Wenjian's Blog

Live and Learn

Category Archives: OpenWrt

Flashing OpenWrt onto the WZR-HP-G300NH2 with TFTP

I have used my WZR-HP-G300NH2 for many years. It originally had the OpenWrt AA firmware installed, and today on a whim I decided to upgrade it to BB. Upgrading from the GUI is the most convenient, so that is what I chose, and the result... it actually failed. The router never rebooted and could not be pinged; after waiting half an hour there was still no response. Fine, TFTP it is.

Use the TFTP flashing function built into U-Boot to recover. No matter what system was on the router before, or which system it was in the middle of flashing when it bricked, flashing the OpenWrt TFTP image for the WZR-HP-G300NH2 this way brings it back.

Follow these steps one at a time:

1. Unplug the router's power.

2. Disable every network adapter on the PC except the wired one, and turn off the system firewall (remember to turn both back on when you are done).

3. Connect the PC's wired adapter with an Ethernet cable to the first LAN port, the one closest to the router's WAN port (the position matters: only this LAN port accepts the TFTP upload).

4. Set the wired adapter's IPv4 address to 192.168.11.2, subnet mask 255.255.255.0, gateway 192.168.11.1.

5. Run the command prompt (CMD) as administrator.

6. Run route print and look at the interface list below to find the interface index of your wired adapter; in my case it is 3:

===========================================================================
接口列表
 3...c8 60 00 dd b5 fb ......Intel(R) 82579V Gigabit Network Connection
 1...........................Software Loopback Interface 1
===========================================================================

7. With that interface index in hand, add a static ARP (neighbor) entry for the bootloader's address, so that Windows can send to 192.168.11.1 before U-Boot answers any ARP request:

netsh interface ipv4 add neighbors 3 192.168.11.1 02-AA-BB-CC-DD-1A

Be sure to replace the 3 after neighbors with the interface index from your own PC.

8. Next, prepare to upload the firmware with the tftp client that ships with Windows (on Vista and later it is an optional feature that has to be enabled under "Turn Windows features on or off"). Type the following command:

tftp -i 192.168.11.1 PUT openwrt-ar71xx-generic-wzr-hp-g300nh2-squashfs-tftp.bin

Do not press Enter yet.

9. Plug in the router's power and watch the network port LEDs. They change like this: (a) all LEDs on >> (b) only the LED of the LAN port with the cable stays on >> (c) that LAN port's LED blinks a few times and goes dark >> (d) that LAN port's LED comes on again. The gap between (c) and (d) is about 4 seconds, and U-Boot accepts a TFTP upload only during that window, so press Enter to upload the firmware the moment the LAN port LED goes dark.

10. The upload finishes quickly. Then wait 5 to 10 minutes; when the router has finished writing the firmware it reboots by itself. Do not cut the power during this time.

11. Once the firmware has been flashed successfully, remove the neighbor entry you added earlier:

netsh interface ipv4 delete neighbors 3 192.168.11.1 02-AA-BB-CC-DD-1A

Done. OpenWrt's default LAN address is 192.168.1.1, so set the PC's adapter back to DHCP (or a 192.168.1.x address), re-enable the firewall and the other adapters, and then telnet to 192.168.1.1 to set the root password (which also disables telnet in favour of SSH). Then... tinker as you like.

HOWTO: Unblocked internet access with Shadowsocks + DNSMasq on an OpenWrt router

In HOWTO: Prevent DNS cache pollution I described using a non-standard port on a DNS server to avoid DNS poisoning. But even with the correct IP address we still may not be able to reach the site, for reasons... you know. Here is a method that uses Shadowsocks and DNSMasq on an OpenWrt router so that every device on the LAN gets unblocked access with zero configuration.

A Shadowsocks server is required. You can set one up on your own VPS (see HOWTO: Install and configure shadowsocks on VPS/Ubuntu), or find a free Shadowsocks server; one site that hands out free accounts is https://www.shadowsocks.net/get. Keep in mind that whoever runs the server sees every connection you send through it, so using a stranger's free server is a trust decision.

Installing Shadowsocks

My OpenWrt version is AA 12.09. First update libpolarssl to the latest version (the commands are shown with sudo as I ran them; on a stock OpenWrt box you are already root and can drop it):

$ wget https://downloads.openwrt.org/snapshots/trunk/ar71xx/packages/base/libpolarssl_1.3.8-1_ar71xx.ipk
$ sudo opkg install libpolarssl_1.3.8-1_ar71xx.ipk

Download and install Shadowsocks:

$ wget http://shadowsocks.org/nightly/shadowsocks-libev-polarssl_1.4.6_ar71xx.ipk
$ sudo opkg install shadowsocks-libev-polarssl_1.4.6_ar71xx.ipk

Configuring Shadowsocks

After installation there are three binaries in /usr/bin:

  • ss-local    <== SOCKS5 proxy
  • ss-redir    <== transparent proxy
  • ss-tunnel  <== port forwarding

This article uses the transparent proxy mode (ss-redir): the iptables rules below redirect outgoing TCP connections to its local port, so the clients need no proxy settings at all.

Edit the configuration file /etc/shadowsocks.json (it holds the server password, so keep it readable by root only, e.g. chmod 600 /etc/shadowsocks.json):

{
    "server":"xxx.xxx.xxx.xxx",
    "server_port":8388,
    "local_port":1081,
    "password":"demo",
    "timeout":600,
    "method":"aes-256-cfb"
}
  • server: the IP address of your Shadowsocks server (IPv4/IPv6).
  • server_port: the port of your Shadowsocks server.
  • local_port: the local port ss-redir listens on; the firewall rules below redirect traffic to it, so the two must match (1081 in this article).
  • password: the password of your Shadowsocks server account.
  • timeout: idle timeout for a connection, in seconds.
  • method: the cipher your Shadowsocks server uses: "bf-cfb", "aes-256-cfb", "des-cfb", "rc4", etc. It must be the same on both ends. Of this list aes-256-cfb is the one to pick, since rc4 and single DES are weak, and note that none of these stream-cipher modes authenticates the ciphertext.

Edit /etc/init.d/shadowsocks so that it runs ss-redir as a service:

#!/bin/sh /etc/rc.common
# Copyright (C) 2006-2011 OpenWrt.org

START=94

SERVICE_USE_PID=1
SERVICE_WRITE_PID=1
SERVICE_DAEMONIZE=1

start() {
 service_start /usr/bin/ss-redir -c /etc/shadowsocks.json
}

stop() {
 service_stop /usr/bin/ss-redir
}

Start the Shadowsocks transparent proxy and enable it at boot:

$ sudo /etc/init.d/shadowsocks start
$ sudo /etc/init.d/shadowsocks enable

Adding firewall rules

We can fetch the latest list of Chinese IPv4 allocations from APNIC and build iptables rules from it: traffic to Chinese addresses stays direct, everything else is redirected to ss-redir. Save the following text as gen-firewall-gfw.sh:

#!/bin/ash

# Write the iptables rules for shadowsocks into a second script
firewall_gfw="/usr/bin/firewall-gfw.sh"
if [ -f $firewall_gfw ]; then
 rm $firewall_gfw
fi

echo "#!/bin/ash" >>$firewall_gfw
echo >>$firewall_gfw
echo "# Create a new chain named SHADOWSOCKS" >>$firewall_gfw
echo "iptables -t nat -N SHADOWSOCKS" >>$firewall_gfw
echo >>$firewall_gfw

echo "# Ignore shadowsocks server (replace xxx.xxx.xxx.xxx with the server address from /etc/shadowsocks.json)" >>$firewall_gfw
echo "iptables -t nat -A SHADOWSOCKS -d xxx.xxx.xxx.xxx -j RETURN" >>$firewall_gfw
echo >>$firewall_gfw

echo "# Ignore LAN, loopback, link-local, multicast and reserved addresses" >>$firewall_gfw
echo "iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN" >>$firewall_gfw
echo "iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN" >>$firewall_gfw
echo "iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN" >>$firewall_gfw
echo "iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN" >>$firewall_gfw
echo "iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN" >>$firewall_gfw
echo "iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN" >>$firewall_gfw
echo "iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN" >>$firewall_gfw
echo "iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN" >>$firewall_gfw
echo >>$firewall_gfw

echo "# Ignore China ip addresses" >>$firewall_gfw
# Get latest delegated internet number resources from apnic
cd /tmp
if [ -f "delegated-apnic-latest" ]; then
 echo "deleting old delegated internet number resources ..."
 rm delegated-apnic-latest
fi
echo "Downloading latest delegated internet number resources from apnic ..."
wget -c http://ftp.apnic.net/stats/apnic/delegated-apnic-latest

# Each ipv4 line is registry|cc|type|start|count|date|status; the prefix
# length is 32 - log2(count). That is only a whole number when count is a
# power of two, which is the normal case in this file.
echo "Extracting china ip addresses from downloaded latest delegated internet number resources ..."
cat delegated-apnic-latest | awk -v awk_firewall_gfw=$firewall_gfw -F '|' '/CN/&&/ipv4/ \
 {print "iptables -t nat -A SHADOWSOCKS -d " $4 "/" 32-log($5)/log(2) " -j RETURN" >>awk_firewall_gfw}'
 
echo >>$firewall_gfw

echo "# Other ip addresses should be redirected to shadowsocks' local port" >>$firewall_gfw
echo "iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 1081" >>$firewall_gfw
echo >>$firewall_gfw

echo "# Apply the rules" >>$firewall_gfw
echo "iptables -t nat -A PREROUTING -p tcp -j SHADOWSOCKS" >>$firewall_gfw

echo "Firewall rules for shadowsocks have been written into file " $firewall_gfw

Then (the generated script lands in /usr/bin, so run it from there and make it executable first):

$ chmod +x gen-firewall-gfw.sh
$ ./gen-firewall-gfw.sh
$ chmod +x /usr/bin/firewall-gfw.sh
$ sudo /usr/bin/firewall-gfw.sh

Check with iptables that the rules really were added:

$ sudo iptables -t nat --list

All done.

Now every device that goes online through your router gets unblocked access without any configuration. Two things to keep in mind: the rules are not persistent, so run /usr/bin/firewall-gfw.sh again after a reboot or firewall restart (for example from /etc/firewall.user, which OpenWrt's firewall script executes after loading its own rules); and only TCP is redirected (the rules say -p tcp), so UDP traffic, DNS included, still leaves the router directly, which is why the non-standard DNS port from the previous post is still needed.
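The awk one-liner in gen-firewall-gfw.sh turns each APNIC allocation into one RETURN rule with prefix length 32 - log2(count). As an added example (not the blog's script), here is the same rule generation in Python; it also handles an allocation whose address count is not a power of two, where the log formula would print a fractional prefix, by splitting it into proper CIDR blocks. The delegated-file lines in SAMPLE are constructed to show the format; point the script at the real delegated-apnic-latest downloaded above. The server address, chain name and local port are assumptions to be replaced with your own.

```python
"""Build the iptables rule list for the SHADOWSOCKS chain from an APNIC
delegated-apnic-latest file. Added example, not the blog's gen-firewall-gfw.sh:
it does what the awk one-liner does and additionally splits allocations whose
address count is not a power of two into proper CIDR blocks, where
32 - log2(count) would give a fractional prefix. SAMPLE is constructed in the
file's format; the real input is the file downloaded in the post. The server
address, chain name and port are assumptions to be replaced."""
import ipaddress

# Constructed sample. Format: registry|cc|type|start|count|date|status
SAMPLE = """\
2|apnic|20140910|12345|19830101|20140910|+1000
apnic|*|ipv4|*|44832|summary
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|CN|ipv4|1.0.8.0|2048|20110412|allocated
apnic|JP|ipv4|1.0.16.0|4096|20110412|allocated
apnic|CN|ipv4|27.8.0.0|3072|20100510|allocated
apnic|CN|ipv6|2001:250::|35|20000426|allocated
"""

# Everything that must never be sent through the proxy (RFC 1918 and friends)
LOCAL_NETS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
              "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4"]


def cidrs_for(start, count):
    """Minimal CIDR blocks covering `count` addresses from `start`.
    256 from 1.0.1.0 is a single /24; 3072 from 27.8.0.0 is a /21 plus a /22."""
    first = ipaddress.IPv4Address(start)
    last = first + (count - 1)
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def cn_cidrs(text):
    """CIDR list for every IPv4 allocation to CN in a delegated file."""
    out = []
    for line in text.splitlines():
        f = line.split("|")
        if len(f) < 5 or f[1] != "CN" or f[2] != "ipv4":
            continue  # header, summary, other countries, IPv6
        out.extend(cidrs_for(f[3], int(f[4])))
    return out


def firewall_rules(server_ip, cn_nets, chain="SHADOWSOCKS", local_port=1081):
    """The complete rule list in the order the blog's script emits it."""
    rules = ["iptables -t nat -N %s" % chain,
             "iptables -t nat -A %s -d %s -j RETURN" % (chain, server_ip)]
    rules += ["iptables -t nat -A %s -d %s -j RETURN" % (chain, n) for n in LOCAL_NETS + cn_nets]
    rules += ["iptables -t nat -A %s -p tcp -j REDIRECT --to-ports %d" % (chain, local_port),
              "iptables -t nat -A PREROUTING -p tcp -j %s" % chain]
    return rules


if __name__ == "__main__":
    import sys  # usage: gen_rules.py <shadowsocks server ip> [delegated-apnic-latest]
    server = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"  # assumed placeholder
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE
    print("#!/bin/ash")
    print("\n".join(firewall_rules(server, cn_cidrs(text))))
```

Redirect the output to /usr/bin/firewall-gfw.sh to get a drop-in replacement for the generated script. The 172.16.0.0/12 entry is the correct RFC 1918 size for that range.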

Useful links on building OpenWrt for WRT1900AC

The WRT1900AC was announced on 6 January 2014 as a router developed to be used with OpenWrt.

Specifications:

Model: Linksys WRT1900AC
Technology: Wireless-AC
Standards: 802.11a, 802.11b, 802.11g, 802.11n, 802.11ac
Frequency: Dual
Bands: Simultaneous: 2.4 GHz (Wireless-N), 5.0 GHz (Wireless-AC)
Security: WEP 64/128-bit, WPA2-Personal & Enterprise (AES/TKIP), WPS
Antennas: 4x External Detachable Antennas
Antenna Gain (peak): 2.4GHz: 2.5dBi
5GHz: 3.8dBi
Antenna Type: Dipole
Output Power: 2.4GHz: 19dBm
5GHz: 21dBm
Warranty: 2 year hardware limited warranty
OS Compatibility: Windows, Mac
Minimum System Requirements: PC with CD or DVD drive, running Windows XP SP3 (32-bit), Vista SP1/SP2 (32 & 64-bit), Win7 (32-bit & 64-bit) and Win8 (32-bit & 64-bit)
Mac: Wi-Fi enabled with CD or DVD drive, Mac OS® X Leopard v10.5.8 or later, Snow Leopard v10.6.1 or later, Lion v10.7, or Mountain Lion v10.8 Available USB 2.0 port
Package Contents: Linksys Dual Band Gigabit Wi-Fi Router AC1900, WRT1900AC, Quick Start Guide, CD-ROM with Documentation, 4 Antennas, Ethernet Cable, Power Adapter, Power Cord

Hardware Highlights:

SoC Ram Flash Network USB Serial JTag eSata
Marvell MV78230 256 MiB 128 MiB 1×2.0 1×3.0 Yes

Serial Port:

Pin   1    2  3   4  5   6
      GND  ?  RX  ?  TX  ?

Useful Links:

OpenWrt forum thread for official statement: Update on Linksys WRT1900AC support

McWRT: https://github.com/Chadster766/McWRT

Prebuilt images: https://github.com/wrt1900ac/opensource

jimmychungbelkin/Mamba: https://github.com/jimmychungbelkin/Mamba

HOWTO: Schedule jobs with cron on OpenWrt

No additional software needs to be installed on OpenWrt, as it already has the crond binary included.

Configuration

Cron jobs need to be specified in /etc/crontabs/root. For now, just create an empty file:

# touch /etc/crontabs/root

Create a symbolic link to the crontab file:

# ln -sf /etc/crontabs/root /etc/crontab

This lets me refer to the crontab file as /etc/crontab.

Enable and start crond:

# /etc/init.d/crond start
# /etc/init.d/crond enable

Verify that crond successfully started by checking the syslog using:

# logread

and you should see something similar to this at the end of the logread output

Sep 11 17:26:40 OpenWrt cron.info crond[634]: crond: crond (busybox 1.19.4) started, log level 8

Usage

Now that crond is running on OpenWrt, it can be used to run any task periodically. Add an entry to /etc/crontab for each task you want executed on a schedule. Entries in /etc/crontabs/root run as root, so make sure the scripts they call are owned by root and not writable by anyone else.

For example, if you want to run a script (/usr/bin/demo) daily at 23:30, the following would be added to crontab:

30 23 * * * /usr/bin/demo >/dev/null 2>&1

Restart crond to make this change take effect:

# /etc/init.d/crond restart

HOWTO: Prevent DNS cache pollution

Let us try to resolve twitter.com via OpenDNS on the default port (53):

# dig @208.67.222.222 twitter.com
; <<>> DiG 9.9.1-P3 <<>> @208.67.222.222 -p 53 twitter.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28025
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;twitter.com. IN A

;; ANSWER SECTION:
twitter.com. 300 IN A 37.61.54.158

;; Query time: 8 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Wed Sep 10 07:51:57 2014
;; MSG SIZE rcvd: 56

Obviously 37.61.54.158 is not what we want: it is not an address Twitter uses, it was injected on the port-53 path.

Let us try with ports 5353 and 443:

# dig @208.67.222.222 -p 5353 twitter.com

; <<>> DiG 9.9.1-P3 <<>> @208.67.222.222 -p 5353 twitter.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64372
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;twitter.com. IN A

;; ANSWER SECTION:
twitter.com. 15 IN A 199.59.148.82
twitter.com. 15 IN A 199.59.149.230
twitter.com. 15 IN A 199.59.150.7
twitter.com. 15 IN A 199.59.149.198

;; Query time: 85 msec
;; SERVER: 208.67.222.222#5353(208.67.222.222)
;; WHEN: Wed Sep 10 08:03:49 2014
;; MSG SIZE rcvd: 104
# dig @208.67.222.222 -p 443 twitter.com

; <<>> DiG 9.9.1-P3 <<>> @208.67.222.222 -p 443 twitter.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2939
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;twitter.com. IN A

;; ANSWER SECTION:
twitter.com. 4 IN A 199.59.148.10
twitter.com. 4 IN A 199.59.149.198
twitter.com. 4 IN A 199.59.148.82
twitter.com. 4 IN A 199.59.150.7

;; Query time: 294 msec
;; SERVER: 208.67.222.222#443(208.67.222.222)
;; WHEN: Wed Sep 10 08:04:53 2014
;; MSG SIZE rcvd: 104

Now we got it !!!
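The same check, as an added example and not a tool from the blog: the script below builds an A query by hand, parses the A records out of the reply, and asks the same resolver on several ports so that a port-53 answer that disagrees with the others stands out. It also rejects a reply whose transaction ID does not match the query, which is the first thing a forged answer tends to get wrong. FAKE_RESPONSE is a reply constructed by hand (with the two Twitter addresses from the dig output above) so the parser can be exercised offline; the server and port list are assumptions.

```python
"""Ask the same resolver for an A record on two or more ports and compare the
answers, which is what the dig commands above do by hand. Added example, not
the blog's: build_query and parse_a_records implement just enough of RFC 1035
to do that without a DNS library, and FAKE_RESPONSE is a reply constructed by
hand so the parser can be exercised offline. Server and ports are assumptions."""
import random
import socket
import struct


def build_query(name, txid):
    """Standard query, RD set, one A/IN question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\0" + struct.pack("!HH", 1, 1)


def _skip_name(msg, off):
    """Offset just past a domain name, which may end in a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2  # a 2-byte pointer terminates the name
        off += 1 + length


def parse_a_records(msg, txid):
    """A-record addresses in `msg`; rejects a reply whose ID does not match."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stale or forged answer)")
    if flags & 0x000F:
        raise ValueError("rcode %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def resolve(name, server, port, timeout=3.0):
    """One UDP round trip; returns the sorted A records."""
    txid = random.randrange(0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (server, port))
        return sorted(parse_a_records(sock.recv(4096), txid))
    finally:
        sock.close()


def compare_ports(name, server, ports=(53, 5353, 443)):
    """Map each port to its answer; a port-53 answer that differs from the
    others is the symptom shown in the dig output above."""
    return {port: resolve(name, server, port) for port in ports}


# Constructed reply: id 0x1234, flags QR|RD|RA, 1 question, 2 answers.
FAKE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"
    b"\x07twitter\x03com\x00\x00\x01\x00\x01"                          # twitter.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x0f\x00\x04\xc7\x3b\x94\x52"  # ttl 15, 199.59.148.82
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x0f\x00\x04\xc7\x3b\x95\xe6"  # ttl 15, 199.59.149.230
)

if __name__ == "__main__":
    print("offline parse:", parse_a_records(FAKE_RESPONSE, 0x1234))
    for port, answer in compare_ports("twitter.com", "208.67.222.222").items():
        print(port, answer)
```

Run it on the router or on a LAN host; if port 53 returns a single address that the other ports never mention, you are looking at the pollution the post describes.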

In OpenWrt, edit /etc/config/dhcp and change the dnsmasq section so that it forwards to OpenDNS on port 5353 instead of using the resolvers from /tmp/resolv.conf.auto:

config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
#   option resolvfile '/tmp/resolv.conf.auto'
    option noresolv '1'
    list server '208.67.222.222#5353'
    list server '/pool.ntp.org/208.67.222.222'

Then restart dnsmasq with /etc/init.d/dnsmasq restart. Note that this only sidesteps whatever is tampering with port 53: the answers still travel as plain UDP and are not authenticated, and it relies on OpenDNS continuing to listen on 5353 (and 443).

HOWTO: Install and configure pdnsd on OpenWrt

Introduction

OpenWrt is described as a Linux distribution for embedded devices.
Instead of trying to create a single, static firmware, OpenWrt provides a fully writable filesystem with package management. This frees you from the application selection and configuration provided by the vendor and allows you to customize the device through the use of packages to suit any application. For developers, OpenWrt is the framework to build an application without having to build a complete firmware around it; for users this means the ability for full customization, to use the device in ways never envisioned.

The latest stable release is AttitudeAdjustment 12.09.

Installation

To install pdnsd, run command:

# opkg update
# opkg install pdnsd

Configuration

Edit configuration file /etc/pdnsd.conf.

The global section specifies parameters that affect the overall behaviour of the server. If you specify multiple global sections, the settings of those later in the file will overwrite the earlier given values.

The detailed description of the options can be found here.

Here is my global section

global {
        perm_cache=2048;
        cache_dir="/var/pdnsd";
#       pid_file = /var/run/pdnsd.pid;
#       run_as="nobody";
        server_port = 5353;
        server_ip = any; 
        status_ctl = on;
#       paranoid=on; 
        query_method=tcp_udp;
        min_ttl=15m; # Retain cached entries at least 15 minutes.
        max_ttl=1w; # One week.
        timeout=10; # Global timeout option (10 seconds).
        neg_domain_pol=on;
        udpbufsize=1024; # Upper limit on the size of UDP messages.
}

server_ip = any makes pdnsd listen on every interface, including the WAN side; OpenWrt's default firewall drops unsolicited input from WAN, but check that before relying on it, or port 5353 becomes an open resolver. Uncommenting run_as="nobody" is also worth doing so that pdnsd does not keep running as root after start-up.

Each server section specifies a set of name servers that pdnsd should try to get resource records or authoritative name server information from. The servers are queried in the order of their appearance (or in parallel, to a limited extent). If one fails, the next one is taken, and so on.
You probably want to specify the dns server in your LAN, the caching dns servers of your internet provider or even a list of root servers in one or more server sections.

The detailed description of the options can be found here.

I added the OpenDNS server, on port 5353 rather than 53, to my configuration file:

server {
        label= "opendns";
        ip = 208.67.222.222;
        port = 5353;
        root_server = on;
        uptest = none;
}

You can also add Google Public DNS. More DNS servers can be found here.

Usage

Enable and start pdnsd:

# /etc/init.d/pdnsd enable
# /etc/init.d/pdnsd start

Test with:

# dig @127.0.0.1 -p 5353 youtube.com
; <<>> DiG 9.9.1-P3 <<>> @127.0.0.1 -p 5353 youtube.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49334
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;youtube.com. IN A

;; ANSWER SECTION:
youtube.com. 300 IN A 173.194.127.135
youtube.com. 300 IN A 173.194.127.137
youtube.com. 300 IN A 173.194.127.142
youtube.com. 300 IN A 173.194.127.136
youtube.com. 300 IN A 173.194.127.133
youtube.com. 300 IN A 173.194.127.132
youtube.com. 300 IN A 173.194.127.128
youtube.com. 300 IN A 173.194.127.131
youtube.com. 300 IN A 173.194.127.130
youtube.com. 300 IN A 173.194.127.129
youtube.com. 300 IN A 173.194.127.134

;; Query time: 311 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Fri Sep 5 20:58:07 2014
;; MSG SIZE rcvd: 216