Sunday, March 11, 2012

Fun with OpenWRT

I've been using OpenWRT for a while. When Backfire 10.03.1 final was released, I flashed it the next day.
My router is Buffalo's WZR-HP-G300NH, which is pretty powerful for its price.

As I've been tinkering, I've run across some annoyances.


Sysctl Settings

First up: something seems funky in conntrack. Running logread shows lots of entries like:

nf_conntrack: table full, dropping packet.
nf_conntrack: table full, dropping packet.
nf_conntrack: table full, dropping packet.


In my Google searches to solve it, I came across some "P2P settings" that lower the conntrack timeouts so the table does not fill as quickly. These are the legacy net.ipv4.netfilter.ip_conntrack_* names; newer kernels expose the same knobs as net.netfilter.nf_conntrack_*. Shorter timeouts also mean idle flows fall out of the table sooner, so if long-lived idle sessions such as VoIP or VPN start dropping, the UDP and generic timeouts are the ones to raise. Pop the following in /etc/sysctl.conf:

net.netfilter.nf_conntrack_checksum=0
net.ipv4.netfilter.ip_conntrack_checksum=0
net.ipv4.netfilter.ip_conntrack_max=16384
net.ipv4.netfilter.ip_conntrack_generic_timeout=60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=1200
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait=120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait=60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait=60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close=5
net.ipv4.netfilter.ip_conntrack_udp_timeout=10
net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=180
net.ipv4.netfilter.ip_conntrack_icmp_timeout=10


I've also stuffed a USB stick in the back and I've been trying to get Squid working on it to supplement my WiMAX connection.



Installing SQUID

Downloading/Installing SQUID

# opkg install squid
Installing squid (2.7.STABLE9-1) to root...
Downloading http://downloads.openwrt.org/backfire/10.03.1-rc4/ar71xx/packages/squid_2.7.STABLE9-1_ar71xx.ipk.
Installing libopenssl (0.9.8p-1) to root...
Downloading http://downloads.openwrt.org/backfire/10.03.1-rc4/ar71xx/packages/libopenssl_0.9.8p-1_ar71xx.ipk.
Installing zlib (1.2.3-5) to root...
Downloading http://downloads.openwrt.org/backfire/10.03.1-rc4/ar71xx/packages/zlib_1.2.3-5_ar71xx.ipk.
Installing libpthread (0.9.30.1-43.10) to root...
Downloading http://downloads.openwrt.org/backfire/10.03.1-rc4/ar71xx/packages/libpthread_0.9.30.1-43.10_ar71xx.ipk.
Installing librt (0.9.30.1-43.10) to root...
Downloading http://downloads.openwrt.org/backfire/10.03.1-rc4/ar71xx/packages/librt_0.9.30.1-43.10_ar71xx.ipk.
Configuring librt.
Configuring libpthread.
Configuring zlib.
Configuring libopenssl.
Configuring squid.

Directories

I had to create the following directories:
# mkdir -p /mnt/usbstorage/squid/squid-cache
# mkdir -p /mnt/usbstorage/squid/log

SQUID config file

My /etc/squid/squid.conf looks like:
pid_filename /var/run/squid.pid

cache_effective_user root
cache_effective_group nogroup
cache_mgr kamilion@gmail.com
visible_hostname fusion

# These default to lru if commented. Broken on '2.6'? (squid 2.6? Kernel 2.6?)
#cache_replacement_policy heap LFUDA
#memory_replacement_policy LFUDA

ipcache_size 2048
cache_swap_low 90
cache_swap_high 95
maximum_object_size_in_memory 100 KB

# If you have a 64/8 MB router you can use 16 MB for cache_mem. If smaller, use 8 MB. Any less and it won't work well.
cache_mem 16 MB

# cache_dir: change it if you want. 100 means a 100 MB cache size.
cache_dir ufs /mnt/usbstorage/squid/squid-cache 100 16 256

logfile_rotate 10
fqdncache_size 2048
memory_pools off
maximum_object_size 16384 KB
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
buffered_logs on
half_closed_clients off
negative_dns_ttl 10 second
connect_timeout 60 second
read_timeout 80 second
request_timeout 80 second

# Logs go to the USB stick.
cache_access_log /mnt/usbstorage/squid/log/squid-access.log
cache_log /mnt/usbstorage/squid/log/squid-debug.log
cache_store_log /mnt/usbstorage/squid/log/squid-storage.log

# Logs go into OpenWRT's existing log folder.
#cache_access_log /var/log/squid-access.log
#cache_log /var/log/squid-debug.log
#cache_store_log /var/log/squid-storage.log


hierarchy_stoplist on

# Our internal IP and listen port
http_port 10.30.60.254:3128 transparent

# Global ACL-Definitions (Access control lists)
acl idents ident REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
acl intern dst 10.30.60.0/24
acl FTP proto FTP
always_direct allow FTP

# Allowed External Ports and Internal Lan IPs
acl Allowed_Ports port 80 99 443 21 563 488 777 210 1025-65535
acl yourLAN src 10.30.60.0/24

#http_access definition
http_access allow idents
http_access allow all
http_access allow intern
http_access deny manager all
http_access allow yourLAN
http_access deny all
icp_access deny all
miss_access allow all
always_direct allow intern
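
Squid evaluates http_access lines top to bottom and stops at the first line whose ACLs all match, so the http_access allow all above makes the four http_access lines after it, including deny manager all, unreachable. Below is an added check (not from the post or from Squid) that parses the acl and http_access lines and reports such shadowed rules; it treats a src ACL on 0.0.0.0/0 as the catch-all, which is how all is defined in the config above.

```python
"""Added check: Squid stops at the first http_access line whose ACLs all match,
so a rule built only from catch-all ACLs shadows every rule below it."""
CATCH_ALL_SRC = {"0.0.0.0/0.0.0.0", "0.0.0.0/0", "all"}  # 'src' args matching every client

def parse_acls(lines):
    """Map acl name -> (type, [args]) from 'acl NAME TYPE ARGS...' lines."""
    acls = {}
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
    return acls

def matches_everyone(acl_name, acls):
    """True for a 'src' ACL that covers the whole IPv4 space."""
    acl_type, args = acls.get(acl_name, (None, []))
    return acl_type == "src" and any(a in CATCH_ALL_SRC for a in args)

def shadowed_http_access(lines):
    """Return [(line_no, rule, shadowing_line_no)] for rules that can never match."""
    acls = parse_acls(lines)
    shadowed, terminal = [], None
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 3 or parts[0] != "http_access" or parts[1] not in ("allow", "deny"):
            continue
        if terminal is not None:
            shadowed.append((n, line.strip(), terminal))
        # A line is terminal when every (non-negated) ACL term on it matches everyone.
        elif all(not t.startswith("!") and matches_everyone(t, acls) for t in parts[2:]):
            terminal = n
    return shadowed

# Constructed sample: the acl and http_access lines from the squid.conf above.
SAMPLE = """acl idents ident REQUIRED
acl manager proto cache_object
acl all src 0.0.0.0/0.0.0.0
acl intern dst 10.30.60.0/24
acl yourLAN src 10.30.60.0/24
http_access allow idents
http_access allow all
http_access allow intern
http_access deny manager all
http_access allow yourLAN
http_access deny all""".splitlines()

if __name__ == "__main__":
    for n, rule, by in shadowed_http_access(SAMPLE):
        print(f"line {n}: '{rule}' can never match (shadowed by line {by})")
```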

Check

Check that everything is OK. The -z flag creates the cache swap directories under cache_dir, so run it once before the first start (squid -k parse checks the config syntax without touching the cache):
# squid -f /etc/squid/squid.conf -z

S80squid

This is the dd-wrt startup file I'm adapting. It starts Squid and sets up the iptables rules for the transparent proxy.
#!/bin/sh
# Adapted from the dd-wrt S80squid script. Starts Squid and installs the iptables
# rules that redirect the LAN's port-80 traffic through the proxy.

INTERNAL_NETWORK=10.30.60.0/24
ROUTER_IP=10.30.60.254
PROXY_SERVER=10.30.60.254
PROXY_PORT=3128
# dd-wrt calls the LAN bridge br0; OpenWRT's default LAN bridge is br-lan.
LAN_IF=br-lan
# Uncomment this to short-circuit setting up the iptables rules. Note that the
# 'export' lines below only affect this run of the script, not the next one, so
# the "already run" branches fire only when this is set here or in the caller's shell.
TRANSPARENT_PROXY="1"

case "$1" in
    start)
        echo -n "Starting proxy server: "
        /usr/sbin/squid -f /etc/squid/squid.conf
        if [ -z "$TRANSPARENT_PROXY" ]; then
            # Leave LAN-to-LAN web traffic alone.
            /usr/sbin/iptables -t nat -A PREROUTING -i $LAN_IF -s $INTERNAL_NETWORK -d $INTERNAL_NETWORK -p tcp --dport 80 -j ACCEPT
            # Redirect everything else from the LAN on port 80 (except the proxy's own traffic) to Squid.
            /usr/sbin/iptables -t nat -A PREROUTING -i $LAN_IF ! -s $PROXY_SERVER -p tcp --dport 80 -j DNAT --to $PROXY_SERVER:$PROXY_PORT
            /usr/sbin/iptables -t nat -A POSTROUTING -o $LAN_IF -s $INTERNAL_NETWORK -p tcp -d $PROXY_SERVER -j SNAT --to $ROUTER_IP
            /usr/sbin/iptables -t filter -I FORWARD -s $INTERNAL_NETWORK -d $PROXY_SERVER -i $LAN_IF -o $LAN_IF -p tcp --dport $PROXY_PORT -j ACCEPT
            export TRANSPARENT_PROXY="1"
        else
            echo "This script has already run!"
            echo "If it hasn't, unset TRANSPARENT_PROXY manually via the shell."
        fi
        echo "done."
        ;;
    stop)
        echo -n "Stopping proxy server: "
        /usr/sbin/squid -f /etc/squid/squid.conf -k shutdown

        if [ -z "$TRANSPARENT_PROXY" ]; then
            /usr/sbin/iptables -t nat -D PREROUTING -i $LAN_IF -s $INTERNAL_NETWORK -d $INTERNAL_NETWORK -p tcp --dport 80 -j ACCEPT
            /usr/sbin/iptables -t nat -D PREROUTING -i $LAN_IF ! -s $PROXY_SERVER -p tcp --dport 80 -j DNAT --to $PROXY_SERVER:$PROXY_PORT
            /usr/sbin/iptables -t nat -D POSTROUTING -o $LAN_IF -s $INTERNAL_NETWORK -p tcp -d $PROXY_SERVER -j SNAT --to $ROUTER_IP
            /usr/sbin/iptables -t filter -D FORWARD -s $INTERNAL_NETWORK -d $PROXY_SERVER -i $LAN_IF -o $LAN_IF -p tcp --dport $PROXY_PORT -j ACCEPT
            export TRANSPARENT_PROXY="1"

            # Show what is left in the tables after the rules are removed.
            /usr/sbin/iptables -t filter -L
            /usr/sbin/iptables -t nat -L
        else
            echo "This script has already run!"
            echo "If it hasn't, unset TRANSPARENT_PROXY manually via the shell."
        fi

        echo "done."
        ;;
    reload|force-reload)
        echo -n "Reloading proxy server configuration files: "
        /usr/sbin/squid -f /etc/squid/squid.conf -k reconfigure
        echo "done."
        ;;
    restart)
        echo "Restarting proxy server: "
        "$0" stop
        sleep 1
        "$0" start
        ;;
    *)
        echo "Usage: /etc/init.d/S80squid {start|stop|reload|force-reload|restart}"
        exit 1
        ;;
esac

Wednesday, January 4, 2012

Really, Brother?

This is popping up on my screen every five minutes.


Really? Ink Low?
Doesn't look low to me, and certainly not low enough to be BUGGING ME EVERY FIVE MINUTES.

I'd expect it to be complaining at 15%-25%, not "hey, your black dropped below 50%!"

I think I'm going to change the printer's assigned hostname from the router to 'navi'.
"HEY, LISTEN! HEY, LISTEN! HEY, LISTEN!"