. Little did I know, that this was just the tip of the iceberg of capabilities offered by the third party firmware on my Netgear router.

The big extension to the core capabilities offered by the firmware is available via the installation of Optware. At its core, Optware is an advanced package manager, built for distribution of software packages across a number of platforms, including the TomatoUSB router firmware.

Optware comes with a variety of packages compiled and available in its repository. This repository extends the capabilities of the router firmware, from their stripped down, small-footprint cousins to the full featured Linux box tools.

Tomato has inbuilt support for Optware. But it needed a bunch of work, to prepare the setup for Optware. In particular there were two things that had to be done:

  • Format the connected storage in EXT3. My terabyte RAID had been originally formatted in NTFS. While TomatoUSB has support for NTFS, it is slow and painful, and fundamentally missing capabilities. Not something that lends itself to Optware.
  • Figure out where /opt is going to be mounted.

There is no easy way to convert NTFS to EXT3 - other than the slow and methodical approach. Take files off the NTFS file system, format the disk as EXT3, and copy the files back. There are several tutorials out there, like this one - the only tweak was that I ended up using the mkfs.ext3 script available on the router to format the disk.

An aside, the cheap Terabyte RAID survived and is thriving through this all - including the EXT3 formatted drive.

Now mounting storage on /opt where Optware will be installed, seemed tricky at first, but ended up being pretty simple. The reason it seemed tricky was that I created only one partition on the storage when I formatted it as EXT3. My worry was that I'd have to re-size the partition and add a new one, which could then be mounted on /opt.

Turns out, you can mount the same device on multiple mount points. And given that I am already automounting the USB device, I figured all I had to do was to mount a sub-folder on /opt. Adding the following in the “Run after mounting” script-box, did the trick.

if [ -d /mnt/Teranarchy/optware ]; then
  mount -o bind /mnt/Teranarchy/optware /opt
fi

Once I had space available on /opt - installing Optware is simple. As simple as running the following on a shell after logging in via Telnet or SSH.

wget http://tomatousb.org/local--files/tut:optware-installation/optware-install.sh -O - | tr -d '\r' > /tmp/optware-install.sh
chmod +x /tmp/optware-install.sh
sh /tmp/optware-install.sh

That is it. Optware does a great job of obtaining and installing all the packages. And because Tomato already has the correct folders in $PATH variables, all the tools and capabilities are available instantly from any shell.
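
The install command above fetches a script over plain HTTP and runs it as root, so nothing checks that the bytes executed are the ones the Optware tutorial published. A variant that refuses to run the installer unless it matches a known digest, as an added example that is not from the original post or the Optware project: the function names and the `EXPECTED_SHA256` placeholder are hypothetical, and it assumes `sha256sum` and `mktemp` are available on the router.

```shell
#!/bin/sh
# Added example (not from the original post): run the Optware installer only if
# it matches a SHA-256 digest obtained out of band. Function names are hypothetical.

URL='http://tomatousb.org/local--files/tut:optware-installation/optware-install.sh'
# Placeholder: replace with the digest of a copy you have read and trust.
# The digest is taken after the CR stripping below, not over the raw download.
EXPECTED_SHA256='<sha256-of-reviewed-installer>'

# Return 0 only if file $1 exists and hashes to hex digest $2 (any case).
sha256_matches() {
    [ -f "$1" ] || return 2
    actual_sum=$(sha256sum "$1" | awk '{print $1}')
    wanted_sum=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual_sum" ] && [ "$actual_sum" = "$wanted_sum" ]
}

# Download to a private temp file, strip CRs as the post does, verify, then run.
fetch_verify_run() {
    fvr_tmp=$(mktemp /tmp/optware-install.XXXXXX) || return 1
    if wget -q "$1" -O - | tr -d '\r' > "$fvr_tmp" && sha256_matches "$fvr_tmp" "$2"; then
        sh "$fvr_tmp"
        fvr_rc=$?
    else
        echo "refusing to run $1: download failed or digest mismatch" >&2
        fvr_rc=1
    fi
    rm -f "$fvr_tmp"
    return $fvr_rc
}

# Does nothing until the placeholder above has been replaced.
case $EXPECTED_SHA256 in
    '<'*) echo "set EXPECTED_SHA256 first" >&2 ;;
    *) fetch_verify_run "$URL" "$EXPECTED_SHA256" ;;
esac
```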

Now that I have Optware, it is time to start doing something more interesting. Like installing a VPN on the router. Coming up next.

January 12, 2012

Dynamic DNS on my Tomato Router

Here is the problem statement - now that I had my router running a custom TomatoUSB build, I wanted to open it up to the Internet so that I could access my music and data from anywhere.

The first step though, was to establish a way to address my router via the Internet. Now, I get a dynamic IP address from my ISP; so I had to find a way to keep track of the latest address. The answer, of course, was to use a dynamic DNS (DDNS) solution, of which there are dozens available. But as it turned out, my case was more complicated than that.

I chose the FreeDNS service offered by afraid.org. Tomato firmware has native support for their dynamic DNS service built in. But more importantly the tagline on their website read “Why is it free? It's quite simple. We wanted a challenge... that's it.”.

To set my site up, I had to delegate the nameserver function for my domain to my hosting provider. My initial idea was to delegate a subdomain to the FreeDNS service, and then update the IP address directly from my router. Unfortunately my hosting provider did not allow delegation of sub-domains to a different DNS provider. In other words, they did not allow NS records to be created for their inconsequential customers like me. They only allowed A, TXT or CNAME records. CNAME records - that gave me a way out.

I created a sub-domain on one of the free domains provided by the FreeDNS service - in my case it was mooo.com. The name of the sub-domain did not really matter, any available one worked just fine. Then I set up my Tomato router to update the IP address of this sub-domain automatically.

Finally, I set up a CNAME pointing a sub-domain from anarchius.org to the newly created sub-domain on mooo.com. Presto - sub-domain.anarchius.org now resolved to my WAN IP address. Here is how my DNS records look now:

There you are, Dynamic DNS on my Tomato router up and running, linked directly to my own domain. Bring on the possibilities.

December 04, 2011

TomatoUSB on Netgear 3500L

Upgrading a Netgear 3500L to the latest TomatoUSB build. This worked for me as of December 01, 2011 - with no guarantees that it will work for you or at any other time.

Required ingredients:

  • The trailed DD-WRT build to perform the first upgrade. Filename: dd-wrt.v24-15704_NEWD-2_K2.6_mini-WNR3500L.chk
  • The correct TomatoUSB version - Build 54, Kernel 2.6, CPU MIPSR2 and feature-set Extras or Ext. This is what I used, but you might check the latest version here. Filename: tomato-K26USB-1.28.9054MIPSR2-beta-Ext.rar
  • WinRAR or 7-zip or a related utility to unzip the RAR file.
  • Some timer - either an app on your phone or a watch with a seconds hand.
  • A pushpin of some sort.
  • A printout of a document that looks something like this.
  • A laptop or desktop of some kind that has a working modern browser.

Procedure:

  • Ensure your firmware files are identified, available and ready to go. See above for the two files you need to keep available. Use WinRAR or 7-Zip to unzip the .rar file. You will get a .trx file along with a changelog. Rename the .trx extension to .bin.
  • Connect your computer to the router using an Ethernet cable; if you do not have extra cords, use the one which used to connect the router to the external WAN. In either case, ensure the External WAN is disconnected.
  • Set your computer to a static IP of 192.168.1.8 (Ensure you are doing this to the wired LAN connection)
  • Perform a 30-30-30 reset using your push-pin on the depressed reset button on the back of the router. You might want to use the timer to ensure you are actually keeping it depressed for 30 seconds.
  • Wait for the router to boot back up. Using your browser, head over to http://192.168.1.1, and use your default credentials login: admin and password: password to log in.
  • Using the Upgrade option on the Netgear admin menu, use the .chk file you downloaded from the DD-WRT site. Note you are not using the bigger TomatoUSB firmware yet.
  • Wait, no seriously wait. Wait till the lights get back to normal. Wait. Wait to see that you can access the new admin interface.
  • Perform the 30-30-30 reset. Wait for the router to come back up.
  • Now head back over to http://192.168.1.1. You should be automatically logged in, but instead will be asked to set an admin account with password. You can set this to be whatever you want, your firmware is just about to be flashed.
  • Go to the Administration tab and then Firmware Upgrade sub-tab. Select the TomatoUSB file that you extracted from the RAR archive and renamed to a .bin file.
  • Again wait. For all the frenzy to subside. After you can see the router administration page again, wait some more.
  • Perform another 30-30-30 reset. Wait for the router to come back up.
  • Again head back over to http://192.168.1.1. Login using the Tomato default credentials: no login required and password: admin
  • Set up basic wireless services, located under. Disconnect the Ethernet cord, reconnect the router to the WAN network, get up, sit on the couch and continue configuring your brand new router firmware.
  • And yes, keep away the push-pin, the timer and set your wired connection back to dynamic IP.

That was it, and if you have been following along, my Toshiba Thrive connects beautifully to the new router via SMB and I can now access all the media I have on my RAID, wirelessly over the home WiFi network. Cloud anyone?

Freedom to hack: 1 - Closed systems:0.

December 03, 2011

Upgrading my Netgear 3500L

The story so far...

My tablet could not access my ReadyShare NAS that ran on my Netgear 3500L. So far, it seemed as if the problem was with the router and its implementation of SMB. After much wrangling of hands, cussing of SMB and praising the virtues of hackable gadgets, I decided to change the stock firmware on my router.

My Open Router is a great resource for available after-market firmware. It also has that typical Open Source lack of polish that makes the process of re-flashing a real journey - filled with uncertainty and trepidation. Here is an example: the initial page for the 3500L has a total of 5 open source options, and the very first article after the review is a “de-bricking” tutorial. If you were not aware, bricking happens when you mess things up so bad that the only true use of your cuboidal device is to use it as - you guessed it - a brick.

The key with open source projects is to just jump in and start reading. Do not try to form an approach - you will mostly be wrong. The most useful nuggets are mostly hidden - like the curiously named Peacock thread, or Redhawk0's firmware recommendation thread. If you were planning on using DD-WRT, you should not be touching the reset button without reading both these threads.

After about 30 tabs worth of reading, I learnt a few things. In no particular order, but relevant to me were...

  • Doing the 30-30-30 reset.
  • If you do not do a 30-30-30 before and after a firmware upgrade, you could brick your device.
  • There are two kinds of kernels used in firmwares - 2.4 and 2.6, use the wrong one and you could brick your device.
  • There are different types of builds - using a Mega build could brick my particular device.
  • If you try to reboot routers too quickly within the flashing phase, you could brick your router.
  • Trailed builds are builds specific to a particular router. They do not have all the features of a regular build, but are critical to get off the original stock firmware. Use the wrong trailed build, and you could brick your router.

And everything you learnt above had caveats, which could also cause you to brick your router.

Anyway, after several days of researching, and figuring out what my priorities were, I decided to skip the DD-WRT in favor of a different sort of firmware called Tomato, and in particular a fork called TomatoUSB, that seemed most appropriate. I still had to upgrade to the DD-WRT trailed build to get off the stock firmware, but that was only a rest-stop on the upgrade path.

Next post, doing the actual upgrade.