Sunday, March 11, 2012

Fun with OpenWRT

I've been using OpenWRT for a while. When Backfire 10.03.1 final was released, I flashed it the next day.
My router is Buffalo's WZR-HP-G300NH, which is pretty powerful for its price.

As I've been tinkering, I've run across some annoyances.


Sysctl Settings

First up: something seems funky in conntrack. Running logread shows lots of entries like:

nf_conntrack: table full, dropping packet.
nf_conntrack: table full, dropping packet.
nf_conntrack: table full, dropping packet.


In my google searches to solve it, I came across some "P2P settings" that lower the timeouts so idle entries expire before the table fills. Note that ip_conntrack_max is the table size the log message refers to; the rest only shorten how long an entry stays in it. Pop the following in /etc/sysctl.conf:

net.netfilter.nf_conntrack_checksum=0
net.ipv4.netfilter.ip_conntrack_checksum=0
net.ipv4.netfilter.ip_conntrack_max=16384
net.ipv4.netfilter.ip_conntrack_generic_timeout=60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=1200
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait=120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait=60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait=60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close=5
net.ipv4.netfilter.ip_conntrack_udp_timeout=10
net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=180
net.ipv4.netfilter.ip_conntrack_icmp_timeout=10
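As an added example (my own, not from the original post), here is a small busybox-sh check that tells you whether these timeouts are keeping up: it compares the live entry count against the table size from /proc and counts the "table full" drops in logread. The /proc paths are assumed to be those of Backfire's 2.6 kernel, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: is the conntrack table keeping up?
# Compares live entries against the table size and counts the "table full"
# drops in logread. /proc paths are assumed to be those of Backfire's 2.6
# kernel; busybox sh is enough. Run as "sh conntrack-check.sh check"; exit
# status 1 means act (handy from cron).

# Integer percentage of the conntrack table in use (0 if the size is unknown).
conntrack_pct() {
    count=$1; max=$2
    [ "$max" -gt 0 ] 2>/dev/null || { echo 0; return 1; }
    echo $(( count * 100 / max ))
}

# Number of "table full" lines in a logread dump read from stdin.
count_table_full() {
    grep -c 'nf_conntrack: table full, dropping packet' || :
}

# Verdict from a usage percentage and a drop count: any logged drop, or the
# table more than 80% full, means the timeouts above are not enough.
verdict() {
    pct=$1; drops=$2
    if [ "$drops" -gt 0 ] || [ "$pct" -ge 80 ]; then
        echo "WARN: conntrack ${pct}% used, ${drops} drops logged; shorten timeouts or raise ip_conntrack_max"
        return 1
    fi
    echo "OK: conntrack ${pct}% used, ${drops} drops logged"
}

# Live check against the running router.
report() {
    cnt=$(cat /proc/sys/net/netfilter/nf_conntrack_count 2>/dev/null || echo 0)
    max=$(cat /proc/sys/net/netfilter/nf_conntrack_max 2>/dev/null || echo 0)
    drops=$(logread 2>/dev/null | count_table_full)
    verdict "$(conntrack_pct "$cnt" "$max")" "$drops"
}

# Constructed sample of what logread printed in the post (timestamps, host
# name and the dnsmasq line are made up for the self-test).
SAMPLE_LOG='Mar 11 10:02:01 fusion kern.warn kernel: nf_conntrack: table full, dropping packet.
Mar 11 10:02:01 fusion kern.warn kernel: nf_conntrack: table full, dropping packet.
Mar 11 10:02:05 fusion daemon.info dnsmasq[1234]: started, version 2.55 cachesize 150'

case "${1:-}" in
    check) report ;;
esac
```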

I've also stuffed a USB stick in the back and I've been trying to get Squid working on it to supplement my WiMAX connection.

Installing SQUID

Downloading/Installing SQUID

# opkg install squid
Installing squid (2.7.STABLE9-1) to root...
Downloading http://downloads.openwrt.org/backfire/10.03.1-rc4/ar71xx/packages/squid_2.7.STABLE9-1_ar71xx.ipk.
Installing libopenssl (0.9.8p-1) to root...
Downloading http://downloads.openwrt.org/backfire/10.03.1-rc4/ar71xx/packages/libopenssl_0.9.8p-1_ar71xx.ipk.
Installing zlib (1.2.3-5) to root...
Downloading http://downloads.openwrt.org/backfire/10.03.1-rc4/ar71xx/packages/zlib_1.2.3-5_ar71xx.ipk.
Installing libpthread (0.9.30.1-43.10) to root...
Downloading http://downloads.openwrt.org/backfire/10.03.1-rc4/ar71xx/packages/libpthread_0.9.30.1-43.10_ar71xx.ipk.
Installing librt (0.9.30.1-43.10) to root...
Downloading http://downloads.openwrt.org/backfire/10.03.1-rc4/ar71xx/packages/librt_0.9.30.1-43.10_ar71xx.ipk.
Configuring librt.
Configuring libpthread.
Configuring zlib.
Configuring libopenssl.
Configuring squid.

Directories

I had to create the following directories:
# mkdir -p /mnt/usbstorage/squid/squid-cache
# mkdir -p /mnt/usbstorage/squid/log

SQUID config file

My /etc/squid/squid.conf looks like:

pid_filename /var/run/squid.pid

# Squid keeps running as root with these two; the Backfire package ships no
# dedicated user. A non-root user such as nobody (chown the cache and log
# directories to it) is the safer choice if your image has one.
cache_effective_user root
cache_effective_group nogroup
cache_mgr kamilion@gmail.com
visible_hostname fusion

# These default to lru if commented. Broken on '2.6'? (squid 2.6? Kernel 2.6?)
#cache_replacement_policy heap LFUDA
#memory_replacement_policy LFUDA

ipcache_size 2048
cache_swap_low 90
cache_swap_high 95
maximum_object_size_in_memory 100 KB

# With a 64MB RAM / 8MB flash router you can use 16MB of cache_mem. With less RAM use 8MB; below that squid does not work well.
cache_mem 16 MB

# cache_dir: change it if you want. 100 means a 100MB cache size.
cache_dir ufs /mnt/usbstorage/squid/squid-cache 100 16 256

logfile_rotate 10
fqdncache_size 2048
memory_pools off
maximum_object_size 16384 KB
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
buffered_logs on
half_closed_clients off
negative_dns_ttl 10 second
connect_timeout 60 second
read_timeout 80 second
request_timeout 80 second

# Logs, goes to USB stick
cache_access_log /mnt/usbstorage/squid/log/squid-access.log
cache_log /mnt/usbstorage/squid/log/squid-debug.log
cache_store_log /mnt/usbstorage/squid/log/squid-storage.log

# Logs, goes into openwrt's existing log folder.
#cache_access_log /var/log/squid-access.log
#cache_log /var/log/squid-debug.log
#cache_store_log /var/log/squid-storage.log


hierarchy_stoplist on

# Our internal IP and listen port
http_port 10.30.60.254:3128 transparent

# Global ACL definitions (access control lists)
acl idents ident REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
acl intern dst 10.30.60.0/24
acl FTP proto FTP
always_direct allow FTP

# Allowed external ports and internal LAN IPs
acl Allowed_Ports port 80 99 443 21 563 488 777 210 1025-65535
acl yourLAN src 10.30.60.0/24

# http_access rules: squid walks these top to bottom and the first match wins,
# so the denies have to come before the LAN allow. An "http_access allow all"
# above them would match every request, turn squid into an open proxy and
# leave the manager deny and the LAN restriction unreachable.
http_access allow manager localhost
http_access deny manager
http_access deny !Allowed_Ports
# Any client that answers an ident lookup, from any source; drop this line if
# only the LAN rules below should grant access.
http_access allow idents
http_access allow yourLAN
http_access allow intern
http_access deny all
icp_access deny all
miss_access allow all
always_direct allow intern
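A quick way to confirm the access rules are doing their job, as an added example of my own rather than anything from the original post: audit squid-access.log for clients outside the yourLAN range. It assumes Squid's native log format, where the client address is the third field; the sample lines are constructed and use documentation addresses.

```shell
#!/bin/sh
# Added example, not from the original post: audit squid-access.log for clients
# outside the yourLAN range. With the proxy bound to the router's LAN address
# nothing else should ever appear; a foreign client means the http_access order
# or a port forward has made squid an open proxy. Assumes Squid's native log
# format, where the client address is the third field.
LAN_PREFIX="10.30.60."

# Print each non-LAN client address and its request count, one per line,
# from the log files given as arguments (or stdin when none are given).
foreign_clients() {
    awk -v p="$LAN_PREFIX" '
        index($3, p) != 1 { n[$3]++ }
        END { for (c in n) print c, n[c] }' "$@" | sort
}

# Exit 1 (and print the offenders) when any foreign client was seen.
audit() {
    found=$(foreign_clients "$@")
    [ -z "$found" ] && { echo "OK: only LAN clients in the log"; return 0; }
    echo "WARN: non-LAN clients used the proxy:"
    echo "$found"
    return 1
}

# Constructed sample lines in Squid's native format (documentation addresses).
SAMPLE_ACCESS='1331456521.123     45 10.30.60.17 TCP_MISS/200 5123 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1331456522.456     12 10.30.60.17 TCP_HIT/200 812 GET http://www.example.com/a.png - NONE/- image/png
1331456530.789    300 203.0.113.9 TCP_MISS/200 4444 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1331456531.001    301 203.0.113.9 TCP_MISS/200 4444 GET http://www.example.net/ - DIRECT/192.0.2.11 text/html'

# Usage: sh squid-audit.sh /mnt/usbstorage/squid/log/squid-access.log
if [ $# -gt 0 ]; then
    audit "$@"
fi
```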

Check

Initialise the cache directories. Squid parses the config before creating them, so this also surfaces config errors:
# squid -f /etc/squid/squid.conf -z

S80squid

This is the dd-wrt startup file I'm adapting. It starts SQUID and sets up the transparent iptables rules.

#!/bin/sh
# Starts squid and installs the NAT rules that push LAN port-80 traffic through it.
# Adapted from dd-wrt, whose LAN bridge is br0; on OpenWRT it is br-lan.

INTERNAL_NETWORK=10.30.60.0/24
ROUTER_IP=10.30.60.254
PROXY_SERVER=10.30.60.254
PROXY_PORT=3128
LAN_IF=br-lan
# Set this to an empty string to start squid without the port 80 redirect.
TRANSPARENT_PROXY="1"
# The rules are recorded in a flag file so that a second "start" does not insert
# them twice and "stop" only deletes what was added. (An exported shell variable
# does not survive between runs of this script, so it cannot serve as the marker.)
RULES_FLAG=/var/run/squid-transparent

add_rules() {
    # LAN-to-LAN web traffic bypasses the proxy ...
    /usr/sbin/iptables -t nat -A PREROUTING -i $LAN_IF -s $INTERNAL_NETWORK -d $INTERNAL_NETWORK -p tcp --dport 80 -j ACCEPT
    # ... everything else on port 80 is DNATed to squid, except traffic from the proxy host itself.
    /usr/sbin/iptables -t nat -A PREROUTING -i $LAN_IF ! -s $PROXY_SERVER -p tcp --dport 80 -j DNAT --to $PROXY_SERVER:$PROXY_PORT
    # The SNAT and FORWARD rules only matter when the proxy is a separate LAN host;
    # with squid on the router itself the DNATed traffic is delivered locally (INPUT) and they never match.
    /usr/sbin/iptables -t nat -A POSTROUTING -o $LAN_IF -s $INTERNAL_NETWORK -p tcp -d $PROXY_SERVER -j SNAT --to $ROUTER_IP
    /usr/sbin/iptables -t filter -I FORWARD -s $INTERNAL_NETWORK -d $PROXY_SERVER -i $LAN_IF -o $LAN_IF -p tcp --dport $PROXY_PORT -j ACCEPT
}

del_rules() {
    /usr/sbin/iptables -t nat -D PREROUTING -i $LAN_IF -s $INTERNAL_NETWORK -d $INTERNAL_NETWORK -p tcp --dport 80 -j ACCEPT
    /usr/sbin/iptables -t nat -D PREROUTING -i $LAN_IF ! -s $PROXY_SERVER -p tcp --dport 80 -j DNAT --to $PROXY_SERVER:$PROXY_PORT
    /usr/sbin/iptables -t nat -D POSTROUTING -o $LAN_IF -s $INTERNAL_NETWORK -p tcp -d $PROXY_SERVER -j SNAT --to $ROUTER_IP
    /usr/sbin/iptables -t filter -D FORWARD -s $INTERNAL_NETWORK -d $PROXY_SERVER -i $LAN_IF -o $LAN_IF -p tcp --dport $PROXY_PORT -j ACCEPT
}

case "$1" in
    start)
        echo -n "Starting proxy server: "
        /usr/sbin/squid -f /etc/squid/squid.conf
        if [ -n "$TRANSPARENT_PROXY" ]; then
            if [ -f "$RULES_FLAG" ]; then
                echo "iptables rules already in place (remove $RULES_FLAG if they are not)."
            else
                add_rules && touch "$RULES_FLAG"
            fi
        fi
        echo "done."
        ;;
    stop)
        echo -n "Stopping proxy server: "
        /usr/sbin/squid -f /etc/squid/squid.conf -k shutdown
        if [ -f "$RULES_FLAG" ]; then
            del_rules && rm -f "$RULES_FLAG"
            /usr/sbin/iptables -t filter -L
            /usr/sbin/iptables -t nat -L
        fi
        echo "done."
        ;;
    reload|force-reload)
        echo -n "Reloading proxy server configuration files: "
        /usr/sbin/squid -f /etc/squid/squid.conf -k reconfigure
        echo "done."
        ;;
    restart)
        # Stop, give squid a moment to exit, then start again.
        echo "Restarting proxy server: "
        "$0" stop
        sleep 2
        "$0" start
        ;;
    *)
        echo "Usage: /etc/init.d/S80squid {start|stop|reload|force-reload|restart}"
        exit 1
        ;;
esac