Now the Netgear factory firmware actually is a heavily stripped down old version of OpenWRT. After reading a few of forum posts and wiki pages I decided that I should go for a bleeding edge snapshot version of OpenWRT (r27153). It’s all working very well now :)

Installation

First thing, I grabbed openwrt-ar71xx-generic-wndr3700-squashfs-factory.img from the website and flashed it onto the router using the stock firmware’s upgrade page. This process went smoothly and rebooted the router. I then used telnet to connect and was prompted to set a password. That disabled telnetd and enables the dropbear ssh server. I also put an ssh public key into /etc/dropbear/authorized_keys. So far so good.

OpenWRT uses a squashfs as the base read-only filesystem, with jffs2 set up as an overlay filesystem so you can write to anywhere. You can use the builtin opkg package manager to install a bunch of useful software beyond what is built in. Currently I have 2.3M used with 4.2M free :)

I didn’t bother installing a web interface, instead preferring to do all the configuration using the UCI config files in /etc/config. See the UCI docs for a description of what to put in all these files. Whenever you start a service, eg dnsmasq using the /etc/init.d/dnsmasq script, the appropriate UCI files are read, a temporary native config file for the service is created (if appropriate) and any necessary command line args are generated to start the service.

Syslog

If you’re trying to debug something, you can view the syslog on the device using the logread command. The logger command will echo its arguments to syslog.

Wireless Setup

Most of the /etc/config/wireless settings are automatically detected. Just set the encryption to psk2 (WPA2 AES) and put in your preferred passphrase and ssid.

The radios on this device support multiple SSIDs. Each of these shows up as a separate network interface in Linux. I chose ‘guest’ as the name for this interface.

config wifi-iface
  option device radio0
  option network guest
  option mode ap
  option wmm 0
  option encryption none
  option ssid 'your-guest-ssid'

Quick note, I discovered that leaving wmm (Wireless MultiMedia extensions?) enabled (the default) made SIP VoIP calls from my Nokia wifi clients unusable. It’s easy to disable as seen above.

Firewall (iptables)

Now we have our guest wifi network interface, lets set up some firewall rules to isolate it from the main lan.

I’m not using the WAN port on my WNDR3700. There are three interfaces that are relevant. The ethernet switch and my main wifi are both bridged as ‘lan’. This network is served by DHCP and DNS from my Debian router. It is 192.168.1.0/24. I also have the ‘guest’ network, which is not bridged, and gets DHCP and DNS from dnsmasq on the WNDR3700, it uses 192.168.2.0/24. dnsmasq is set to forward DNS requests onto my main router and to explicitly ignore the ‘lan’ interface.

The firewall policy is to disallow everything on the guest network except:

• ICMP
• DHCP/DNS requests to dnsmasq on the WNDR3700
• Packets from 192.168.2.0/24 not addressed to 192.168.0.0/16

That last rule ensures that anything coming from the guest network must be using one of the expected addresses, and also that the guest network cannot send packets to hosts on my main lan. By default OpenWRT allows all related,established packets using Linux iptables’ conntrack module.

Here’s the complete firewall config I’m using: /etc/config/firewall.

Routing

My Debian router also needs to know how to route back to the guest wlan subnet.

# route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.1.3

This can be put into /etc/network/interfaces as a post-up line. It tells the Debian router that whenever it needs to forward traffic from the internet back to the guest wlan it should do so through 192.168.1.3. This is the address of my WNDR3700.

Cron and Button events

I wanted to be able to turn the guest network on and off with the push of a button. I also wanted it to automatically disable itself each night at 3am if I forgot to turn it off.

First thing was to write a simple /root/guest-wifi script to enable/disable the guest wifi network from the command line. Then I’d hook this up to the button hotplug system and cron.

Cron is installed but not enabled by default:

cat > /etc/crontabs/root <<EOT
# m h  dom mon dow   command
  0 3   *   *   *     /root/guest-wifi disable
EOT
ln -s /etc/crontabs/root /etc/crontab
/etc/init.d/cron enable
/etc/init.d/cron start

Finally, set up the push button:

mkdir /etc/hotplug.d/button
cat > /etc/hotplug.d/button/guest-wifi-toggle <<EOT
#!/bin/sh
if [ "$BUTTON" = "BTN_2" -a "$ACTION" = "pressed" ]; then
  /root/guest-wifi toggle
fi
EOT
chmod +x /etc/hotplug.d/button/guest-wifi-toggle

System upgrades

You can update and install new packages with opkg, however at some point you may want to upgrade the kernel. Also if you’re using the squashfs images, anything you upgrade is taking up valuable space on the squashfs and the jffs2 overlay.

OpenWRT has a neat solution: sysupgrade. Always make sure to add any files that you want to keep across upgrades to the /etc/sysupgrade.conf file. Any files or directories listed here will be preserved by sysupgrade.

Package installation

Install the required packages:

# aptitude install e2fsprogs cryptsetup

Partitioning

Use your favourite partitioning tool, for example fdisk or cfdisk to set aside a whole partition with enough space to store your data.

Erase

This step is optional. For complete security you want the contents of the disk to be random before you start using it. Use the badblocks tool to do this.

# badblocks -c 10240 -s -w -t random -v /dev/sdX9

Format

The luksformat tool will format a partition to be used with LUKS (Linux Unified Key Setup) and then create a filesystem on it.

# luksformat -t ext3 /dev/sdX9

Mounting Manually

First use cryptsetup to create a device file:

# cryptsetup luksOpen /dev/sdX9 cryptofoo

You can now mount the device from /dev/mapper/cryptofoo:

# mount /dev/mapper/cryptofoo /mnt

When you’re done, unmount and then remove the cryptofoo device.

# umount /mnt; cryptsetup luksClose cryptofoo

Mount on Boot

Now all that remains is to add one line in each of crypttab and fstab

Add this line to /etc/crypttab:

myname /dev/sdX9 none luks

The crypttab file is examined by the system during boot. Each line maps a real encrypted device file (/dev/sdX9) to a virtual decrypted device file (/dev/mapper/myname). Once you’ve added done this run the following command to actually set up the mapping:

# /etc/init.d/cryptdisks restart

Now you can set up that virtual device file to be mounted like any other. For example, the following command would mount your filesystem:

# mount /dev/mapper/myname /mnt

Note that you should probably use partition UUIDs (UUID=XXXXX) in place of device file names (/dev/sdX9) in your crypttab for a more robust system. The easiest way to find these is by running:

# ls -l /dev/disks/by-uuid

Add a line like this to /etc/fstab

/dev/mapper/myname /path/to/mountpoint ext3 defaults 0 2

This post describes how to fix the function keys and swap command (windows or ‘super’) keys with the alt (or option) keys.

This command will fix the function keys, it saves you pressing fn-F1 whenever you want F1. The first command is for older kernels, the second is for version 2.6.28 or later.

# echo 2 > /sys/module/hid/parameters/pb_fnmode
# echo 2 > /sys/module/hid_apple/parameters/fnmode

Then add that line to your /etc/rc.local file, somewhere before the exit 0 at the end, so that it gets run on startup.

Next to swap the Command/Alt keys using xmodmap. I’m aware you can do this from the Gnome Keyboard Settings panel, but I’ve found this method works better. Particularly when combined with synergy.

Create a file called ~/.xmodmaprc with this inside:

clear mod1
keycode 115 = Alt_L
keycode 116 = Alt_R
keycode 64 = Super_L
keycode 113 = Super_R
add mod1 = Alt_L Alt_R

On another computer I’ve found this worked:

clear mod1
keycode 133 = Alt_L
keycode 134 = Alt_R
keycode 64 = Super_L
keycode 108 = Super_R
add mod1 = Alt_L Alt_R

Now run to activate the new keys, run:

$ xmodmap ~/.xmodmaprc

Don’t forget to add it to your list of startup programs. If you’re using Gnome, look at System->Preferences->Startup Applications
Otherwise you can just add it to ~/.xsession

To find the keycodes above I used the xev program. Try running it from a console. It shows you all X11 events that the xev window receives, including key presses/releases.